From robert.l.harris at gmail.com Mon May 1 03:18:55 2017
From: robert.l.harris at gmail.com (Robert L. Harris)
Date: Mon, 01 May 2017 03:18:55 +0000
Subject: [Freeipa-users] Installing on Ubuntu 16.04
Message-ID:

Gave up on freeipa and Ubuntu 17.10. Re-installed with 16.04 and some base packages which does include freeipa-client. When I do an apt-get install on freeipa-server it runs along happily until I find this:

.
...
Setting up pki-server (10.2.6+git20160317-1) ...
Job for pki-tomcatd.service failed because the control process exited with error code. See "systemctl status pki-tomcatd.service" and "journalctl -xe" for details.
invoke-rc.d: initscript pki-tomcatd, action "start" failed.
* pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
   Loaded: loaded (/etc/init.d/pki-tomcatd; bad; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sun 2017-04-30 20:38:29 MDT; 3ms ago
   Docs: man:systemd-sysv-generator(8)
   Process: 9645 ExecStart=/etc/init.d/pki-tomcatd start (code=exited, status=5)

Apr 30 20:38:29 ipa systemd[1]: Starting LSB: Start pki-tomcatd at boot time...
Apr 30 20:38:29 ipa pki-tomcatd[9645]: ERROR: No 'tomcat' instances installed!
... because no CA instance has been configured yet.
pki-tomcatd-nuxwdog.target is a disabled or a static unit, not starting it.
pki-tomcatd.target is a disabled or a static unit, not starting it.
Setting up pki-ca (10.2.6+git20160317-1) ...
...
.

I have been googling but can't find a relevant fix that resolves this. Any ideas?

Robert

From simon.williams at thehelpfulcat.com Mon May 1 06:51:28 2017
From: simon.williams at thehelpfulcat.com (Simon Williams)
Date: Mon, 01 May 2017 06:51:28 +0000
Subject: [Freeipa-users] Installing on Ubuntu 16.04
In-Reply-To:
References:
Message-ID:

Don't worry about this during the install from the repository. I also got that installing on Ubuntu recently.
Running ipa-server-install later will set up the missing data and pki-tomcat will start fine. At the point apt is trying to start the service it can't start cleanly. The package configure probably shouldn't be attempting to start it.

On Mon, 1 May 2017, 04:20 Robert L. Harris, wrote:

>
> Gave up on freeipa and Ubuntu 17.10. Re-installed with 16.04 and some
> base packages which does include freeipa-client. When I do an apt-get
> install on freeipa-server it runs along happily until I find this:
>
> .
> ...
> Setting up pki-server (10.2.6+git20160317-1) ...
> Job for pki-tomcatd.service failed because the control process exited with
> error code. See "systemctl status pki-tomcatd.service" and "journalctl -xe"
> for details.
> invoke-rc.d: initscript pki-tomcatd, action "start" failed.
> * pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
> Loaded: loaded (/etc/init.d/pki-tomcatd; bad; vendor preset: enabled)
> Active: failed (Result: exit-code) since Sun 2017-04-30 20:38:29 MDT;
> 3ms ago
> Docs: man:systemd-sysv-generator(8)
> Process: 9645 ExecStart=/etc/init.d/pki-tomcatd start (code=exited,
> status=5)
>
> Apr 30 20:38:29 ipa systemd[1]: Starting LSB: Start pki-tomcatd at boot
> time...
> Apr 30 20:38:29 ipa pki-tomcatd[9645]: ERROR: No 'tomcat' instances
> installed!
> ... because no CA instance has been configured yet.
> pki-tomcatd-nuxwdog.target is a disabled or a static unit, not starting it.
> pki-tomcatd.target is a disabled or a static unit, not starting it.
> Setting up pki-ca (10.2.6+git20160317-1) ...
> ...
> .
>
>
> I have been googling but can't find a relevant fix that resolves this.
> Any ideas?
>
> Robert
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From freeipa at 0xc0dedbad.com Mon May 1 07:30:36 2017
From: freeipa at 0xc0dedbad.com (Peter Fern)
Date: Mon, 1 May 2017 17:30:36 +1000
Subject: [Freeipa-users] Installing on Ubuntu 16.04
In-Reply-To:
References:
Message-ID:

freeipa-server is still quite broken on Ubuntu I believe. It should install fine, but certmonger can not renew the CA successfully, as nss on Debian/Ubuntu is missing nss-pem, so it can't read certificate files. I wrote about this in a thread titled "Dogtag certs did not auto-renew, very stuck!". I'd recommend running the server on a Redhat derivative for the foreseeable future.

On 01/05/17 13:18, Robert L. Harris wrote:
>
> Gave up on freeipa and Ubuntu 17.10. Re-installed with 16.04 and
> some base packages which does include freeipa-client. When I do an
> apt-get install on freeipa-server it runs along happily until I find this:
>
> .
> ...
> Setting up pki-server (10.2.6+git20160317-1) ...
> Job for pki-tomcatd.service failed because the control process exited
> with error code. See "systemctl status pki-tomcatd.service" and
> "journalctl -xe" for details.
> invoke-rc.d: initscript pki-tomcatd, action "start" failed.
> * pki-tomcatd.service - LSB: Start pki-tomcatd at boot time
> Loaded: loaded (/etc/init.d/pki-tomcatd; bad; vendor preset: enabled)
> Active: failed (Result: exit-code) since Sun 2017-04-30 20:38:29
> MDT; 3ms ago
> Docs: man:systemd-sysv-generator(8)
> Process: 9645 ExecStart=/etc/init.d/pki-tomcatd start (code=exited,
> status=5)
>
> Apr 30 20:38:29 ipa systemd[1]: Starting LSB: Start pki-tomcatd at
> boot time...
> Apr 30 20:38:29 ipa pki-tomcatd[9645]: ERROR: No 'tomcat' instances
> installed!
> ... because no CA instance has been configured yet.
> pki-tomcatd-nuxwdog.target is a disabled or a static unit, not
> starting it.
> pki-tomcatd.target is a disabled or a static unit, not starting it.
> Setting up pki-ca (10.2.6+git20160317-1) ...
> ...
> .
>
>
> I have been googling but can't find a relevant fix that resolves this.
> Any ideas?
>
> Robert
>
>
>

From prasun.gera at gmail.com Mon May 1 09:39:58 2017
From: prasun.gera at gmail.com (Prasun Gera)
Date: Mon, 1 May 2017 05:39:58 -0400
Subject: [Freeipa-users] Chrome 58 Doesn't Trust SSL Certificates Signed by FreeIPA
In-Reply-To:
References: <20170421010630.GR21957@dhcp-40-8.bne.redhat.com> <20170424005012.GV21957@dhcp-40-8.bne.redhat.com>
Message-ID:

Any ideas why the replica's certs are not being tracked ? That looks like an issue in itself. If they are not being tracked, the replica will fail once they expire. Is there any way to fix the replica ?

On Sun, Apr 23, 2017 at 10:08 PM, Prasun Gera wrote:

> I tried that, but the replica's "getcert list" doesn't seem to show any
> results. "Number of certificates and requests being tracked: 0." Is that
> expected ?
>
> On Sun, Apr 23, 2017 at 8:50 PM, Fraser Tweedale
> wrote:
>
>> On Sun, Apr 23, 2017 at 03:32:19AM -0400, Prasun Gera wrote:
>> > Thank you. That worked for the master. How do I fix the replica's cert ?
>> > This is on ipa-server-4.4.0-14.el7_3.7.x86_64 on RHEL7. I am not using
>> > ipa's DNS at all. Did this happen because of that ?
>> >
>> This is not related to DNS.
>>
>> To fix the replica, log onto the host and perform the same steps
>> with Certmonger there. The tracking Request ID will be different
>> but otherwise the process is the same.
>>
>> Cheers,
>> Fraser
>>
>> > On Thu, Apr 20, 2017 at 9:06 PM, Fraser Tweedale
>> > wrote:
>> >
>> > > On Thu, Apr 20, 2017 at 07:31:16PM -0400, Prasun Gera wrote:
>> > > > I can confirm that I see this behaviour too. My ipa server install is a
>> > > > pretty stock install with no 3rd party certificates.
>> > > >
>> > > > On Thu, Apr 20, 2017 at 5:46 PM, Simon Williams <
>> > > > simon.williams at thehelpfulcat.com> wrote:
>> > > >
>> > > > > Yesterday, Chrome on both my Ubuntu and Windows machines updated to
>> > > > > version 58.0.3029.81. It appears that this version of Chrome will not
>> > > > > trust certificates based on Common Name. Looking at the Chrome
>> > > > > documentation and borne out by one of the messages, from Chrome 58,
>> > > > > the subjectAltName is required to identify the DNS name of the host that
>> > > > > the certificate is issued for. I would be grateful if someone could point
>> > > > > me in the direction of how to recreate my SSL certificates so that
>> > > > > the subjectAltName is populated.
>> > > > >
>> > > > > Thanks in advance
>> > > > >
>> > > > > --
>> > > > > Manage your subscription for the Freeipa-users mailing list:
>> > > > > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > > > > Go to http://freeipa.org for more info on the project
>> > > > >
>> > > Which version of IPA are you using?
>> > >
>> > > The first thing you should do, which I think should be sufficient in
>> > > most cases, is to tell certmonger to submit a new cert request for
>> > > each affected certificate, instructing to include the relevant
>> > > DNSName in the subjectAltName extension in the CSR.
>> > >
>> > > To list certmonger tracking requests and look for the HTTPS
>> > > certificate. For example:
>> > >
>> > > $ getcert list
>> > > Number of certificate and requests being tracked: 11
>> > > ...
>> > > Request ID '20170418012901':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> > >     CA: IPA
>> > >     issuer: CN=Certificate Authority,O=IPA.LOCAL 201703211317
>> > >     subject: CN=f25-2.ipa.local,O=IPA.LOCAL 201703211317
>> > >     expires: 2019-03-22 03:20:19 UTC
>> > >     dns: f25-2.ipa.local
>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>> > >     pre-save command:
>> > >     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>> > >     track: yes
>> > >     auto-renew: yes
>> > > ...
>> > >
>> > > Using the Request ID of the HTTPS certificate, resubmit the request
>> > > but use the ``-D `` option to specify a DNSName to include
>> > > in the SAN extension:
>> > >
>> > > $ getcert resubmit -i -D
>> > >
>> > > ``-D `` can be specified multiple times, if necessary.
>> > >
>> > > This should request a new certificate that will have the server DNS
>> > > name in the SAN extension.
>> > >
>> > > HTH,
>> > > Fraser
>> > >
>> > >
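
As an added example (not part of the thread and not certmonger's own code), the script below parses `getcert list` output in the layout quoted above and reports tracked server certificates whose `dns:` field is missing or does not cover the subject CN, together with the `getcert resubmit -i ... -D ...` command from the reply. It assumes that a missing `dns:` line means the certificate has no dNSName SAN, that several names are comma-separated, and that the subject CN is the host name clients connect to; the sample input is constructed.

```python
import re
import shlex

# Constructed sample in the `getcert list` layout quoted in the thread (not real output).
SAMPLE = """\
Number of certificates and requests being tracked: 4.
Request ID '20170418012901':
    status: MONITORING
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
    subject: CN=f25-2.ipa.local,O=IPA.LOCAL 201703211317
    dns: f25-2.ipa.local
    eku: id-kp-serverAuth,id-kp-clientAuth
Request ID '20170418012902':
    status: MONITORING
    subject: CN=web1.example.test,O=EXAMPLE.TEST
    eku: id-kp-serverAuth,id-kp-clientAuth
Request ID '20170418012903':
    status: MONITORING
    subject: CN=web2.example.test,O=EXAMPLE.TEST
    dns: *.apps.example.test,old.example.test
    eku: id-kp-serverAuth
Request ID '20170418012904':
    status: MONITORING
    subject: CN=IPA RA,O=EXAMPLE.TEST
    eku: id-kp-clientAuth
"""

REQUEST_RE = re.compile(r"^\s*Request ID '([^']+)':\s*$")
# Field names contain letters, spaces and hyphens; the value starts after the first colon.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s*(.*)$")


def parse_getcert_list(text):
    """Return one dict per tracking request, keyed by the field names in the output."""
    requests, current = [], None
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if match:
            current = {"request_id": match.group(1)}
            requests.append(current)
            continue
        match = FIELD_RE.match(line)
        if match and current is not None:
            current[match.group(1)] = match.group(2).strip()
    return requests


def subject_cn(subject):
    """Extract the CN value from a subject string such as 'CN=host,O=REALM'."""
    match = re.search(r"(?:^|,)\s*CN=([^,]+)", subject, re.IGNORECASE)
    return match.group(1).strip() if match else None


def san_covers(host, san_names):
    """True if any dNSName matches host; '*' stands for the left-most label only."""
    host = host.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def audit(text):
    """List server certificates that a SAN-only client (Chrome 58+) would reject."""
    findings = []
    for req in parse_getcert_list(text):
        if "id-kp-serverAuth" not in req.get("eku", ""):
            continue  # not a TLS server certificate, nothing for a browser to check
        cn = subject_cn(req.get("subject", ""))
        sans = [n.strip() for n in req.get("dns", "").split(",") if n.strip()]
        if not sans:
            reason = "no dNSName in subjectAltName"
        elif cn and not san_covers(cn, sans):
            reason = "subjectAltName does not cover the subject CN"
        else:
            continue
        fix = None
        if cn:
            # Command form taken from the reply above; quoted so it is safe to paste.
            fix = "getcert resubmit -i %s -D %s" % (
                shlex.quote(req["request_id"]), shlex.quote(cn))
        findings.append({"request_id": req["request_id"], "cn": cn,
                         "reason": reason, "fix": fix})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%(request_id)s %(cn)s: %(reason)s\n  %(fix)s" % finding)
```

Run it against the real output on each master and replica; a replica that reports zero tracked requests, as described in this thread, yields no findings and has to be checked separately.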

From lslebodn at redhat.com Mon May 1 09:44:04 2017
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Mon, 1 May 2017 11:44:04 +0200
Subject: [Freeipa-users] Fedora 25 - SSSD: Smart card login is broken
In-Reply-To: <20170426093720.GD3829@p.Speedport_W_724V_Typ_A_05011603_00_011>
References: <20170426093720.GD3829@p.Speedport_W_724V_Typ_A_05011603_00_011>
Message-ID: <20170501094404.GB22762@10.4.128.1>

On (26/04/17 11:37), Sumit Bose wrote:
>On Tue, Apr 25, 2017 at 12:38:11PM -0500, Michael Rainey (Contractor) wrote:
>> Hello,
>>
>> While using Fedora 25 we noticed smart card login is broken with the latest
>> update to SSSD. A month or so ago a patch was created to fix the same
>> issue. Here are some of the details:
>>
>> Before Update:
>>
>> sssd.x86_64 1.15.2-1.fc25sb1 (was 1.15.2-1.fc25 before patch)
>>
>> After Update:
>>
>> sssd.x86_64 1.15.2-2.fc25
>>
>> I was able to compared this to a freshly updated system to a system which
>> didn't receive the same update so I am confident lies with the package
>> update.
>
>ah, sorry, this is my fault, I forgot to create a Fedora bugzilla
>ticket, there is one for RHEL but not for Fedora. I just created
>https://bugzilla.redhat.com/show_bug.cgi?id=1445680 to track this for
>Fedora.
>

https://bodhi.fedoraproject.org/updates/FEDORA-2017-ac43ea8522

LS

From freeipa at 0xc0dedbad.com Mon May 1 12:08:31 2017
From: freeipa at 0xc0dedbad.com (Peter Fern)
Date: Mon, 1 May 2017 22:08:31 +1000
Subject: [Freeipa-users] List SPAM
In-Reply-To: <5beedf04-1769-9abf-62d0-14401f6bbb7c@redhat.com>
References: <5beedf04-1769-9abf-62d0-14401f6bbb7c@redhat.com>
Message-ID: <9e88fb1b-3194-b32a-a8e3-6068a56a379a@0xc0dedbad.com>

On 27/12/16 23:32, Martin Basti wrote:
>
>
> On 27.12.2016 13:22, Outback Dingo wrote:
>> Im still getting nude porn spam emails and pics from a user
>>
>> Kimi Rachel
>>
>
> It is not a user, it is a SPAM bot mining public archives.
> We don't have any control about it we can just un-publish archives (tested,
> spam stopped after that) but they contain a lot of information for users.

It's pretty bad - I got a dozen spam messages in response to a reply to the list today, and zero legitimate replies. If these are really being scraped from the archives, can we please scrub email addresses entirely from the archive?

From freeipa at 0xc0dedbad.com Mon May 1 12:15:31 2017
From: freeipa at 0xc0dedbad.com (Peter Fern)
Date: Mon, 1 May 2017 22:15:31 +1000
Subject: [Freeipa-users] List SPAM
In-Reply-To: <9e88fb1b-3194-b32a-a8e3-6068a56a379a@0xc0dedbad.com>
References: <5beedf04-1769-9abf-62d0-14401f6bbb7c@redhat.com> <9e88fb1b-3194-b32a-a8e3-6068a56a379a@0xc0dedbad.com>
Message-ID: <7c94f73a-af70-4af8-7458-a50b4bdffdc8@0xc0dedbad.com>

On 01/05/17 22:08, Peter Fern wrote:
> On 27/12/16 23:32, Martin Basti wrote:
>> It is not a user, it is a SPAM bot mining public archives. We don't
>> have any control about it we can just un-publish archives (tested,
>> spam stopped after that) but they contain a lot of information for users.
> It's pretty bad - I got a dozen spam messages in response to a reply to
> the list today, and zero legitimate replies. If these are really being
> scraped from the archives, can we please scrub email addresses entirely
> from the archive?

In fact, based on the rapidity of the spam replies, I was a little suspicious of the suggestion that they're being harvested from the public archives. Checking the message headers reveals that these replies are actually being generated directly from the mailing list, since they contain a valid In-Reply-To Message-Id.

So, these are actually being generated by a subscriber on the list.

From freeipa at 0xc0dedbad.com Mon May 1 12:25:34 2017
From: freeipa at 0xc0dedbad.com (Peter Fern)
Date: Mon, 1 May 2017 22:25:34 +1000
Subject: [Freeipa-users] List SPAM
In-Reply-To: <7c94f73a-af70-4af8-7458-a50b4bdffdc8@0xc0dedbad.com>
References: <5beedf04-1769-9abf-62d0-14401f6bbb7c@redhat.com> <9e88fb1b-3194-b32a-a8e3-6068a56a379a@0xc0dedbad.com> <7c94f73a-af70-4af8-7458-a50b4bdffdc8@0xc0dedbad.com>
Message-ID: <13ad2da7-2afb-29d8-4ba3-ca167da7d390@0xc0dedbad.com>

On 01/05/17 22:15, Peter Fern wrote:
> On 01/05/17 22:08, Peter Fern wrote:
>> On 27/12/16 23:32, Martin Basti wrote:
>>> It is not a user, it is a SPAM bot mining public archives. We don't
>>> have any control about it we can just un-publish archives (tested,
>>> spam stopped after that) but they contain a lot of information for users.
>> It's pretty bad - I got a dozen spam messages in response to a reply to
>> the list today, and zero legitimate replies. If these are really being
>> scraped from the archives, can we please scrub email addresses entirely
>> from the archive?
> In fact, based on the rapidity of the spam replies, I was a little
> suspicious of the suggestion that they're being harvested from the
> public archives. Checking the message headers reveals that these
> replies are actually being generated directly from the mailing list,
> since they contain a valid In-Reply-To Message-Id.
>
> So, these are actually being generated by a subscriber on the list.

Aaaand... a final note on the topic, my presumption here may be unfounded - looks like the mail archive includes email headers as HTML comments, so it's tough to conclude anything... still, they'd have to be hammering the archive site to scrape and post emails with the speed they arrive - it takes about the same time to receive a spam reply as it does for my mail to appear on the list.

From iulian.roman at gmail.com Mon May 1 14:44:28 2017
From: iulian.roman at gmail.com (Iulian Roman)
Date: Mon, 1 May 2017 16:44:28 +0200
Subject: [Freeipa-users] ipa replica between different environments
Message-ID:

Hello,

is it possible/supported to _clone_ an ipa setup between different environments , disconnect the replicas and use them independently (ex. clone ST to ET and use them as separate IPA servers for ST respective ET clients ? ) or does the disconnect remove the data ?

From abokovoy at redhat.com Mon May 1 15:04:11 2017
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 1 May 2017 18:04:11 +0300
Subject: [Freeipa-users] List SPAM
In-Reply-To: <13ad2da7-2afb-29d8-4ba3-ca167da7d390@0xc0dedbad.com>
References: <5beedf04-1769-9abf-62d0-14401f6bbb7c@redhat.com> <9e88fb1b-3194-b32a-a8e3-6068a56a379a@0xc0dedbad.com> <7c94f73a-af70-4af8-7458-a50b4bdffdc8@0xc0dedbad.com> <13ad2da7-2afb-29d8-4ba3-ca167da7d390@0xc0dedbad.com>
Message-ID: <20170501150411.hvbi3kw5c2fnkr6t@redhat.com>

On ma, 01 touko 2017, Peter Fern wrote:
>On 01/05/17 22:15, Peter Fern wrote:
>> On 01/05/17 22:08, Peter Fern wrote:
>>> On 27/12/16 23:32, Martin Basti wrote:
>>>> It is not a user, it is a SPAM bot mining public archives. We don't
>>>> have any control about it we can just un-publish archives (tested,
>>>> spam stopped after that) but they contain a lot of information for users.
>>> It's pretty bad - I got a dozen spam messages in response to a reply to
>>> the list today, and zero legitimate replies. If these are really being
>>> scraped from the archives, can we please scrub email addresses entirely
>>> from the archive?
>> In fact, based on the rapidity of the spam replies, I was a little
>> suspicious of the suggestion that they're being harvested from the
>> public archives.
>> Checking the message headers reveals that these
>> replies are actually being generated directly from the mailing list,
>> since they contain a valid In-Reply-To Message-Id.
>>
>> So, these are actually being generated by a subscriber on the list.
>
>Aaaand... a final note on the topic, my presumption here may be
>unfounded - looks like the mail archive includes email headers as HTML
>comments, so it's tough to conclude anything... still, they'd have to be
>hammering the archive site to scrape and post emails with the speed they
>arrive - it takes about the same time to receive a spam reply as it does
>for my mail to appear on the list.

Unfortunately, we do not control list archives on that granularity to mangle headers/emails. We can either close the archives down with a password or move list archives to Fedora project. In the latter we have more featured and updated mailing list software.

--
/ Alexander Bokovoy

From rcritten at redhat.com Mon May 1 17:42:40 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 1 May 2017 13:42:40 -0400
Subject: [Freeipa-users] Help needed - CA Server role not adding
In-Reply-To:
References:
Message-ID:

Chris Moody wrote:
> Hello.
>
> First wanted to thank everyone working hard to bring this awesome bundle
> of applications to market. This is a great project and I really
> appreciate the efforts.
>
> I need a hand with a new 4.4.3 install that I'm still trying to flesh
> out fully to support all the services I need.
>
> I recently attempted to add the 'CA Server' Role to a node in a replica
> pair.
>
> I ran the 'ipa-ca-install' command on the node in question but in the
> middle of the operation, it unfortunately bombed out due to memory
> exhaustion. I have since doubled the RAM in the host, but I can no
> longer get this system to proceed with the multitude of steps it
> performs to enable this role.
>
> When I type 'ipa server-role-find' it lists the 'CA Server' Role as
> absent, but whenever I issue the command 'ipa-ca-install' to try and
> re-instantiate the process of adding the role, it spits back out 'CA is
> already installed on this host.'.
>
> I'm not seeing a 'remove role' or 'force' option via any of the
> tab-completed command options now available in 4.x nor is the man page
> of much help. Online documentation as well seems to be in a state of
> flux between the older 3.x docs and the new 4.x functionality.

At the moment the only way around this is to uninstall IPA master on this server and re-run the installation.

rob

From zarko at etcfstab.com Tue May 2 00:36:26 2017
From: zarko at etcfstab.com (Z D)
Date: Tue, 2 May 2017 00:36:26 +0000
Subject: [Freeipa-users] EL5 sudo and IdM
Message-ID:

Hi, we've been using the IdM server 4.4.0 but still have some EL5 (build system) we'd like to be ipa-clients. The ipa-client v2.1.3 has been installed, that works well.

And I believe that with EL5, there is no sssd support for sudo, hence it's configured via /etc/ldap.conf

The situation I see is that sudo rule is successful only when using ALL for hosts, the example of debug message is:

sudo: ldap sudoHost 'ALL' ... MATCH!

Otherwise, it doesn't work and the message is:

sudo: ldap sudoHost '+hostg_build' ... not

The "hostg_build" is IPA host group, and if I read "man sudoers.ldap" correctly, sudoHost expects host netgroup (prefixed with a '+').

Is there any resolution here?

thanks, Zarko

From rcritten at redhat.com Tue May 2 01:50:10 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 1 May 2017 21:50:10 -0400
Subject: [Freeipa-users] EL5 sudo and IdM
In-Reply-To:
References:
Message-ID: <87429666-6755-4d2a-dd48-98485eff6660@redhat.com>

Z D wrote:
> Hi, we've been using the IdM server 4.4.0 but still have some EL5 (build
> system) we'd like to be ipa-clients.
> The ipa-client v2.1.3 has been
> installed, that works well.
>
> And I believe that with EL5, there is no sssd support for sudo, hence
> it's configured via /etc/ldap.conf
>
>
> The situation I see is that sudo rule is successful only when using ALL
> for hosts, the example of debug message is:
>
> sudo: ldap sudoHost 'ALL' ... MATCH!
>
>
> Otherwise, it doesn't work and the message is:
>
> sudo: ldap sudoHost '+hostg_build' ... not
>
>
> The "hostg_build" is IPA host group, and if I read "man sudoers.ldap"
> correctly, sudoHost expects host netgroup (prefixed with a |'+'|).

A netgroup is created for every hostgroup automatically. Make sure you have your NIS domain set and the netgroup is resolvable using getent netgroup foo

rob

From lslebodn at redhat.com Tue May 2 08:19:51 2017
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Tue, 2 May 2017 10:19:51 +0200
Subject: [Freeipa-users] EL5 sudo and IdM
In-Reply-To:
References:
Message-ID: <20170502081951.GE22814@10.4.128.1>

On (02/05/17 00:36), Z D wrote:
>Hi, we've been using the IdM server 4.4.0 but still have some EL5 (build system) we'd like to be ipa-clients. The ipa-client v2.1.3 has been installed, that works well.
>
>And I believe that with EL5, there is no sssd support for sudo, hence it's configured via /etc/ldap.conf
>

A little bit offtopic. If you meant el5 == CentOS 5 then I would recommend to upgrade to el6

CentOS Linux 5 has reached End of Life, as of 31 March 2017
http://centosfaq.org/centos-announce/centos-linux-5-eol/

LS

From dag at sonsorol.org Tue May 2 13:35:10 2017
From: dag at sonsorol.org (Chris Dagdigian)
Date: Tue, 02 May 2017 09:35:10 -0400
Subject: [Freeipa-users] Simple replica debugging? Different Host count between replicating masters ...
Message-ID: <59088B0E.8040602@sonsorol.org>

I have a simple IPA setup with masters spanning two different AWS regional VPCs with a replication agreement between them.

Oddly enough I see a different host count between the two servers.

I've tried running:

ipa-replica-manage force-sync --from (remote host)

... on both hosts. Did not seem to work but also produced no real error output.

Example:

# ipa-replica-manage force-sync --verbose --from deawilidmp001.XXX.org
ipa: INFO: Setting agreement cn=meTousaeilidmp001.XXX.org,cn=replica,cn=dc\=XXX\,dc\=org,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meTousaeilidmp001.XXX.org,cn=replica,cn=dc\=XXX\,dc\=org,cn=mapping tree,cn=config

Any useful hints or tips for troubleshooting?

Normally I'd blow a master away and recreate a replica server but the replica that is misbehaving has "more" enrolled Hosts than the master I wish to preserve ...

Regards,
Chris

From bret.wortman at damascusgrp.com Tue May 2 14:50:21 2017
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Tue, 2 May 2017 10:50:21 -0400
Subject: [Freeipa-users] I think I lost my CA...
In-Reply-To: <28c6acf8-a76f-6676-729e-8608b2cc1249@redhat.com>
References: <25b53b08-ede0-7627-4b31-d9cb7de50b38@damascusgrp.com> <2da4022b-408a-846e-1acf-1d1b576987a6@damascusgrp.com> <42070482-0397-f4c7-552d-6215b6140197@damascusgrp.com> <50a036fb-b118-878e-5983-85427aefb8e5@damascusgrp.com> <81f171a5-3bea-ed43-94a0-c20f53b756f0@damascusgrp.com> <28c6acf8-a76f-6676-729e-8608b2cc1249@redhat.com>
Message-ID:

I plowed through /var/log/pki/pki-tomcat/ca/debug, but nothing jumps out as looking like an error.

The cert-show failure is troubling, but my inability to get CSRs turned into certs is what's actually driving this.

Bret

On 04/26/2017 06:02 PM, Rob Crittenden wrote:
> Bret Wortman wrote:
>> So I can see my certs using cert-find, but can't get details using
>> cert-show or add new ones using cert-request.
>>
>> # ipa cert-find
>> :
>> ------------------------------
>> Number of entries returned 385
>> ------------------------------
>> # ipa cert-show 895
>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>> communicate with CMS (503)
>> # ipa cert-show 1 (which does not exist)
>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>> communicate with CMS (503)
>> # ipa cert-status 895
>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>> communicate with CMS (503)
>> #
>>
>> Is this an IPV6 thing? Because ipactl shows everything green and
>> certmonger is running.
> Doubtful.
>
> cert-find and cert-show use different APIs in dogtag. cert-find uses the
> newer RESTful API and cert-show uses the older XML-based API (and is
> authenticated). I'm guessing that is where the issue lies.
>
> What I'd recommend doing is noting the time, restarting the CA, and then
> plow through the debug log looking for failures. It could be that the CA
> is only partially up (and I'd check your CA subsystem certs as well).
>
> rob
>
>> Bret
>>
>>
>> On 04/26/2017 09:03 AM, Bret Wortman wrote:
>>> Digging still deeper:
>>>
>>> # ipa cert-request f.f --principal=HTTP/`hostname`@DAMASCUSGRP.COM
>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>> communicate with CMS (503)
>>>
>>> Looks like this is an HTTP error; so is it possible that my IPA thinks
>>> it has a CA but there's no CMS available?
>>>
>>>
>>> On 04/26/2017 08:41 AM, Bret Wortman wrote:
>>>> Using the firefox debugger, I get these errors when trying to pop up
>>>> the New Certificate dialog:
>>>>
>>>> Empty string passed to getElementById(). (5)
>>>> jquery.js:4:1060
>>>> TypeError: u is undefined
>>>> app.js:1:362059
>>>> Empty string passed to getElementById(). (5)
>>>> jquery.js:4:1060
>>>> TypeError: t is undefined
>>>> app.js:1:217432
>>>>
>>>> I'm definitely not a web kind of guy so I'm not sure if this is
>>>> helpful or not.
>>>> This is on 4.4.0, API Version 2.213.
>>>>
>>>>
>>>> Bret
>>>>
>>>>
>>>> On 04/26/2017 08:35 AM, Bret Wortman wrote:
>>>>> Good news. One of my servers _does_ have CA installed. So why does
>>>>> "Action -> New Certificate" not do anything on this or any other server?
>>>>>
>>>>>
>>>>> Bret
>>>>>
>>>>>
>>>>> On 04/25/2017 02:52 PM, Bret Wortman wrote:
>>>>>> I recently had to upgrade all my Fedora IPA servers to C7. It went
>>>>>> well, and we've been up and running nicely on 4.4.0 on C7 for the
>>>>>> past month or so.
>>>>>>
>>>>>> Today, someone came and asked me to generate a new certificate for
>>>>>> their web server. All was good until I went to the IPA UI and tried
>>>>>> to perform Actions->New Certificate, which did nothing. I tried
>>>>>> each of our 3 servers in turn. All came back with no popup window
>>>>>> and no error, either.
>>>>>>
>>>>>> I suspect the problem might be that we no longer have a CA server
>>>>>> due to the method I used to upgrade the servers. I likely missed a
>>>>>> "--setup-ca" in there somewhere, so my rolling update rolled over
>>>>>> the CA.
>>>>>>
>>>>>> What's my best hope of recovery? I never ran this before, so I'm
>>>>>> not sure if this shows that I'm missing a CA or not:
>>>>>>
>>>>>> # ipa ca-find
>>>>>> ------------
>>>>>> 1 CA matched
>>>>>> ------------
>>>>>> Name: ipa
>>>>>> Description IPA CA
>>>>>> Authority ID: 3ce3346[...]
>>>>>> Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM
>>>>>> Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM
>>>>>> ----------------------------
>>>>>> Number of entries returned 1
>>>>>> ----------------------------
>>>>>> # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA,
>>>>>> O=DAMASCUSGRP.COM"
>>>>>> ipa: ERROR: Failed to authenticate to CA REST API
>>>>>> # klist
>>>>>> Ticket cache: KEYRING:persistent:0:0
>>>>>> Default principal: admin at DAMASCUSGRP.COM
>>>>>>
>>>>>> Valid starting Expires Service principal
>>>>>> 04/25/2017 18:48:26 04/26/2017 18:48:21
>>>>>> krbtgt/DAMASCUSGRP.COM at DAMASCUSGRP.COM
>>>>>> #
>>>>>>
>>>>>>
>>>>>> What's my best path of recovery?
>>>>>>
>>>>>> --
>>>>>> *Bret Wortman*
>>>>>> The Damascus Group
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>

From bret.wortman at damascusgrp.com Tue May 2 14:58:10 2017
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Tue, 2 May 2017 10:58:10 -0400
Subject: [Freeipa-users] I think I lost my CA...
In-Reply-To:
References: <25b53b08-ede0-7627-4b31-d9cb7de50b38@damascusgrp.com> <2da4022b-408a-846e-1acf-1d1b576987a6@damascusgrp.com> <42070482-0397-f4c7-552d-6215b6140197@damascusgrp.com> <50a036fb-b118-878e-5983-85427aefb8e5@damascusgrp.com> <81f171a5-3bea-ed43-94a0-c20f53b756f0@damascusgrp.com> <28c6acf8-a76f-6676-729e-8608b2cc1249@redhat.com>
Message-ID:

The closest I found was this:

[02/May/2017:14:33:57][localhost-startStop-1]: No rule can be found for publishing: cacert
[02/May/2017:14:33:37][localhost-startStop-1]: published ca cert
[02/May/2017:14:33:37][localhost-startStop-1]: CMSEngine: ca startup done

On 05/02/2017 10:50 AM, Bret Wortman wrote:
> I plowed through /var/log/pki/pki-tomcat/ca/debug, but nothing jumps
> out as looking like an error.
>
> The cert-show failure is troubling, but my inability to get CSRs
> turned into certs is what's actually driving this.
>
>
> Bret
>
>
> On 04/26/2017 06:02 PM, Rob Crittenden wrote:
>> Bret Wortman wrote:
>>> So I can see my certs using cert-find, but can't get details using
>>> cert-show or add new ones using cert-request.
>>>
>>> # ipa cert-find
>>> :
>>> ------------------------------
>>> Number of entries returned 385
>>> ------------------------------
>>> # ipa cert-show 895
>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>> communicate with CMS (503)
>>> # ipa cert-show 1 (which does not exist)
>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>> communicate with CMS (503)
>>> # ipa cert-status 895
>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>> communicate with CMS (503)
>>> #
>>>
>>> Is this an IPV6 thing? Because ipactl shows everything green and
>>> certmonger is running.
>> Doubtful.
>>
>> cert-find and cert-show use different APIs in dogtag. cert-find uses the
>> newer RESTful API and cert-show uses the older XML-based API (and is
>> authenticated). I'm guessing that is where the issue lies.
>>
>> What I'd recommend doing is noting the time, restarting the CA, and then
>> plow through the debug log looking for failures. It could be that the CA
>> is only partially up (and I'd check your CA subsystem certs as well).
>>
>> rob
>>
>>> Bret
>>>
>>>
>>> On 04/26/2017 09:03 AM, Bret Wortman wrote:
>>>> Digging still deeper:
>>>>
>>>> # ipa cert-request f.f
>>>> --principal=HTTP/`hostname`@DAMASCUSGRP.COM
>>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>> communicate with CMS (503)
>>>>
>>>> Looks like this is an HTTP error; so is it possible that my IPA thinks
>>>> it has a CA but there's no CMS available?
>>>>
>>>>
>>>> On 04/26/2017 08:41 AM, Bret Wortman wrote:
>>>>> Using the firefox debugger, I get these errors when trying to pop up
>>>>> the New Certificate dialog:
>>>>>
>>>>> Empty string passed to getElementById(). (5)
>>>>> jquery.js:4:1060
>>>>> TypeError: u is undefined
>>>>> app.js:1:362059
>>>>> Empty string passed to getElementById(). (5)
>>>>> jquery.js:4:1060
>>>>> TypeError: t is undefined
>>>>> app.js:1:217432
>>>>>
>>>>> I'm definitely not a web kind of guy so I'm not sure if this is
>>>>> helpful or not. This is on 4.4.0, API Version 2.213.
>>>>>
>>>>>
>>>>> Bret
>>>>>
>>>>>
>>>>> On 04/26/2017 08:35 AM, Bret Wortman wrote:
>>>>>> Good news. One of my servers _does_ have CA installed. So why does
>>>>>> "Action -> New Certificate" not do anything on this or any other
>>>>>> server?
>>>>>>
>>>>>>
>>>>>> Bret
>>>>>>
>>>>>>
>>>>>> On 04/25/2017 02:52 PM, Bret Wortman wrote:
>>>>>>> I recently had to upgrade all my Fedora IPA servers to C7. It went
>>>>>>> well, and we've been up and running nicely on 4.4.0 on C7 for the
>>>>>>> past month or so.
>>>>>>>
>>>>>>> Today, someone came and asked me to generate a new certificate for
>>>>>>> their web server. All was good until I went to the IPA UI and tried
>>>>>>> to perform Actions->New Certificate, which did nothing. I tried
>>>>>>> each of our 3 servers in turn. All came back with no popup window
>>>>>>> and no error, either.
>>>>>>>
>>>>>>> I suspect the problem might be that we no longer have a CA server
>>>>>>> due to the method I used to upgrade the servers. I likely missed a
>>>>>>> "--setup-ca" in there somewhere, so my rolling update rolled over
>>>>>>> the CA.
>>>>>>>
>>>>>>> What's my best hope of recovery? I never ran this before, so I'm
>>>>>>> not sure if this shows that I'm missing a CA or not:
>>>>>>>
>>>>>>> # ipa ca-find
>>>>>>> ------------
>>>>>>> 1 CA matched
>>>>>>> ------------
>>>>>>> Name: ipa
>>>>>>> Description IPA CA
>>>>>>> Authority ID: 3ce3346[...]
>>>>>>> Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM >>>>>>> Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM >>>>>>> ---------------------------- >>>>>>> Number of entries returned 1 >>>>>>> ---------------------------- >>>>>>> # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA, >>>>>>> O=DAMASCUSGRP.COM" >>>>>>> ipa: ERROR: Failed to authenticate to CA REST API >>>>>>> # klist >>>>>>> Ticket cache: KEYRING:persistent:0:0 >>>>>>> Default principal: admin at DAMASCUSGRP.COM >>>>>>> >>>>>>> Valid starting Expires Service principal >>>>>>> 04/25/2017 18:48:26 04/26/2017 18:48:21 >>>>>>> krbtgt/DAMASCUSGRP.COM at DAMASCUSGRP.COM >>>>>>> # >>>>>>> >>>>>>> >>>>>>> What's my best path of recovery? >>>>>>> >>>>>>> -- >>>>>>> *Bret Wortman* >>>>>>> The Damascus Group >>>>>>> >>>>>> >>>>>> >>>>> >>>>> >>>> >>>> >>> >>> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From t.ruiten at rdmedia.com Tue May 2 15:19:39 2017 From: t.ruiten at rdmedia.com (Tiemen Ruiten) Date: Tue, 2 May 2017 17:19:39 +0200 Subject: [Freeipa-users] GSSAPI authentication from trusted AD domain Message-ID: Hello, I now have a working two-way trust between Active Directory ( clients.rdmedia.com) and FreeIPA (i.rdmedia.com). Users from the AD can authenticate to FreeIPA hosts and the other way around. Great! Next, I'm trying to achieve passwordless Single Sign On through GSSAPI for Windows clients to FreeIPA hosts. This doesn't seem to be working, despite setting ipa host-mod --ok-as-delegate=TRUE To be clear, what I'm trying to do: log in from an AD account (adm.tiemen), from an AD host (leon.clients.rdmedia.com) to a FreeIPA host ( neodymium.test.ams.i.rdmedia.com) with the same AD account. I expect to be logged in through GSSAPI, instead I get a password prompt. Is this supposed to work? Did I miss something? 

Below the SSH log from the FreeIPA host with LogLevel DEBUG3:

May 2 17:10:32 neodymium sshd[572]: debug3: fd 5 is not O_NONBLOCK
May 2 17:10:32 neodymium sshd[572]: debug1: Forked child 752.
May 2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: entering fd = 8 config len 922
May 2 17:10:32 neodymium sshd[572]: debug3: ssh_msg_send: type 0
May 2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: done
May 2 17:10:32 neodymium sshd[752]: debug3: oom_adjust_restore
May 2 17:10:32 neodymium sshd[752]: Set /proc/self/oom_score_adj to 0
May 2 17:10:32 neodymium sshd[752]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
May 2 17:10:32 neodymium sshd[752]: debug1: inetd sockets after dupping: 3, 3
May 2 17:10:32 neodymium sshd[752]: Connection from 192.168.10.155 port 53106 on 192.168.50.63 port 22
May 2 17:10:32 neodymium sshd[752]: debug1: Client protocol version 2.0; client software version PuTTY_KiTTY
May 2 17:10:32 neodymium sshd[752]: debug1: no match: PuTTY_KiTTY
May 2 17:10:32 neodymium sshd[752]: debug1: Enabling compatibility mode for protocol 2.0
May 2 17:10:32 neodymium sshd[752]: debug1: Local version string SSH-2.0-OpenSSH_6.6.1
May 2 17:10:32 neodymium sshd[752]: debug2: fd 3 setting O_NONBLOCK
May 2 17:10:32 neodymium sshd[752]: debug3: ssh_sandbox_init: preparing rlimit sandbox
May 2 17:10:32 neodymium sshd[752]: debug2: Network child is on pid 753
May 2 17:10:32 neodymium sshd[752]: debug3: preauth child monitor started
May 2 17:10:32 neodymium sshd[752]: debug1: SELinux support disabled [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: privsep user:group 74:74 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug1: permanently_set_uid: 74/74 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug1: list_hostkey_types: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type 42 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect entering: type 43 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking request 42
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type 43
May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT sent [preauth]
May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT received [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==, curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, aes128-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour, rijndael-cbc at lysator.liu.se [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, aes128-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour, rijndael-cbc at lysator.liu.se [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com, umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com, hmac-sha2-512-etm at openssh.com,hmac-ripemd160-etm at openssh.com, hmac-sha1-96-etm at openssh.com,hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1, umac-64 at openssh.com,umac-128 at openssh.com ,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com, umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com, hmac-sha2-512-etm at openssh.com,hmac-ripemd160-etm at openssh.com, hmac-sha1-96-etm at openssh.com,hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1, umac-64 at openssh.com,umac-128 at openssh.com ,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none, zlib at openssh.com [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none, zlib at openssh.com [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: reserved 0 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,rsa2048-sha256,rsa1024-sha1,diffie-hellman-group1-sha1 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: aes256-ctr,aes256-cbc,rijndael-cbc at lysator.liu.se ,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1305 at openssh.com,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: aes256-ctr,aes256-cbc,rijndael-cbc at lysator.liu.se ,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1305 at openssh.com,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-etm at openssh.com, hmac-sha1-etm at openssh.com,hmac-sha1-96-etm at openssh.com, hmac-md5-etm at openssh.com [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-256-etm at openssh.com, hmac-sha1-etm at openssh.com,hmac-sha1-96-etm at openssh.com, hmac-md5-etm at openssh.com [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,zlib [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,zlib [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: reserved 0 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: mac_setup: setup hmac-sha2-256 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug1: kex: client->server aes256-ctr hmac-sha2-256 none [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: mac_setup: setup hmac-sha2-256 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug1: kex: server->client aes256-ctr hmac-sha2-256 none [preauth]
May 2 17:10:32 neodymium sshd[752]: debug1: kex: curve25519-sha256 at libssh.org need=32 dh_need=32 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type 120 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect entering: type 121 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking request 120
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type 121
May 2 17:10:32 neodymium sshd[752]: debug1: kex: curve25519-sha256 at libssh.org need=32 dh_need=32 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type 120 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect entering: type 121 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking request 120
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type 121
May 2 17:10:32 neodymium sshd[752]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_key_sign entering [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type 6 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect entering: type 7 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering [preauth]
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking request 6
May 2 17:10:32 neodymium sshd[752]: debug3: mm_answer_sign
May 2 17:10:32 neodymium sshd[752]: debug3: mm_answer_sign: signature 0x7f7ea34ed250(83)
May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type 7
May 2 17:10:32 neodymium sshd[752]: debug2: monitor_read: 6 used once, disabling now
May 2 17:10:32 neodymium sshd[752]: debug2: kex_derive_keys [preauth]
May 2 17:10:32 neodymium sshd[752]: debug2: set_newkeys: mode 1 [preauth]
May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
May 2 17:10:32 neodymium sshd[752]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
May 2 17:10:33 neodymium sshd[752]: debug2: set_newkeys: mode 0 [preauth]
May 2 17:10:33 neodymium sshd[752]: debug1: SSH2_MSG_NEWKEYS received [preauth]
May 2 17:10:33 neodymium sshd[752]: debug1: KEX done [preauth]
May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user adm.tiemen at clients.rdmedia.com service ssh-connection method none [preauth]
May 2 17:10:42 neodymium sshd[752]: debug1: attempt 0 failures 0 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_getpwnamallow entering [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type 8 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect entering: type 9 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request 8
May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pwnamallow
May 2 17:10:42 neodymium sshd[752]: debug3: Trying to reverse map address 192.168.10.155.
May 2 17:10:42 neodymium sshd[752]: debug2: parse_server_config: config reprocess config len 922
May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type 9
May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 8 used once, disabling now
May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: setting up authctxt for adm.tiemen at clients.rdmedia.com [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_start_pam entering [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type 100 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_inform_authserv entering [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type 4 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_inform_authrole entering [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type 80 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: try method none [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: userauth_finish: failure partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive" [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request 100
May 2 17:10:42 neodymium sshd[752]: debug1: PAM: initializing for " adm.tiemen at clients.rdmedia.com"
May 2 17:10:42 neodymium sshd[752]: debug1: PAM: setting PAM_RHOST to "192.168.10.155"
May 2 17:10:42 neodymium sshd[752]: debug1: PAM: setting PAM_TTY to "ssh"
May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 100 used once, disabling now
May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user adm.tiemen at clients.rdmedia.com service ssh-connection method gssapi-with-mic [preauth]
May 2 17:10:42 neodymium sshd[752]: debug1: attempt 1 failures 0 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: try method gssapi-with-mic [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type 42 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect entering: type 43 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request 4
May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_authserv: service=ssh-connection, style=
May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 4 used once, disabling now
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request 80
May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_authrole: role=
May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 80 used once, disabling now
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request 42
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type 43
May 2 17:10:42 neodymium sshd[752]: Postponed gssapi-with-mic for adm.tiemen at clients.rdmedia.com from 192.168.10.155 port 53106 ssh2 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user adm.tiemen at clients.rdmedia.com service ssh-connection method keyboard-interactive [preauth]
May 2 17:10:42 neodymium sshd[752]: debug1: attempt 2 failures 0 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: try method keyboard-interactive [preauth]
May 2 17:10:42 neodymium sshd[752]: debug1: keyboard-interactive devs [preauth]
May 2 17:10:42 neodymium sshd[752]: debug1: auth2_challenge: user= adm.tiemen at clients.rdmedia.com devs= [preauth]
May 2 17:10:42 neodymium sshd[752]: debug1: kbdint_alloc: devices 'pam' [preauth]
May 2 17:10:42 neodymium sshd[752]: debug2: auth2_challenge_start: devices pam [preauth]
May 2 17:10:42 neodymium sshd[752]: debug2: kbdint_next_device: devices [preauth]
May 2 17:10:42 neodymium sshd[752]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_init_ctx [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type 104 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect entering: type 105 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request 104
May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pam_init_ctx
May 2 17:10:42 neodymium sshd[752]: debug3: PAM: sshpam_init_ctx entering
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type 105
May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type 106 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect entering: type 107 [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering [preauth]
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering
May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request 106
May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pam_query
May 2 17:10:42 neodymium sshd[752]: debug3: PAM: sshpam_query entering
May 2 17:10:42 neodymium sshd[752]: debug3: ssh_msg_recv entering
May 2 17:10:42 neodymium sshd[766]: debug3: PAM: sshpam_thread_conv entering, 1 messages
May 2 17:10:42 neodymium sshd[766]: debug3: ssh_msg_send: type 1
May 2 17:10:42 neodymium sshd[766]: debug3: ssh_msg_recv entering
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type 107
May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query: pam_query returned 0 [preauth]
May 2 17:10:42 neodymium sshd[752]: Postponed keyboard-interactive for adm.tiemen at clients.rdmedia.com from 192.168.10.155 port 53106 ssh2 [preauth]

--
Tiemen Ruiten
Systems Engineer
R&D Media

From striker at terranforge.com Tue May 2 15:43:18 2017
From: striker at terranforge.com (Striker Leggette)
Date: Tue, 2 May 2017 11:43:18 -0400
Subject: [Freeipa-users] FreeIPA @ SouthEast Linux Fest 2017
Message-ID:

Hi,

I will be hosting a table at the SouthEast Linux Fest in Charlotte, North Carolina this year from June 9th to the 11th and would like to invite anyone in the area to stop by and hang out. At the table, I will be giving a brief overlook as to what FreeIPA is and the potential it has.

Last year, I hosted a talk about joining Fedora machines to Active Directory so that AD users could authenticate into the Fedora machine. While many folks were interested in this talk, some folks were asking me about IPA and how it could fit into the scenario.

I am expecting to be asked questions that I will not be able to answer, which is normal for anyone hosting an open-demonstration. Any help that folks here can provide would be appreciated. Or, feel free to just stop by and say "Hi".

southeastlinuxfest.org

--
Striker Leggette
Identity Management
linkedin.com/in/striker

From uncommonkat at gmail.com Tue May 2 15:44:15 2017
From: uncommonkat at gmail.com (Kat)
Date: Tue, 2 May 2017 10:44:15 -0500
Subject: [Freeipa-users] External cert with correct CSR?
Message-ID: <34364bc8-7bc5-635d-4d0b-6866b823d91d@gmail.com>

Hi all,

I am somewhat confused trying to get the process of using an external cert for IPA. If I follow step 1:

ipa-server-install -a Secret123 -p Secret123 -r EXAMPLE.COM --external-ca -U

This does indeed generate a CSR, but trying to do anything with this CSR has no success since it is not properly formed with all info. In other words, ipa does not add country, state, location, etc. If I submit this CSR to any cert company, it will, of course, complain.

Is there a way to get this right? Or am I just missing something here?

Thanks
K

From t.ruiten at rdmedia.com Tue May 2 15:46:34 2017
From: t.ruiten at rdmedia.com (Tiemen Ruiten)
Date: Tue, 2 May 2017 17:46:34 +0200
Subject: [Freeipa-users] GSSAPI authentication from trusted AD domain
In-Reply-To: <1974436417.1342.1493739612106.JavaMail.zimbra@tresgeek.net>
References: <1974436417.1342.1493739612106.JavaMail.zimbra@tresgeek.net>
Message-ID:

I think I just realised that my expectation may be wrong: GSSAPI login with a FreeIPA user logged in on an AD host to a FreeIPA host works. So is it correct to also expect passwordless login with an AD user to a FreeIPA host?

On 2 May 2017 at 17:40, Jason B. Nance wrote:
> Hi Tiemen,
>
> To be clear, what I'm trying to do: log in from an AD account
> (adm.tiemen), from an AD host (leon.clients.rdmedia.com) to a FreeIPA
> host (neodymium.test.ams.i.rdmedia.com) with the same AD account. I
> expect to be logged in through GSSAPI, instead I get a password prompt.
>
> I'm assuming that you are coming from a Windows client that is domain
> joined and logged into that Windows client with the same domain credentials
> that you are using to connect to the IPA-joined host. Do you also have
> your SSH client configured to attempt GSSAPI? It appears that you do from
> the logs you provided but I'm just double-checking.
>
> In my setup I've found that this feature does not work all of the time.
> I've not yet been able to track it down and I'm assuming it has something
> to do with connections to domain controllers timing out, but at this point
> that is speculation.
>
> So to answer your question, yes, that should work. Sorry I don't have
> more information for you, I guess I'm basically "me too"ing your post.
>
> Regards,
>
> j
>
> Is this supposed to work? Did I miss something?
>
> Below the SSH log from the FreeIPA host with LogLevel DEBUG3:
>
> May 2 17:10:32 neodymium sshd[572]: debug3: fd 5 is not O_NONBLOCK
> May 2 17:10:32 neodymium sshd[572]: debug1: Forked child 752.
> May 2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: entering fd
> = 8 config len 922
> May 2 17:10:32 neodymium sshd[572]: debug3: ssh_msg_send: type 0
> May 2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: done
> May 2 17:10:32 neodymium sshd[752]: debug3: oom_adjust_restore
> May 2 17:10:32 neodymium sshd[752]: Set /proc/self/oom_score_adj to 0
> May 2 17:10:32 neodymium sshd[752]: debug1: rexec start in 5 out 5
> newsock 5 pipe 7 sock 8
> May 2 17:10:32 neodymium sshd[752]: debug1: inetd sockets after dupping:
> 3, 3
> May 2 17:10:32 neodymium sshd[752]: Connection from 192.168.10.155 port
> 53106 on 192.168.50.63 port 22
> May 2 17:10:32 neodymium sshd[752]: debug1: Client protocol version 2.0;
> client software version PuTTY_KiTTY
> May 2 17:10:32 neodymium sshd[752]: debug1: no match: PuTTY_KiTTY
> May 2 17:10:32 neodymium sshd[752]: debug1: Enabling compatibility mode
> for protocol 2.0
> May 2 17:10:32 neodymium sshd[752]: debug1: Local version string
> SSH-2.0-OpenSSH_6.6.1
> May 2 17:10:32 neodymium sshd[752]: debug2: fd 3 setting O_NONBLOCK
> May 2 17:10:32 neodymium sshd[752]: debug3: ssh_sandbox_init: preparing
> rlimit sandbox
> May 2 17:10:32 neodymium sshd[752]: debug2: Network child is on pid 753
> May 2 17:10:32 neodymium sshd[752]: debug3: preauth child monitor started
> May 2 17:10:32 neodymium sshd[752]: debug1: SELinux support disabled
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: privsep user:group 74:74
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug1: permanently_set_uid: 74/74
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug1: list_hostkey_types:
> ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> type 42 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
> entering: type 43 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
> May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking
> request 42
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> type 43
> May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT sent
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT received
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+
> al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,curve
> 25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-
> nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-
> sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-
> group14-sha1,diffie-hellman-group1-sha1 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes1
> 28-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com
> ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
> aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes1
> 28-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com
> ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
> aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> hmac-md5-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com
> ,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm@
> openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,
> hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,umac-
> 128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,h
> mac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> hmac-md5-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com
> ,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm@
> openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,
> hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,umac-
> 128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,h
> mac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,
> zlib at openssh.com [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,
> zlib at openssh.com [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> first_kex_follows 0 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: reserved 0
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-
> nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-
> sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-
> group14-sha1,rsa2048-sha256,rsa1024-sha1,diffie-hellman-group1-sha1
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
> ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> aes256-ctr,aes256-cbc,rijndael-cbc at lysator.liu.se,aes192-
> ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1305 at openssh.com
> ,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> aes256-ctr,aes256-cbc,rijndael-cbc at lysator.liu.se,aes192-
> ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1305 at openssh.com
> ,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-
> 256-etm at openssh.com,hmac-sha1-etm at openssh.com,hmac-sha1-96-etm at openssh.com
> ,hmac-md5-etm at openssh.com [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2-
> 256-etm at openssh.com,hmac-sha1-etm at openssh.com,hmac-sha1-96-etm at openssh.com
> ,hmac-md5-etm at openssh.com [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,zlib
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,zlib
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit:
> first_kex_follows 0 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: reserved 0
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: mac_setup: setup
> hmac-sha2-256 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug1: kex: client->server
> aes256-ctr hmac-sha2-256 none [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug2: mac_setup: setup
> hmac-sha2-256 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug1: kex: server->client
> aes256-ctr hmac-sha2-256 none [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug1: kex:
> curve25519-sha256 at libssh.org need=32 dh_need=32 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> type 120 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
> entering: type 121 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
> May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking
> request 120
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> type 121
> May 2 17:10:32 neodymium sshd[752]: debug1: kex:
> curve25519-sha256 at libssh.org need=32 dh_need=32 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> type 120 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
> entering: type 121 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
> [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering
> May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking
> request 120
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> type 121
> May 2 17:10:32 neodymium sshd[752]: debug1: expecting
> SSH2_MSG_KEX_ECDH_INIT [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_key_sign entering [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering:
> type 6 [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_key_sign: waiting for
> MONITOR_ANS_SIGN [preauth]
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect
> entering: type 7
[preauth] > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering > [preauth] > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering > May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking > request 6 > May 2 17:10:32 neodymium sshd[752]: debug3: mm_answer_sign > May 2 17:10:32 neodymium sshd[752]: debug3: mm_answer_sign: signature > 0x7f7ea34ed250(83) > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: > type 7 > May 2 17:10:32 neodymium sshd[752]: debug2: monitor_read: 6 used once, > disabling now > May 2 17:10:32 neodymium sshd[752]: debug2: kex_derive_keys [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: set_newkeys: mode 1 [preauth] > May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_NEWKEYS sent > [preauth] > May 2 17:10:32 neodymium sshd[752]: debug1: expecting SSH2_MSG_NEWKEYS > [preauth] > May 2 17:10:33 neodymium sshd[752]: debug2: set_newkeys: mode 0 [preauth] > May 2 17:10:33 neodymium sshd[752]: debug1: SSH2_MSG_NEWKEYS received > [preauth] > May 2 17:10:33 neodymium sshd[752]: debug1: KEX done [preauth] > May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user > adm.tiemen at clients.rdmedia.com service ssh-connection method none > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug1: attempt 0 failures 0 [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_getpwnamallow entering > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: > type 8 [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_getpwnamallow: waiting for > MONITOR_ANS_PWNAM [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect > entering: type 9 [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking > request 8 > May 2 17:10:42 neodymium 
sshd[752]: debug3: mm_answer_pwnamallow > May 2 17:10:42 neodymium sshd[752]: debug3: Trying to reverse map address > 192.168.10.155. > May 2 17:10:42 neodymium sshd[752]: debug2: parse_server_config: config > reprocess config len 922 > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pwnamallow: sending > MONITOR_ANS_PWNAM: 1 > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: > type 9 > May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 8 used once, > disabling now > May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: > setting up authctxt for adm.tiemen at clients.rdmedia.com [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_start_pam entering > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: > type 100 [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_inform_authserv entering > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: > type 4 [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_inform_authrole entering > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: > type 80 [preauth] > May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: try > method none [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: userauth_finish: failure > partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive" > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking > request 100 > May 2 17:10:42 neodymium sshd[752]: debug1: PAM: initializing for " > adm.tiemen at clients.rdmedia.com" > May 2 17:10:42 neodymium sshd[752]: debug1: PAM: setting PAM_RHOST to > "192.168.10.155" > May 2 17:10:42 neodymium sshd[752]: debug1: PAM: setting PAM_TTY to "ssh" > May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 100 used once, > disabling now > May 2 17:10:42 neodymium 
sshd[752]: debug1: userauth-request for user > adm.tiemen at clients.rdmedia.com service ssh-connection method > gssapi-with-mic [preauth] > May 2 17:10:42 neodymium sshd[752]: debug1: attempt 1 failures 0 [preauth] > May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: try > method gssapi-with-mic [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: > type 42 [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect > entering: type 43 [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking > request 4 > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_authserv: > service=ssh-connection, style= > May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 4 used once, > disabling now > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking > request 80 > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_authrole: role= > May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 80 used once, > disabling now > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking > request 42 > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: > type 43 > May 2 17:10:42 neodymium sshd[752]: Postponed gssapi-with-mic for > adm.tiemen at clients.rdmedia.com from 192.168.10.155 port 53106 ssh2 > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user > adm.tiemen at clients.rdmedia.com service ssh-connection method > keyboard-interactive [preauth] > May 2 17:10:42 neodymium sshd[752]: debug1: attempt 2 failures 0 [preauth] > May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: try > method 
keyboard-interactive [preauth] > May 2 17:10:42 neodymium sshd[752]: debug1: keyboard-interactive devs > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug1: auth2_challenge: user= > adm.tiemen at clients.rdmedia.com devs= [preauth] > May 2 17:10:42 neodymium sshd[752]: debug1: kbdint_alloc: devices 'pam' > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug2: auth2_challenge_start: > devices pam [preauth] > May 2 17:10:42 neodymium sshd[752]: debug2: kbdint_next_device: devices > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug1: auth2_challenge_start: trying > authentication method 'pam' [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_init_ctx [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: > type 104 [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_init_ctx: waiting > for MONITOR_ANS_PAM_INIT_CTX [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect > entering: type 105 [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking > request 104 > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pam_init_ctx > May 2 17:10:42 neodymium sshd[752]: debug3: PAM: sshpam_init_ctx entering > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: > type 105 > May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: > type 106 [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query: waiting for > MONITOR_ANS_PAM_QUERY [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect > entering: type 107 [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: 
mm_request_receive entering
> May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking
> request 106
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pam_query
> May 2 17:10:42 neodymium sshd[752]: debug3: PAM: sshpam_query entering
> May 2 17:10:42 neodymium sshd[752]: debug3: ssh_msg_recv entering
> May 2 17:10:42 neodymium sshd[766]: debug3: PAM: sshpam_thread_conv
> entering, 1 messages
> May 2 17:10:42 neodymium sshd[766]: debug3: ssh_msg_send: type 1
> May 2 17:10:42 neodymium sshd[766]: debug3: ssh_msg_recv entering
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering:
> type 107
> May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query: pam_query
> returned 0 [preauth]
> May 2 17:10:42 neodymium sshd[752]: Postponed keyboard-interactive for
> adm.tiemen at clients.rdmedia.com from 192.168.10.155 port 53106 ssh2
> [preauth]
>
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media

--
Tiemen Ruiten
Systems Engineer
R&D Media

From jason at tresgeek.net Tue May 2 15:55:28 2017
From: jason at tresgeek.net (Jason B. Nance)
Date: Tue, 2 May 2017 10:55:28 -0500 (CDT)
Subject: [Freeipa-users] GSSAPI authentication from trusted AD domain
In-Reply-To:
References: <1974436417.1342.1493739612106.JavaMail.zimbra@tresgeek.net>
Message-ID: <1241521687.1490.1493740528873.JavaMail.zimbra@tresgeek.net>

> I think I just realised that my expectation may be wrong: GSSAPI login with a
> FreeIPA user logged in on an AD host to a FreeIPA host works. So is it correct
> to also expect passwordless login with an AD user to a FreeIPA host?

If your FreeIPA domain trusts the AD domain, then yes, you can use an AD user to log in to a FreeIPA-joined Linux host from a domain-joined Windows client where you are logged into the Windows client as the AD user (assuming you have your HBACs set up to allow it - if you didn't, password auth wouldn't work either).

Unless you've configured "default_domain_suffix" in sssd.conf the user name is "aduser at addomain.tld". If you have configured "default_domain_suffix" make sure that your user names in AD don't conflict with the user names in IPA.

Regards,

j

> On 2 May 2017 at 17:40, Jason B. Nance <jason at tresgeek.net> wrote:
>> Hi Tiemen,
>>> To be clear, what I'm trying to do: log in from an AD account (adm.tiemen), from
>>> an AD host (leon.clients.rdmedia.com) to a FreeIPA host
>>> (neodymium.test.ams.i.rdmedia.com) with the same AD account. I expect to be
>>> logged in through GSSAPI, instead I get a password prompt.
>> I'm assuming that you are coming from a Windows client that is domain joined and
>> logged into that Windows client with the same domain credentials that you are
>> using to connect to the IPA-joined host. Do you also have your SSH client
>> configured to attempt GSSAPI? It appears that you do from the logs you provided
>> but I'm just double-checking.
>> In my setup I've found that this feature does not work all of the time. I've not
>> yet been able to track it down and I'm assuming it has something to do with
>> connections to domain controllers timing out, but at this point that is
>> speculation.
>> So to answer your question, yes, that should work. Sorry I don't have more
>> information for you, I guess I'm basically "me too"ing your post.
>> Regards,
>> j
>>> Is this supposed to work? Did I miss something?
>>> Below the SSH log from the FreeIPA host with LogLevel DEBUG3:
>>> --
>>> Tiemen Ruiten
>>> Systems Engineer
>>> R&D Media
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> [ https://www.redhat.com/mailman/listinfo/freeipa-users |
>>> https://www.redhat.com/mailman/listinfo/freeipa-users ]
>>> Go to [ http://freeipa.org/ |
http://freeipa.org ] for more info on the project > -- > Tiemen Ruiten > Systems Engineer > R&D Media -------------- next part -------------- An HTML attachment was scrubbed... URL: From jason at tresgeek.net Tue May 2 15:40:12 2017 From: jason at tresgeek.net (Jason B. Nance) Date: Tue, 2 May 2017 10:40:12 -0500 (CDT) Subject: [Freeipa-users] GSSAPI authentication from trusted AD domain In-Reply-To: References: Message-ID: <1974436417.1342.1493739612106.JavaMail.zimbra@tresgeek.net> Hi Tiemen, > To be clear, what I'm trying to do: log in from an AD account (adm.tiemen), from > an AD host ( [ http://leon.clients.rdmedia.com/ | leon.clients.rdmedia.com ] ) > to a FreeIPA host ( [ http://neodymium.test.ams.i.rdmedia.com/ | > neodymium.test.ams.i.rdmedia.com ] ) with the same AD account. I expect to be > logged in through GSSAPI, instead I get a password prompt. I'm assuming that you are coming from a Windows client that is domain joined and logged into that Windows client with the same domain credentials that you are using to connect to the IPA-joined host. Do you also have your SSH client configured to attempt GSSAPI? It appears that you do from the logs you provided but I'm just double-checking. In my setup I've found that this feature does not work all of the time. I've not yet been able to track it down and I'm assuming it has something to do with connections to domain controllers timing out, but at this point that is speculation. So to answer your question, yes, that should work. Sorry I don't have more information for you, I guess I'm basically "me too"ing your post. Regards, j > Is this supposed to work? Did I miss something? > Below the SSH log from the FreeIPA host with LogLevel DEBUG3: > May 2 17:10:32 neodymium sshd[572]: debug3: fd 5 is not O_NONBLOCK > May 2 17:10:32 neodymium sshd[572]: debug1: Forked child 752. 
> May 2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: entering fd = 8 > config len 922 > May 2 17:10:32 neodymium sshd[572]: debug3: ssh_msg_send: type 0 > May 2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: done > May 2 17:10:32 neodymium sshd[752]: debug3: oom_adjust_restore > May 2 17:10:32 neodymium sshd[752]: Set /proc/self/oom_score_adj to 0 > May 2 17:10:32 neodymium sshd[752]: debug1: rexec start in 5 out 5 newsock 5 > pipe 7 sock 8 > May 2 17:10:32 neodymium sshd[752]: debug1: inetd sockets after dupping: 3, 3 > May 2 17:10:32 neodymium sshd[752]: Connection from 192.168.10.155 port 53106 on > 192.168.50.63 port 22 > May 2 17:10:32 neodymium sshd[752]: debug1: Client protocol version 2.0; client > software version PuTTY_KiTTY > May 2 17:10:32 neodymium sshd[752]: debug1: no match: PuTTY_KiTTY > May 2 17:10:32 neodymium sshd[752]: debug1: Enabling compatibility mode for > protocol 2.0 > May 2 17:10:32 neodymium sshd[752]: debug1: Local version string > SSH-2.0-OpenSSH_6.6.1 > May 2 17:10:32 neodymium sshd[752]: debug2: fd 3 setting O_NONBLOCK > May 2 17:10:32 neodymium sshd[752]: debug3: ssh_sandbox_init: preparing rlimit > sandbox > May 2 17:10:32 neodymium sshd[752]: debug2: Network child is on pid 753 > May 2 17:10:32 neodymium sshd[752]: debug3: preauth child monitor started > May 2 17:10:32 neodymium sshd[752]: debug1: SELinux support disabled [preauth] > May 2 17:10:32 neodymium sshd[752]: debug3: privsep user:group 74:74 [preauth] > May 2 17:10:32 neodymium sshd[752]: debug1: permanently_set_uid: 74/74 [preauth] > May 2 17:10:32 neodymium sshd[752]: debug1: list_hostkey_types: > ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth] > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type 42 > [preauth] > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect entering: > type 43 [preauth] > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering > [preauth] > May 2 17:10:32 neodymium 
sshd[752]: debug3: mm_request_receive entering > May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking request 42 > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type 43 > May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT sent [preauth] > May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT received [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: > gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==, > [ mailto:curve25519-sha256 at libssh.org | curve25519-sha256 at libssh.org ] > ,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 > [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: > ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, [ > mailto:aes128-gcm at openssh.com | aes128-gcm at openssh.com ] , [ > mailto:aes256-gcm at openssh.com | aes256-gcm at openssh.com ] , [ > mailto:chacha20-poly1305 at openssh.com | chacha20-poly1305 at openssh.com ] > ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour, [ > mailto:rijndael-cbc at lysator.liu.se | rijndael-cbc at lysator.liu.se ] [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128, [ > mailto:aes128-gcm at openssh.com | aes128-gcm at openssh.com ] , [ > mailto:aes256-gcm at openssh.com | aes256-gcm at openssh.com ] , [ > mailto:chacha20-poly1305 at openssh.com | chacha20-poly1305 at openssh.com ] > ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour, [ > mailto:rijndael-cbc at lysator.liu.se | rijndael-cbc at lysator.liu.se ] [preauth] > May 2 17:10:32 neodymium 
sshd[752]: debug2: kex_parse_kexinit: [ > mailto:hmac-md5-etm at openssh.com | hmac-md5-etm at openssh.com ] , [ > mailto:hmac-sha1-etm at openssh.com | hmac-sha1-etm at openssh.com ] , [ > mailto:umac-64-etm at openssh.com | umac-64-etm at openssh.com ] , [ > mailto:umac-128-etm at openssh.com | umac-128-etm at openssh.com ] , [ > mailto:hmac-sha2-256-etm at openssh.com | hmac-sha2-256-etm at openssh.com ] , [ > mailto:hmac-sha2-512-etm at openssh.com | hmac-sha2-512-etm at openssh.com ] , [ > mailto:hmac-ripemd160-etm at openssh.com | hmac-ripemd160-etm at openssh.com ] , [ > mailto:hmac-sha1-96-etm at openssh.com | hmac-sha1-96-etm at openssh.com ] , [ > mailto:hmac-md5-96-etm at openssh.com | hmac-md5-96-etm at openssh.com ] > ,hmac-md5,hmac-sha1, [ mailto:umac-64 at openssh.com | umac-64 at openssh.com ] , [ > mailto:umac-128 at openssh.com | umac-128 at openssh.com ] > ,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, [ > mailto:hmac-ripemd160 at openssh.com | hmac-ripemd160 at openssh.com ] > ,hmac-sha1-96,hmac-md5-96 [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [ > mailto:hmac-md5-etm at openssh.com | hmac-md5-etm at openssh.com ] , [ > mailto:hmac-sha1-etm at openssh.com | hmac-sha1-etm at openssh.com ] , [ > mailto:umac-64-etm at openssh.com | umac-64-etm at openssh.com ] , [ > mailto:umac-128-etm at openssh.com | umac-128-etm at openssh.com ] , [ > mailto:hmac-sha2-256-etm at openssh.com | hmac-sha2-256-etm at openssh.com ] , [ > mailto:hmac-sha2-512-etm at openssh.com | hmac-sha2-512-etm at openssh.com ] , [ > mailto:hmac-ripemd160-etm at openssh.com | hmac-ripemd160-etm at openssh.com ] , [ > mailto:hmac-sha1-96-etm at openssh.com | hmac-sha1-96-etm at openssh.com ] , [ > mailto:hmac-md5-96-etm at openssh.com | hmac-md5-96-etm at openssh.com ] > ,hmac-md5,hmac-sha1, [ mailto:umac-64 at openssh.com | umac-64 at openssh.com ] , [ > mailto:umac-128 at openssh.com | umac-128 at openssh.com ] > 
,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160, [ > mailto:hmac-ripemd160 at openssh.com | hmac-ripemd160 at openssh.com ] > ,hmac-sha1-96,hmac-md5-96 [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none, [ > mailto:zlib at openssh.com | zlib at openssh.com ] [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none, [ > mailto:zlib at openssh.com | zlib at openssh.com ] [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: first_kex_follows > 0 [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: reserved 0 > [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [ > mailto:curve25519-sha256 at libssh.org | curve25519-sha256 at libssh.org ] > ,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,rsa2048-sha256,rsa1024-sha1,diffie-hellman-group1-sha1 > [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: > ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss > [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: > aes256-ctr,aes256-cbc, [ mailto:rijndael-cbc at lysator.liu.se | > rijndael-cbc at lysator.liu.se ] ,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc, [ > mailto:chacha20-poly1305 at openssh.com | chacha20-poly1305 at openssh.com ] > ,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128 [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: > aes256-ctr,aes256-cbc, [ mailto:rijndael-cbc at lysator.liu.se | > rijndael-cbc at lysator.liu.se ] ,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc, [ > mailto:chacha20-poly1305 at openssh.com | chacha20-poly1305 at openssh.com ] > 
,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128 [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: > hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5, [ > mailto:hmac-sha2-256-etm at openssh.com | hmac-sha2-256-etm at openssh.com ] , [ > mailto:hmac-sha1-etm at openssh.com | hmac-sha1-etm at openssh.com ] , [ > mailto:hmac-sha1-96-etm at openssh.com | hmac-sha1-96-etm at openssh.com ] , [ > mailto:hmac-md5-etm at openssh.com | hmac-md5-etm at openssh.com ] [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: > hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5, [ > mailto:hmac-sha2-256-etm at openssh.com | hmac-sha2-256-etm at openssh.com ] , [ > mailto:hmac-sha1-etm at openssh.com | hmac-sha1-etm at openssh.com ] , [ > mailto:hmac-sha1-96-etm at openssh.com | hmac-sha1-96-etm at openssh.com ] , [ > mailto:hmac-md5-etm at openssh.com | hmac-md5-etm at openssh.com ] [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,zlib > [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none,zlib > [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: first_kex_follows > 0 [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: reserved 0 > [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: mac_setup: setup hmac-sha2-256 > [preauth] > May 2 17:10:32 neodymium sshd[752]: debug1: kex: client->server aes256-ctr > hmac-sha2-256 none [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: mac_setup: setup hmac-sha2-256 > [preauth] > May 2 17:10:32 neodymium sshd[752]: debug1: kex: server->client aes256-ctr > hmac-sha2-256 none [preauth] > May 2 17:10:32 neodymium sshd[752]: debug1: kex: [ > mailto:curve25519-sha256 at libssh.org | curve25519-sha256 at libssh.org ] need=32 > dh_need=32 
[preauth] > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type 120 > [preauth] > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect entering: > type 121 [preauth] > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering > [preauth] > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering > May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking request 120 > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type 121 > May 2 17:10:32 neodymium sshd[752]: debug1: kex: [ > mailto:curve25519-sha256 at libssh.org | curve25519-sha256 at libssh.org ] need=32 > dh_need=32 [preauth] > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type 120 > [preauth] > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect entering: > type 121 [preauth] > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering > [preauth] > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering > May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking request 120 > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type 121 > May 2 17:10:32 neodymium sshd[752]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT > [preauth] > May 2 17:10:32 neodymium sshd[752]: debug3: mm_key_sign entering [preauth] > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type 6 > [preauth] > May 2 17:10:32 neodymium sshd[752]: debug3: mm_key_sign: waiting for > MONITOR_ANS_SIGN [preauth] > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect entering: > type 7 [preauth] > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering > [preauth] > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering > May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking request 6 > May 2 17:10:32 neodymium sshd[752]: debug3: mm_answer_sign > May 2 17:10:32 neodymium 
sshd[752]: debug3: mm_answer_sign: signature > 0x7f7ea34ed250(83) > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: type 7 > May 2 17:10:32 neodymium sshd[752]: debug2: monitor_read: 6 used once, disabling > now > May 2 17:10:32 neodymium sshd[752]: debug2: kex_derive_keys [preauth] > May 2 17:10:32 neodymium sshd[752]: debug2: set_newkeys: mode 1 [preauth] > May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_NEWKEYS sent [preauth] > May 2 17:10:32 neodymium sshd[752]: debug1: expecting SSH2_MSG_NEWKEYS [preauth] > May 2 17:10:33 neodymium sshd[752]: debug2: set_newkeys: mode 0 [preauth] > May 2 17:10:33 neodymium sshd[752]: debug1: SSH2_MSG_NEWKEYS received [preauth] > May 2 17:10:33 neodymium sshd[752]: debug1: KEX done [preauth] > May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user [ > mailto:adm.tiemen at clients.rdmedia.com | adm.tiemen at clients.rdmedia.com ] > service ssh-connection method none [preauth] > May 2 17:10:42 neodymium sshd[752]: debug1: attempt 0 failures 0 [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_getpwnamallow entering [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type 8 > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_getpwnamallow: waiting for > MONITOR_ANS_PWNAM [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect entering: > type 9 [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request 8 > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pwnamallow > May 2 17:10:42 neodymium sshd[752]: debug3: Trying to reverse map address > 192.168.10.155. 
> May 2 17:10:42 neodymium sshd[752]: debug2: parse_server_config: config > reprocess config len 922 > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pwnamallow: sending > MONITOR_ANS_PWNAM: 1 > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type 9 > May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 8 used once, disabling > now > May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: setting up > authctxt for [ mailto:adm.tiemen at clients.rdmedia.com | > adm.tiemen at clients.rdmedia.com ] [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_start_pam entering [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type 100 > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_inform_authserv entering > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type 4 > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_inform_authrole entering > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type 80 > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: try method > none [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: userauth_finish: failure partial=0 > next > methods="publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive" > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request 100 > May 2 17:10:42 neodymium sshd[752]: debug1: PAM: initializing for " [ > mailto:adm.tiemen at clients.rdmedia.com | adm.tiemen at clients.rdmedia.com ] " > May 2 17:10:42 neodymium sshd[752]: debug1: PAM: setting PAM_RHOST to > "192.168.10.155" > May 2 17:10:42 neodymium sshd[752]: debug1: PAM: setting PAM_TTY to "ssh" > May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 100 used once, > disabling now > May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for 
user [ > mailto:adm.tiemen at clients.rdmedia.com | adm.tiemen at clients.rdmedia.com ] > service ssh-connection method gssapi-with-mic [preauth] > May 2 17:10:42 neodymium sshd[752]: debug1: attempt 1 failures 0 [preauth] > May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: try method > gssapi-with-mic [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type 42 > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect entering: > type 43 [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request 4 > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_authserv: > service=ssh-connection, style= > May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 4 used once, disabling > now > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request 80 > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_authrole: role= > May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 80 used once, > disabling now > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request 42 > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type 43 > May 2 17:10:42 neodymium sshd[752]: Postponed gssapi-with-mic for [ > mailto:adm.tiemen at clients.rdmedia.com | adm.tiemen at clients.rdmedia.com ] from > 192.168.10.155 port 53106 ssh2 [preauth] > May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user [ > mailto:adm.tiemen at clients.rdmedia.com | adm.tiemen at clients.rdmedia.com ] > service ssh-connection method keyboard-interactive [preauth] > May 2 17:10:42 neodymium sshd[752]: debug1: attempt 2 failures 0 [preauth] > 
May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: try method > keyboard-interactive [preauth] > May 2 17:10:42 neodymium sshd[752]: debug1: keyboard-interactive devs [preauth] > May 2 17:10:42 neodymium sshd[752]: debug1: auth2_challenge: user= [ > mailto:adm.tiemen at clients.rdmedia.com | adm.tiemen at clients.rdmedia.com ] devs= > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug1: kbdint_alloc: devices 'pam' > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug2: auth2_challenge_start: devices pam > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug2: kbdint_next_device: devices > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug1: auth2_challenge_start: trying > authentication method 'pam' [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_init_ctx [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type 104 > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_init_ctx: waiting for > MONITOR_ANS_PAM_INIT_CTX [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect entering: > type 105 [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request 104 > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pam_init_ctx > May 2 17:10:42 neodymium sshd[752]: debug3: PAM: sshpam_init_ctx entering > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type 105 > May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type 106 > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query: waiting for > MONITOR_ANS_PAM_QUERY [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect entering: > type 107 [preauth] > May 2 17:10:42 
neodymium sshd[752]: debug3: mm_request_receive entering > [preauth] > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking request 106 > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pam_query > May 2 17:10:42 neodymium sshd[752]: debug3: PAM: sshpam_query entering > May 2 17:10:42 neodymium sshd[752]: debug3: ssh_msg_recv entering > May 2 17:10:42 neodymium sshd[766]: debug3: PAM: sshpam_thread_conv entering, 1 > messages > May 2 17:10:42 neodymium sshd[766]: debug3: ssh_msg_send: type 1 > May 2 17:10:42 neodymium sshd[766]: debug3: ssh_msg_recv entering > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type 107 > May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query: pam_query returned > 0 [preauth] > May 2 17:10:42 neodymium sshd[752]: Postponed keyboard-interactive for [ > mailto:adm.tiemen at clients.rdmedia.com | adm.tiemen at clients.rdmedia.com ] from > 192.168.10.155 port 53106 ssh2 [preauth] > -- > Tiemen Ruiten > Systems Engineer > R&D Media > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -------------- next part -------------- An HTML attachment was scrubbed... URL: From rcritten at redhat.com Tue May 2 16:04:41 2017 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 2 May 2017 12:04:41 -0400 Subject: [Freeipa-users] External cert with correct CSR? In-Reply-To: <34364bc8-7bc5-635d-4d0b-6866b823d91d@gmail.com> References: <34364bc8-7bc5-635d-4d0b-6866b823d91d@gmail.com> Message-ID: <5cb693ea-dd7f-5f05-774f-6e1012959320@redhat.com> Kat wrote: > Hi all, > > I am somewhat confused trying to get the process of using an external > cert for IPA. 
>
> If I follow step 1:
> ipa-server-install -a Secret123 -p Secret123 -r EXAMPLE.COM
> --external-ca -U
>
> This does indeed generate a CSR, but trying to do anything with this CSR
> has no success since it is not properly formed with all info. In
> other words, ipa does not add country, state, location, etc. If I submit
> this CSR to any cert company, it will of course, complain. Is there a
> way to get this right? Or am I just missing something here?
>

What cert company are you trying to get to sign this? This is a CA cert,
I don't know that any of the major ones will sign this, at least not
without a huge check.

What version of IPA?

rob

From uncommonkat at gmail.com Tue May 2 16:10:12 2017
From: uncommonkat at gmail.com (Kat)
Date: Tue, 2 May 2017 11:10:12 -0500
Subject: [Freeipa-users] External cert with correct CSR?
In-Reply-To: <5cb693ea-dd7f-5f05-774f-6e1012959320@redhat.com>
References: <34364bc8-7bc5-635d-4d0b-6866b823d91d@gmail.com> <5cb693ea-dd7f-5f05-774f-6e1012959320@redhat.com>
Message-ID: <2463c17f-707d-af9d-34b5-a34fcfc47a99@gmail.com>

Yeah, after I sent this email, I realized what I was trying to do and
that, "Oh wait, this is not really going to work."

For what it is worth - version on RHEL 7.3 - 4.4.0-14.el7_3.7

-K

On 5/2/17 11:04 AM, Rob Crittenden wrote:
> Kat wrote:
>> Hi all,
>>
>> I am somewhat confused trying to get the process of using an external
>> cert for IPA.
>>
>> If I follow step 1:
>> ipa-server-install -a Secret123 -p Secret123 -r EXAMPLE.COM
>> --external-ca -U
>>
>> This does indeed generate a CSR, but trying to do anything with this CSR
>> has no success since it is not properly formed with all info. In
>> other words, ipa does not add country, state, location, etc. If I submit
>> this CSR to any cert company, it will of course, complain. Is there a
>> way to get this right? Or am I just missing something here?
>>
> What cert company are you trying to get to sign this? This is a CA cert,
> I don't know that any of the major ones will sign this, at least not
> without a huge check.
>
> What version of IPA?
>
> rob
>

From sbose at redhat.com Tue May 2 16:25:51 2017
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 2 May 2017 18:25:51 +0200
Subject: [Freeipa-users] GSSAPI authentication from trusted AD domain
In-Reply-To:
References: <1974436417.1342.1493739612106.JavaMail.zimbra@tresgeek.net>
Message-ID: <20170502162551.GB23465@p.Speedport_W_724V_Typ_A_05011603_00_011>

On Tue, May 02, 2017 at 05:46:34PM +0200, Tiemen Ruiten wrote:
> I think I just realised that my expectation may be wrong: GSSAPI login with
> a FreeIPA user logged in on an AD host to a FreeIPA host works. So is it
> correct to also expect passwordless login with an AD user to a FreeIPA host?

The AD user case should work as well. First please send the SSSD version
you use on the IPA client, alternatively you can check if
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin exists or not. This
would tell if SSSD can map the user name to the Kerberos principal or if
additional configuration is needed.

On the AD host please check after trying to connect with ssh if there is
a proper service ticket for the IPA client by calling 'klist' in cmd.exe
or PowerShell.

bye,
Sumit

>
> On 2 May 2017 at 17:40, Jason B. Nance wrote:
>
> > Hi Tiemen,
> >
> > To be clear, what I'm trying to do: log in from an AD account
> > (adm.tiemen), from an AD host (leon.clients.rdmedia.com) to a FreeIPA
> > host (neodymium.test.ams.i.rdmedia.com) with the same AD account. I
> > expect to be logged in through GSSAPI, instead I get a password prompt.
> >
> > I'm assuming that you are coming from a Windows client that is domain
> > joined and logged into that Windows client with the same domain credentials
> > that you are using to connect to the IPA-joined host. Do you also have
> > your SSH client configured to attempt GSSAPI? It appears that you do from
> > the logs you provided but I'm just double-checking.
> >
> > In my setup I've found that this feature does not work all of the time.
> > I've not yet been able to track it down and I'm assuming it has something
> > to do with connections to domain controllers timing out, but at this point
> > that is speculation.
> >
> > So to answer your question, yes, that should work. Sorry I don't have
> > more information for you, I guess I'm basically "me too"ing your post.
> >
> > Regards,
> >
> > j
> >
> > Is this supposed to work? Did I miss something?
> >
> > Below the SSH log from the FreeIPA host with LogLevel DEBUG3:
sshd[752]: debug2: kex_parse_kexinit: [preauth] > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: [preauth] > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: > > first_kex_follows 0 [preauth] > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: reserved 0 > > [preauth] > > May 2 17:10:32 neodymium sshd[752]: debug2: mac_setup: setup > > hmac-sha2-256 [preauth] > > May 2 17:10:32 neodymium sshd[752]: debug1: kex: client->server > > aes256-ctr hmac-sha2-256 none [preauth] > > May 2 17:10:32 neodymium sshd[752]: debug2: mac_setup: setup > > hmac-sha2-256 [preauth] > > May 2 17:10:32 neodymium sshd[752]: debug1: kex: server->client > > aes256-ctr hmac-sha2-256 none [preauth] > > May 2 17:10:32 neodymium sshd[752]: debug1: kex: > > curve25519-sha256 at libssh.org need=32 dh_need=32 [preauth] > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: > > type 120 [preauth] > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect > > entering: type 121 [preauth] > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering > > [preauth] > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering > > May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking > > request 120 > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: > > type 121 > > May 2 17:10:32 neodymium sshd[752]: debug1: kex: > > curve25519-sha256 at libssh.org need=32 dh_need=32 [preauth] > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: > > type 120 [preauth] > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect > > entering: type 121 [preauth] > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering > > [preauth] > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering > > May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking > > request 120 > > May 2 17:10:32 neodymium 
sshd[752]: debug3: mm_request_send entering: > > type 121 > > May 2 17:10:32 neodymium sshd[752]: debug1: expecting > > SSH2_MSG_KEX_ECDH_INIT [preauth] > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_key_sign entering [preauth] > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: > > type 6 [preauth] > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_key_sign: waiting for > > MONITOR_ANS_SIGN [preauth] > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect > > entering: type 7 [preauth] > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering > > [preauth] > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive entering > > May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking > > request 6 > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_answer_sign > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_answer_sign: signature > > 0x7f7ea34ed250(83) > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: > > type 7 > > May 2 17:10:32 neodymium sshd[752]: debug2: monitor_read: 6 used once, > > disabling now > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_derive_keys [preauth] > > May 2 17:10:32 neodymium sshd[752]: debug2: set_newkeys: mode 1 [preauth] > > May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_NEWKEYS sent > > [preauth] > > May 2 17:10:32 neodymium sshd[752]: debug1: expecting SSH2_MSG_NEWKEYS > > [preauth] > > May 2 17:10:33 neodymium sshd[752]: debug2: set_newkeys: mode 0 [preauth] > > May 2 17:10:33 neodymium sshd[752]: debug1: SSH2_MSG_NEWKEYS received > > [preauth] > > May 2 17:10:33 neodymium sshd[752]: debug1: KEX done [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user > > adm.tiemen at clients.rdmedia.com service ssh-connection method none > > [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug1: attempt 0 failures 0 [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_getpwnamallow entering > 
> [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: > > type 8 [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_getpwnamallow: waiting for > > MONITOR_ANS_PWNAM [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect > > entering: type 9 [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > > [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking > > request 8 > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pwnamallow > > May 2 17:10:42 neodymium sshd[752]: debug3: Trying to reverse map address > > 192.168.10.155. > > May 2 17:10:42 neodymium sshd[752]: debug2: parse_server_config: config > > reprocess config len 922 > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pwnamallow: sending > > MONITOR_ANS_PWNAM: 1 > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: > > type 9 > > May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 8 used once, > > disabling now > > May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: > > setting up authctxt for adm.tiemen at clients.rdmedia.com [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_start_pam entering > > [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: > > type 100 [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_inform_authserv entering > > [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: > > type 4 [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_inform_authrole entering > > [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: > > type 80 [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: try > > method none [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: userauth_finish: failure > 
> partial=0 next methods="publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive" > > [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking > > request 100 > > May 2 17:10:42 neodymium sshd[752]: debug1: PAM: initializing for " > > adm.tiemen at clients.rdmedia.com" > > May 2 17:10:42 neodymium sshd[752]: debug1: PAM: setting PAM_RHOST to > > "192.168.10.155" > > May 2 17:10:42 neodymium sshd[752]: debug1: PAM: setting PAM_TTY to "ssh" > > May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 100 used once, > > disabling now > > May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user > > adm.tiemen at clients.rdmedia.com service ssh-connection method > > gssapi-with-mic [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug1: attempt 1 failures 0 [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: try > > method gssapi-with-mic [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: > > type 42 [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect > > entering: type 43 [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > > [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking > > request 4 > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_authserv: > > service=ssh-connection, style= > > May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 4 used once, > > disabling now > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking > > request 80 > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_authrole: role= > > May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 80 used once, > > disabling now > > 
May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking > > request 42 > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: > > type 43 > > May 2 17:10:42 neodymium sshd[752]: Postponed gssapi-with-mic for > > adm.tiemen at clients.rdmedia.com from 192.168.10.155 port 53106 ssh2 > > [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user > > adm.tiemen at clients.rdmedia.com service ssh-connection method > > keyboard-interactive [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug1: attempt 2 failures 0 [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: try > > method keyboard-interactive [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug1: keyboard-interactive devs > > [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug1: auth2_challenge: user= > > adm.tiemen at clients.rdmedia.com devs= [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug1: kbdint_alloc: devices 'pam' > > [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug2: auth2_challenge_start: > > devices pam [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug2: kbdint_next_device: devices > > [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug1: auth2_challenge_start: trying > > authentication method 'pam' [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_init_ctx [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: > > type 104 [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_init_ctx: waiting > > for MONITOR_ANS_PAM_INIT_CTX [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect > > entering: type 105 [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > > [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > > May 2 17:10:42 neodymium sshd[752]: debug3: 
monitor_read: checking > > request 104 > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pam_init_ctx > > May 2 17:10:42 neodymium sshd[752]: debug3: PAM: sshpam_init_ctx entering > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: > > type 105 > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: > > type 106 [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query: waiting for > > MONITOR_ANS_PAM_QUERY [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect > > entering: type 107 [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > > [preauth] > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive entering > > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking > > request 106 > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pam_query > > May 2 17:10:42 neodymium sshd[752]: debug3: PAM: sshpam_query entering > > May 2 17:10:42 neodymium sshd[752]: debug3: ssh_msg_recv entering > > May 2 17:10:42 neodymium sshd[766]: debug3: PAM: sshpam_thread_conv > > entering, 1 messages > > May 2 17:10:42 neodymium sshd[766]: debug3: ssh_msg_send: type 1 > > May 2 17:10:42 neodymium sshd[766]: debug3: ssh_msg_recv entering > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: > > type 107 > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query: pam_query > > returned 0 [preauth] > > May 2 17:10:42 neodymium sshd[752]: Postponed keyboard-interactive for > > adm.tiemen at clients.rdmedia.com from 192.168.10.155 port 53106 ssh2 > > [preauth] > > > > > > > > > > > > > > > > > > -- > > Tiemen Ruiten > > Systems Engineer > > R&D Media > > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the 
From t.ruiten at rdmedia.com Tue May 2 17:45:30 2017
From: t.ruiten at rdmedia.com (Tiemen Ruiten)
Date: Tue, 2 May 2017 19:45:30 +0200
Subject: [Freeipa-users] GSSAPI authentication from trusted AD domain
In-Reply-To: <20170502162551.GB23465@p.Speedport_W_724V_Typ_A_05011603_00_011>
References: <1974436417.1342.1493739612106.JavaMail.zimbra@tresgeek.net>
 <20170502162551.GB23465@p.Speedport_W_724V_Typ_A_05011603_00_011>
Message-ID:

It's a CentOS 7.3 host, the version of sssd is 1.14.0, so there's no need
for mapping. However on the AD host:

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

adm.tiemen at VM-WIN-01 C:\Users\adm.tiemen>klist

Current LogonId is 0:0x603b58

Cached Tickets: (0)

adm.tiemen at VM-WIN-01 C:\Users\adm.tiemen>

Note that this is the domain controller and I'm logged in using the
experimental Win32-OpenSSH server. Not sure if that makes a difference. I
am not currently in the office, so unfortunately can't turn on the only
joined laptop in this domain. How can I ensure a proper ticket is generated?

On 2 May 2017 at 18:25, Sumit Bose wrote:

> On Tue, May 02, 2017 at 05:46:34PM +0200, Tiemen Ruiten wrote:
> > I think I just realised that my expectation may be wrong: GSSAPI login with
> > a FreeIPA user logged in on an AD host to a FreeIPA host works. So is it
> > correct to also expect passwordless login with an AD user to a FreeIPA host?
>
> The AD user case should work as well.
>
> First please send the SSSD version you use on the IPA client,
> alternatively you can check if
> /var/lib/sss/pubconf/krb5.include.d/localauth_plugin exists or not.
> This would tell if SSSD can map the user name to the Kerberos principal or if
> additional configuration is needed.
>
> On the AD host please check after trying to connect with ssh if there is
> a proper service ticket for the IPA client by calling 'klist' in cmd.exe
> or PowerShell.
>
> bye,
> Sumit
>
> >
> > On 2 May 2017 at 17:40, Jason B. Nance wrote:
> >
> > > Hi Tiemen,
> > >
> > > To be clear, what I'm trying to do: log in from an AD account
> > > (adm.tiemen), from an AD host (leon.clients.rdmedia.com) to a FreeIPA
> > > host (neodymium.test.ams.i.rdmedia.com) with the same AD account. I
> > > expect to be logged in through GSSAPI, instead I get a password prompt.
> > >
> > > I'm assuming that you are coming from a Windows client that is domain
> > > joined and logged into that Windows client with the same domain credentials
> > > that you are using to connect to the IPA-joined host. Do you also have
> > > your SSH client configured to attempt GSSAPI? It appears that you do from
> > > the logs you provided but I'm just double-checking.
> > >
> > > In my setup I've found that this feature does not work all of the time.
> > > I've not yet been able to track it down and I'm assuming it has something
> > > to do with connections to domain controllers timing out, but at this point
> > > that is speculation.
> > >
> > > So to answer your question, yes, that should work. Sorry I don't have
> > > more information for you, I guess I'm basically "me too"ing your post.
> > >
> > > Regards,
> > >
> > > j
> > >
> > > Is this supposed to work? Did I miss something?
> > >
> > > Below the SSH log from the FreeIPA host with LogLevel DEBUG3:
> > >
> > > May 2 17:10:32 neodymium sshd[572]: debug3: fd 5 is not O_NONBLOCK
> > > May 2 17:10:32 neodymium sshd[572]: debug1: Forked child 752.
neodymium sshd[752]: debug3: monitor_read: checking > > > request 104 > > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pam_init_ctx > > > May 2 17:10:42 neodymium sshd[752]: debug3: PAM: sshpam_init_ctx > entering > > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: > > > type 105 > > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query [preauth] > > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: > > > type 106 [preauth] > > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query: waiting > for > > > MONITOR_ANS_PAM_QUERY [preauth] > > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect > > > entering: type 107 [preauth] > > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive > entering > > > [preauth] > > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive > entering > > > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking > > > request 106 > > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pam_query > > > May 2 17:10:42 neodymium sshd[752]: debug3: PAM: sshpam_query entering > > > May 2 17:10:42 neodymium sshd[752]: debug3: ssh_msg_recv entering > > > May 2 17:10:42 neodymium sshd[766]: debug3: PAM: sshpam_thread_conv > > > entering, 1 messages > > > May 2 17:10:42 neodymium sshd[766]: debug3: ssh_msg_send: type 1 > > > May 2 17:10:42 neodymium sshd[766]: debug3: ssh_msg_recv entering > > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: > > > type 107 > > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query: pam_query > > > returned 0 [preauth] > > > May 2 17:10:42 neodymium sshd[752]: Postponed keyboard-interactive for > > > adm.tiemen at clients.rdmedia.com from 192.168.10.155 port 53106 ssh2 > > > [preauth] > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > Tiemen Ruiten > > > Systems Engineer > > > R&D Media > > > > > > -- > > > Manage your subscription for the 
Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project

--
Tiemen Ruiten
Systems Engineer
R&D Media

From hack at nerd-marrow.com Tue May 2 20:50:38 2017
From: hack at nerd-marrow.com (Jay Fenlason)
Date: Tue, 2 May 2017 16:50:38 -0400
Subject: [Freeipa-users] LDAP size limit and the FreeIPA web UI
Message-ID: <20170502205038.GA21434@nerd-marrow.com>

One of my users is having trouble because the FreeIPA web interface
does not work well with a DNS zone that contains more than 2000
entries. When he goes to Network Services->DNS->DNS Zones and selects
the problematic zone, he gets an error popup saying the results were
truncated because the number of entries exceeds the LDAP server's
search limit. I went in to IPA Server->Configuration and changed the
Search size limit, but raising it over 2000 requires manually
modifying the LDAP server configuration.

Are there any plans to improve the web UI so that it does not require
such a large size limit when viewing a DNS zone? Are there
other GUI tools that can be used to view/edit the DNS zone data (and
that don't also suffer from hitting these search size limits)?

I'm using ipa-server-4.4.0-14.el7.centos.6.x86_64 if it matters.
-- JF

From b.candler at pobox.com Wed May 3 08:04:05 2017
From: b.candler at pobox.com (Brian Candler)
Date: Wed, 3 May 2017 09:04:05 +0100
Subject: [Freeipa-users] ubuntu 16.04 freeipa-client + sssd + sudo: "policy plugin returns 0"
Message-ID: <7446b44a-ca97-e209-99e7-36f515988827@pobox.com>

Hi,

I have FreeIPA set up under CentOS 7. When I use freeipa-client to add an
ubuntu 14.04 client it works fine (*). However when I do the same with ubuntu
16.04, sudo always refuses to run:

$ sudo -s
[sudo] password for brian.candler:
brian.candler is not allowed to run sudo on api-dev.int.example.com. This incident will be reported.

I have a simple one-entry sudo policy which says that for all users in
groups X and Y, on all hosts, run all commands. (**)

If I crank up sudo logging by setting this in /etc/sudo.conf:

Debug sudo /var/log/sudo-debug all@info

then on the working 14.04 machine I see

... various settings ...
May 2 22:05:27 sudo[19175] settings: plugin_dir=/usr/lib/sudo/
May 2 22:05:27 sudo[19175] user_info: user=brian.candler
May 2 22:05:27 sudo[19175] user_info: pid=19175
... lots more user_info, perms, netgroups etc ...
May 2 22:05:29 sudo[19175] policy plugin returns 1
...

but on the failing 16.04 machine I see only this:

May 3 07:44:56 sudo[21118] will restore signal 13 on exec
May 3 07:44:56 sudo[21118] comparing dev 34817 to /dev/pts/1: match! @ sudo_ttyname_dev() ./ttyname.c:336
May 3 07:44:56 sudo[21118] settings: run_shell=true
May 3 07:44:56 sudo[21118] settings: progname=sudo
May 3 07:44:56 sudo[21118] settings: network_addrs=x.x.x.x/255.255.255.0 xxxx:xxxx:xxxx:xxxx::230/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff fe80::1:xxxx:xxxx:xxxx/ffff:ffff:ffff:ffff::
May 3 07:44:56 sudo[21118] settings: plugin_dir=/usr/lib/sudo/
May 3 07:44:58 sudo[21118] policy plugin returns 0

That's all that gets logged - nothing more. It seems that a return of 0
means failure:

https://www.sudo.ws/man/1.8.15/sudo_plugin.man.html

"open()
...
Returns 1 on success, 0 on failure, -1 if a general error occurred, or -2 if
there was a usage error."

But I have no idea what sort of failure or why.

/var/log/auth.log shows:

May 3 08:00:14 api-dev sudo: pam_unix(sudo:auth): authentication failure; logname=brian.candler uid=1211000003 euid=0 tty=/dev/pts/1 ruser=brian.candler rhost= user=brian.candler
May 3 08:00:14 api-dev sudo: pam_sss(sudo:auth): authentication success; logname=brian.candler uid=1211000003 euid=0 tty=/dev/pts/1 ruser=brian.candler rhost= user=brian.candler
May 3 08:00:14 api-dev sudo: brian.candler : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/brian.candler ; USER=root ; COMMAND=/bin/bash

(which shows I gave the correct FreeIPA password, but not why the sudoers
lookup failed)

I really can't see where else to look. Both machines have "sudo: files sss"
in /etc/nsswitch.conf, and both have the same /etc/sssd/sssd.conf. Setting
"sss_debuglevel 7" and "sss_cache -UG" shows a lot of noise but no obvious
errors.

I've also upgraded to the latest sudo_1.8.19-3_amd64.deb package from
https://www.sudo.ws/download.html, but this makes no difference.

Has anyone seen this problem before, or have some ideas where else to look?

Thanks,

Brian Candler.

(*) In Ubuntu 14.04 I had to manually add sudo to the list of sssd services:

[sssd]
services = nss, pam, ssh, sudo

but this was done automatically by freeipa-client in Ubuntu 16.04.

(**) Therefore I'm pretty sure this is not the netgroups problem, for which
the fix has been released anyway:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1607666
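
The checks this message walks through, as an added example that is not part of the thread and not sudo or SSSD project code: it separates the PAM result from sudo's policy decision in the quoted auth.log lines and inspects the two client settings the message mentions. Function names are hypothetical, and the nsswitch.conf and sssd.conf text is constructed for the example.

```python
import configparser
import re

# Constructed nsswitch.conf bodies: the key as first quoted in the message,
# and the database name that sudo itself looks up.
NSSWITCH_AS_QUOTED = "passwd: compat sss\ngroup: compat sss\nsudo: files sss\n"
NSSWITCH_SUDOERS = "passwd: compat sss\ngroup: compat sss\nsudoers: files sss\n"

# Constructed sssd.conf fragment around the services line from the message.
SSSD_CONF = "[sssd]\nservices = nss, pam, ssh, sudo\ndomains = IPA.EXAMPLE.COM\n"

# The three /var/log/auth.log lines quoted in the message.
AUTH_LOG = [
    "May 3 08:00:14 api-dev sudo: pam_unix(sudo:auth): authentication failure; "
    "logname=brian.candler uid=1211000003 euid=0 tty=/dev/pts/1 "
    "ruser=brian.candler rhost= user=brian.candler",
    "May 3 08:00:14 api-dev sudo: pam_sss(sudo:auth): authentication success; "
    "logname=brian.candler uid=1211000003 euid=0 tty=/dev/pts/1 "
    "ruser=brian.candler rhost= user=brian.candler",
    "May 3 08:00:14 api-dev sudo: brian.candler : user NOT in sudoers ; "
    "TTY=pts/1 ; PWD=/home/brian.candler ; USER=root ; COMMAND=/bin/bash",
]

PAM_RE = re.compile(
    r"sudo: (pam_\w+)\(sudo:auth\): authentication (success|failure);.* user=(\S+)"
)
DENY_RE = re.compile(r"sudo:\s+(\S+)\s+: user NOT in sudoers ;")


def check_nsswitch(text):
    """Return findings about how sudo will resolve its policy sources."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if ":" in line:
            name, sources = line.split(":", 1)
            databases[name.strip()] = sources.split()
    findings = []
    if "sudo" in databases:
        findings.append("'sudo:' is not a database name sudo reads; use 'sudoers:'")
    if "sudoers" not in databases:
        findings.append("no 'sudoers:' line, so only the local sudoers file is consulted")
    elif "sss" not in databases["sudoers"]:
        findings.append("'sudoers:' does not list the sss source")
    return findings


def sssd_sudo_responder_enabled(text):
    """True when the [sssd] services list in sssd.conf includes sudo."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    services = parser.get("sssd", "services", fallback="")
    return "sudo" in [s.strip() for s in services.split(",")]


def triage_auth_log(lines, user):
    """Separate the PAM (authentication) result from sudo's policy decision."""
    pam = {}
    denied = False
    for line in lines:
        pam_match = PAM_RE.search(line)
        if pam_match and pam_match.group(3) == user:
            pam[pam_match.group(1)] = pam_match.group(2)
            continue
        deny_match = DENY_RE.search(line)
        if deny_match and deny_match.group(1) == user:
            denied = True
    if "success" in pam.values() and denied:
        stage = "authorization"   # a PAM module accepted the password, policy said no
    elif pam and "success" not in pam.values():
        stage = "authentication"  # every logged PAM module rejected the password
    else:
        stage = "undetermined"
    return {"pam": pam, "denied_by_policy": denied, "stage": stage}


if __name__ == "__main__":
    print(check_nsswitch(NSSWITCH_AS_QUOTED))
    print(sssd_sudo_responder_enabled(SSSD_CONF))
    print(triage_auth_log(AUTH_LOG, "brian.candler"))
```

A result of `authorization` means the failure lies in the sudoers lookup path (nsswitch.conf, the SSSD sudo responder, or the rules it returns) rather than in the password check.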
From pvoborni at redhat.com Wed May 3 08:14:58 2017
From: pvoborni at redhat.com (Petr Vobornik)
Date: Wed, 3 May 2017 10:14:58 +0200
Subject: [Freeipa-users] LDAP size limit and the FreeIPA web UI
In-Reply-To: <20170502205038.GA21434@nerd-marrow.com>
References: <20170502205038.GA21434@nerd-marrow.com>
Message-ID: <0af50679-632f-30e7-d2d4-7e11011caa35@redhat.com>

On 05/02/2017 10:50 PM, Jay Fenlason wrote:
> One of my users is having trouble because the FreeIPA web interface
> does not work well with a DNS zone that contains more than 2000
> entries. When he goes to Network Services->DNS->DNS Zones and selects
> the problematic zone, he gets an error popup saying the results were
> truncated because the number of entries exceeds the LDAP server's
> search limit. I went in to IPA Server->Configuration and changed the
> Search size limit, but raising it over 2000 requires manually
> modifying the LDAP server configuration.
>
> Are there any plans to improve the web UI so that it does not require
> such a large size limit when viewing a DNS zone? Are there
> other GUI tools that can be used to view/edit the DNS zone data (and
> that don't also suffer from hitting these search size limits)?
>
> I'm using ipa-server-4.4.0-14.el7.centos.6.x86_64 if it matters.
>
> -- JF
>

Web UI has the same size limits which are imposed by LDAP server for the
authenticated user. In 4.5 version the warning was changed to be less annoying.

There are currently no specific plans to change Web UI in this area. A thing
which was considered is to disable paging for post pages (e.g. user and host
search) and rely more on size-limits and searching. The reasoning is that
browsing through a lot of records is not very usable and it is better to search.

So I would ask in different way. How would you envision the Web UI should
behave for so many records? E.g. just in DNS area.
-- Petr Vobornik

From jhrozek at redhat.com Wed May 3 08:38:11 2017
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Wed, 3 May 2017 10:38:11 +0200
Subject: [Freeipa-users] ubuntu 16.04 freeipa-client + sssd + sudo: "policy plugin returns 0"
In-Reply-To: <7446b44a-ca97-e209-99e7-36f515988827@pobox.com>
References: <7446b44a-ca97-e209-99e7-36f515988827@pobox.com>
Message-ID: <20170503083811.u4g2fmkijweusvi2@hendrix>

On Wed, May 03, 2017 at 09:04:05AM +0100, Brian Candler wrote:
> Hi,
>
> I have FreeIPA set up under CentOS 7. When I use freeipa-client to add an
> ubuntu 14.04 client it works fine (*). However when I do the same with ubuntu
> 16.04, sudo always refuses to run:
>
> $ sudo -s
> [sudo] password for brian.candler:
> brian.candler is not allowed to run sudo on api-dev.int.example.com. This incident will be reported.
>
> I have a simple one-entry sudo policy which says that for all users in
> groups X and Y, on all hosts, run all commands. (**)
>
> If I crank up sudo logging by setting this in /etc/sudo.conf:
>
> Debug sudo /var/log/sudo-debug all@info
>
> then on the working 14.04 machine I see
>
> ... various settings ...
> May 2 22:05:27 sudo[19175] settings: plugin_dir=/usr/lib/sudo/
> May 2 22:05:27 sudo[19175] user_info: user=brian.candler
> May 2 22:05:27 sudo[19175] user_info: pid=19175
> ... lots more user_info, perms, netgroups etc ...
> May 2 22:05:29 sudo[19175] policy plugin returns 1
> ...
>
> but on the failing 16.04 machine I see only this:
>
> May 3 07:44:56 sudo[21118] will restore signal 13 on exec
> May 3 07:44:56 sudo[21118] comparing dev 34817 to /dev/pts/1: match! @ sudo_ttyname_dev() ./ttyname.c:336
> May 3 07:44:56 sudo[21118] settings: run_shell=true
> May 3 07:44:56 sudo[21118] settings: progname=sudo
> May 3 07:44:56 sudo[21118] settings: network_addrs=x.x.x.x/255.255.255.0 xxxx:xxxx:xxxx:xxxx::230/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff fe80::1:xxxx:xxxx:xxxx/ffff:ffff:ffff:ffff::
> May 3 07:44:56 sudo[21118] settings: plugin_dir=/usr/lib/sudo/
> May 3 07:44:58 sudo[21118] policy plugin returns 0
>
> That's all that gets logged - nothing more. It seems that a return of 0
> means failure:
>
> https://www.sudo.ws/man/1.8.15/sudo_plugin.man.html
>
> "open()
> ...
> Returns 1 on success, 0 on failure, -1 if a general error occurred, or -2 if
> there was a usage error."
>
> But I have no idea what sort of failure or why.
>
> /var/log/auth.log shows:
>
> May 3 08:00:14 api-dev sudo: pam_unix(sudo:auth): authentication failure; logname=brian.candler uid=1211000003 euid=0 tty=/dev/pts/1 ruser=brian.candler rhost= user=brian.candler
> May 3 08:00:14 api-dev sudo: pam_sss(sudo:auth): authentication success; logname=brian.candler uid=1211000003 euid=0 tty=/dev/pts/1 ruser=brian.candler rhost= user=brian.candler
> May 3 08:00:14 api-dev sudo: brian.candler : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/brian.candler ; USER=root ; COMMAND=/bin/bash
>
> (which shows I gave the correct FreeIPA password, but not why the sudoers
> lookup failed)
>
> I really can't see where else to look. Both machines have "sudo: files sss"
> in /etc/nsswitch.conf, and both have the same /etc/sssd/sssd.conf. Setting
> "sss_debuglevel 7" and "sss_cache -UG" shows a lot of noise but no obvious
> errors.

do you have "sudo: files sss" or "sudoers: files sss"? The former doesn't do
anything, the latter is correct.

if you crank up debugging in the sudo section in sssd.conf do you see any
activity at all?

do you have '/usr/lib64/libsss_sudo.so' installed? On fedora/rhel, this is
provided by libsss_sudo, I don't know what provides it on Debian.

>
> I've also upgraded to the latest sudo_1.8.19-3_amd64.deb package from
> https://www.sudo.ws/download.html, but this makes no difference.
>
> Has anyone seen this problem before, or have some ideas where else to look?
>
> Thanks,
>
> Brian Candler.
>
>
> (*) In Ubuntu 14.04 I had to manually add sudo to the list of sssd services:
>
> [sssd]
> services = nss, pam, ssh, sudo
>
> but this was done automatically by freeipa-client in Ubuntu 16.04.
>
> (**) Therefore I'm pretty sure this is not the netgroups problem, for which
> the fix has been released anyway:
> https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1607666

From b.candler at pobox.com Wed May 3 09:13:02 2017
From: b.candler at pobox.com (Brian Candler)
Date: Wed, 3 May 2017 10:13:02 +0100
Subject: [Freeipa-users] ubuntu 16.04 freeipa-client + sssd + sudo: "policy plugin returns 0"
In-Reply-To: <7446b44a-ca97-e209-99e7-36f515988827@pobox.com>
References: <7446b44a-ca97-e209-99e7-36f515988827@pobox.com>
Message-ID:

> do you have "sudo: files sss" or "sudoers: files sss"? The former doesn't do anything, the latter is correct.

My mistake, I meant

sudoers: files sss

But oddly, out of the three 16.04 boxes I set up and enrolled, it was
missing on one of them - and this happened to be the one I was checking
logs on :-( (However, sudo fails in the same way on all three machines)

So after adding this I've rechecked logs. /var/log/sudo-debug is the same,
in particular it still shows "policy plugin returns 0" and nothing after.

With sss_debuglevel 5, /var/log/sssd/sssd_IPA.EXAMPLE.COM.log has

...
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [pam_print_data] (0x0100): ruser: brian.candler
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [pam_print_data] (0x0100): rhost:
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [pam_print_data] (0x0100): authtok type: 0
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [pam_print_data] (0x0100): priv: 0
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [pam_print_data] (0x0100): cli_pid: 22709
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [pam_print_data] (0x0100): logon name: not set
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [ipa_hostgroup_info_done] (0x0200): Dereferenced host group: normal_hosts
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [ipa_hostgroup_info_done] (0x0200): Dereferenced host group: development_hosts
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [hbac_get_category] (0x0200): Category is set to 'all'.
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [ipa_hbac_evaluate_rules] (0x0080): Access granted by HBAC rule [allow_normal_hosts]
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, Success) [Success]
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [be_pam_handler_callback] (0x0100): Sending result [0][IPA.EXAMPLE.COM]
(Wed May 3 08:50:37 2017) [sssd[be[IPA.EXAMPLE.COM]]] [be_pam_handler_callback] (0x0100): Sent result [0][IPA.EXAMPLE.COM]

("allow_normal_hosts" is indeed the name of the rule in FreeIPA database)

sssd.log has:

(Wed May 3 08:50:35 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed May 3 08:50:35 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed May 3 08:50:35 2017) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Wed May 3 08:50:35 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [root] from []
(Wed May 3 08:50:35 2017) [sssd[nss]] [nss_cmd_initgroups_search] (0x0080): No matching domain found for [root], fail!
(Wed May 3 08:50:37 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!

(Hmm, suspicious that error about "root" ??)

sssd_sudo.log has:

(Wed May 3 08:50:35 2017) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Wed May 3 08:50:35 2017) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Wed May 3 08:50:35 2017) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'brian.candler' matched without domain, user is brian.candler
(Wed May 3 08:50:35 2017) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'brian.candler' matched without domain, user is brian.candler
(Wed May 3 08:50:35 2017) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [brian.candler] from []
(Wed May 3 08:50:35 2017) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [brian.candler@IPA.EXAMPLE.COM]
(Wed May 3 08:50:35 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=brian.candler)(sudoUser=#1211000003)(sudoUser=%security_administrators)(sudoUser=%admins)(sudoUser=%network_readonly)(sudoUser=%vpn)(sudoUser=%system_administrators)(sudoUser=%ipausers)(sudoUser=%staff)(sudoUser=%brian.candler)(sudoUser=+*))(&(dataExpireTimestamp<=1493801435)))]
(Wed May 3 08:50:35 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Wed May 3 08:50:35 2017) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'brian.candler' matched without domain, user is brian.candler
(Wed May 3 08:50:35 2017) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'brian.candler' matched without domain, user is brian.candler
(Wed May 3 08:50:35 2017) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [brian.candler] from []
(Wed May 3 08:50:35 2017) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [brian.candler@IPA.EXAMPLE.COM]
(Wed May 3 08:50:35 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=brian.candler)(sudoUser=#1211000003)(sudoUser=%security_administrators)(sudoUser=%admins)(sudoUser=%network_readonly)(sudoUser=%vpn)(sudoUser=%system_administrators)(sudoUser=%ipausers)(sudoUser=%staff)(sudoUser=%brian.candler)(sudoUser=+*))(&(dataExpireTimestamp<=1493801435)))]
(Wed May 3 08:50:35 2017) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(sudoUser=brian.candler)(sudoUser=#1211000003)(sudoUser=%security_administrators)(sudoUser=%admins)(sudoUser=%network_readonly)(sudoUser=%vpn)(sudoUser=%system_administrators)(sudoUser=%ipausers)(sudoUser=%staff)(sudoUser=%brian.candler)(sudoUser=+*)))]
(Wed May 3 08:50:37 2017) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!

sssd_pam.log has:

(Wed May 3 08:50:37 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Wed May 3 08:50:37 2017) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
(Wed May 3 08:50:37 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'brian.candler' matched without domain, user is brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): user: brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 22709
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [brian.candler@IPA.EXAMPLE.COM]
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: IPA.EXAMPLE.COM
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): user: brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 22709
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][IPA.EXAMPLE.COM]
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 83
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100): entering pam_cmd_acct_mgmt
(Wed May 3 08:50:37 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'brian.candler' matched without domain, user is brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): user: brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 22709
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [brian.candler@IPA.EXAMPLE.COM]
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: IPA.EXAMPLE.COM
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): user: brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): service: sudo
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/pts/1
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 22709
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: brian.candler
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][IPA.EXAMPLE.COM]
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Wed May 3 08:50:37 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 34
(Wed May 3 08:50:37 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
I probably should have said: logging into the machine with an IPA account works fine, and "id brian.candler" works fine. It's just sudo which is failing. > if you crank up debugging in the sudo section in sssd.conf do you see any activity at all? do you have '/usr/lib64/libsss_sudo.so' installed? On fedora/rhel, this is provided by libsss_sudo, I don't know what provides it on Debian. Yes it's there, in this package: ii libsss-sudo 1.13.4-1ubuntu1.2 amd64 Communicator library for sudo # ls -l /usr/lib/x86_64-linux-gnu/libsss_sudo.so -rw-r--r-- 1 root root 19048 Feb 23 17:53 /usr/lib/x86_64-linux-gnu/libsss_sudo.so # file /usr/lib/x86_64-linux-gnu/libsss_sudo.so /usr/lib/x86_64-linux-gnu/libsss_sudo.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=7eb72ec85bdd76aca8d82e03a3fad9aa12abc0ba, stripped Regards, Brian. -------------- next part -------------- An HTML attachment was scrubbed... URL: From t.ruiten at rdmedia.com Wed May 3 09:28:18 2017 From: t.ruiten at rdmedia.com (Tiemen Ruiten) Date: Wed, 3 May 2017 11:28:18 +0200 Subject: [Freeipa-users] GSSAPI authentication from trusted AD domain In-Reply-To: References: <1974436417.1342.1493739612106.JavaMail.zimbra@tresgeek.net> <20170502162551.GB23465@p.Speedport_W_724V_Typ_A_05011603_00_011> Message-ID: Tickets on the FreeIPA host after connecting (with a password): [adm.tiemen at clients.rdmedia.com@neodymium ~]$ klist Ticket cache: KEYRING:persistent:998801112:krb_ccache_ZzERoB1 Default principal: adm.tiemen at CLIENTS.RDMEDIA.COM Valid starting Expires Service principal 05/03/2017 11:26:03 05/03/2017 21:26:03 krbtgt/ CLIENTS.RDMEDIA.COM at CLIENTS.RDMEDIA.COM renew until 05/04/2017 11:26:03 Tickets on the AD laptop after a connection attempt: C:\Users\adm.tiemen.CLIENTS>klist Current LogonId is 0:0x587aa Cached Tickets: (2) #0> Client: adm.tiemen @ CLIENTS.RDMEDIA.COM Server: krbtgt/CLIENTS.RDMEDIA.COM @ CLIENTS.RDMEDIA.COM KerbTicket Encryption Type: 
AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 5/3/2017 11:12:46 (local)
        End Time: 5/3/2017 21:12:46 (local)
        Renew Time: 5/10/2017 11:12:46 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: vm-win-01.clients.rdmedia.com

#1>     Client: adm.tiemen @ CLIENTS.RDMEDIA.COM
        Server: LDAP/vm-win-01.clients.rdmedia.com/clients.rdmedia.com @ CLIENTS.RDMEDIA.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 5/3/2017 11:12:46 (local)
        End Time: 5/3/2017 21:12:46 (local)
        Renew Time: 5/10/2017 11:12:46 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: vm-win-01.clients.rdmedia.com

On 2 May 2017 at 19:45, Tiemen Ruiten wrote:

> It's a CentOS 7.3 host, the version of sssd is 1.14.0, so there's no need
> for mapping. However on the AD host:
>
> Microsoft Windows [Version 6.3.9600]
>
> (c) 2013 Microsoft Corporation. All rights reserved.
>
> adm.tiemen at VM-WIN-01 C:\Users\adm.tiemen>klist
>
> Current LogonId is 0:0x603b58
>
> Cached Tickets: (0)
>
> adm.tiemen at VM-WIN-01 C:\Users\adm.tiemen>
>
> Note that this is the domain controller and I'm logged in using the
> experimental Win32-OpenSSH server. Not sure if that makes a difference. I
> am not currently in the office, so unfortunately can't turn on the only
> joined laptop in this domain.
>
> How can I ensure a proper ticket is generated?
>
> On 2 May 2017 at 18:25, Sumit Bose wrote:
>
>> On Tue, May 02, 2017 at 05:46:34PM +0200, Tiemen Ruiten wrote:
>> > I think I just realised that my expectation may be wrong: GSSAPI login with
>> > a FreeIPA user logged in on an AD host to a FreeIPA host works. So is it
>> > correct to also expect passwordless login with an AD user to a FreeIPA host?
>>
>> The AD user case should work as well.
>>
>> First please send the SSSD version you use on the IPA client,
>> alternatively you can check if
>> /var/lib/sss/pubconf/krb5.include.d/localauth_plugin exists or not. This
>> would tell if SSSD can map the user name to the Kerberos principal or if
>> additional configuration is needed.
>>
>> On the AD host please check after trying to connect with ssh if there is
>> a proper service ticket for the IPA client by calling 'klist' in cmd.exe
>> or PowerShell.
>>
>> bye,
>> Sumit
>>
>> >
>> > On 2 May 2017 at 17:40, Jason B. Nance wrote:
>> >
>> > > Hi Tiemen,
>> > >
>> > > To be clear, what I'm trying to do: log in from an AD account
>> > > (adm.tiemen), from an AD host (leon.clients.rdmedia.com) to a FreeIPA
>> > > host (neodymium.test.ams.i.rdmedia.com) with the same AD account. I
>> > > expect to be logged in through GSSAPI, instead I get a password prompt.
>> > >
>> > > I'm assuming that you are coming from a Windows client that is domain
>> > > joined and logged into that Windows client with the same domain credentials
>> > > that you are using to connect to the IPA-joined host. Do you also have
>> > > your SSH client configured to attempt GSSAPI? It appears that you do from
>> > > the logs you provided but I'm just double-checking.
>> > >
>> > > In my setup I've found that this feature does not work all of the time.
>> > > I've not yet been able to track it down and I'm assuming it has something
>> > > to do with connections to domain controllers timing out, but at this point
>> > > that is speculation.
>> > >
>> > > So to answer your question, yes, that should work. Sorry I don't have
>> > > more information for you, I guess I'm basically "me too"ing your post.
>> > >
>> > > Regards,
>> > >
>> > > j
>> > >
>> > > Is this supposed to work? Did I miss something?
>> > > >> > > Below the SSH log from the FreeIPA host with LogLevel DEBUG3: >> > > >> > > May 2 17:10:32 neodymium sshd[572]: debug3: fd 5 is not O_NONBLOCK >> > > May 2 17:10:32 neodymium sshd[572]: debug1: Forked child 752. >> > > May 2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: >> entering fd >> > > = 8 config len 922 >> > > May 2 17:10:32 neodymium sshd[572]: debug3: ssh_msg_send: type 0 >> > > May 2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: done >> > > May 2 17:10:32 neodymium sshd[752]: debug3: oom_adjust_restore >> > > May 2 17:10:32 neodymium sshd[752]: Set /proc/self/oom_score_adj to 0 >> > > May 2 17:10:32 neodymium sshd[752]: debug1: rexec start in 5 out 5 >> > > newsock 5 pipe 7 sock 8 >> > > May 2 17:10:32 neodymium sshd[752]: debug1: inetd sockets after >> dupping: >> > > 3, 3 >> > > May 2 17:10:32 neodymium sshd[752]: Connection from 192.168.10.155 >> port >> > > 53106 on 192.168.50.63 port 22 >> > > May 2 17:10:32 neodymium sshd[752]: debug1: Client protocol version >> 2.0; >> > > client software version PuTTY_KiTTY >> > > May 2 17:10:32 neodymium sshd[752]: debug1: no match: PuTTY_KiTTY >> > > May 2 17:10:32 neodymium sshd[752]: debug1: Enabling compatibility >> mode >> > > for protocol 2.0 >> > > May 2 17:10:32 neodymium sshd[752]: debug1: Local version string >> > > SSH-2.0-OpenSSH_6.6.1 >> > > May 2 17:10:32 neodymium sshd[752]: debug2: fd 3 setting O_NONBLOCK >> > > May 2 17:10:32 neodymium sshd[752]: debug3: ssh_sandbox_init: >> preparing >> > > rlimit sandbox >> > > May 2 17:10:32 neodymium sshd[752]: debug2: Network child is on pid >> 753 >> > > May 2 17:10:32 neodymium sshd[752]: debug3: preauth child monitor >> started >> > > May 2 17:10:32 neodymium sshd[752]: debug1: SELinux support disabled >> > > [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug3: privsep user:group 74:74 >> > > [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug1: permanently_set_uid: >> 74/74 >> > > [preauth] >> > > May 2 
17:10:32 neodymium sshd[752]: debug1: list_hostkey_types: >> > > ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: >> > > type 42 [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect >> > > entering: type 43 [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive >> entering >> > > [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive >> entering >> > > May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking >> > > request 42 >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: >> > > type 43 >> > > May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT sent >> > > [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT received >> > > [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: >> > > gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5S >> lw5Ew8Mqkay+ >> > > al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,curve >> > > 25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2- >> > > nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange- >> > > sha256,diffie-hellman-group-exchange-sha1,diffie-hellman- >> > > group14-sha1,diffie-hellman-group1-sha1 [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: >> > > ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: >> > > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes1 >> > > 28-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305@ >> openssh.com >> > > ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc, >> > > aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: >> > > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes1 >> > > 28-gcm at 
openssh.com,aes256-gcm at openssh.com,chacha20-poly1305@ >> openssh.com >> > > ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc, >> > > aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: >> > > hmac-md5-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64-e >> tm at openssh.com >> > > ,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac >> -sha2-512-etm@ >> > > openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm@ >> openssh.com, >> > > hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com >> ,umac- >> > > 128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,h >> > > mac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: >> > > hmac-md5-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64-e >> tm at openssh.com >> > > ,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac >> -sha2-512-etm@ >> > > openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm@ >> openssh.com, >> > > hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com >> ,umac- >> > > 128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,h >> > > mac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none, >> > > zlib at openssh.com [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none, >> > > zlib at openssh.com [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: >> [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: >> [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: >> > > first_kex_follows 0 [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: >> reserved 0 >> > > [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: 
debug2: kex_parse_kexinit: >> > > curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2- >> > > nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange- >> > > sha256,diffie-hellman-group-exchange-sha1,diffie-hellman- >> > > group14-sha1,rsa2048-sha256,rsa1024-sha1,diffie-hellman-group1-sha1 >> > > [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: >> > > ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384, >> > > ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: >> > > aes256-ctr,aes256-cbc,rijndael-cbc at lysator.liu.se,aes192- >> > > ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1305 at openssh.com >> > > ,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128 >> > > [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: >> > > aes256-ctr,aes256-cbc,rijndael-cbc at lysator.liu.se,aes192- >> > > ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1305 at openssh.com >> > > ,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128 >> > > [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: >> > > hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2- >> > > 256-etm at openssh.com,hmac-sha1-etm at openssh.com,hmac-sha1-96-e >> tm at openssh.com >> > > ,hmac-md5-etm at openssh.com [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: >> > > hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-sha2- >> > > 256-etm at openssh.com,hmac-sha1-etm at openssh.com,hmac-sha1-96-e >> tm at openssh.com >> > > ,hmac-md5-etm at openssh.com [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: >> none,zlib >> > > [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: >> none,zlib >> > > [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: >> [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug2: 
kex_parse_kexinit: >> [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: >> > > first_kex_follows 0 [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: >> reserved 0 >> > > [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug2: mac_setup: setup >> > > hmac-sha2-256 [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug1: kex: client->server >> > > aes256-ctr hmac-sha2-256 none [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug2: mac_setup: setup >> > > hmac-sha2-256 [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug1: kex: server->client >> > > aes256-ctr hmac-sha2-256 none [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug1: kex: >> > > curve25519-sha256 at libssh.org need=32 dh_need=32 [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: >> > > type 120 [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect >> > > entering: type 121 [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive >> entering >> > > [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive >> entering >> > > May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking >> > > request 120 >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: >> > > type 121 >> > > May 2 17:10:32 neodymium sshd[752]: debug1: kex: >> > > curve25519-sha256 at libssh.org need=32 dh_need=32 [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: >> > > type 120 [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect >> > > entering: type 121 [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive >> entering >> > > [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive >> entering >> > > May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking >> > > request 120 >> > 
> May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: >> > > type 121 >> > > May 2 17:10:32 neodymium sshd[752]: debug1: expecting >> > > SSH2_MSG_KEX_ECDH_INIT [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_key_sign entering >> [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: >> > > type 6 [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_key_sign: waiting for >> > > MONITOR_ANS_SIGN [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect >> > > entering: type 7 [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive >> entering >> > > [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive >> entering >> > > May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking >> > > request 6 >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_answer_sign >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_answer_sign: signature >> > > 0x7f7ea34ed250(83) >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: >> > > type 7 >> > > May 2 17:10:32 neodymium sshd[752]: debug2: monitor_read: 6 used >> once, >> > > disabling now >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_derive_keys [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug2: set_newkeys: mode 1 >> [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_NEWKEYS sent >> > > [preauth] >> > > May 2 17:10:32 neodymium sshd[752]: debug1: expecting >> SSH2_MSG_NEWKEYS >> > > [preauth] >> > > May 2 17:10:33 neodymium sshd[752]: debug2: set_newkeys: mode 0 >> [preauth] >> > > May 2 17:10:33 neodymium sshd[752]: debug1: SSH2_MSG_NEWKEYS received >> > > [preauth] >> > > May 2 17:10:33 neodymium sshd[752]: debug1: KEX done [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user >> > > adm.tiemen at clients.rdmedia.com service ssh-connection method none >> > > [preauth] >> 
> > May 2 17:10:42 neodymium sshd[752]: debug1: attempt 0 failures 0 >> [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_getpwnamallow entering >> > > [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: >> > > type 8 [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_getpwnamallow: >> waiting for >> > > MONITOR_ANS_PWNAM [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect >> > > entering: type 9 [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive >> entering >> > > [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive >> entering >> > > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking >> > > request 8 >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pwnamallow >> > > May 2 17:10:42 neodymium sshd[752]: debug3: Trying to reverse map >> address >> > > 192.168.10.155. >> > > May 2 17:10:42 neodymium sshd[752]: debug2: parse_server_config: >> config >> > > reprocess config len 922 >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pwnamallow: >> sending >> > > MONITOR_ANS_PWNAM: 1 >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: >> > > type 9 >> > > May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 8 used >> once, >> > > disabling now >> > > May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: >> > > setting up authctxt for adm.tiemen at clients.rdmedia.com [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_start_pam entering >> > > [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: >> > > type 100 [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_inform_authserv >> entering >> > > [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: >> > > type 4 [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_inform_authrole >> 
entering >> > > [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: >> > > type 80 [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: >> try >> > > method none [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: userauth_finish: failure >> > > partial=0 next methods="publickey,gssapi-keye >> x,gssapi-with-mic,password,keyboard-interactive" >> > > [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive >> entering >> > > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking >> > > request 100 >> > > May 2 17:10:42 neodymium sshd[752]: debug1: PAM: initializing for " >> > > adm.tiemen at clients.rdmedia.com" >> > > May 2 17:10:42 neodymium sshd[752]: debug1: PAM: setting PAM_RHOST to >> > > "192.168.10.155" >> > > May 2 17:10:42 neodymium sshd[752]: debug1: PAM: setting PAM_TTY to >> "ssh" >> > > May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 100 used >> once, >> > > disabling now >> > > May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user >> > > adm.tiemen at clients.rdmedia.com service ssh-connection method >> > > gssapi-with-mic [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug1: attempt 1 failures 0 >> [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: >> try >> > > method gssapi-with-mic [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: >> > > type 42 [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect >> > > entering: type 43 [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive >> entering >> > > [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive >> entering >> > > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking >> > > request 4 >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_authserv: >> > > service=ssh-connection, 
style= >> > > May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 4 used >> once, >> > > disabling now >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive >> entering >> > > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking >> > > request 80 >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_authrole: role= >> > > May 2 17:10:42 neodymium sshd[752]: debug2: monitor_read: 80 used >> once, >> > > disabling now >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive >> entering >> > > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking >> > > request 42 >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: >> > > type 43 >> > > May 2 17:10:42 neodymium sshd[752]: Postponed gssapi-with-mic for >> > > adm.tiemen at clients.rdmedia.com from 192.168.10.155 port 53106 ssh2 >> > > [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug1: userauth-request for user >> > > adm.tiemen at clients.rdmedia.com service ssh-connection method >> > > keyboard-interactive [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug1: attempt 2 failures 0 >> [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug2: input_userauth_request: >> try >> > > method keyboard-interactive [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug1: keyboard-interactive devs >> > > [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug1: auth2_challenge: user= >> > > adm.tiemen at clients.rdmedia.com devs= [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug1: kbdint_alloc: devices >> 'pam' >> > > [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug2: auth2_challenge_start: >> > > devices pam [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug2: kbdint_next_device: >> devices >> > > [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug1: auth2_challenge_start: >> trying >> > > authentication method 'pam' [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: 
mm_sshpam_init_ctx >> [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: >> > > type 104 [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_init_ctx: >> waiting >> > > for MONITOR_ANS_PAM_INIT_CTX [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect >> > > entering: type 105 [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive >> entering >> > > [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive >> entering >> > > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking >> > > request 104 >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pam_init_ctx >> > > May 2 17:10:42 neodymium sshd[752]: debug3: PAM: sshpam_init_ctx >> entering >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: >> > > type 105 >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: >> > > type 106 [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query: waiting >> for >> > > MONITOR_ANS_PAM_QUERY [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive_expect >> > > entering: type 107 [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive >> entering >> > > [preauth] >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_receive >> entering >> > > May 2 17:10:42 neodymium sshd[752]: debug3: monitor_read: checking >> > > request 106 >> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_answer_pam_query >> > > May 2 17:10:42 neodymium sshd[752]: debug3: PAM: sshpam_query >> entering >> > > May 2 17:10:42 neodymium sshd[752]: debug3: ssh_msg_recv entering >> > > May 2 17:10:42 neodymium sshd[766]: debug3: PAM: sshpam_thread_conv >> > > entering, 1 messages >> > > May 2 17:10:42 neodymium sshd[766]: debug3: ssh_msg_send: type 1 >> > > 
May 2 17:10:42 neodymium sshd[766]: debug3: ssh_msg_recv entering
>> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_request_send entering: type 107
>> > > May 2 17:10:42 neodymium sshd[752]: debug3: mm_sshpam_query: pam_query returned 0 [preauth]
>> > > May 2 17:10:42 neodymium sshd[752]: Postponed keyboard-interactive for adm.tiemen at clients.rdmedia.com from 192.168.10.155 port 53106 ssh2 [preauth]
>> > >
>> > > --
>> > > Tiemen Ruiten
>> > > Systems Engineer
>> > > R&D Media
>> > >
>> > > --
>> > > Manage your subscription for the Freeipa-users mailing list:
>> > > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > > Go to http://freeipa.org for more info on the project
>> > >
>> >
>> > --
>> > Tiemen Ruiten
>> > Systems Engineer
>> > R&D Media
>>
>> > --
>> > Manage your subscription for the Freeipa-users mailing list:
>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > Go to http://freeipa.org for more info on the project
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
> --
> Tiemen Ruiten
> Systems Engineer
> R&D Media
>

--
Tiemen Ruiten
Systems Engineer
R&D Media
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From b.candler at pobox.com Wed May 3 14:05:43 2017
From: b.candler at pobox.com (Brian Candler)
Date: Wed, 3 May 2017 15:05:43 +0100
Subject: [Freeipa-users] ubuntu 16.04 freeipa-client + sssd + sudo: "policy plugin returns 0"
In-Reply-To:
References: <7446b44a-ca97-e209-99e7-36f515988827@pobox.com>
Message-ID:

It turns out we had another 16.04 machine which was working fine. But as soon as I updated its sudo from 1.8.16-0ubuntu1.2 to 1.8.16-0ubuntu1.3, it stopped working too.

So it looks like I have a reproducing case for this and I can investigate further - I suspect it's a behaviour change from this fix:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1607666

From dag at sonsorol.org Wed May 3 15:16:04 2017
From: dag at sonsorol.org (Chris Dagdigian)
Date: Wed, 03 May 2017 11:16:04 -0400
Subject: [Freeipa-users] Can't make replica with CA due to LDAP 'replication manager' user not found error
Message-ID: <5909F434.9060905@sonsorol.org>

Any guidance for this one?

Summary - this seems to be the fatal error that causes the CA setup on the replica to fail:

May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: testLDAPConnection: The specified user cn=Replication Manager masterAgreement1-usaeilidmp002.XXX.org-pki-tomcat,cn=config does not exist
May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: CMSEngine: init(): password test execution failed for replicationdbwith NO_SUCH_USER. This may not be a latest instance. Ignoring ..

More details ...

Trying to build a replica with CA duties for the first time. It hangs here during the replica install process:

ipa : DEBUG stderr=
ipa : DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
ipa : DEBUG Waiting until the CA is running
ipa : DEBUG request POST http://usaeilidmp002.XXX.org:8080/ca/admin/ca/getStatus
ipa : DEBUG request body ''

However the root cause seems to be that the CA won't start because something is wrong with an LDAP replication manager user?

When I restart the pki-tomcatd service the replica install STDOUT refreshes the above status. After the 3rd attempt it triggers the fatal "CA will not start after 300 seconds" error

From the logs:

# systemctl status pki-tomcatd at pki-tomcat.service
●
pki-tomcatd at pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/lib/systemd/system/pki-tomcatd at .service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2017-05-03 15:09:04 UTC; 40s ago
  Process: 3843 ExecStop=/usr/libexec/tomcat/server stop (code=exited, status=1/FAILURE)
  Process: 3880 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited, status=0/SUCCESS)
 Main PID: 3993 (java)
   CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd at pki-tomcat.service
           └─3993 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/...

May 03 15:09:08 usaeilidmp002.XXX.org server[3993]: SSLAuthenticatorWithFallback: Setting container
May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: SSLAuthenticatorWithFallback: Initializing authenticators
May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: SSLAuthenticatorWithFallback: Starting authenticators
May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: CMSEngine.initializePasswordStore() begins
May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: CMSEngine.initializePasswordStore(): tag=internaldb
May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: testLDAPConnection connecting to usaeilidmp002.XXX.org:389
May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: CMSEngine.initializePasswordStore(): tag=replicationdb
May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: testLDAPConnection connecting to usaeilidmp002.XXX.org:389
May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: testLDAPConnection: The specified user cn=Replication Manager masterAgreement1-usaeilidmp002.XXX...not exist
May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: CMSEngine: init(): password test execution failed for replicationdbwith NO_SUCH_USER. This may not...noring ..
Hint: Some lines were ellipsized, use -l to show in full.

From p.m.bjornstad at medisin.uio.no Wed May 3 15:26:42 2017
From: p.m.bjornstad at medisin.uio.no (=?utf-8?Q?Marius_Bj=C3=B8rnstad?=)
Date: Wed, 3 May 2017 17:26:42 +0200
Subject: [Freeipa-users] CA lost on migration
Message-ID:

Hi,

I have migrated some FreeIPA servers from 3.0.0-51 to 4.4.0-14 by adding new replicas. There were a lot of issues, and I'm struggling a bit with a configuration management system set up by a central IT department, which overrides files like sssd.conf, and I have to make exceptions to the policy. I hope someone could take the time to help me with this anyway.

I was able to join both new RHEL 7 machines, and remove one of the old RHEL 6 machines, but then I couldn't remove the last one, and couldn't install the CA on any of the new masters. I (perhaps stupidly) removed the old server using ldapdelete, based on this thread: https://www.redhat.com/archives/freeipa-users/2012-June/msg00382.html. I thought that if I could get rid of the old stuff, I may be able to successfully promote one of the new servers to CA master.

The command to install the CA almost completed successfully on the first master, but stopped on one of the last steps. Now I get:

# ipa-ca-install
CA is already installed on this host.

It is clear that the CA is not installed. I get errors in /var/log/httpd/error_log for hosts requesting certs, and getting NotFound.

ipa: INFO: [xmlserver] host/xxxxx at DOMAIN: cert_request(u'MIIDnzCCaoc.......

I then removed and uninstalled the other master, which did not have a CA, thinking it could get going with a reinstall. However, the installation fails

ipa : ERROR Cannot issue certificates: a CA is not installed. Use the --http-cert-file, --dirsrv-cert-file options to provide custom certificates.

(there may be some typos in the error messages, since I'm copying from an air-gapped network)

Is there any way I can manually resurrect the CA? I have the files left over on the original (version 3) master, but did do an uninstall.

If that's not possible, is there any way to migrate the users to a new domain with exactly the same name (this would be less convenient, if it's actually possible, since I have to re-enroll all the clients).

Thanks,
Marius Bjørnstad

From freeipa at stormcloud9.net Wed May 3 19:09:41 2017
From: freeipa at stormcloud9.net (Patrick Hemmer)
Date: Wed, 3 May 2017 19:09:41 +0000
Subject: [Freeipa-users] Password history based on age, not count?
Message-ID: <0100015bcfb7ce42-4e0bc64a-1ece-47dc-a573-0fd41aec1c78-000000@email.amazonses.com>

Would it be reasonable to request a feature for FreeIPA to enforce password history reuse based on age, instead of a count? Meaning configure FreeIPA to enforce that a password cannot be reused within the last 1 year? Then we could remove the minimum time between password changes, and not worry about people cycling through X passwords to be able to reuse one.

When we were using OpenLDAP for user account management, I wrote an extension for it to do just that and it was rather convenient (not having to deal with an annoying min-change-time).

The whole min-time-between-changes, and number-of-passwords-in-history thing has always seemed like a hack to accomplish the true goal of preventing users from reusing passwords within a certain amount of time.

-Patrick
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From michael.plemmons at crosschx.com Wed May 3 21:28:16 2017
From: michael.plemmons at crosschx.com (Michael Plemmons)
Date: Wed, 3 May 2017 17:28:16 -0400
Subject: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:
Message-ID:

I have a three node IPA cluster.

ipa11.mgmt - was a master over 6 months ago
ipa13.mgmt - current master
ipa12.mgmt

ipa13 has agreements with ipa11 and ipa12. ipa11 and ipa12 do not have agreements between each other.

It appears that either ipa12.mgmt lost some level of its replication agreement with ipa13.
I saw some level because users / hosts were replicated between all systems but we started seeing DNS was not resolving properly from ipa12. I do not know when this started.

When looking at replication agreements on ipa12 I did not see any agreement with ipa13. When I run ipa-replica-manage list all three hosts show as master. When I run ipa-replica-manage ipa11.mgmt I see ipa13.mgmt is a replica. When I run ipa-replica-manage ipa12.mgmt nothing returned.

I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt ipa12.mgmt.crosschx.com ipa13.mgmt.crosschx.com on ipa12.mgmt

I then ran the following

ipa-replica-manage force-sync --from ipa13.mgmt.crosschx.com
ipa-replica-manage re-initialize --from ipa13.mgmt.crosschx.com

I was still seeing bad DNS returns when dig'ing against ipa12.mgmt. I was able to create user and DNS records and see the information replicated properly across all three nodes.

I then ran ipactl stop on ipa12.mgmt and then ipactl start on ipa12.mgmt because I wanted to make sure everything was running fresh after the changes above. While IPA was starting up (DNS started) we were able to see valid DNS queries returned but pki-tomcat would not start.

I am not sure what I need to do in order to get this working. I have included the output of certutil and getcert below from all three servers as well as the debug output for pki.

While the IPA system is coming up I am able to successfully run ldapsearch -x as the root user and see results. I am also able to login with the "cn=Directory Manager" account and see results.

The debug log shows the following error.

[03/May/2017:21:22:01][localhost-startStop-1]: ============================================
[03/May/2017:21:22:01][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
[03/May/2017:21:22:01][localhost-startStop-1]: ============================================
[03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown?
false [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=debug [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized debug [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=log [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=log [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit) [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system) [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions) [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=log [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized log [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=jss [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=jss [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? 
/var/lib/pki/pki-tomcat/logs/autoShutdown.crumb [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=jss [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized jss [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=dbs [03/May/2017:21:22:01][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true [03/May/2017:21:22:01][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem) [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory: init [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory:doCloning true [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init() [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init begins [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init ends [03/May/2017:21:22:01][localhost-startStop-1]: init: before makeConnection errorIfDown is true [03/May/2017:21:22:01][localhost-startStop-1]: makeConnection: errorIfDown true [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca [03/May/2017:21:22:02][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering! 
[03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null [03/May/2017:21:22:02][localhost-startStop-1]: SSL handshake happened Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48) at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205) at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166) at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130) at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654) at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169) at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075) at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571) at com.netscape.certsrv.apps.CMS.init(CMS.java:187) at com.netscape.certsrv.apps.CMS.start(CMS.java:1616) at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) at javax.servlet.GenericServlet.init(GenericServlet.java:158) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124) at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270) at 
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318) at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899) at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652) at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679) at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Internal Database Error encountered: Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48) at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676) at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169) at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075) at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571) at com.netscape.certsrv.apps.CMS.init(CMS.java:187) at 
com.netscape.certsrv.apps.CMS.start(CMS.java:1616) at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) at javax.servlet.GenericServlet.init(GenericServlet.java:158) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124) at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318) at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899) at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873) at 
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
[03/May/2017:21:22:02][localhost-startStop-1]: CMSEngine.shutdown()

=============================

IPA11.MGMT
(root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/

Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

Server-Cert                          u,u,u
MGMT.CROSSCHX.COM IPA CA             CT,C,C

(root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/

Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca            CTu,Cu,Cu
auditSigningCert cert-pki-ca         u,u,Pu
ocspSigningCert cert-pki-ca          u,u,u
subsystemCert cert-pki-ca            u,u,u
Server-Cert cert-pki-ca              u,u,u

IPA13.MGMT
(root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/

Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

Server-Cert                          u,u,u
MGMT.CROSSCHX.COM IPA CA             CT,C,C

(root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/

Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca            CTu,Cu,Cu
auditSigningCert cert-pki-ca         u,u,Pu
ocspSigningCert cert-pki-ca          u,u,u
subsystemCert cert-pki-ca            u,u,u
Server-Cert cert-pki-ca              u,u,u

IPA12.MGMT
(root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/

Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

Server-Cert                          u,u,u
MGMT.CROSSCHX.COM IPA CA             C,,

(root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/

Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca            CTu,Cu,Cu
auditSigningCert cert-pki-ca         u,u,Pu
ocspSigningCert cert-pki-ca          u,u,u
subsystemCert cert-pki-ca            u,u,u
Server-Cert cert-pki-ca              u,u,u

=================================================

IPA11.MGMT
(root)>getcert list
Number of certificates and requests being tracked: 8.
Request ID '20161229155314':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
    subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
    expires: 2018-12-30 15:52:43 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
    track: yes
    auto-renew: yes
Request ID '20161229155652':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
    subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
    expires: 2018-11-12 13:00:29 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20161229155654':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer:
CN=Certificate Authority,O=MGMT.CROSSCHX.COM subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM expires: 2018-11-12 13:00:26 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign eku: id-kp-OCSPSigning pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20161229155655': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM expires: 2018-11-12 13:00:28 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes Request ID '20161229155657': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM expires: 2036-11-22 13:00:25 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20161229155659': status: MONITORING stuck: no key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM expires: 2018-12-19 15:56:20 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes Request ID '20161229155921': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM expires: 2018-12-30 15:52:46 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_httpd track: yes auto-renew: yes Request ID '20161229160009': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM subject: CN=IPA RA,O=MGMT.CROSSCHX.COM expires: 2018-11-12 13:01:34 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: 
/usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes ================================== IPA13.MGMT (root)>getcert list Number of certificates and requests being tracked: 8. Request ID '20161229143449': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM expires: 2018-12-30 14:34:20 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM track: yes auto-renew: yes Request ID '20161229143826': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM subject: CN=CA Audit,O=MGMT.CROSSCHX.COM expires: 2018-11-12 13:00:29 UTC key usage: digitalSignature,nonRepudiation pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20161229143828': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM expires: 2018-11-12 13:00:26 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign eku: id-kp-OCSPSigning pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20161229143831': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM expires: 2018-11-12 13:00:28 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes Request ID '20161229143833': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM expires: 2036-11-22 13:00:25 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20161229143835': 
status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM expires: 2018-12-19 14:37:54 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes Request ID '20161229144057': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM expires: 2018-12-30 14:34:23 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_httpd track: yes auto-renew: yes Request ID '20161229144146': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM subject: CN=IPA RA,O=MGMT.CROSSCHX.COM expires: 2018-11-12 13:01:34 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: 
id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes =========================== IPA12.MGMT (root)>getcert list Number of certificates and requests being tracked: 8. Request ID '20161229151518': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM expires: 2018-12-30 15:14:51 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM track: yes auto-renew: yes Request ID '20161229151850': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM subject: CN=CA Audit,O=MGMT.CROSSCHX.COM expires: 2018-11-12 13:00:29 UTC key usage: digitalSignature,nonRepudiation pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20161229151852': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM expires: 2018-11-12 13:00:26 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign eku: id-kp-OCSPSigning pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20161229151854': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM expires: 2018-11-12 13:00:28 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes Request ID '20161229151856': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM expires: 2036-11-22 13:00:25 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert 
cert-pki-ca" track: yes auto-renew: yes Request ID '20161229151858': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM expires: 2018-12-19 15:18:16 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes Request ID '20161229152115': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM expires: 2018-12-30 15:14:54 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_httpd track: yes auto-renew: yes Request ID '20161229152204': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM subject: CN=IPA RA,O=MGMT.CROSSCHX.COM expires: 2018-11-12 13:01:34 UTC key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes

*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614.427.2411
mike.plemmons at crosschx.com
www.crosschx.com

From ianh at brownpapertickets.com Wed May 3 22:41:32 2017
From: ianh at brownpapertickets.com (Ian Harding)
Date: Wed, 3 May 2017 15:41:32 -0700
Subject: [Freeipa-users] ipa server-del
Message-ID:

Is there any way this can be made to work? This server does not exist in real life or seemingly in FreeIPA, but a ghost of it does.

ianh at vm-ian-laptop:~$ ipa server-find freeipa-dal.bpt.rocks
--------------------
1 IPA server matched
--------------------
  Server name: freeipa-dal.bpt.rocks
  Min domain level: 0
  Max domain level: 0
----------------------------
Number of entries returned 1
----------------------------
ianh at vm-ian-laptop:~$ ipa server-del freeipa-dal.bpt.rocks
Removing freeipa-dal.bpt.rocks from replication topology, please wait...
ipa: ERROR: freeipa-dal.bpt.rocks: server not found
ianh at vm-ian-laptop:~$ ipa server-del freeipa-dal.bpt.rocks --force
Removing freeipa-dal.bpt.rocks from replication topology, please wait...
ipa: ERROR: freeipa-dal.bpt.rocks: server not found
ianh at vm-ian-laptop:~$ ipa server-del freeipa-dal.bpt.rocks --force --continue
Removing freeipa-dal.bpt.rocks from replication topology, please wait...
ipa: WARNING: Forcing removal of freeipa-dal.bpt.rocks
---------------------
Deleted IPA server ""
---------------------
  Failed to remove: freeipa-dal.bpt.rocks
ianh at vm-ian-laptop:~$

- Ian

From ftweedal at redhat.com Thu May 4 01:47:06 2017
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 4 May 2017 11:47:06 +1000
Subject: [Freeipa-users] External cert with correct CSR?
In-Reply-To: <2463c17f-707d-af9d-34b5-a34fcfc47a99@gmail.com>
References: <34364bc8-7bc5-635d-4d0b-6866b823d91d@gmail.com> <5cb693ea-dd7f-5f05-774f-6e1012959320@redhat.com> <2463c17f-707d-af9d-34b5-a34fcfc47a99@gmail.com>
Message-ID: <20170504014706.GM19119@dhcp-40-8.bne.redhat.com>

On Tue, May 02, 2017 at 11:10:12AM -0500, Kat wrote:
> Yeah, after I sent this email, I realized what I was trying to do and that,
> "Oh wait, this is not really going to work."
>
Indeed. This feature is usually used to chain an IPA CA into an organisation's existing PKI, which is controlled by the organisation, thus they can add whatever they need to the cert regardless of what is/is not asserted by the CSR.

Cheers,
Fraser

> For what it is worth - version on RHEL 7.3 - 4.4.0-14.el7_3.7
>
> -K
>
> On 5/2/17 11:04 AM, Rob Crittenden wrote:
> > Kat wrote:
> > > Hi all,
> > >
> > > I am somewhat confused trying to get the process of using an external
> > > cert for IPA.
> > >
> > > If I follow step 1:
> > > ipa-server-install -a Secret123 -p Secret123 -r EXAMPLE.COM
> > > --external-ca -U
> > >
> > > This does indeed generate a CSR, but trying to do anything with this CSR
> > > has no success since it is not properly formed with all info. In
> > > other words, ipa does not add country, state, location, etc. If I submit
> > > this CSR to any cert company, it will of course, complain. Is there a
> > > way to get this right? Or am I just missing something here?
> > >
> > What cert company are you trying to get to sign this? This is a CA cert,
> > I don't know that any of the major ones will sign this, at least not
> > without a huge check.
> >
> > What version of IPA?
> >
> > rob
> >
>

From michael.plemmons at crosschx.com Thu May 4 02:16:24 2017
From: michael.plemmons at crosschx.com (Michael Plemmons)
Date: Wed, 3 May 2017 22:16:24 -0400
Subject: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:
In-Reply-To:
References:
Message-ID:

I realized that I was not very clear in my statement about testing with ldapsearch. I had initially run it without logging in with a DN. I was just running the local ldapsearch -x command. I then tested on ipa12.mgmt and ipa11.mgmt logging in with a full DN for the admin and "cn=Directory Manager" from ipa12.mgmt (broken server) and ipa11.mgmt and both ldapsearch commands succeeded.

I ran the following from ipa12.mgmt and ipa11.mgmt as a non root user. I also ran the command showing a line count for the output and the line counts for each were the same when run from ipa12.mgmt and ipa11.mgmt.

ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "DN" -w PASSWORD -b "cn=users,cn=accounts,dc=mgmt,dc=crosschx,dc=com" dn

ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "cn=directory manager" -w PASSWORD dn

*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614.427.2411
mike.plemmons at crosschx.com
www.crosschx.com

On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons <michael.plemmons at crosschx.com> wrote:

> I have a three node IPA cluster.
>
> ipa11.mgmt - was a master over 6 months ago
> ipa13.mgmt - current master
> ipa12.mgmt
>
> ipa13 has agreements with ipa11 and ipa12. ipa11 and ipa12 do not have
> agreements between each other.
>
> It appears that either ipa12.mgmt lost some level of its replication
> agreement with ipa13. I saw some level because users / hosts were
> replicated between all systems but we started seeing DNS was not resolving
> properly from ipa12.
> I do not know when this started.
>
> When looking at replication agreements on ipa12 I did not see any
> agreement with ipa13.
>
> When I run ipa-replica-manage list all three hosts show as master.
>
> When I run ipa-replica-manage ipa11.mgmt I see ipa13.mgmt is a replica.
>
> When I run ipa-replica-manage ipa12.mgmt nothing returned.
>
> I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt
> ipa12.mgmt.crosschx.com ipa13.mgmt.crosschx.com on ipa12.mgmt
>
> I then ran the following
>
> ipa-replica-manage force-sync --from ipa13.mgmt.crosschx.com
>
> ipa-replica-manage re-initialize --from ipa13.mgmt.crosschx.com
>
> I was still seeing bad DNS returns when dig'ing against ipa12.mgmt. I was
> able to create user and DNS records and see the information replicated
> properly across all three nodes.
>
> I then ran ipactl stop on ipa12.mgmt and then ipactl start on ipa12.mgmt
> because I wanted to make sure everything was running fresh after the
> changes above. While IPA was starting up (DNS started) we were able to see
> valid DNS queries returned but pki-tomcat would not start.
>
> I am not sure what I need to do in order to get this working. I have
> included the output of certutil and getcert below from all three servers as
> well as the debug output for pki.
>
>
> While the IPA system is coming up I am able to successfully run ldapsearch
> -x as the root user and see results. I am also able to login with the
> "cn=Directory Manager" account and see results.
>
>
> The debug log shows the following error.
>
>
> [03/May/2017:21:22:01][localhost-startStop-1]:
> ============================================
> [03/May/2017:21:22:01][localhost-startStop-1]: ===== DEBUG SUBSYSTEM
> INITIALIZED =======
> [03/May/2017:21:22:01][localhost-startStop-1]:
> ============================================
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at
> autoShutdown?
false > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown > crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look > for cert for auto-shutdown support:auditSigningCert cert-pki-ca > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found > cert:auditSigningCert cert-pki-ca > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init > id=debug > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized > debug > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem > id=log > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init > id=log > [03/May/2017:21:22:01][localhost-startStop-1]: Creating > RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit) > [03/May/2017:21:22:01][localhost-startStop-1]: Creating > RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system) > [03/May/2017:21:22:01][localhost-startStop-1]: Creating > RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions) > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at > autoShutdown? false > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown > crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look > for cert for auto-shutdown support:auditSigningCert cert-pki-ca > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found > cert:auditSigningCert cert-pki-ca > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=log > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized log > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem > id=jss > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init > id=jss > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at > autoShutdown? 
false > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown > crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look > for cert for auto-shutdown support:auditSigningCert cert-pki-ca > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found > cert:auditSigningCert cert-pki-ca > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=jss > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized jss > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem > id=dbs > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init > id=dbs > [03/May/2017:21:22:01][localhost-startStop-1]: DBSubsystem: init() > mEnableSerialMgmt=true > [03/May/2017:21:22:01][localhost-startStop-1]: Creating > LdapBoundConnFactor(DBSubsystem) > [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory: init > [03/May/2017:21:22:01][localhost-startStop-1]: > LdapBoundConnFactory:doCloning true > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init() > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init begins > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init ends > [03/May/2017:21:22:01][localhost-startStop-1]: init: before > makeConnection errorIfDown is true > [03/May/2017:21:22:01][localhost-startStop-1]: makeConnection: > errorIfDown true > [03/May/2017:21:22:02][localhost-startStop-1]: > SSLClientCertificateSelectionCB: Setting desired cert nickname to: > subsystemCert cert-pki-ca > [03/May/2017:21:22:02][localhost-startStop-1]: LdapJssSSLSocket: set > client auth cert nickname subsystemCert cert-pki-ca > [03/May/2017:21:22:02][localhost-startStop-1]: > SSLClientCertificatSelectionCB: Entering! 
> [03/May/2017:21:22:02][localhost-startStop-1]:
> SSLClientCertificateSelectionCB: returning: null
> [03/May/2017:21:22:02][localhost-startStop-1]: SSL handshake happened
> Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636
> Error netscape.ldap.LDAPException: Authentication failed (48)
> Internal Database Error encountered: Could not connect to LDAP server host
> ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException:
> Authentication failed (48)
> [03/May/2017:21:22:02][localhost-startStop-1]: CMSEngine.shutdown()
>
>
> =============================
>
>
> IPA11.MGMT
>
>
> (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>
> Certificate Nickname              Trust Attributes
>                                   SSL,S/MIME,JAR/XPI
>
> Server-Cert                       u,u,u
> MGMT.CROSSCHX.COM IPA CA          CT,C,C
>
> (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>
> Certificate Nickname              Trust Attributes
>                                   SSL,S/MIME,JAR/XPI
>
> caSigningCert cert-pki-ca         CTu,Cu,Cu
> auditSigningCert cert-pki-ca      u,u,Pu
> ocspSigningCert cert-pki-ca       u,u,u
> subsystemCert cert-pki-ca         u,u,u
> Server-Cert cert-pki-ca           u,u,u
>
>
> IPA13.MGMT
> (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>
> Certificate Nickname              Trust Attributes
>                                   SSL,S/MIME,JAR/XPI
>
> Server-Cert                       u,u,u
> MGMT.CROSSCHX.COM IPA CA          CT,C,C
>
> (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>
> Certificate Nickname              Trust Attributes
>                                   SSL,S/MIME,JAR/XPI
>
> caSigningCert cert-pki-ca         CTu,Cu,Cu
> auditSigningCert cert-pki-ca      u,u,Pu
> ocspSigningCert cert-pki-ca       u,u,u
> subsystemCert cert-pki-ca         u,u,u
> Server-Cert cert-pki-ca           u,u,u
>
>
> IPA12.MGMT
> (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>
> Certificate Nickname              Trust Attributes
>                                   SSL,S/MIME,JAR/XPI
>
> Server-Cert                       u,u,u
> MGMT.CROSSCHX.COM IPA CA          C,,
>
> (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>
> Certificate Nickname              Trust Attributes
>                                   SSL,S/MIME,JAR/XPI
>
> caSigningCert cert-pki-ca         CTu,Cu,Cu
> auditSigningCert cert-pki-ca      u,u,Pu
> ocspSigningCert cert-pki-ca       u,u,u
> subsystemCert cert-pki-ca         u,u,u
> Server-Cert cert-pki-ca           u,u,u
>
> =================================================
>
> IPA11.MGMT
> (root)>getcert list
>
Number of certificates and requests being tracked: 8. > Request ID '20161229155314': > status: MONITORING > stuck: no > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt' > certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM > subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM > expires: 2018-12-30 15:52:43 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM > track: yes > auto-renew: yes > Request ID '20161229155652': > status: MONITORING > stuck: no > key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set > certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM > subject: CN=CA Audit,O=MGMT.CROSSCHX.COM > expires: 2018-11-12 13:00:29 UTC > key usage: digitalSignature,nonRepudiation > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20161229155654': > status: MONITORING > stuck: no > key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set > certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM > 
subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM > expires: 2018-11-12 13:00:26 UTC > key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign > eku: id-kp-OCSPSigning > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20161229155655': > status: MONITORING > stuck: no > key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set > certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM > subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM > expires: 2018-11-12 13:00:28 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20161229155657': > status: MONITORING > stuck: no > key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set > certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM > subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM > expires: 2036-11-22 13:00:25 UTC > key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20161229155659': > status: MONITORING > stuck: no > key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set > certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM > subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM > expires: 2018-12-19 15:56:20 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20161229155921': > status: MONITORING > stuck: no > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM > subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM > expires: 2018-12-30 15:52:46 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/libexec/ipa/certmonger/restart_httpd > track: yes > auto-renew: yes > Request ID '20161229160009': > status: MONITORING > stuck: no > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM > subject: CN=IPA RA,O=MGMT.CROSSCHX.COM > expires: 2018-11-12 13:01:34 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > 
eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre > post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert > track: yes > auto-renew: yes > > > > > ================================== > > IPA13.MGMT > > (root)>getcert list > Number of certificates and requests being tracked: 8. > Request ID '20161229143449': > status: MONITORING > stuck: no > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt' > certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM > subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM > expires: 2018-12-30 14:34:20 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM > track: yes > auto-renew: yes > Request ID '20161229143826': > status: MONITORING > stuck: no > key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set > certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM > subject: CN=CA Audit,O=MGMT.CROSSCHX.COM > expires: 2018-11-12 13:00:29 UTC > key usage: digitalSignature,nonRepudiation > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20161229143828': > status: MONITORING > stuck: no > key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set > certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM > subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM > expires: 2018-11-12 13:00:26 UTC > key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign > eku: id-kp-OCSPSigning > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20161229143831': > status: MONITORING > stuck: no > key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set > certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM > subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM > expires: 2018-11-12 13:00:28 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20161229143833': > status: MONITORING > stuck: no > key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set > certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM > subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM > expires: 2036-11-22 
13:00:25 UTC > key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20161229143835': > status: MONITORING > stuck: no > key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set > certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM > subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM > expires: 2018-12-19 14:37:54 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20161229144057': > status: MONITORING > stuck: no > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM > subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM > expires: 2018-12-30 14:34:23 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/libexec/ipa/certmonger/restart_httpd > track: yes > auto-renew: yes > Request ID '20161229144146': > status: MONITORING > stuck: no > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' 
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM > subject: CN=IPA RA,O=MGMT.CROSSCHX.COM > expires: 2018-11-12 13:01:34 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre > post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert > track: yes > auto-renew: yes > > > > =========================== > > IPA12.MGMT > > (root)>getcert list > Number of certificates and requests being tracked: 8. > Request ID '20161229151518': > status: MONITORING > stuck: no > key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt' > certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM > subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM > expires: 2018-12-30 15:14:51 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM > track: yes > auto-renew: yes > Request ID '20161229151850': > status: MONITORING > stuck: no > key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set > certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM > subject: CN=CA Audit,O=MGMT.CROSSCHX.COM > expires: 2018-11-12 13:00:29 UTC > key usage: 
digitalSignature,nonRepudiation > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20161229151852': > status: MONITORING > stuck: no > key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set > certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM > subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM > expires: 2018-11-12 13:00:26 UTC > key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign > eku: id-kp-OCSPSigning > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20161229151854': > status: MONITORING > stuck: no > key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set > certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM > subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM > expires: 2018-11-12 13:00:28 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20161229151856': > status: MONITORING > stuck: no > key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin 
set > certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM > subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM > expires: 2036-11-22 13:00:25 UTC > key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20161229151858': > status: MONITORING > stuck: no > key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set > certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-renew-agent > issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM > subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM > expires: 2018-12-19 15:18:16 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20161229152115': > status: MONITORING > stuck: no > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM > subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM > expires: 2018-12-30 15:14:54 UTC > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > 
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> Request ID '20161229152204':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
> subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
> expires: 2018-11-12 13:01:34 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
>
> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
> 614.427.2411
> mike.plemmons at crosschx.com
> www.crosschx.com
>

From michael.plemmons at crosschx.com Thu May 4 02:52:15 2017
From: michael.plemmons at crosschx.com (Michael Plemmons)
Date: Wed, 3 May 2017 22:52:15 -0400
Subject: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:
In-Reply-To:
References:
Message-ID:

I ran another test. I started IPA with the ignore service failure option and I tried doing ldap searches like this.

ldapsearch -H ldaps://ipa12.mgmt.crosschx.com

from both my laptop and from ipa11.mgmt and I get successful returns when logging in as the admin user and as the directory manager.

I then looked closer at the LDAP access logs for the last time I tried to start up PKI and got the auth failure and I see this.

[04/May/2017:02:22:45.859021005 +0000] conn=12 fd=101 slot=101 SSL connection from 10.71.100.92 to 10.71.100.92
[04/May/2017:02:22:45.875672450 +0000] conn=12 TLS1.2 256-bit AES
[04/May/2017:02:22:45.940908536 +0000] conn=12 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[04/May/2017:02:22:45.942441120 +0000] conn=12 op=0 RESULT err=48 tag=97 nentries=0 etime=0

Is dn="" supposed to be empty?

*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614.427.2411
mike.plemmons at crosschx.com
www.crosschx.com

On Wed, May 3, 2017 at 10:16 PM, Michael Plemmons <michael.plemmons at crosschx.com> wrote:

> I realized that I was not very clear in my statement about testing with
> ldapsearch. I had initially run it without logging in with a DN. I was
> just running the local ldapsearch -x command. I then tested on ipa12.mgmt
> and ipa11.mgmt logging in with a full DN for the admin and "cn=Directory
> Manager" from ipa12.mgmt (broken server) and ipa11.mgmt and both ldapsearch
> commands succeeded.
>
> I ran the following from ipa12.mgmt and ipa11.mgmt as a non-root user. I
> also ran the command showing a line count for the output and the line
> counts for each were the same when run from ipa12.mgmt and ipa11.mgmt.
>
> ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "DN" -w PASSWORD -b "cn=users,cn=accounts,dc=mgmt,dc=crosschx,dc=com" dn
>
> ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "cn=directory manager" -w PASSWORD dn
>
> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
> 614.427.2411
> mike.plemmons at crosschx.com
> www.crosschx.com
>
> On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons <michael.plemmons at crosschx.com> wrote:
>
>> I have a three node IPA cluster.
>>
>> ipa11.mgmt - was a master over 6 months ago
>> ipa13.mgmt - current master
>> ipa12.mgmt
>>
>> ipa13 has agreements with ipa11 and ipa12. ipa11 and ipa12 do not have
>> agreements between each other.
>>
>> It appears that either ipa12.mgmt lost some level of its replication
>> agreement with ipa13. I saw some level because users / hosts were
>> replicated between all systems but we started seeing DNS was not resolving
>> properly from ipa12. I do not know when this started.
>>
>> When looking at replication agreements on ipa12 I did not see any
>> agreement with ipa13.
>>
>> When I run ipa-replica-manage list all three hosts show as master.
>>
>> When I run ipa-replica-manage ipa11.mgmt I see ipa13.mgmt is a replica.
>>
>> When I run ipa-replica-manage ipa12.mgmt nothing returned.
>>
>> I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt
>> ipa12.mgmt.crosschx.com ipa13.mgmt.crosschx.com on ipa12.mgmt
>>
>> I then ran the following
>>
>> ipa-replica-manage force-sync --from ipa13.mgmt.crosschx.com
>>
>> ipa-replica-manage re-initialize --from ipa13.mgmt.crosschx.com
>>
>> I was still seeing bad DNS returns when dig'ing against ipa12.mgmt. I
>> was able to create user and DNS records and see the information replicated
>> properly across all three nodes.
>>
>> I then ran ipactl stop on ipa12.mgmt and then ipactl start on ipa12.mgmt
>> because I wanted to make sure everything was running fresh after the
>> changes above. While IPA was starting up (DNS started) we were able to see
>> valid DNS queries returned but pki-tomcat would not start.
>>
>> I am not sure what I need to do in order to get this working. I have
>> included the output of certutil and getcert below from all three servers as
>> well as the debug output for pki.
>>
>> While the IPA system is coming up I am able to successfully run
>> ldapsearch -x as the root user and see results. I am also able to log in
>> with the "cn=Directory Manager" account and see results.
>>
>> The debug log shows the following error.
>> >> >> [03/May/2017:21:22:01][localhost-startStop-1]: >> ============================================ >> [03/May/2017:21:22:01][localhost-startStop-1]: ===== DEBUG SUBSYSTEM >> INITIALIZED ======= >> [03/May/2017:21:22:01][localhost-startStop-1]: >> ============================================ >> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at >> autoShutdown? false >> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown >> crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb >> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look >> for cert for auto-shutdown support:auditSigningCert cert-pki-ca >> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found >> cert:auditSigningCert cert-pki-ca >> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init >> id=debug >> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized >> debug >> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem >> id=log >> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init >> id=log >> [03/May/2017:21:22:01][localhost-startStop-1]: Creating >> RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit) >> [03/May/2017:21:22:01][localhost-startStop-1]: Creating >> RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system) >> [03/May/2017:21:22:01][localhost-startStop-1]: Creating >> RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions) >> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at >> autoShutdown? false >> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown >> crumb file path? 
/var/lib/pki/pki-tomcat/logs/autoShutdown.crumb >> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look >> for cert for auto-shutdown support:auditSigningCert cert-pki-ca >> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found >> cert:auditSigningCert cert-pki-ca >> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init >> id=log >> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized log >> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem >> id=jss >> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init >> id=jss >> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at >> autoShutdown? false >> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown >> crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb >> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look >> for cert for auto-shutdown support:auditSigningCert cert-pki-ca >> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found >> cert:auditSigningCert cert-pki-ca >> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init >> id=jss >> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized jss >> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem >> id=dbs >> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init >> id=dbs >> [03/May/2017:21:22:01][localhost-startStop-1]: DBSubsystem: init() >> mEnableSerialMgmt=true >> [03/May/2017:21:22:01][localhost-startStop-1]: Creating >> LdapBoundConnFactor(DBSubsystem) >> [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory: init >> [03/May/2017:21:22:01][localhost-startStop-1]: >> LdapBoundConnFactory:doCloning true >> [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init() >> [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init begins >> [03/May/2017:21:22:01][localhost-startStop-1]: 
LdapAuthInfo: init ends >> [03/May/2017:21:22:01][localhost-startStop-1]: init: before >> makeConnection errorIfDown is true >> [03/May/2017:21:22:01][localhost-startStop-1]: makeConnection: >> errorIfDown true >> [03/May/2017:21:22:02][localhost-startStop-1]: >> SSLClientCertificateSelectionCB: Setting desired cert nickname to: >> subsystemCert cert-pki-ca >> [03/May/2017:21:22:02][localhost-startStop-1]: LdapJssSSLSocket: set >> client auth cert nickname subsystemCert cert-pki-ca >> [03/May/2017:21:22:02][localhost-startStop-1]: >> SSLClientCertificatSelectionCB: Entering! >> [03/May/2017:21:22:02][localhost-startStop-1]: >> SSLClientCertificateSelectionCB: returning: null >> [03/May/2017:21:22:02][localhost-startStop-1]: SSL handshake happened >> Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 >> Error netscape.ldap.LDAPException: Authentication failed (48) >> at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConne >> ction(LdapBoundConnFactory.java:205) >> at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(Ldap >> BoundConnFactory.java:166) >> at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(Ldap >> BoundConnFactory.java:130) >> at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654) >> at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine. 
>> java:1169) >> at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine >> .java:1075) >> at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571) >> at com.netscape.certsrv.apps.CMS.init(CMS.java:187) >> at com.netscape.certsrv.apps.CMS.start(CMS.java:1616) >> at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartS >> ervlet.java:114) >> at javax.servlet.GenericServlet.init(GenericServlet.java:158) >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce >> ssorImpl.java:62) >> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe >> thodAccessorImpl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:498) >> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil >> .java:288) >> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil >> .java:285) >> at java.security.AccessController.doPrivileged(Native Method) >> at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) >> at org.apache.catalina.security.SecurityUtil.execute(SecurityUt >> il.java:320) >> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(Secu >> rityUtil.java:175) >> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(Secu >> rityUtil.java:124) >> at org.apache.catalina.core.StandardWrapper.initServlet(Standar >> dWrapper.java:1270) >> at org.apache.catalina.core.StandardWrapper.loadServlet(Standar >> dWrapper.java:1195) >> at org.apache.catalina.core.StandardWrapper.load(StandardWrappe >> r.java:1085) >> at org.apache.catalina.core.StandardContext.loadOnStartup(Stand >> ardContext.java:5318) >> at org.apache.catalina.core.StandardContext.startInternal(Stand >> ardContext.java:5610) >> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147) >> at org.apache.catalina.core.ContainerBase.addChildInternal(Cont >> ainerBase.java:899) >> at org.apache.catalina.core.ContainerBase.access$000(ContainerB >> ase.java:133) >> at 
org.apache.catalina.core.ContainerBase$PrivilegedAddChild. >> run(ContainerBase.java:156) >> at org.apache.catalina.core.ContainerBase$PrivilegedAddChild. >> run(ContainerBase.java:145) >> at java.security.AccessController.doPrivileged(Native Method) >> at org.apache.catalina.core.ContainerBase.addChild(ContainerBas >> e.java:873) >> at org.apache.catalina.core.StandardHost.addChild(StandardHost. >> java:652) >> at org.apache.catalina.startup.HostConfig.deployDescriptor(Host >> Config.java:679) >> at org.apache.catalina.startup.HostConfig$DeployDescriptor.run( >> HostConfig.java:1966) >> at java.util.concurrent.Executors$RunnableAdapter.call( >> Executors.java:511) >> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool >> Executor.java:1142) >> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo >> lExecutor.java:617) >> at java.lang.Thread.run(Thread.java:745) >> Internal Database Error encountered: Could not connect to LDAP server >> host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: >> Authentication failed (48) >> at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676) >> at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine. 
>> java:1169) >> at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine >> .java:1075) >> at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571) >> at com.netscape.certsrv.apps.CMS.init(CMS.java:187) >> at com.netscape.certsrv.apps.CMS.start(CMS.java:1616) >> at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartS >> ervlet.java:114) >> at javax.servlet.GenericServlet.init(GenericServlet.java:158) >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce >> ssorImpl.java:62) >> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe >> thodAccessorImpl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:498) >> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil >> .java:288) >> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil >> .java:285) >> at java.security.AccessController.doPrivileged(Native Method) >> at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) >> at org.apache.catalina.security.SecurityUtil.execute(SecurityUt >> il.java:320) >> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(Secu >> rityUtil.java:175) >> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(Secu >> rityUtil.java:124) >> at org.apache.catalina.core.StandardWrapper.initServlet(Standar >> dWrapper.java:1270) >> at org.apache.catalina.core.StandardWrapper.loadServlet(Standar >> dWrapper.java:1195) >> at org.apache.catalina.core.StandardWrapper.load(StandardWrappe >> r.java:1085) >> at org.apache.catalina.core.StandardContext.loadOnStartup(Stand >> ardContext.java:5318) >> at org.apache.catalina.core.StandardContext.startInternal(Stand >> ardContext.java:5610) >> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147) >> at org.apache.catalina.core.ContainerBase.addChildInternal(Cont >> ainerBase.java:899) >> at org.apache.catalina.core.ContainerBase.access$000(ContainerB >> ase.java:133) >> at 
org.apache.catalina.core.ContainerBase$PrivilegedAddChild. >> run(ContainerBase.java:156) >> at org.apache.catalina.core.ContainerBase$PrivilegedAddChild. >> run(ContainerBase.java:145) >> at java.security.AccessController.doPrivileged(Native Method) >> at org.apache.catalina.core.ContainerBase.addChild(ContainerBas >> e.java:873) >> at org.apache.catalina.core.StandardHost.addChild(StandardHost. >> java:652) >> at org.apache.catalina.startup.HostConfig.deployDescriptor(Host >> Config.java:679) >> at org.apache.catalina.startup.HostConfig$DeployDescriptor.run( >> HostConfig.java:1966) >> at java.util.concurrent.Executors$RunnableAdapter.call( >> Executors.java:511) >> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool >> Executor.java:1142) >> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo >> lExecutor.java:617) >> at java.lang.Thread.run(Thread.java:745) >> [03/May/2017:21:22:02][localhost-startStop-1]: CMSEngine.shutdown() >> >> >> ============================= >> >> >> IPA11.MGMT >> >> >> (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/ >> >> Certificate Nickname Trust Attributes >> SSL,S/MIME,JAR/XPI >> >> Server-Cert u,u,uMGMT.CROSSCHX.COM IPA CA CT,C,C >> >> (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/ >> >> Certificate Nickname Trust Attributes >> SSL,S/MIME,JAR/XPI >> >> caSigningCert cert-pki-ca CTu,Cu,Cu >> auditSigningCert cert-pki-ca u,u,Pu >> ocspSigningCert cert-pki-ca u,u,u >> subsystemCert cert-pki-ca u,u,u >> Server-Cert cert-pki-ca u,u,u >> >> >> >> >> >> IPA13.MGMT >> (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/ >> >> Certificate Nickname Trust Attributes >> SSL,S/MIME,JAR/XPI >> >> Server-Cert u,u,uMGMT.CROSSCHX.COM IPA CA CT,C,C >> >> (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/ >> >> Certificate Nickname Trust Attributes >> SSL,S/MIME,JAR/XPI >> >> caSigningCert cert-pki-ca CTu,Cu,Cu >> auditSigningCert 
cert-pki-ca u,u,Pu >> ocspSigningCert cert-pki-ca u,u,u >> subsystemCert cert-pki-ca u,u,u >> Server-Cert cert-pki-ca u,u,u >> >> >> >> >> IPA12.MGMT >> (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/ >> >> Certificate Nickname Trust Attributes >> SSL,S/MIME,JAR/XPI >> >> Server-Cert u,u,uMGMT.CROSSCHX.COM IPA CA C,, >> >> (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/ >> >> Certificate Nickname Trust Attributes >> SSL,S/MIME,JAR/XPI >> >> caSigningCert cert-pki-ca CTu,Cu,Cu >> auditSigningCert cert-pki-ca u,u,Pu >> ocspSigningCert cert-pki-ca u,u,u >> subsystemCert cert-pki-ca u,u,u >> Server-Cert cert-pki-ca u,u,u >> >> ================================================= >> >> IPA11.MGMT >> (root)>getcert list >> Number of certificates and requests being tracked: 8. >> Request ID '20161229155314': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt' >> certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB' >> CA: IPA >> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM >> expires: 2018-12-30 15:52:43 UTC >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: >> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM >> track: yes >> auto-renew: yes >> Request ID '20161229155652': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate 
Authority,O=MGMT.CROSSCHX.COM >> subject: CN=CA Audit,O=MGMT.CROSSCHX.COM >> expires: 2018-11-12 13:00:29 UTC >> key usage: digitalSignature,nonRepudiation >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20161229155654': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM >> expires: 2018-11-12 13:00:26 UTC >> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign >> eku: id-kp-OCSPSigning >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20161229155655': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM >> expires: 2018-11-12 13:00:28 UTC >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20161229155657': >> status: 
MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> expires: 2036-11-22 13:00:25 UTC >> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20161229155659': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-renew-agent >> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM >> expires: 2018-12-19 15:56:20 UTC >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20161229155921': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' >> CA: IPA >> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> subject: 
CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM >> expires: 2018-12-30 15:52:46 UTC >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: >> post-save command: /usr/libexec/ipa/certmonger/restart_httpd >> track: yes >> auto-renew: yes >> Request ID '20161229160009': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> subject: CN=IPA RA,O=MGMT.CROSSCHX.COM >> expires: 2018-11-12 13:01:34 UTC >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre >> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert >> track: yes >> auto-renew: yes >> >> >> >> >> ================================== >> >> IPA13.MGMT >> >> (root)>getcert list >> Number of certificates and requests being tracked: 8. 
>> Request ID '20161229143449': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt' >> certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB' >> CA: IPA >> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM >> expires: 2018-12-30 14:34:20 UTC >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: >> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM >> track: yes >> auto-renew: yes >> Request ID '20161229143826': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> subject: CN=CA Audit,O=MGMT.CROSSCHX.COM >> expires: 2018-11-12 13:00:29 UTC >> key usage: digitalSignature,nonRepudiation >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20161229143828': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> subject: CN=OCSP 
Subsystem,O=MGMT.CROSSCHX.COM >> expires: 2018-11-12 13:00:26 UTC >> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign >> eku: id-kp-OCSPSigning >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20161229143831': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM >> expires: 2018-11-12 13:00:28 UTC >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20161229143833': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> expires: 2036-11-22 13:00:25 UTC >> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20161229143835': >> status: MONITORING >> stuck: no 
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-renew-agent >> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM >> expires: 2018-12-19 14:37:54 UTC >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20161229144057': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' >> CA: IPA >> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM >> expires: 2018-12-30 14:34:23 UTC >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: >> post-save command: /usr/libexec/ipa/certmonger/restart_httpd >> track: yes >> auto-renew: yes >> Request ID '20161229144146': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> subject: CN=IPA RA,O=MGMT.CROSSCHX.COM >> expires: 2018-11-12 13:01:34 UTC >> key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre >> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert >> track: yes >> auto-renew: yes >> >> >> >> =========================== >> >> IPA12.MGMT >> >> (root)>getcert list >> Number of certificates and requests being tracked: 8. >> Request ID '20161229151518': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt' >> certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB' >> CA: IPA >> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM >> expires: 2018-12-30 15:14:51 UTC >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: >> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM >> track: yes >> auto-renew: yes >> Request ID '20161229151850': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> subject: CN=CA Audit,O=MGMT.CROSSCHX.COM >> expires: 2018-11-12 13:00:29 UTC >> key usage: digitalSignature,nonRepudiation >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20161229151852': >> status: 
MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM >> expires: 2018-11-12 13:00:26 UTC >> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign >> eku: id-kp-OCSPSigning >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20161229151854': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM >> expires: 2018-11-12 13:00:28 UTC >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20161229151856': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-ca-renew-agent >> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> 
subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> expires: 2036-11-22 13:00:25 UTC >> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20161229151858': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' >> CA: dogtag-ipa-renew-agent >> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM >> expires: 2018-12-19 15:18:16 UTC >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection >> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" >> track: yes >> auto-renew: yes >> Request ID '20161229152115': >> status: MONITORING >> stuck: no >> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' >> CA: IPA >> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM >> expires: 2018-12-30 15:14:54 UTC >> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> eku: id-kp-serverAuth,id-kp-clientAuth >> pre-save command: >> post-save command: /usr/libexec/ipa/certmonger/restart_httpd >> track: yes >> auto-renew: yes >> Request ID '20161229152204': >> status: MONITORING >> stuck: no >> key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>> expires: 2018-11-12 13:01:34 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>> track: yes
>> auto-renew: yes
>>
>> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
>> 614.427.2411
>> mike.plemmons at crosschx.com
>> www.crosschx.com
>>

From michael.plemmons at crosschx.com Thu May 4 03:10:59 2017
From: michael.plemmons at crosschx.com (Michael Plemmons)
Date: Wed, 3 May 2017 23:10:59 -0400
Subject: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:

I also looked at RUVs and here is what I found. I do not know if anything here is helpful.

ldapsearch -ZZ -h ipa11.mgmt.crosschx.com -D "cn=Directory Manager" -W -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" | grep "nsds50ruv\|nsDS5ReplicaId"
nsDS5ReplicaId: 1095
nsds50ruv: {replicageneration} 58344598000000600000
nsds50ruv: {replica 1095 ldap://ipa11.mgmt.crosschx.com:389} 5865323f000004470
nsds50ruv: {replica 86 ldap://ipa13.mgmt.crosschx.com:389} 58651fdb00000056000
nsds50ruv: {replica 96 ldap://ipa11.mgmt.crosschx.com:389} 5834459c00000060000
nsds50ruv: {replica 91 ldap://ipa13.mgmt.crosschx.com:389} 583449970000005b000
nsds50ruv: {replica 97 ldap://ipa12.mgmt.crosschx.com:389} 583445c300000061000
nsds50ruv: {replica 81 ldap://ipa12.mgmt.crosschx.com:389} 5865295600000051000

IPA12 - this is the problem node.

ldapsearch -ZZ -h ipa12.mgmt.crosschx.com -D "cn=Directory Manager" -W -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" | grep "nsds50ruv\|nsDS5ReplicaId"
nsDS5ReplicaId: 81
nsds50ruv: {replicageneration} 58344598000000600000
nsds50ruv: {replica 81 ldap://ipa12.mgmt.crosschx.com:389} 5865295600000051000
nsds50ruv: {replica 96 ldap://ipa11.mgmt.crosschx.com:389} 5834459c00000060000
nsds50ruv: {replica 86 ldap://ipa13.mgmt.crosschx.com:389} 58651fdb00000056000
nsds50ruv: {replica 91 ldap://ipa13.mgmt.crosschx.com:389} 583449970000005b000
nsds50ruv: {replica 97 ldap://ipa12.mgmt.crosschx.com:389} 583445c300000061000

ldapsearch -ZZ -h ipa13.mgmt.crosschx.com -D "cn=Directory Manager" -W -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" | grep "nsds50ruv\|nsDS5ReplicaId"
nsDS5ReplicaId: 86
nsds50ruv: {replicageneration} 58344598000000600000
nsds50ruv: {replica 86 ldap://ipa13.mgmt.crosschx.com:389} 58651fdb00000056000
nsds50ruv: {replica 1095 ldap://ipa11.mgmt.crosschx.com:389} 5865323f000004470
nsds50ruv: {replica 96 ldap://ipa11.mgmt.crosschx.com:389} 5834459c00000060000
nsds50ruv: {replica 91 ldap://ipa13.mgmt.crosschx.com:389} 583449970000005b000
nsds50ruv: {replica 97 ldap://ipa12.mgmt.crosschx.com:389} 583445c300000061000
nsds50ruv: {replica 81 ldap://ipa12.mgmt.crosschx.com:389} 5865295600000051000

*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614.427.2411
mike.plemmons at crosschx.com
www.crosschx.com

On Wed, May 3, 2017 at 10:52 PM, Michael Plemmons <michael.plemmons at crosschx.com> wrote:

> I ran another test. I started IPA with the ignore service failure option
> and I tried doing ldap searches like this.
>
> ldapsearch -H ldaps://ipa12.mgmt.crosschx.com
>
> from both my laptop and from ipa11.mgmt and I get successful returns when
> logging in as the admin user and as the directory manager.
>
> I then looked closer at the LDAP access logs for the last time I tried to
> start up PKI and got the auth failure and I see this.
>
> [04/May/2017:02:22:45.859021005 +0000] conn=12 fd=101 slot=101 SSL connection from 10.71.100.92 to 10.71.100.92
> [04/May/2017:02:22:45.875672450 +0000] conn=12 TLS1.2 256-bit AES
> [04/May/2017:02:22:45.940908536 +0000] conn=12 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
> [04/May/2017:02:22:45.942441120 +0000] conn=12 op=0 RESULT err=48 tag=97 nentries=0 etime=0
>
> Is dn="" supposed to be empty?
>
> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
> 614.427.2411
> mike.plemmons at crosschx.com
> www.crosschx.com
>
> On Wed, May 3, 2017 at 10:16 PM, Michael Plemmons <michael.plemmons at crosschx.com> wrote:
>
>> I realized that I was not very clear in my statement about testing with
>> ldapsearch. I had initially run it without logging in with a DN. I was
>> just running the local ldapsearch -x command. I then tested on ipa12.mgmt
>> and ipa11.mgmt logging in with a full DN for the admin and "cn=Directory
>> Manager" from ipa12.mgmt (broken server) and ipa11.mgmt and both ldapsearch
>> commands succeeded.
>>
>> I ran the following from ipa12.mgmt and ipa11.mgmt as a non root user.
>> I also ran the command showing a line count for the output and the line
>> counts for each were the same when run from ipa12.mgmt and ipa11.mgmt.
>>
>> ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "DN" -w PASSWORD -b "cn=users,cn=accounts,dc=mgmt,dc=crosschx,dc=com" dn
>>
>> ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "cn=directory manager" -w PASSWORD dn
>>
>> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
>> 614.427.2411
>> mike.plemmons at crosschx.com
>> www.crosschx.com
>>
>> On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons <michael.plemmons at crosschx.com> wrote:
>>
>>> I have a three node IPA cluster.
>>>
>>> ipa11.mgmt - was a master over 6 months ago
>>> ipa13.mgmt - current master
>>> ipa12.mgmt
>>>
>>> ipa13 has agreements with ipa11 and ipa12. ipa11 and ipa12 do not have
>>> agreements between each other.
>>>
>>> It appears that either ipa12.mgmt lost some level of its replication
>>> agreement with ipa13. I saw some level because users / hosts were
>>> replicated between all systems but we started seeing DNS was not resolving
>>> properly from ipa12. I do not know when this started.
>>>
>>> When looking at replication agreements on ipa12 I did not see any
>>> agreement with ipa13.
>>>
>>> When I run ipa-replica-manage list all three hosts show as master.
>>>
>>> When I run ipa-replica-manage ipa11.mgmt I see ipa13.mgmt is a replica.
>>>
>>> When I run ipa-replica-manage ipa12.mgmt nothing returned.
>>>
>>> I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt ipa12.mgmt.crosschx.com ipa13.mgmt.crosschx.com on ipa12.mgmt
>>>
>>> I then ran the following
>>>
>>> ipa-replica-manage force-sync --from ipa13.mgmt.crosschx.com
>>>
>>> ipa-replica-manage re-initialize --from ipa13.mgmt.crosschx.com
>>>
>>> I was still seeing bad DNS returns when dig'ing against ipa12.mgmt. I
>>> was able to create user and DNS records and see the information replicated
>>> properly across all three nodes.
>>>
>>> I then ran ipactl stop on ipa12.mgmt and then ipactl start on ipa12.mgmt
>>> because I wanted to make sure everything was running fresh after the
>>> changes above. While IPA was starting up (DNS started) we were able to see
>>> valid DNS queries returned but pki-tomcat would not start.
>>>
>>> I am not sure what I need to do in order to get this working. I have
>>> included the output of certutil and getcert below from all three servers as
>>> well as the debug output for pki.
>>>
>>> While the IPA system is coming up I am able to successfully run
>>> ldapsearch -x as the root user and see results. I am also able to login
>>> with the "cn=Directory Manager" account and see results.
>>>
>>> The debug log shows the following error.
>>>
>>> [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
>>> [03/May/2017:21:22:01][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
>>> [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
>>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
>>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path?
/var/lib/pki/pki-tomcat/logs/autoShutdown.crumb >>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look >>> for cert for auto-shutdown support:auditSigningCert cert-pki-ca >>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found >>> cert:auditSigningCert cert-pki-ca >>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init >>> id=debug >>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized >>> debug >>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem >>> id=log >>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init >>> id=log >>> [03/May/2017:21:22:01][localhost-startStop-1]: Creating >>> RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit) >>> [03/May/2017:21:22:01][localhost-startStop-1]: Creating >>> RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system) >>> [03/May/2017:21:22:01][localhost-startStop-1]: Creating >>> RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions) >>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at >>> autoShutdown? false >>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown >>> crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb >>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look >>> for cert for auto-shutdown support:auditSigningCert cert-pki-ca >>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found >>> cert:auditSigningCert cert-pki-ca >>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init >>> id=log >>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized >>> log >>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem >>> id=jss >>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init >>> id=jss >>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at >>> autoShutdown? 
false >>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown >>> crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb >>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look >>> for cert for auto-shutdown support:auditSigningCert cert-pki-ca >>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found >>> cert:auditSigningCert cert-pki-ca >>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init >>> id=jss >>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized >>> jss >>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem >>> id=dbs >>> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init >>> id=dbs >>> [03/May/2017:21:22:01][localhost-startStop-1]: DBSubsystem: init() >>> mEnableSerialMgmt=true >>> [03/May/2017:21:22:01][localhost-startStop-1]: Creating >>> LdapBoundConnFactor(DBSubsystem) >>> [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory: >>> init >>> [03/May/2017:21:22:01][localhost-startStop-1]: >>> LdapBoundConnFactory:doCloning true >>> [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init() >>> [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init begins >>> [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init ends >>> [03/May/2017:21:22:01][localhost-startStop-1]: init: before >>> makeConnection errorIfDown is true >>> [03/May/2017:21:22:01][localhost-startStop-1]: makeConnection: >>> errorIfDown true >>> [03/May/2017:21:22:02][localhost-startStop-1]: >>> SSLClientCertificateSelectionCB: Setting desired cert nickname to: >>> subsystemCert cert-pki-ca >>> [03/May/2017:21:22:02][localhost-startStop-1]: LdapJssSSLSocket: set >>> client auth cert nickname subsystemCert cert-pki-ca >>> [03/May/2017:21:22:02][localhost-startStop-1]: >>> SSLClientCertificatSelectionCB: Entering! 
>>> [03/May/2017:21:22:02][localhost-startStop-1]: >>> SSLClientCertificateSelectionCB: returning: null >>> [03/May/2017:21:22:02][localhost-startStop-1]: SSL handshake happened >>> Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 >>> Error netscape.ldap.LDAPException: Authentication failed (48) >>> at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConne >>> ction(LdapBoundConnFactory.java:205) >>> at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(Ldap >>> BoundConnFactory.java:166) >>> at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(Ldap >>> BoundConnFactory.java:130) >>> at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654) >>> at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine. >>> java:1169) >>> at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine >>> .java:1075) >>> at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571) >>> at com.netscape.certsrv.apps.CMS.init(CMS.java:187) >>> at com.netscape.certsrv.apps.CMS.start(CMS.java:1616) >>> at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartS >>> ervlet.java:114) >>> at javax.servlet.GenericServlet.init(GenericServlet.java:158) >>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce >>> ssorImpl.java:62) >>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe >>> thodAccessorImpl.java:43) >>> at java.lang.reflect.Method.invoke(Method.java:498) >>> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil >>> .java:288) >>> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil >>> .java:285) >>> at java.security.AccessController.doPrivileged(Native Method) >>> at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) >>> at org.apache.catalina.security.SecurityUtil.execute(SecurityUt >>> il.java:320) >>> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(Secu >>> rityUtil.java:175) >>> at 
org.apache.catalina.security.SecurityUtil.doAsPrivilege(Secu >>> rityUtil.java:124) >>> at org.apache.catalina.core.StandardWrapper.initServlet(Standar >>> dWrapper.java:1270) >>> at org.apache.catalina.core.StandardWrapper.loadServlet(Standar >>> dWrapper.java:1195) >>> at org.apache.catalina.core.StandardWrapper.load(StandardWrappe >>> r.java:1085) >>> at org.apache.catalina.core.StandardContext.loadOnStartup(Stand >>> ardContext.java:5318) >>> at org.apache.catalina.core.StandardContext.startInternal(Stand >>> ardContext.java:5610) >>> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.j >>> ava:147) >>> at org.apache.catalina.core.ContainerBase.addChildInternal(Cont >>> ainerBase.java:899) >>> at org.apache.catalina.core.ContainerBase.access$000(ContainerB >>> ase.java:133) >>> at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.ru >>> n(ContainerBase.java:156) >>> at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.ru >>> n(ContainerBase.java:145) >>> at java.security.AccessController.doPrivileged(Native Method) >>> at org.apache.catalina.core.ContainerBase.addChild(ContainerBas >>> e.java:873) >>> at org.apache.catalina.core.StandardHost.addChild(StandardHost. 
>>> java:652) >>> at org.apache.catalina.startup.HostConfig.deployDescriptor(Host >>> Config.java:679) >>> at org.apache.catalina.startup.HostConfig$DeployDescriptor.run( >>> HostConfig.java:1966) >>> at java.util.concurrent.Executors$RunnableAdapter.call(Executor >>> s.java:511) >>> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool >>> Executor.java:1142) >>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo >>> lExecutor.java:617) >>> at java.lang.Thread.run(Thread.java:745) >>> Internal Database Error encountered: Could not connect to LDAP server >>> host ipa12.mgmt.crosschx.com port 636 Error >>> netscape.ldap.LDAPException: Authentication failed (48) >>> at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676) >>> at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine. >>> java:1169) >>> at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine >>> .java:1075) >>> at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571) >>> at com.netscape.certsrv.apps.CMS.init(CMS.java:187) >>> at com.netscape.certsrv.apps.CMS.start(CMS.java:1616) >>> at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartS >>> ervlet.java:114) >>> at javax.servlet.GenericServlet.init(GenericServlet.java:158) >>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce >>> ssorImpl.java:62) >>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe >>> thodAccessorImpl.java:43) >>> at java.lang.reflect.Method.invoke(Method.java:498) >>> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil >>> .java:288) >>> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil >>> .java:285) >>> at java.security.AccessController.doPrivileged(Native Method) >>> at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) >>> at 
org.apache.catalina.security.SecurityUtil.execute(SecurityUt >>> il.java:320) >>> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(Secu >>> rityUtil.java:175) >>> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(Secu >>> rityUtil.java:124) >>> at org.apache.catalina.core.StandardWrapper.initServlet(Standar >>> dWrapper.java:1270) >>> at org.apache.catalina.core.StandardWrapper.loadServlet(Standar >>> dWrapper.java:1195) >>> at org.apache.catalina.core.StandardWrapper.load(StandardWrappe >>> r.java:1085) >>> at org.apache.catalina.core.StandardContext.loadOnStartup(Stand >>> ardContext.java:5318) >>> at org.apache.catalina.core.StandardContext.startInternal(Stand >>> ardContext.java:5610) >>> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.j >>> ava:147) >>> at org.apache.catalina.core.ContainerBase.addChildInternal(Cont >>> ainerBase.java:899) >>> at org.apache.catalina.core.ContainerBase.access$000(ContainerB >>> ase.java:133) >>> at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.ru >>> n(ContainerBase.java:156) >>> at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.ru >>> n(ContainerBase.java:145) >>> at java.security.AccessController.doPrivileged(Native Method) >>> at org.apache.catalina.core.ContainerBase.addChild(ContainerBas >>> e.java:873) >>> at org.apache.catalina.core.StandardHost.addChild(StandardHost. 
>>> java:652) >>> at org.apache.catalina.startup.HostConfig.deployDescriptor(Host >>> Config.java:679) >>> at org.apache.catalina.startup.HostConfig$DeployDescriptor.run( >>> HostConfig.java:1966) >>> at java.util.concurrent.Executors$RunnableAdapter.call(Executor >>> s.java:511) >>> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool >>> Executor.java:1142) >>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo >>> lExecutor.java:617) >>> at java.lang.Thread.run(Thread.java:745) >>> [03/May/2017:21:22:02][localhost-startStop-1]: CMSEngine.shutdown() >>> >>> >>> ============================= >>> >>> >>> IPA11.MGMT >>> >>> >>> (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/ >>> >>> Certificate Nickname Trust Attributes >>> SSL,S/MIME,JAR/XPI >>> >>> Server-Cert u,u,uMGMT.CROSSCHX.COM IPA CA CT,C,C >>> >>> (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/ >>> >>> Certificate Nickname Trust Attributes >>> SSL,S/MIME,JAR/XPI >>> >>> caSigningCert cert-pki-ca CTu,Cu,Cu >>> auditSigningCert cert-pki-ca u,u,Pu >>> ocspSigningCert cert-pki-ca u,u,u >>> subsystemCert cert-pki-ca u,u,u >>> Server-Cert cert-pki-ca u,u,u >>> >>> >>> >>> >>> >>> IPA13.MGMT >>> (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/ >>> >>> Certificate Nickname Trust Attributes >>> SSL,S/MIME,JAR/XPI >>> >>> Server-Cert u,u,uMGMT.CROSSCHX.COM IPA CA CT,C,C >>> >>> (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/ >>> >>> Certificate Nickname Trust Attributes >>> SSL,S/MIME,JAR/XPI >>> >>> caSigningCert cert-pki-ca CTu,Cu,Cu >>> auditSigningCert cert-pki-ca u,u,Pu >>> ocspSigningCert cert-pki-ca u,u,u >>> subsystemCert cert-pki-ca u,u,u >>> Server-Cert cert-pki-ca u,u,u >>> >>> >>> >>> >>> IPA12.MGMT >>> (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/ >>> >>> Certificate Nickname Trust Attributes >>> SSL,S/MIME,JAR/XPI >>> >>> Server-Cert u,u,uMGMT.CROSSCHX.COM IPA CA C,, >>> 
>>> (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/ >>> >>> Certificate Nickname Trust Attributes >>> SSL,S/MIME,JAR/XPI >>> >>> caSigningCert cert-pki-ca CTu,Cu,Cu >>> auditSigningCert cert-pki-ca u,u,Pu >>> ocspSigningCert cert-pki-ca u,u,u >>> subsystemCert cert-pki-ca u,u,u >>> Server-Cert cert-pki-ca u,u,u >>> >>> ================================================= >>> >>> IPA11.MGMT >>> (root)>getcert list >>> Number of certificates and requests being tracked: 8. >>> Request ID '20161229155314': >>> status: MONITORING >>> stuck: no >>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt' >>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB' >>> CA: IPA >>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>> subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM >>> expires: 2018-12-30 15:52:43 UTC >>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>> eku: id-kp-serverAuth,id-kp-clientAuth >>> pre-save command: >>> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM >>> track: yes >>> auto-renew: yes >>> Request ID '20161229155652': >>> status: MONITORING >>> stuck: no >>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set >>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' >>> CA: dogtag-ipa-ca-renew-agent >>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>> subject: CN=CA Audit,O=MGMT.CROSSCHX.COM >>> expires: 2018-11-12 13:00:29 UTC >>> key usage: digitalSignature,nonRepudiation >>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"auditSigningCert cert-pki-ca" >>> track: yes >>> auto-renew: yes >>> Request ID '20161229155654': >>> status: MONITORING >>> stuck: no >>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set >>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' >>> CA: dogtag-ipa-ca-renew-agent >>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>> subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM >>> expires: 2018-11-12 13:00:26 UTC >>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign >>> eku: id-kp-OCSPSigning >>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" >>> track: yes >>> auto-renew: yes >>> Request ID '20161229155655': >>> status: MONITORING >>> stuck: no >>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set >>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' >>> CA: dogtag-ipa-ca-renew-agent >>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>> subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM >>> expires: 2018-11-12 13:00:28 UTC >>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>> eku: id-kp-serverAuth,id-kp-clientAuth >>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" >>> track: yes >>> auto-renew: yes >>> Request ID '20161229155657': >>> status: MONITORING >>> stuck: no >>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set >>> certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' >>> CA: dogtag-ipa-ca-renew-agent >>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>> subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>> expires: 2036-11-22 13:00:25 UTC >>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign >>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" >>> track: yes >>> auto-renew: yes >>> Request ID '20161229155659': >>> status: MONITORING >>> stuck: no >>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set >>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' >>> CA: dogtag-ipa-renew-agent >>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>> subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM >>> expires: 2018-12-19 15:56:20 UTC >>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>> eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection >>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" >>> track: yes >>> auto-renew: yes >>> Request ID '20161229155921': >>> status: MONITORING >>> stuck: no >>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' >>> CA: IPA >>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>> subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM >>> expires: 2018-12-30 15:52:46 UTC >>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>> eku: 
id-kp-serverAuth,id-kp-clientAuth >>> pre-save command: >>> post-save command: /usr/libexec/ipa/certmonger/restart_httpd >>> track: yes >>> auto-renew: yes >>> Request ID '20161229160009': >>> status: MONITORING >>> stuck: no >>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' >>> CA: dogtag-ipa-ca-renew-agent >>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>> subject: CN=IPA RA,O=MGMT.CROSSCHX.COM >>> expires: 2018-11-12 13:01:34 UTC >>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>> eku: id-kp-serverAuth,id-kp-clientAuth >>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre >>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert >>> track: yes >>> auto-renew: yes >>> >>> >>> >>> >>> ================================== >>> >>> IPA13.MGMT >>> >>> (root)>getcert list >>> Number of certificates and requests being tracked: 8. 
>>> Request ID '20161229143449': >>> status: MONITORING >>> stuck: no >>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt' >>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB' >>> CA: IPA >>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>> subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM >>> expires: 2018-12-30 14:34:20 UTC >>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>> eku: id-kp-serverAuth,id-kp-clientAuth >>> pre-save command: >>> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM >>> track: yes >>> auto-renew: yes >>> Request ID '20161229143826': >>> status: MONITORING >>> stuck: no >>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set >>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' >>> CA: dogtag-ipa-ca-renew-agent >>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>> subject: CN=CA Audit,O=MGMT.CROSSCHX.COM >>> expires: 2018-11-12 13:00:29 UTC >>> key usage: digitalSignature,nonRepudiation >>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" >>> track: yes >>> auto-renew: yes >>> Request ID '20161229143828': >>> status: MONITORING >>> stuck: no >>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set >>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' >>> CA: dogtag-ipa-ca-renew-agent >>> issuer: CN=Certificate 
Authority,O=MGMT.CROSSCHX.COM >>> subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM >>> expires: 2018-11-12 13:00:26 UTC >>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign >>> eku: id-kp-OCSPSigning >>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" >>> track: yes >>> auto-renew: yes >>> Request ID '20161229143831': >>> status: MONITORING >>> stuck: no >>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set >>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' >>> CA: dogtag-ipa-ca-renew-agent >>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>> subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM >>> expires: 2018-11-12 13:00:28 UTC >>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>> eku: id-kp-serverAuth,id-kp-clientAuth >>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" >>> track: yes >>> auto-renew: yes >>> Request ID '20161229143833': >>> status: MONITORING >>> stuck: no >>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set >>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' >>> CA: dogtag-ipa-ca-renew-agent >>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>> subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>> expires: 2036-11-22 13:00:25 UTC >>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign >>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" >>> track: yes 
>>> auto-renew: yes >>> Request ID '20161229143835': >>> status: MONITORING >>> stuck: no >>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set >>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' >>> CA: dogtag-ipa-renew-agent >>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>> subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM >>> expires: 2018-12-19 14:37:54 UTC >>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>> eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection >>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" >>> track: yes >>> auto-renew: yes >>> Request ID '20161229144057': >>> status: MONITORING >>> stuck: no >>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' >>> CA: IPA >>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>> subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM >>> expires: 2018-12-30 14:34:23 UTC >>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>> eku: id-kp-serverAuth,id-kp-clientAuth >>> pre-save command: >>> post-save command: /usr/libexec/ipa/certmonger/restart_httpd >>> track: yes >>> auto-renew: yes >>> Request ID '20161229144146': >>> status: MONITORING >>> stuck: no >>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' >>> CA: dogtag-ipa-ca-renew-agent >>> issuer: CN=Certificate 
Authority,O=MGMT.CROSSCHX.COM >>> subject: CN=IPA RA,O=MGMT.CROSSCHX.COM >>> expires: 2018-11-12 13:01:34 UTC >>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>> eku: id-kp-serverAuth,id-kp-clientAuth >>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre >>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert >>> track: yes >>> auto-renew: yes >>> >>> >>> >>> =========================== >>> >>> IPA12.MGMT >>> >>> (root)>getcert list >>> Number of certificates and requests being tracked: 8. >>> Request ID '20161229151518': >>> status: MONITORING >>> stuck: no >>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt' >>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB' >>> CA: IPA >>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>> subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM >>> expires: 2018-12-30 15:14:51 UTC >>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>> eku: id-kp-serverAuth,id-kp-clientAuth >>> pre-save command: >>> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM >>> track: yes >>> auto-renew: yes >>> Request ID '20161229151850': >>> status: MONITORING >>> stuck: no >>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set >>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' >>> CA: dogtag-ipa-ca-renew-agent >>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>> subject: CN=CA Audit,O=MGMT.CROSSCHX.COM >>> expires: 2018-11-12 13:00:29 UTC >>> key usage: digitalSignature,nonRepudiation >>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >>> 
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" >>> track: yes >>> auto-renew: yes >>> Request ID '20161229151852': >>> status: MONITORING >>> stuck: no >>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set >>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' >>> CA: dogtag-ipa-ca-renew-agent >>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>> subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM >>> expires: 2018-11-12 13:00:26 UTC >>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign >>> eku: id-kp-OCSPSigning >>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" >>> track: yes >>> auto-renew: yes >>> Request ID '20161229151854': >>> status: MONITORING >>> stuck: no >>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set >>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' >>> CA: dogtag-ipa-ca-renew-agent >>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>> subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM >>> expires: 2018-11-12 13:00:28 UTC >>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>> eku: id-kp-serverAuth,id-kp-clientAuth >>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" >>> track: yes >>> auto-renew: yes >>> Request ID '20161229151856': >>> status: MONITORING >>> stuck: no >>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set >>> certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' >>> CA: dogtag-ipa-ca-renew-agent >>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>> subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>> expires: 2036-11-22 13:00:25 UTC >>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign >>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" >>> track: yes >>> auto-renew: yes >>> Request ID '20161229151858': >>> status: MONITORING >>> stuck: no >>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set >>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' >>> CA: dogtag-ipa-renew-agent >>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>> subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM >>> expires: 2018-12-19 15:18:16 UTC >>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>> eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection >>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" >>> track: yes >>> auto-renew: yes >>> Request ID '20161229152115': >>> status: MONITORING >>> stuck: no >>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' >>> CA: IPA >>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>> subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM >>> expires: 2018-12-30 15:14:54 UTC >>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>> eku: 
id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command:
>>> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>>> track: yes
>>> auto-renew: yes
>>> Request ID '20161229152204':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>>> expires: 2018-11-12 13:01:34 UTC
>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>> track: yes
>>> auto-renew: yes
>>>
>>>
>>>
>>> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
>>> 614.427.2411
>>> mike.plemmons at crosschx.com
>>> www.crosschx.com
>>>
>>
>>
>

From abokovoy at redhat.com Thu May 4 08:03:29 2017
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 4 May 2017 11:03:29 +0300
Subject: [Freeipa-users] Password history based on age, not count?
In-Reply-To: <0100015bcfb7ce42-4e0bc64a-1ece-47dc-a573-0fd41aec1c78-000000@email.amazonses.com>
References: <0100015bcfb7ce42-4e0bc64a-1ece-47dc-a573-0fd41aec1c78-000000@email.amazonses.com>
Message-ID: <20170504080329.anl7vp5drn37mvqv@redhat.com>

On Wed, 03 May 2017, Patrick Hemmer wrote:
>Would it be reasonable to request a feature for FreeIPA to enforce
>password history reuse based on age, instead of a count? Meaning
>configure FreeIPA to enforce that a password cannot be reused within the
>last 1 year?
Then we could remove the minimum time between password
>changes, and not worry about people cycling through X passwords to be
>able to reuse one.
>
>When we were using OpenLDAP for user account management, I wrote an
>extension for it to do just that and it was rather convenient (not
>having to deal with an annoying min-change-time). The whole
>min-time-between-changes, and number-of-passwords-in-history thing has
>always seemed like a hack to accomplish the true goal of preventing
>users from reusing passwords within a certain amount of time.

Please file a ticket for FreeIPA. We want to eventually move all this
code to 389-ds itself so that its password history check plugin could
support all IPA-related features as well but it is not there yet.

I think password age based checks are a reasonable request.
--
/ Alexander Bokovoy

From pvoborni at redhat.com Thu May 4 11:31:25 2017
From: pvoborni at redhat.com (Petr Vobornik)
Date: Thu, 4 May 2017 13:31:25 +0200
Subject: [Freeipa-users] I think I lost my CA...
In-Reply-To:
References: <25b53b08-ede0-7627-4b31-d9cb7de50b38@damascusgrp.com> <2da4022b-408a-846e-1acf-1d1b576987a6@damascusgrp.com> <42070482-0397-f4c7-552d-6215b6140197@damascusgrp.com> <50a036fb-b118-878e-5983-85427aefb8e5@damascusgrp.com> <81f171a5-3bea-ed43-94a0-c20f53b756f0@damascusgrp.com>
Message-ID: <35826ec9-b5b4-3cc2-7b5e-08b8b4a71b08@redhat.com>

On 04/28/2017 02:57 PM, Bret Wortman wrote:
> Flo,
>
> I did find that issue and made those corrections to our /etc/hosts file,
> but the problem persists.
>
> Thanks for the idea!

after the change did you restart pki?

>
>
> Bret
>
>
>
> On 04/27/2017 03:42 AM, Florence Blanc-Renaud wrote:
>> On 04/26/2017 04:33 PM, Bret Wortman wrote:
>>> So I can see my certs using cert-find, but can't get details using
>>> cert-show or add new ones using cert-request.
>>> >>> # ipa cert-find >>> : >>> ------------------------------ >>> Number of entries returned 385 >>> ------------------------------ >>> # ipa cert-show 895 >>> ipa: ERROR: Certificate operation cannot be completed: Unable to >>> communicate with CMS (503) >>> # ipa cert-show 1 (which does not exist) >>> ipa: ERROR: Certificate operation cannot be completed: Unable to >>> communicate with CMS (503) >>> # ipa cert-status 895 >>> ipa: ERROR: Certificate operation cannot be completed: Unable to >>> communicate with CMS (503) >>> # >>> >>> Is this an IPV6 thing? Because ipactl shows everything green and >>> certmonger is running. >>> >> Hi Bret, >> >> the issue looks similar to https://pagure.io/freeipa/issue/6575 and >> https://pagure.io/dogtagpki/issue/2570 which were IPv6 related. Note >> that IPv6 must be enabled on the machine but IPA does not require an >> IPv6 address to be configured (except for the loopback). >> >> You can check the following: >> - is PKI listening to port 8009 on IPv6 or IPv4 interface? >> sudo netstat -tunpl | grep 8009 >> tcp6 0 0 127.0.0.1:8009 :::* LISTEN 10749/java >> >> - /etc/pki/pki-tomcat/server.xml defines a redirection from port 8009 >> to 8443, and the "address" part is important: >> > protocol="AJP/1.3" >> redirectPort="8443" >> address="localhost" /> >> >> In the above example, it will be using localhost which can resolve >> either to IPv4 or IPv6. >> >> - /etc/hosts must define the loopback addresses with >> 127.0.0.1 localhost localhost.localdomain localhost4 >> localhost4.localdomain4 >> ::1 localhost localhost.localdomain localhost6 >> localhost6.localdomain6 >> >> HTH, >> Flo. 
>>> Bret >>> >>> >>> On 04/26/2017 09:03 AM, Bret Wortman wrote: >>>> >>>> Digging still deeper: >>>> >>>> # ipa cert-request f.f --principal=HTTP/`hostname`@DAMASCUSGRP.COM >>>> ipa: ERROR: Certificate operation cannot be completed: Unable to >>>> communicate with CMS (503) >>>> >>>> Looks like this is an HTTP error; so is it possible that my IPA thinks >>>> it has a CA but there's no CMS available? >>>> >>>> >>>> On 04/26/2017 08:41 AM, Bret Wortman wrote: >>>>> >>>>> Using the firefox debugger, I get these errors when trying to pop up >>>>> the New Certificate dialog: >>>>> >>>>> Empty string passed to getElementById(). (5) >>>>> jquery.js:4:1060 >>>>> TypeError: u is undefined >>>>> app.js:1:362059 >>>>> Empty string passed to getElementById(). (5) >>>>> jquery.js:4:1060 >>>>> TypeError: t is undefined >>>>> app.js:1:217432 >>>>> >>>>> I'm definitely not a web kind of guy so I'm not sure if this is >>>>> helpful or not. This is on 4.4.0, API Version 2.213. >>>>> >>>>> >>>>> Bret >>>>> >>>>> >>>>> On 04/26/2017 08:35 AM, Bret Wortman wrote: >>>>>> >>>>>> Good news. One of my servers _does_ have CA installed. So why does >>>>>> "Action -> New Certificate" not do anything on this or any other >>>>>> server? >>>>>> >>>>>> >>>>>> Bret >>>>>> >>>>>> >>>>>> On 04/25/2017 02:52 PM, Bret Wortman wrote: >>>>>>> >>>>>>> I recently had to upgrade all my Fedora IPA servers to C7. It went >>>>>>> well, and we've been up and running nicely on 4.4.0 on C7 for the >>>>>>> past month or so. >>>>>>> >>>>>>> Today, someone came and asked me to generate a new certificate for >>>>>>> their web server. All was good until I went to the IPA UI and tried >>>>>>> to perform Actions->New Certificate, which did nothing. I tried >>>>>>> each of our 3 servers in turn. All came back with no popup window >>>>>>> and no error, either. >>>>>>> >>>>>>> I suspect the problem might be that we no longer have a CA server >>>>>>> due to the method I used to upgrade the servers. 
I likely missed a >>>>>>> "--setup-ca" in there somewhere, so my rolling update rolled over >>>>>>> the CA. >>>>>>> >>>>>>> What's my best hope of recovery? I never ran this before, so I'm >>>>>>> not sure if this shows that I'm missing a CA or not: >>>>>>> >>>>>>> # ipa ca-find >>>>>>> ------------ >>>>>>> 1 CA matched >>>>>>> ------------ >>>>>>> Name: ipa >>>>>>> Description IPA CA >>>>>>> Authority ID: 3ce3346[...] >>>>>>> Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM >>>>>>> Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM >>>>>>> ---------------------------- >>>>>>> Number of entries returned 1 >>>>>>> ---------------------------- >>>>>>> # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA, >>>>>>> O=DAMASCUSGRP.COM" >>>>>>> ipa: ERROR: Failed to authenticate to CA REST API >>>>>>> # klist >>>>>>> Ticket cache: KEYRING:persistent:0:0 >>>>>>> Default principal: admin at DAMASCUSGRP.COM >>>>>>> >>>>>>> Valid starting Expires Service principal >>>>>>> 04/25/2017 18:48:26 04/26/2017 18:48:21 >>>>>>> krbtgt/DAMASCUSGRP.COM at DAMASCUSGRP.COM >>>>>>> # >>>>>>> >>>>>>> >>>>>>> What's my best path of recovery? >>>>>>> >>>>>>> -- >>>>>>> *Bret Wortman* >>>>>>> The Damascus Group >>>>>>> >>>>>> >>>>>> >>>>>> >>>>> >>>>> >>>>> >>>> >>>> >>>> >>> >>> >>> >> > -- Petr Vobornik Associate Manager, Engineering, Identity Management Red Hat From pvoborni at redhat.com Thu May 4 11:35:45 2017 From: pvoborni at redhat.com (Petr Vobornik) Date: Thu, 4 May 2017 13:35:45 +0200 Subject: [Freeipa-users] ipa server-del In-Reply-To: References: Message-ID: <7098a668-5e0d-a876-9a9e-2688c39fc705@redhat.com> On 05/04/2017 12:41 AM, Ian Harding wrote: > Is there any way this can be made to work? This server does not exist > in real life or seemingly in FreeIPA, but a ghost of it does. 
> > ianh at vm-ian-laptop:~$ ipa server-find freeipa-dal.bpt.rocks > -------------------- > 1 IPA server matched > -------------------- > Server name: freeipa-dal.bpt.rocks > Min domain level: 0 > Max domain level: 0 > ---------------------------- > Number of entries returned 1 > ---------------------------- > ianh at vm-ian-laptop:~$ ipa server-del freeipa-dal.bpt.rocks > Removing freeipa-dal.bpt.rocks from replication topology, please wait... > ipa: ERROR: freeipa-dal.bpt.rocks: server not found > ianh at vm-ian-laptop:~$ ipa server-del freeipa-dal.bpt.rocks --force > Removing freeipa-dal.bpt.rocks from replication topology, please wait... > ipa: ERROR: freeipa-dal.bpt.rocks: server not found > ianh at vm-ian-laptop:~$ ipa server-del freeipa-dal.bpt.rocks --force > --continue > Removing freeipa-dal.bpt.rocks from replication topology, please wait... > ipa: WARNING: Forcing removal of freeipa-dal.bpt.rocks > --------------------- > Deleted IPA server "" > --------------------- > Failed to remove: freeipa-dal.bpt.rocks > ianh at vm-ian-laptop:~$ > > - Ian > This looks like a bug to me. Probably some LDAP search ended with "not found" result which then was incorrectly interpreted as "server not found". To know where the issue is it would help switch IPA framework on server to debug mode [1] and provide httpd/error_log and dirsrv/$domain/access log from time of execution of the command. [1] https://www.freeipa.org/page/Troubleshooting#Administration_Framework -- Petr Vobornik From flo at redhat.com Thu May 4 11:55:12 2017 From: flo at redhat.com (Florence Blanc-Renaud) Date: Thu, 4 May 2017 13:55:12 +0200 Subject: [Freeipa-users] Can't make replica with CA due to LDAP 'replication manager' user not found error In-Reply-To: <5909F434.9060905@sonsorol.org> References: <5909F434.9060905@sonsorol.org> Message-ID: <759b9fb7-d578-b3c2-4725-7b0ef9e8f45e@redhat.com> On 05/03/2017 05:16 PM, Chris Dagdigian wrote: > > > Any guidance for this one? 
> > Summary - this seems to be the fatal error that causes the CA setup on > the replica to fail: > > May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: testLDAPConnection: > The specified user cn=Replication Manager > masterAgreement1-usaeilidmp002.XXX.org-pki-tomcat,cn=config does not exist > > > May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: CMSEngine: init(): > password test execution failed for replicationdbwith NO_SUCH_USER. This > may not be a latest instance. Ignoring .. > > > More details ... > > > Trying to build a replica with CA duties for the first time. > > It hangs here during the replica install process: > > > ipa : DEBUG stderr= > ipa : DEBUG wait_for_open_ports: localhost [8080, 8443] > timeout 300 > ipa : DEBUG Waiting until the CA is running > ipa : DEBUG request POST > http://usaeilidmp002.XXX.org:8080/ca/admin/ca/getStatus > ipa : DEBUG request body '' > > > However the root cause seems to be that the CA won't start because > something is wrong with an LDAP replication manager user? > > When I restart the pki-tomcatd service the replica install STDOUT > refreshes the above status. After the 3rd attempt it triggers the fatal > "CA will not start after 300 seconds" error > > > > From the logs: > > # systemctl status pki-tomcatd at pki-tomcat.service > ? pki-tomcatd at pki-tomcat.service - PKI Tomcat Server pki-tomcat > Loaded: loaded (/lib/systemd/system/pki-tomcatd at .service; enabled; > vendor preset: disabled) > Active: active (running) since Wed 2017-05-03 15:09:04 UTC; 40s ago > Process: 3843 ExecStop=/usr/libexec/tomcat/server stop (code=exited, > status=1/FAILURE) > Process: 3880 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited, > status=0/SUCCESS) > Main PID: 3993 (java) > CGroup: > /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd at pki-tomcat.service > ??3993 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java > -DRESTEASY_LIB=/usr/share/java/resteasy-base > -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/... 
> > May 03 15:09:08 usaeilidmp002.XXX.org server[3993]: > SSLAuthenticatorWithFallback: Setting container > May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: > SSLAuthenticatorWithFallback: Initializing authenticators > May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: > SSLAuthenticatorWithFallback: Starting authenticators > May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: > CMSEngine.initializePasswordStore() begins > May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: > CMSEngine.initializePasswordStore(): tag=internaldb > May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: testLDAPConnection > connecting to usaeilidmp002.XXX.org:389 > May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: > CMSEngine.initializePasswordStore(): tag=replicationdb > May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: testLDAPConnection > connecting to usaeilidmp002.XXX.org:389 > May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: testLDAPConnection: > The specified user cn=Replication Manager > masterAgreement1-usaeilidmp002.XXX...not exist > May 03 15:09:09 usaeilidmp002.XXX.org server[3993]: CMSEngine: init(): > password test execution failed for replicationdbwith NO_SUCH_USER. This > may not...noring .. > Hint: Some lines were ellipsized, use -l to show in full. > > > > > > Hi, the issue looks similar to ticket 6766 [1] Flo. [1] https://pagure.io/freeipa/issue/6766 From dag at sonsorol.org Thu May 4 12:01:46 2017 From: dag at sonsorol.org (Chris Dagdigian) Date: Thu, 04 May 2017 08:01:46 -0400 Subject: [Freeipa-users] Can't make replica with CA due to LDAP 'replication manager' user not found error In-Reply-To: <759b9fb7-d578-b3c2-4725-7b0ef9e8f45e@redhat.com> References: <5909F434.9060905@sonsorol.org> <759b9fb7-d578-b3c2-4725-7b0ef9e8f45e@redhat.com> Message-ID: <590B182A.2050005@sonsorol.org> Florence Blanc-Renaud wrote: > the issue looks similar to ticket 6766 [1] > Flo. 
>
> [1] https://pagure.io/freeipa/issue/6766

Thanks Flo, I agree that this looks like the issue I'm hitting in v4.4
much appreciated!

I'm gonna be watching this closely, it's nerve wracking knowing that I
can't use, update or create *any* replica servers at the moment ...

-Chris

From slaznick at redhat.com Thu May 4 12:08:05 2017
From: slaznick at redhat.com (Standa Laznicka)
Date: Thu, 4 May 2017 14:08:05 +0200
Subject: [Freeipa-users] Can't make replica with CA due to LDAP 'replication manager' user not found error
In-Reply-To: <590B182A.2050005@sonsorol.org>
References: <5909F434.9060905@sonsorol.org> <759b9fb7-d578-b3c2-4725-7b0ef9e8f45e@redhat.com> <590B182A.2050005@sonsorol.org>
Message-ID:

On 05/04/2017 02:01 PM, Chris Dagdigian wrote:
>
> Florence Blanc-Renaud wrote:
>> the issue looks similar to ticket 6766 [1]
>> Flo.
>>
>> [1] https://pagure.io/freeipa/issue/6766
>
>
> Thanks Flo, I agree that this looks like the issue I'm hitting in v4.4
> much appreciated!
>
> I'm gonna be watching this closely, it's nerve wracking knowing that I
> can't use, update or create *any* replica servers at the moment ...
>
> -Chris
>
>
You can, but you probably won't be able to install a CA replica on them
(you have to leave out the --setup-ca option). In the meantime, you can
create replicas without CA replication and when the Dogtag/DS guys solve
the problem, you can run ipa-ca-install on those to setup CA replication
there as well.

From dag at sonsorol.org Thu May 4 12:23:19 2017
From: dag at sonsorol.org (Chris Dagdigian)
Date: Thu, 04 May 2017 08:23:19 -0400
Subject: [Freeipa-users] Can't make replica with CA due to LDAP 'replication manager' user not found error
In-Reply-To:
References: <5909F434.9060905@sonsorol.org> <759b9fb7-d578-b3c2-4725-7b0ef9e8f45e@redhat.com> <590B182A.2050005@sonsorol.org>
Message-ID: <590B1D37.40605@sonsorol.org>

Standa Laznicka wrote:
> You can, but you probably won't be able to install a CA replica on
> them (you have to leave out the --setup-ca option). In the meantime,
> you can create replicas without CA replication and when the Dogtag/DS
> guys solve the problem, you can run ipa-ca-install on those to setup
> CA replication there as well.

Appreciate the attention this is getting!

My testing from yesterday shows that all replication is broken for me
due to this 'replication manager' user not existing in LDAP so I may be
hit by something in addition to the dogtag issue

I have two servers that are out of sync with each other

- Manual force update fails
- Manual re-initialization fails
- Installing a new IPA server without CA-service claims to work but no actual updates transfer

As far as I can tell all of the failures are due to an LDAP access issue
where the logs talk about a replication-agreement-specific LDAP user not
existing.

Example From Replica:

# ipa-replica-manage -v re-initialize --from usaeilidmp001.redactedidm.org
ipa: INFO: Setting agreement cn=meTousaeilidmp002.redactedidm.org,cn=replica,cn=dc\=redactedidm\,dc\=org,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meTousaeilidmp002.redactedidm.org,cn=replica,cn=dc\=redactedidm\,dc\=org,cn=mapping tree,cn=config
Update in progress, 14 seconds elapsed
# [usaeilidmp001.redactedidm.org] reports: Update failed!
Status: [-2 - LDAP error: Local error]

dirsrv error logs from Master:

04/May/2017:12:20:08.531621754 +0000] slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-usaeilidmp002.redactedidm.org-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[04/May/2017:12:20:10.071619724 +0000] slapi_ldap_bind - Error: could not bind id [cn=Replication Manager cloneAgreement1-deawilidmp001.redactedidm.org-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)
[04/May/2017:12:20:11.074340742 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/usaeilidmp001.redactedidm.org@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[04/May/2017:12:20:35.078730934 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/usaeilidmp001.redactedidm.org@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)
[04/May/2017:12:21:23.083737475 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/usaeilidmp001.redactedidm.org@] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328203 (Key table entry not found)

Regards,
Chris

From rcritten at redhat.com Thu May 4 13:13:58 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 4 May 2017 09:13:58 -0400
Subject: [Freeipa-users] ipa server-del
In-Reply-To: <7098a668-5e0d-a876-9a9e-2688c39fc705@redhat.com>
References: <7098a668-5e0d-a876-9a9e-2688c39fc705@redhat.com>
Message-ID:

Petr Vobornik wrote:
> On 05/04/2017 12:41 AM, Ian Harding wrote:
>> Is there any way this can be made to work? This server does not exist
>> in real life or seemingly in FreeIPA, but a ghost of it does.
>> >> ianh at vm-ian-laptop:~$ ipa server-find freeipa-dal.bpt.rocks >> -------------------- >> 1 IPA server matched >> -------------------- >> Server name: freeipa-dal.bpt.rocks >> Min domain level: 0 >> Max domain level: 0 >> ---------------------------- >> Number of entries returned 1 >> ---------------------------- >> ianh at vm-ian-laptop:~$ ipa server-del freeipa-dal.bpt.rocks >> Removing freeipa-dal.bpt.rocks from replication topology, please wait... >> ipa: ERROR: freeipa-dal.bpt.rocks: server not found >> ianh at vm-ian-laptop:~$ ipa server-del freeipa-dal.bpt.rocks --force >> Removing freeipa-dal.bpt.rocks from replication topology, please wait... >> ipa: ERROR: freeipa-dal.bpt.rocks: server not found >> ianh at vm-ian-laptop:~$ ipa server-del freeipa-dal.bpt.rocks --force >> --continue >> Removing freeipa-dal.bpt.rocks from replication topology, please wait... >> ipa: WARNING: Forcing removal of freeipa-dal.bpt.rocks >> --------------------- >> Deleted IPA server "" >> --------------------- >> Failed to remove: freeipa-dal.bpt.rocks >> ianh at vm-ian-laptop:~$ >> >> - Ian >> > > This looks like a bug to me. > > Probably some LDAP search ended with "not found" result which then was > incorrectly interpreted as "server not found". > > To know where the issue is it would help switch IPA framework on server > to debug mode [1] and provide httpd/error_log and dirsrv/$domain/access > log from time of execution of the command. > > [1] https://www.freeipa.org/page/Troubleshooting#Administration_Framework > I think it is probably a replication conflict entry. 
I'd start with https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html rob From rcritten at redhat.com Thu May 4 13:24:40 2017 From: rcritten at redhat.com (Rob Crittenden) Date: Thu, 4 May 2017 09:24:40 -0400 Subject: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket: In-Reply-To: References: Message-ID: <390a61fb-081b-fa93-da4c-3197b9f269be@redhat.com> Michael Plemmons wrote: > I realized that I was not very clear in my statement about testing with > ldapsearch. I had initially run it without logging in with a DN. I was > just running the local ldapsearch -x command. I then tested on > ipa12.mgmt and ipa11.mgmt logging in with a full DN for the admin and > "cn=Directory Manager" from ipa12.mgmt (broken server) and ipa11.mgmt > and both ldapsearch command succeeded. > > I ran the following from ipa12.mgmt and ipa11.mgmt as a non root user. > I also ran the command showing a line count for the output and the line > counts for each were the same when run from ipa12.mgmt and ipa11.mgmt. > > ldapsearch -LLL -h ipa12.mgmt.crosschx.com > -D "DN" -w PASSWORD -b > "cn=users,cn=accounts,dc=mgmt,dc=crosschx,dc=com" dn > > ldapsearch -LLL -h ipa12.mgmt.crosschx.com > -D "cn=directory manager" -w PASSWORD dn The CA has its own suffix and replication agreements. Given the auth error and recent (5 months) renewal of CA credentials I'd check that the CA agent authentication entries are correct. Against each master with a CA run: $ ldapsearch -LLL -x -D 'cn=directory manager' -W -b uid=ipara,ou=people,o=ipaca description The format is 2;serial#,subject,issuer Then on each run: # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial The serial # should match that in the description everywhere. 
rob > > > > > > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX > * > 614.427.2411 > mike.plemmons at crosschx.com > www.crosschx.com > > On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons > > > wrote: > > I have a three node IPA cluster. > > ipa11.mgmt - was a master over 6 months ago > ipa13.mgmt - current master > ipa12.mgmt > > ipa13 has agreements with ipa11 and ipa12. ipa11 and ipa12 do not > have agreements between each other. > > It appears that either ipa12.mgmt lost some level of its replication > agreement with ipa13. I saw some level because users / hosts were > replicated between all systems but we started seeing DNS was not > resolving properly from ipa12. I do not know when this started. > > When looking at replication agreements on ipa12 I did not see any > agreement with ipa13. > > When I run ipa-replica-manage list all three hosts show has master. > > When I run ipa-replica-manage ipa11.mgmt I see ipa13.mgmt is a replica. > > When I run ipa-replica-manage ipa12.mgmt nothing returned. > > I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt > ipa12.mgmt.crosschx.com > ipa13.mgmt.crosschx.com on ipa12.mgmt > > I then ran the following > > ipa-replica-manage force-sync --from ipa13.mgmt.crosschx.com > > > ipa-replica-manage re-initialize --from ipa13.mgmt.crosschx.com > > > I was still seeing bad DNS returns when dig'ing against ipa12.mgmt. > I was able to create user and DNS records and see the information > replicated properly across all three nodes. > > I then ran ipactl stop on ipa12.mgmt and then ipactl start on > ipa12.mgmt because I wanted to make sure everything was running > fresh after the changes above. While IPA was staring up (DNS > started) we were able to see valid DNS queries returned but > pki-tomcat would not start. > > I am not sure what I need to do in order to get this working. I > have included the output of certutil and getcert below from all > three servers as well as the debug output for pki. 
>
> While the IPA system is coming up I am able to successfully run
> ldapsearch -x as the root user and see results. I am also able to
> login with the "cn=Directory Manager" account and see results.
>
> The debug log shows the following error.
>
> [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
> [03/May/2017:21:22:01][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
> [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=debug
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized debug
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=log
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=log
> [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
> [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
> [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=log
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized log
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=jss
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=jss
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized jss
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
> [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=dbs
> [03/May/2017:21:22:01][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
> [03/May/2017:21:22:01][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)
> [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory: init
> [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
> [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init()
> [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init begins
> [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init ends
> [03/May/2017:21:22:01][localhost-startStop-1]: init: before makeConnection errorIfDown is true
> [03/May/2017:21:22:01][localhost-startStop-1]: makeConnection: errorIfDown true
> [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
> [03/May/2017:21:22:02][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
> [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
> [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
> [03/May/2017:21:22:02][localhost-startStop-1]: SSL handshake happened
> Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
>   at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
>   at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
>   at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
>   at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
>   at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
>   at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
>   at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
>   at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>   at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>   at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>   at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>   at java.lang.reflect.Method.invoke(Method.java:498)
>   at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>   at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>   at java.security.AccessController.doPrivileged(Native Method)
>   at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>   at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>   at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>   at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
>   at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
>   at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
>   at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
>   at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
>   at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
>   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>   at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>   at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>   at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>   at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>   at java.security.AccessController.doPrivileged(Native Method)
>   at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
>   at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>   at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
>   at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
>   at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>   at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>   at java.lang.Thread.run(Thread.java:745)
> Internal Database Error encountered: Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
>   at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
>   at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
>   at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
>   at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
>   at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>   at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>   at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>   at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>   at java.lang.reflect.Method.invoke(Method.java:498)
>   at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>   at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>   at java.security.AccessController.doPrivileged(Native Method)
>   at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>   at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>   at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>   at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
>   at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
>   at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
>   at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
>   at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
>   at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
>   at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>   at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>   at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>   at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>   at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>   at java.security.AccessController.doPrivileged(Native Method)
>   at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
>   at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>   at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
>   at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
>   at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>   at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>   at java.lang.Thread.run(Thread.java:745)
> [03/May/2017:21:22:02][localhost-startStop-1]: CMSEngine.shutdown()
>
> =============================
>
> IPA11.MGMT
>
> (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
> Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI
> Server-Cert u,u,u
> MGMT.CROSSCHX.COM IPA CA CT,C,C
>
> (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
> Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI
> caSigningCert cert-pki-ca CTu,Cu,Cu
> auditSigningCert cert-pki-ca u,u,Pu
> ocspSigningCert cert-pki-ca u,u,u
> subsystemCert cert-pki-ca u,u,u
> Server-Cert
cert-pki-ca u,u,u IPA13.MGMT (root)>certutil -L -d > /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/ Certificate Nickname Trust > Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u MGMT.CROSSCHX.COM > IPA CA CT,C,C (root)>certutil -L -d > /var/lib/pki/pki-tomcat/alias/ Certificate Nickname Trust Attributes > SSL,S/MIME,JAR/XPI caSigningCert cert-pki-ca CTu,Cu,Cu > auditSigningCert cert-pki-ca u,u,Pu ocspSigningCert cert-pki-ca > u,u,u subsystemCert cert-pki-ca u,u,u Server-Cert cert-pki-ca u,u,u > IPA12.MGMT (root)>certutil -L -d > /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/ Certificate Nickname Trust > Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u MGMT.CROSSCHX.COM > IPA CA C,, (root)>certutil -L -d > /var/lib/pki/pki-tomcat/alias/ Certificate Nickname Trust Attributes > SSL,S/MIME,JAR/XPI caSigningCert cert-pki-ca CTu,Cu,Cu > auditSigningCert cert-pki-ca u,u,Pu ocspSigningCert cert-pki-ca > u,u,u subsystemCert cert-pki-ca u,u,u Server-Cert cert-pki-ca u,u,u > ================================================= IPA11.MGMT > (root)>getcert list Number of certificates and requests being > tracked: 8. 
Request ID '20161229155314': status: MONITORING stuck: > no key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS > Certificate > DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS > Certificate DB' CA: IPA issuer: CN=Certificate > Authority,O=MGMT.CROSSCHX.COM subject: > CN=ipa11.mgmt.crosschx.com > ,O=MGMT.CROSSCHX.COM > expires: 2018-12-30 15:52:43 UTC key > usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save > command: /usr/libexec/ipa/certmonger/restart_dirsrv > MGMT-CROSSCHX-COM track: yes auto-renew: yes Request ID > '20161229155652': status: MONITORING stuck: no key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB',pin set certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB' CA: > dogtag-ipa-ca-renew-agent issuer: CN=Certificate > Authority,O=MGMT.CROSSCHX.COM subject: > CN=CA Audit,O=MGMT.CROSSCHX.COM expires: > 2018-11-12 13:00:29 UTC key usage: digitalSignature,nonRepudiation > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save > command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229155654': > status: MONITORING stuck: no key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB',pin set certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB' CA: > dogtag-ipa-ca-renew-agent issuer: CN=Certificate > Authority,O=MGMT.CROSSCHX.COM subject: > CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM > expires: 
2018-11-12 13:00:26 UTC key usage: > digitalSignature,nonRepudiation,keyCertSign,cRLSign eku: > id-kp-OCSPSigning pre-save command: > /usr/libexec/ipa/certmonger/stop_pkicad post-save command: > /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229155655': > status: MONITORING stuck: no key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB',pin set certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB' CA: > dogtag-ipa-ca-renew-agent issuer: CN=Certificate > Authority,O=MGMT.CROSSCHX.COM subject: > CN=CA Subsystem,O=MGMT.CROSSCHX.COM > expires: 2018-11-12 13:00:28 UTC key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: > /usr/libexec/ipa/certmonger/stop_pkicad post-save command: > /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229155657': > status: MONITORING stuck: no key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > cert-pki-ca',token='NSS Certificate DB',pin set certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > cert-pki-ca',token='NSS Certificate DB' CA: > dogtag-ipa-ca-renew-agent issuer: CN=Certificate > Authority,O=MGMT.CROSSCHX.COM subject: > CN=Certificate Authority,O=MGMT.CROSSCHX.COM > expires: 2036-11-22 13:00:25 UTC key > usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save > command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: > /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229155659': > status: MONITORING stuck: no key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS > Certificate DB',pin set certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS > Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate > Authority,O=MGMT.CROSSCHX.COM subject: > CN=ipa11.mgmt.crosschx.com > ,O=MGMT.CROSSCHX.COM > expires: 2018-12-19 15:56:20 UTC key > usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save > command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229155921': > status: MONITORING stuck: no key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB' CA: IPA issuer: CN=Certificate > Authority,O=MGMT.CROSSCHX.COM subject: > CN=ipa11.mgmt.crosschx.com > ,O=MGMT.CROSSCHX.COM > expires: 2018-12-30 15:52:46 UTC key > usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save > command: /usr/libexec/ipa/certmonger/restart_httpd track: yes > auto-renew: yes Request ID '20161229160009': status: MONITORING > stuck: no key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate > Authority,O=MGMT.CROSSCHX.COM subject: > CN=IPA RA,O=MGMT.CROSSCHX.COM expires: > 2018-11-12 13:01:34 UTC key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: > 
/usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command: > /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes > ================================== IPA13.MGMT (root)>getcert list > Number of certificates and requests being tracked: 8. Request ID > '20161229143449': status: MONITORING stuck: no key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS > Certificate > DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS > Certificate DB' CA: IPA issuer: CN=Certificate > Authority,O=MGMT.CROSSCHX.COM subject: > CN=ipa13.mgmt.crosschx.com > ,O=MGMT.CROSSCHX.COM > expires: 2018-12-30 14:34:20 UTC key > usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save > command: /usr/libexec/ipa/certmonger/restart_dirsrv > MGMT-CROSSCHX-COM track: yes auto-renew: yes Request ID > '20161229143826': status: MONITORING stuck: no key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB',pin set certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB' CA: > dogtag-ipa-ca-renew-agent issuer: CN=Certificate > Authority,O=MGMT.CROSSCHX.COM subject: > CN=CA Audit,O=MGMT.CROSSCHX.COM expires: > 2018-11-12 13:00:29 UTC key usage: digitalSignature,nonRepudiation > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save > command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229143828': > status: MONITORING stuck: no key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB',pin set certificate: > 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB' CA: > dogtag-ipa-ca-renew-agent issuer: CN=Certificate > Authority,O=MGMT.CROSSCHX.COM subject: > CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM > expires: 2018-11-12 13:00:26 UTC key usage: > digitalSignature,nonRepudiation,keyCertSign,cRLSign eku: > id-kp-OCSPSigning pre-save command: > /usr/libexec/ipa/certmonger/stop_pkicad post-save command: > /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229143831': > status: MONITORING stuck: no key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB',pin set certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB' CA: > dogtag-ipa-ca-renew-agent issuer: CN=Certificate > Authority,O=MGMT.CROSSCHX.COM subject: > CN=CA Subsystem,O=MGMT.CROSSCHX.COM > expires: 2018-11-12 13:00:28 UTC key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: > /usr/libexec/ipa/certmonger/stop_pkicad post-save command: > /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229143833': > status: MONITORING stuck: no key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > cert-pki-ca',token='NSS Certificate DB',pin set certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > cert-pki-ca',token='NSS Certificate DB' CA: > dogtag-ipa-ca-renew-agent issuer: CN=Certificate > Authority,O=MGMT.CROSSCHX.COM subject: > CN=Certificate Authority,O=MGMT.CROSSCHX.COM > expires: 2036-11-22 13:00:25 UTC key > usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save > command: /usr/libexec/ipa/certmonger/stop_pkicad 
post-save command: > /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229143835': > status: MONITORING stuck: no key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS > Certificate DB',pin set certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS > Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate > Authority,O=MGMT.CROSSCHX.COM subject: > CN=ipa13.mgmt.crosschx.com > ,O=MGMT.CROSSCHX.COM > expires: 2018-12-19 14:37:54 UTC key > usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save > command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229144057': > status: MONITORING stuck: no key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB' CA: IPA issuer: CN=Certificate > Authority,O=MGMT.CROSSCHX.COM subject: > CN=ipa13.mgmt.crosschx.com > ,O=MGMT.CROSSCHX.COM > expires: 2018-12-30 14:34:23 UTC key > usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save > command: /usr/libexec/ipa/certmonger/restart_httpd track: yes > auto-renew: yes Request ID '20161229144146': status: MONITORING > stuck: no key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: 
CN=Certificate > Authority,O=MGMT.CROSSCHX.COM subject: > CN=IPA RA,O=MGMT.CROSSCHX.COM expires: > 2018-11-12 13:01:34 UTC key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: > /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command: > /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes > =========================== IPA12.MGMT (root)>getcert list Number of > certificates and requests being tracked: 8. Request ID > '20161229151518': status: MONITORING stuck: no key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS > Certificate > DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS > Certificate DB' CA: IPA issuer: CN=Certificate > Authority,O=MGMT.CROSSCHX.COM subject: > CN=ipa12.mgmt.crosschx.com > ,O=MGMT.CROSSCHX.COM > expires: 2018-12-30 15:14:51 UTC key > usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save > command: /usr/libexec/ipa/certmonger/restart_dirsrv > MGMT-CROSSCHX-COM track: yes auto-renew: yes Request ID > '20161229151850': status: MONITORING stuck: no key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB',pin set certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB' CA: > dogtag-ipa-ca-renew-agent issuer: CN=Certificate > Authority,O=MGMT.CROSSCHX.COM subject: > CN=CA Audit,O=MGMT.CROSSCHX.COM expires: > 2018-11-12 13:00:29 UTC key usage: digitalSignature,nonRepudiation > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save > command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert > 
cert-pki-ca" track: yes auto-renew: yes Request ID '20161229151852': > status: MONITORING stuck: no key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB',pin set certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB' CA: > dogtag-ipa-ca-renew-agent issuer: CN=Certificate > Authority,O=MGMT.CROSSCHX.COM subject: > CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM > expires: 2018-11-12 13:00:26 UTC key usage: > digitalSignature,nonRepudiation,keyCertSign,cRLSign eku: > id-kp-OCSPSigning pre-save command: > /usr/libexec/ipa/certmonger/stop_pkicad post-save command: > /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229151854': > status: MONITORING stuck: no key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB',pin set certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB' CA: > dogtag-ipa-ca-renew-agent issuer: CN=Certificate > Authority,O=MGMT.CROSSCHX.COM subject: > CN=CA Subsystem,O=MGMT.CROSSCHX.COM > expires: 2018-11-12 13:00:28 UTC key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: > /usr/libexec/ipa/certmonger/stop_pkicad post-save command: > /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229151856': > status: MONITORING stuck: no key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > cert-pki-ca',token='NSS Certificate DB',pin set certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > cert-pki-ca',token='NSS Certificate DB' CA: > dogtag-ipa-ca-renew-agent issuer: 
CN=Certificate > Authority,O=MGMT.CROSSCHX.COM subject: > CN=Certificate Authority,O=MGMT.CROSSCHX.COM > expires: 2036-11-22 13:00:25 UTC key > usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save > command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: > /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229151858': > status: MONITORING stuck: no key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS > Certificate DB',pin set certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS > Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate > Authority,O=MGMT.CROSSCHX.COM subject: > CN=ipa12.mgmt.crosschx.com > ,O=MGMT.CROSSCHX.COM > expires: 2018-12-19 15:18:16 UTC key > usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save > command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229152115': > status: MONITORING stuck: no key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > Certificate DB' CA: IPA issuer: CN=Certificate > Authority,O=MGMT.CROSSCHX.COM subject: > CN=ipa12.mgmt.crosschx.com > ,O=MGMT.CROSSCHX.COM > expires: 2018-12-30 15:14:54 UTC key > usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save > command: /usr/libexec/ipa/certmonger/restart_httpd track: yes > auto-renew: yes Request ID '20161229152204': status: MONITORING > stuck: no key pair storage: > 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate
> Authority,O=MGMT.CROSSCHX.COM subject:
> CN=IPA RA,O=MGMT.CROSSCHX.COM expires:
> 2018-11-12 13:01:34 UTC key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth pre-save command:
> /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command:
> /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes
>
>
> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX
> *
> 614.427.2411
> mike.plemmons at crosschx.com
> www.crosschx.com

From jamesaharrisonuk at yahoo.co.uk Thu May 4 14:20:27 2017
From: jamesaharrisonuk at yahoo.co.uk (James Harrison)
Date: Thu, 4 May 2017 14:20:27 +0000 (UTC)
Subject: [Freeipa-users] LDAP Conflicts
References: <1565853988.4375082.1493907627117.ref@mail.yahoo.com>
Message-ID: <1565853988.4375082.1493907627117@mail.yahoo.com>

Hello All,
According to ipa_check_consistency we have "LDAP Conflicts"
(https://github.com/peterpakos/ipa_check_consistency).

How do I find and resolve them?

I've seen:
Re: [Freeipa-devel] LDAP conflicts resolution API

But not sure if I am looking in the right place.

Many thanks,
James Harrison
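In 389 Directory Server, the LDAP back end of FreeIPA, replication conflict entries carry the operational attribute nsds5ReplConflict, so they can be dumped with an ldapsearch using the filter (nsds5ReplConflict=*). The following is an added example, not part of the original post and not code from ipa_check_consistency: it parses such LDIF output and groups the conflict entries by the DN they collided on, so each group can be reviewed before anything is renamed or deleted. The sample LDIF, its DNs and ids, and all function names are constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample input (all DNs and ids are made up). It has the shape of
# the output of:
#   ldapsearch -LLL -D "cn=Directory Manager" -W -b dc=example,dc=com \
#       "(nsds5ReplConflict=*)" nsds5ReplConflict
# and exercises LDIF line folding, a base64-encoded DN ("dn::") and a value
# with an operation tag in parentheses (assumed to appear on some versions).
_B64_DN = base64.b64encode(
    b"nsuniqueid=0a1b2c03-1dd211b2-80e2a1f4-5a4e0000+cn=printers,"
    b"cn=groups,cn=accounts,dc=example,dc=com"
).decode("ascii")

SAMPLE_LDIF = (
    "dn: nsuniqueid=66446001-1dd211b2-80e2a1f4-5a4e0000+uid=jdoe,cn=users,cn=acc\n"
    " ounts,dc=example,dc=com\n"
    "nsds5ReplConflict: namingConflict uid=jdoe,cn=users,cn=accounts,dc=example,\n"
    " dc=com\n"
    "\n"
    "dn: nsuniqueid=7f3e9a02-1dd211b2-80e2a1f4-5a4e0000+uid=jdoe,cn=users,cn=acc\n"
    " ounts,dc=example,dc=com\n"
    "nsds5ReplConflict: namingConflict uid=JDoe,cn=users,cn=accounts,dc=example,\n"
    " dc=com\n"
    "\n"
    "dn:: " + _B64_DN + "\n"
    "nsds5ReplConflict: namingConflict (ADD) cn=printers,cn=groups,cn=accounts,dc"
    "=example,dc=com\n"
)


def unfold(ldif_text):
    """Join LDIF continuation lines (those starting with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_records(ldif_text):
    """Return a list of {attribute_lowercase: [values]} dicts, one per entry."""
    records, current = [], {}
    for line in unfold(ldif_text) + [""]:
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr.lower(), []).append(value)
    return records


def split_conflict(value):
    """Split 'kind [(OP)] original-dn' into (kind, original_dn)."""
    kind, _, rest = value.partition(" ")
    rest = rest.strip()
    if rest.startswith("("):
        _, _, rest = rest.partition(")")
        rest = rest.strip()
    return kind, rest


def normalise_dn(dn):
    """Case- and space-insensitive key; naive about escaped commas in RDNs."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def group_conflicts(ldif_text):
    """Map each collided-on DN to the (kind, conflict_entry_dn) pairs found."""
    groups = defaultdict(list)
    for record in parse_records(ldif_text):
        entry_dn = record.get("dn", [""])[0]
        for value in record.get("nsds5replconflict", []):
            kind, original_dn = split_conflict(value)
            groups[normalise_dn(original_dn)].append((kind, entry_dn))
    return dict(groups)


if __name__ == "__main__":
    for original_dn, conflicts in sorted(group_conflicts(SAMPLE_LDIF).items()):
        print(f"{original_dn}: {len(conflicts)} conflict entr"
              f"{'y' if len(conflicts) == 1 else 'ies'}")
        for kind, entry_dn in conflicts:
            print(f"    {kind}: {entry_dn}")
```

The script only reads and reports; deciding which entry to keep and renaming or deleting the others remains a manual step.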

From lkrispen at redhat.com Thu May 4 14:39:50 2017
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 04 May 2017 16:39:50 +0200
Subject: [Freeipa-users] LDAP Conflicts
In-Reply-To: <1565853988.4375082.1493907627117@mail.yahoo.com>
References: <1565853988.4375082.1493907627117.ref@mail.yahoo.com> <1565853988.4375082.1493907627117@mail.yahoo.com>
Message-ID: <590B3D36.80300@redhat.com>

You can start here:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-solving_common_replication_conflicts

You first need to find out which conflict entries you have, which entries need to be preserved, and then you can start to rename or delete the conflicts. There is no magic tool.

On 05/04/2017 04:20 PM, James Harrison wrote:
> Hello All,
> According to ipa_check_consistency we have "LDAP Conflicts"
> (https://github.com/peterpakos/ipa_check_consistency).
>
> How do I find and resolve them?
>
> I've seen:
> Re: [Freeipa-devel] LDAP conflicts resolution API
>
> But not sure if I am looking in the right place.
>
> Many thanks,
> James Harrison
>

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

From christopher.lamb at ch.ibm.com Thu May 4 16:02:25 2017
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Thu, 4 May 2017 18:02:25 +0200
Subject: [Freeipa-users] Kerberos clients, service tickets, and client to KDC interaction
Message-ID:

Hi All

Is the following statement correct?

"If a kerberos client (e.g.
a FreeIPA client) holds a service ticket to a service principal in its credentials cache, it no longer needs to interact with the KDC to access the service (assuming the ticket is still valid). i.e. if a kerberos client is not caching service tickets, each interaction with the service principal will require getting a new ticket from the KDC."

Are there logs on my FreeIPA-Server I can use to track ticket requests from clients, and prove or disprove my statement above?

Cheers

Chris

From mareynol at redhat.com Thu May 4 19:41:58 2017
From: mareynol at redhat.com (Mark Reynolds)
Date: Thu, 4 May 2017 15:41:58 -0400
Subject: [Freeipa-users] LDAP Conflicts
In-Reply-To: <1565853988.4375082.1493907627117@mail.yahoo.com>
References: <1565853988.4375082.1493907627117.ref@mail.yahoo.com> <1565853988.4375082.1493907627117@mail.yahoo.com>
Message-ID: <7c8394a1-5771-ca42-af7f-2af458308210@redhat.com>

On 05/04/2017 10:20 AM, James Harrison wrote:
> Hello All,
> According to ipa_check_consistency we have "LDAP Conflicts"
> (https://github.com/peterpakos/ipa_check_consistency).
>
> How do I find and resolve them?

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-solving_common_replication_conflicts

Enjoy,
Mark

>
> I've seen:
> Re: [Freeipa-devel] LDAP conflicts resolution API
>
> But not sure if I am looking in the right place.
>
> Many thanks,
> James Harrison
>

From huston at astro.princeton.edu Thu May 4 21:36:26 2017
From: huston at astro.princeton.edu (Steve Huston)
Date: Thu, 4 May 2017 17:36:26 -0400
Subject: [Freeipa-users] Getting a certificate for an alias
Message-ID:

I'm trying to use certmonger to get an SSL certificate on a web host which has an alias.
I added the alias as a principal alias to the host record in FreeIPA, and I added the service as well with the actual hostname and the alias. However every time certmonger contacts the CA, the request is rejected with "The service principal for subject alt name ... does not exist" (or earlier, another similar error which has now been lost to the scrollback).

hostname: coathook.astro.princeton.edu
Principal alias: host/coathook.astro.princeton.edu at ASTRO.PRINCETON.EDU
Principal alias: host/puppet.astro.princeton.edu at ASTRO.PRINCETON.EDU

Principal alias: HTTP/coathook.astro.princeton.edu at ASTRO.PRINCETON.EDU
Principal alias: HTTP/puppet.astro.princeton.edu at ASTRO.PRINCETON.EDU
Service: HTTP
Host Name: coathook.astro.princeton.edu

ipa-getcert request -k /etc/pki/tls/private/puppetexplorer.key -f
/etc/pki/tls/certs/puppetexplorer.crt -D puppet.astro.princeton.edu -N
CN=coathook.astro.princeton.edu,O=ASTRO.PRINCETON.EDU -K
HTTP/coathook.astro.princeton.edu at ASTRO.PRINCETON.EDU -C
'/usr/sbin/apachectl graceful'

When I check with ipa-getcert list, I find:
ca-error: Server at https://ipa.astro.princeton.edu/ipa/xml
failed request, will retry: 4001 (RPC failed at server. The service
principal for subject alt name puppet.astro.princeton.edu in
certificate request does not exist).

Other attempts used the CN of puppet, and the Kerberos principal of puppet as well, and they also failed but with the slightly different error (I believe it was that the host does not exist).

So how does one create a certificate for an alias on a host?

--
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |    ICBM Address: 40.346344   -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery."
-Rush, 'Cygnus X-1'

From william.muriithi at gmail.com Thu May 4 21:51:33 2017
From: william.muriithi at gmail.com (William Muriithi)
Date: Thu, 4 May 2017 17:51:33 -0400
Subject: [Freeipa-users] DNS forwarding issue
Message-ID:

Hello,

I have a problem with Samba setup that I haven't been able to overcome for months. I am trying to set up samba on RHEL 7 using SSSD instead of winbind.

Currently, I have a one way trust between the production Active Directory and production IPA. I have users on IPA and Active Directory. For example, I have an account called william at activedirectory.example.com and william at ipa.example.com. To get sharing working, I have created a posix group that now has the above users. The intent is, I should be able to write to my Linux home user irrespective of what account I log in with.

[homes]
comment = Home Directories
path = /home/william
browseable = yes
writeable = yes
valid users = @william_posix_group

From any of the IPA clients, samba seems to work fine. I can log in with samba client, delete, list and do anything. With klist, I do see both the CIFS and Linux host ticket.

From Windows though, it doesn't work. I see that the Windows system did actually get the host ticket for the server running samba, the Windows host ticket but the CIFS ticket is missing.

With that background, I have set up a dummy active directory called test.local. Essentially, I intend to destroy it once I verify that the behaviour is consistent with the production active directory. I am however stuck with DNS setup, and can't therefore establish trust between production IPA and dummy active directory. Would you know what I could be doing wrong from the logs below?

[root at lithium ~]# ipa dnsforwardzone-add test.local. --forwarder=192.168.11.56 --forward-policy=first
Server will check DNS forwarder(s).
This may take some time, please wait ...
ipa: WARNING: DNSSEC validation failed: record 'test.local. SOA' failed DNSSEC validation on server 192.168.20.1.
Please verify your DNSSEC configuration or disable DNSSEC validation on all IPA servers.
  Zone name: test.local.
  Active zone: TRUE
  Zone forwarders: 192.168.11.56
  Forward policy: first
[root at lithium ~]# dig +short -t SRV _kerberos._udp.dc._msdcs.test.local
[root at lithium ~]# dig @192.168.11.56 +short -t SRV _kerberos._udp.dc._msdcs.test.local
0 100 88 server.test.local.
[root at lithium ~]#

Regards,
William

From ftweedal at redhat.com Fri May 5 01:15:00 2017
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 5 May 2017 11:15:00 +1000
Subject: [Freeipa-users] Getting a certificate for an alias
In-Reply-To:
References:
Message-ID: <20170505011459.GO19119@dhcp-40-8.bne.redhat.com>

On Thu, May 04, 2017 at 05:36:26PM -0400, Steve Huston wrote:
> I'm trying to use certmonger to get an SSL certificate on a web host
> which has an alias. I added the alias as a principal alias to the
> host record in FreeIPA, and I added the service as well with the
> actual hostname and the alias. However every time certmonger contacts
> the CA, the request is rejected with "The service principal for
> subject alt name ... does not exist" (or earlier, another similar
> error which has now been lost to the scrollback).
>
> hostname: coathook.astro.princeton.edu
> Principal alias: host/coathook.astro.princeton.edu at ASTRO.PRINCETON.EDU
> Principal alias: host/puppet.astro.princeton.edu at ASTRO.PRINCETON.EDU
>
> Principal alias: HTTP/coathook.astro.princeton.edu at ASTRO.PRINCETON.EDU
> Principal alias: HTTP/puppet.astro.princeton.edu at ASTRO.PRINCETON.EDU
> Service: HTTP
> Host Name: coathook.astro.princeton.edu
>
> ipa-getcert request -k /etc/pki/tls/private/puppetexplorer.key -f
> /etc/pki/tls/certs/puppetexplorer.crt -D puppet.astro.princeton.edu -N
> CN=coathook.astro.princeton.edu,O=ASTRO.PRINCETON.EDU -K
> HTTP/coathook.astro.princeton.edu at ASTRO.PRINCETON.EDU -C
> '/usr/sbin/apachectl graceful'
>
> When I check with ipa-getcert list, I find:
> ca-error: Server at https://ipa.astro.princeton.edu/ipa/xml
> failed request, will retry: 4001 (RPC failed at server. The service
> principal for subject alt name puppet.astro.princeton.edu in
> certificate request does not exist).
>
> Other attempts used the CN of puppet, and the Kerberos principal of
> puppet as well, and they also failed but with the slightly different
> error (I believe it was that the host does not exist).
>
> So how does one create a certificate for an alias on a host?
>

Hi Steve,

The fix for this was released in FreeIPA 4.5. See ticket https://pagure.io/freeipa/issue/6295.

Thanks,
Fraser

From huston at astro.princeton.edu Fri May 5 02:30:39 2017
From: huston at astro.princeton.edu (Steve Huston)
Date: Thu, 4 May 2017 22:30:39 -0400
Subject: [Freeipa-users] Getting a certificate for an alias
In-Reply-To: <20170505011459.GO19119@dhcp-40-8.bne.redhat.com>
References: <20170505011459.GO19119@dhcp-40-8.bne.redhat.com>
Message-ID:

On Thu, May 4, 2017 at 9:15 PM, Fraser Tweedale wrote:
> The fix for this was released in FreeIPA 4.5. See ticket
> https://pagure.io/freeipa/issue/6295.
>

Excellent! Any chance of that getting backported into the 4.4.x series available on RHEL7?

--
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |    ICBM Address: 40.346344   -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'

From ftweedal at redhat.com Fri May 5 03:24:18 2017
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 5 May 2017 13:24:18 +1000
Subject: [Freeipa-users] Getting a certificate for an alias
In-Reply-To:
References: <20170505011459.GO19119@dhcp-40-8.bne.redhat.com>
Message-ID: <20170505032418.GP19119@dhcp-40-8.bne.redhat.com>

On Thu, May 04, 2017 at 10:30:39PM -0400, Steve Huston wrote:
> On Thu, May 4, 2017 at 9:15 PM, Fraser Tweedale wrote:
> > The fix for this was released in FreeIPA 4.5. See ticket
> > https://pagure.io/freeipa/issue/6295.
> >
>
> Excellent! Any chance of that getting backported into the 4.4.x
> series available on RHEL7?
>

Anecdotally it's unlikely, but it cannot hurt to file a ticket / support case and ask for it.

Cheers,
Fraser

From detlev.habicht at ims.uni-hannover.de Fri May 5 08:38:54 2017
From: detlev.habicht at ims.uni-hannover.de (Detlev Habicht)
Date: Fri, 5 May 2017 10:38:54 +0200
Subject: [Freeipa-users] Need LDAP access for host not in IPA domain
Message-ID:

Hello,

I need a simple, plain LDAP bind for authentication for a host, which is not part of my IPA domain.

Something like this is working in the domain:

ldapsearch -vx -H ldaps://xxx.yyy.intern -b "cn=accounts,dc=yyy,dc=intern"

My problem is, it is only working with the hostname xxx.yyy.intern which is part of my domain yyy.intern. But outside of the domain I have to use the IP address or something like xxx.yyy.zzz.de .

But then I have this error message:

ldap_initialize( ldaps://xxx.yyy.zzz.de:636/??base )
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Any idea what I can do?

Thank you!

Detlev

P.S.: I have the same problem in the domain, when I am not using xxx.yyy.intern. IP address for example is also not working.

--
  Detlev  | Institut fuer Mikroelektronische Systeme
  Habicht | D-30167 Hannover +49 511 76219662 habicht at ims.uni-hannover.de
  --------+-------- Handy +49 172 5415752 ---------------------------

From sbose at redhat.com Fri May 5 08:39:43 2017
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 5 May 2017 10:39:43 +0200
Subject: [Freeipa-users] GSSAPI authentication from trusted AD domain
In-Reply-To:
References: <1974436417.1342.1493739612106.JavaMail.zimbra@tresgeek.net> <20170502162551.GB23465@p.Speedport_W_724V_Typ_A_05011603_00_011>
Message-ID: <20170505083943.GE27811@p.Speedport_W_724V_Typ_A_05011603_00_011>

On Wed, May 03, 2017 at 11:28:18AM +0200, Tiemen Ruiten wrote:
> Tickets on the FreeIPA host after connecting (with a password):
>
> [adm.tiemen at clients.rdmedia.com@neodymium ~]$ klist
> Ticket cache: KEYRING:persistent:998801112:krb_ccache_ZzERoB1
> Default principal: adm.tiemen at CLIENTS.RDMEDIA.COM
>
> Valid starting Expires Service principal
> 05/03/2017 11:26:03 05/03/2017 21:26:03 krbtgt/
> CLIENTS.RDMEDIA.COM at CLIENTS.RDMEDIA.COM
> renew until 05/04/2017 11:26:03
>
>
>
> Tickets on the AD laptop after a connection attempt:
>
> C:\Users\adm.tiemen.CLIENTS>klist
>
> Current LogonId is 0:0x587aa
>
> Cached Tickets: (2)
>
> #0> Client: adm.tiemen @ CLIENTS.RDMEDIA.COM
> Server: krbtgt/CLIENTS.RDMEDIA.COM @ CLIENTS.RDMEDIA.COM
> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
> Ticket Flags 0x40e10000 -> forwardable renewable initial
> pre_authent name_canonicalize
> Start Time: 5/3/2017 11:12:46 (local)
> End Time: 5/3/2017 21:12:46 (local)
> Renew Time: 5/10/2017 11:12:46 (local)
> Session Key Type: AES-256-CTS-HMAC-SHA1-96
> Cache Flags: 0x1 -> PRIMARY
> Kdc Called: vm-win-01.clients.rdmedia.com
>
> #1> Client: adm.tiemen @
CLIENTS.RDMEDIA.COM
> Server: LDAP/vm-win-01.clients.rdmedia.com/clients.rdmedia.com @
> CLIENTS.RDMEDIA.COM
> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
> Ticket Flags 0x40a50000 -> forwardable renewable pre_authent
> ok_as_delegate name_canonicalize
> Start Time: 5/3/2017 11:12:46 (local)
> End Time: 5/3/2017 21:12:46 (local)
> Renew Time: 5/10/2017 11:12:46 (local)
> Session Key Type: AES-256-CTS-HMAC-SHA1-96
> Cache Flags: 0
> Kdc Called: vm-win-01.clients.rdmedia.com

There is no ticket for
host/neodymium.test.ams.i.rdmedia.com at TEST.AMS.I.RDMEDIA.COM
nor a cross-realm ticket
krbtgt/TEST.AMS.I.RDMEDIA.COM at CLIENTS.RDMEDIA.COM

So it looks like the ssh client in the Windows host didn't try to get a Kerberos ticket for the IPA client. Did you use the FQDN neodymium.test.ams.i.rdmedia.com when trying to connect to the IPA client? According to the logs it looks like you are using kitty, have you tried to use putty?

bye,
Sumit

>
> On 2 May 2017 at 19:45, Tiemen Ruiten wrote:
>
> > It's a CentOS 7.3 host, the version of sssd is 1.14.0, so there's no need
> > for mapping. However on the AD host:
> >
> > Microsoft Windows [Version 6.3.9600]
> >
> > (c) 2013 Microsoft Corporation. All rights reserved.
> >
> >
> > adm.tiemen at VM-WIN-01 C:\Users\adm.tiemen>klist
> >
> >
> > Current LogonId is 0:0x603b58
> >
> >
> > Cached Tickets: (0)
> >
> >
> > adm.tiemen at VM-WIN-01 C:\Users\adm.tiemen>
> >
> > Note that this is the domain controller and I'm logged in using the
> > experimental Win32-OpenSSH server. Not sure if that makes a difference. I
> > am not currently in the office, so unfortunately can't turn on the only
> > joined laptop in this domain.
> >
> > How can I ensure a proper ticket is generated?
> >
> > On 2 May 2017 at 18:25, Sumit Bose wrote:
> >
> >> On Tue, May 02, 2017 at 05:46:34PM +0200, Tiemen Ruiten wrote:
> >> > I think I just realised that my expectation may be wrong: GSSAPI login with
> >> > a FreeIPA user logged in on an AD host to a FreeIPA host works. So is it
> >> > correct to also expect passwordless login with an AD user to a FreeIPA host?
> >>
> >> The AD user case should work as well.
> >>
> >> First please send the SSSD version you use on the IPA client,
> >> alternatively you can check if
> >> /var/lib/sss/pubconf/krb5.include.d/localauth_plugin exists or not. This
> >> would tell if SSSD can map the user name to the Kerberos principal or if
> >> additional configuration is needed.
> >>
> >> On the AD host please check after trying to connect with ssh if there is
> >> a proper service ticket for the IPA client by calling 'klist' in cmd.exe
> >> or PowerShell.
> >>
> >> bye,
> >> Sumit
> >>
> >> >
> >> > On 2 May 2017 at 17:40, Jason B. Nance wrote:
> >> >
> >> > > Hi Tiemen,
> >> > >
> >> > > To be clear, what I'm trying to do: log in from an AD account
> >> > > (adm.tiemen), from an AD host (leon.clients.rdmedia.com) to a FreeIPA
> >> > > host (neodymium.test.ams.i.rdmedia.com) with the same AD account. I
> >> > > expect to be logged in through GSSAPI, instead I get a password prompt.
> >> > >
> >> > > I'm assuming that you are coming from a Windows client that is domain
> >> > > joined and logged into that Windows client with the same domain credentials
> >> > > that you are using to connect to the IPA-joined host. Do you also have
> >> > > your SSH client configured to attempt GSSAPI? It appears that you do from
> >> > > the logs you provided but I'm just double-checking.
> >> > >
> >> > > In my setup I've found that this feature does not work all of the time.
> >> > > I've not yet been able to track it down and I'm assuming it has > >> something > >> > > to do with connections to domain controllers timing out, but at this > >> point > >> > > that is speculation. > >> > > > >> > > So to answer your question, yes, that should work. Sorry I don't have > >> > > more information for you, I guess I'm basically "me too"ing your post. > >> > > > >> > > Regards, > >> > > > >> > > j > >> > > > >> > > Is this supposed to work? Did I miss something? > >> > > > >> > > Below the SSH log from the FreeIPA host with LogLevel DEBUG3: > >> > > > >> > > May 2 17:10:32 neodymium sshd[572]: debug3: fd 5 is not O_NONBLOCK > >> > > May 2 17:10:32 neodymium sshd[572]: debug1: Forked child 752. > >> > > May 2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: > >> entering fd > >> > > = 8 config len 922 > >> > > May 2 17:10:32 neodymium sshd[572]: debug3: ssh_msg_send: type 0 > >> > > May 2 17:10:32 neodymium sshd[572]: debug3: send_rexec_state: done > >> > > May 2 17:10:32 neodymium sshd[752]: debug3: oom_adjust_restore > >> > > May 2 17:10:32 neodymium sshd[752]: Set /proc/self/oom_score_adj to 0 > >> > > May 2 17:10:32 neodymium sshd[752]: debug1: rexec start in 5 out 5 > >> > > newsock 5 pipe 7 sock 8 > >> > > May 2 17:10:32 neodymium sshd[752]: debug1: inetd sockets after > >> dupping: > >> > > 3, 3 > >> > > May 2 17:10:32 neodymium sshd[752]: Connection from 192.168.10.155 > >> port > >> > > 53106 on 192.168.50.63 port 22 > >> > > May 2 17:10:32 neodymium sshd[752]: debug1: Client protocol version > >> 2.0; > >> > > client software version PuTTY_KiTTY > >> > > May 2 17:10:32 neodymium sshd[752]: debug1: no match: PuTTY_KiTTY > >> > > May 2 17:10:32 neodymium sshd[752]: debug1: Enabling compatibility > >> mode > >> > > for protocol 2.0 > >> > > May 2 17:10:32 neodymium sshd[752]: debug1: Local version string > >> > > SSH-2.0-OpenSSH_6.6.1 > >> > > May 2 17:10:32 neodymium sshd[752]: debug2: fd 3 setting O_NONBLOCK > >> > > May 2 
17:10:32 neodymium sshd[752]: debug3: ssh_sandbox_init: > >> preparing > >> > > rlimit sandbox > >> > > May 2 17:10:32 neodymium sshd[752]: debug2: Network child is on pid > >> 753 > >> > > May 2 17:10:32 neodymium sshd[752]: debug3: preauth child monitor > >> started > >> > > May 2 17:10:32 neodymium sshd[752]: debug1: SELinux support disabled > >> > > [preauth] > >> > > May 2 17:10:32 neodymium sshd[752]: debug3: privsep user:group 74:74 > >> > > [preauth] > >> > > May 2 17:10:32 neodymium sshd[752]: debug1: permanently_set_uid: > >> 74/74 > >> > > [preauth] > >> > > May 2 17:10:32 neodymium sshd[752]: debug1: list_hostkey_types: > >> > > ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth] > >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: > >> > > type 42 [preauth] > >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive_expect > >> > > entering: type 43 [preauth] > >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive > >> entering > >> > > [preauth] > >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_receive > >> entering > >> > > May 2 17:10:32 neodymium sshd[752]: debug3: monitor_read: checking > >> > > request 42 > >> > > May 2 17:10:32 neodymium sshd[752]: debug3: mm_request_send entering: > >> > > type 43 > >> > > May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT sent > >> > > [preauth] > >> > > May 2 17:10:32 neodymium sshd[752]: debug1: SSH2_MSG_KEXINIT received > >> > > [preauth] > >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: > >> > > gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==,gss-group1-sha1-toWM5S > >> lw5Ew8Mqkay+ > >> > > al2g==,gss-group14-sha1-toWM5Slw5Ew8Mqkay+al2g==,curve > >> > > 25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2- > >> > > nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange- > >> > > sha256,diffie-hellman-group-exchange-sha1,diffie-hellman- > >> > > group14-sha1,diffie-hellman-group1-sha1 [preauth] > >> > > May 2 
17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: > >> > > ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth] > >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: > >> > > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes1 > >> > > 28-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305@ > >> openssh.com > >> > > ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc, > >> > > aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se [preauth] > >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: > >> > > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes1 > >> > > 28-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305@ > >> openssh.com > >> > > ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc, > >> > > aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se [preauth] > >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: > >> > > hmac-md5-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64-e > >> tm at openssh.com > >> > > ,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac > >> -sha2-512-etm@ > >> > > openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm@ > >> openssh.com, > >> > > hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com > >> ,umac- > >> > > 128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,h > >> > > mac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 [preauth] > >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: > >> > > hmac-md5-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64-e > >> tm at openssh.com > >> > > ,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac > >> -sha2-512-etm@ > >> > > openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm@ > >> openssh.com, > >> > > hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com > >> ,umac- > >> > > 128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,h > >> > > 
mac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 [preauth] > >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none, > >> > > zlib at openssh.com [preauth] > >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: none, > >> > > zlib at openssh.com [preauth] > >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: > >> [preauth] > >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: > >> [preauth] > >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: > >> > > first_kex_follows 0 [preauth] > >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: > >> reserved 0 > >> > > [preauth] > >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: > >> > > curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2- > >> > > nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange- > >> > > sha256,diffie-hellman-group-exchange-sha1,diffie-hellman- > >> > > group14-sha1,rsa2048-sha256,rsa1024-sha1,diffie-hellman-group1-sha1 > >> > > [preauth] > >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: > >> > > ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384, > >> > > ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth] > >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: > >> > > aes256-ctr,aes256-cbc,rijndael-cbc at lysator.liu.se,aes192- > >> > > ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1305 at openssh.com > >> > > ,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128 > >> > > [preauth] > >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: > >> > > aes256-ctr,aes256-cbc,rijndael-cbc at lysator.liu.se,aes192- > >> > > ctr,aes192-cbc,aes128-ctr,aes128-cbc,chacha20-poly1305 at openssh.com > >> > > ,blowfish-ctr,blowfish-cbc,3des-ctr,3des-cbc,arcfour256,arcfour128 > >> > > [preauth] > >> > > May 2 17:10:32 neodymium sshd[752]: debug2: kex_parse_kexinit: > >> > > 
From jameslast29 at gmail.com Fri May 5 08:46:15 2017
From: jameslast29 at gmail.com (Johan Vermeulen)
Date: Fri, 5 May 2017 10:46:15 +0200
Subject: [Freeipa-users] Openwrt-Freeradius-FreeIPA
Message-ID:

Hello All,

We have FreeIPA running on Centos7

[root@freeipa03 ~]# cat /etc/*release
CentOS Linux release 7.2.1511 (Core)

Not fully updated but that is planned.

[root@freeipa03 ~]# yum list installed | grep ipa
ipa-admintools.x86_64       4.2.0-15.0.1.el7.centos.19   @updates
ipa-client.x86_64           4.2.0-15.0.1.el7.centos.19   @updates
ipa-python.x86_64           4.2.0-15.0.1.el7.centos.19   @updates
ipa-server.x86_64           4.2.0-15.0.1.el7.centos.19   @updates
ipa-server-dns.x86_64       4.2.0-15.0.1.el7.centos.19   @updates
libipa_hbac.x86_64          1.13.0-40.el7_2.12           @updates
python-iniparse.noarch      0.4-9.el7                    @anaconda
python-libipa_hbac.x86_64   1.13.0-40.el7_2.12           @updates
sssd-ipa.x86_64             1.13.0-40.el7_2.12           @updates

We are using FreeIPA to authenticate laptops/users, that works great. Thank you for making that possible!

Now I bought some Linksys access points and installed Openwrt on them.
Next I'm following the second part of this wiki:
https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7
starting from: install, configure and test RADIUS server as a frontend to IPA.

That works great, up to the point where I can do the radtest:

[root@freeipa03 ~]# radtest test password123 192.168.250.12 1812 testing1234
Sending Access-Request Id 26 from 0.0.0.0:44889 to 192.168.250.12:1812
    User-Name = 'test'
    User-Password = 'password123'
    NAS-IP-Address = 192.168.250.12
    NAS-Port = 1812
    Message-Authenticator = 0x00
Received Access-Accept Id 26 from 192.168.250.12:1812 to 192.168.250.12:44889 length 20

where user test is in freeipa and 192.168.250.12 is the vpn address of the ipa server.

My question now is: is it possible to have users connect with the Linksys/Openwrt access point using username/password from FreeIPA?

So far I'm not getting past

EM: Error: Ignoring request to auth address * port 1812 as server default from unknown client 10.10.20.117 port 55421 proto udp

where 10.10.20.117 is the Openwrt access point.

I added the access point to /etc/radddb/client.conf in a number of ways, but nothing changes. Now I'm thinking, because Freeradius now reads from FreeIPA, it doesn't recognize the access point.

Thanks for any advice.

greetings, J.

From simo at redhat.com Fri May 5 09:40:30 2017
From: simo at redhat.com (Simo Sorce)
Date: Fri, 05 May 2017 05:40:30 -0400
Subject: [Freeipa-users] Kerberos clients, service tickets, and client to KDC interaction
In-Reply-To:
References:
Message-ID: <1493977230.8926.61.camel@redhat.com>

On Thu, 2017-05-04 at 18:02 +0200, Christopher Lamb wrote:
> Hi All
>
> Is the following statement correct?
>
> "If a kerberos client (e.g.
a FreeIPA client) holds a service ticket
> to a service principal in its credentials cache, it no longer needs
> to interact with the KDC to access the service (assuming the ticket
> is still valid). i.e. if a kerberos client is not caching service
> tickets, each interaction with the service principal will require
> getting a new ticket from the KDC."

Yes, this statement is correct.

> Are there logs on my FreeIPA-Server I can use to track ticket
> requests from clients, and prove or disprove my statement above?

On each KDC you can check /var/log/krb5kdc.log, which contains a log of all requests received. If you have multiple IPA servers, you may need to collect all servers' logs to see a complete picture, as a service may request a ticket from any of the KDCs (although normally an ipa client sticks to the same KDC via a locator plugin for libkrb5 and only falls back to other KDCs if the preferred KDC is unreachable).

Simo.

From christopher.lamb at ch.ibm.com Fri May 5 11:29:19 2017
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Fri, 5 May 2017 13:29:19 +0200
Subject: [Freeipa-users] Kerberos clients, service tickets, and client to KDC interaction
In-Reply-To: <1493977230.8926.61.camel@redhat.com>
References: <1493977230.8926.61.camel@redhat.com>
Message-ID:

Hi Simo

Thanks, I was hoping you would throw your hat in the ring!

The background to the question is that I have a throwaway Python Kerberos Client using the GSS-API that caches service tickets, and a non-throwaway Java Kerberos Client, also using the GSS-API, that does not (yet) cache service tickets. This implies the Java Client could be hammering the KDC with requests. I should now be able to confirm this with /var/log/krb5kdc.log on my KDC.

On the issue of the Java Client non-caching service tickets I posted a Stack Overflow question last night.
http://stackoverflow.com/questions/43786908/java-gss-api-service-ticket-not-saved-in-credentials-cache-using-java

thanks

Chris

From Lakshan.Jayasekara at lankaclear.com Fri May 5 11:36:18 2017
From: Lakshan.Jayasekara at lankaclear.com (Lakshan Jayasekara)
Date: Fri, 5 May 2017 11:36:18 +0000
Subject: [Freeipa-users] Permission Denied for IPA User
Message-ID: <911114b9f04c446f88184954203db5c7@lankaclear.com>

IPA user cannot login to the target centos system using the ssh.
User and the password are valid and can access IPA server.

Lakshanth Chandika Jayasekara
Senior Systems Engineer
Mobile:+94 77 294 0396 | Dir:+94 11 235 6949
General:+94 11 235 6900 Ext: 949 | Fax:+94 11 2544346
LankaClear (Pvt) Ltd, Level 18, Bank of Ceylon Head Office, "BOC Square", No. 01, Bank of Ceylon Mw, Colombo 01, Sri Lanka.
http://www.lankaclear.com

Confidentiality Notice: The information contained in this message is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any release, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the author immediately by replying to this message and delete the original message. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions. This email has been scanned for all viruses by the Symantec End Point Protection Email Security System. Save a tree. Don't print this e-mail unless it's really necessary.

From Lakshan.Jayasekara at lankaclear.com Fri May 5 11:58:42 2017
From: Lakshan.Jayasekara at lankaclear.com (Lakshan Jayasekara)
Date: Fri, 5 May 2017 11:58:42 +0000
Subject: [Freeipa-users] Users can't login on some systems.
Message-ID:

Ipa user authentication failure on centos client. Login using a valid account and login success for other ipa client servers.
It would be great if you can provide any hind or any modification to overcome the situation. Below is the audit log type=USER_START msg=audit(1493987877.034:112): pid=2333 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="root" exe="/usr/sbin/sshd" hostname=192.168.104.2 addr=192.168.104.2 terminal=ssh res=success' type=CRYPTO_KEY_USER msg=audit(1493987877.052:113): pid=2344 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ad:95:6a:ee:f6:9b:39:1c:e1:ea:1d:c4:04:8b:2d:6d direction=? spid=2344 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.104.2 terminal=pts/0 res=success' type=CRYPTO_KEY_USER msg=audit(1493987877.053:114): pid=2344 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ec:42:62:ce:a9:56:92:f3:0b:a2:9f:b2:eb:ca:f0:4c direction=? spid=2344 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.104.2 terminal=pts/0 res=success' type=CRYPTO_KEY_USER msg=audit(1493987877.053:115): pid=2344 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=d2:56:9c:49:db:85:40:df:34:de:78:82:e5:fb:66:4e direction=? spid=2344 suid=0 exe="/usr/sbin/sshd" hostname=? 
addr=192.168.104.2 terminal=pts/0 res=success' type=USER_LOGIN msg=audit(1493987877.057:116): pid=2344 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.104.2 addr=192.168.104.2 terminal=/dev/pts/0 res=success' type=USER_START msg=audit(1493987877.057:117): pid=2344 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.104.2 addr=192.168.104.2 terminal=/dev/pts/0 res=success' type=CRED_REFR msg=audit(1493987877.063:118): pid=2344 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="root" exe="/usr/sbin/sshd" hostname=192.168.104.2 addr=192.168.104.2 terminal=ssh res=success' type=CRYPTO_KEY_USER msg=audit(1493987950.855:119): pid=2367 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ad:95:6a:ee:f6:9b:39:1c:e1:ea:1d:c4:04:8b:2d:6d direction=? spid=2367 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.104.2 terminal=? res=success' type=CRYPTO_KEY_USER msg=audit(1493987950.855:120): pid=2367 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ec:42:62:ce:a9:56:92:f3:0b:a2:9f:b2:eb:ca:f0:4c direction=? spid=2367 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.104.2 terminal=? res=success' type=CRYPTO_KEY_USER msg=audit(1493987950.856:121): pid=2367 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=d2:56:9c:49:db:85:40:df:34:de:78:82:e5:fb:66:4e direction=? spid=2367 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.104.2 terminal=? 
res=success' type=CRYPTO_SESSION msg=audit(1493987950.859:122): pid=2366 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=aes256-ctr ksize=256 mac=hmac-sha1 pfs=diffie-hellman-group-exchange-sha256 spid=2367 suid=74 rport=50587 laddr=192.168.220.5 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.104.2 terminal=? res=success' type=CRYPTO_SESSION msg=audit(1493987950.859:123): pid=2366 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes256-ctr ksize=256 mac=hmac-sha1 pfs=diffie-hellman-group-exchange-sha256 spid=2367 suid=74 rport=50587 laddr=192.168.220.5 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.104.2 terminal=? res=success' type=USER_AUTH msg=audit(1493988003.357:124): pid=2369 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="lakshan_864" exe="/usr/sbin/sshd" hostname=192.168.104.2 addr=192.168.104.2 terminal=ssh res=failed' type=USER_AUTH msg=audit(1493988003.360:125): pid=2366 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=challenge-response acct="lakshan_864" exe="/usr/sbin/sshd" hostname=? addr=192.168.104.2 terminal=ssh res=failed' type=CRYPTO_KEY_USER msg=audit(1493988025.470:126): pid=2376 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ad:95:6a:ee:f6:9b:39:1c:e1:ea:1d:c4:04:8b:2d:6d direction=? spid=2376 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.104.2 terminal=? res=success' type=CRYPTO_KEY_USER msg=audit(1493988025.470:127): pid=2376 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ec:42:62:ce:a9:56:92:f3:0b:a2:9f:b2:eb:ca:f0:4c direction=? spid=2376 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.104.2 terminal=? 
res=success' type=CRYPTO_KEY_USER msg=audit(1493988025.470:128): pid=2376 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=d2:56:9c:49:db:85:40:df:34:de:78:82:e5:fb:66:4e direction=? spid=2376 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.104.2 terminal=? res=success' type=CRYPTO_SESSION msg=audit(1493988025.473:129): pid=2375 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=aes256-ctr ksize=256 mac=hmac-sha1 pfs=diffie-hellman-group-exchange-sha256 spid=2376 suid=74 rport=50620 laddr=192.168.220.5 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.104.2 terminal=? res=success' type=CRYPTO_SESSION msg=audit(1493988025.473:130): pid=2375 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes256-ctr ksize=256 mac=hmac-sha1 pfs=diffie-hellman-group-exchange-sha256 spid=2376 suid=74 rport=50620 laddr=192.168.220.5 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.104.2 terminal=? res=success' type=USER_AUTH msg=audit(1493988068.166:131): pid=2377 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_localuser,pam_unix acct="root" exe="/usr/sbin/sshd" hostname=192.168.104.2 addr=192.168.104.2 terminal=ssh res=success' type=USER_ACCT msg=audit(1493988068.172:132): pid=2377 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/sbin/sshd" hostname=192.168.104.2 addr=192.168.104.2 terminal=ssh res=success' type=CRYPTO_KEY_USER msg=audit(1493988068.176:133): pid=2375 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? 
direction=both spid=2376 suid=74 rport=50620 laddr=192.168.220.5 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.104.2 terminal=? res=success' type=USER_AUTH msg=audit(1493988068.178:134): pid=2375 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=success acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.168.104.2 terminal=ssh res=success' type=CRED_ACQ msg=audit(1493988068.180:135): pid=2375 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="root" exe="/usr/sbin/sshd" hostname=192.168.104.2 addr=192.168.104.2 terminal=ssh res=success' type=LOGIN msg=audit(1493988068.180:136): pid=2375 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 old-ses=4294967295 ses=2 res=1 type=USER_ROLE_CHANGE msg=audit(1493988068.569:137): pid=2375 uid=0 auid=0 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/sbin/sshd" hostname=192.168.104.2 addr=192.168.104.2 terminal=ssh res=success' type=USER_START msg=audit(1493988068.606:138): pid=2375 uid=0 auid=0 ses=2 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="root" exe="/usr/sbin/sshd" hostname=192.168.104.2 addr=192.168.104.2 terminal=ssh res=success' type=CRYPTO_KEY_USER msg=audit(1493988068.623:139): pid=2380 uid=0 auid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ad:95:6a:ee:f6:9b:39:1c:e1:ea:1d:c4:04:8b:2d:6d direction=? spid=2380 suid=0 exe="/usr/sbin/sshd" hostname=? 
addr=192.168.104.2 terminal=pts/1 res=success' type=CRYPTO_KEY_USER msg=audit(1493988068.624:140): pid=2380 uid=0 auid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=ec:42:62:ce:a9:56:92:f3:0b:a2:9f:b2:eb:ca:f0:4c direction=? spid=2380 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.104.2 terminal=pts/1 res=success' type=CRYPTO_KEY_USER msg=audit(1493988068.624:141): pid=2380 uid=0 auid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=d2:56:9c:49:db:85:40:df:34:de:78:82:e5:fb:66:4e direction=? spid=2380 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.104.2 terminal=pts/1 res=success' type=USER_LOGIN msg=audit(1493988068.628:142): pid=2380 uid=0 auid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.104.2 addr=192.168.104.2 terminal=/dev/pts/1 res=success' type=USER_START msg=audit(1493988068.628:143): pid=2380 uid=0 auid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.104.2 addr=192.168.104.2 terminal=/dev/pts/1 res=success' type=CRED_REFR msg=audit(1493988068.633:144): pid=2380 uid=0 auid=0 ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="root" exe="/usr/sbin/sshd" hostname=192.168.104.2 addr=192.168.104.2 terminal=ssh res=success' Best Regards, Reply / Forwarded by Lakshanth Chandika Jayasekara Senior Systems Engineer Confidentiality Notice: The information contained in this message is privileged and confidential information intended only for the use of the individual or entity named above. 
If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any release, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the author immediately by replying to this message and delete the original message. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions. This email has been scanned for all viruses by the Symantec End Point Protection Email Security System. Save a tree. Don't print this e-mail unless it's really necessary.

From: Lakshan Jayasekara
Sent: Friday, May 5, 2017 5:06 PM
To: 'freeipa-users at redhat.com'
Subject: Permission Denied for IPA User

IPA user cannot login to the target centos system using the ssh. User and the password are valid and can access IPA server.

Lakshanth Chandika Jayasekara
Senior Systems Engineer
Mobile:+94 77 294 0396 | Dir:+94 11 235 6949 General:+94 11 235 6900 Ext: 949 | Fax:+94 11 2544346
LankaClear (Pvt) Ltd, Level 18, Bank of Ceylon Head Office, "BOC Square", No. 01, Bank of Ceylon Mw, Colombo 01, Sri Lanka.
http://www.lankaclear.com

From jhrozek at redhat.com Fri May 5 12:14:26 2017
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Fri, 5 May 2017 14:14:26 +0200
Subject: [Freeipa-users] Users can't login on some systems.
In-Reply-To:
References:
Message-ID: <20170505121426.7gs75re3jnju7ogs@hendrix>

On Fri, May 05, 2017 at 11:58:42AM +0000, Lakshan Jayasekara wrote:
> Ipa user authentication failure on centos client. Login using a valid account and login success for other ipa client servers. It would be great if you can provide any hint or any modification to overcome the situation.

Things I'd try are:
- make sure the user resolves on the target system
- run ipa hbactest to see if the user should be permitted access
- check /var/log/secure and see what pam_sss returns
- increase debug_level in sssd.conf on the client and see what the sssd debug logs yield

From p.m.bjornstad at medisin.uio.no Fri May 5 12:19:35 2017
From: p.m.bjornstad at medisin.uio.no (Marius Bjørnstad)
Date: Fri, 5 May 2017 14:19:35 +0200
Subject: [Freeipa-users] CA lost on migration
In-Reply-To:
References:
Message-ID: <14760D38-C5AA-4180-96FA-F1840166121E@mail.uio.no>

Seems like it works now, almost perfectly.
I was able to get ipa-ca-install to run using an old replica package file (replica-info-xxx.gpg), by hacking the script to disable a check for existing CA, and by deleting things left over from the failed installation:
- Certs in /etc/httpd/alias and another location using:
  certutil -d /etc/httpd/alias -D "REALM_NAME IPA CA"
  certutil -d /etc/httpd/alias -D ipaCert
- The PKI instance:
  pkidestroy -s CA -i pki-tomcat
- Dogtag tracking requests: from the date of CA installation.

The command failed when trying to replicate to LDAP because the configuration files in /etc/ipa/default.conf. Step 26, migrating certificate profiles to LDAP stopped. I then edited /etc/ipa/default.conf so that ca_host points to the current host (this was pointing to the old CA host). This made the installation script significantly faster, and it completed all 30 steps. It did however produce an error about "subject public key info mismatch" for the cert named "REALM_NAME IPA CA". (REALM_NAME is the name of the domain in all caps).

Then most things worked, even:
# ipa-cacert-manage renew

Couldn't join new clients, as it was downloading the old CA cert from LDAP (I had just renewed it). I updated the CA cert in LDAP under "REALM, etc, ipa, certificates, REALM IPA CA" by deleting it and calling certstore.put_ca_cert_nss in a similar way that was done in /usr/lb/python2.7/site-packages/ipaserver/install/ca.py. (when I tried to update the cert, not delete it first, I got Subject public key mismatch error, exactly same as after the CA installation!)

I could then successfully enroll the other server as clients, then promoted one to a master, then installed the CA on that one too. The CA installation completed, but step 15 "Failed to restart the dogtag instance". I don't think it looks good that my primary master only has "managed suffixes" = domain, and the secondary one has domain and ca, in the Web UI, but I will leave it. Everything works well now.

I realise that FreeIPA is a complex piece of software, which has been developed intensely over the last years, but I really hope that going forward it could become more stable, and that upgrading to the next RHEL version from 7 will be less of a nightmare.

Marius

> On 3 May 2017, at 17:26, Marius Bjørnstad wrote:
>
> Hi,
>
> I have migrated some FreeIPA servers from 3.0.0-51 to 4.4.0-14 by adding new replicas. There were a lot of issues, and I'm struggling a bit with a configuration management system set up by a central IT department, which overrides files like sssd.conf, and I have to make exceptions to the policy. I hope someone could take the time to help me with this anyway.
>
> I was able to join both new RHEL 7 machines, and remove one of the old RHEL 6 machines, but then I couldn't remove the last one, and couldn't install the CA on any of the new masters. I (perhaps stupidly) removed the old server using ldapdelete, based on this thread: https://www.redhat.com/archives/freeipa-users/2012-June/msg00382.html. I thought that if I could get rid of the old stuff, I may be able to successfully promote one of the new servers to CA master. The command to install the CA almost completed successfully on the first master, but stopped on one of the last steps.
>
> Now I get:
> # ipa-ca-install
> CA is already installed on this host.
>
> It is clear that the CA is not installed. I get errors in /var/log/httpd/error_log for hosts requesting certs, and getting NotFound.
> ipa: INFO: [xmlserver] host/xxxxx at DOMAIN: cert_request(u'MIIDnzCCaoc.......
>
> I then removed and uninstalled the other master, which did not have a CA, thinking it could get going with a reinstall. However, the installation fails
>
> ipa : ERROR Cannot issue certificates: a CA is not installed. Use the --http-cert-file, --dirsrv-cert-file options to provide custom certificates.
>
> (there may be some typos in the error messages, since I'm copying from an air-gapped network)
>
> Is there any way I can manually resurrect the CA? I have the files left over on the original (version 3) master, but did do an uninstall. If that's not possible, is there any way to migrate the users to a new domain with exactly the same name (this would be less convenient, if it's actually possible, since I have to re-enroll all the clients).
>
> Thanks,
> Marius Bjørnstad
>

From michael.plemmons at crosschx.com Fri May 5 12:19:55 2017
From: michael.plemmons at crosschx.com (Michael Plemmons)
Date: Fri, 5 May 2017 08:19:55 -0400
Subject: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:
In-Reply-To:
References: <390a61fb-081b-fa93-da4c-3197b9f269be@redhat.com>
Message-ID:

I just realized that I sent the reply directly to Rob and not to the list. My response is inline

*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614.427.2411
mike.plemmons at crosschx.com
www.crosschx.com

On Thu, May 4, 2017 at 9:39 AM, Michael Plemmons < michael.plemmons at crosschx.com> wrote:

>
> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
> 614.427.2411
> mike.plemmons at crosschx.com
> www.crosschx.com
>
> On Thu, May 4, 2017 at 9:24 AM, Rob Crittenden wrote:
>
>> Michael Plemmons wrote:
>> > I realized that I was not very clear in my statement about testing with ldapsearch. I had initially run it without logging in with a DN. I was just running the local ldapsearch -x command. I then tested on ipa12.mgmt and ipa11.mgmt logging in with a full DN for the admin and "cn=Directory Manager" from ipa12.mgmt (broken server) and ipa11.mgmt and both ldapsearch command succeeded.
>> >
>> > I ran the following from ipa12.mgmt and ipa11.mgmt as a non root user. I also ran the command showing a line count for the output and the line counts for each were the same when run from ipa12.mgmt and ipa11.mgmt.
>> >
>> > ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "DN" -w PASSWORD -b "cn=users,cn=accounts,dc=mgmt,dc=crosschx,dc=com" dn
>> >
>> > ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "cn=directory manager" -w PASSWORD dn
>>
>> The CA has its own suffix and replication agreements. Given the auth error and recent (5 months) renewal of CA credentials I'd check that the CA agent authentication entries are correct.
>>
>> Against each master with a CA run:
>>
>> $ ldapsearch -LLL -x -D 'cn=directory manager' -W -b uid=ipara,ou=people,o=ipaca description
>>
>> The format is 2;serial#,subject,issuer
>>
>> Then on each run:
>>
>> # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
>>
>> The serial # should match that in the description everywhere.
>>
>> rob
>>
>
> On the CA (IPA13.MGMT) I ran the ldapsearch command and see that the serial number is 7. I then ran the certutil command on all three servers and the serial number is 7 as well.
>
> I also ran the ldapsearch command against the other two servers and they also showed a serial number of 7.
>
>> >
>> > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
>> > 614.427.2411
>> > mike.plemmons at crosschx.com
>> > www.crosschx.com
>> >
>> > On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons wrote:
>> >
>> > I have a three node IPA cluster.
>> >
>> > ipa11.mgmt - was a master over 6 months ago
>> > ipa13.mgmt - current master
>> > ipa12.mgmt
>> >
>> > ipa13 has agreements with ipa11 and ipa12. ipa11 and ipa12 do not have agreements between each other.
>> >
>> > It appears that either ipa12.mgmt lost some level of its replication agreement with ipa13. I saw some level because users / hosts were replicated between all systems but we started seeing DNS was not resolving properly from ipa12. I do not know when this started.
>> >
>> > When looking at replication agreements on ipa12 I did not see any agreement with ipa13.
>> >
>> > When I run ipa-replica-manage list all three hosts show as master.
>> >
>> > When I run ipa-replica-manage ipa11.mgmt I see ipa13.mgmt is a replica.
>> >
>> > When I run ipa-replica-manage ipa12.mgmt nothing returned.
>> >
>> > I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt ipa12.mgmt.crosschx.com ipa13.mgmt.crosschx.com on ipa12.mgmt
>> >
>> > I then ran the following
>> >
>> > ipa-replica-manage force-sync --from ipa13.mgmt.crosschx.com
>> >
>> > ipa-replica-manage re-initialize --from ipa13.mgmt.crosschx.com
>> >
>> > I was still seeing bad DNS returns when dig'ing against ipa12.mgmt. I was able to create user and DNS records and see the information replicated properly across all three nodes.
>> >
>> > I then ran ipactl stop on ipa12.mgmt and then ipactl start on ipa12.mgmt because I wanted to make sure everything was running fresh after the changes above. While IPA was starting up (DNS started) we were able to see valid DNS queries returned but pki-tomcat would not start.
>> >
>> > I am not sure what I need to do in order to get this working. I have included the output of certutil and getcert below from all three servers as well as the debug output for pki.
>> >
>> > While the IPA system is coming up I am able to successfully run ldapsearch -x as the root user and see results. I am also able to login with the "cn=Directory Manager" account and see results.
>> >
>> > The debug log shows the following error.
>> >
>> > [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
>> > [03/May/2017:21:22:01][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
>> > [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
>> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown?
false >> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: >> > autoShutdown crumb file path? >> > /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb >> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to >> > look for cert for auto-shutdown support:auditSigningCert cert-pki-ca >> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found >> > cert:auditSigningCert cert-pki-ca >> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init >> > id=debug >> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: >> > initialized debug >> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: >> > initSubsystem id=log >> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to >> > init id=log >> > [03/May/2017:21:22:01][localhost-startStop-1]: Creating >> > RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ >> ca_audit) >> > [03/May/2017:21:22:01][localhost-startStop-1]: Creating >> > RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system) >> > [03/May/2017:21:22:01][localhost-startStop-1]: Creating >> > RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions) >> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart >> at >> > autoShutdown? false >> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: >> > autoShutdown crumb file path? 
>> > /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb >> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to >> > look for cert for auto-shutdown support:auditSigningCert cert-pki-ca >> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found >> > cert:auditSigningCert cert-pki-ca >> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init >> > id=log >> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: >> > initialized log >> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: >> > initSubsystem id=jss >> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to >> > init id=jss >> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart >> at >> > autoShutdown? false >> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: >> > autoShutdown crumb file path? >> > /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb >> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to >> > look for cert for auto-shutdown support:auditSigningCert cert-pki-ca >> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found >> > cert:auditSigningCert cert-pki-ca >> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init >> > id=jss >> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: >> > initialized jss >> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: >> > initSubsystem id=dbs >> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to >> > init id=dbs >> > [03/May/2017:21:22:01][localhost-startStop-1]: DBSubsystem: init() >> > mEnableSerialMgmt=true >> > [03/May/2017:21:22:01][localhost-startStop-1]: Creating >> > LdapBoundConnFactor(DBSubsystem) >> > [03/May/2017:21:22:01][localhost-startStop-1]: >> LdapBoundConnFactory: >> > init >> > [03/May/2017:21:22:01][localhost-startStop-1]: >> > LdapBoundConnFactory:doCloning true >> > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init() >> > 
[03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init >> begins >> > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init >> ends >> > [03/May/2017:21:22:01][localhost-startStop-1]: init: before >> > makeConnection errorIfDown is true >> > [03/May/2017:21:22:01][localhost-startStop-1]: makeConnection: >> > errorIfDown true >> > [03/May/2017:21:22:02][localhost-startStop-1]: >> > SSLClientCertificateSelectionCB: Setting desired cert nickname to: >> > subsystemCert cert-pki-ca >> > [03/May/2017:21:22:02][localhost-startStop-1]: LdapJssSSLSocket: >> set >> > client auth cert nickname subsystemCert cert-pki-ca >> > [03/May/2017:21:22:02][localhost-startStop-1]: >> > SSLClientCertificatSelectionCB: Entering! >> > [03/May/2017:21:22:02][localhost-startStop-1]: >> > SSLClientCertificateSelectionCB: returning: null >> > [03/May/2017:21:22:02][localhost-startStop-1]: SSL handshake >> happened >> > Could not connect to LDAP server host ipa12.mgmt.crosschx.com >> > port 636 Error >> > netscape.ldap.LDAPException: Authentication failed (48) >> > at >> > com.netscape.cmscore.ldapconn.LdapBoundConnFactory. >> makeConnection(LdapBoundConnFactory.java:205) >> > at >> > com.netscape.cmscore.ldapconn.LdapBoundConnFactory. >> init(LdapBoundConnFactory.java:166) >> > at >> > com.netscape.cmscore.ldapconn.LdapBoundConnFactory. 
>> init(LdapBoundConnFactory.java:130) >> > at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java: >> 654) >> > at >> > com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine >> .java:1169) >> > at >> > com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngin >> e.java:1075) >> > at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571) >> > at com.netscape.certsrv.apps.CMS.init(CMS.java:187) >> > at com.netscape.certsrv.apps.CMS.start(CMS.java:1616) >> > at >> > com.netscape.cms.servlet.base.CMSStartServlet.init(CMSS >> tartServlet.java:114) >> > at javax.servlet.GenericServlet.init(GenericServlet.java:158) >> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >> > at >> > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcc >> essorImpl.java:62) >> > at >> > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingM >> ethodAccessorImpl.java:43) >> > at java.lang.reflect.Method.invoke(Method.java:498) >> > at >> > org.apache.catalina.security.SecurityUtil$1.run(SecurityUti >> l.java:288) >> > at >> > org.apache.catalina.security.SecurityUtil$1.run(SecurityUti >> l.java:285) >> > at java.security.AccessController.doPrivileged(Native Method) >> > at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) >> > at >> > org.apache.catalina.security.SecurityUtil.execute(SecurityU >> til.java:320) >> > at >> > org.apache.catalina.security.SecurityUtil.doAsPrivilege(Sec >> urityUtil.java:175) >> > at >> > org.apache.catalina.security.SecurityUtil.doAsPrivilege(Sec >> urityUtil.java:124) >> > at >> > org.apache.catalina.core.StandardWrapper.initServlet(Standa >> rdWrapper.java:1270) >> > at >> > org.apache.catalina.core.StandardWrapper.loadServlet(Standa >> rdWrapper.java:1195) >> > at >> > org.apache.catalina.core.StandardWrapper.load(StandardWrapp >> er.java:1085) >> > at >> > org.apache.catalina.core.StandardContext.loadOnStartup(Stan >> dardContext.java:5318) >> > at >> > 
org.apache.catalina.core.StandardContext.startInternal(Stan >> dardContext.java:5610) >> > at >> > org.apache.catalina.util.LifecycleBase.start(LifecycleBase. >> java:147) >> > at >> > org.apache.catalina.core.ContainerBase.addChildInternal(Con >> tainerBase.java:899) >> > at >> > org.apache.catalina.core.ContainerBase.access$000(Container >> Base.java:133) >> > at >> > org.apache.catalina.core.ContainerBase$PrivilegedAddChild. >> run(ContainerBase.java:156) >> > at >> > org.apache.catalina.core.ContainerBase$PrivilegedAddChild. >> run(ContainerBase.java:145) >> > at java.security.AccessController.doPrivileged(Native Method) >> > at >> > org.apache.catalina.core.ContainerBase.addChild(ContainerBa >> se.java:873) >> > at >> > org.apache.catalina.core.StandardHost.addChild(StandardHost >> .java:652) >> > at >> > org.apache.catalina.startup.HostConfig.deployDescriptor(Hos >> tConfig.java:679) >> > at >> > org.apache.catalina.startup.HostConfig$DeployDescriptor.run >> (HostConfig.java:1966) >> > at >> > java.util.concurrent.Executors$RunnableAdapter.call( >> Executors.java:511) >> > at java.util.concurrent.FutureTask.run(FutureTask.java:266) >> > at >> > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoo >> lExecutor.java:1142) >> > at >> > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPo >> olExecutor.java:617) >> > at java.lang.Thread.run(Thread.java:745) >> > Internal Database Error encountered: Could not connect to LDAP >> > server host ipa12.mgmt.crosschx.com > > >> > port 636 Error netscape.ldap.LDAPException: Authentication failed >> (48) >> > at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java: >> 676) >> > at >> > com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine >> .java:1169) >> > at >> > com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngin >> e.java:1075) >> > at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571) >> > at com.netscape.certsrv.apps.CMS.init(CMS.java:187) >> > at 
com.netscape.certsrv.apps.CMS.start(CMS.java:1616) >> > at >> > com.netscape.cms.servlet.base.CMSStartServlet.init(CMSS >> tartServlet.java:114) >> > at javax.servlet.GenericServlet.init(GenericServlet.java:158) >> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >> > at >> > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcc >> essorImpl.java:62) >> > at >> > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingM >> ethodAccessorImpl.java:43) >> > at java.lang.reflect.Method.invoke(Method.java:498) >> > at >> > org.apache.catalina.security.SecurityUtil$1.run(SecurityUti >> l.java:288) >> > at >> > org.apache.catalina.security.SecurityUtil$1.run(SecurityUti >> l.java:285) >> > at java.security.AccessController.doPrivileged(Native Method) >> > at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) >> > at >> > org.apache.catalina.security.SecurityUtil.execute(SecurityU >> til.java:320) >> > at >> > org.apache.catalina.security.SecurityUtil.doAsPrivilege(Sec >> urityUtil.java:175) >> > at >> > org.apache.catalina.security.SecurityUtil.doAsPrivilege(Sec >> urityUtil.java:124) >> > at >> > org.apache.catalina.core.StandardWrapper.initServlet(Standa >> rdWrapper.java:1270) >> > at >> > org.apache.catalina.core.StandardWrapper.loadServlet(Standa >> rdWrapper.java:1195) >> > at >> > org.apache.catalina.core.StandardWrapper.load(StandardWrapp >> er.java:1085) >> > at >> > org.apache.catalina.core.StandardContext.loadOnStartup(Stan >> dardContext.java:5318) >> > at >> > org.apache.catalina.core.StandardContext.startInternal(Stan >> dardContext.java:5610) >> > at >> > org.apache.catalina.util.LifecycleBase.start(LifecycleBase. >> java:147) >> > at >> > org.apache.catalina.core.ContainerBase.addChildInternal(Con >> tainerBase.java:899) >> > at >> > org.apache.catalina.core.ContainerBase.access$000(Container >> Base.java:133) >> > at >> > org.apache.catalina.core.ContainerBase$PrivilegedAddChild. 
>> run(ContainerBase.java:156) >> > at >> > org.apache.catalina.core.ContainerBase$PrivilegedAddChild. >> run(ContainerBase.java:145) >> > at java.security.AccessController.doPrivileged(Native Method) >> > at >> > org.apache.catalina.core.ContainerBase.addChild(ContainerBa >> se.java:873) >> > at >> > org.apache.catalina.core.StandardHost.addChild(StandardHost >> .java:652) >> > at >> > org.apache.catalina.startup.HostConfig.deployDescriptor(Hos >> tConfig.java:679) >> > at >> > org.apache.catalina.startup.HostConfig$DeployDescriptor.run >> (HostConfig.java:1966) >> > at >> > java.util.concurrent.Executors$RunnableAdapter.call( >> Executors.java:511) >> > at java.util.concurrent.FutureTask.run(FutureTask.java:266) >> > at >> > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoo >> lExecutor.java:1142) >> > at >> > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPo >> olExecutor.java:617) >> > at java.lang.Thread.run(Thread.java:745) >> > [03/May/2017:21:22:02][localhost-startStop-1]: CMSEngine.shutdown() >> > >> > >> > ============================= >> > >> > >> > IPA11.MGMT >> > >> > (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/ >> > Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Server-Cert >> > u,u,u MGMT.CROSSCHX.COM IPA CA CT,C,C >> > (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/ Certificate >> > Nickname Trust Attributes SSL,S/MIME,JAR/XPI caSigningCert >> > cert-pki-ca CTu,Cu,Cu auditSigningCert cert-pki-ca u,u,Pu >> > ocspSigningCert cert-pki-ca u,u,u subsystemCert cert-pki-ca u,u,u >> > Server-Cert cert-pki-ca u,u,u IPA13.MGMT (root)>certutil -L -d >> > /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/ Certificate Nickname Trust >> > Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u MGMT.CROSSCHX.COM >> > IPA CA CT,C,C (root)>certutil -L -d >> > /var/lib/pki/pki-tomcat/alias/ Certificate Nickname Trust >> Attributes >> > SSL,S/MIME,JAR/XPI caSigningCert cert-pki-ca CTu,Cu,Cu >> > auditSigningCert cert-pki-ca u,u,Pu 
ocspSigningCert cert-pki-ca >> > u,u,u subsystemCert cert-pki-ca u,u,u Server-Cert cert-pki-ca u,u,u >> > IPA12.MGMT (root)>certutil -L -d >> > /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/ Certificate Nickname Trust >> > Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u MGMT.CROSSCHX.COM >> > IPA CA C,, (root)>certutil -L -d >> > /var/lib/pki/pki-tomcat/alias/ Certificate Nickname Trust >> Attributes >> > SSL,S/MIME,JAR/XPI caSigningCert cert-pki-ca CTu,Cu,Cu >> > auditSigningCert cert-pki-ca u,u,Pu ocspSigningCert cert-pki-ca >> > u,u,u subsystemCert cert-pki-ca u,u,u Server-Cert cert-pki-ca u,u,u >> > ================================================= IPA11.MGMT >> > (root)>getcert list Number of certificates and requests being >> > tracked: 8. Request ID '20161229155314': status: MONITORING stuck: >> > no key pair storage: >> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM', >> nickname='Server-Cert',token='NSS >> > Certificate >> > DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt' >> > certificate: >> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM', >> nickname='Server-Cert',token='NSS >> > Certificate DB' CA: IPA issuer: CN=Certificate >> > Authority,O=MGMT.CROSSCHX.COM subject: >> > CN=ipa11.mgmt.crosschx.com >> > ,O=MGMT.CROSSCHX.COM >> > expires: 2018-12-30 15:52:43 UTC key >> > usage: >> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save >> > command: /usr/libexec/ipa/certmonger/restart_dirsrv >> > MGMT-CROSSCHX-COM track: yes auto-renew: yes Request ID >> > '20161229155652': status: MONITORING stuck: no key pair storage: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias', >> nickname='auditSigningCert >> > cert-pki-ca',token='NSS Certificate DB',pin set certificate: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias', >> nickname='auditSigningCert >> > cert-pki-ca',token='NSS Certificate DB' CA: >> > dogtag-ipa-ca-renew-agent issuer: 
CN=Certificate >> > Authority,O=MGMT.CROSSCHX.COM subject: >> > CN=CA Audit,O=MGMT.CROSSCHX.COM expires: >> > 2018-11-12 13:00:29 UTC key usage: digitalSignature,nonRepudiation >> > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save >> > command: /usr/libexec/ipa/certmonger/renew_ca_cert >> "auditSigningCert >> > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229155654': >> > status: MONITORING stuck: no key pair storage: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias', >> nickname='ocspSigningCert >> > cert-pki-ca',token='NSS Certificate DB',pin set certificate: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias', >> nickname='ocspSigningCert >> > cert-pki-ca',token='NSS Certificate DB' CA: >> > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >> > Authority,O=MGMT.CROSSCHX.COM subject: >> > CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM >> > expires: 2018-11-12 13:00:26 UTC key usage: >> > digitalSignature,nonRepudiation,keyCertSign,cRLSign eku: >> > id-kp-OCSPSigning pre-save command: >> > /usr/libexec/ipa/certmonger/stop_pkicad post-save command: >> > /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert >> > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229155655': >> > status: MONITORING stuck: no key pair storage: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias', >> nickname='subsystemCert >> > cert-pki-ca',token='NSS Certificate DB',pin set certificate: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias', >> nickname='subsystemCert >> > cert-pki-ca',token='NSS Certificate DB' CA: >> > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >> > Authority,O=MGMT.CROSSCHX.COM subject: >> > CN=CA Subsystem,O=MGMT.CROSSCHX.COM >> > expires: 2018-11-12 13:00:28 UTC key usage: >> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: >> > /usr/libexec/ipa/certmonger/stop_pkicad post-save command: >> > /usr/libexec/ipa/certmonger/renew_ca_cert 
"subsystemCert >> > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229155657': >> > status: MONITORING stuck: no key pair storage: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias', >> nickname='caSigningCert >> > cert-pki-ca',token='NSS Certificate DB',pin set certificate: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias', >> nickname='caSigningCert >> > cert-pki-ca',token='NSS Certificate DB' CA: >> > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >> > Authority,O=MGMT.CROSSCHX.COM subject: >> > CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> > expires: 2036-11-22 13:00:25 UTC key >> > usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save >> > command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: >> > /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert >> > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229155659': >> > status: MONITORING stuck: no key pair storage: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert >> cert-pki-ca',token='NSS >> > Certificate DB',pin set certificate: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert >> cert-pki-ca',token='NSS >> > Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate >> > Authority,O=MGMT.CROSSCHX.COM subject: >> > CN=ipa11.mgmt.crosschx.com >> > ,O=MGMT.CROSSCHX.COM >> > expires: 2018-12-19 15:56:20 UTC key >> > usage: >> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> > eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection >> > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save >> > command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert >> > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229155921': >> > status: MONITORING stuck: no key pair storage: >> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cer >> t',token='NSS >> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: >> > 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cer >> t',token='NSS >> > Certificate DB' CA: IPA issuer: CN=Certificate >> > Authority,O=MGMT.CROSSCHX.COM subject: >> > CN=ipa11.mgmt.crosschx.com >> > ,O=MGMT.CROSSCHX.COM >> > expires: 2018-12-30 15:52:46 UTC key >> > usage: >> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save >> > command: /usr/libexec/ipa/certmonger/restart_httpd track: yes >> > auto-renew: yes Request ID '20161229160009': status: MONITORING >> > stuck: no key pair storage: >> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert', >> token='NSS >> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: >> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert', >> token='NSS >> > Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate >> > Authority,O=MGMT.CROSSCHX.COM subject: >> > CN=IPA RA,O=MGMT.CROSSCHX.COM expires: >> > 2018-11-12 13:01:34 UTC key usage: >> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: >> > /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command: >> > /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: >> yes >> > ================================== IPA13.MGMT (root)>getcert list >> > Number of certificates and requests being tracked: 8. 
Request ID >> > '20161229143449': status: MONITORING stuck: no key pair storage: >> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM', >> nickname='Server-Cert',token='NSS >> > Certificate >> > DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt' >> > certificate: >> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM', >> nickname='Server-Cert',token='NSS >> > Certificate DB' CA: IPA issuer: CN=Certificate >> > Authority,O=MGMT.CROSSCHX.COM subject: >> > CN=ipa13.mgmt.crosschx.com >> > ,O=MGMT.CROSSCHX.COM >> > expires: 2018-12-30 14:34:20 UTC key >> > usage: >> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save >> > command: /usr/libexec/ipa/certmonger/restart_dirsrv >> > MGMT-CROSSCHX-COM track: yes auto-renew: yes Request ID >> > '20161229143826': status: MONITORING stuck: no key pair storage: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias', >> nickname='auditSigningCert >> > cert-pki-ca',token='NSS Certificate DB',pin set certificate: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias', >> nickname='auditSigningCert >> > cert-pki-ca',token='NSS Certificate DB' CA: >> > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >> > Authority,O=MGMT.CROSSCHX.COM subject: >> > CN=CA Audit,O=MGMT.CROSSCHX.COM expires: >> > 2018-11-12 13:00:29 UTC key usage: digitalSignature,nonRepudiation >> > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save >> > command: /usr/libexec/ipa/certmonger/renew_ca_cert >> "auditSigningCert >> > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229143828': >> > status: MONITORING stuck: no key pair storage: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias', >> nickname='ocspSigningCert >> > cert-pki-ca',token='NSS Certificate DB',pin set certificate: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias', >> nickname='ocspSigningCert >> > cert-pki-ca',token='NSS Certificate DB' CA: >> > 
dogtag-ipa-ca-renew-agent issuer: CN=Certificate >> > Authority,O=MGMT.CROSSCHX.COM subject: >> > CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM >> > expires: 2018-11-12 13:00:26 UTC key usage: >> > digitalSignature,nonRepudiation,keyCertSign,cRLSign eku: >> > id-kp-OCSPSigning pre-save command: >> > /usr/libexec/ipa/certmonger/stop_pkicad post-save command: >> > /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert >> > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229143831': >> > status: MONITORING stuck: no key pair storage: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias', >> nickname='subsystemCert >> > cert-pki-ca',token='NSS Certificate DB',pin set certificate: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias', >> nickname='subsystemCert >> > cert-pki-ca',token='NSS Certificate DB' CA: >> > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >> > Authority,O=MGMT.CROSSCHX.COM subject: >> > CN=CA Subsystem,O=MGMT.CROSSCHX.COM >> > expires: 2018-11-12 13:00:28 UTC key usage: >> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: >> > /usr/libexec/ipa/certmonger/stop_pkicad post-save command: >> > /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert >> > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229143833': >> > status: MONITORING stuck: no key pair storage: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias', >> nickname='caSigningCert >> > cert-pki-ca',token='NSS Certificate DB',pin set certificate: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias', >> nickname='caSigningCert >> > cert-pki-ca',token='NSS Certificate DB' CA: >> > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >> > Authority,O=MGMT.CROSSCHX.COM subject: >> > CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> > expires: 2036-11-22 13:00:25 UTC key >> > usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save >> > command: /usr/libexec/ipa/certmonger/stop_pkicad post-save 
command: >> > /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert >> > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229143835': >> > status: MONITORING stuck: no key pair storage: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert >> cert-pki-ca',token='NSS >> > Certificate DB',pin set certificate: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert >> cert-pki-ca',token='NSS >> > Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate >> > Authority,O=MGMT.CROSSCHX.COM subject: >> > CN=ipa13.mgmt.crosschx.com >> > ,O=MGMT.CROSSCHX.COM >> > expires: 2018-12-19 14:37:54 UTC key >> > usage: >> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> > eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection >> > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save >> > command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert >> > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229144057': >> > status: MONITORING stuck: no key pair storage: >> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cer >> t',token='NSS >> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: >> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cer >> t',token='NSS >> > Certificate DB' CA: IPA issuer: CN=Certificate >> > Authority,O=MGMT.CROSSCHX.COM subject: >> > CN=ipa13.mgmt.crosschx.com >> > ,O=MGMT.CROSSCHX.COM >> > expires: 2018-12-30 14:34:23 UTC key >> > usage: >> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save >> > command: /usr/libexec/ipa/certmonger/restart_httpd track: yes >> > auto-renew: yes Request ID '20161229144146': status: MONITORING >> > stuck: no key pair storage: >> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert', >> token='NSS >> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: >> > 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert', >> token='NSS >> > Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate >> > Authority,O=MGMT.CROSSCHX.COM subject: >> > CN=IPA RA,O=MGMT.CROSSCHX.COM expires: >> > 2018-11-12 13:01:34 UTC key usage: >> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: >> > /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command: >> > /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: >> yes >> > =========================== IPA12.MGMT (root)>getcert list Number of >> > certificates and requests being tracked: 8. Request ID >> > '20161229151518': status: MONITORING stuck: no key pair storage: >> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM', >> nickname='Server-Cert',token='NSS >> > Certificate >> > DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt' >> > certificate: >> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM', >> nickname='Server-Cert',token='NSS >> > Certificate DB' CA: IPA issuer: CN=Certificate >> > Authority,O=MGMT.CROSSCHX.COM subject: >> > CN=ipa12.mgmt.crosschx.com >> > ,O=MGMT.CROSSCHX.COM >> > expires: 2018-12-30 15:14:51 UTC key >> > usage: >> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save >> > command: /usr/libexec/ipa/certmonger/restart_dirsrv >> > MGMT-CROSSCHX-COM track: yes auto-renew: yes Request ID >> > '20161229151850': status: MONITORING stuck: no key pair storage: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias', >> nickname='auditSigningCert >> > cert-pki-ca',token='NSS Certificate DB',pin set certificate: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias', >> nickname='auditSigningCert >> > cert-pki-ca',token='NSS Certificate DB' CA: >> > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >> > Authority,O=MGMT.CROSSCHX.COM subject: >> > CN=CA 
Audit,O=MGMT.CROSSCHX.COM expires: >> > 2018-11-12 13:00:29 UTC key usage: digitalSignature,nonRepudiation >> > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save >> > command: /usr/libexec/ipa/certmonger/renew_ca_cert >> "auditSigningCert >> > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229151852': >> > status: MONITORING stuck: no key pair storage: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias', >> nickname='ocspSigningCert >> > cert-pki-ca',token='NSS Certificate DB',pin set certificate: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias', >> nickname='ocspSigningCert >> > cert-pki-ca',token='NSS Certificate DB' CA: >> > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >> > Authority,O=MGMT.CROSSCHX.COM subject: >> > CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM >> > expires: 2018-11-12 13:00:26 UTC key usage: >> > digitalSignature,nonRepudiation,keyCertSign,cRLSign eku: >> > id-kp-OCSPSigning pre-save command: >> > /usr/libexec/ipa/certmonger/stop_pkicad post-save command: >> > /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert >> > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229151854': >> > status: MONITORING stuck: no key pair storage: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias', >> nickname='subsystemCert >> > cert-pki-ca',token='NSS Certificate DB',pin set certificate: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias', >> nickname='subsystemCert >> > cert-pki-ca',token='NSS Certificate DB' CA: >> > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >> > Authority,O=MGMT.CROSSCHX.COM subject: >> > CN=CA Subsystem,O=MGMT.CROSSCHX.COM >> > expires: 2018-11-12 13:00:28 UTC key usage: >> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: >> > /usr/libexec/ipa/certmonger/stop_pkicad post-save command: >> > /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert >> > cert-pki-ca" track: yes auto-renew: yes Request ID 
'20161229151856': >> > status: MONITORING stuck: no key pair storage: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias', >> nickname='caSigningCert >> > cert-pki-ca',token='NSS Certificate DB',pin set certificate: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias', >> nickname='caSigningCert >> > cert-pki-ca',token='NSS Certificate DB' CA: >> > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >> > Authority,O=MGMT.CROSSCHX.COM subject: >> > CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> > expires: 2036-11-22 13:00:25 UTC key >> > usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save >> > command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: >> > /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert >> > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229151858': >> > status: MONITORING stuck: no key pair storage: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert >> cert-pki-ca',token='NSS >> > Certificate DB',pin set certificate: >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert >> cert-pki-ca',token='NSS >> > Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate >> > Authority,O=MGMT.CROSSCHX.COM subject: >> > CN=ipa12.mgmt.crosschx.com >> > ,O=MGMT.CROSSCHX.COM >> > expires: 2018-12-19 15:18:16 UTC key >> > usage: >> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >> > eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection >> > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save >> > command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert >> > cert-pki-ca" track: yes auto-renew: yes Request ID '20161229152115': >> > status: MONITORING stuck: no key pair storage: >> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cer >> t',token='NSS >> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: >> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cer >> t',token='NSS >> > 
Certificate DB'
>> > CA: IPA
>> > issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>> > expires: 2018-12-30 15:14:54 UTC
>> > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > eku: id-kp-serverAuth,id-kp-clientAuth
>> > pre-save command:
>> > post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>> > track: yes
>> > auto-renew: yes
>> > Request ID '20161229152204':
>> > status: MONITORING
>> > stuck: no
>> > key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>> > CA: dogtag-ipa-ca-renew-agent
>> > issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>> > expires: 2018-11-12 13:01:34 UTC
>> > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > eku: id-kp-serverAuth,id-kp-clientAuth
>> > pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>> > post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>> > track: yes
>> > auto-renew: yes
>> >
>> > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
>> > 614.427.2411
>> > mike.plemmons at crosschx.com
>> > www.crosschx.com

From rcritten at redhat.com Fri May 5 13:22:18 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 5 May 2017 09:22:18 -0400
Subject: [Freeipa-users] Need LDAP access for host not in IPA domain
In-Reply-To:
References:
Message-ID: <363976b7-0eac-8ba8-f055-c527212ab9b5@redhat.com>

Detlev Habicht wrote:
> Hello,
>
> I need a simple, plain LDAP bind for authentication for a host,
> which is not part of my IPA domain.
>
> Something like this is working in the domain:
>
> ldapsearch -vx -H ldaps://xxx.yyy.intern -b "cn=accounts,dc=yyy,dc=intern"
>
> My problem is, it is only working with the hostname xxx.yyy.intern which
> is part of my domain yyy.intern. But outside of the domain I have to
> use the IP address or something like xxx.yyy.zzz.de.
>
> But then I have this error message:
>
> ldap_initialize( ldaps://xxx.yyy.zzz.de:636/??base )
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>
> Any idea what I can do?
>
> Thank you!
>
> Detlev
>
> P.S.: I have the same problem in the domain, when I am not using
> xxx.yyy.intern. IP address for example is also not working.

I'd slap a -d 255 onto that command. It will give you a lot more
information on what is going on. It could be rejecting the request
because the requested name (IP address) doesn't match anything in the cert.

The 389-ds access log will also confirm whether you are making a
connection or not (to rule out firewall, etc). Note that this log is
buffered so you need to be patient, tail -f won't show connections
immediately.

rob

From b.candler at pobox.com Fri May 5 13:33:09 2017
From: b.candler at pobox.com (Brian Candler)
Date: Fri, 5 May 2017 14:33:09 +0100
Subject: [Freeipa-users] ubuntu 16.04 freeipa-client + sssd + sudo: "policy plugin returns 0"
In-Reply-To:
References: <7446b44a-ca97-e209-99e7-36f515988827@pobox.com>
Message-ID:

On 03/05/2017 15:05, Brian Candler wrote:
> It turns out we had another 16.04 machine which was working fine. But
> as soon as I updated its sudo from 1.8.16-0ubuntu1.2 to
> 1.8.16-0ubuntu1.3, it stopped working too.
>
> So it looks like I have a reproducing case for this and I can
> investigate further

FYI, I finally got to the bottom of this issue.

(1) The groups referred to in the sudo rule had been created as
non-posix groups in FreeIPA

(2) It seems that the old sudo in Ubuntu wasn't checking groups at all,
and the new one did. But it could not see non-posix groups.
(3) I solved the problem by adding "objectClass: posixgroup" and
"gidNumber: NNNNNN" to the groups.

More details at:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1688034/comments/4

Aside: I discovered that the way to debug the sudoers plugin is like this:

Debug sudo /var/log/sudo-debug all@info
Debug sudoers.so /var/log/sudoers-debug all@info

(I had originally missed off the ".so" suffix)

It's a bit frightening that sudo+sssd was not enforcing policies
correctly, for who knows how long.

Regards,

Brian.

From rcritten at redhat.com Fri May 5 14:53:30 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 5 May 2017 10:53:30 -0400
Subject: [Freeipa-users] how to setup freeipa project to local environment
In-Reply-To: <7a5d9354-cb5f-fc36-ab08-e7b1ef84dcc4@gworks.mobi>
References: <7a5d9354-cb5f-fc36-ab08-e7b1ef84dcc4@gworks.mobi>
Message-ID: <78eeb786-a5ba-a040-01cd-0359ca21ea25@redhat.com>

rajkumar wrote:
> Hello freeipa team,
>
> I have downloaded freeipa4.4.4.tar.gz and I need to set up the freeipa
> project as a local environment (to customize via an IDE like Eclipse) for
> customization. Suggest how I can do that, or any reference link.

I'd start with the BUILD file in the tree.

rob

From rcritten at redhat.com Fri May 5 19:15:41 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 5 May 2017 15:15:41 -0400
Subject: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:
In-Reply-To:
References: <390a61fb-081b-fa93-da4c-3197b9f269be@redhat.com>
Message-ID: <4f49e3b8-ac05-c49b-cfef-c9109d026d72@redhat.com>

Michael Plemmons wrote:
> I just realized that I sent the reply directly to Rob and not to the
> list. My response is inline

Ok, this is actually good news. I made a similar proposal in another
case and I was completely wrong.
Flo had the user do something and it totally fixed their auth
error, I just can't remember what it was or find the e-mail thread. I'm
pretty sure it was this calendar year though.

rob

>
> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
> 614.427.2411
> mike.plemmons at crosschx.com
> www.crosschx.com
>
> On Thu, May 4, 2017 at 9:39 AM, Michael Plemmons wrote:
>
> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
> 614.427.2411
> mike.plemmons at crosschx.com
> www.crosschx.com
>
> On Thu, May 4, 2017 at 9:24 AM, Rob Crittenden wrote:
>
> Michael Plemmons wrote:
> > I realized that I was not very clear in my statement about testing with
> > ldapsearch. I had initially run it without logging in with a DN. I was
> > just running the local ldapsearch -x command. I then tested on
> > ipa12.mgmt and ipa11.mgmt logging in with a full DN for the admin and
> > "cn=Directory Manager" from ipa12.mgmt (broken server) and ipa11.mgmt
> > and both ldapsearch commands succeeded.
> >
> > I ran the following from ipa12.mgmt and ipa11.mgmt as a non root user.
> > I also ran the command showing a line count for the output and the line
> > counts for each were the same when run from ipa12.mgmt and ipa11.mgmt.
> >
> > ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "DN" -w PASSWORD -b "cn=users,cn=accounts,dc=mgmt,dc=crosschx,dc=com" dn
> >
> > ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "cn=directory manager" -w PASSWORD dn
>
> The CA has its own suffix and replication agreements. Given the auth
> error and recent (5 months) renewal of CA credentials I'd check that the
> CA agent authentication entries are correct.
>
> Against each master with a CA run:
>
> $ ldapsearch -LLL -x -D 'cn=directory manager' -W -b uid=ipara,ou=people,o=ipaca description
>
> The format is 2;serial#,subject,issuer
>
> Then on each run:
>
> # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
>
> The serial # should match that in the description everywhere.
>
> rob
>
> On the CA (IPA13.MGMT) I ran the ldapsearch command and see that the
> serial number is 7. I then ran the certutil command on all three
> servers and the serial number is 7 as well.
>
> I also ran the ldapsearch command against the other two servers and
> they also showed a serial number of 7.
>
> > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
> > 614.427.2411
> > mike.plemmons at crosschx.com
> > www.crosschx.com
> >
> > On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons wrote:
> >
> > I have a three node IPA cluster.
> >
> > ipa11.mgmt - was a master over 6 months ago
> > ipa13.mgmt - current master
> > ipa12.mgmt
> >
> > ipa13 has agreements with ipa11 and ipa12. ipa11 and ipa12 do not
> > have agreements between each other.
> >
> > It appears that either ipa12.mgmt lost some level of its replication
> > agreement with ipa13. I saw some level because users / hosts were
> > replicated between all systems but we started seeing DNS was not
> > resolving properly from ipa12. I do not know when this started.
> >
> > When looking at replication agreements on ipa12 I did not see any
> > agreement with ipa13.
> >
> > When I run ipa-replica-manage list all three hosts show as master.
> >
> > When I run ipa-replica-manage ipa11.mgmt I see ipa13.mgmt is a replica.
> >
> > When I run ipa-replica-manage ipa12.mgmt nothing returned.
> >
> > I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt
> > ipa12.mgmt.crosschx.com ipa13.mgmt.crosschx.com on ipa12.mgmt
> >
> > I then ran the following
> >
> > ipa-replica-manage force-sync --from ipa13.mgmt.crosschx.com
> >
> > ipa-replica-manage re-initialize --from ipa13.mgmt.crosschx.com
> >
> > I was still seeing bad DNS returns when dig'ing against ipa12.mgmt.
> > I was able to create user and DNS records and see the information
> > replicated properly across all three nodes.
> >
> > I then ran ipactl stop on ipa12.mgmt and then ipactl start on
> > ipa12.mgmt because I wanted to make sure everything was running
> > fresh after the changes above. While IPA was starting up (DNS
> > started) we were able to see valid DNS queries returned but
> > pki-tomcat would not start.
> >
> > I am not sure what I need to do in order to get this working. I
> > have included the output of certutil and getcert below from all
> > three servers as well as the debug output for pki.
> >
> > While the IPA system is coming up I am able to successfully run
> > ldapsearch -x as the root user and see results. I am also able to
> > login with the "cn=Directory Manager" account and see results.
> >
> > The debug log shows the following error.
> >
> > [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
> > [03/May/2017:21:22:01][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
> > [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path?
> > /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=debug
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized debug
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=log
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=log
> > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
> > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
> > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=log
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized log
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=jss
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown?
false
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=jss
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized jss
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
> > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=dbs
> > [03/May/2017:21:22:01][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
> > [03/May/2017:21:22:01][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)
> > [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory: init
> > [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
> > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init()
> > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init begins
> > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init ends
> > [03/May/2017:21:22:01][localhost-startStop-1]: init: before makeConnection errorIfDown is true
> > [03/May/2017:21:22:01][localhost-startStop-1]: makeConnection: errorIfDown true
> > [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
> > [03/May/2017:21:22:02][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
> > [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
> > [03/May/2017:21:22:02][localhost-startStop-1]: > > SSLClientCertificateSelectionCB: returning: null > > [03/May/2017:21:22:02][localhost-startStop-1]: SSL > handshake happened > > Could not connect to LDAP server host > ipa12.mgmt.crosschx.com > > > port 636 Error > > netscape.ldap.LDAPException: Authentication failed (48) > > at > > > com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205) > > at > > > com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166) > > at > > > com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130) > > at > com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654) > > at > > > com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169) > > at > > > com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075) > > at > com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571) > > at com.netscape.certsrv.apps.CMS.init(CMS.java:187) > > at com.netscape.certsrv.apps.CMS.start(CMS.java:1616) > > at > > > com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) > > at > javax.servlet.GenericServlet.init(GenericServlet.java:158) > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native > Method) > > at > > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > > at > > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > at java.lang.reflect.Method.invoke(Method.java:498) > > at > > > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) > > at > > > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) > > at java.security.AccessController.doPrivileged(Native > Method) > > at javax.security.auth.Subject.do > AsPrivileged(Subject.java:549) > > at > > > org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) > > at > > > 
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
> >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
> >     at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
> >     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
> >     at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
> >     at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
> >     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
> >     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
> >     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
> >     at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
> >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
> >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
> >     at java.security.AccessController.doPrivileged(Native Method)
> >     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
> >     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
> >     at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
> >     at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
> >     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> >     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> >     at java.lang.Thread.run(Thread.java:745)
> > Internal Database Error encountered: Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
> >     at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
> >     at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
> >     at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
> >     at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
> >     at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
> >     at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
> >     at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
> >     at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.lang.reflect.Method.invoke(Method.java:498)
> >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
> >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
> >     at java.security.AccessController.doPrivileged(Native Method)
> >     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> >     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
> >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
> >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
> >     at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
> >     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
> >     at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
> >     at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
> >     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
> >     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
> >     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
> >     at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
> >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
> >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
> >     at java.security.AccessController.doPrivileged(Native Method)
> >     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
> >     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
> >     at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
> >     at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
> >     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> >     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> >     at java.lang.Thread.run(Thread.java:745)
> > [03/May/2017:21:22:02][localhost-startStop-1]: CMSEngine.shutdown()
> >
> > =============================
> >
> > IPA11.MGMT
> >
> > (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
> >
> > Certificate Nickname              Trust Attributes
> >                                   SSL,S/MIME,JAR/XPI
> >
> > Server-Cert                       u,u,u
> > MGMT.CROSSCHX.COM IPA CA          CT,C,C
> >
> > (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
> >
> > Certificate Nickname              Trust Attributes
> >                                   SSL,S/MIME,JAR/XPI
> >
> > caSigningCert cert-pki-ca         CTu,Cu,Cu
> > auditSigningCert cert-pki-ca      u,u,Pu
> > ocspSigningCert cert-pki-ca       u,u,u
> > subsystemCert cert-pki-ca         u,u,u
> > Server-Cert cert-pki-ca           u,u,u
> >
> > IPA13.MGMT
> >
> > (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
> >
> > Certificate Nickname              Trust Attributes
> >                                   SSL,S/MIME,JAR/XPI
> >
> > Server-Cert                       u,u,u
> > MGMT.CROSSCHX.COM IPA CA          CT,C,C
> >
> > (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
> >
> > Certificate Nickname              Trust Attributes
> >                                   SSL,S/MIME,JAR/XPI
> >
> > caSigningCert cert-pki-ca         CTu,Cu,Cu
> > auditSigningCert cert-pki-ca      u,u,Pu
> > ocspSigningCert cert-pki-ca       u,u,u
> > subsystemCert cert-pki-ca         u,u,u
> > Server-Cert cert-pki-ca           u,u,u
> >
> > IPA12.MGMT
> >
> > (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
> >
> > Certificate Nickname              Trust Attributes
> >                                   SSL,S/MIME,JAR/XPI
> >
> > Server-Cert                       u,u,u
> > MGMT.CROSSCHX.COM IPA CA          C,,
> >
> > (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
> >
> > Certificate Nickname              Trust Attributes
> >                                   SSL,S/MIME,JAR/XPI
> >
> > caSigningCert cert-pki-ca         CTu,Cu,Cu
> > auditSigningCert cert-pki-ca      u,u,Pu
> > ocspSigningCert cert-pki-ca       u,u,u
> > subsystemCert cert-pki-ca         u,u,u
> > Server-Cert cert-pki-ca           u,u,u
> >
> > =================================================
> >
> > IPA11.MGMT
> >
> > (root)>getcert list
> > Number of certificates and requests being tracked: 8.

From michael.plemmons at crosschx.com Fri May 5 19:19:18 2017
From: michael.plemmons at crosschx.com (Michael Plemmons)
Date: Fri, 5 May 2017 15:19:18 -0400
Subject: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:
In-Reply-To: <4f49e3b8-ac05-c49b-cfef-c9109d026d72@redhat.com>
References: <390a61fb-081b-fa93-da4c-3197b9f269be@redhat.com> <4f49e3b8-ac05-c49b-cfef-c9109d026d72@redhat.com>
Message-ID:

*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614.427.2411
mike.plemmons at crosschx.com
www.crosschx.com

On Fri, May 5, 2017 at 3:15 PM, Rob Crittenden wrote:

> Michael Plemmons wrote:
> > I just realized that I sent the reply directly to Rob and not to the
> > list. My response is inline
>
> Ok, this is actually good news.
>
> I made a similar proposal in another case and I was completely wrong.
> Flo had the user do something and it totally fixed their auth error, I
> just can't remember what it was or find the e-mail thread. I'm pretty
> sure it was this calendar year though.
>
> rob
>

Do you or Flo know what I could search for in the past emails to find the
answer to the problem?

> >
> > On Thu, May 4, 2017 at 9:39 AM, Michael Plemmons wrote:
> >
> > On Thu, May 4, 2017 at 9:24 AM, Rob Crittenden wrote:
> >
> > Michael Plemmons wrote:
> > > I realized that I was not very clear in my statement about testing with
> > > ldapsearch. I had initially run it without logging in with a DN. I was
> > > just running the local ldapsearch -x command. I then tested on
> > > ipa12.mgmt and ipa11.mgmt logging in with a full DN for the admin and
> > > "cn=Directory Manager" from ipa12.mgmt (broken server) and ipa11.mgmt
> > > and both ldapsearch commands succeeded.
> > >
> > > I ran the following from ipa12.mgmt and ipa11.mgmt as a non-root user.
> > > I also ran the command showing a line count for the output and the line
> > > counts for each were the same when run from ipa12.mgmt and ipa11.mgmt.
> > >
> > > ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "DN" -w PASSWORD -b "cn=users,cn=accounts,dc=mgmt,dc=crosschx,dc=com" dn
> > >
> > > ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "cn=directory manager" -w PASSWORD dn
> >
> > The CA has its own suffix and replication agreements. Given the auth
> > error and recent (5 months) renewal of CA credentials I'd check that the
> > CA agent authentication entries are correct.
> >
> > Against each master with a CA run:
> >
> > $ ldapsearch -LLL -x -D 'cn=directory manager' -W -b uid=ipara,ou=people,o=ipaca description
> >
> > The format is 2;serial#,subject,issuer
> >
> > Then on each run:
> >
> > # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
> >
> > The serial # should match that in the description everywhere.
> >
> > rob
> >
> > On the CA (IPA13.MGMT) I ran the ldapsearch command and see that the
> > serial number is 7. I then ran the certutil command on all three
> > servers and the serial number is 7 as well.
> >
> > I also ran the ldapsearch command against the other two servers and
> > they also showed a serial number of 7.
> >
> > > On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons wrote:
> > >
> > > I have a three node IPA cluster.
> > >
> > > ipa11.mgmt - was a master over 6 months ago
> > > ipa13.mgmt - current master
> > > ipa12.mgmt
> > >
> > > ipa13 has agreements with ipa11 and ipa12. ipa11 and ipa12 do not
> > > have agreements between each other.
> > >
> > > It appears that either ipa12.mgmt lost some level of its replication
> > > agreement with ipa13. I saw some level because users / hosts were
> > > replicated between all systems but we started seeing DNS was not
> > > resolving properly from ipa12. I do not know when this started.
> > >
> > > When looking at replication agreements on ipa12 I did not see any
> > > agreement with ipa13.
> > >
> > > When I run ipa-replica-manage list all three hosts show as master.
> > >
> > > When I run ipa-replica-manage ipa11.mgmt I see ipa13.mgmt is a replica.
> > >
> > > When I run ipa-replica-manage ipa12.mgmt nothing returned.
> > >
> > > I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt
> > > ipa12.mgmt.crosschx.com ipa13.mgmt.crosschx.com on ipa12.mgmt
> > >
> > > I then ran the following
> > >
> > > ipa-replica-manage force-sync --from ipa13.mgmt.crosschx.com
> > >
> > > ipa-replica-manage re-initialize --from ipa13.mgmt.crosschx.com
> > >
> > > I was still seeing bad DNS returns when dig'ing against ipa12.mgmt.
> > > I was able to create user and DNS records and see the information
> > > replicated properly across all three nodes.
> > >
> > > I then ran ipactl stop on ipa12.mgmt and then ipactl start on
> > > ipa12.mgmt because I wanted to make sure everything was running
> > > fresh after the changes above. While IPA was starting up (DNS
> > > started) we were able to see valid DNS queries returned but
> > > pki-tomcat would not start.
> > >
> > > I am not sure what I need to do in order to get this working. I
> > > have included the output of certutil and getcert below from all
> > > three servers as well as the debug output for pki.
> > >
> > > While the IPA system is coming up I am able to successfully run
> > > ldapsearch -x as the root user and see results. I am also able to
> > > login with the "cn=Directory Manager" account and see results.
> > >
> > > The debug log shows the following error.
> > >
> > > [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
> > > [03/May/2017:21:22:01][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
> > > [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=debug
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized debug
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=log
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=log
> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=log
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized log
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=jss
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=jss
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized jss
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=dbs
> > > [03/May/2017:21:22:01][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)
> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory: init
> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init()
> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init begins
> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init ends
> > > [03/May/2017:21:22:01][localhost-startStop-1]: init: before makeConnection errorIfDown is true
> > > [03/May/2017:21:22:01][localhost-startStop-1]: makeConnection: errorIfDown true
> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
> > > [03/May/2017:21:22:02][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSL handshake happened
> > > Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
> > >     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
> > >     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
> > >     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
> > >     at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
> > >     at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
> > >     at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
> > >     at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
> > >     at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
> > >     at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
> > >     at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
> > >     at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > >     at java.lang.reflect.Method.invoke(Method.java:498)
> > >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
> > >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
> > >     at java.security.AccessController.doPrivileged(Native Method)
> > >     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> > >     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
> > >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
> > >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
> > >     at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
> > >     at
org.apache.catalina.core.StandardWrapper.loadServlet( > StandardWrapper.java:1195) > > > at > > > > > org.apache.catalina.core.StandardWrapper.load( > StandardWrapper.java:1085) > > > at > > > > > org.apache.catalina.core.StandardContext.loadOnStartup( > StandardContext.java:5318) > > > at > > > > > org.apache.catalina.core.StandardContext.startInternal( > StandardContext.java:5610) > > > at > > > > > org.apache.catalina.util.LifecycleBase.start( > LifecycleBase.java:147) > > > at > > > > > org.apache.catalina.core.ContainerBase.addChildInternal( > ContainerBase.java:899) > > > at > > > > > org.apache.catalina.core.ContainerBase.access$000( > ContainerBase.java:133) > > > at > > > > > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run( > ContainerBase.java:156) > > > at > > > > > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run( > ContainerBase.java:145) > > > at java.security.AccessController.doPrivileged(Native > > Method) > > > at > > > > > org.apache.catalina.core.ContainerBase.addChild( > ContainerBase.java:873) > > > at > > > > > org.apache.catalina.core.StandardHost.addChild( > StandardHost.java:652) > > > at > > > > > org.apache.catalina.startup.HostConfig.deployDescriptor( > HostConfig.java:679) > > > at > > > > > org.apache.catalina.startup.HostConfig$DeployDescriptor. > run(HostConfig.java:1966) > > > at > > > > > java.util.concurrent.Executors$RunnableAdapter. > call(Executors.java:511) > > > at java.util.concurrent.FutureTask.run(FutureTask. 
> java:266) > > > at > > > > > java.util.concurrent.ThreadPoolExecutor.runWorker( > ThreadPoolExecutor.java:1142) > > > at > > > > > java.util.concurrent.ThreadPoolExecutor$Worker.run( > ThreadPoolExecutor.java:617) > > > at java.lang.Thread.run(Thread.java:745) > > > Internal Database Error encountered: Could not connect to > LDAP > > > server host ipa12.mgmt.crosschx.com > > > > > > > port 636 Error netscape.ldap.LDAPException: Authentication > > failed (48) > > > at > > com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676) > > > at > > > > > com.netscape.cmscore.apps.CMSEngine.initSubsystem( > CMSEngine.java:1169) > > > at > > > > > com.netscape.cmscore.apps.CMSEngine.initSubsystems( > CMSEngine.java:1075) > > > at > > com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571) > > > at com.netscape.certsrv.apps.CMS.init(CMS.java:187) > > > at com.netscape.certsrv.apps.CMS.start(CMS.java:1616) > > > at > > > > > com.netscape.cms.servlet.base.CMSStartServlet.init( > CMSStartServlet.java:114) > > > at > > javax.servlet.GenericServlet.init(GenericServlet.java:158) > > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native > > Method) > > > at > > > > > sun.reflect.NativeMethodAccessorImpl.invoke( > NativeMethodAccessorImpl.java:62) > > > at > > > > > sun.reflect.DelegatingMethodAccessorImpl.invoke( > DelegatingMethodAccessorImpl.java:43) > > > at java.lang.reflect.Method.invoke(Method.java:498) > > > at > > > > > org.apache.catalina.security.SecurityUtil$1.run( > SecurityUtil.java:288) > > > at > > > > > org.apache.catalina.security.SecurityUtil$1.run( > SecurityUtil.java:285) > > > at java.security.AccessController.doPrivileged(Native > > Method) > > > at javax.security.auth.Subject.do > > AsPrivileged( > Subject.java:549) > > > at > > > > > org.apache.catalina.security.SecurityUtil.execute( > SecurityUtil.java:320) > > > at > > > > > org.apache.catalina.security.SecurityUtil.doAsPrivilege( > SecurityUtil.java:175) > > > at > > > > > 
org.apache.catalina.security.SecurityUtil.doAsPrivilege( > SecurityUtil.java:124) > > > at > > > > > org.apache.catalina.core.StandardWrapper.initServlet( > StandardWrapper.java:1270) > > > at > > > > > org.apache.catalina.core.StandardWrapper.loadServlet( > StandardWrapper.java:1195) > > > at > > > > > org.apache.catalina.core.StandardWrapper.load( > StandardWrapper.java:1085) > > > at > > > > > org.apache.catalina.core.StandardContext.loadOnStartup( > StandardContext.java:5318) > > > at > > > > > org.apache.catalina.core.StandardContext.startInternal( > StandardContext.java:5610) > > > at > > > > > org.apache.catalina.util.LifecycleBase.start( > LifecycleBase.java:147) > > > at > > > > > org.apache.catalina.core.ContainerBase.addChildInternal( > ContainerBase.java:899) > > > at > > > > > org.apache.catalina.core.ContainerBase.access$000( > ContainerBase.java:133) > > > at > > > > > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run( > ContainerBase.java:156) > > > at > > > > > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run( > ContainerBase.java:145) > > > at java.security.AccessController.doPrivileged(Native > > Method) > > > at > > > > > org.apache.catalina.core.ContainerBase.addChild( > ContainerBase.java:873) > > > at > > > > > org.apache.catalina.core.StandardHost.addChild( > StandardHost.java:652) > > > at > > > > > org.apache.catalina.startup.HostConfig.deployDescriptor( > HostConfig.java:679) > > > at > > > > > org.apache.catalina.startup.HostConfig$DeployDescriptor. > run(HostConfig.java:1966) > > > at > > > > > java.util.concurrent.Executors$RunnableAdapter. > call(Executors.java:511) > > > at java.util.concurrent.FutureTask.run(FutureTask. 
> java:266) > > > at > > > > > java.util.concurrent.ThreadPoolExecutor.runWorker( > ThreadPoolExecutor.java:1142) > > > at > > > > > java.util.concurrent.ThreadPoolExecutor$Worker.run( > ThreadPoolExecutor.java:617) > > > at java.lang.Thread.run(Thread.java:745) > > > [03/May/2017:21:22:02][localhost-startStop-1]: > > CMSEngine.shutdown() > > > > > > > > > ============================= > > > > > > > > > IPA11.MGMT > > > > > > (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/ > > > Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI > > Server-Cert > > > u,u,u MGMT.CROSSCHX.COM > > IPA CA CT,C,C > > > (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/ > > Certificate > > > Nickname Trust Attributes SSL,S/MIME,JAR/XPI caSigningCert > > > cert-pki-ca CTu,Cu,Cu auditSigningCert cert-pki-ca u,u,Pu > > > ocspSigningCert cert-pki-ca u,u,u subsystemCert > > cert-pki-ca u,u,u > > > Server-Cert cert-pki-ca u,u,u IPA13.MGMT (root)>certutil > -L -d > > > /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/ Certificate Nickname > > Trust > > > Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u > > MGMT.CROSSCHX.COM > > > IPA CA CT,C,C (root)>certutil > -L -d > > > /var/lib/pki/pki-tomcat/alias/ Certificate Nickname Trust > > Attributes > > > SSL,S/MIME,JAR/XPI caSigningCert cert-pki-ca CTu,Cu,Cu > > > auditSigningCert cert-pki-ca u,u,Pu ocspSigningCert > > cert-pki-ca > > > u,u,u subsystemCert cert-pki-ca u,u,u Server-Cert > > cert-pki-ca u,u,u > > > IPA12.MGMT (root)>certutil -L -d > > > /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/ Certificate Nickname > > Trust > > > Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u > > MGMT.CROSSCHX.COM > > > IPA CA C,, (root)>certutil -L > -d > > > /var/lib/pki/pki-tomcat/alias/ Certificate Nickname Trust > > Attributes > > > SSL,S/MIME,JAR/XPI caSigningCert cert-pki-ca CTu,Cu,Cu > > > auditSigningCert cert-pki-ca u,u,Pu ocspSigningCert > > cert-pki-ca > > > u,u,u subsystemCert cert-pki-ca u,u,u Server-Cert > > cert-pki-ca u,u,u > > > 
================================================= > IPA11.MGMT > > > (root)>getcert list Number of certificates and requests > being > > > tracked: 8. Request ID '20161229155314': status: > > MONITORING stuck: > > > no key pair storage: > > > > > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX- > COM',nickname='Server-Cert',token='NSS > > > Certificate > > > DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/ > pwdfile.txt' > > > certificate: > > > > > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX- > COM',nickname='Server-Cert',token='NSS > > > Certificate DB' CA: IPA issuer: CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > subject: > > > CN=ipa11.mgmt.crosschx.com > > > > > >,O=MGMT.CROSSCHX.COM > > > > > expires: 2018-12-30 15:52:43 > > UTC key > > > usage: > > > > > digitalSignature,nonRepudiation,keyEncipherment, > dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: > > post-save > > > command: /usr/libexec/ipa/certmonger/restart_dirsrv > > > MGMT-CROSSCHX-COM track: yes auto-renew: yes Request ID > > > '20161229155652': status: MONITORING stuck: no key pair > > storage: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > auditSigningCert > > > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > auditSigningCert > > > cert-pki-ca',token='NSS Certificate DB' CA: > > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > subject: > > > CN=CA Audit,O=MGMT.CROSSCHX.COM > > expires: > > > 2018-11-12 13:00:29 UTC key usage: > > digitalSignature,nonRepudiation > > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > > post-save > > > command: /usr/libexec/ipa/certmonger/renew_ca_cert > > "auditSigningCert > > > cert-pki-ca" track: yes auto-renew: yes Request ID > > '20161229155654': > > > status: MONITORING stuck: no key pair storage: > > > > > 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > ocspSigningCert > > > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > ocspSigningCert > > > cert-pki-ca',token='NSS Certificate DB' CA: > > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > subject: > > > CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM > > > > > expires: 2018-11-12 13:00:26 UTC key usage: > > > digitalSignature,nonRepudiation,keyCertSign,cRLSign eku: > > > id-kp-OCSPSigning pre-save command: > > > /usr/libexec/ipa/certmonger/stop_pkicad post-save command: > > > /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert > > > cert-pki-ca" track: yes auto-renew: yes Request ID > > '20161229155655': > > > status: MONITORING stuck: no key pair storage: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > subsystemCert > > > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > subsystemCert > > > cert-pki-ca',token='NSS Certificate DB' CA: > > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > subject: > > > CN=CA Subsystem,O=MGMT.CROSSCHX.COM > > > > > expires: 2018-11-12 13:00:28 UTC key usage: > > > > > digitalSignature,nonRepudiation,keyEncipherment, > dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: > > > /usr/libexec/ipa/certmonger/stop_pkicad post-save command: > > > /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert > > > cert-pki-ca" track: yes auto-renew: yes Request ID > > '20161229155657': > > > status: MONITORING stuck: no key pair storage: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > caSigningCert > > > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > caSigningCert > > > 
cert-pki-ca',token='NSS Certificate DB' CA: > > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > subject: > > > CN=Certificate Authority,O=MGMT.CROSSCHX.COM > > > > > expires: 2036-11-22 13:00:25 > > UTC key > > > usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign > > pre-save > > > command: /usr/libexec/ipa/certmonger/stop_pkicad post-save > > command: > > > /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert > > > cert-pki-ca" track: yes auto-renew: yes Request ID > > '20161229155659': > > > status: MONITORING stuck: no key pair storage: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > Server-Cert > > cert-pki-ca',token='NSS > > > Certificate DB',pin set certificate: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > Server-Cert > > cert-pki-ca',token='NSS > > > Certificate DB' CA: dogtag-ipa-renew-agent issuer: > > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > subject: > > > CN=ipa11.mgmt.crosschx.com > > > > > >,O=MGMT.CROSSCHX.COM > > > > > expires: 2018-12-19 15:56:20 > > UTC key > > > usage: > > > > > digitalSignature,nonRepudiation,keyEncipherment, > dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth,id-kp- > emailProtection > > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > > post-save > > > command: /usr/libexec/ipa/certmonger/renew_ca_cert > > "Server-Cert > > > cert-pki-ca" track: yes auto-renew: yes Request ID > > '20161229155921': > > > status: MONITORING stuck: no key pair storage: > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server- > Cert',token='NSS > > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server- > Cert',token='NSS > > > Certificate DB' CA: IPA issuer: CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > subject: > > > CN=ipa11.mgmt.crosschx.com > > > > > >,O=MGMT.CROSSCHX.COM > > > > > expires: 2018-12-30 
15:52:46 > > UTC key > > > usage: > > > > > digitalSignature,nonRepudiation,keyEncipherment, > dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: > > post-save > > > command: /usr/libexec/ipa/certmonger/restart_httpd track: > yes > > > auto-renew: yes Request ID '20161229160009': status: > > MONITORING > > > stuck: no key pair storage: > > > > > type=NSSDB,location='/etc/httpd/alias',nickname=' > ipaCert',token='NSS > > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > > > > > type=NSSDB,location='/etc/httpd/alias',nickname=' > ipaCert',token='NSS > > > Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: > > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > subject: > > > CN=IPA RA,O=MGMT.CROSSCHX.COM > > expires: > > > 2018-11-12 13:01:34 UTC key usage: > > > > > digitalSignature,nonRepudiation,keyEncipherment, > dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: > > > /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save > > command: > > > /usr/libexec/ipa/certmonger/renew_ra_cert track: yes > > auto-renew: yes > > > ================================== IPA13.MGMT > > (root)>getcert list > > > Number of certificates and requests being tracked: 8. 
> > Request ID > > > '20161229143449': status: MONITORING stuck: no key pair > > storage: > > > > > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX- > COM',nickname='Server-Cert',token='NSS > > > Certificate > > > DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/ > pwdfile.txt' > > > certificate: > > > > > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX- > COM',nickname='Server-Cert',token='NSS > > > Certificate DB' CA: IPA issuer: CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > subject: > > > CN=ipa13.mgmt.crosschx.com > > > > > >,O=MGMT.CROSSCHX.COM > > > > > expires: 2018-12-30 14:34:20 > > UTC key > > > usage: > > > > > digitalSignature,nonRepudiation,keyEncipherment, > dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: > > post-save > > > command: /usr/libexec/ipa/certmonger/restart_dirsrv > > > MGMT-CROSSCHX-COM track: yes auto-renew: yes Request ID > > > '20161229143826': status: MONITORING stuck: no key pair > > storage: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > auditSigningCert > > > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > auditSigningCert > > > cert-pki-ca',token='NSS Certificate DB' CA: > > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > subject: > > > CN=CA Audit,O=MGMT.CROSSCHX.COM > > expires: > > > 2018-11-12 13:00:29 UTC key usage: > > digitalSignature,nonRepudiation > > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > > post-save > > > command: /usr/libexec/ipa/certmonger/renew_ca_cert > > "auditSigningCert > > > cert-pki-ca" track: yes auto-renew: yes Request ID > > '20161229143828': > > > status: MONITORING stuck: no key pair storage: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > ocspSigningCert > > > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > > > > > 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > ocspSigningCert > > > cert-pki-ca',token='NSS Certificate DB' CA: > > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > subject: > > > CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM > > > > > expires: 2018-11-12 13:00:26 UTC key usage: > > > digitalSignature,nonRepudiation,keyCertSign,cRLSign eku: > > > id-kp-OCSPSigning pre-save command: > > > /usr/libexec/ipa/certmonger/stop_pkicad post-save command: > > > /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert > > > cert-pki-ca" track: yes auto-renew: yes Request ID > > '20161229143831': > > > status: MONITORING stuck: no key pair storage: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > subsystemCert > > > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > subsystemCert > > > cert-pki-ca',token='NSS Certificate DB' CA: > > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > subject: > > > CN=CA Subsystem,O=MGMT.CROSSCHX.COM > > > > > expires: 2018-11-12 13:00:28 UTC key usage: > > > > > digitalSignature,nonRepudiation,keyEncipherment, > dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: > > > /usr/libexec/ipa/certmonger/stop_pkicad post-save command: > > > /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert > > > cert-pki-ca" track: yes auto-renew: yes Request ID > > '20161229143833': > > > status: MONITORING stuck: no key pair storage: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > caSigningCert > > > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > caSigningCert > > > cert-pki-ca',token='NSS Certificate DB' CA: > > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > subject: > > > CN=Certificate 
Authority,O=MGMT.CROSSCHX.COM > > > > > expires: 2036-11-22 13:00:25 > > UTC key > > > usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign > > pre-save > > > command: /usr/libexec/ipa/certmonger/stop_pkicad post-save > > command: > > > /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert > > > cert-pki-ca" track: yes auto-renew: yes Request ID > > '20161229143835': > > > status: MONITORING stuck: no key pair storage: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > Server-Cert > > cert-pki-ca',token='NSS > > > Certificate DB',pin set certificate: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > Server-Cert > > cert-pki-ca',token='NSS > > > Certificate DB' CA: dogtag-ipa-renew-agent issuer: > > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > subject: > > > CN=ipa13.mgmt.crosschx.com > > > > > >,O=MGMT.CROSSCHX.COM > > > > > expires: 2018-12-19 14:37:54 > > UTC key > > > usage: > > > > > digitalSignature,nonRepudiation,keyEncipherment, > dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth,id-kp- > emailProtection > > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > > post-save > > > command: /usr/libexec/ipa/certmonger/renew_ca_cert > > "Server-Cert > > > cert-pki-ca" track: yes auto-renew: yes Request ID > > '20161229144057': > > > status: MONITORING stuck: no key pair storage: > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server- > Cert',token='NSS > > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server- > Cert',token='NSS > > > Certificate DB' CA: IPA issuer: CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > subject: > > > CN=ipa13.mgmt.crosschx.com > > > > > >,O=MGMT.CROSSCHX.COM > > > > > expires: 2018-12-30 14:34:23 > > UTC key > > > usage: > > > > > digitalSignature,nonRepudiation,keyEncipherment, > dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save 
command: > > post-save > > > command: /usr/libexec/ipa/certmonger/restart_httpd track: > yes > > > auto-renew: yes Request ID '20161229144146': status: > > MONITORING > > > stuck: no key pair storage: > > > > > type=NSSDB,location='/etc/httpd/alias',nickname=' > ipaCert',token='NSS > > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > > > > > type=NSSDB,location='/etc/httpd/alias',nickname=' > ipaCert',token='NSS > > > Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: > > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > subject: > > > CN=IPA RA,O=MGMT.CROSSCHX.COM > > expires: > > > 2018-11-12 13:01:34 UTC key usage: > > > > > digitalSignature,nonRepudiation,keyEncipherment, > dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: > > > /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save > > command: > > > /usr/libexec/ipa/certmonger/renew_ra_cert track: yes > > auto-renew: yes > > > =========================== IPA12.MGMT (root)>getcert list > > Number of > > > certificates and requests being tracked: 8. 
Request ID > > > '20161229151518': status: MONITORING stuck: no key pair > > storage: > > > > > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX- > COM',nickname='Server-Cert',token='NSS > > > Certificate > > > DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/ > pwdfile.txt' > > > certificate: > > > > > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX- > COM',nickname='Server-Cert',token='NSS > > > Certificate DB' CA: IPA issuer: CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > subject: > > > CN=ipa12.mgmt.crosschx.com > > > > > >,O=MGMT.CROSSCHX.COM > > > > > expires: 2018-12-30 15:14:51 > > UTC key > > > usage: > > > > > digitalSignature,nonRepudiation,keyEncipherment, > dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: > > post-save > > > command: /usr/libexec/ipa/certmonger/restart_dirsrv > > > MGMT-CROSSCHX-COM track: yes auto-renew: yes Request ID > > > '20161229151850': status: MONITORING stuck: no key pair > > storage: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > auditSigningCert > > > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > auditSigningCert > > > cert-pki-ca',token='NSS Certificate DB' CA: > > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > subject: > > > CN=CA Audit,O=MGMT.CROSSCHX.COM > > expires: > > > 2018-11-12 13:00:29 UTC key usage: > > digitalSignature,nonRepudiation > > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > > post-save > > > command: /usr/libexec/ipa/certmonger/renew_ca_cert > > "auditSigningCert > > > cert-pki-ca" track: yes auto-renew: yes Request ID > > '20161229151852': > > > status: MONITORING stuck: no key pair storage: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > ocspSigningCert > > > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > > > > > 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > ocspSigningCert > > > cert-pki-ca',token='NSS Certificate DB' CA: > > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > subject: > > > CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM > > > > > expires: 2018-11-12 13:00:26 UTC key usage: > > > digitalSignature,nonRepudiation,keyCertSign,cRLSign eku: > > > id-kp-OCSPSigning pre-save command: > > > /usr/libexec/ipa/certmonger/stop_pkicad post-save command: > > > /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert > > > cert-pki-ca" track: yes auto-renew: yes Request ID > > '20161229151854': > > > status: MONITORING stuck: no key pair storage: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > subsystemCert > > > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > subsystemCert > > > cert-pki-ca',token='NSS Certificate DB' CA: > > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > subject: > > > CN=CA Subsystem,O=MGMT.CROSSCHX.COM > > > > > expires: 2018-11-12 13:00:28 UTC key usage: > > > > > digitalSignature,nonRepudiation,keyEncipherment, > dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: > > > /usr/libexec/ipa/certmonger/stop_pkicad post-save command: > > > /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert > > > cert-pki-ca" track: yes auto-renew: yes Request ID > > '20161229151856': > > > status: MONITORING stuck: no key pair storage: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > caSigningCert > > > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > caSigningCert > > > cert-pki-ca',token='NSS Certificate DB' CA: > > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > subject: > > > CN=Certificate 
Authority,O=MGMT.CROSSCHX.COM > > > > > expires: 2036-11-22 13:00:25 > > UTC key > > > usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign > > pre-save > > > command: /usr/libexec/ipa/certmonger/stop_pkicad post-save > > command: > > > /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert > > > cert-pki-ca" track: yes auto-renew: yes Request ID > > '20161229151858': > > > status: MONITORING stuck: no key pair storage: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > Server-Cert > > cert-pki-ca',token='NSS > > > Certificate DB',pin set certificate: > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname=' > Server-Cert > > cert-pki-ca',token='NSS > > > Certificate DB' CA: dogtag-ipa-renew-agent issuer: > > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > subject: > > > CN=ipa12.mgmt.crosschx.com > > > > > >,O=MGMT.CROSSCHX.COM > > > > > expires: 2018-12-19 15:18:16 > > UTC key > > > usage: > > > > > digitalSignature,nonRepudiation,keyEncipherment, > dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth,id-kp- > emailProtection > > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > > post-save > > > command: /usr/libexec/ipa/certmonger/renew_ca_cert > > "Server-Cert > > > cert-pki-ca" track: yes auto-renew: yes Request ID > > '20161229152115': > > > status: MONITORING stuck: no key pair storage: > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server- > Cert',token='NSS > > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server- > Cert',token='NSS > > > Certificate DB' CA: IPA issuer: CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > subject: > > > CN=ipa12.mgmt.crosschx.com > > > > > >,O=MGMT.CROSSCHX.COM > > > > > expires: 2018-12-30 15:14:54 > > UTC key > > > usage: > > > > > digitalSignature,nonRepudiation,keyEncipherment, > dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save 
command: > > post-save > > > command: /usr/libexec/ipa/certmonger/restart_httpd track: > yes > > > auto-renew: yes Request ID '20161229152204': status: > > MONITORING > > > stuck: no key pair storage: > > > > > type=NSSDB,location='/etc/httpd/alias',nickname=' > ipaCert',token='NSS > > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > > > > > type=NSSDB,location='/etc/httpd/alias',nickname=' > ipaCert',token='NSS > > > Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: > > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > subject: > > > CN=IPA RA,O=MGMT.CROSSCHX.COM > > expires: > > > 2018-11-12 13:01:34 UTC key usage: > > > > > digitalSignature,nonRepudiation,keyEncipherment, > dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: > > > /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save > > command: > > > /usr/libexec/ipa/certmonger/renew_ra_cert track: yes > > auto-renew: yes > > > > > > > > > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX > > > * > > > 614.427.2411 > > > mike.plemmons at crosschx.com > > > > > > > > > www.crosschx.com From michael.plemmons at crosschx.com Fri May 5 19:33:35 2017 From: michael.plemmons at crosschx.com (Michael Plemmons) Date: Fri, 5 May 2017 15:33:35 -0400 Subject: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket: In-Reply-To: References: <390a61fb-081b-fa93-da4c-3197b9f269be@redhat.com> <4f49e3b8-ac05-c49b-cfef-c9109d026d72@redhat.com> Message-ID: I think I found the email thread. Asking for help with crashed freeIPA istance. That email pointed to this link, https://www.redhat.com/archives/freeipa-users/2017-January/msg00215.html. That link talked about changing the CS.cfg file to use port 389 for PKI to auth to LDAP. I made the necessary changes and PKI came up successfully.

*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614.427.2411
mike.plemmons at crosschx.com
www.crosschx.com

On Fri, May 5, 2017 at 3:19 PM, Michael Plemmons <michael.plemmons at crosschx.com> wrote:

> On Fri, May 5, 2017 at 3:15 PM, Rob Crittenden wrote:
>
>> Michael Plemmons wrote:
>> > I just realized that I sent the reply directly to Rob and not to the
>> > list. My response is inline
>>
>> Ok, this is actually good news.
>>
>> I made a similar proposal in another case and I was completely wrong.
>> Flo had the user do something and it totally fixed their auth error, I
>> just can't remember what it was or find the e-mail thread. I'm pretty
>> sure it was this calendar year though.
>>
>> rob
>
> Do you or Flo know what I could search for in the past emails to find the
> answer to the problem?
>
>> > On Thu, May 4, 2017 at 9:39 AM, Michael Plemmons wrote:
>> >
>> > On Thu, May 4, 2017 at 9:24 AM, Rob Crittenden wrote:
>> >
>> > Michael Plemmons wrote:
>> > > I realized that I was not very clear in my statement about testing with
>> > > ldapsearch. I had initially run it without logging in with a DN. I was
>> > > just running the local ldapsearch -x command. I then tested on
>> > > ipa12.mgmt and ipa11.mgmt logging in with a full DN for the admin and
>> > > "cn=Directory Manager" from ipa12.mgmt (broken server) and ipa11.mgmt
>> > > and both ldapsearch commands succeeded.
>> > >
>> > > I ran the following from ipa12.mgmt and ipa11.mgmt as a non-root user.
>> > > I also ran the command showing a line count for the output and the line
>> > > counts for each were the same when run from ipa12.mgmt and ipa11.mgmt.
>> > >
>> > > ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "DN" -w PASSWORD -b "cn=users,cn=accounts,dc=mgmt,dc=crosschx,dc=com" dn
>> > >
>> > > ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "cn=directory manager" -w PASSWORD dn
>> >
>> > The CA has its own suffix and replication agreements. Given the auth
>> > error and recent (5 months) renewal of CA credentials I'd check that the
>> > CA agent authentication entries are correct.
>> >
>> > Against each master with a CA run:
>> >
>> > $ ldapsearch -LLL -x -D 'cn=directory manager' -W -b uid=ipara,ou=people,o=ipaca description
>> >
>> > The format is 2;serial#,subject,issuer
>> >
>> > Then on each run:
>> >
>> > # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
>> >
>> > The serial # should match that in the description everywhere.
>> >
>> > rob
>> >
>> > On the CA (IPA13.MGMT) I ran the ldapsearch command and see that the
>> > serial number is 7. I then ran the certutil command on all three
>> > servers and the serial number is 7 as well.
>> >
>> > I also ran the ldapsearch command against the other two servers and
>> > they also showed a serial number of 7.
>> >
>> > > On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons wrote:
>> > >
>> > > I have a three node IPA cluster.
>> > >
>> > > ipa11.mgmt - was a master over 6 months ago
>> > > ipa13.mgmt - current master
>> > > ipa12.mgmt
>> > >
>> > > ipa13 has agreements with ipa11 and ipa12. ipa11 and ipa12 do not
>> > > have agreements between each other.
>> > >
>> > > It appears that either ipa12.mgmt lost some level of its replication
>> > > agreement with ipa13. I saw some level because users / hosts were
>> > > replicated between all systems but we started seeing DNS was not
>> > > resolving properly from ipa12. I do not know when this started.
>> > >
>> > > When looking at replication agreements on ipa12 I did not see any
>> > > agreement with ipa13.
>> > >
>> > > When I run ipa-replica-manage list all three hosts show as master.
>> > >
>> > > When I run ipa-replica-manage ipa11.mgmt I see ipa13.mgmt is a replica.
>> > >
>> > > When I run ipa-replica-manage ipa12.mgmt nothing returned.
>> > >
>> > > I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt
>> > > ipa12.mgmt.crosschx.com ipa13.mgmt.crosschx.com on ipa12.mgmt
>> > >
>> > > I then ran the following
>> > >
>> > > ipa-replica-manage force-sync --from ipa13.mgmt.crosschx.com
>> > >
>> > > ipa-replica-manage re-initialize --from ipa13.mgmt.crosschx.com
>> > >
>> > > I was still seeing bad DNS returns when dig'ing against ipa12.mgmt.
>> > > I was able to create user and DNS records and see the information
>> > > replicated properly across all three nodes.
>> > >
>> > > I then ran ipactl stop on ipa12.mgmt and then ipactl start on
>> > > ipa12.mgmt because I wanted to make sure everything was running
>> > > fresh after the changes above. While IPA was starting up (DNS
>> > > started) we were able to see valid DNS queries returned but
>> > > pki-tomcat would not start.
>> > >
>> > > I am not sure what I need to do in order to get this working. I
>> > > have included the output of certutil and getcert below from all
>> > > three servers as well as the debug output for pki.
>> > >
>> > > While the IPA system is coming up I am able to successfully run
>> > > ldapsearch -x as the root user and see results.
>> > > I am also able to login with the "cn=Directory Manager" account and see results.
>> > >
>> > > The debug log shows the following error.
>> > >
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=debug
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized debug
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=log
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=log
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=log
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized log
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=jss
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=jss
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized jss
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=dbs
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory: init
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init()
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init begins
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init ends
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: init: before makeConnection errorIfDown is true
>> > > [03/May/2017:21:22:01][localhost-startStop-1]: makeConnection: errorIfDown true
>> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
>> > > [03/May/2017:21:22:02][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
>> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
>> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
>> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSL handshake happened
>> > > Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
>> > >     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
>> > >     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
>> > >     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
>> > >     at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
>> > >     at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
>> > >     at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
>> > >     at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
>> > >     at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>> > >     at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>> > >     at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>> > >     at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>> > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> > >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> > >     at java.lang.reflect.Method.invoke(Method.java:498)
>> > >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>> > >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>> > >     at java.security.AccessController.doPrivileged(Native Method)
>> > >     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>> > >     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>> > >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>> > >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
>> > >     at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
>> > >     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
>> > >     at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
>> > >     at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
>> > >     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
>> > >     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>> > >     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>> > >     at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>> > >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>> > >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>> > >     at java.security.AccessController.doPrivileged(Native Method)
>> > >     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
>> > >     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>> > >     at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
>> > >     at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
>> > >     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>> > >     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>> > >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> > >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> > >     at java.lang.Thread.run(Thread.java:745)
>> > > Internal Database Error encountered: Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
>> > >     at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676)
>> > >     at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
>> > >     at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
>> > >     at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
>> > >     at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
>> > >     at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
>> > >     at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
>> > >     at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>> > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> > >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> > >     at java.lang.reflect.Method.invoke(Method.java:498)
>> > >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
>> > >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
>> > >     at java.security.AccessController.doPrivileged(Native Method)
>> > >     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
>> > >     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
>> > >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
>> > >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
>> > >     at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
>> > >     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
>> > >     at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
>> > >     at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
>> > >     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
>> > >     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
>> > >     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>> > >     at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>> > >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>> > >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>> > >     at java.security.AccessController.doPrivileged(Native Method)
>> > >     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873)
>> > >     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>> > >     at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679)
>> > >     at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966)
>> > >     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>> > >     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>> > >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> > >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> > >     at java.lang.Thread.run(Thread.java:745)
>> > > [03/May/2017:21:22:02][localhost-startStop-1]: CMSEngine.shutdown()
>> > >
>> > > =============================
>> > >
>> > > IPA11.MGMT
>> > >
>> > > (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>> > >
>> > > Certificate Nickname                Trust Attributes
>> > >                                     SSL,S/MIME,JAR/XPI
>> > >
>> > > Server-Cert                         u,u,u
>> > > MGMT.CROSSCHX.COM IPA CA            CT,C,C
>> > >
>> > > (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>> > >
>> > > Certificate Nickname                Trust Attributes
>> > >                                     SSL,S/MIME,JAR/XPI
>> > >
>> > > caSigningCert cert-pki-ca           CTu,Cu,Cu
>> > > auditSigningCert cert-pki-ca        u,u,Pu
>> > > ocspSigningCert cert-pki-ca         u,u,u
>> > > subsystemCert cert-pki-ca           u,u,u
>> > > Server-Cert cert-pki-ca             u,u,u
>> > >
>> > > IPA13.MGMT
>> > >
>> > > (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>> > >
>> > > Certificate Nickname                Trust Attributes
>> > >                                     SSL,S/MIME,JAR/XPI
>> > >
>> > > Server-Cert                         u,u,u
>> > > MGMT.CROSSCHX.COM IPA CA            CT,C,C
>> > >
>> > > (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>> > >
>> > > Certificate Nickname                Trust Attributes
>> > >                                     SSL,S/MIME,JAR/XPI
>> > >
>> > > caSigningCert cert-pki-ca           CTu,Cu,Cu
>> > > auditSigningCert cert-pki-ca        u,u,Pu
>> > > ocspSigningCert cert-pki-ca         u,u,u
>> > > subsystemCert cert-pki-ca           u,u,u
>> > > Server-Cert cert-pki-ca             u,u,u
>> > >
>> > > IPA12.MGMT
>> > >
>> > > (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/
>> > >
>> > > Certificate Nickname                Trust Attributes
>> > >                                     SSL,S/MIME,JAR/XPI
>> > >
>> > > Server-Cert                         u,u,u
>> > > MGMT.CROSSCHX.COM IPA CA            C,,
>> > >
>> > > (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/
>> > >
>> > > Certificate Nickname                Trust Attributes
>> > >                                     SSL,S/MIME,JAR/XPI
>> > >
>> > > caSigningCert cert-pki-ca           CTu,Cu,Cu
>> > > auditSigningCert cert-pki-ca        u,u,Pu
>> > > ocspSigningCert cert-pki-ca         u,u,u
>> > > subsystemCert cert-pki-ca           u,u,u
>> > > Server-Cert cert-pki-ca             u,u,u
>> > >
>> > > =================================================
>> > >
>> > > IPA11.MGMT
>> > >
>> > > (root)>getcert list
>> > > Number of certificates and requests being tracked: 8.
>> > > Request ID '20161229155314':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
>> > >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
>> > >     CA: IPA
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-12-30 15:52:43 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>> > >     pre-save command:
>> > >     post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229155652':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>> > >     CA: dogtag-ipa-ca-renew-agent
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-11-12 13:00:29 UTC
>> > >     key usage: digitalSignature,nonRepudiation
>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229155654':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>> > >     CA: dogtag-ipa-ca-renew-agent
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-11-12 13:00:26 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>> > >     eku: id-kp-OCSPSigning
>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229155655':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>> > >     CA: dogtag-ipa-ca-renew-agent
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-11-12 13:00:28 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229155657':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>> > >     CA: dogtag-ipa-ca-renew-agent
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     expires: 2036-11-22 13:00:25 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229155659':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>> > >     CA: dogtag-ipa-renew-agent
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-12-19 15:56:20 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > >     eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229155921':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> > >     CA: IPA
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=ipa11.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-12-30 15:52:46 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>> > >     pre-save command:
>> > >     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229160009':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>> > >     CA: dogtag-ipa-ca-renew-agent
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-11-12 13:01:34 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>> > >     pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>> > >     track: yes
>> > >     auto-renew: yes
>> > >
>> > > ==================================
>> > >
>> > > IPA13.MGMT
>> > >
>> > > (root)>getcert list
>> > > Number of certificates and requests being tracked: 8.
>> > > Request ID '20161229143449':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt'
>> > >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS Certificate DB'
>> > >     CA: IPA
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-12-30 14:34:20 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>> > >     pre-save command:
>> > >     post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv MGMT-CROSSCHX-COM
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229143826':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>> > >     CA: dogtag-ipa-ca-renew-agent
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=CA Audit,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-11-12 13:00:29 UTC
>> > >     key usage: digitalSignature,nonRepudiation
>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229143828':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>> > >     CA: dogtag-ipa-ca-renew-agent
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-11-12 13:00:26 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>> > >     eku: id-kp-OCSPSigning
>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229143831':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>> > >     CA: dogtag-ipa-ca-renew-agent
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=CA Subsystem,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-11-12 13:00:28 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229143833':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>> > >     CA: dogtag-ipa-ca-renew-agent
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     expires: 2036-11-22 13:00:25 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229143835':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>> > >     CA: dogtag-ipa-renew-agent
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-12-19 14:37:54 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > >     eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>> > >     track: yes
>> > >     auto-renew: yes
>> > > Request ID '20161229144057':
>> > >     status: MONITORING
>> > >     stuck: no
>> > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> > >     CA: IPA
>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>> > >     subject: CN=ipa13.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>> > >     expires: 2018-12-30 14:34:23 UTC
>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>> > >     pre-save command:
>> > >     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>> > >     track: yes
> > auto-renew: yes Request ID '20161229144146': status: >> > MONITORING >> > > stuck: no key pair storage: >> > > >> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert', >> token='NSS >> > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> > certificate: >> > > >> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert', >> token='NSS >> > > Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: >> > CN=Certificate >> > > Authority,O=MGMT.CROSSCHX.COM >> > subject: >> > > CN=IPA RA,O=MGMT.CROSSCHX.COM >> > expires: >> > > 2018-11-12 13:01:34 UTC key usage: >> > > >> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher >> ment >> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: >> > > /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save >> > command: >> > > /usr/libexec/ipa/certmonger/renew_ra_cert track: yes >> > auto-renew: yes >> > > =========================== IPA12.MGMT (root)>getcert list >> > Number of >> > > certificates and requests being tracked: 8. Request ID >> > > '20161229151518': status: MONITORING stuck: no key pair >> > storage: >> > > >> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM', >> nickname='Server-Cert',token='NSS >> > > Certificate >> > > DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile. 
>> txt' >> > > certificate: >> > > >> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM', >> nickname='Server-Cert',token='NSS >> > > Certificate DB' CA: IPA issuer: CN=Certificate >> > > Authority,O=MGMT.CROSSCHX.COM >> > subject: >> > > CN=ipa12.mgmt.crosschx.com > m> >> > > > > >,O=MGMT.CROSSCHX.COM >> > >> > > expires: 2018-12-30 15:14:51 >> > UTC key >> > > usage: >> > > >> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher >> ment >> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: >> > post-save >> > > command: /usr/libexec/ipa/certmonger/restart_dirsrv >> > > MGMT-CROSSCHX-COM track: yes auto-renew: yes Request ID >> > > '20161229151850': status: MONITORING stuck: no key pair >> > storage: >> > > >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='au >> ditSigningCert >> > > cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: >> > > >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='au >> ditSigningCert >> > > cert-pki-ca',token='NSS Certificate DB' CA: >> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >> > > Authority,O=MGMT.CROSSCHX.COM >> > subject: >> > > CN=CA Audit,O=MGMT.CROSSCHX.COM > > >> > expires: >> > > 2018-11-12 13:00:29 UTC key usage: >> > digitalSignature,nonRepudiation >> > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> > post-save >> > > command: /usr/libexec/ipa/certmonger/renew_ca_cert >> > "auditSigningCert >> > > cert-pki-ca" track: yes auto-renew: yes Request ID >> > '20161229151852': >> > > status: MONITORING stuck: no key pair storage: >> > > >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='oc >> spSigningCert >> > > cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: >> > > >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='oc >> spSigningCert >> > > cert-pki-ca',token='NSS Certificate DB' CA: >> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >> > > Authority,O=MGMT.CROSSCHX.COM >> > subject: >> > > 
CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM >> > >> > > expires: 2018-11-12 13:00:26 UTC key usage: >> > > digitalSignature,nonRepudiation,keyCertSign,cRLSign eku: >> > > id-kp-OCSPSigning pre-save command: >> > > /usr/libexec/ipa/certmonger/stop_pkicad post-save >> command: >> > > /usr/libexec/ipa/certmonger/renew_ca_cert >> "ocspSigningCert >> > > cert-pki-ca" track: yes auto-renew: yes Request ID >> > '20161229151854': >> > > status: MONITORING stuck: no key pair storage: >> > > >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='su >> bsystemCert >> > > cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: >> > > >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='su >> bsystemCert >> > > cert-pki-ca',token='NSS Certificate DB' CA: >> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >> > > Authority,O=MGMT.CROSSCHX.COM >> > subject: >> > > CN=CA Subsystem,O=MGMT.CROSSCHX.COM >> > >> > > expires: 2018-11-12 13:00:28 UTC key usage: >> > > >> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher >> ment >> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: >> > > /usr/libexec/ipa/certmonger/stop_pkicad post-save >> command: >> > > /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert >> > > cert-pki-ca" track: yes auto-renew: yes Request ID >> > '20161229151856': >> > > status: MONITORING stuck: no key pair storage: >> > > >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ca >> SigningCert >> > > cert-pki-ca',token='NSS Certificate DB',pin set >> certificate: >> > > >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ca >> SigningCert >> > > cert-pki-ca',token='NSS Certificate DB' CA: >> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >> > > Authority,O=MGMT.CROSSCHX.COM >> > subject: >> > > CN=Certificate Authority,O=MGMT.CROSSCHX.COM >> > >> > > expires: 2036-11-22 13:00:25 >> > UTC key >> > > usage: digitalSignature,nonRepudiatio >> n,keyCertSign,cRLSign >> > pre-save >> > > 
command: /usr/libexec/ipa/certmonger/stop_pkicad >> post-save >> > command: >> > > /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert >> > > cert-pki-ca" track: yes auto-renew: yes Request ID >> > '20161229151858': >> > > status: MONITORING stuck: no key pair storage: >> > > >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Se >> rver-Cert >> > cert-pki-ca',token='NSS >> > > Certificate DB',pin set certificate: >> > > >> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Se >> rver-Cert >> > cert-pki-ca',token='NSS >> > > Certificate DB' CA: dogtag-ipa-renew-agent issuer: >> > CN=Certificate >> > > Authority,O=MGMT.CROSSCHX.COM >> > subject: >> > > CN=ipa12.mgmt.crosschx.com > m> >> > > > > >,O=MGMT.CROSSCHX.COM >> > >> > > expires: 2018-12-19 15:18:16 >> > UTC key >> > > usage: >> > > >> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher >> ment >> > > eku: id-kp-serverAuth,id-kp-clientA >> uth,id-kp-emailProtection >> > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >> > post-save >> > > command: /usr/libexec/ipa/certmonger/renew_ca_cert >> > "Server-Cert >> > > cert-pki-ca" track: yes auto-renew: yes Request ID >> > '20161229152115': >> > > status: MONITORING stuck: no key pair storage: >> > > >> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert >> ',token='NSS >> > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >> > certificate: >> > > >> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert >> ',token='NSS >> > > Certificate DB' CA: IPA issuer: CN=Certificate >> > > Authority,O=MGMT.CROSSCHX.COM >> > subject: >> > > CN=ipa12.mgmt.crosschx.com > m> >> > > > > >,O=MGMT.CROSSCHX.COM >> > >> > > expires: 2018-12-30 15:14:54 >> > UTC key >> > > usage: >> > > >> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher >> ment >> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: >> > post-save >> > > command: /usr/libexec/ipa/certmonger/restart_httpd >> track: yes >> 
>> > > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
>> > > 614.427.2411
>> > > mike.plemmons at crosschx.com
>> > > www.crosschx.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From amrivkin at gmail.com Sat May 6 13:43:29 2017
From: amrivkin at gmail.com (Markovich)
Date: Sat, 6 May 2017 16:43:29 +0300
Subject: [Freeipa-users] Ploblem with default user group
Message-ID:

Hello everyone!
We are unable to delete ipausers group: The default users group cannot be removed
But we can rename it!
After this, if u'd like to add new user u are going to get:
{
    "error": {
        "code": 4001,
        "data": {
            "reason": "no such entry"
        },
        "message": "no such entry",
        "name": "NotFound"
    },
    "id": null,
    "principal": "admin at XXXX,
    "result": null,
    "version": "4.4.0"
}

How can I delete or fully rename ipausers group?

Regards,
Andrey
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From simo at redhat.com Sun May 7 09:46:14 2017
From: simo at redhat.com (Simo Sorce)
Date: Sun, 07 May 2017 05:46:14 -0400
Subject: [Freeipa-users] Ploblem with default user group
In-Reply-To:
References:
Message-ID: <1494150374.8926.63.camel@redhat.com>

On Sat, 2017-05-06 at 16:43 +0300, Markovich wrote:
> Hello everyone!
> We are unable to delete ipausers group: The default users group
> cannot be removed
> But we can rename it!
> After this, if u'd like to add new user u are going to get:
> {
>     "error": {
>         "code": 4001,
>         "data": {
>             "reason": "no such entry"
>         },
>         "message": "no such entry",
>         "name": "NotFound"
>     },
>     "id": null,
>     "principal": "admin at XXXX,
>     "result": null,
>     "version": "4.4.0"
> }
>
> How can I delete or fully rename ipausers group?

New IPA users are put by default in a users group, you should be able to
change the "default user group" in the global ipa configuration if you
want to rename the ipausers to a different name.

In the WebUI this setting is under IPA Server -> Configuration

You can also use the CLI, ipa config-show will show the current value,
ipa config-mod will allow you to change it.

HTH,
Simo.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jameslast29 at gmail.com Sun May 7 18:16:00 2017
From: jameslast29 at gmail.com (Johan Vermeulen)
Date: Sun, 7 May 2017 20:16:00 +0200
Subject: [Freeipa-users] Openwrt-Freeradius-FreeIPA
Message-ID:

Hello All,

I have sent the same mail a few days ago, but I think it ended up in spam...........

We have FreeIPA running on Centos7

[root at freeipa03 ~]# cat /etc/*release
CentOS Linux release 7.2.1511 (Core)

Not fully updated but that is planned.
[root at freeipa03 ~]# yum list installed | grep ipa
ipa-admintools.x86_64        4.2.0-15.0.1.el7.centos.19   @updates
ipa-client.x86_64            4.2.0-15.0.1.el7.centos.19   @updates
ipa-python.x86_64            4.2.0-15.0.1.el7.centos.19   @updates
ipa-server.x86_64            4.2.0-15.0.1.el7.centos.19   @updates
ipa-server-dns.x86_64        4.2.0-15.0.1.el7.centos.19   @updates
libipa_hbac.x86_64           1.13.0-40.el7_2.12           @updates
python-iniparse.noarch       0.4-9.el7                    @anaconda
python-libipa_hbac.x86_64    1.13.0-40.el7_2.12           @updates
sssd-ipa.x86_64              1.13.0-40.el7_2.12           @updates

We are using FreeIPA to authenticate laptops/users, that works great.
Thank you for making that possible!

Now I bought some Linksys access points and installed Openwrt on them.

Next I'm following the second part of this wiki:

https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7

starting from : install, configure and test RADIUS server as a frontend to IPA.

That works great, up to the point where I can do the radtest:

[root at freeipa03 ~]# radtest test password123 192.168.250.12 1812 testing1234
Sending Access-Request Id 26 from 0.0.0.0:44889 to 192.168.250.12:1812
        User-Name = 'test'
        User-Password = 'password123'
        NAS-IP-Address = 192.168.250.12
        NAS-Port = 1812
        Message-Authenticator = 0x00
Received Access-Accept Id 26 from 192.168.250.12:1812 to 192.168.250.12:44889 length 20

where user test is in freeipa and 192.168.250.12 is the vpn address of the ipa server.

My question now is: is it possible to have users connect with the Linksys/Openwrt access point using username/password from FreeIPA?

So far I'm not getting past

EM: Error: Ignoring request to auth address * port 1812 as server default from unknown client 10.10.20.117 port 55421 proto udp

where 10.10.20.117 is the Openwrt access point.

I added the access point to /etc/radddb/client.conf in a number of ways, but nothing changes.

Now I'm thinking, because Freeradius now reads from FreeIPA, it doesn't recognize the access point.
Thanks for any advice.

greetings, J.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From pfuller at 3sitracking.com Mon May 8 16:59:20 2017
From: pfuller at 3sitracking.com (Pete Fuller)
Date: Mon, 8 May 2017 12:59:20 -0400
Subject: [Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error
Message-ID:

I ran the 4.4 upgrade yesterday on a group of Centos7 servers that are IPA replicas for my North American datacenters. All seem to have the same issue that I am now unable to connect to the web UI, with the following error in the browser...

Bad Request

Your browser sent a request that this server could not understand.

Additionally, a 400 Bad Request error was encountered while trying to use an ErrorDocument to handle the request.

The maddening thing is I can't find any reference in the apache logs to what is generating the error and why a direct request to the UI would error.

As far as I can tell IPA is otherwise working. Logins seem to work, sudo rules are working, DNS is working.

[root at lb3 httpd]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING

I can see one file in the httpd/conf.d directory that was changed - nss.conf. I attempted reverting and that did not work.

Has anyone run upon this error?

Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Mon May 8 17:20:07 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 8 May 2017 13:20:07 -0400
Subject: [Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error
In-Reply-To:
References:
Message-ID:

Pete Fuller wrote:
> I ran the 4.4 upgrade yesterday on a group of Centos7 servers that are
> IPA replicas for my North American datacenters.
> All seem to have the
> same issue that I am now unable to connect to the web UI, with the
> following error in the browser...
>
>
> Bad Request
>
> Your browser sent a request that this server could not understand.
>
> Additionally, a 400 Bad Request error was encountered while trying to
> use an ErrorDocument to handle the request.
>
>
>
> The maddening thing is I can't find any reference in the apache logs to
> what is generating the error and why a direct request to the UI would
> error.
>
> As far as I can tell IPA is otherwise working. Logins seem to work,
> sudo rules are working, DNS is working.
>
> [root at lb3 httpd]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> ntpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
>
> I can see one file in the httpd/conf.d directory that was changed -
> nss.conf. I attempted reverting and that did not work.
>
> Has anyone run upon this error?

Does the ipa command-line tool work?

What are you seeing in the Apache error log?

rob

From perq at me.com Mon May 8 17:24:41 2017
From: perq at me.com (Per Qvindesland)
Date: Mon, 08 May 2017 18:24:41 +0100
Subject: [Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error
In-Reply-To:
References:
Message-ID: <7900BE24-5D03-4E29-9DB6-11F582062E67@me.com>

Tried with another browser? 400 normally means an issue with cookies or cache.
Sent from my Commodore 64

> On 8 May 2017, at 17:59, Pete Fuller wrote:
>
> an

From pfuller at 3sitracking.com Mon May 8 17:36:59 2017
From: pfuller at 3sitracking.com (Pete Fuller)
Date: Mon, 8 May 2017 13:36:59 -0400
Subject: [Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error
In-Reply-To: <7900BE24-5D03-4E29-9DB6-11F582062E67@me.com>
References: <7900BE24-5D03-4E29-9DB6-11F582062E67@me.com>
Message-ID:

That was my first thought too. Tried with different browsers, in incognito, etc.

> On May 8, 2017, at 1:24 PM, Per Qvindesland wrote:
>
> Tried with another browser? 400 normally means an issue with cookies or cache.
>
> Sent from my Commodore 64
>
>> On 8 May 2017, at 17:59, Pete Fuller wrote:
>>
>> an

From rcritten at redhat.com Mon May 8 17:43:53 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 8 May 2017 13:43:53 -0400
Subject: [Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error
In-Reply-To: <97438A53-D4C3-45E3-88FB-5756B9DE65B0@3sitracking.com>
References: <97438A53-D4C3-45E3-88FB-5756B9DE65B0@3sitracking.com>
Message-ID:

Pete Fuller wrote:
> IPA command line seems to work. Have been able to use ipa user-find
> and ipa cert-find. Can also sudo and kinit from other machines as IPA user.
>
> Another clue here, looks like even when querying with the ipa cli tools,
> I'm getting 400 errors in the access logs. The top one is obviously a
> browser request. The next 4 were following a cli call to ipa user-find.
> That request does respond back with users, so not sure what is failing
> there. The 192.168.0.95 IP is the local ip of the IPA server itself.
>
> 192.168.51.20 - - [08/May/2017:10:31:46 -0700] "GET / HTTP/1.1" 400 347
> "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0)
> Gecko/20100101 Firefox/53.0"
> 192.168.0.95 - - [08/May/2017:10:32:40 -0700] "POST /ipa/json HTTP/1.1"
> 400 347
> 192.168.0.95 - - [08/May/2017:10:32:43 -0700] "POST /ipa/json HTTP/1.1"
> 400 347
> 192.168.0.95 - - [08/May/2017:10:33:01 -0700] "POST /ipa/json HTTP/1.1"
> 400 347
> 192.168.0.95 - - [08/May/2017:10:33:10 -0700] "POST /ipa/json HTTP/1.1"
> 400 347

Note that client activity (login, sudo, etc) does not go through Apache.
Only the IPA API does (so web UI and cli).

Still need to see the error log.

rob

>
>
>> On May 8, 2017, at 1:20 PM, Rob Crittenden wrote:
>>
>> Pete Fuller wrote:
>>> I ran the 4.4 upgrade yesterday on a group of Centos7 servers that are
>>> IPA replicas for my North American datacenters. All seem to have the
>>> same issue that I am now unable to connect to the web UI, with the
>>> following error in the browser...
>>>
>>>
>>> Bad Request
>>>
>>> Your browser sent a request that this server could not understand.
>>>
>>> Additionally, a 400 Bad Request error was encountered while trying to
>>> use an ErrorDocument to handle the request.
>>>
>>>
>>>
>>> The maddening thing is I can't find any reference in the apache logs to
>>> what is generating the error and why a direct request to the UI would
>>> error.
>>>
>>> As far as I can tell IPA is otherwise working. Logins seem to work,
>>> sudo rules are working, DNS is working.
>>>
>>> [root at lb3 httpd]# ipactl status
>>> Directory Service: RUNNING
>>> krb5kdc Service: RUNNING
>>> kadmin Service: RUNNING
>>> named Service: RUNNING
>>> ipa_memcached Service: RUNNING
>>> httpd Service: RUNNING
>>> ipa-custodia Service: RUNNING
>>> ntpd Service: RUNNING
>>> pki-tomcatd Service: RUNNING
>>> ipa-otpd Service: RUNNING
>>> ipa-dnskeysyncd Service: RUNNING
>>>
>>> I can see one file in the httpd/conf.d directory that was changed -
>>> nss.conf.
>>> I attempted reverting and that did not work.
>>>
>>> Has anyone run upon this error?
>>
>> Does the ipa command-line tool work?
>>
>> What are you seeing in the Apache error log?
>>
>> rob
>

From pfuller at 3sitracking.com Mon May 8 17:49:28 2017
From: pfuller at 3sitracking.com (Pete Fuller)
Date: Mon, 8 May 2017 13:49:28 -0400
Subject: [Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error
In-Reply-To:
References: <97438A53-D4C3-45E3-88FB-5756B9DE65B0@3sitracking.com>
Message-ID:

http error log has nothing. This is with http restart and a failed request for web ui. The request has no error. Is there a different log that I am overlooking that might have more information?

[Mon May 08 10:46:14.842162 2017] [:warn] [pid 25471] NSSSessionCacheTimeout is deprecated. Ignoring.
[Mon May 08 10:46:15.136803 2017] [auth_digest:notice] [pid 25471] AH01757: generating secret for digest authentication ...
[Mon May 08 10:46:15.137403 2017] [lbmethod_heartbeat:notice] [pid 25471] AH02282: No slotmem from mod_heartmonitor
[Mon May 08 10:46:15.137422 2017] [:warn] [pid 25471] NSSSessionCacheTimeout is deprecated. Ignoring.
[Mon May 08 10:46:15.145343 2017] [mpm_prefork:notice] [pid 25471] AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
[Mon May 08 10:46:15.145378 2017] [core:notice] [pid 25471] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon May 08 10:46:18.234880 2017] [:error] [pid 25476] ipa: INFO: *** PROCESS START ***
[Mon May 08 10:46:18.431700 2017] [:error] [pid 25475] ipa: INFO: *** PROCESS START **

> On May 8, 2017, at 1:43 PM, Rob Crittenden wrote:
>
> Pete Fuller wrote:
>> IPA command line seems to work. Have been able to use ipa user-find
>> and ipa cert-find. Can also sudo and kinit from other machines as IPA user.
>>
>> Another clue here, looks like even when querying with the ipa cli tools,
>> I'm getting 400 errors in the access logs. The top one is obviously a
>> browser request. The next 4 were following a cli call to ipa user-find.
>> That request does respond back with users, so not sure what is failing
>> there. The 192.168.0.95 IP is the local ip of the IPA server itself.
>>
>> 192.168.51.20 - - [08/May/2017:10:31:46 -0700] "GET / HTTP/1.1" 400 347
>> "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0)
>> Gecko/20100101 Firefox/53.0"
>> 192.168.0.95 - - [08/May/2017:10:32:40 -0700] "POST /ipa/json HTTP/1.1"
>> 400 347
>> 192.168.0.95 - - [08/May/2017:10:32:43 -0700] "POST /ipa/json HTTP/1.1"
>> 400 347
>> 192.168.0.95 - - [08/May/2017:10:33:01 -0700] "POST /ipa/json HTTP/1.1"
>> 400 347
>> 192.168.0.95 - - [08/May/2017:10:33:10 -0700] "POST /ipa/json HTTP/1.1"
>> 400 347
>
> Note that client activity (login, sudo, etc) does not go through Apache.
> Only the IPA API does (so web UI and cli).
>
> Still need to see the error log.
>
> rob
>
>>
>>
>>> On May 8, 2017, at 1:20 PM, Rob Crittenden wrote:
>>>
>>> Pete Fuller wrote:
>>>> I ran the 4.4 upgrade yesterday on a group of Centos7 servers that are
>>>> IPA replicas for my North American datacenters. All seem to have the
>>>> same issue that I am now unable to connect to the web UI, with the
>>>> following error in the browser...
>>>>
>>>>
>>>> Bad Request
>>>>
>>>> Your browser sent a request that this server could not understand.
>>>>
>>>> Additionally, a 400 Bad Request error was encountered while trying to
>>>> use an ErrorDocument to handle the request.
>>>>
>>>>
>>>>
>>>> The maddening thing is I can't find any reference in the apache logs to
>>>> what is generating the error and why a direct request to the UI would
>>>> error.
>>>>
>>>> As far as I can tell IPA is otherwise working. Logins seem to work,
>>>> sudo rules are working, DNS is working.
>>>>
>>>> [root at lb3 httpd]# ipactl status
>>>> Directory Service: RUNNING
>>>> krb5kdc Service: RUNNING
>>>> kadmin Service: RUNNING
>>>> named Service: RUNNING
>>>> ipa_memcached Service: RUNNING
>>>> httpd Service: RUNNING
>>>> ipa-custodia Service: RUNNING
>>>> ntpd Service: RUNNING
>>>> pki-tomcatd Service: RUNNING
>>>> ipa-otpd Service: RUNNING
>>>> ipa-dnskeysyncd Service: RUNNING
>>>>
>>>> I can see one file in the httpd/conf.d directory that was changed -
>>>> nss.conf. I attempted reverting and that did not work.
>>>>
>>>> Has anyone run upon this error?
>>>
>>> Does the ipa command-line tool work?
>>>
>>> What are you seeing in the Apache error log?
>>>
>>> rob
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rcritten at redhat.com Mon May 8 17:57:42 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 8 May 2017 13:57:42 -0400
Subject: [Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error
In-Reply-To:
References: <97438A53-D4C3-45E3-88FB-5756B9DE65B0@3sitracking.com>
Message-ID: <69c6556f-72d3-0d1a-0a46-ea25475364ad@redhat.com>

Pete Fuller wrote:
> http error log has nothing. This is with http restart and a failed
> request for web ui. The request has no error. Is there a different log
> that I am overlooking that might have more information?

No.

Create /etc/ipa/server.conf with these contents:

[global]
debug = True

Restart Apache.

Try with a browser and see what gets logged, if anything.

I'd also try with the cli to compare. With the client you can add -vvv
to get a lot more client-side logging:

ipa -vvv user-show admin

rob

>
>
> [Mon May 08 10:46:14.842162 2017] [:warn] [pid 25471]
> NSSSessionCacheTimeout is deprecated. Ignoring.
> [Mon May 08 10:46:15.136803 2017] [auth_digest:notice] [pid 25471]
> AH01757: generating secret for digest authentication ...
> [Mon May 08 10:46:15.137403 2017] [lbmethod_heartbeat:notice] [pid
> 25471] AH02282: No slotmem from mod_heartmonitor
> [Mon May 08 10:46:15.137422 2017] [:warn] [pid 25471]
> NSSSessionCacheTimeout is deprecated. Ignoring.
> [Mon May 08 10:46:15.145343 2017] [mpm_prefork:notice] [pid 25471]
> AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4
> mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured
> -- resuming normal operations
> [Mon May 08 10:46:15.145378 2017] [core:notice] [pid 25471] AH00094:
> Command line: '/usr/sbin/httpd -D FOREGROUND'
> [Mon May 08 10:46:18.234880 2017] [:error] [pid 25476] ipa: INFO: ***
> PROCESS START ***
> [Mon May 08 10:46:18.431700 2017] [:error] [pid 25475] ipa: INFO: ***
> PROCESS START **
>
>
>
>> On May 8, 2017, at 1:43 PM, Rob Crittenden wrote:
>>
>> Pete Fuller wrote:
>>> IPA command line seems to work. Have been able to use ipa user-find
>>> and ipa cert-find. Can also sudo and kinit from other machines as
>>> IPA user.
>>>
>>> Another clue here, looks like even when querying with the ipa cli tools,
>>> I'm getting 400 errors in the access logs. The top one is obviously a
>>> browser request. The next 4 were following a cli call to ipa user-find.
>>> That request does respond back with users, so not sure what is failing
>>> there. The 192.168.0.95 IP is the local ip of the IPA server itself.
>>>
>>> 192.168.51.20 - - [08/May/2017:10:31:46 -0700] "GET / HTTP/1.1" 400 347
>>> "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0)
>>> Gecko/20100101 Firefox/53.0"
>>> 192.168.0.95 - - [08/May/2017:10:32:40 -0700] "POST /ipa/json HTTP/1.1"
>>> 400 347
>>> 192.168.0.95 - - [08/May/2017:10:32:43 -0700] "POST /ipa/json HTTP/1.1"
>>> 400 347
>>> 192.168.0.95 - - [08/May/2017:10:33:01 -0700] "POST /ipa/json HTTP/1.1"
>>> 400 347
>>> 192.168.0.95 - - [08/May/2017:10:33:10 -0700] "POST /ipa/json HTTP/1.1"
>>> 400 347
>>
>> Note that client activity (login, sudo, etc) does not go through Apache.
>> Only the IPA API does (so web UI and cli).
>>
>> Still need to see the error log.
>>
>> rob
>>
>>>
>>>
>>>> On May 8, 2017, at 1:20 PM, Rob Crittenden wrote:
>>>>
>>>> Pete Fuller wrote:
>>>>> I ran the 4.4 upgrade yesterday on a group of Centos7 servers that are
>>>>> IPA replicas for my North American datacenters. All seem to have the
>>>>> same issue that I am now unable to connect to the web UI, with the
>>>>> following error in the browser...
>>>>>
>>>>>
>>>>> Bad Request
>>>>>
>>>>> Your browser sent a request that this server could not understand.
>>>>>
>>>>> Additionally, a 400 Bad Request error was encountered while trying to
>>>>> use an ErrorDocument to handle the request.
>>>>>
>>>>>
>>>>>
>>>>> The maddening thing is I can't find any reference in the apache logs to
>>>>> what is generating the error and why a direct request to the UI would
>>>>> error.
>>>>>
>>>>> As far as I can tell IPA is otherwise working. Logins seem to work,
>>>>> sudo rules are working, DNS is working.
>>>>>
>>>>> [root at lb3 httpd]# ipactl status
>>>>> Directory Service: RUNNING
>>>>> krb5kdc Service: RUNNING
>>>>> kadmin Service: RUNNING
>>>>> named Service: RUNNING
>>>>> ipa_memcached Service: RUNNING
>>>>> httpd Service: RUNNING
>>>>> ipa-custodia Service: RUNNING
>>>>> ntpd Service: RUNNING
>>>>> pki-tomcatd Service: RUNNING
>>>>> ipa-otpd Service: RUNNING
>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>
>>>>> I can see one file in the httpd/conf.d directory that was changed -
>>>>> nss.conf. I attempted reverting and that did not work.
>>>>>
>>>>> Has anyone run upon this error?
>>>>
>>>> Does the ipa command-line tool work?
>>>>
>>>> What are you seeing in the Apache error log?
>>>>
>>>> rob
>

From pfuller at 3sitracking.com Mon May 8 18:16:07 2017
From: pfuller at 3sitracking.com (Pete Fuller)
Date: Mon, 8 May 2017 14:16:07 -0400
Subject: [Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error
In-Reply-To: <69c6556f-72d3-0d1a-0a46-ea25475364ad@redhat.com>
References: <97438A53-D4C3-45E3-88FB-5756B9DE65B0@3sitracking.com> <69c6556f-72d3-0d1a-0a46-ea25475364ad@redhat.com>
Message-ID:

From the cli - it looks like the answers I'm getting are actually coming from one of my non-upgraded servers. The window for those servers is later tonight. The request gets denied on the localhost it seems. (Lb3 is the local server.
Ipa11 is offsite server that has not been upgraded)

[pfuller at lb3 ~]$ ipa -vvv user-show admin
ipa: INFO: trying https://lb3.sac.3si/ipa/json
ipa: INFO: Request: {
    "id": 0,
    "method": "ping",
    "params": [
        [],
        {}
    ]
}
send: u'POST /ipa/json HTTP/1.1\r\nHost: lb3.sac.3si\r\nAccept-Encoding: gzip\r\nAccept-Language: en-us\r\nReferer: https://lb3.sac.3si/ipa/xml\r\nAuthorization: negotiate [token removed]\r\nUser-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type: application/json\r\nContent-Length: 47\r\n\r\n{"params": [[], {}], "method": "ping", "id": 0}'
reply: 'HTTP/1.1 400 Bad Request\r\n'
header: Date: Mon, 08 May 2017 18:04:19 GMT
header: Server: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5
header: Content-Length: 347
header: Connection: close
header: Content-Type: text/html; charset=iso-8859-1
ipa: INFO: trying https://ipa11.be.3si/ipa/json
ipa: INFO: Request: {
    "id": 0,
    "method": "ping",
    "params": [
        [],
        {}
    ]
}

Not seeing much in the http logs

> On May 8, 2017, at 1:57 PM, Rob Crittenden wrote:
>
> Pete Fuller wrote:
>> http error log has nothing. This is with http restart and a failed
>> request for web ui. The request has no error.
>> Is there a different log that I am overlooking that might have more information?
>
> No.
>
> Create /etc/ipa/server.conf with these contents:
>
> [global]
> debug = True
>
> Restart Apache.
>
> Try with a browser and see what gets logged, if anything.
>
> I'd also try with the cli to compare. With the client you can add -vvv
> to get a lot more client-side logging: ipa -vvv user-show admin
>
> rob
>
>>
>>
>> [Mon May 08 10:46:14.842162 2017] [:warn] [pid 25471] NSSSessionCacheTimeout is deprecated. Ignoring.
>> [Mon May 08 10:46:15.136803 2017] [auth_digest:notice] [pid 25471] AH01757: generating secret for digest authentication ...
>> [Mon May 08 10:46:15.137403 2017] [lbmethod_heartbeat:notice] [pid 25471] AH02282: No slotmem from mod_heartmonitor
>> [Mon May 08 10:46:15.137422 2017] [:warn] [pid 25471] NSSSessionCacheTimeout is deprecated. Ignoring.
>> [Mon May 08 10:46:15.145343 2017] [mpm_prefork:notice] [pid 25471] AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
>> [Mon May 08 10:46:15.145378 2017] [core:notice] [pid 25471] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
>> [Mon May 08 10:46:18.234880 2017] [:error] [pid 25476] ipa: INFO: *** PROCESS START ***
>> [Mon May 08 10:46:18.431700 2017] [:error] [pid 25475] ipa: INFO: *** PROCESS START **
>>
>>
>>
>>> On May 8, 2017, at 1:43 PM, Rob Crittenden wrote:
>>>
>>> Pete Fuller wrote:
>>>> IPA command line seems to work. Have been able to use ipa user-find
>>>> and ipa cert-find. Can also sudo and kinit from other machines as
>>>> IPA user.
>>>>
>>>> Another clue here, looks like even when querying with the ipa cli tools,
>>>> I'm getting 400 errors in the access logs. The top one is obviously a
>>>> browser request. The next 4 were following a cli call to ipa user-find.
>>>> That request does respond back with users, so not sure what is failing
>>>> there. The 192.168.0.95 IP is the local ip of the IPA server itself.
>>>>
>>>> 192.168.51.20 - - [08/May/2017:10:31:46 -0700] "GET / HTTP/1.1" 400 347 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0) Gecko/20100101 Firefox/53.0"
>>>> 192.168.0.95 - - [08/May/2017:10:32:40 -0700] "POST /ipa/json HTTP/1.1" 400 347
>>>> 192.168.0.95 - - [08/May/2017:10:32:43 -0700] "POST /ipa/json HTTP/1.1" 400 347
>>>> 192.168.0.95 - - [08/May/2017:10:33:01 -0700] "POST /ipa/json HTTP/1.1" 400 347
>>>> 192.168.0.95 - - [08/May/2017:10:33:10 -0700] "POST /ipa/json HTTP/1.1" 400 347
>>>
>>> Note that client activity (login, sudo, etc) does not go through Apache.
>>> Only the IPA API does (so web UI and cli).
>>>
>>> Still need to see the error log.
>>>
>>> rob
>>>
>>>>
>>>>
>>>>> On May 8, 2017, at 1:20 PM, Rob Crittenden wrote:
>>>>>
>>>>> Pete Fuller wrote:
>>>>>> I ran the 4.4 upgrade yesterday on a group of Centos7 servers that are
>>>>>> IPA replicas for my North American datacenters. All seem to have the
>>>>>> same issue that I am now unable to connect to the web UI, with the
>>>>>> following error in the browser?
>>>>>>
>>>>>>
>>>>>> Bad Request
>>>>>>
>>>>>> Your browser sent a request that this server could not understand.
>>>>>>
>>>>>> Additionally, a 400 Bad Request error was encountered while trying to
>>>>>> use an ErrorDocument to handle the request.
>>>>>>
>>>>>>
>>>>>>
>>>>>> The maddening thing is I can't find any reference in the apache logs to
>>>>>> what is generating the error and why a direct request to the UI would
>>>>>> error.
>>>>>>
>>>>>> As far as I can tell IPA is otherwise working. Logins seem to work,
>>>>>> sudo rules are working, DNS is working.
>>>>>>
>>>>>> [root at lb3 httpd]# ipactl status
>>>>>> Directory Service: RUNNING
>>>>>> krb5kdc Service: RUNNING
>>>>>> kadmin Service: RUNNING
>>>>>> named Service: RUNNING
>>>>>> ipa_memcached Service: RUNNING
>>>>>> httpd Service: RUNNING
>>>>>> ipa-custodia Service: RUNNING
>>>>>> ntpd Service: RUNNING
>>>>>> pki-tomcatd Service: RUNNING
>>>>>> ipa-otpd Service: RUNNING
>>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>>
>>>>>> I can see one file in the httpd/conf.d directory that was changed -
>>>>>> nss.conf. I attempted reverting and that did not work.
>>>>>>
>>>>>> Has anyone run upon this error?
>>>>>
>>>>> Does the ipa command-line tool work?
>>>>>
>>>>> What are you seeing in the Apache error log?
>>>>>
>>>>> rob

From schogan at us.ibm.com Mon May 8 19:31:20 2017
From: schogan at us.ibm.com (Sean Hogan)
Date: Mon, 8 May 2017 12:31:20 -0700
Subject: [Freeipa-users] qradar UBA to IPA
Message-ID:

Hello IPA,

I am trying to set up User Behavioral analytics from Qradar to IPA. Having some issues with it after we got 389 and 636 open between the nets.

Qradar Console is not in IPA and on differ net although we do have comms on 389 and 636 now
ipa-server-3.0.0-50.el6.1.x86_64

I set up an account in IPA with no HBACS or anything and just gave it a IPA role to read data which we use in the below config.
Getting
[image]

URL I have them using ldaps://IPofIPAserver.example.com
BaseDN dc=example,dc=local
filter users,cn=accounts,$Suffix
attributes are left default
username is the user i made in ipa
pw is the pw I made in ipa

[image]

Has anyone attempted this or have any sample configs to play with or see anything I am doing incorrect?

Sean Hogan

From michael.plemmons at crosschx.com Mon May 8 20:20:00 2017
From: michael.plemmons at crosschx.com (Michael Plemmons)
Date: Mon, 8 May 2017 16:20:00 -0400
Subject: [Freeipa-users] qradar UBA to IPA
In-Reply-To:
References:
Message-ID:

From the server running Qradar can you ping the IPA server? Are you able to telnet to port 389 or 636 of the IPA server. The error says it can't contact the LDAP server which usually means you have not gotten to the point of authentication yet.

*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614.427.2411
mike.plemmons at crosschx.com
www.crosschx.com

On Mon, May 8, 2017 at 3:31 PM, Sean Hogan wrote:

> Hello IPA,
>
> I am trying to set up User Behavioral analytics from Qradar to IPA. Having
> some issues with it after we got 389 and 636 open between the nets.
> > Qradar Console is not in IPA and on differ net although we do have comms > on 389 and 636 now > ipa-server-3.0.0-50.el6.1.x86_64 > > > I set up an account in IPA with no HBACS or anything and just gave it a > IPA role to read data which we use in the below config. > Getting > [image: > file:///home/schogan/Documents/SametimeTranscripts/[multi-way]/20170508-100730%7BJUSTIN%20L.%20BAUMAN's%20group%20chat%7D/IMAGE$1CFC0CDDB6F2F123.jpg] > > URL I have them using ldaps://IPofIPAserver.example.com > BaseDN dc=example,dc=local > filter users,cn=accounts,$Suffix > attributes are left default > username is the user i made in ipa > pw is the pw I made in ipa > > > [image: > file:///home/schogan/Documents/SametimeTranscripts/[multi-way]/20170508-100730%7BJUSTIN%20L.%20BAUMAN's%20group%20chat%7D/IMAGE$1B778A1810D34E76.jpg] > > Has anyone attempted this or have any sample configs to play with or see > anything I am doing incorrect? > > > > > Sean Hogan > > > > > > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 15904322.jpg Type: image/jpeg Size: 2728 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 15172410.jpg Type: image/jpeg Size: 16331 bytes Desc: not available URL: From schogan at us.ibm.com Mon May 8 20:47:02 2017 From: schogan at us.ibm.com (Sean Hogan) Date: Mon, 8 May 2017 13:47:02 -0700 Subject: [Freeipa-users] qradar UBA to IPA In-Reply-To: References: Message-ID: Thanks Michael, Yes sir, the qradar box is able to hit the ipa server on 389 and 636 with success via telnet. 
Sean Hogan From: Michael Plemmons To: freeipa-users Date: 05/08/2017 01:21 PM Subject: Re: [Freeipa-users] qradar UBA to IPA Sent by: freeipa-users-bounces at redhat.com >From the server running Qradar can you ping the IPA server?? Are you able to telnet to port 389 or 636 of the IPA server.? The error says it can't contact the LDAP server which usually means you have not gotten to the point of authentication yet. Mike Plemmons | Senior DevOps Engineer | CROSSCHX 614.427.2411 mike.plemmons at crosschx.com www.crosschx.com On Mon, May 8, 2017 at 3:31 PM, Sean Hogan wrote: Hello IPA, I am trying to set up User Behavioral analytics from Qradar to IPA. Having some issues with it after we got 389 and 636 open between the nets. Qradar Console is not in IPA and on differ net although we do have comms on 389 and 636 now ipa-server-3.0.0-50.el6.1.x86_64 I set up an account in IPA with no HBACS or anything and just gave it a IPA role to read data which we use in the below config. Getting file:///home/schogan/Documents/SametimeTranscripts/[multi-way]/20170508-100730%7BJUSTIN%20L.%20BAUMAN's%20group%20chat%7D/IMAGE $1CFC0CDDB6F2F123.jpg URL I have them using ldaps://IPofIPAserver.example.com BaseDN dc=example,dc=local filter users,cn=accounts,$Suffix attributes are left default username is the user i made in ipa pw is the pw I made in ipa file:///home/schogan/Documents/SametimeTranscripts/[multi-way]/20170508-100730%7BJUSTIN%20L.%20BAUMAN's%20group%20chat%7D/IMAGE $1B778A1810D34E76.jpg Has anyone attempted this or have any sample configs to play with or see anything I am doing incorrect? 
Sean Hogan

From michael.plemmons at crosschx.com Mon May 8 20:52:22 2017
From: michael.plemmons at crosschx.com (Michael Plemmons)
Date: Mon, 8 May 2017 16:52:22 -0400
Subject: [Freeipa-users] qradar UBA to IPA
In-Reply-To:
References:
Message-ID:

Your listing of the filter seems incorrect unless that is a copy paste problem. You probably want cn=users,cn=accounts, $Suffix. The filter listed above shows user,cn=accounts,$Suffix. I am not familiar with Qradar but does it need just the uid of the user or does it need the full DN of the user?
*Mike Plemmons | Senior DevOps Engineer | CROSSCHX* 614.427.2411 mike.plemmons at crosschx.com www.crosschx.com On Mon, May 8, 2017 at 4:47 PM, Sean Hogan wrote: > Thanks Michael, > > Yes sir, the qradar box is able to hit the ipa server on 389 and 636 with > success via telnet. > > > > Sean Hogan > > > > > > > > [image: Inactive hide details for Michael Plemmons ---05/08/2017 01:21:17 > PM--->From the server running Qradar can you ping the IPA ser]Michael > Plemmons ---05/08/2017 01:21:17 PM--->From the server running Qradar can > you ping the IPA server? Are you able to telnet to port 389 or > > From: Michael Plemmons > To: freeipa-users > Date: 05/08/2017 01:21 PM > Subject: Re: [Freeipa-users] qradar UBA to IPA > Sent by: freeipa-users-bounces at redhat.com > ------------------------------ > > > > From the server running Qradar can you ping the IPA server? Are you able > to telnet to port 389 or 636 of the IPA server. The error says it can't > contact the LDAP server which usually means you have not gotten to the > point of authentication yet. > > > > > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX* > 614.427.2411 > *mike.plemmons at crosschx.com* > *www.crosschx.com* > > On Mon, May 8, 2017 at 3:31 PM, Sean Hogan <*schogan at us.ibm.com* > > wrote: > > Hello IPA, > > I am trying to set up User Behavioral analytics from Qradar to IPA. > Having some issues with it after we got 389 and 636 open between the nets. > > Qradar Console is not in IPA and on differ net although we do have > comms on 389 and 636 now > ipa-server-3.0.0-50.el6.1.x86_64 > > > I set up an account in IPA with no HBACS or anything and just gave it > a IPA role to read data which we use in the below config. 
> Getting > [image: > file:///home/schogan/Documents/SametimeTranscripts/[multi-way]/20170508-100730%7BJUSTIN%20L.%20BAUMAN's%20group%20chat%7D/IMAGE$1CFC0CDDB6F2F123.jpg] > > URL I have them using ldaps://*IPofIPAserver.example.com* > > BaseDN dc=example,dc=local > filter users,cn=accounts,$Suffix > attributes are left default > username is the user i made in ipa > pw is the pw I made in ipa > > > [image: > file:///home/schogan/Documents/SametimeTranscripts/[multi-way]/20170508-100730%7BJUSTIN%20L.%20BAUMAN's%20group%20chat%7D/IMAGE$1B778A1810D34E76.jpg] > > Has anyone attempted this or have any sample configs to play with or > see anything I am doing incorrect? > > > > > Sean Hogan > > > > > > > > -- > Manage your subscription for the Freeipa-users mailing list: > *https://www.redhat.com/mailman/listinfo/freeipa-users* > > Go to *http://freeipa.org* for more info on the > project > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 1C022296.jpg Type: image/jpeg Size: 2728 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: graycol.gif Type: image/gif Size: 105 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 1C340608.jpg Type: image/jpeg Size: 16331 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 1C741579.jpg Type: image/jpeg Size: 27085 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
From orion at cora.nwra.com Mon May 8 21:03:22 2017
From: orion at cora.nwra.com (Orion Poplawski)
Date: Mon, 8 May 2017 15:03:22 -0600
Subject: [Freeipa-users] Thank You!
Message-ID:

IPA/SSSD developers -

I'm writing to give everyone involved in the IPA and sssd projects a big "Thank You". I've been poking at IPA for a little over 4 years now, looking to migrate away from our 389ds LDAP configuration. There have been lots of hurdles to jump, bugs to fix, as well as a complete change of direction (from migrating users to moving to an AD trust). Along the way I have received a huge amount of assistance from a large group of incredibly helpful people, including (but not limited to) Jakub Hrozek, Lukas Slebodnik, Simo Sorce, Pavel Březina, Nalin Dahyabhai, Rob Crittenden. My apologies if I left anyone out.

I have two machines left to convert to IPA and can hardly believe sometimes that I've finally arrived at this point.

So, thanks again for everyone for their work on this incredibly complex and critical set of software.

- Orion

--
Orion Poplawski
Technical Manager 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion at nwra.com
Boulder, CO 80301 http://www.nwra.com

From prasun.gera at gmail.com Tue May 9 08:35:35 2017
From: prasun.gera at gmail.com (Prasun Gera)
Date: Tue, 9 May 2017 04:35:35 -0400
Subject: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts
In-Reply-To: <20150903071748.GM22106@redhat.com>
References: <20150624074920.GF11174@hendrix.redhat.com> <20150624083122.GG11174@hendrix.redhat.com> <558EA478.9040008@redhat.com> <20150903063228.GG18955@hendrix.redhat.com> <20150903071748.GM22106@redhat.com>
Message-ID:

Just writing to say that the automount scripts still seem to be quite broken in RHEL 7.3.
I did a couple of client installs recently, and ipa-client-automount --install completed successfully, but didn't add sss to /etc/nsswitch.conf. By now, I've got used to this pattern. So I look for the presence or absence of sss in nsswitch.conf after running any of these scripts, since that seems to be the most common issue. On Thu, Sep 3, 2015 at 3:17 AM, Alexander Bokovoy wrote: > On Wed, 02 Sep 2015, Prasun Gera wrote: > >> I have zero confidence in any of the install and uninstall scripts. And >> this is on RHEL systems. On unofficial ones like Ubuntu, things are even >> more broken. I really like freeipa, but so far even in a smallish lab >> environment, it has been a nightmare. I am really tempted to just go back >> to NIS. Does anyone have any ideas or proposals for making things more >> robust ? At the very least, I think that these sort of modifications to >> system files should only happen with package install/removal. Any changes >> that ipa's scripts do should be local to ipa's internal state. Better >> would >> be to have an internal ipa database sort of thing which keeps track of >> what >> the current state is so that even if a script dies, which has happened >> often, the next attempt reads the database and figures out what happened >> earlier. >> > File bugs with enough details. It is the only reliable way to fix any > issues where environments differ. Install/uninstall scripts work for > fresh installs in RHEL and Fedora because this is what is tested. If you > have repurposed machines from some other setups, things might differ and > only you know what is in your environment. > > That's not bad or good, that's just different -- the more different > environments we see, more robust code can be added. People are > infinitely more clever than computers when it comes to configuration > files' format mangling. 
> > I've seen multiple cases where a claim of 'ipa scripts broke my > configuration' was later retracted saying that puppet or other SCM run > afterwards did these changes. That just happen, if there are many > elephants dancing in the room, a careful coordination is always a good > idea. > > Coming back to your issues, please file bugs -- either upstream or > downstream, via distributions, whatever way is more suitable to you. > Contributing 'broken' config files would be good too. > > > -- > / Alexander Bokovoy > -------------- next part -------------- An HTML attachment was scrubbed... URL: From bret.wortman at damascusgrp.com Tue May 9 10:00:19 2017 From: bret.wortman at damascusgrp.com (Bret Wortman) Date: Tue, 9 May 2017 06:00:19 -0400 Subject: [Freeipa-users] Fwd: dirsrv not starting after unplanned outage In-Reply-To: References: Message-ID: <829f038f-c99d-0fb6-1ae1-99ab3f53e30c@damascusgrp.com> We had an unplanned power outage which may have affected one of our freeipa servers. When trying to start, it now errors out. # ipactl start Starting Directory Service Failed to start Directory Service: Command '/bin/systemctl start dirsrv at SPX-NET.service' returned non-zero exit status 1 # In /var/log/messages, there is a lengthy list of errors like this: 2017-05-09T09:25:40.178252+00:00 asipa ns-slapd: [09/May/2017:09:25:40.159091115 +0000] valueset_value_symtax_cmp: slapi_attr_bvalues2keys_sv failed for type attributetypes ending with: 2017-05-09T09:25:40.178438+00:00 asiopa ns-slapd: [09/May/2017:09:25:40:161987520 +0000] dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-DAMASCUSGRP.COM /schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - attribute type aci: Unknown attribute syntax OID "1.3.6.1.4.1.1466.115.121.1.15" 2017-05-09T09:25:40.178469+00:00 asipa ns-slapd: [09/May/2017:09:25:40.162014035 +0000] dse - Please edit the file to correct the reported problems and then restart the server. 
The entry in 00core.ldif was verified against the other servers and the file hasn't been altered or edited that I can see. Where else can I look? I've got two servers up, but I'd like to have all 3 operational. -- *Bret Wortman* Damascus Products ph/fax: 1-855-644-2783 Wrap Buddies InDemand at http://bwortman.us/2ieQN4t -------------- next part -------------- An HTML attachment was scrubbed... URL: From jameslast29 at gmail.com Tue May 9 10:36:51 2017 From: jameslast29 at gmail.com (Johan Vermeulen) Date: Tue, 9 May 2017 12:36:51 +0200 Subject: [Freeipa-users] Openwrt-Freeradius-FreeIPA In-Reply-To: References: Message-ID: Hello All, not trying to push for an answer here; but in reply to this post I got a lot of spam that I don't want my wife of kids to see. This is only my second post here so I'm just wondering if I'm ending up in spam because I'm getting this spam or if the question is just very far fetched. Greetings, J. 2017-05-07 20:16 GMT+02:00 Johan Vermeulen : > Hello All, > > I have sent the same mail a few days ago, but I think it ended up in > spam........... > > We have FreeIPA running on Centos7 > [root at freeipa03 ~]# cat /etc/*release > CentOS Linux release 7.2.1511 (Core) > > Not fully updated but that is planned. > > [root at freeipa03 ~]# yum list installed | grep ipa > ipa-admintools.x86_64 4.2.0-15.0.1.el7.centos.19 > @updates > ipa-client.x86_64 4.2.0-15.0.1.el7.centos.19 > @updates > ipa-python.x86_64 4.2.0-15.0.1.el7.centos.19 > @updates > ipa-server.x86_64 4.2.0-15.0.1.el7.centos.19 > @updates > ipa-server-dns.x86_64 4.2.0-15.0.1.el7.centos.19 > @updates > libipa_hbac.x86_64 1.13.0-40.el7_2.12 > @updates > python-iniparse.noarch 0.4-9.el7 > @anaconda > python-libipa_hbac.x86_64 1.13.0-40.el7_2.12 > @updates > sssd-ipa.x86_64 1.13.0-40.el7_2.12 > @updates > > We are using FreeIPA to authenticate laptops/users, that works great. > Thank you for making that possible! > > Now I bought some Linksys access points and installed Openwrt on them. 
> Next I'm following the second part of this wiki: > > https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as > _a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7 > > starting from : install, configure and test RADIUS server as a frontend to > IPA. > > That works great, up to the point where I can do the radtest: > > [root at freeipa03 ~]# radtest test password123 192.168.250.12 1812 > testing1234 > Sending Access-Request Id 26 from 0.0.0.0:44889 to 192.168.250.12:1812 > User-Name = 'test' > User-Password = 'password123' > NAS-IP-Address = 192.168.250.12 > NAS-Port = 1812 > Message-Authenticator = 0x00 > Received Access-Accept Id 26 from 192.168.250.12:1812 to > 192.168.250.12:44889 length 20 > > where user test is in freeipa and 192.168.250.12 is the vpn address of > the ipa server. > > My question now is: is it possible to have users connect with the > Linksys/Openwrt access point using username/password from FreeIPA? > So far I'm not getting past EM: > > Error: Ignoring request to auth address * port 1812 as server default from > unknown client 10.10.20.117 port 55421 proto udp > > where 10.10.20.117 is the Openwrt access point. > > I added the access point to /etc/radddb/client.conf in a number of ways, > but nothing changes. Now I'm thinking, because Freeradius now reads from > FreeIPA, > it doesn't recognize the access point. > > Thanks for any advise. > > greetings, J. > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From lkrispen at redhat.com Tue May 9 10:50:54 2017 From: lkrispen at redhat.com (Ludwig Krispenz) Date: Tue, 09 May 2017 12:50:54 +0200 Subject: [Freeipa-users] Fwd: dirsrv not starting after unplanned outage In-Reply-To: <829f038f-c99d-0fb6-1ae1-99ab3f53e30c@damascusgrp.com> References: <829f038f-c99d-0fb6-1ae1-99ab3f53e30c@damascusgrp.com> Message-ID: <59119F0E.4090501@redhat.com> looks like you lost your configuration files dse.ldif and its backup as well during the outage. 
could you check what you have in /etc/dirsrv/slapd-

you can try to copy one of the *dse.ldif* to dse.ldif and try to restart, but that file maybe up to date.

Ludwig

On 05/09/2017 12:00 PM, Bret Wortman wrote:
> We had an unplanned power outage which may have affected one of our
> freeipa servers. When trying to start, it now errors out.
>
> # ipactl start
> Starting Directory Service
> Failed to start Directory Service: Command '/bin/systemctl start
> dirsrv at SPX-NET.service' returned non-zero exit status 1
> #
>
> In /var/log/messages, there is a lengthy list of errors like this:
>
> 2017-05-09T09:25:40.178252+00:00 asipa ns-slapd:
> [09/May/2017:09:25:40.159091115 +0000] valueset_value_symtax_cmp:
> slapi_attr_bvalues2keys_sv failed for type attributetypes
>
> ending with:
>
> 2017-05-09T09:25:40.178438+00:00 asiopa ns-slapd:
> [09/May/2017:09:25:40:161987520 +0000] dse_read_one_file - The entry
> cn=schema in file /etc/dirsrv/slapd-DAMASCUSGRP.COM
> /schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid
> syntax) - attribute type aci: Unknown attribute syntax OID
> "1.3.6.1.4.1.1466.115.121.1.15"
> 2017-05-09T09:25:40.178469+00:00 asipa ns-slapd:
> [09/May/2017:09:25:40.162014035 +0000] dse - Please edit the file to
> correct the reported problems and then restart the server.
>
> The entry in 00core.ldif was verified against the other servers and
> the file hasn't been altered or edited that I can see.
>
> Where else can I look? I've got two servers up, but I'd like to have
> all 3 operational.
>
>
> --
> *Bret Wortman*
> Damascus Products
> ph/fax: 1-855-644-2783
> Wrap Buddies InDemand at http://bwortman.us/2ieQN4t
>
>

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
URL: From bret.wortman at damascusgrp.com Tue May 9 11:22:37 2017 From: bret.wortman at damascusgrp.com (Bret Wortman) Date: Tue, 9 May 2017 07:22:37 -0400 Subject: [Freeipa-users] Fwd: dirsrv not starting after unplanned outage In-Reply-To: <59119F0E.4090501@redhat.com> References: <829f038f-c99d-0fb6-1ae1-99ab3f53e30c@damascusgrp.com> <59119F0E.4090501@redhat.com> Message-ID: <4f949c28-009a-b291-867c-4f79fe26ad72@damascusgrp.com> That was it. Minor edits (nsslapd-localhost) and we're up and running. Thanks, Ludwig! On 05/09/2017 06:50 AM, Ludwig Krispenz wrote: > looks like you lost your configuration files dse.ldif and its backup > as well during the outage. > could you check what you have in /etc/dirsrv/slapd- > > you can try to copy one of the *dse.ldif* to dse.ldif and try to > restart, but that file maybe up to date. > > Ludwig > > On 05/09/2017 12:00 PM, Bret Wortman wrote: >> We had an unplanned power outage which may have affected one of our >> freeipa servers. When trying to start, it now errors out. 
>>
>> # ipactl start
>> Starting Directory Service
>> Failed to start Directory Service: Command '/bin/systemctl start
>> dirsrv at SPX-NET.service' returned non-zero exit status 1
>> #
>>
>> In /var/log/messages, there is a lengthy list of errors like this:
>>
>> 2017-05-09T09:25:40.178252+00:00 asipa ns-slapd:
>> [09/May/2017:09:25:40.159091115 +0000] valueset_value_symtax_cmp:
>> slapi_attr_bvalues2keys_sv failed for type attributetypes
>>
>> ending with:
>>
>> 2017-05-09T09:25:40.178438+00:00 asiopa ns-slapd:
>> [09/May/2017:09:25:40:161987520 +0000] dse_read_one_file - The entry
>> cn=schema in file /etc/dirsrv/slapd-DAMASCUSGRP.COM
>> /schema/00core.ldif (lineno: 1) is invalid, error code 21 (Invalid
>> syntax) - attribute type aci: Unknown attribute syntax OID
>> "1.3.6.1.4.1.1466.115.121.1.15"
>> 2017-05-09T09:25:40.178469+00:00 asipa ns-slapd:
>> [09/May/2017:09:25:40.162014035 +0000] dse - Please edit the file to
>> correct the reported problems and then restart the server.
>>
>> The entry in 00core.ldif was verified against the other servers and
>> the file hasn't been altered or edited that I can see.
>>
>> Where else can I look? I've got two servers up, but I'd like to have
>> all 3 operational.
>>
>>
>> --
>> *Bret Wortman*
>> Damascus Products
>> ph/fax: 1-855-644-2783
>> Wrap Buddies InDemand at http://bwortman.us/2ieQN4t
>>
>>
>
> --
> Red Hat GmbH,http://www.de.redhat.com/, Registered seat: Grasbrunn,
> Commercial register: Amtsgericht Muenchen, HRB 153243,
> Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
>
>
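The recovery step discussed in the dirsrv thread above (inspect the *dse.ldif* copies in the instance directory and copy a good one over dse.ldif), as an added example that is not part of any message in the thread and is not 389-ds or FreeIPA code. The instance directory is passed as an argument, and the "usable" test (non-empty and containing the cn=config entry) is a heuristic assumed for this example, not a full LDIF validation.

```shell
#!/bin/sh
# Added example (not from the thread): rank the *dse.ldif* copies in a 389-ds
# instance directory so the newest usable one can be chosen for recovery.

# dse_is_usable FILE: exit 0 if FILE is non-empty and has the cn=config entry.
# Heuristic assumed for this example; a truncated file after a power loss
# typically fails one of these two checks.
dse_is_usable() {
    [ -s "$1" ] && grep -qi '^dn:[[:space:]]*cn=config[[:space:]]*$' "$1"
}

# dse_candidates DIR: print usable copies (never the live dse.ldif itself),
# newest first by modification time, one path per line.
dse_candidates() {
    ls -t "$1"/*dse.ldif* 2>/dev/null | while IFS= read -r f; do
        if [ "$f" != "$1/dse.ldif" ] && dse_is_usable "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# dse_best DIR: print the newest usable copy; return 1 if there is none.
dse_best() {
    best=$(dse_candidates "$1" | head -n 1)
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# dse_report DIR: one status line per file, for review before copying anything.
dse_report() {
    for f in "$1"/*dse.ldif*; do
        [ -e "$f" ] || continue
        if dse_is_usable "$f"; then state=usable; else state=damaged; fi
        printf '%-8s %8s bytes  %s\n' "$state" "$(wc -c < "$f" | tr -d ' ')" "$f"
    done
}

# Run as a script with the instance directory as the only argument:
# print the report, then print (not execute) the suggested copy command.
if [ "$#" -eq 1 ] && [ -d "$1" ]; then
    dse_report "$1"
    if pick=$(dse_best "$1"); then
        echo "suggested, with the directory server stopped: cp -p '$pick' '$1/dse.ldif'"
    else
        echo "no usable copy found in $1" >&2
        exit 1
    fi
fi
```

The script only prints the copy command; as Bret notes, the restored file may still need minor edits before the server starts.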
URL: From rcritten at redhat.com Tue May 9 14:25:52 2017 From: rcritten at redhat.com (Rob Crittenden) Date: Tue, 9 May 2017 10:25:52 -0400 Subject: [Freeipa-users] sudo (sssd) hangs due to ipa install/uninstall scripts In-Reply-To: References: <20150624074920.GF11174@hendrix.redhat.com> <20150624083122.GG11174@hendrix.redhat.com> <558EA478.9040008@redhat.com> <20150903063228.GG18955@hendrix.redhat.com> <20150903071748.GM22106@redhat.com> Message-ID: Prasun Gera wrote: > Just writing to say that the automount scripts still seem to be quite > broken in RHEL 7.3. I did a couple of client installs recently, > and ipa-client-automount --install completed successfully, but didn't > add sss to /etc/nsswitch.conf. By now, I've got used to this pattern. So > I look for the presence or absence of sss in nsswitch.conf after running > any of these scripts, since that seems to be the most common issue. https://bugzilla.redhat.com/show_bug.cgi?id=1392540 rob > > On Thu, Sep 3, 2015 at 3:17 AM, Alexander Bokovoy > wrote: > > On Wed, 02 Sep 2015, Prasun Gera wrote: > > I have zero confidence in any of the install and uninstall > scripts. And > this is on RHEL systems. On unofficial ones like Ubuntu, things > are even > more broken. I really like freeipa, but so far even in a > smallish lab > environment, it has been a nightmare. I am really tempted to > just go back > to NIS. Does anyone have any ideas or proposals for making > things more > robust ? At the very least, I think that these sort of > modifications to > system files should only happen with package install/removal. > Any changes > that ipa's scripts do should be local to ipa's internal state. > Better would > be to have an internal ipa database sort of thing which keeps > track of what > the current state is so that even if a script dies, which has > happened > often, the next attempt reads the database and figures out what > happened > earlier. > > File bugs with enough details. 
It is the only reliable way to fix any
> issues where environments differ. Install/uninstall scripts work for
> fresh installs in RHEL and Fedora because this is what is tested. If you
> have repurposed machines from some other setups, things might differ and
> only you know what is in your environment.
>
> That's not bad or good, that's just different -- the more different
> environments we see, more robust code can be added. People are
> infinitely more clever than computers when it comes to configuration
> files' format mangling.
>
> I've seen multiple cases where a claim of 'ipa scripts broke my
> configuration' was later retracted saying that puppet or other SCM run
> afterwards did these changes. That just happen, if there are many
> elephants dancing in the room, a careful coordination is always a good
> idea.
>
> Coming back to your issues, please file bugs -- either upstream or
> downstream, via distributions, whatever way is more suitable to you.
> Contributing 'broken' config files would be good too.
>
>
> --
> / Alexander Bokovoy
>
>
>

From rcritten at redhat.com Tue May 9 18:18:03 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 9 May 2017 14:18:03 -0400
Subject: [Freeipa-users] Web UI unavailable after 4.4 upgrade - 400 error
In-Reply-To:
References: <97438A53-D4C3-45E3-88FB-5756B9DE65B0@3sitracking.com> <69c6556f-72d3-0d1a-0a46-ea25475364ad@redhat.com>
Message-ID: <0af0c6ff-832a-a0ef-c67c-9e13ed6ee5ab@redhat.com>

Pete Fuller wrote:
> From the cli - it looks like the answers I'm getting are actually coming
> from one of my non-upgraded servers. The window for those servers is
> later tonight. The request gets denied on the localhost it seems.
>
> (Lb3 is the local server. Ipa11 is offsite server that has not been
> upgraded)

It is getting a 400 from lb3 so falling back to ipa11.

I'm not sure why Apache is throwing the 400. It sure seems like it is failing before it gets to IPA though given that nothing is logged.
You can try setting LogLevel debug in /etc/httpd/conf.d/nss.conf and restarting to get additional debug logging out of Apache, that might provide some insight. Or you can diff the working and non-working ipa* conf files in /etc/httpd/conf.d. rob > > [pfuller at lb3 ~]$ ipa -vvv user-show admin > ipa: INFO: trying https://lb3.sac.3si/ipa/json > ipa: INFO: Request: { > "id": 0, > "method": "ping", > "params": [ > [], > {} > ] > } > send: u'POST /ipa/json HTTP/1.1\r\nHost: lb3.sac.3si\r\nAccept-Encoding: > gzip\r\nAccept-Language: en-us\r\nReferer: > https://lb3.sac.3si/ipa/xml\r\nAuthorization: negotiate > 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\r\nUser-Agent: > xmlrpclib.py/1.0.1 (by www.pythonware.com > )\r\nContent-Type: > application/json\r\nContent-Length: 47\r\n\r\n{"params": [[], {}], > "method": "ping", "id": 0}' > reply: 'HTTP/1.1 400 Bad Request\r\n' > header: Date: Mon, 08 May 2017 18:04:19 GMT > header: Server: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 > mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 > Python/2.7.5 > header: Content-Length: 347 > header: Connection: close > header: Content-Type: text/html; charset=iso-8859-1 > ipa: INFO: trying https://ipa11.be.3si/ipa/json > ipa: INFO: Request: { > "id": 0, > "method": "ping", > "params": [ > [], > {} > ] > } > > > > Not seeing much in the http logs > > [Mon May 08 10:59:12.855952 2017] [mpm_prefork:notice] [pid 25471] > AH00170: caught SIGWINCH, shutting down gracefully > [Mon May 08 10:59:14.776824 2017] [suexec:notice] [pid 26007] AH01232: > suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) > [Mon May 08 10:59:14.777094 2017] [:warn] [pid 26007] > NSSSessionCacheTimeout is deprecated. Ignoring. > [Mon May 08 10:59:15.044478 2017] [auth_digest:notice] [pid 26007] > AH01757: generating secret for digest authentication ... 
>
>> On May 8, 2017, at 1:57 PM, Rob Crittenden wrote:
>>
>> Pete Fuller wrote:
>>> http error log has nothing. This is with http restart and a failed
>>> request for web ui. The request has no error. Is there a different log
>>> that I am overlooking that might have more information?
>>
>> No.
>>
>> Create /etc/ipa/server.conf with these contents:
>>
>> [global]
>> debug = True
>>
>> Restart Apache.
>>
>> Try with a browser and see what gets logged, if anything.
>>
>> I'd also try with the cli to compare. With the client you can add -vvv
>> to get a lot more client-side logging: ipa -vvv user-show admin
>>
>> rob
>>
>>>
>>>
>>> [Mon May 08 10:46:14.842162 2017] [:warn] [pid 25471]
>>> NSSSessionCacheTimeout is deprecated. Ignoring.
>>> [Mon May 08 10:46:15.136803 2017] [auth_digest:notice] [pid 25471]
>>> AH01757: generating secret for digest authentication ...
>>> [Mon May 08 10:46:15.137403 2017] [lbmethod_heartbeat:notice] [pid
>>> 25471] AH02282: No slotmem from mod_heartmonitor
>>> [Mon May 08 10:46:15.137422 2017] [:warn] [pid 25471]
>>> NSSSessionCacheTimeout is deprecated. Ignoring.
>>> [Mon May 08 10:46:15.145343 2017] [mpm_prefork:notice] [pid 25471]
>>> AH00163: Apache/2.4.6 (CentOS) mod_auth_gssapi/1.4.0 mod_auth_kerb/5.4
>>> mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5 configured
>>> -- resuming normal operations
>>> [Mon May 08 10:46:15.145378 2017] [core:notice] [pid 25471] AH00094:
>>> Command line: '/usr/sbin/httpd -D FOREGROUND'
>>> [Mon May 08 10:46:18.234880 2017] [:error] [pid 25476] ipa: INFO: ***
>>> PROCESS START ***
>>> [Mon May 08 10:46:18.431700 2017] [:error] [pid 25475] ipa: INFO: ***
>>> PROCESS START **
>>>
>>>
>>>
>>>> On May 8, 2017, at 1:43 PM, Rob Crittenden wrote:
>>>>
>>>> Pete Fuller wrote:
>>>>> IPA command line seems to work. Have been able to use ipa user-find
>>>>> and ipa cert-find. Can also sudo and kinit from other machines as
>>>>> IPA user.
>>>>>
>>>>> Another clue here, looks like even when querying with the ipa cli
>>>>> tools,
>>>>> I'm getting 400 errors in the access logs. The top one is obviously a
>>>>> browser request. The next 4 were following a cli call to ipa
>>>>> user-find.
>>>>> That request does respond back with users, so not sure what is failing
>>>>> there. The 192.168.0.95 IP is the local ip of the IPA server itself.
>>>>>
>>>>> 192.168.51.20 - - [08/May/2017:10:31:46 -0700] "GET / HTTP/1.1" 400 347
>>>>> "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0)
>>>>> Gecko/20100101 Firefox/53.0"
>>>>> 192.168.0.95 - - [08/May/2017:10:32:40 -0700] "POST /ipa/json HTTP/1.1"
>>>>> 400 347
>>>>> 192.168.0.95 - - [08/May/2017:10:32:43 -0700] "POST /ipa/json HTTP/1.1"
>>>>> 400 347
>>>>> 192.168.0.95 - - [08/May/2017:10:33:01 -0700] "POST /ipa/json HTTP/1.1"
>>>>> 400 347
>>>>> 192.168.0.95 - - [08/May/2017:10:33:10 -0700] "POST /ipa/json HTTP/1.1"
>>>>> 400 347
>>>>
>>>> Note that client activity (login, sudo, etc) does not go through Apache.
>>>> Only the IPA API does (so web UI and cli).
>>>>
>>>> Still need to see the error log.
>>>>
>>>> rob
>>>>
>>>>>
>>>>>
>>>>>> On May 8, 2017, at 1:20 PM, Rob Crittenden wrote:
>>>>>>
>>>>>> Pete Fuller wrote:
>>>>>>> I ran the 4.4 upgrade yesterday on a group of Centos7 servers
>>>>>>> that are
>>>>>>> IPA replicas for my North American datacenters. All seem to have the
>>>>>>> same issue that I am now unable to connect to the web UI, with the
>>>>>>> following error in the browser?
>>>>>>>
>>>>>>>
>>>>>>> Bad Request
>>>>>>>
>>>>>>> Your browser sent a request that this server could not understand.
>>>>>>>
>>>>>>> Additionally, a 400 Bad Request error was encountered while trying to
>>>>>>> use an ErrorDocument to handle the request.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> The maddening thing is I can't find any reference in the apache
>>>>>>> logs to
>>>>>>> what is generating the error and why a direct request to the UI would
>>>>>>> error.
>>>>>>>
>>>>>>> As far as I can tell IPA is otherwise working. Logins seem to work,
>>>>>>> sudo rules are working, DNS is working.
>>>>>>>
>>>>>>> [root at lb3 httpd]# ipactl status
>>>>>>> Directory Service: RUNNING
>>>>>>> krb5kdc Service: RUNNING
>>>>>>> kadmin Service: RUNNING
>>>>>>> named Service: RUNNING
>>>>>>> ipa_memcached Service: RUNNING
>>>>>>> httpd Service: RUNNING
>>>>>>> ipa-custodia Service: RUNNING
>>>>>>> ntpd Service: RUNNING
>>>>>>> pki-tomcatd Service: RUNNING
>>>>>>> ipa-otpd Service: RUNNING
>>>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>>>
>>>>>>> I can see one file in the httpd/conf.d directory that was changed -
>>>>>>> nss.conf. I attempted reverting and that did not work.
>>>>>>>
>>>>>>> Has anyone run upon this error?
>>>>>>
>>>>>> Does the ipa command-line tool work?
>>>>>>
>>>>>> What are you seeing in the Apache error log?
>>>>>>
>>>>>> rob
>

From jack.eidsness at zayo.com Tue May 9 20:45:06 2017
From: jack.eidsness at zayo.com (Jack Eidsness)
Date: Tue, 9 May 2017 16:45:06 -0400
Subject: [Freeipa-users] Clone URI does not match available subsystems ?
Message-ID:

I'm hoping to get a lead on this issue from a few months back - I work with John. Maybe a more narrow question will get us somewhere.

When ipa-ca-install is comparing the URI in the .gpg file to the "available subsystems", what does that mean? How do I know what the correct URLs for my "available subsystems" actually are? I reviewed the logs, and the site & port seem like they're probably right to me, unless they need a more specific path or something. Maybe it could be having trouble authenticating? I don't know why that would be.

Is it safe to decrypt the .gpg file, re-encrypt it, and try running it again, if I knew what edits to make, to the URI?

-Jack Eidsness

> ------------------------------
>
> - *From*: John Bowman
> - *To*: freeipa-users redhat com
> - *Subject*: [Freeipa-users] Clone URI does not match available
> subsystems ?
> - *Date*: Wed, 17 Aug 2016 10:41:38 -0500
>
> ------------------------------
> Howdy!
>
> Trying to figure out how to get past the error: Clone URI does not match
> available subsystems when running ipa-ca-install on new ipa server.
>
> A little background. We have 3 FreeIPA 3.0.0 servers running on RHEL
> 6.7. We just recently (within the last month) added a new FreeIPA 4.2
> server replica running on RHEL 7.2 at a new location which will hopefully
> be the start of replacing all the 3.0.0 instances.
>
> Unfortunately during the 4.2 install the --setup-ca was failing so we
> decided to install without it to make sure everything else worked. And it
> did everything seems to be replicating properly and all is good.
>
> Now it's time to add the ca replication to the new server but its failing
> with that error.
>
> Command output:
> # ipa-ca-install --skip-conncheck /var/lib/ipa/replica-info-new-
> server.example.com.gpg
> Directory Manager (existing master) password:
>
> Configuring certificate server (pki-tomcatd).
> Estimated time: 3 minutes 30
> seconds
> [1/22]: creating certificate server user
> [2/22]: configuring certificate server instance
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure
> CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp7cBK9P''
> returned non-zero exit status 1
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
> installation logs and the following files/directories for more information:
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki-ca-install.log
> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
> /var/log/pki/pki-tomcat
> [error] RuntimeError: CA configuration failed.
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> CA configuration failed.
>
>
> ipareplica-ca-install.log output:
> 2016-08-17T15:25:52Z DEBUG stdout=Log file: /var/log/pki/pki-ca-spawn.2016
> 0817092533.log
> Loading deployment configuration from /tmp/tmp7cBK9P.
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-
> tomcat/ca/deployment.cfg.
>
> Installation failed.
>
>
> 2016-08-17T15:25:52Z DEBUG stderr=/usr/lib/python2.7/site
> -packages/urllib3/connectionpool.py:769: InsecureRequestWarning:
> Unverified HTTPS request is being made. Adding certificate verification is
> strongly advised. See: https://urllib3.readthedo
> cs.org/en/latest/security.h
> tml
> InsecureRequestWarning)
> pkispawn : WARNING ....... unable to validate security domain
> user/password through REST interface. Interface not available
> pkispawn : ERROR ....... Exception from Java Configuration Servlet:
> 400 Client Error: Bad Request
> pkispawn : ERROR .......
> ParseError: not well-formed (invalid
> token): line 1, column 0: {"Attributes":{"Attribute":[]},"ClassName"
> :"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Clone
> URI does not match available subsystems: https://master.idm
> .example.com:443 "}
>
> 2016-08-17T15:25:52Z CRITICAL Failed to configure CA instance: Command
> ''/usr/sbin/pkispawn' '-s' 'CA' '-f' '/tmp/tmp7cBK9P'' returned n
> on-zero exit status 1
> 2016-08-17T15:25:52Z CRITICAL See the installation logs and the following
> files/directories for more information:
> 2016-08-17T15:25:52Z CRITICAL /var/log/pki-ca-install.log
> 2016-08-17T15:25:52Z CRITICAL /var/log/pki/pki-tomcat
> 2016-08-17T15:25:52Z DEBUG Traceback (most recent call last):
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 418, in start_creation
> run_step(full_msg, method)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 408, in run_step
> method()
> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 622, in __spawn_instance
> DogtagInstance.spawn_instance(self, cfg_file)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 201, in spawn_instance
> self.handle_setup_error(e)
> File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 465, in handle_setup_error
> raise RuntimeError("%s configuration failed." % self.subsystem)
> RuntimeError: CA configuration failed.
>
> 2016-08-17T15:25:52Z DEBUG [error] RuntimeError: CA configuration failed.
> 2016-08-17T15:25:52Z DEBUG File "/usr/lib/python2.7/site-packa
> ges/ipaserver/install/installutils.py", line 732, in run_script
> return_value = main_function()
>
> File "/sbin/ipa-ca-install", line 202, in main
> install_replica(safe_options, options, filename)
>
> File "/sbin/ipa-ca-install", line 150, in install_replica
> ca.install(True, config, options)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line
> 114, in install
> install_step_0(standalone, replica_config, options)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line
> 138, in install_step_0
> ra_p12=getattr(options, 'ra_p12', None))
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 1545, in install_replica_ca
> subject_base=config.subject_base)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 488, in configure_instance
> self.start_creation(runtime=210)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 418, in start_creation
> run_step(full_msg, method)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
> line 408, in run_step
> method()
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
> line 622, in __spawn_instance
> DogtagInstance.spawn_instance(self, cfg_file)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 201, in spawn_instance
> self.handle_setup_error(e)
>
> File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
> line 465, in handle_setup_error
> raise RuntimeError("%s configuration failed." % self.subsystem)
>
> 2016-08-17T15:25:52Z DEBUG The ipa-ca-install command failed, exception:
> RuntimeError: CA configuration failed.
>
>
> ****
>
> I've tried running the pkispawn command manually by using the
> deployment.cfg file but it gives the same error:
>
> # pkidestroy -s CA -i pki-tomcat
> Log file: /var/log/pki/pki-ca-destroy.20160817093402.log
> Loading deployment configuration from /var/lib/pki/pki-tomcat/ca/reg
> istry/ca/deployment.cfg.
> Uninstalling CA from /var/lib/pki/pki-tomcat.
> pkidestroy : WARNING ....... this 'CA' entry will NOT be deleted from
> security domain 'unknown'!
> pkidestroy : ERROR ....... No security domain defined.
> If this is an unconfigured instance, then that is OK.
> Otherwise, manually delete the entry from the security domain master.
>
> Uninstallation complete.
>
> # /usr/sbin/pkispawn -s CA -f /tmp/replica_file
> Log file: /var/log/pki/pki-ca-spawn.20160817093444.log
> Loading deployment configuration from /tmp/replica_file.
> /usr/lib/python2.7/site-packages/urllib3/connectionpool.py:769:
> InsecureRequestWarning: Unverified HTTPS request is being made. Adding
> certificate verification is strongly advised. See:
> https://urllib3.readthedocs.org/en/latest/security.html
> InsecureRequestWarning)
> pkispawn : WARNING ....... unable to validate security domain
> user/password through REST interface. Interface not available
> Installing CA into /var/lib/pki/pki-tomcat.
> Storing deployment configuration into /etc/sysconfig/pki/tomcat/pki-
> tomcat/ca/deployment.cfg.
> pkispawn : ERROR ....... Exception from Java Configuration Servlet:
> 400 Client Error: Bad Request
> pkispawn : ERROR ....... ParseError: not well-formed (invalid
> token): line 1, column 0: {"Attributes":{"Attribute":[]}
> ,"ClassName":"com.netscape.certsrv.base.BadRequestException","Code":400,"Message":"Clone
> URI does not match available subsystems: https://master.idm
> .example.com:443 "}
>
> Installation failed.
>
>
> Any ideas on how to proceed would be much appreciated!
>
> Thanks!
> -John
>

--
*Jack Eidsness*
*Developer, NOPSS | Zayo Group*
13861 Sunrise Valley Dr, Herndon, VA 20171
Cell: 301.706.3912 | jack.eidsness at zayo.com

From tuxderlinuxfuchs77 at gmail.com Tue May 9 21:12:13 2017
From: tuxderlinuxfuchs77 at gmail.com (tuxderlinuxfuchs77 at gmail.com)
Date: Tue, 9 May 2017 23:12:13 +0200
Subject: [Freeipa-users] Authenticate on GNOME display manager with freeipa
Message-ID: <2a46b93e-5068-3bc4-9209-f1245faa71a9@gmail.com>

Hello everyone,

I set up my freeIPA instance and it works very well for my client computers (Ubuntu Desktop 16.04.2 LTS), I can login via SSH using a freeIPA managed user account.

My own HBAC rule also works for that. I disabled the "allow all" rule and created my own one. Works fine for SSH.

But I cannot login to the GNOME 3 Desktop on the client. I used the netinstall ISO image of Ubuntu. During installation, I have chosen "Ubuntu GNOME Desktop" as the only desktop.

So my display manager is gdm3.

I added the "gdm" and "gdm-password" services to my HBAC rule. To be on the safe side, I rebooted the client machine. But I still can't login to the GNOME Desktop with an account that can login via SSH.

So the services in my rule are

login, gdm, gdm-password

If you need any logs or other information, I will provide them.

Thanks in advance!

From jason at tresgeek.net Tue May 9 22:11:30 2017
From: jason at tresgeek.net (Jason B. Nance)
Date: Tue, 9 May 2017 17:11:30 -0500 (CDT)
Subject: [Freeipa-users] Authenticate on GNOME display manager with freeipa
In-Reply-To: <2a46b93e-5068-3bc4-9209-f1245faa71a9@gmail.com>
References: <2a46b93e-5068-3bc4-9209-f1245faa71a9@gmail.com>
Message-ID: <172344132.4225.1494367890094.JavaMail.zimbra@tresgeek.net>

> But I cannot login to the GNOME 3 Desktop on the client. I used the
> netinstall ISO image of Ubuntu. During installation, I have chosen
> "Ubuntu GNOME Desktop" as the only desktop.
>
> So my display manager is gdm3.

It sounds as if GDM has its own PAM module that isn't configured to use SSSD. Check out /etc/pam.d/gdm or similar and see if it includes the "common-*" modules (and verify that they include the SSSD libraries in their stacks). You can compare it to the SSH module.

Regards,

j

From jason at tresgeek.net Wed May 10 02:32:59 2017
From: jason at tresgeek.net (Jason B. Nance)
Date: Tue, 9 May 2017 21:32:59 -0500 (CDT)
Subject: [Freeipa-users] Authenticate on GNOME display manager with freeipa
In-Reply-To: <2a46b93e-5068-3bc4-9209-f1245faa71a9@gmail.com>
References: <2a46b93e-5068-3bc4-9209-f1245faa71a9@gmail.com>
Message-ID: <944360055.5753.1494383578997.JavaMail.zimbra@tresgeek.net>

> I set up my freeIPA instance and it works very well for my client
> computers (Ubuntu Desktop 16.04.2 LTS), I can login via SSH using a
> freeIPA managed user account.
> But I cannot login to the GNOME 3 Desktop on the client. I used the
> netinstall ISO image of Ubuntu. During installation, I have chosen
> "Ubuntu GNOME Desktop" as the only desktop.
>
> So my display manager is gdm3.

Err, actually, I missed something here. You say you're running Ubuntu Desktop 16.04.2 LTS with Gnome 3 and GDM. However, that version/bundle ships with Unity and LightDM. I'm not saying it won't work but just trying to get clarity on your setup and letting you know you may be deviating from the "easy" path.

Regards,

j

From jason at tresgeek.net Wed May 10 15:40:58 2017
From: jason at tresgeek.net (Jason B. Nance)
Date: Wed, 10 May 2017 10:40:58 -0500 (CDT)
Subject: [Freeipa-users] Authenticate on GNOME display manager with freeipa
In-Reply-To:
References: <2a46b93e-5068-3bc4-9209-f1245faa71a9@gmail.com> <172344132.4225.1494367890094.JavaMail.zimbra@tresgeek.net> <34d86f3d-f8a1-809c-60d5-7ad6a4e3dfa1@gmail.com> <2017952226.5693.1494380425455.JavaMail.zimbra@tresgeek.net>
Message-ID: <1318335734.1156.1494430858406.JavaMail.zimbra@tresgeek.net>

Make sure you are using "reply-all" as your replies are falling off the mailing list and coming to me only.

> They do have some of these lines.

Assuming your common-* modules are setup correctly (which you can verify by looking at your ssh module and seeing if it uses common-* or if the sssd libraries are in there directly) at this point we'll need to go to logs. Tail your logs while attempting to do a GDM login and compare them to a tail when doing an SSH login.

j

> These are the contents:
>
>
> gdm-password:
>
> #%PAM-1.0
> auth requisite pam_nologin.so
> auth required pam_succeed_if.so user != root quiet_success
> @include common-auth
> auth optional pam_gnome_keyring.so
> @include common-account
> # SELinux needs to be the first session rule. This ensures that any
> # lingering context has been cleared. Without this it is possible
> # that a module could execute code in the wrong domain.
> session [success=ok ignore=ignore module_unknown=ignore
> default=bad] pam_selinux.so close
> session required pam_loginuid.so
> # SELinux needs to intervene at login time to ensure that the process
> # starts in the proper default security context. Only sessions which are
> # intended to run in the user's context should be run after this.
> session [success=ok ignore=ignore module_unknown=ignore
> default=bad] pam_selinux.so open
> session optional pam_keyinit.so force revoke
> session required pam_limits.so
> session required pam_env.so readenv=1
> session required pam_env.so readenv=1 user_readenv=1
> envfile=/etc/default/locale
> @include common-session
> session optional pam_gnome_keyring.so auto_start
> @include common-password
>
>
> gdm-autologin:
>
> #%PAM-1.0
> auth requisite pam_nologin.so
> auth required pam_succeed_if.so user != root quiet_success
> auth required pam_permit.so
> @include common-account
> # SELinux needs to be the first session rule. This ensures that any
> # lingering context has been cleared. Without this it is possible
> # that a module could execute code in the wrong domain.
> session [success=ok ignore=ignore module_unknown=ignore
> default=bad] pam_selinux.so close
> session required pam_loginuid.so
> # SELinux needs to intervene at login time to ensure that the process
> # starts in the proper default security context. Only sessions which are
> # intended to run in the user's context should be run after this.
> session [success=ok ignore=ignore module_unknown=ignore
> default=bad] pam_selinux.so open
> session optional pam_keyinit.so force revoke
> session required pam_limits.so
> session required pam_env.so readenv=1
> session required pam_env.so readenv=1 user_readenv=1
> envfile=/etc/default/locale
> @include common-session
> @include common-password
>
>
> gdm-launch-environment:
>
> #%PAM-1.0
> auth requisite pam_nologin.so
> auth required pam_permit.so
> @include common-account
> session optional pam_keyinit.so force revoke
> session required pam_limits.so
> session required pam_env.so readenv=1
> session required pam_env.so readenv=1 user_readenv=1
> envfile=/etc/default/locale
> @include common-session
> @include common-password
>
> Thanks already!
>
> On 10-May-17 3:40 AM, Jason B. Nance wrote:
>>> I have three files:
>>>
>>> /etc/pam.d/gdm-autologin
>>>
>>> /etc/pam.d/gdm-launch-environment
>>>
>>> /etc/pam.d/gdm-password
>>>
>>> They all have a line "@ include common-session"
>>>
>>> The common-session file has a line "session optional pam_sss.so"
>>>
>>> I don't really know what to compare to the SSH module (which I guess is
>>> the /etc/pam.d/sshd file)
>> Do they only have session lines and no auth, account, or password?
>>

From jason at deeplocal.com Wed May 10 16:38:43 2017
From: jason at deeplocal.com (Jason Sherrill)
Date: Wed, 10 May 2017 12:38:43 -0400
Subject: [Freeipa-users] DNS update failing
Message-ID:

Hello,

I've recently implemented freeIPA in a mixed environment of Mac OS 10.12 and Windows 10 with limited issues! One issue is that updating the reverse zone via nsupdate works without issue, updating to the forward zone results in a REFUSED status. Below is my zone config, named.conf, and an example of client-side behavior. I'm new to nearly all systems involved- misconfiguration is likely.

Thanks!

From freeIPA server:

# ipa dnszone-show int.dplcl.com --all
dn: idnsname=int.dplcl.com.,cn=dns,dc=int,dc=dplcl,dc=com
Zone name: int.dplcl.com.
Active zone: TRUE
Authoritative nameserver: ipa-1.int.dplcl.com.
Administrator e-mail address: hostmaster.int.dplcl.com.
SOA serial: 1494344164
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3600
BIND update policy: grant INT.DPLCL.COM krb5-self * A; grant INT.DPLCL.COM krb5-self * AAAA; grant INT.DPLCL.COM krb5-self * SSHFP;
Dynamic update: TRUE
Allow query: any;
Allow transfer: none;
Allow PTR sync: TRUE
Allow in-line DNSSEC signing: FALSE
nsrecord: ipa-1.int.dplcl.com.
objectclass: idnszone, top, idnsrecord, ipadnszone

/etc/named.conf from IPA server:

options {
    // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
    listen-on-v6 {any;};

    // Put files that named is allowed to write in the data/ directory:
    directory "/var/named"; // the default
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";

    // Any host is permitted to issue recursive queries
    allow-recursion { any; };

    tkey-gssapi-keytab "/etc/named.keytab";
    pid-file "/run/named/named.pid";

    dnssec-enable no;
    dnssec-validation no;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";
};

/* If you want to enable debugging, eg. using the 'rndc trace' command,
 * By default, SELinux policy does not allow named to modify the /var/named directory,
 * so put the default debug log file in data/ :
 */
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
        print-time yes;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-INT-DPLCL-COM.socket";
    arg "base cn=dns, dc=int,dc=dplcl,dc=com";
    arg "server_id ipa-1.int.dplcl.com";
    arg "auth_method sasl";
    arg "sasl_mech GSSAPI";
    arg "sasl_user DNS/ipa-1.int.dplcl.com";
    arg "serial_autoincrement yes";
};

From client macbook:

testbook3:etc jsherrill$ nsupdate
> debug
> update add testbook3.int.dplcl.com 86400 a 10.0.1.36
>
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3049
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;testbook3.int.dplcl.com. IN SOA

;; AUTHORITY SECTION:
int.dplcl.com. 0 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com. 1494425173 3600 900 1209600 3600

Found zone name: int.dplcl.com
The master is: ipa-1.int.dplcl.com
Sending update to 10.0.1.5#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 33167
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
;; UPDATE SECTION:
testbook3.int.dplcl.com. 86400 IN A 10.0.1.36

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 33167
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;int.dplcl.com. IN SOA

--
*Jason Sherrill*
Deeplocal Inc.
mobile: 412-636-2073
office: 412-362-0201

From bret.wortman at damascusgrp.com Wed May 10 17:59:54 2017
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Wed, 10 May 2017 13:59:54 -0400
Subject: [Freeipa-users] I think I lost my CA...
In-Reply-To:
References: <25b53b08-ede0-7627-4b31-d9cb7de50b38@damascusgrp.com> <2da4022b-408a-846e-1acf-1d1b576987a6@damascusgrp.com> <42070482-0397-f4c7-552d-6215b6140197@damascusgrp.com> <50a036fb-b118-878e-5983-85427aefb8e5@damascusgrp.com> <81f171a5-3bea-ed43-94a0-c20f53b756f0@damascusgrp.com> <28c6acf8-a76f-6676-729e-8608b2cc1249@redhat.com>
Message-ID: <13fe2534-77d9-8617-504d-c56baf869a62@damascusgrp.com>

The log slog continues but isn't turning up anything useful, or I'm looking in the wrong logs. Now getting twice-daily visits from users who need new SSL certs wondering when I'm going to be able to create them.

I'm happy to do the work to figure out what went wrong, I just don't grok these individual components at this level very well. When something goes wrong, it's not trivial to solve. Well, for me it isn't, anyway. ;-)

Bret

On 05/02/2017 10:50 AM, Bret Wortman wrote:
> I plowed through /var/log/pki/pki-tomcat/ca/debug, but nothing jumps
> out as looking like an error.
>
> The cert-show failure is troubling, but my inability to get CSRs
> turned into certs is what's actually driving this.
>
>
> Bret
>
>
> On 04/26/2017 06:02 PM, Rob Crittenden wrote:
>> Bret Wortman wrote:
>>> So I can see my certs using cert-find, but can't get details using
>>> cert-show or add new ones using cert-request.
>>>
>>> # ipa cert-find
>>> :
>>> ------------------------------
>>> Number of entries returned 385
>>> ------------------------------
>>> # ipa cert-show 895
>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>> communicate with CMS (503)
>>> # ipa cert-show 1 (which does not exist)
>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>> communicate with CMS (503)
>>> # ipa cert-status 895
>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>> communicate with CMS (503)
>>> #
>>>
>>> Is this an IPV6 thing? Because ipactl shows everything green and
>>> certmonger is running.
>> Doubtful.
>>
>> cert-find and cert-show use different APIs in dogtag. cert-find uses the
>> newer RESTful API and cert-show uses the older XML-based API (and is
>> authenticated). I'm guessing that is where the issue lies.
>>
>> What I'd recommend doing is noting the time, restarting the CA, and then
>> plow through the debug log looking for failures. It could be that the CA
>> is only partially up (and I'd check your CA subsystem certs as well).
>>
>> rob
>>
>>> Bret
>>>
>>>
>>> On 04/26/2017 09:03 AM, Bret Wortman wrote:
>>>> Digging still deeper:
>>>>
>>>> # ipa cert-request f.f
>>>> --principal=HTTP/`hostname`@DAMASCUSGRP.COM
>>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>> communicate with CMS (503)
>>>>
>>>> Looks like this is an HTTP error; so is it possible that my IPA thinks
>>>> it has a CA but there's no CMS available?
>>>>
>>>>
>>>> On 04/26/2017 08:41 AM, Bret Wortman wrote:
>>>>> Using the firefox debugger, I get these errors when trying to pop up
>>>>> the New Certificate dialog:
>>>>>
>>>>> Empty string passed to getElementById(). (5)
>>>>> jquery.js:4:1060
>>>>> TypeError: u is undefined
>>>>> app.js:1:362059
>>>>> Empty string passed to getElementById(). (5)
>>>>> jquery.js:4:1060
>>>>> TypeError: t is undefined
>>>>> app.js:1:217432
>>>>>
>>>>> I'm definitely not a web kind of guy so I'm not sure if this is
>>>>> helpful or not. This is on 4.4.0, API Version 2.213.
>>>>>
>>>>>
>>>>> Bret
>>>>>
>>>>>
>>>>> On 04/26/2017 08:35 AM, Bret Wortman wrote:
>>>>>> Good news. One of my servers _does_ have CA installed. So why does
>>>>>> "Action -> New Certificate" not do anything on this or any other
>>>>>> server?
>>>>>>
>>>>>>
>>>>>> Bret
>>>>>>
>>>>>>
>>>>>> On 04/25/2017 02:52 PM, Bret Wortman wrote:
>>>>>>> I recently had to upgrade all my Fedora IPA servers to C7. It went
>>>>>>> well, and we've been up and running nicely on 4.4.0 on C7 for the
>>>>>>> past month or so.
>>>>>>>
>>>>>>> Today, someone came and asked me to generate a new certificate for
>>>>>>> their web server. All was good until I went to the IPA UI and tried
>>>>>>> to perform Actions->New Certificate, which did nothing. I tried
>>>>>>> each of our 3 servers in turn. All came back with no popup window
>>>>>>> and no error, either.
>>>>>>>
>>>>>>> I suspect the problem might be that we no longer have a CA server
>>>>>>> due to the method I used to upgrade the servers. I likely missed a
>>>>>>> "--setup-ca" in there somewhere, so my rolling update rolled over
>>>>>>> the CA.
>>>>>>>
>>>>>>> What's my best hope of recovery? I never ran this before, so I'm
>>>>>>> not sure if this shows that I'm missing a CA or not:
>>>>>>>
>>>>>>> # ipa ca-find
>>>>>>> ------------
>>>>>>> 1 CA matched
>>>>>>> ------------
>>>>>>> Name: ipa
>>>>>>> Description IPA CA
>>>>>>> Authority ID: 3ce3346[...]
>>>>>>> Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM
>>>>>>> Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM
>>>>>>> ----------------------------
>>>>>>> Number of entries returned 1
>>>>>>> ----------------------------
>>>>>>> # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA,
>>>>>>> O=DAMASCUSGRP.COM"
>>>>>>> ipa: ERROR: Failed to authenticate to CA REST API
>>>>>>> # klist
>>>>>>> Ticket cache: KEYRING:persistent:0:0
>>>>>>> Default principal: admin at DAMASCUSGRP.COM
>>>>>>>
>>>>>>> Valid starting Expires Service principal
>>>>>>> 04/25/2017 18:48:26 04/26/2017 18:48:21
>>>>>>> krbtgt/DAMASCUSGRP.COM at DAMASCUSGRP.COM
>>>>>>> #
>>>>>>>
>>>>>>>
>>>>>>> What's my best path of recovery?
>>>>>>>
>>>>>>> --
>>>>>>> *Bret Wortman*
>>>>>>> The Damascus Group
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>

From michael.plemmons at crosschx.com Wed May 10 19:35:05 2017
From: michael.plemmons at crosschx.com (Michael Plemmons)
Date: Wed, 10 May 2017 15:35:05 -0400
Subject: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:
In-Reply-To:
References: <390a61fb-081b-fa93-da4c-3197b9f269be@redhat.com> <4f49e3b8-ac05-c49b-cfef-c9109d026d72@redhat.com>
Message-ID:

The PKI service came up successfully but only when it uses BasicAuth rather than SSL auth. I am not sure about what I need to do in order to get the auth working over SSL again.

None of the certs are expired when I run getcert list and ipa-getcert list. Since the failure is with attempts to login to LDAP over 636, I have been attempting to auth to LDAP via port 636 and the ldapsearch is not completing. When looking at packet captures, I see some of the TCP handshake and what appears to be the start of an SSL process and then everything hangs.

What is the proper method to test performing a ldapsearch over 636? Also, the CS.cfg shows it wants to auth as cn=Directory Manager. I can successfully auth with cn=Directory Manager over 389 but I think I am not performing ldapsearch over 636 correctly.

*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614.427.2411
mike.plemmons at crosschx.com
www.crosschx.com

On Fri, May 5, 2017 at 3:33 PM, Michael Plemmons <
michael.plemmons at crosschx.com> wrote:

> I think I found the email thread. Asking for help with crashed freeIPA
> instance. That email pointed to this link, https://www.redhat.com/a
> rchives/freeipa-users/2017-January/msg00215.html. That link talked about
> changing the CS.cfg file to use port 389 for PKI to auth to LDAP. I made
> the necessary changes and PKI came up successfully.
>
>
>
>
> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
> 614.427.2411
> mike.plemmons at crosschx.com
> www.crosschx.com
>
> On Fri, May 5, 2017 at 3:19 PM, Michael Plemmons <
> michael.plemmons at crosschx.com> wrote:
>
>>
>>
>>
>>
>>
>> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
>> 614.427.2411
>> mike.plemmons at crosschx.com
>> www.crosschx.com
>>
>> On Fri, May 5, 2017 at 3:15 PM, Rob Crittenden
>> wrote:
>>
>>> Michael Plemmons wrote:
>>> > I just realized that I sent the reply directly to Rob and not to the
>>> > list. My response is inline
>>>
>>> Ok, this is actually good news.
>>>
>>> I made a similar proposal in another case and I was completely wrong.
>>> Flo had the user do something and it totally fixed their auth error, I
>>> just can't remember what it was or find the e-mail thread. I'm pretty
>>> sure it was this calendar year though.
>>>
>>> rob
>>>
>>>
>> Do you or Flo know what I could search for in the past emails to find the
>> answer to the problem?
>>
>>
>>
>>> >
>>> >
>>> >
>>> > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX
>>> > *
>>> > 614.427.2411
>>> > mike.plemmons at crosschx.com
>>> > www.crosschx.com
>>> >
>>> > On Thu, May 4, 2017 at 9:39 AM, Michael Plemmons
>>> > >
>>> > wrote:
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX
>>> > *
>>> > 614.427.2411
>>> > mike.plemmons at crosschx.com
>>> > www.crosschx.com
>>> >
>>> > On Thu, May 4, 2017 at 9:24 AM, Rob Crittenden <
>>> rcritten at redhat.com
>>> > > wrote:
>>> >
>>> > Michael Plemmons wrote:
>>> > > I realized that I was not very clear in my statement about
>>> > testing with
>>> > > ldapsearch. I had initially run it without logging in with a
>>> > DN. I was
>>> > > just running the local ldapsearch -x command. I then tested
>>> on
>>> > > ipa12.mgmt and ipa11.mgmt logging in with a full DN for the
>>> > admin and
>>> > > "cn=Directory Manager" from ipa12.mgmt (broken server) and
>>> > ipa11.mgmt
>>> > > and both ldapsearch command succeeded.
>>> > >
>>> > > I ran the following from ipa12.mgmt and ipa11.mgmt as a non
>>> > root user.
>>> > > I also ran the command showing a line count for the output
>>> and
>>> > the line
>>> > > counts for each were the same when run from ipa12.mgmt and
>>> > ipa11.mgmt.
>>> > >
>>> > > ldapsearch -LLL -h ipa12.mgmt.crosschx.com
>>> >
>>> > > >> > > -D "DN" -w PASSWORD -b
>>> > > "cn=users,cn=accounts,dc=mgmt,dc=crosschx,dc=com" dn
>>> > >
>>> > > ldapsearch -LLL -h ipa12.mgmt.crosschx.com
>>> >
>>> > > >> > > -D "cn=directory manager" -w
>>> > PASSWORD dn
>>> >
>>> > The CA has its own suffix and replication agreements. Given
>>> the auth
>>> > error and recent (5 months) renewal of CA credentials I'd check
>>> > that the
>>> > CA agent authentication entries are correct.
>>> >
>>> > Against each master with a CA run:
>>> >
>>> > $ ldapsearch -LLL -x -D 'cn=directory manager' -W -b
>>> > uid=ipara,ou=people,o=ipaca description
>>> >
>>> > The format is 2;serial#,subject,issuer
>>> >
>>> > Then on each run:
>>> >
>>> > # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
>>> >
>>> > The serial # should match that in the description everywhere.
>>> >
>>> > rob
>>> >
>>> >
>>> >
>>> > On the CA (IPA13.MGMT) I ran the ldapsearch command and see that
>>> the
>>> > serial number is 7. I then ran the certutil command on all three
>>> > servers and the serial number is 7 as well.
>>> >
>>> >
>>> > I also ran the ldapsearch command against the other two servers and
>>> > they also showed a serial number of 7.
>>> >
>>> >
>>> >
>>> >
>>> > >
>>> > >
>>> > >
>>> > >
>>> > >
>>> > > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX
>>> > > *
>>> > > 614.427.2411
>>> > > mike.plemmons at crosschx.com >> .com>
>>> > >> > >
>>> > > www.crosschx.com
>>> >
>>> > >
>>> > > On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons
>>> > > >> >
>>> > >> > >>
>>> > > wrote:
>>> > >
>>> > > I have a three node IPA cluster.
>>> > >
>>> > > ipa11.mgmt - was a master over 6 months ago
>>> > > ipa13.mgmt - current master
>>> > > ipa12.mgmt
>>> > >
>>> > > ipa13 has agreements with ipa11 and ipa12. ipa11 and
>>> > ipa12 do not
>>> > > have agreements between each other.
>>> > >
>>> > > It appears that either ipa12.mgmt lost some level of its
>>> > replication
>>> > > agreement with ipa13. I saw some level because users /
>>> > hosts were
>>> > > replicated between all systems but we started seeing DNS
>>> > was not
>>> > > resolving properly from ipa12. I do not know when this
>>> > started.
>>> > >
>>> > > When looking at replication agreements on ipa12 I did not
>>> > see any
>>> > > agreement with ipa13.
>>> > >
>>> > > When I run ipa-replica-manage list all three hosts show
>>> > has master.
>>> > >
>>> > > When I run ipa-replica-manage ipa11.mgmt I see ipa13.mgmt
>>> > is a replica.
>>> > >
>>> > > When I run ipa-replica-manage ipa12.mgmt nothing
>>> returned.
>>> > >
>>> > > I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt
>>> > > ipa12.mgmt.crosschx.com
>>> > >> m>>
>>> > > ipa13.mgmt.crosschx.com
>>> > >> > > on ipa12.mgmt
>>> > >
>>> > > I then ran the following
>>> > >
>>> > > ipa-replica-manage force-sync --from
>>> > ipa13.mgmt.crosschx.com
>>> > > >> > >
>>> > >
>>> > > ipa-replica-manage re-initialize --from
>>> > ipa13.mgmt.crosschx.com
>>> > > >> > >
>>> > >
>>> > > I was still seeing bad DNS returns when dig'ing against
>>> > ipa12.mgmt.
>>> > > I was able to create user and DNS records and see the
>>> > information
>>> > > replicated properly across all three nodes.
>>> > >
>>> > > I then ran ipactl stop on ipa12.mgmt and then ipactl
>>> start on
>>> > > ipa12.mgmt because I wanted to make sure everything was
>>> > running
>>> > > fresh after the changes above. While IPA was starting up
>>> (DNS
>>> > > started) we were able to see valid DNS queries returned
>>> but
>>> > > pki-tomcat would not start.
>>> > >
>>> > > I am not sure what I need to do in order to get this
>>> > working. I
>>> > > have included the output of certutil and getcert below
>>> > from all
>>> > > three servers as well as the debug output for pki.
>>> > >
>>> > >
>>> > > While the IPA system is coming up I am able to
>>> > successfully run
>>> > > ldapsearch -x as the root user and see results. I am
>>> also
>>> > able to
>>> > > login with the "cn=Directory Manager" account and see
>>> results.
>>> > >
>>> > >
>>> > > The debug log shows the following error.
>>> > >
>>> > >
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> > > ============================================
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: =====
>>> DEBUG
>>> > > SUBSYSTEM INITIALIZED =======
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> > > ============================================
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> CMSEngine:
>>> > restart at
>>> > > autoShutdown? false
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> CMSEngine:
>>> > > autoShutdown crumb file path?
>>> > > /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> CMSEngine:
>>> > about to
>>> > > look for cert for auto-shutdown support:auditSigningCert
>>> > cert-pki-ca
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> CMSEngine:
>>> > found
>>> > > cert:auditSigningCert cert-pki-ca
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> CMSEngine:
>>> > done init
>>> > > id=debug
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> CMSEngine:
>>> > > initialized debug
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> CMSEngine:
>>> > > initSubsystem id=log
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> CMSEngine:
>>> > ready to
>>> > > init id=log
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating
>>> > >
>>> > RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/c
>>> a_audit)
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating
>>> > > RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating
>>> > > RollingLogFile(/var/lib/pki/p
>>> ki-tomcat/logs/ca/transactions)
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> CMSEngine:
>>> > restart at
>>> > > autoShutdown? false
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> CMSEngine:
>>> > > autoShutdown crumb file path?
>>> > > /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> CMSEngine:
>>> > about to
>>> > > look for cert for auto-shutdown support:auditSigningCert
>>> > cert-pki-ca
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> CMSEngine:
>>> > found
>>> > > cert:auditSigningCert cert-pki-ca
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> CMSEngine:
>>> > done init
>>> > > id=log
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> CMSEngine:
>>> > > initialized log
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> CMSEngine:
>>> > > initSubsystem id=jss
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> CMSEngine:
>>> > ready to
>>> > > init id=jss
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> CMSEngine:
>>> > restart at
>>> > > autoShutdown? false
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> CMSEngine:
>>> > > autoShutdown crumb file path?
>>> > > /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> CMSEngine:
>>> > about to
>>> > > look for cert for auto-shutdown support:auditSigningCert
>>> > cert-pki-ca
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> CMSEngine:
>>> > found
>>> > > cert:auditSigningCert cert-pki-ca
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> CMSEngine:
>>> > done init
>>> > > id=jss
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> CMSEngine:
>>> > > initialized jss
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> CMSEngine:
>>> > > initSubsystem id=dbs
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> CMSEngine:
>>> > ready to
>>> > > init id=dbs
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> > DBSubsystem: init()
>>> > > mEnableSerialMgmt=true
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating
>>> > > LdapBoundConnFactor(DBSubsystem)
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> > LdapBoundConnFactory:
>>> > > init
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> > > LdapBoundConnFactory:doCloning true
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> > LdapAuthInfo: init()
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> > LdapAuthInfo: init begins
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> > LdapAuthInfo: init ends
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: init:
>>> before
>>> > > makeConnection errorIfDown is true
>>> > > [03/May/2017:21:22:01][localhost-startStop-1]:
>>> makeConnection:
>>> > > errorIfDown true
>>> > > [03/May/2017:21:22:02][localhost-startStop-1]:
>>> > > SSLClientCertificateSelectionCB: Setting desired cert
>>> > nickname to:
>>> > > subsystemCert cert-pki-ca
>>> > > [03/May/2017:21:22:02][localhost-startStop-1]:
>>> > LdapJssSSLSocket: set
>>> > > client auth cert nickname subsystemCert cert-pki-ca
>>> > > [03/May/2017:21:22:02][localhost-startStop-1]:
>>> > > SSLClientCertificatSelectionCB: Entering!
>>> > > [03/May/2017:21:22:02][localhost-startStop-1]:
>>> > > SSLClientCertificateSelectionCB: returning: null
>>> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSL
>>> > handshake happened
>>> > > Could not connect to LDAP server host
>>> > ipa12.mgmt.crosschx.com
>>> > > >> > > port 636 Error
>>> > > netscape.ldap.LDAPException: Authentication failed (48)
>>> > > at
>>> > >
>>> > com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConne
>>> ction(LdapBoundConnFactory.java:205)
>>> > > at
>>> > >
>>> > com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(Ldap
>>> BoundConnFactory.java:166)
>>> > > at
>>> > >
>>> > com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(Ldap
>>> BoundConnFactory.java:130)
>>> > > at
>>> > com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:
>>> 654)
>>> > > at
>>> > >
>>> > com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.
>>> java:1169) >>> > > at >>> > > >>> > com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine >>> .java:1075) >>> > > at >>> > com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571) >>> > > at com.netscape.certsrv.apps.CMS.init(CMS.java:187) >>> > > at com.netscape.certsrv.apps.CMS.start(CMS.java:1616) >>> > > at >>> > > >>> > com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartS >>> ervlet.java:114) >>> > > at >>> > javax.servlet.GenericServlet.init(GenericServlet.java:158) >>> > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native >>> > Method) >>> > > at >>> > > >>> > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce >>> ssorImpl.java:62) >>> > > at >>> > > >>> > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe >>> thodAccessorImpl.java:43) >>> > > at java.lang.reflect.Method.invoke(Method.java:498) >>> > > at >>> > > >>> > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil >>> .java:288) >>> > > at >>> > > >>> > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil >>> .java:285) >>> > > at java.security.AccessController.doPrivileged(Native >>> > Method) >>> > > at javax.security.auth.Subject.do >>> > AsPrivileged(Subject >>> .java:549) >>> > > at >>> > > >>> > org.apache.catalina.security.SecurityUtil.execute(SecurityUt >>> il.java:320) >>> > > at >>> > > >>> > org.apache.catalina.security.SecurityUtil.doAsPrivilege(Secu >>> rityUtil.java:175) >>> > > at >>> > > >>> > org.apache.catalina.security.SecurityUtil.doAsPrivilege(Secu >>> rityUtil.java:124) >>> > > at >>> > > >>> > org.apache.catalina.core.StandardWrapper.initServlet(Standar >>> dWrapper.java:1270) >>> > > at >>> > > >>> > org.apache.catalina.core.StandardWrapper.loadServlet(Standar >>> dWrapper.java:1195) >>> > > at >>> > > >>> > org.apache.catalina.core.StandardWrapper.load(StandardWrappe >>> r.java:1085) >>> > > at >>> > > >>> > org.apache.catalina.core.StandardContext.loadOnStartup(Stand >>> ardContext.java:5318) >>> > > at >>> > > 
>>> > org.apache.catalina.core.StandardContext.startInternal(Stand >>> ardContext.java:5610) >>> > > at >>> > > >>> > org.apache.catalina.util.LifecycleBase.start(LifecycleBase.j >>> ava:147) >>> > > at >>> > > >>> > org.apache.catalina.core.ContainerBase.addChildInternal(Cont >>> ainerBase.java:899) >>> > > at >>> > > >>> > org.apache.catalina.core.ContainerBase.access$000(ContainerB >>> ase.java:133) >>> > > at >>> > > >>> > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.ru >>> n(ContainerBase.java:156) >>> > > at >>> > > >>> > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.ru >>> n(ContainerBase.java:145) >>> > > at java.security.AccessController.doPrivileged(Native >>> > Method) >>> > > at >>> > > >>> > org.apache.catalina.core.ContainerBase.addChild(ContainerBas >>> e.java:873) >>> > > at >>> > > >>> > org.apache.catalina.core.StandardHost.addChild(StandardHost. >>> java:652) >>> > > at >>> > > >>> > org.apache.catalina.startup.HostConfig.deployDescriptor(Host >>> Config.java:679) >>> > > at >>> > > >>> > org.apache.catalina.startup.HostConfig$DeployDescriptor.run( >>> HostConfig.java:1966) >>> > > at >>> > > >>> > java.util.concurrent.Executors$RunnableAdapter.call(Executor >>> s.java:511) >>> > > at java.util.concurrent.FutureTas >>> k.run(FutureTask.java:266) >>> > > at >>> > > >>> > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool >>> Executor.java:1142) >>> > > at >>> > > >>> > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo >>> lExecutor.java:617) >>> > > at java.lang.Thread.run(Thread.java:745) >>> > > Internal Database Error encountered: Could not connect >>> to LDAP >>> > > server host ipa12.mgmt.crosschx.com >>> > < >>> http://ipa12.mgmt.crosschx.com >>> > > >>> > > port 636 Error netscape.ldap.LDAPException: >>> Authentication >>> > failed (48) >>> > > at >>> > com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java: >>> 676) >>> > > at >>> > > >>> > 
com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine. >>> java:1169) >>> > > at >>> > > >>> > com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine >>> .java:1075) >>> > > at >>> > com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571) >>> > > at com.netscape.certsrv.apps.CMS.init(CMS.java:187) >>> > > at com.netscape.certsrv.apps.CMS.start(CMS.java:1616) >>> > > at >>> > > >>> > com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartS >>> ervlet.java:114) >>> > > at >>> > javax.servlet.GenericServlet.init(GenericServlet.java:158) >>> > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native >>> > Method) >>> > > at >>> > > >>> > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce >>> ssorImpl.java:62) >>> > > at >>> > > >>> > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe >>> thodAccessorImpl.java:43) >>> > > at java.lang.reflect.Method.invoke(Method.java:498) >>> > > at >>> > > >>> > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil >>> .java:288) >>> > > at >>> > > >>> > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil >>> .java:285) >>> > > at java.security.AccessController.doPrivileged(Native >>> > Method) >>> > > at javax.security.auth.Subject.do >>> > AsPrivileged(Subject >>> .java:549) >>> > > at >>> > > >>> > org.apache.catalina.security.SecurityUtil.execute(SecurityUt >>> il.java:320) >>> > > at >>> > > >>> > org.apache.catalina.security.SecurityUtil.doAsPrivilege(Secu >>> rityUtil.java:175) >>> > > at >>> > > >>> > org.apache.catalina.security.SecurityUtil.doAsPrivilege(Secu >>> rityUtil.java:124) >>> > > at >>> > > >>> > org.apache.catalina.core.StandardWrapper.initServlet(Standar >>> dWrapper.java:1270) >>> > > at >>> > > >>> > org.apache.catalina.core.StandardWrapper.loadServlet(Standar >>> dWrapper.java:1195) >>> > > at >>> > > >>> > org.apache.catalina.core.StandardWrapper.load(StandardWrappe >>> r.java:1085) >>> > > at >>> > > >>> > 
org.apache.catalina.core.StandardContext.loadOnStartup(Stand >>> ardContext.java:5318) >>> > > at >>> > > >>> > org.apache.catalina.core.StandardContext.startInternal(Stand >>> ardContext.java:5610) >>> > > at >>> > > >>> > org.apache.catalina.util.LifecycleBase.start(LifecycleBase.j >>> ava:147) >>> > > at >>> > > >>> > org.apache.catalina.core.ContainerBase.addChildInternal(Cont >>> ainerBase.java:899) >>> > > at >>> > > >>> > org.apache.catalina.core.ContainerBase.access$000(ContainerB >>> ase.java:133) >>> > > at >>> > > >>> > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.ru >>> n(ContainerBase.java:156) >>> > > at >>> > > >>> > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.ru >>> n(ContainerBase.java:145) >>> > > at java.security.AccessController.doPrivileged(Native >>> > Method) >>> > > at >>> > > >>> > org.apache.catalina.core.ContainerBase.addChild(ContainerBas >>> e.java:873) >>> > > at >>> > > >>> > org.apache.catalina.core.StandardHost.addChild(StandardHost. 
>>> java:652) >>> > > at >>> > > >>> > org.apache.catalina.startup.HostConfig.deployDescriptor(Host >>> Config.java:679) >>> > > at >>> > > >>> > org.apache.catalina.startup.HostConfig$DeployDescriptor.run( >>> HostConfig.java:1966) >>> > > at >>> > > >>> > java.util.concurrent.Executors$RunnableAdapter.call(Executor >>> s.java:511) >>> > > at java.util.concurrent.FutureTas >>> k.run(FutureTask.java:266) >>> > > at >>> > > >>> > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool >>> Executor.java:1142) >>> > > at >>> > > >>> > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo >>> lExecutor.java:617) >>> > > at java.lang.Thread.run(Thread.java:745) >>> > > [03/May/2017:21:22:02][localhost-startStop-1]: >>> > CMSEngine.shutdown() >>> > > >>> > > >>> > > ============================= >>> > > >>> > > >>> > > IPA11.MGMT >>> > > >>> > > (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCH >>> X-COM/ >>> > > Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI >>> > Server-Cert >>> > > u,u,u MGMT.CROSSCHX.COM >>> > IPA CA CT,C,C >>> > > (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/ >>> > Certificate >>> > > Nickname Trust Attributes SSL,S/MIME,JAR/XPI >>> caSigningCert >>> > > cert-pki-ca CTu,Cu,Cu auditSigningCert cert-pki-ca u,u,Pu >>> > > ocspSigningCert cert-pki-ca u,u,u subsystemCert >>> > cert-pki-ca u,u,u >>> > > Server-Cert cert-pki-ca u,u,u IPA13.MGMT (root)>certutil >>> -L -d >>> > > /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/ Certificate >>> Nickname >>> > Trust >>> > > Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u >>> > MGMT.CROSSCHX.COM >>> > > IPA CA CT,C,C >>> (root)>certutil -L -d >>> > > /var/lib/pki/pki-tomcat/alias/ Certificate Nickname >>> Trust >>> > Attributes >>> > > SSL,S/MIME,JAR/XPI caSigningCert cert-pki-ca CTu,Cu,Cu >>> > > auditSigningCert cert-pki-ca u,u,Pu ocspSigningCert >>> > cert-pki-ca >>> > > u,u,u subsystemCert cert-pki-ca u,u,u Server-Cert >>> > cert-pki-ca u,u,u >>> > > IPA12.MGMT (root)>certutil -L -d >>> 
> > /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/ Certificate >>> Nickname >>> > Trust >>> > > Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u >>> > MGMT.CROSSCHX.COM >>> > > IPA CA C,, (root)>certutil >>> -L -d >>> > > /var/lib/pki/pki-tomcat/alias/ Certificate Nickname >>> Trust >>> > Attributes >>> > > SSL,S/MIME,JAR/XPI caSigningCert cert-pki-ca CTu,Cu,Cu >>> > > auditSigningCert cert-pki-ca u,u,Pu ocspSigningCert >>> > cert-pki-ca >>> > > u,u,u subsystemCert cert-pki-ca u,u,u Server-Cert >>> > cert-pki-ca u,u,u >>> > > ================================================= >>> IPA11.MGMT >>> > > (root)>getcert list Number of certificates and requests >>> being >>> > > tracked: 8. Request ID '20161229155314': status: >>> > MONITORING stuck: >>> > > no key pair storage: >>> > > >>> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',ni >>> ckname='Server-Cert',token='NSS >>> > > Certificate >>> > > DB',pinfile='/etc/dirsrv/slap >>> d-MGMT-CROSSCHX-COM/pwdfile.txt' >>> > > certificate: >>> > > >>> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',ni >>> ckname='Server-Cert',token='NSS >>> > > Certificate DB' CA: IPA issuer: CN=Certificate >>> > > Authority,O=MGMT.CROSSCHX.COM >>> > subject: >>> > > CN=ipa11.mgmt.crosschx.com < >>> http://ipa11.mgmt.crosschx.com> >>> > > >> > >,O=MGMT.CROSSCHX.COM >>> > >>> > > expires: 2018-12-30 15:52:43 >>> > UTC key >>> > > usage: >>> > > >>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher >>> ment >>> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: >>> > post-save >>> > > command: /usr/libexec/ipa/certmonger/restart_dirsrv >>> > > MGMT-CROSSCHX-COM track: yes auto-renew: yes Request ID >>> > > '20161229155652': status: MONITORING stuck: no key pair >>> > storage: >>> > > >>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='au >>> ditSigningCert >>> > > cert-pki-ca',token='NSS Certificate DB',pin set >>> certificate: >>> > > >>> > 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='au >>> ditSigningCert >>> > > cert-pki-ca',token='NSS Certificate DB' CA: >>> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >>> > > Authority,O=MGMT.CROSSCHX.COM >>> > subject: >>> > > CN=CA Audit,O=MGMT.CROSSCHX.COM < >>> http://MGMT.CROSSCHX.COM> >>> > expires: >>> > > 2018-11-12 13:00:29 UTC key usage: >>> > digitalSignature,nonRepudiation >>> > > pre-save command: /usr/libexec/ipa/certmonger/st >>> op_pkicad >>> > post-save >>> > > command: /usr/libexec/ipa/certmonger/renew_ca_cert >>> > "auditSigningCert >>> > > cert-pki-ca" track: yes auto-renew: yes Request ID >>> > '20161229155654': >>> > > status: MONITORING stuck: no key pair storage: >>> > > >>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='oc >>> spSigningCert >>> > > cert-pki-ca',token='NSS Certificate DB',pin set >>> certificate: >>> > > >>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='oc >>> spSigningCert >>> > > cert-pki-ca',token='NSS Certificate DB' CA: >>> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >>> > > Authority,O=MGMT.CROSSCHX.COM >>> > subject: >>> > > CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM >>> > >>> > > expires: 2018-11-12 13:00:26 UTC key usage: >>> > > digitalSignature,nonRepudiation,keyCertSign,cRLSign eku: >>> > > id-kp-OCSPSigning pre-save command: >>> > > /usr/libexec/ipa/certmonger/stop_pkicad post-save >>> command: >>> > > /usr/libexec/ipa/certmonger/renew_ca_cert >>> "ocspSigningCert >>> > > cert-pki-ca" track: yes auto-renew: yes Request ID >>> > '20161229155655': >>> > > status: MONITORING stuck: no key pair storage: >>> > > >>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='su >>> bsystemCert >>> > > cert-pki-ca',token='NSS Certificate DB',pin set >>> certificate: >>> > > >>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='su >>> bsystemCert >>> > > cert-pki-ca',token='NSS Certificate DB' CA: >>> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >>> 
> > Authority,O=MGMT.CROSSCHX.COM >>> > subject: >>> > > CN=CA Subsystem,O=MGMT.CROSSCHX.COM >>> > >>> > > expires: 2018-11-12 13:00:28 UTC key usage: >>> > > >>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher >>> ment >>> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: >>> > > /usr/libexec/ipa/certmonger/stop_pkicad post-save >>> command: >>> > > /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert >>> > > cert-pki-ca" track: yes auto-renew: yes Request ID >>> > '20161229155657': >>> > > status: MONITORING stuck: no key pair storage: >>> > > >>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ca >>> SigningCert >>> > > cert-pki-ca',token='NSS Certificate DB',pin set >>> certificate: >>> > > >>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ca >>> SigningCert >>> > > cert-pki-ca',token='NSS Certificate DB' CA: >>> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >>> > > Authority,O=MGMT.CROSSCHX.COM >>> > subject: >>> > > CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>> > >>> > > expires: 2036-11-22 13:00:25 >>> > UTC key >>> > > usage: digitalSignature,nonRepudiatio >>> n,keyCertSign,cRLSign >>> > pre-save >>> > > command: /usr/libexec/ipa/certmonger/stop_pkicad >>> post-save >>> > command: >>> > > /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert >>> > > cert-pki-ca" track: yes auto-renew: yes Request ID >>> > '20161229155659': >>> > > status: MONITORING stuck: no key pair storage: >>> > > >>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Se >>> rver-Cert >>> > cert-pki-ca',token='NSS >>> > > Certificate DB',pin set certificate: >>> > > >>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Se >>> rver-Cert >>> > cert-pki-ca',token='NSS >>> > > Certificate DB' CA: dogtag-ipa-renew-agent issuer: >>> > CN=Certificate >>> > > Authority,O=MGMT.CROSSCHX.COM >>> > subject: >>> > > CN=ipa11.mgmt.crosschx.com < >>> http://ipa11.mgmt.crosschx.com> >>> > > >> > 
>,O=MGMT.CROSSCHX.COM >>> > >>> > > expires: 2018-12-19 15:56:20 >>> > UTC key >>> > > usage: >>> > > >>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher >>> ment >>> > > eku: id-kp-serverAuth,id-kp-clientA >>> uth,id-kp-emailProtection >>> > > pre-save command: /usr/libexec/ipa/certmonger/st >>> op_pkicad >>> > post-save >>> > > command: /usr/libexec/ipa/certmonger/renew_ca_cert >>> > "Server-Cert >>> > > cert-pki-ca" track: yes auto-renew: yes Request ID >>> > '20161229155921': >>> > > status: MONITORING stuck: no key pair storage: >>> > > >>> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert >>> ',token='NSS >>> > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>> > certificate: >>> > > >>> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert >>> ',token='NSS >>> > > Certificate DB' CA: IPA issuer: CN=Certificate >>> > > Authority,O=MGMT.CROSSCHX.COM >>> > subject: >>> > > CN=ipa11.mgmt.crosschx.com < >>> http://ipa11.mgmt.crosschx.com> >>> > > >> > >,O=MGMT.CROSSCHX.COM >>> > >>> > > expires: 2018-12-30 15:52:46 >>> > UTC key >>> > > usage: >>> > > >>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher >>> ment >>> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: >>> > post-save >>> > > command: /usr/libexec/ipa/certmonger/restart_httpd >>> track: yes >>> > > auto-renew: yes Request ID '20161229160009': status: >>> > MONITORING >>> > > stuck: no key pair storage: >>> > > >>> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',to >>> ken='NSS >>> > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>> > certificate: >>> > > >>> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',to >>> ken='NSS >>> > > Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: >>> > CN=Certificate >>> > > Authority,O=MGMT.CROSSCHX.COM >>> > subject: >>> > > CN=IPA RA,O=MGMT.CROSSCHX.COM >>> > expires: >>> > > 2018-11-12 13:01:34 UTC key usage: >>> > > >>> > 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipher >>> ment >>> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: >>> > > /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save >>> > command: >>> > > /usr/libexec/ipa/certmonger/renew_ra_cert track: yes >>> > auto-renew: yes >>> > > ================================== IPA13.MGMT >>> > (root)>getcert list >>> > > Number of certificates and requests being tracked: 8. >>> > Request ID >>> > > '20161229143449': status: MONITORING stuck: no key pair >>> > storage: >>> > > >>> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',ni >>> ckname='Server-Cert',token='NSS >>> > > Certificate >>> > > DB',pinfile='/etc/dirsrv/slap >>> d-MGMT-CROSSCHX-COM/pwdfile.txt' >>> > > certificate: >>> > > >>> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',ni >>> ckname='Server-Cert',token='NSS >>> > > Certificate DB' CA: IPA issuer: CN=Certificate >>> > > Authority,O=MGMT.CROSSCHX.COM >>> > subject: >>> > > CN=ipa13.mgmt.crosschx.com < >>> http://ipa13.mgmt.crosschx.com> >>> > > >> > >,O=MGMT.CROSSCHX.COM >>> > >>> > > expires: 2018-12-30 14:34:20 >>> > UTC key >>> > > usage: >>> > > >>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher >>> ment >>> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: >>> > post-save >>> > > command: /usr/libexec/ipa/certmonger/restart_dirsrv >>> > > MGMT-CROSSCHX-COM track: yes auto-renew: yes Request ID >>> > > '20161229143826': status: MONITORING stuck: no key pair >>> > storage: >>> > > >>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='au >>> ditSigningCert >>> > > cert-pki-ca',token='NSS Certificate DB',pin set >>> certificate: >>> > > >>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='au >>> ditSigningCert >>> > > cert-pki-ca',token='NSS Certificate DB' CA: >>> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >>> > > Authority,O=MGMT.CROSSCHX.COM >>> > subject: >>> > > CN=CA Audit,O=MGMT.CROSSCHX.COM < >>> 
http://MGMT.CROSSCHX.COM> >>> > expires: >>> > > 2018-11-12 13:00:29 UTC key usage: >>> > digitalSignature,nonRepudiation >>> > > pre-save command: /usr/libexec/ipa/certmonger/st >>> op_pkicad >>> > post-save >>> > > command: /usr/libexec/ipa/certmonger/renew_ca_cert >>> > "auditSigningCert >>> > > cert-pki-ca" track: yes auto-renew: yes Request ID >>> > '20161229143828': >>> > > status: MONITORING stuck: no key pair storage: >>> > > >>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='oc >>> spSigningCert >>> > > cert-pki-ca',token='NSS Certificate DB',pin set >>> certificate: >>> > > >>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='oc >>> spSigningCert >>> > > cert-pki-ca',token='NSS Certificate DB' CA: >>> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >>> > > Authority,O=MGMT.CROSSCHX.COM >>> > subject: >>> > > CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM >>> > >>> > > expires: 2018-11-12 13:00:26 UTC key usage: >>> > > digitalSignature,nonRepudiation,keyCertSign,cRLSign eku: >>> > > id-kp-OCSPSigning pre-save command: >>> > > /usr/libexec/ipa/certmonger/stop_pkicad post-save >>> command: >>> > > /usr/libexec/ipa/certmonger/renew_ca_cert >>> "ocspSigningCert >>> > > cert-pki-ca" track: yes auto-renew: yes Request ID >>> > '20161229143831': >>> > > status: MONITORING stuck: no key pair storage: >>> > > >>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='su >>> bsystemCert >>> > > cert-pki-ca',token='NSS Certificate DB',pin set >>> certificate: >>> > > >>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='su >>> bsystemCert >>> > > cert-pki-ca',token='NSS Certificate DB' CA: >>> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >>> > > Authority,O=MGMT.CROSSCHX.COM >>> > subject: >>> > > CN=CA Subsystem,O=MGMT.CROSSCHX.COM >>> > >>> > > expires: 2018-11-12 13:00:28 UTC key usage: >>> > > >>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher >>> ment >>> > > eku: id-kp-serverAuth,id-kp-clientAuth 
pre-save command: >>> > > /usr/libexec/ipa/certmonger/stop_pkicad post-save >>> command: >>> > > /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert >>> > > cert-pki-ca" track: yes auto-renew: yes Request ID >>> > '20161229143833': >>> > > status: MONITORING stuck: no key pair storage: >>> > > >>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ca >>> SigningCert >>> > > cert-pki-ca',token='NSS Certificate DB',pin set >>> certificate: >>> > > >>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ca >>> SigningCert >>> > > cert-pki-ca',token='NSS Certificate DB' CA: >>> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >>> > > Authority,O=MGMT.CROSSCHX.COM >>> > subject: >>> > > CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>> > >>> > > expires: 2036-11-22 13:00:25 >>> > UTC key >>> > > usage: digitalSignature,nonRepudiatio >>> n,keyCertSign,cRLSign >>> > pre-save >>> > > command: /usr/libexec/ipa/certmonger/stop_pkicad >>> post-save >>> > command: >>> > > /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert >>> > > cert-pki-ca" track: yes auto-renew: yes Request ID >>> > '20161229143835': >>> > > status: MONITORING stuck: no key pair storage: >>> > > >>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Se >>> rver-Cert >>> > cert-pki-ca',token='NSS >>> > > Certificate DB',pin set certificate: >>> > > >>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Se >>> rver-Cert >>> > cert-pki-ca',token='NSS >>> > > Certificate DB' CA: dogtag-ipa-renew-agent issuer: >>> > CN=Certificate >>> > > Authority,O=MGMT.CROSSCHX.COM >>> > subject: >>> > > CN=ipa13.mgmt.crosschx.com < >>> http://ipa13.mgmt.crosschx.com> >>> > > >> > >,O=MGMT.CROSSCHX.COM >>> > >>> > > expires: 2018-12-19 14:37:54 >>> > UTC key >>> > > usage: >>> > > >>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher >>> ment >>> > > eku: id-kp-serverAuth,id-kp-clientA >>> uth,id-kp-emailProtection >>> > > pre-save command: 
/usr/libexec/ipa/certmonger/st >>> op_pkicad >>> > post-save >>> > > command: /usr/libexec/ipa/certmonger/renew_ca_cert >>> > "Server-Cert >>> > > cert-pki-ca" track: yes auto-renew: yes Request ID >>> > '20161229144057': >>> > > status: MONITORING stuck: no key pair storage: >>> > > >>> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert >>> ',token='NSS >>> > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>> > certificate: >>> > > >>> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert >>> ',token='NSS >>> > > Certificate DB' CA: IPA issuer: CN=Certificate >>> > > Authority,O=MGMT.CROSSCHX.COM >>> > subject: >>> > > CN=ipa13.mgmt.crosschx.com < >>> http://ipa13.mgmt.crosschx.com> >>> > > >> > >,O=MGMT.CROSSCHX.COM >>> > >>> > > expires: 2018-12-30 14:34:23 >>> > UTC key >>> > > usage: >>> > > >>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher >>> ment >>> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: >>> > post-save >>> > > command: /usr/libexec/ipa/certmonger/restart_httpd >>> track: yes >>> > > auto-renew: yes Request ID '20161229144146': status: >>> > MONITORING >>> > > stuck: no key pair storage: >>> > > >>> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',to >>> ken='NSS >>> > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>> > certificate: >>> > > >>> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',to >>> ken='NSS >>> > > Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: >>> > CN=Certificate >>> > > Authority,O=MGMT.CROSSCHX.COM >>> > subject: >>> > > CN=IPA RA,O=MGMT.CROSSCHX.COM >>> > expires: >>> > > 2018-11-12 13:01:34 UTC key usage: >>> > > >>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher >>> ment >>> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: >>> > > /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save >>> > command: >>> > > /usr/libexec/ipa/certmonger/renew_ra_cert track: yes >>> > auto-renew: yes >>> > > 
=========================== IPA12.MGMT (root)>getcert >>> list >>> > Number of >>> > > certificates and requests being tracked: 8. Request ID >>> > > '20161229151518': status: MONITORING stuck: no key pair >>> > storage: >>> > > >>> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',ni >>> ckname='Server-Cert',token='NSS >>> > > Certificate >>> > > DB',pinfile='/etc/dirsrv/slap >>> d-MGMT-CROSSCHX-COM/pwdfile.txt' >>> > > certificate: >>> > > >>> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',ni >>> ckname='Server-Cert',token='NSS >>> > > Certificate DB' CA: IPA issuer: CN=Certificate >>> > > Authority,O=MGMT.CROSSCHX.COM >>> > subject: >>> > > CN=ipa12.mgmt.crosschx.com < >>> http://ipa12.mgmt.crosschx.com> >>> > > >> > >,O=MGMT.CROSSCHX.COM >>> > >>> > > expires: 2018-12-30 15:14:51 >>> > UTC key >>> > > usage: >>> > > >>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher >>> ment >>> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: >>> > post-save >>> > > command: /usr/libexec/ipa/certmonger/restart_dirsrv >>> > > MGMT-CROSSCHX-COM track: yes auto-renew: yes Request ID >>> > > '20161229151850': status: MONITORING stuck: no key pair >>> > storage: >>> > > >>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='au >>> ditSigningCert >>> > > cert-pki-ca',token='NSS Certificate DB',pin set >>> certificate: >>> > > >>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='au >>> ditSigningCert >>> > > cert-pki-ca',token='NSS Certificate DB' CA: >>> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >>> > > Authority,O=MGMT.CROSSCHX.COM >>> > subject: >>> > > CN=CA Audit,O=MGMT.CROSSCHX.COM < >>> http://MGMT.CROSSCHX.COM> >>> > expires: >>> > > 2018-11-12 13:00:29 UTC key usage: >>> > digitalSignature,nonRepudiation >>> > > pre-save command: /usr/libexec/ipa/certmonger/st >>> op_pkicad >>> > post-save >>> > > command: /usr/libexec/ipa/certmonger/renew_ca_cert >>> > "auditSigningCert >>> > > cert-pki-ca" 
track: yes auto-renew: yes Request ID >>> > '20161229151852': >>> > > status: MONITORING stuck: no key pair storage: >>> > > >>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='oc >>> spSigningCert >>> > > cert-pki-ca',token='NSS Certificate DB',pin set >>> certificate: >>> > > >>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='oc >>> spSigningCert >>> > > cert-pki-ca',token='NSS Certificate DB' CA: >>> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >>> > > Authority,O=MGMT.CROSSCHX.COM >>> > subject: >>> > > CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM >>> > >>> > > expires: 2018-11-12 13:00:26 UTC key usage: >>> > > digitalSignature,nonRepudiation,keyCertSign,cRLSign eku: >>> > > id-kp-OCSPSigning pre-save command: >>> > > /usr/libexec/ipa/certmonger/stop_pkicad post-save >>> command: >>> > > /usr/libexec/ipa/certmonger/renew_ca_cert >>> "ocspSigningCert >>> > > cert-pki-ca" track: yes auto-renew: yes Request ID >>> > '20161229151854': >>> > > status: MONITORING stuck: no key pair storage: >>> > > >>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='su >>> bsystemCert >>> > > cert-pki-ca',token='NSS Certificate DB',pin set >>> certificate: >>> > > >>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='su >>> bsystemCert >>> > > cert-pki-ca',token='NSS Certificate DB' CA: >>> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >>> > > Authority,O=MGMT.CROSSCHX.COM >>> > subject: >>> > > CN=CA Subsystem,O=MGMT.CROSSCHX.COM >>> > >>> > > expires: 2018-11-12 13:00:28 UTC key usage: >>> > > >>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher >>> ment >>> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: >>> > > /usr/libexec/ipa/certmonger/stop_pkicad post-save >>> command: >>> > > /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert >>> > > cert-pki-ca" track: yes auto-renew: yes Request ID >>> > '20161229151856': >>> > > status: MONITORING stuck: no key pair storage: >>> > > >>> > 
>>> > >     type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> > >     CA: dogtag-ipa-ca-renew-agent
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2036-11-22 13:00:25 UTC
>>> > >     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > > Request ID '20161229151858':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>> > >     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>> > >     CA: dogtag-ipa-renew-agent
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2018-12-19 15:18:16 UTC
>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>>> > >     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > > Request ID '20161229152115':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>> > >     CA: IPA
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=ipa12.mgmt.crosschx.com,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2018-12-30 15:14:54 UTC
>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>>> > >     pre-save command:
>>> > >     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > > Request ID '20161229152204':
>>> > >     status: MONITORING
>>> > >     stuck: no
>>> > >     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>> > >     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>> > >     CA: dogtag-ipa-ca-renew-agent
>>> > >     issuer: CN=Certificate Authority,O=MGMT.CROSSCHX.COM
>>> > >     subject: CN=IPA RA,O=MGMT.CROSSCHX.COM
>>> > >     expires: 2018-11-12 13:01:34 UTC
>>> > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> > >     eku: id-kp-serverAuth,id-kp-clientAuth
>>> > >     pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>> > >     post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>> > >     track: yes
>>> > >     auto-renew: yes
>>> > >
>>> > > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
>>> > > 614.427.2411
>>> > > mike.plemmons at crosschx.com
>>> > > www.crosschx.com
>>> > >
>>> >
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From sbose at redhat.com Wed May 10 19:42:16 2017
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 10 May 2017 21:42:16 +0200
Subject: [Freeipa-users] Authenticate on GNOME display manager with freeipa
In-Reply-To: <2a46b93e-5068-3bc4-9209-f1245faa71a9@gmail.com>
References: <2a46b93e-5068-3bc4-9209-f1245faa71a9@gmail.com>
Message-ID: <20170510194216.GC17159@p.Speedport_W_724V_Typ_A_05011603_00_011>

On Tue, May 09, 2017 at 11:12:13PM +0200, tuxderlinuxfuchs77 at gmail.com wrote:
> Hello everyone,
>
> I set up my freeIPA instance and it works very well for my client
> computers (Ubuntu Desktop 16.04.2 LTS), I can login via SSH using a
> freeIPA managed user account.
>
> My own HBAC rule also works for that. I disabled the "allow all" rule
> and created my own one. Works fine for SSH.
>
> But I cannot login to the GNOME 3 Desktop on the client. I used the
> netinstall ISO image of Ubuntu. During installation, I have chosen
> "Ubuntu GNOME Desktop" as the only desktop.
>
> So my display manager is gdm3.
>
> I added the "gdm" and "gdm-password" services to my HBAC rule. To be on
> the safe side, I rebooted the client machine. But I still can't login to
> the GNOME Desktop with an account that can login via SSH.
>
> So the services in my rule are
>
> login, gdm, gdm-password
>
> If you need any logs or other information, I will provide them.

Please send sssd_pam.log and sssd_domain.name.log with debug_level=10 in
the [pam] and [domain/...] section of sssd.conf.

bye,
Sumit

>
>
> Thanks in advance!
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From michael.plemmons at crosschx.com Wed May 10 20:42:08 2017
From: michael.plemmons at crosschx.com (Michael Plemmons)
Date: Wed, 10 May 2017 16:42:08 -0400
Subject: [Freeipa-users] Domain Levels
Message-ID:

I am currently running 4.4.0 on a three node cluster. My domain level is
currently 0 on all three nodes. Is there a reason to keep the domain level
at 0? I do not plan on adding any older versions of IPA into the cluster.
Is there anything I need to worry about if I elevate the domain level to 1?

My current setup is the server A is the master and B and C are replicas. I
do not have replication agreements between B and C and I am looking into
creating those agreements. If I increase the domain level do I have to
handle anything differently if I add the B to C replication agreement?

*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614.427.2411
mike.plemmons at crosschx.com
www.crosschx.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From robert.l.harris at gmail.com Thu May 11 03:24:45 2017
From: robert.l.harris at gmail.com (Robert L. Harris)
Date: Thu, 11 May 2017 03:24:45 +0000
Subject: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7
Message-ID:

Ok, I gave up on Ubuntu. I'm now trying the latest CentOS7. I built out a
"minimal server" with some normal base packages which did include the
freeipa-client but otherwise, just standard tools. Here's a pastebin of
the output of the install: https://pastebin.com/zAWCgkUU

Robert
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From datakid at gmail.com Thu May 11 03:56:32 2017
From: datakid at gmail.com (Lachlan Musicman)
Date: Thu, 11 May 2017 13:56:32 +1000
Subject: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7
In-Reply-To:
References:
Message-ID:

Robert, did you look in /var/log/ipaserver-install.log as it says?

Was there any other information?

cheers
L.

------
"Mission Statement: To provide hope and inspiration for collective action,
to build collective power, to achieve collective transformation, rooted in
grief and rage but pointed towards vision and dreams."

- Patrice Cullors, *Black Lives Matter founder*

On 11 May 2017 at 13:24, Robert L. Harris wrote:

> Ok, I gave up on Ubuntu. I'm now trying the latest CentOS7. I built out
> a "minimal server" with some normal base packages which did include the
> freeipa-client but otherwise, just standard tools. Here's a pastebin of
> the output of the install: https://pastebin.com/zAWCgkUU
>
> Robert
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From robert.l.harris at gmail.com Thu May 11 04:06:28 2017
From: robert.l.harris at gmail.com (Robert L. Harris)
Date: Thu, 11 May 2017 04:06:28 +0000
Subject: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7
In-Reply-To:
References:
Message-ID:

Sigh... Sorry, it's been a long day, I thought I put that log in the first
pastebin. It's in this one: https://pastebin.com/18PAXXNS

Also,
Anyone else get the constant spam when mailing this list? Got an address
to block for it?

Robert

On Wed, May 10, 2017 at 9:56 PM Lachlan Musicman wrote:

> Robert, did you look in /var/log/ipaserver-install.log as it says?
>
> Was there any other information?
>
> cheers
> L.
>
> ------
> "Mission Statement: To provide hope and inspiration for collective action,
> to build collective power, to achieve collective transformation, rooted in
> grief and rage but pointed towards vision and dreams."
>
> - Patrice Cullors, *Black Lives Matter founder*
>
> On 11 May 2017 at 13:24, Robert L. Harris wrote:
>
>> Ok, I gave up on Ubuntu. I'm now trying the latest CentOS7. I built
>> out a "minimal server" with some normal base packages which did include the
>> freeipa-client but otherwise, just standard tools. Here's a pastebin of
>> the output of the install: https://pastebin.com/zAWCgkUU
>>
>> Robert
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From felix.chu at bbpos.com Thu May 11 07:06:31 2017
From: felix.chu at bbpos.com (Felix Chu)
Date: Thu, 11 May 2017 07:06:31 +0000
Subject: [Freeipa-users] Windows client authentication with OTP not supported
Message-ID:

Hi, I would like to implement SSO for my Linux+Windows2012 machines with MFA.

I have installed FreeIPA, it works well for my Linux client authentication
with OTP enabled. However, for Windows client, I can only make it work
with FreeIPA without OTP.

The Windows machines are 2012 R2 without AD(workgroup only). When I login
Windows using FreeIPA user accounts enabled with OTP, it shows "An
unsupported preauthentication mechanism was presented to the Kerberos
package", is that not supported ? or something I configured wrong?
I setup Windows authentication by referring to this link:
https://www.freeipa.org/page/Windows_authentication_against_FreeIPA

Regards,
Felix
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From abokovoy at redhat.com Thu May 11 07:42:30 2017
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Thu, 11 May 2017 10:42:30 +0300
Subject: [Freeipa-users] Windows client authentication with OTP not supported
In-Reply-To:
References:
Message-ID: <20170511074230.qecvezalikf5lbpd@redhat.com>

On Thu, 11 May 2017, Felix Chu wrote:
>Hi, I would like to implement SSO for my Linux+Windows2012 machines
>with MFA.
>
>I have installed FreeIPA, it works well for my Linux client
>authentication with OTP enabled. However, for Windows client, I can
>only make it work with FreeIPA without OTP.
>
>The Windows machines are 2012 R2 without AD(workgroup only). When I
>login Windows using FreeIPA user accounts enabled with OTP, it shows
>"An unsupported preauthentication mechanism was presented to the
>Kerberos package", is that not supported ? or something I configured
>wrong?

Windows does not support OTP in Kerberos the same way how MIT Kerberos
does implement it.

--
/ Alexander Bokovoy

From mbasti at redhat.com Thu May 11 08:09:19 2017
From: mbasti at redhat.com (Martin Bašti)
Date: Thu, 11 May 2017 10:09:19 +0200
Subject: [Freeipa-users] DNS update failing
In-Reply-To:
References:
Message-ID: <28977985-f994-12b1-9b48-65306a0d2c3f@redhat.com>

On 10.05.2017 18:38, Jason Sherrill wrote:
> Hello,
>
> I've recently implemented freeIPA in a mixed environment of Mac OS
> 10.12 and Windows 10 with limited issues!
>
> One issue is that updating the reverse zone via nsupdate works without
> issue, updating to the forward zone results in a REFUSED status. Below
> is my zone config, named.conf, and an example of client-side
> behavior. I'm new to nearly all systems involved- misconfiguration is
> likely. Thanks!
>
> From freeIPA server:
>
> # ipa dnszone-show int.dplcl.com --all
>
>   dn: idnsname=int.dplcl.com.,cn=dns,dc=int,dc=dplcl,dc=com
>   Zone name: int.dplcl.com.
>   Active zone: TRUE
>   Authoritative nameserver: ipa-1.int.dplcl.com.
>   Administrator e-mail address: hostmaster.int.dplcl.com.
>   SOA serial: 1494344164
>   SOA refresh: 3600
>   SOA retry: 900
>   SOA expire: 1209600
>   SOA minimum: 3600
>   BIND update policy: grant INT.DPLCL.COM krb5-self * A; grant INT.DPLCL.COM krb5-self * AAAA; grant INT.DPLCL.COM krb5-self * SSHFP;
>   Dynamic update: TRUE
>   Allow query: any;
>   Allow transfer: none;
>   Allow PTR sync: TRUE
>   Allow in-line DNSSEC signing: FALSE
>   nsrecord: ipa-1.int.dplcl.com.
>   objectclass: idnszone, top, idnsrecord, ipadnszone
>
> /etc/named.conf from IPA server:
>
> options {
>         // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>         listen-on-v6 {any;};
>
>         // Put files that named is allowed to write in the data/ directory:
>         directory "/var/named"; // the default
>         dump-file "data/cache_dump.db";
>         statistics-file "data/named_stats.txt";
>         memstatistics-file "data/named_mem_stats.txt";
>
>         // Any host is permitted to issue recursive queries
>         allow-recursion { any; };
>
>         tkey-gssapi-keytab "/etc/named.keytab";
>         pid-file "/run/named/named.pid";
>
>         dnssec-enable no;
>         dnssec-validation no;
>
>         /* Path to ISC DLV key */
>         bindkeys-file "/etc/named.iscdlv.key";
>
>         managed-keys-directory "/var/named/dynamic";
> };
>
> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>  * By default, SELinux policy does not allow named to modify the /var/named directory,
>  * so put the default debug log file in data/ :
>  */
> logging {
>         channel default_debug {
>                 file "data/named.run";
>                 severity dynamic;
>                 print-time yes;
>         };
> };
>
> zone "." IN {
>         type hint;
>         file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
>
> dynamic-db "ipa" {
>         library "ldap.so";
>         arg "uri ldapi://%2fvar%2frun%2fslapd-INT-DPLCL-COM.socket";
>         arg "base cn=dns, dc=int,dc=dplcl,dc=com";
>         arg "server_id ipa-1.int.dplcl.com";
>         arg "auth_method sasl";
>         arg "sasl_mech GSSAPI";
>         arg "sasl_user DNS/ipa-1.int.dplcl.com";
>         arg "serial_autoincrement yes";
> };
>
> From client macbook:
>
> testbook3:etc jsherrill$ nsupdate
> > debug
> > update add testbook3.int.dplcl.com 86400 a 10.0.1.36
> >
> Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3049
> ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;testbook3.int.dplcl.com. IN SOA
>
> ;; AUTHORITY SECTION:
> int.dplcl.com. 0 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com. 1494425173 3600 900 1209600 3600
>
> Found zone name: int.dplcl.com
> The master is: ipa-1.int.dplcl.com
> Sending update to 10.0.1.5#53
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 33167
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
> ;; UPDATE SECTION:
> testbook3.int.dplcl.com. 86400 IN A 10.0.1.36
>
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 33167
> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; ZONE SECTION:
> ;int.dplcl.com. IN SOA
> --
>
> *Jason Sherrill*
> Deeplocal Inc.
> mobile: 412-636-2073
> office: 412-362-0201
>

Hello,

DNS updates are using GSS-TSIG mechanism by default in FreeIPA, so you
cannot use plain nsupdate without providing credentials

Here is policy, hosts can update only its records using GSS-TSIG (kerberos)

BIND update policy: grant INT.DPLCL.COM krb5-self * A; grant INT.DPLCL.COM krb5-self * AAAA; grant INT.DPLCL.COM krb5-self * SSHFP;

So for manual updates via nsupdate, you have to do following steps:

1, kinit -kt /etc/krb5.keytab
2, nsupdate -g
... update A records ...

I don't know why a reverse zone works for you, you should check policy of
the reverse zone.

Martin

--
Martin Bašti
Software Engineer
Red Hat Czech
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mbasti at redhat.com Thu May 11 08:13:19 2017
From: mbasti at redhat.com (Martin Bašti)
Date: Thu, 11 May 2017 10:13:19 +0200
Subject: [Freeipa-users] Domain Levels
In-Reply-To:
References:
Message-ID:

On 10.05.2017 22:42, Michael Plemmons wrote:
> I am currently running 4.4.0 on a three node cluster. My domain level
> is currently 0 on all three nodes. Is there a reason to keep the
> domain level at 0? I do not plan on adding any older versions of IPA
> into the cluster. Is there anything I need to worry about if I
> elevate the domain level to 1?
>
> My current setup is the server A is the master and B and C are
> replicas. I do not have replication agreements between B and C and I
> am looking into creating those agreements. If I increase the domain
> level do I have to handle anything differently if I add the B to C
> replication agreement?
>
>
> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
> 614.427.2411
> mike.plemmons at crosschx.com
> www.crosschx.com
>

Hello,

we recommend to raise DL to 1, it opens new functionality.

With DL1 you can create that replication agreement via webUI, and you
will see your replication topology, so no more ipa-replica-manage for
connecting replicas.
Martin

--
Martin Bašti
Software Engineer
Red Hat Czech
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mbasti at redhat.com Thu May 11 08:19:43 2017
From: mbasti at redhat.com (Martin Bašti)
Date: Thu, 11 May 2017 10:19:43 +0200
Subject: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7
In-Reply-To:
References:
Message-ID: <17824237-3beb-a5c1-0d6c-d9a1051eddce@redhat.com>

Hello,

comments inline

On 11.05.2017 06:06, Robert L. Harris wrote:
>
> Sigh... Sorry, it's been a long day, I thought I put that log in the
> first pastebin. It's in this one: https://pastebin.com/18PAXXNS

Could you please provide journalctl -u httpd and /var/log/httpd/error_log ?

>
> Also,
> Anyone else get the constant spam when mailing this list? Got an
> address to block for it?

Sorry for that, there is a bot mining public archives. We plan to resolve
this issue but it may take time as we are not maintaining our mailman.

Martin

>
> Robert
>
>
> On Wed, May 10, 2017 at 9:56 PM Lachlan Musicman wrote:
>
> Robert, did you look in /var/log/ipaserver-install.log as it says?
>
> Was there any other information?
>
> cheers
> L.
>
> ------
> "Mission Statement: To provide hope and inspiration for collective
> action, to build collective power, to achieve collective
> transformation, rooted in grief and rage but pointed towards
> vision and dreams."
>
> - Patrice Cullors, /Black Lives Matter founder/
>
> On 11 May 2017 at 13:24, Robert L. Harris wrote:
>
> Ok, I gave up on Ubuntu. I'm now trying the latest CentOS7.
> I built out a "minimal server" with some normal base packages
> which did include the freeipa-client but otherwise, just
> standard tools. Here's a pastebin of the output of the
> install: https://pastebin.com/zAWCgkUU
>
> Robert
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>

--
Martin Bašti
Software Engineer
Red Hat Czech
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From tuxderlinuxfuchs77 at gmail.com Thu May 11 11:29:33 2017
From: tuxderlinuxfuchs77 at gmail.com (tuxderlinuxfuchs77 at gmail.com)
Date: Thu, 11 May 2017 13:29:33 +0200
Subject: [Freeipa-users] Authenticate on GNOME display manager with freeipa
In-Reply-To: <20170510194216.GC17159@p.Speedport_W_724V_Typ_A_05011603_00_011>
References: <2a46b93e-5068-3bc4-9209-f1245faa71a9@gmail.com> <20170510194216.GC17159@p.Speedport_W_724V_Typ_A_05011603_00_011>
Message-ID: <4e4cd5a1-7446-12d1-cbe7-33ee689fda94@gmail.com>

Hello,

I have attached the requested files.

Thanks in advance!

On 10-May-17 9:42 PM, Sumit Bose wrote:
> On Tue, May 09, 2017 at 11:12:13PM +0200, tuxderlinuxfuchs77 at gmail.com wrote:
>> Hello everyone,
>>
>> I set up my freeIPA instance and it works very well for my client
>> computers (Ubuntu Desktop 16.04.2 LTS), I can login via SSH using a
>> freeIPA managed user account.
>>
>> My own HBAC rule also works for that. I disabled the "allow all" rule
>> and created my own one. Works fine for SSH.
>>
>> But I cannot login to the GNOME 3 Desktop on the client. I used the
>> netinstall ISO image of Ubuntu. During installation, I have chosen
>> "Ubuntu GNOME Desktop" as the only desktop.
>>
>> So my display manager is gdm3.
>>
>> I added the "gdm" and "gdm-password" services to my HBAC rule. To be on
>> the safe side, I rebooted the client machine. But I still can't login to
>> the GNOME Desktop with an account that can login via SSH.
>>
>> So the services in my rule are
>>
>> login, gdm, gdm-password
>>
>> If you need any logs or other information, I will provide them.
> Please send sssd_pam.log and sssd_domain.name.log with debug_level=10 in
> the [pam] and [domain/...] section of sssd.conf.
>
> bye,
> Sumit
>
>>
>> Thanks in advance!
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
-------------- next part --------------
(Wed May 10 22:48:16 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8145a48
(Wed May 10 22:48:16 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching.
(Wed May 10 22:48:16 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Wed May 10 22:48:16 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed May 10 22:48:20 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918
(Wed May 10 22:48:20 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching.
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 326 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 326 timeout 6 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x8172498], ldap[0x81658f8] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_op_destructor] (0x2000): Operation 326 finished (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818b888 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818b888 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 
22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81395b0 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81395b0 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8189ff8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8140600 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8189ff8 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8140600 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8189ff8 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813e2b0 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813e2b0 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): 
No such entry. (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818ae18 (Wed May 10 
22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172498 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818ae18 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8172498 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818ae18 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. 
(Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818ae18 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818ae18 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815ac90 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818ae18 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. 
(Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 327 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 327 timeout 6 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_op_destructor] (0x2000): Operation 327 finished (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818cfd8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815ac90 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818cfd8 "ltdb_callback" (Wed May 10 
22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818cfd8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818cfd8 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8189ff8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8189ff8 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818cfd8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818cfd8 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): 
No such entry. (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813dba8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818cfd8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x813dba8 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818cfd8 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813dba8 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818cfd8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813d6b8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813d6b8 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 
22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815ac90 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. 
(Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. 
(Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 331 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 331 timeout 6 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x8172498], ldap[0x81658f8] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_op_destructor] (0x2000): Operation 331 finished (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 
22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818cfd8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172498 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8172498 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818cfd8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813dd90 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813dd90 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818cfd8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172498 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8172498 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): 
No such entry. (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172238 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8172238 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172238 (Wed May 10 
22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818cfd8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818cfd8 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. 
(Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172238 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815ac90 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. 
(Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 332 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 332 timeout 6 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x8172498], ldap[0x81658f8] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_op_destructor] (0x2000): Operation 332 finished (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81655e8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81655e8 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 
22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81655e8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81655e8 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x817a8f8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81395b0 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x817a8f8 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81395b0 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x817a8f8 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8165f50 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8165f50 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): 
No such entry. (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8140c60 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8140c60 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81407a0 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81407a0 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 
22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8140c60 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8140c60 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. 
(Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172498 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8172498 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. 
(Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 336 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 336 timeout 6 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815b6d8], ldap[0x81658f8] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_op_destructor] (0x2000): Operation 336 finished (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x817a8f8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x817a8f8 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 
22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x817a8f8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x817a8f8 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818b820 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8142048 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818b820 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8142048 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818b820 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8140190 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8140190 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): 
No such entry. (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8140538 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8140538 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172238 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8172238 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 
22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8140538 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8140538 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. 
(Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. 
(Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 337 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 337 timeout 6 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_op_destructor] (0x2000): Operation 337 finished (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818b888 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818b888 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 
22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81659d8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81659d8 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8189ff8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813d4e0 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8189ff8 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813d4e0 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8189ff8 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8140520 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8140520 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): 
No such entry. (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81659d8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81659d8 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x816fac8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x816fac8 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 
22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81659d8 (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81659d8 "ltdb_timeout" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:21 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:26 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8145a48 (Wed May 10 22:48:26 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:26 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service (Wed May 10 22:48:26 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x815d700 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. 
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=vmuser1] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172438 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81655e8 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81406e8 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815ac90 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] 
(0x4000): Running timer event 0x81655e8 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x816fac8 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81406e8 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81655e8 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x816fac8 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=vmuser1)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. 
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 338 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 338 timeout 6 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [uid=vmuser1,cn=users,cn=accounts,dc=example,dc=org]. 
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [uid] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [uidNumber] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [gecos] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [homeDirectory] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [loginShell] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [krbPrincipalName] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [krbLastPwdChange] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [krbPasswordExpiration] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: 
[LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_op_destructor] (0x2000): Operation 338 finished (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 0) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Storing the user (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_save_user] (0x0400): Save user (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSIDString] attribute. [0][Success] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_save_user] (0x4000): objectSID: not available for user (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_primary_name] (0x0400): Processing object vmuser1 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_save_user] (0x0400): Processing user vmuser1 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_save_user] (0x2000): Adding originalDN [uid=vmuser1,cn=users,cn=accounts,dc=example,dc=org] to attributes of [vmuser1]. (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [vmuser1]. (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20170510204531Z] to attributes of [vmuser1]. (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_save_user] (0x0400): Adding user principal [vmuser1 at EXAMPLE.ORG] to attributes of [vmuser1]. (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowLastChange is not available for [vmuser1]. 
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMin is not available for [vmuser1]. (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMax is not available for [vmuser1]. (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowWarning is not available for [vmuser1]. (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowInactive is not available for [vmuser1]. (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowExpire is not available for [vmuser1]. (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowFlag is not available for [vmuser1]. (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding krbLastPwdChange [20170508212607Z] to attributes of [vmuser1]. (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding krbPasswordExpiration [20170806212607Z] to attributes of [vmuser1]. (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_attrs_add_ldap_attr] (0x2000): pwdAttribute is not available for [vmuser1]. (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedService is not available for [vmuser1]. (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_attrs_add_ldap_attr] (0x2000): adAccountExpires is not available for [vmuser1]. (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_attrs_add_ldap_attr] (0x2000): adUserAccountControl is not available for [vmuser1]. (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_attrs_add_ldap_attr] (0x2000): nsAccountLock is not available for [vmuser1]. (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedHost is not available for [vmuser1]. 
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginDisabled is not available for [vmuser1]. (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginExpirationTime is not available for [vmuser1]. (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginAllowedTimeMap is not available for [vmuser1]. (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [vmuser1]. (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_attrs_add_ldap_attr] (0x2000): authType is not available for [vmuser1]. (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_attrs_add_ldap_attr] (0x2000): userCertificate is not available for [vmuser1]. (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_save_user] (0x0400): Storing info for user vmuser1 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 1) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81411f0 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8141250 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81411f0 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8141250 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81411f0 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 2) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813f7d8 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813f838 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer 
event 0x813f7d8 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813f838 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813f7d8 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 2) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_remove_attrs] (0x2000): Removing attribute [userPassword] from [vmuser1] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x816ee28 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8166fd8 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x816ee28 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8166fd8 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x816ee28 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_remove_attrs] (0x2000): Removing attribute [objectSIDString] from [vmuser1] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x816b090 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8167ac8 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x816b090 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] 
(0x4000): Destroying timer event 0x8167ac8 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x816b090 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowLastChange] from [vmuser1] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8167038 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81679d0 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8167038 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81679d0 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8167038 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMin] from [vmuser1] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8141230 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8167000 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8141230 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8167000 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8141230 "ltdb_callback" (Wed May 10 22:48:33 2017) 
[sssd[be[example.org]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMax] from [vmuser1] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8141230 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8167de0 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8141230 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8167de0 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8141230 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowWarning] from [vmuser1] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8141230 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x816b1f0 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8141230 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x816b1f0 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8141230 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowInactive] from 
[vmuser1] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813df30 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8141230 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x813df30 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8141230 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813df30 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowExpire] from [vmuser1] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813df30 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8141230 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x813df30 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8141230 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813df30 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowFlag] from [vmuser1] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event 
"ltdb_callback": 0x8167c10 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x816edb0 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8167c10 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x816edb0 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8167c10 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_remove_attrs] (0x2000): Removing attribute [pwdAttribute] from [vmuser1] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8142fd0 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8141230 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8142fd0 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8141230 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8142fd0 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authorizedService] from [vmuser1] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8142e38 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8142ee0 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] 
(0x4000): Running timer event 0x8142e38 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8142ee0 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8142e38 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_remove_attrs] (0x2000): Removing attribute [adAccountExpires] from [vmuser1] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8167a88 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8142e38 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8167a88 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8142e38 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8167a88 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_remove_attrs] (0x2000): Removing attribute [adUserAccountControl] from [vmuser1] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x816ae78 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8142960 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x816ae78 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8142960 "ltdb_timeout" (Wed May 10 
22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x816ae78 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_remove_attrs] (0x2000): Removing attribute [nsAccountLock] from [vmuser1] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8142960 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813f8e8 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8142960 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813f8e8 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8142960 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authorizedHost] from [vmuser1] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813f8e8 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813df48 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x813f8e8 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813df48 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813f8e8 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): cancel ldb transaction 
(nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginDisabled] from [vmuser1] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813f8e8 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x816b1f0 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x813f8e8 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x816b1f0 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813f8e8 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginExpirationTime] from [vmuser1] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813f8e8 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81415d8 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x813f8e8 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81415d8 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813f8e8 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginAllowedTimeMap] from [vmuser1] (Wed May 10 22:48:33 2017) 
[sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x816ae78 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813f8e8 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x816ae78 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813f8e8 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x816ae78 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_remove_attrs] (0x2000): Removing attribute [sshPublicKey] from [vmuser1] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813e640 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x816ae78 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x813e640 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x816ae78 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813e640 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authType] from [vmuser1] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813f8e8 (Wed May 10 
22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813e640 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x813f8e8 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813e640 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813f8e8 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_remove_attrs] (0x2000): Removing attribute [userCertificate] from [vmuser1] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813f8e8 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813eb10 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x813f8e8 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813eb10 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813f8e8 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 1) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Commit change (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 0) (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8141718 (Wed May 10 22:48:33 2017) 
[sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8141778 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8141718 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8141778 "ltdb_timeout" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8141718 "ltdb_callback" (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Process user's groups (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_primary_name] (0x0400): Processing object vmuser1 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=ipausers,cn=groups,cn=accounts,dc=example,dc=org]. 
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaExternalMember] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 339 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 339 timeout 6 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x813fbd8], ldap[0x81658f8] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x813fbd8], ldap[0x81658f8] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ipausers,cn=groups,cn=accounts,dc=example,dc=org]. (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x813fbd8], ldap[0x81658f8] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_op_destructor] (0x2000): Operation 339 finished (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][cn=vmusers,cn=groups,cn=accounts,dc=example,dc=org]. 
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaExternalMember]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 340
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 340 timeout 6
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x813fbd8], ldap[0x81658f8]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x813fbd8], ldap[0x81658f8]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=vmusers,cn=groups,cn=accounts,dc=example,dc=org].
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [entryUSN]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x813fbd8], ldap[0x81658f8]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_op_destructor] (0x2000): Operation 340 finished
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*))][ipaUniqueID=e88579e2-3431-11e7-841a-00155d036505,cn=hbac,dc=example,dc=org].
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaExternalMember]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 341
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 341 timeout 6
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x813fbd8], ldap[0x81658f8]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x813fbd8], ldap[0x81658f8]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_op_destructor] (0x2000): Operation 341 finished
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_initgr_nested_search] (0x0040): Search for group ipaUniqueID=e88579e2-3431-11e7-841a-00155d036505,cn=hbac,dc=example,dc=org, returned 0 results. Skipping
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8143258
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81432b8
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8143258 "ltdb_callback"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81432b8 "ltdb_timeout"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8143258 "ltdb_callback"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813df10
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81429f8
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x813df10 "ltdb_callback"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81429f8 "ltdb_timeout"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813df10 "ltdb_callback"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_primary_name] (0x0400): Processing object ipausers
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_get_direct_parents] (0x2000): searching sysdb with filter [(&(objectClass=group)(member=name=ipausers,cn=groups,cn=example.org,cn=sysdb))]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81429f8
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8142a58
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81429f8 "ltdb_callback"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8142a58 "ltdb_timeout"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81429f8 "ltdb_callback"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_get_direct_parents] (0x1000): ipausers is a member of 0 sysdb groups
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_initgr_nested_get_direct_parents] (0x4000): Looking up direct parents for group [cn=ipausers,cn=groups,cn=accounts,dc=example,dc=org]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_initgr_nested_get_direct_parents] (0x4000): The group [cn=ipausers,cn=groups,cn=accounts,dc=example,dc=org] has 0 direct parents
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_initgr_nested_get_membership_diff] (0x1000): The group ipausers is a direct member of 0 LDAP groups
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_primary_name] (0x0400): Processing object vmusers
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_get_direct_parents] (0x2000): searching sysdb with filter [(&(objectClass=group)(member=name=vmusers,cn=groups,cn=example.org,cn=sysdb))]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81429f8
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8142a58
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81429f8 "ltdb_callback"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8142a58 "ltdb_timeout"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81429f8 "ltdb_callback"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_get_direct_parents] (0x1000): vmusers is a member of 0 sysdb groups
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_initgr_nested_get_direct_parents] (0x4000): Looking up direct parents for group [cn=vmusers,cn=groups,cn=accounts,dc=example,dc=org]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_initgr_nested_get_direct_parents] (0x4000): The group [cn=vmusers,cn=groups,cn=accounts,dc=example,dc=org] has 0 direct parents
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_initgr_nested_get_membership_diff] (0x1000): The group vmusers is a direct member of 0 LDAP groups
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 2)
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 2)
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 2)
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 2)
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_initgr_store_user_memberships] (0x1000): The user vmuser1 is a direct member of 2 LDAP groups
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_get_direct_parents] (0x2000): searching sysdb with filter [(&(objectClass=group)(member=name=vmuser1,cn=users,cn=example.org,cn=sysdb))]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813deb0
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813df10
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x813deb0 "ltdb_callback"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813df10 "ltdb_timeout"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813deb0 "ltdb_callback"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sysdb_get_direct_parents] (0x1000): vmuser1 is a member of 2 sysdb groups
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_initgr_store_user_memberships] (0x2000): Updating memberships for vmuser1
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 2)
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 2)
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_initgr_done] (0x4000): Initgroups done
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8141250
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813f630
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8141250 "ltdb_callback"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813f630 "ltdb_timeout"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8141250 "ltdb_callback"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_initgr_done] (0x0400): Primary group already cached, nothing to do.
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x816fac8
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x816fac8 "ltdb_timeout"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172438
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8145288
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172438 "ltdb_callback"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8145288 "ltdb_timeout"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172438 "ltdb_callback"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x816fac8
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x816fac8 "ltdb_callback"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815ac90 "ltdb_timeout"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x816fac8 "ltdb_callback"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:example.org:ea340e58-3430-11e7-841a-00155d036505))].
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:example.org:ea340e58-3430-11e7-841a-00155d036505))][cn=Default Trust View,cn=views,cn=accounts,dc=example,dc=org].
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 342
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 342 timeout 6
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x8172438], ldap[0x81658f8]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x8172438], ldap[0x81658f8]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: No such object(32), no errmsg set
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_op_destructor] (0x2000): Operation 342 finished
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:IPA:example.org:ea340e58-3430-11e7-841a-00155d036505))].
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8140030
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818ae70
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8140030 "ltdb_callback"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818ae70 "ltdb_timeout"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8140030 "ltdb_callback"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sbus_add_timeout] (0x2000): 0x8166098
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sbus_remove_timeout] (0x2000): 0x8166098
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching.
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x815d700
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching.
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [pam_print_data] (0x0100): domain: example.org
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [pam_print_data] (0x0100): user: vmuser1
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [pam_print_data] (0x0100): service: gdm-password
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [pam_print_data] (0x0100): tty: /dev/tty7
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [pam_print_data] (0x0100): ruser:
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [pam_print_data] (0x0100): rhost:
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [pam_print_data] (0x0100): authtok type: 1
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [pam_print_data] (0x0100): priv: 1
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [pam_print_data] (0x0100): cli_pid: 1768
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [pam_print_data] (0x0100): logon name: not set
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [vmuser1] is empty, running request [0x813d4f0] immediately.
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [krb5_setup] (0x4000): No mapping for: vmuser1
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8143670
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8143670 "ltdb_callback"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815ac90 "ltdb_timeout"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8143670 "ltdb_callback"
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [get_server_status] (0x1000): Status of server 'ubusrv.example.org' is 'working'
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [get_port_status] (0x1000): Port status of port 0 for server 'ubusrv.example.org' is 'working'
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [get_server_status] (0x1000): Status of server 'ubusrv.example.org' is 'working'
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [be_resolve_server_process] (0x0200): Found address for server ubusrv.example.org: [192.168.4.104] TTL 7200
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://ubusrv.example.org'
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/pubconf/.krb5info_dummy_Q0nEPp]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/pubconf/.krb5info_dummy_Q0nEPp]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [1774]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [child_handler_setup] (0x2000): Signal handler set up for pid [1774]
(Wed May 10 22:48:33 2017) [sssd[be[example.org]]] [write_pipe_handler] (0x0400): All data has been sent!
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [parse_krb5_child_response] (0x1000): child response [0][3][40].
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741822][20].
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [parse_krb5_child_response] (0x1000): child response [0][-1073741823][32].
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [parse_krb5_child_response] (0x1000): TGT times are [1494449314][1494449314][1494535713][0].
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [parse_krb5_child_response] (0x1000): child response [0][6][8].
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_WORKING. Called from: ../src/providers/krb5/krb5_auth.c: krb5_auth_done: 1039
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ubusrv.example.org' as 'working'
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [set_server_common_status] (0x0100): Marking server 'ubusrv.example.org' as 'working'
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'ubusrv.example.org' as 'working'
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [krb5_mod_ccname] (0x4000): Save ccname [KEYRING:persistent:126400004] for user [vmuser1].
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x817a958
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818b820
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x817a958 "ltdb_callback"
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818b820 "ltdb_timeout"
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x817a958 "ltdb_callback"
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8140ed8
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81714f8
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8140ed8 "ltdb_callback"
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81714f8 "ltdb_timeout"
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8140ed8 "ltdb_callback"
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [check_wait_queue] (0x1000): Wait queue for user [vmuser1] is empty.
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x813d4f0] done.
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [be_pam_handler_callback] (0x0100): Sending result [0][example.org]
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [be_pam_handler_callback] (0x0100): Sent result [0][example.org]
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [child_sig_handler] (0x1000): Waiting for child [1774].
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [child_sig_handler] (0x0100): child [1774] finished successfully.
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x815d700
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching.
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org]
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [be_pam_handler] (0x0100): Got request with the following data
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [pam_print_data] (0x0100): domain: example.org
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [pam_print_data] (0x0100): user: vmuser1
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [pam_print_data] (0x0100): service: gdm-password
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [pam_print_data] (0x0100): tty: /dev/tty7
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [pam_print_data] (0x0100): ruser:
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [pam_print_data] (0x0100): rhost:
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [pam_print_data] (0x0100): authtok type: 0
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [pam_print_data] (0x0100): newauthtok type: 0
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [pam_print_data] (0x0100): priv: 1
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [pam_print_data] (0x0100): cli_pid: 1768
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [pam_print_data] (0x0100): logon name: not set
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_access_send] (0x0400): Performing access check for user [vmuser1]
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172438
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81395b0
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172438 "ltdb_callback"
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81395b0 "ltdb_timeout"
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172438 "ltdb_callback"
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_account_expired_rhds] (0x0400): Performing RHDS access check for user [vmuser1]
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_account_expired_rhds] (0x4000): Account for user [vmuser1] is not locked.
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [hbac_retry] (0x4000): Connection status is [online].
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaHost)(fqdn=ubugdm.example.org))][cn=accounts,dc=example,dc=org].
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fqdn]
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serverHostname]
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID]
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 343
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 343 timeout 60
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x8172438], ldap[0x81658f8]
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [fqdn=ubugdm.example.org,cn=computers,cn=accounts,dc=example,dc=org].
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [fqdn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [serverHostname] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaUniqueID] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x8172438], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x2000): Total count [0] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_op_destructor] (0x2000): Operation 343 finished (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_has_deref_support] (0x0400): The server supports deref method OpenLDAP (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_deref_search_send] (0x2000): Server supports OpenLDAP deref (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_x_deref_search_send] (0x0400): Dereferencing entry [fqdn=ubugdm.example.org,cn=computers,cn=accounts,dc=example,dc=org] using OpenLDAP deref (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because scope is set to base. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][fqdn=ubugdm.example.org,cn=computers,cn=accounts,dc=example,dc=org]. (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 344 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 344 timeout 60 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x8172438], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x8172438], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_x_deref_parse_entry] (0x0400): Got deref control (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_deref] (0x1000): Dereferenced DN: ipaUniqueID=e88579e2-3431-11e7-841a-00155d036505,cn=hbac,dc=example,dc=org (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_deref] (0x4000): Dereferenced objectClass value: ipaassociation (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_deref] (0x4000): Dereferenced objectClass value: ipahbacrule (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_x_deref_parse_entry] (0x0400): All deref results from a single control parsed (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x8172438], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x2000): Total count [0] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_op_destructor] (0x2000): Operation 344 finished (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ipa_hostgroup_info_done] (0x0200): No host groups were dereferenced (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ipa_hbac_service_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=example,dc=org][2][(objectClass=ipaHBACService)] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:34 2017) 
[sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACService)][cn=hbac,dc=example,dc=org]. (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 345 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 345 timeout 60 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sshd,cn=hbacservices,cn=hbac,dc=example,dc=org]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ftp,cn=hbacservices,cn=hbac,dc=example,dc=org]. (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=su,cn=hbacservices,cn=hbac,dc=example,dc=org]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=login,cn=hbacservices,cn=hbac,dc=example,dc=org]. (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=su-l,cn=hbacservices,cn=hbac,dc=example,dc=org]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sudo,cn=hbacservices,cn=hbac,dc=example,dc=org]. (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=sudo-i,cn=hbacservices,cn=hbac,dc=example,dc=org]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gdm,cn=hbacservices,cn=hbac,dc=example,dc=org]. (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gdm-password,cn=hbacservices,cn=hbac,dc=example,dc=org]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=kdm,cn=hbacservices,cn=hbac,dc=example,dc=org]. (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=crond,cn=hbacservices,cn=hbac,dc=example,dc=org]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=vsftpd,cn=hbacservices,cn=hbac,dc=example,dc=org]. (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=proftpd,cn=hbacservices,cn=hbac,dc=example,dc=org]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=pure-ftpd,cn=hbacservices,cn=hbac,dc=example,dc=org]. (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gssftp,cn=hbacservices,cn=hbac,dc=example,dc=org]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ssh,cn=hbacservices,cn=hbac,dc=example,dc=org]. (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gdm3,cn=hbacservices,cn=hbac,dc=example,dc=org]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x2000): Total count [0] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_op_destructor] (0x2000): Operation 345 finished (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ipa_hbac_servicegroup_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=example,dc=org][2][(objectClass=ipaHBACServiceGroup)] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectClass=ipaHBACServiceGroup)][cn=hbac,dc=example,dc=org]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 346 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 346 timeout 60 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x81670e0], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x81670e0], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=Sudo,cn=hbacservicegroups,cn=hbac,dc=example,dc=org]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x81670e0], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=ftp,cn=hbacservicegroups,cn=hbac,dc=example,dc=org]. (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x81670e0], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=gdm,cn=hbacservicegroups,cn=hbac,dc=example,dc=org]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x81670e0], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x2000): Total count [0] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_op_destructor] (0x2000): Operation 346 finished (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ipa_hbac_rule_info_next] (0x0400): Sending request for next search base: [cn=hbac,dc=example,dc=org][2][(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(accessRuleType=allow)(|(hostCategory=all)(memberHost=fqdn=ubugdm.example.org,cn=computers,cn=accounts,dc=example,dc=org)(memberHost=ipaUniqueID=e88579e2-3431-11e7-841a-00155d036505,cn=hbac,dc=example,dc=org)))] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipaHBACRule)(ipaenabledflag=TRUE)(accessRuleType=allow)(|(hostCategory=all)(memberHost=fqdn=ubugdm.example.org,cn=computers,cn=accounts,dc=example,dc=org)(memberHost=ipaUniqueID=e88579e2-3431-11e7-841a-00155d036505,cn=hbac,dc=example,dc=org)))][cn=hbac,dc=example,dc=org]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipauniqueid] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaenabledflag] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accessRuleType] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberUser] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCategory] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberService] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [serviceCategory] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHost] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sourceHostCategory] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [externalHost] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberHost] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [hostCategory] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 347 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 347 timeout 60 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] 
[sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815b6d8], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815b6d8], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [ipaUniqueID=e88579e2-3431-11e7-841a-00155d036505,cn=hbac,dc=example,dc=org]. (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectclass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipauniqueid] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaenabledflag] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [accessRuleType] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberUser] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberService] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberHost] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815b6d8], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81b39d8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8169470 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81b39d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8169470 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81b39d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81aa368 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81ab768 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81aa368 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81ab768 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81aa368 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ipa_hbac_save_list] (0x4000): Object name: [sudo-i]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8140d20 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8169470 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8140d20 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8169470 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8140d20 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81684a8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x816e3b8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81684a8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x816e3b8 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81684a8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ipa_hbac_save_list] (0x4000): Object name: [gdm]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81aa368 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8169470 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81aa368 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8169470 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81aa368 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81b39d8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8167b88 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81b39d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8167b88 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81b39d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ipa_hbac_save_list] (0x4000): Object name: [gdm-password]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8169470 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8140d20 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8169470 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8140d20 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8169470 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81b39d8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81af840 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81b39d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81af840 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81b39d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ipa_hbac_save_list] (0x4000): Object name: [kdm]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8169470 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81684a8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8169470 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81684a8 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8169470 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8140d20 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8167b88 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8140d20 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8167b88 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8140d20 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ipa_hbac_save_list] (0x4000): Object name: [crond]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81b39d8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81684a8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81b39d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81684a8 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81b39d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81aa368 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81b35d0 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81aa368 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81b35d0 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81aa368 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ipa_hbac_save_list] (0x4000): Object name: [vsftpd]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81aa368 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8140d20 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81aa368 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8140d20 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81aa368 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81aa368 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81684a8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81aa368 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81684a8 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81aa368 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ipa_hbac_save_list] (0x4000): Object name: [proftpd]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81aa368 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8140d20 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81aa368 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8140d20 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81aa368 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81aa368 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x816a228 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81aa368 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x816a228 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81aa368 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ipa_hbac_save_list] (0x4000): Object name: [pure-ftpd]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81aa368 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8140d20 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81aa368 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8140d20 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81aa368 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81aa368 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81684a8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81aa368 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81684a8 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81aa368 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ipa_hbac_save_list] (0x4000): Object name: [gssftp]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81b39d8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81aa368 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81b39d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81aa368 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81b39d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81684a8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81b39d8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81684a8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81b39d8 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81684a8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ipa_hbac_save_list] (0x4000): Object name: [ssh]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81aa368 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81684a8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81aa368 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81684a8 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81aa368 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81b39d8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81aa368 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81b39d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81aa368 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81b39d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ipa_hbac_save_list] (0x4000): Object name: [gdm3]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81684a8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81b39d8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81684a8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81b39d8 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81684a8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81aa368 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81684a8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81aa368 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81684a8 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81aa368 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81684a8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81b39d8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81684a8 "ltdb_callback" (Wed May 10 22:48:34 
2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81b39d8 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81684a8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_delete_recursive] (0x4000): Found [3] items to delete. (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_delete_recursive] (0x4000): Trying to delete [name=gdm,cn=hbac_servicegroups,cn=custom,cn=example.org,cn=sysdb]. (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8169b38 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81a9ee0 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8169b38 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81694f0 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81a8298 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81a9ee0 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8169b38 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81694f0 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81a8298 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81694f0 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_delete_recursive] (0x4000): Trying to delete [name=Sudo,cn=hbac_servicegroups,cn=custom,cn=example.org,cn=sysdb]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81a7848 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81b39d8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81a7848 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81a78e8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81b3890 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81b39d8 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81a7848 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81a78e8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81b3890 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81a78e8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_delete_recursive] (0x4000): Trying to delete [name=ftp,cn=hbac_servicegroups,cn=custom,cn=example.org,cn=sysdb]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x816a228 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81a78e8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x816a228 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x816e630 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81b4c20 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81a78e8 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x816a228 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x816e630 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81b4c20 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x816e630 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ipa_hbac_save_list] (0x4000): Object name: [Sudo]. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81b3890 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81684a8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81b3890 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81684a8 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81b3890 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): start ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81b3890 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81abbf0 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81b3890 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81abbf0 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81b3890 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 3) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ipa_hbac_save_list] (0x4000): Object name: [ftp]. 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [authorizedService] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 349 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 349 timeout 6 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815b6d8], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_op_destructor] 
(0x2000): Operation 349 finished (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81395b0 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81395b0 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8144b60 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8144b60 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815ac90 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8144b60 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8144b60 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8144b60 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8144b60 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8144b60 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815ac90 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8144b60 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x817ae70 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x817ae70 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x817ae70 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x817ae70 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x817ae70 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8144b60 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x817ae70 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8144b60 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 
0x817ae70 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8144b60 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [authorizedService] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 350 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 350 timeout 6 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815b6d8], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_op_destructor] 
(0x2000): Operation 350 finished (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172438 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8145288 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8145288 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818a358 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813d7b8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818a358 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813d7b8 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818a358 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8165460 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x817adb0 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8165460 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x817adb0 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8165460 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172438 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8141a28 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8141a28 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172438 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x817adb0 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x817adb0 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172438 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8144b20 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8144b20 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172438 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x817adb0 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x817adb0 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [authorizedService] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 354 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 354 timeout 6 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815b6d8], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_op_destructor] 
(0x2000): Operation 354 finished (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818a358 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818a358 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818a358 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818a358 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8140030 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81395b0 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8140030 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81395b0 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8140030 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172438 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813e3a0 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813e3a0 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172438 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8172438 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8141238 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8141238 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8141238 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172438 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8141238 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x8141238 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172438 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 
0x815ac90 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [authorizedService] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 355 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 355 timeout 6 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815b6d8], ldap[0x81658f8] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_op_destructor] 
(0x2000): Operation 355 finished (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813d7b8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813d7b8 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81395b0 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81395b0 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x817a8f8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818aed8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x817a8f8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818aed8 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x817a8f8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8171578 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8171578 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815ac90 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8144b20 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8144b20 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8144b20 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8144b20 (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x8144b20 "ltdb_timeout" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:34 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172438 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [authorizedService] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 359 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 359 timeout 6 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815b6d8], ldap[0x81658f8] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_op_destructor] 
(0x2000): Operation 359 finished (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813d7b8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813d7b8 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8187a08 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8187a08 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x817ae70 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x817ae70 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815ac90 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81714b8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81714b8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81714b8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81714b8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x81714b8 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172438 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 
0x8172438 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [authorizedService] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 360 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 360 timeout 6 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x8172438], ldap[0x81658f8] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_op_destructor] 
(0x2000): Operation 360 finished (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818cfd8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8143f78 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8143f78 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818cfd8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815ac90 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172438 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818cfd8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818cfd8 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172438 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8172438 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x816fac8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172438 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x816fac8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8172438 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x816fac8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818cfd8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172438 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8172438 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8141b50 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172438 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8141b50 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x8172438 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8141b50 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x816fac8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8141b50 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x816fac8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [authorizedService] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 364 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 364 timeout 6 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_op_destructor] 
(0x2000): Operation 364 finished (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818cfd8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815ac90 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818cfd8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818cfd8 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81395b0 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81395b0 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818cfd8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818cfd8 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818cfd8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815ac90 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8144b20 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818cfd8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8144b20 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818cfd8 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8144b20 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818cfd8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x815ac90 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172438 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 
0x8172438 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [authorizedService] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 365 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 365 timeout 6 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_op_destructor] 
(0x2000): Operation 365 finished (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813dfe8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813dfe8 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818a358 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818a358 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818b820 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x817adb0 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818b820 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x817adb0 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818b820 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172438 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81714b8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81714b8 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172438 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8165460 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8165460 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818b820 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818b820 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81411b0 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x81411b0 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8141738 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [authorizedService] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 369 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 369 timeout 6 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_op_destructor] 
(0x2000): Operation 369 finished (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813d7b8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813d7b8 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81395b0 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81395b0 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8141870 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818aed8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8141870 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818aed8 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8141870 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172438 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81414b8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81414b8 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172438 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8172438 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x816fac8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x816fac8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815ac90 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x816fac8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172438 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x816fac8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x816fac8 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172438 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 
0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [authorizedService] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 370 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 370 timeout 6 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_op_destructor] 
(0x2000): Operation 370 finished (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818b888 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818b888 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815ac90 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81395b0 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81395b0 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815ac90 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8144b60 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8144b60 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8144b60 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813de30 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8144b60 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813de30 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8144b60 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813de30 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x813de30 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813de30 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813de30 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 
0x813de30 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [authorizedService] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 371 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 371 timeout 6 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815b6d8], ldap[0x81658f8] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_op_destructor] 
(0x2000): Operation 371 finished (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813d7b8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813d7b8 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81395b0 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81395b0 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81395b0 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81395b0 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172238 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8172238 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172238 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172438 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8172438 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8144b20 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8144b20 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8144b20 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172438 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8144b20 (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x8144b20 "ltdb_timeout" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:35 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8145a48 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. 
(Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=admin] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=admin)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=example,dc=org]. 
(Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaExternalMember] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 372 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 372 timeout 6 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:36 2017) 
[sssd[be[example.org]]] [sdap_op_destructor] (0x2000): Operation 372 finished (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results. (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818b888 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818b888 "ltdb_timeout" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172438 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815ac90 "ltdb_timeout" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 3,0,Account info lookup failed (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=user] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172438 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172438 "ltdb_callback" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with 
base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=user)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 373 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 373 timeout 6 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815b6d8], ldap[0x81658f8] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_op_destructor] (0x2000): Operation 373 finished (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 
0x818a358 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818a358 "ltdb_timeout" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818a358 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818a358 "ltdb_timeout" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [user] found. 
(Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818af30 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81416b8 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818af30 "ltdb_callback" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81416b8 "ltdb_timeout" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818af30 "ltdb_callback" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813dee0 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813dee0 "ltdb_timeout" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [user] in cache (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [user] [2]: No such file or directory. 
(Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815ac90 "ltdb_timeout" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=user)) (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8143918 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8143918 "ltdb_callback" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8143918 "ltdb_callback" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8143918 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x8143918 "ltdb_timeout" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=user] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172438 (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:36 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 
(0x2000): Operation 377 finished (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8140f40 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8140f40 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8172498 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8140f40 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8140f40 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8140f40 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x817ae18 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8165460 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x817ae18 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8165460 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x817ae18 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813ddd8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813ddd8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8187a08 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8187a08 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815ac90 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8187a08 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813dcd8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813dcd8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813dcd8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x813dcd8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x8172498 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813dcd8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8187a08 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813dcd8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8187a08 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 
0x813dcd8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8187a08 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [authorizedService] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 378 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 378 timeout 6 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x8172498], ldap[0x81658f8] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_op_destructor] 
(0x2000): Operation 378 finished (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813d7b8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813d7b8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8172498 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172238 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172238 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8172238 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172238 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8187a08 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8187a08 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8187a08 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8187a08 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x8172498 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8187a08 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172238 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8187a08 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 
0x8187a08 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [authorizedService] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 379 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 379 timeout 6 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x8172498], ldap[0x81658f8] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_op_destructor] 
(0x2000): Operation 382 finished (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813d7b8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813d7b8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81395b0 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81395b0 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818aed8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818aed8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813dbd8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813dbd8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172238 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813d6c8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813d6c8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813d6c8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x813d6c8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x8172498 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813d6c8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172238 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813d6c8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 
0x813d6c8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [authorizedService] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 383 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 383 timeout 6 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x8172498], ldap[0x81658f8] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_op_destructor] 
(0x2000): Operation 383 finished (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818a358 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818a358 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818a358 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818a358 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x817a8f8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81395b0 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x817a8f8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81395b0 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x817a8f8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813db98 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813db98 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8141870 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8141870 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818b820 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818b820 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8141870 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x8141870 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 
0x8172498 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [authorizedService] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 384 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 384 timeout 6 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815b6d8], ldap[0x81658f8] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_op_destructor] 
(0x2000): Operation 387 finished (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813d7b8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813d7b8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813d7b8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813d7b8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8187a08 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8141678 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8187a08 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8141678 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8187a08 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813deb0 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813deb0 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8141cb0 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8141cb0 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8141cb0 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813ddf0 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813ddf0 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813ddf0 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x813ddf0 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x8172498 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813ddf0 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8141cb0 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813ddf0 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8141cb0 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 
0x813ddf0 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8141cb0 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [authorizedService] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 388 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 388 timeout 6 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. 
(Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1002][FAST BE_REQ_GROUP][1][name=admin] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=admin)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=example,dc=org]. 
(Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [posixGroup] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaExternalMember] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 389 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 389 timeout 6 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815b6d8], ldap[0x81658f8] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:37 2017) 
[sssd[be[example.org]]] [sdap_op_destructor] (0x2000): Operation 388 finished (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x816fac8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x816fb28 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x816fac8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x816fb28 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x816fac8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818b860 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813d7b8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818b860 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813d7b8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818b860 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818aed8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813d7b8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818aed8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813d7b8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818aed8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813f5d8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818aed8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x813f5d8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818aed8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813f5d8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813f5d8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813f5d8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813dec0 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x813dec0 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8172498 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813dec0 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813f5d8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813dec0 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x813f5d8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x813dec0 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813f5d8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815b6d8], ldap[0x81658f8] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_op_destructor] (0x2000): Operation 389 finished (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results. 
(Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813f5d8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x813f5d8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813f5d8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813f5d8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813f5d8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 3,0,Account info lookup failed (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813dec0 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813f5d8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x813dec0 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813f5d8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813dec0 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with 
base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 390 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 390 timeout 6 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. 
(Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=user] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8140030 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818a3f8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8140030 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818a3f8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8140030 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=user)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. 
(Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 391 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 391 timeout 6 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x8142060], ldap[0x81658f8] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_op_destructor] (0x2000): Operation 390 finished (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81667a8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8144b20 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81667a8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8144b20 "ltdb_timeout" (Wed May 10 22:48:37 2017) 
[sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81667a8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8144b20 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81667a8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8144b20 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81667a8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8144b20 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172238 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8144b20 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8144b20 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81667a8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172238 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81667a8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8172238 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81667a8 "ltdb_callback" 
(Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172238 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8144b20 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8144b20 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8144b20 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8144b20 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8172498 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8144b20 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:37 2017) 
[sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81667a8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81667a8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x8142060], ldap[0x81658f8] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_op_destructor] (0x2000): Operation 391 finished (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172238 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:37 
2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8172498 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81667a8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81667a8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [user] found. (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8140488 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8140488 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81667a8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81667a8 
"ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [user] in cache (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [user] [2]: No such file or directory. (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172238 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81667a8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81667a8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=user)) (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81667a8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81667a8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:37 
2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818b820 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81667a8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818b820 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81667a8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818b820 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. 
(Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818b820 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818b820 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818b820 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. 
(Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:37 2017) [sssd[be[example.org]]] 
Requesting attrs: [authorizedService] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 396 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 396 timeout 6 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815b6d8], ldap[0x81658f8] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_op_destructor] 
(0x2000): Operation 395 finished (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 0 results. (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8141570 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81667a8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8141570 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81667a8 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8141570 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_delete_group] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818b820 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818b820 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. 
Returned 3,0,Account info lookup failed (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815b6d8], ldap[0x81658f8] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815b6d8], ldap[0x81658f8] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_op_destructor] (0x2000): Operation 396 finished (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818b820 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818b820 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818b820 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] 
(0x4000): Destroying timer event 0x818b820 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8141130 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81395b0 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8141130 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81395b0 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8141130 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8143958 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8143958 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172498 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8172498 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8143958 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8143958 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8143958 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8143958 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x8143958 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81667a8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 
0x81667a8 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [authorizedService] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 397 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 397 timeout 6 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815b6d8], ldap[0x81658f8] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_op_destructor] 
(0x2000): Operation 397 finished (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818a358 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813dfe8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818a358 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813dfe8 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818a358 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81395b0 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818a358 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81395b0 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818a358 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81395b0 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81395b0 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x816fac8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81395b0 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x816fac8 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81395b0 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813d5e0 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8141728 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x813d5e0 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8141728 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813d5e0 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x817adb0 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81395b0 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x817adb0 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81395b0 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x817adb0 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x817adb0 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818b820 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x817adb0 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818b820 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x817adb0 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x817adb0 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81395b0 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x817adb0 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x81395b0 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x817adb0 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x817adb0 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [authorizedService] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 401 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 401 timeout 6 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815b6d8], ldap[0x81658f8] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_op_destructor] 
(0x2000): Operation 401 finished (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813d7b8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813d7b8 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813d7b8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813d7b8 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813dcf8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81395b0 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x813dcf8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81395b0 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813dcf8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x816fac8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x816fac8 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815ac90 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x816fac8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x816fac8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x816fac8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x816fac8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x816fac8 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 
0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [authorizedService] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 402 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 402 timeout 6 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x8172498], ldap[0x81658f8] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_op_destructor] 
(0x2000): Operation 402 finished (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818cfd0 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818cfd0 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81395b0 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81395b0 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8142058 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8141410 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8142058 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8141410 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8142058 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8171578 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8171578 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815ac90 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8144b20 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172498 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8144b20 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8172498 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8144b20 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8144b20 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x8144b20 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 
0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [authorizedService] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 403 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 403 timeout 6 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x8172498], ldap[0x81658f8] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_op_destructor] 
(0x2000): Operation 403 finished (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818cfd0 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818cfd0 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172498 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8172498 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8144b20 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8144b20 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8144b20 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8144b20 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8144b20 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8187a08 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8144b20 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8187a08 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8144b20 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8187a08 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8144b20 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8144b20 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172238 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8144b20 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x8144b20 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8144b20 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8187a08 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8144b20 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 
0x8187a08 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8144b20 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [authorizedService] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 404 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 404 timeout 6 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x818cfd8], ldap[0x81658f8] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_op_destructor] 
(0x2000): Operation 404 finished (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818cfd8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818cfd8 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818cfd8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172498 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8172498 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8141e68 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818aed8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8141e68 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818aed8 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8141e68 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813d6c8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172498 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x813d6c8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8172498 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813d6c8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818cfd8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813d6c8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813d6c8 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818cfd8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818cfd8 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813d6c8 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172498 (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x813d6c8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x8172498 "ltdb_timeout" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813d6c8 "ltdb_callback" (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:38 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818cfd8 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172498 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 
0x8172498 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [authorizedService] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 405 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 405 timeout 6 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x818cfd8], ldap[0x81658f8] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_op_destructor] 
(0x2000): Operation 405 finished (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818cfd8 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818a358 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818a358 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818cfd8 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81395b0 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81395b0 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81395b0 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813df40 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81395b0 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813df40 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81395b0 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81715b8 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81715b8 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815ac90 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818b820 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818b820 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818b820 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818b820 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x818b820 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172498 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 
0x8172498 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [authorizedService] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 409 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 409 timeout 6 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x8172498], ldap[0x81658f8] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_op_destructor] 
(0x2000): Operation 409 finished (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813df48 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818cfd8 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x813df48 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818cfd8 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813df48 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818cfd8 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815ac90 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818cfd8 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8189ff8 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8189ff8 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818cfd8 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815ac90 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818cfd8 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8144b20 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8144b20 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8144b20 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81418b0 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8144b20 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81418b0 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8144b20 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81418b0 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818cfd8 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81418b0 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x818cfd8 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81418b0 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81418b0 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81418b0 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 
0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81418b0 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [authorizedService] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 410 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 410 timeout 6 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_op_destructor] 
(0x2000): Operation 410 finished (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x818a358 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8145288 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x818a358 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8145288 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x818a358 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x81395b0 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818a358 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x81395b0 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818a358 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x81395b0 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x817adb0 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x817adb0 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815ac90 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x815ac90 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813d6b8 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813d6b8 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x813d6b8 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172238 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x813d6b8 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8172238 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x813d6b8 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172238 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8172498 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x8172498 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172238 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 
0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172238 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [authorizedService] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 414 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 414 timeout 6 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x815ac90], ldap[0x81658f8] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_op_destructor] 
(0x2000): Operation 414 finished (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x8141870 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x8141870 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818a358 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818a358 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x817a8f8 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x817a8f8 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_entry_by_sid_str] (0x0400): No such entry (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x813dc18 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x813dc18 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_object_by_str_attr] (0x0400): No such entry. (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_get_real_name] (0x0040): Cannot find user [gdm] in cache (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [gdm] [2]: No such file or directory. 
(Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815b6d8 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x817a8f8 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x817a8f8 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815b6d8 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=gdm)) (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x817a8f8 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x817a8f8 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_groups] (0x2000): No such entry (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory) (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x815ac90 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x817a8f8 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying 
timer event 0x817a8f8 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x815ac90 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_by_name] (0x0400): No such entry (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,0,Account info lookup failed (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[(nil)], ldap[0x81658f8] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): dbus conn: 0x8160918 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [be_get_account_info] (0x0200): Got request for [0x1003][FAST BE_REQ_INITGROUPS][1][name=gdm] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [be_req_set_domain] (0x0400): Changing request domain from [example.org] to [example.org] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x815b6d8 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 
0x815b6d8 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_initgr_send] (0x4000): Retrieving info for initgroups call (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=example,dc=org] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_print_server] (0x2000): Searching 192.168.4.104 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gdm)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=example,dc=org]. (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUniqueID] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): 
Requesting attrs: [authorizedService] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaUserAuthType] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 415 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_op_add] (0x2000): New operation 415 timeout 6 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_process_result] (0x2000): Trace: sh[0x8165508], connected[1], ops[0x8172498], ldap[0x81658f8] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_op_destructor] 
(0x2000): Operation 415 finished (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_get_initgr_user] (0x4000): Receiving info for the user (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x818cfd0 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x818cfd0 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x8172498 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x81395b0 (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Running timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Destroying timer event 0x81395b0 "ltdb_timeout" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [ldb] (0x4000): Ending timer event 0x8172498 "ltdb_callback" (Wed May 10 22:48:39 2017) [sssd[be[example.org]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [gdm] found. 
(Wed May 10 22:48:37 2017) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [vmuser1 at example.org] (Wed May 10 22:48:37 2017) [sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x87e3be0 (Wed May 10 22:48:37 2017) [sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x87e3950 (Wed May 10 22:48:37 2017) [sssd[pam]] [ldb] (0x4000): Running timer event 0x87e3be0 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[pam]] [ldb] (0x4000): Destroying timer event 0x87e3950 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[pam]] [ldb] (0x4000): Ending timer event 0x87e3be0 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [vmuser1 at example.org] (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data: (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_CLOSE_SESSION (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: example.org (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): user: vmuser1 (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): service: gdm-password (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/tty2 (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0 (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 1768 (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: vmuser1 (Wed May 10 22:48:37 2017) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x87f02f0 (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): 
pam_dp_send_req returned 0 (Wed May 10 22:48:37 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x87f02f0 (Wed May 10 22:48:37 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x87dfd98 (Wed May 10 22:48:37 2017) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][example.org] (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success. (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 28 (Wed May 10 22:48:37 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x87e3c70][20] (Wed May 10 22:48:37 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x87e3c70][20] (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_cmd_setcred] (0x0100): entering pam_cmd_setcred (Wed May 10 22:48:37 2017) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'vmuser1' matched without domain, user is vmuser1 (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_SETCRED (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: not set (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): user: vmuser1 (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): service: gdm-password (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/tty2 (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0 (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 1768 (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: vmuser1 
(Wed May 10 22:48:37 2017) [sssd[pam]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/example.org/vmuser1] (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_initgr_check_timeout] (0x2000): User [vmuser1] found in PAM cache. (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [vmuser1 at example.org] (Wed May 10 22:48:37 2017) [sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x87e46b8 (Wed May 10 22:48:37 2017) [sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x87e3950 (Wed May 10 22:48:37 2017) [sssd[pam]] [ldb] (0x4000): Running timer event 0x87e46b8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[pam]] [ldb] (0x4000): Destroying timer event 0x87e3950 "ltdb_timeout" (Wed May 10 22:48:37 2017) [sssd[pam]] [ldb] (0x4000): Ending timer event 0x87e46b8 "ltdb_callback" (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [vmuser1 at example.org] (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data: (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_SETCRED (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): domain: example.org (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): user: vmuser1 (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): service: gdm-password (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/tty2 (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0 (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 
1768 (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: vmuser1 (Wed May 10 22:48:37 2017) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x87e3d38 (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0 (Wed May 10 22:48:37 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x87e3d38 (Wed May 10 22:48:37 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x87dfd98 (Wed May 10 22:48:37 2017) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [0 (Success)][example.org] (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success. (Wed May 10 22:48:37 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 28 (Wed May 10 22:48:37 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x87e3c70][20] (Wed May 10 22:48:37 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x87e3c70][20] (Wed May 10 22:48:37 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected! (Wed May 10 22:48:37 2017) [sssd[pam]] [client_destructor] (0x2000): Terminated client [0x87e3c70][20] (Wed May 10 22:48:38 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x87e0cd0 (Wed May 10 22:48:38 2017) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching. (Wed May 10 22:48:38 2017) [sssd[pam]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service (Wed May 10 22:48:38 2017) [sssd[pam]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed May 10 22:48:38 2017) [sssd[pam]] [pam_initgr_cache_remove] (0x2000): [vmuser1] removed from PAM initgroup cache (Wed May 10 22:48:48 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x87e0cd0 (Wed May 10 22:48:48 2017) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching. 
From sbose at redhat.com Thu May 11 11:54:28 2017
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 11 May 2017 13:54:28 +0200
Subject: [Freeipa-users] Authenticate on GNOME display manager with freeipa
In-Reply-To: <4e4cd5a1-7446-12d1-cbe7-33ee689fda94@gmail.com>
References: <2a46b93e-5068-3bc4-9209-f1245faa71a9@gmail.com> <20170510194216.GC17159@p.Speedport_W_724V_Typ_A_05011603_00_011> <4e4cd5a1-7446-12d1-cbe7-33ee689fda94@gmail.com>
Message-ID: <20170511115428.GF17159@p.Speedport_W_724V_Typ_A_05011603_00_011>

On Thu, May 11, 2017 at 01:29:33PM +0200, tuxderlinuxfuchs77 at gmail.com wrote:
> Hello,
>
> I have attached the requested files.

The logs indicate that access was granted by SSSD and that gdm even
called pam_open_session. Did gdm login work with the 'allow all' rule?
Are there any other hints in the system or gdm logs why gdm might have
failed?

bye,
Sumit

>
> Thanks in advance!
>
> On 10-May-17 9:42 PM, Sumit Bose wrote:
> > On Tue, May 09, 2017 at 11:12:13PM +0200, tuxderlinuxfuchs77 at gmail.com wrote:
> >> Hello everyone,
> >>
> >> I set up my freeIPA instance and it works very well for my client
> >> computers (Ubuntu Desktop 16.04.2 LTS), I can login via SSH using a
> >> freeIPA managed user account.
> >>
> >> My own HBAC rule also works for that. I disabled the "allow all" rule
> >> and created my own one. Works fine for SSH.
> >>
> >> But I cannot login to the GNOME 3 Desktop on the client. I used the
> >> netinstall ISO image of Ubuntu. During installation, I have chosen
> >> "Ubuntu GNOME Desktop" as the only desktop.
> >>
> >> So my display manager is gdm3.
> >>
> >> I added the "gdm" and "gdm-password" services to my HBAC rule.
> >> To be on the safe side, I rebooted the client machine. But I still can't
> >> login to the GNOME Desktop with an account that can login via SSH.
> >>
> >> So the services in my rule are
> >>
> >> login, gdm, gdm-password
> >>
> >> If you need any logs or other information, I will provide them.
> > Please send sssd_pam.log and sssd_domain.name.log with debug_level=10 in
> > the [pam] and [domain/...] section of sssd.conf.
> >
> > bye,
> > Sumit
> >
> >>
> >> Thanks in advance!
> >>
> >>
> >>
> >>
> >> --
> >> Manage your subscription for the Freeipa-users mailing list:
> >> https://www.redhat.com/mailman/listinfo/freeipa-users
> >> Go to http://freeipa.org for more info on the project
>

From michael.plemmons at crosschx.com Thu May 11 12:35:00 2017
From: michael.plemmons at crosschx.com (Michael Plemmons)
Date: Thu, 11 May 2017 08:35:00 -0400
Subject: [Freeipa-users] Domain Levels
In-Reply-To:
References:
Message-ID:

Thank you for the reply. Is there a specific order I should perform the
DL upgrade? Should I upgrade the master first then the replicas? Does the
IPA service need to be restarted after the DL upgrade?

*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614.427.2411
mike.plemmons at crosschx.com
www.crosschx.com

On Thu, May 11, 2017 at 4:13 AM, Martin Bašti wrote:

>
>
> On 10.05.2017 22:42, Michael Plemmons wrote:
>
> I am currently running 4.4.0 on a three node cluster. My domain level is
> currently 0 on all three nodes. Is there a reason to keep the domain level
> at 0? I do not plan on adding any older versions of IPA into the cluster.
> Is there anything I need to worry about if I elevate the domain level to 1?
>
> My current setup is the server A is the master and B and C are replicas.
> I do not have replication agreements between B and C and I am looking into
> creating those agreements. If I increase the domain level do I have to
> handle anything differently if I add the B to C replication agreement?
>
>
>
> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX *
> 614.427.2411
> mike.plemmons at crosschx.com
> www.crosschx.com
>
>
>
> Hello,
> we recommend to raise DL to 1, it opens new functionality.
>
> With DL1 you can create that replication agreement via webUI, and you will
> see your replication topology, so no more ipa-replica-manage for connecting
> replicas.
>
> Martin
>
> --
> Martin Bašti
> Software Engineer
> Red Hat Czech
>
>

From walter.berkouwer at sogeti.com Thu May 11 13:07:25 2017
From: walter.berkouwer at sogeti.com (Berkouwer, Walter)
Date: Thu, 11 May 2017 13:07:25 +0000
Subject: [Freeipa-users] Preauth module encrypted_challenge Cannot read password
Message-ID: <42DA515BFFD95043B6254FD3F348710D215FF476@DE-CM-MBX08.corp.capgemini.com>

Hello

I am trying to set up an IPA configuration at a remote site. I got the ssh-connection working with a 6.6 client ( ipa-client version 3.0.0), but I can't get it working with a 7.3 client ( ipa-client version 4.4.0 ).

Version of the server is 4.4.0.

Can someone help me with this problem?

From the logfiles I got the following messages.
/var/log/secure:

May 11 13:05:10 edsnfmwsv009 sshd[14026]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.72.145 user=berkouwa
May 11 13:05:10 edsnfmwsv009 sshd[14026]: pam_sss(sshd:auth): received for user berkouwa: 17 (Failure setting user credentials)
May 11 13:05:10 edsnfmwsv009 sshd[14021]: error: PAM: Authentication failure for berkouwa from 192.168.72.145
May 11 13:05:10 edsnfmwsv009 sshd[14021]: Postponed keyboard-interactive for berkouwa from 192.168.72.145 port 51772 ssh2 [preauth]

/var/log/sssd/krb5_child.log:

(Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [sss_child_krb5_trace_cb] (0x4000): [14030] 1494500710.640900: Received cookie: MIT

(Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [sss_krb5_responder] (0x4000): Got question [password].
(Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
(Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for berkouwa at EDSN.LOCAL].
(Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [sss_child_krb5_trace_cb] (0x4000): [14030] 1494500710.640958: Preauth module encrypted_challenge (138) (real) returned: -1765328254/Cannot read password

(Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [-1765328254} during pre-auth.
(Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [k5c_send_data] (0x0200): Received error code 0
(Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [pack_response_packet] (0x2000): response packet size: [12]
(Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [k5c_send_data] (0x4000): Response sent.
(Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [main] (0x0400): krb5_child completed successfully

I placed the full logfiles and the sssd.conf here: https://drive.google.com/open?id=0B66tVXzcZy1CdFZNb1dvUjk4Tnc

Walter

From sbose at redhat.com Thu May 11 13:33:10 2017
From: sbose at redhat.com (Sumit Bose)
Date: Thu, 11 May 2017 15:33:10 +0200
Subject: [Freeipa-users] Preauth module encrypted_challenge Cannot read password
In-Reply-To: <42DA515BFFD95043B6254FD3F348710D215FF476@DE-CM-MBX08.corp.capgemini.com>
References: <42DA515BFFD95043B6254FD3F348710D215FF476@DE-CM-MBX08.corp.capgemini.com>
Message-ID: <20170511133310.GG17159@p.Speedport_W_724V_Typ_A_05011603_00_011>

On Thu, May 11, 2017 at 01:07:25PM +0000, Berkouwer, Walter wrote:
> Hello
>
> I am trying to set up an IPA configuration at a remote site. I got the ssh-connection working with a 6.6 client ( ipa-client version 3.0.0), but I can't get it working with a 7.3 client ( ipa-client version 4.4.0 ).
>
> Version of the server is 4.4.0.
>
> Can someone help me with this problem?
>
> From the logfiles I got the following messages.
> /var/log/secure:
>
> May 11 13:05:10 edsnfmwsv009 sshd[14026]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.72.145 user=berkouwa
> May 11 13:05:10 edsnfmwsv009 sshd[14026]: pam_sss(sshd:auth): received for user berkouwa: 17 (Failure setting user credentials)
> May 11 13:05:10 edsnfmwsv009 sshd[14021]: error: PAM: Authentication failure for berkouwa from 192.168.72.145
> May 11 13:05:10 edsnfmwsv009 sshd[14021]: Postponed keyboard-interactive for berkouwa from 192.168.72.145 port 51772 ssh2 [preauth]
>
> /var/log/sssd/krb5_child.log:
>
> (Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [sss_child_krb5_trace_cb] (0x4000): [14030] 1494500710.640900: Received cookie: MIT
>
> (Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [sss_krb5_responder] (0x4000): Got question [password].
> (Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
> (Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
> (Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for berkouwa at EDSN.LOCAL].
> (Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [sss_child_krb5_trace_cb] (0x4000): [14030] 1494500710.640958: Preauth module encrypted_challenge (138) (real) returned: -1765328254/Cannot read password
>
> (Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [-1765328254} during pre-auth.

Errors are expected during the pre-auth phase, I guess I should make the
debug message more clear about it.
The actual error is:

[[sssd[krb5_child[17076]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1750600185][Invalid UID in persistent keyring name]

Please check your /etc/krb5.conf if accidentally there are some
additional config options on the same line as
'default_ccache_name = KEYRING:persistent:%{uid}'.

HTH

bye,
Sumit

> (Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [k5c_send_data] (0x0200): Received error code 0
> (Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [pack_response_packet] (0x2000): response packet size: [12]
> (Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [k5c_send_data] (0x4000): Response sent.
> (Thu May 11 13:05:10 2017) [[sssd[krb5_child[14030]]]] [main] (0x0400): krb5_child completed successfully
>
> I placed the full logfiles and the sssd.conf here: https://drive.google.com/open?id=0B66tVXzcZy1CdFZNb1dvUjk4Tnc
>
> Walter

> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

From mbasti at redhat.com Thu May 11 14:11:55 2017
From: mbasti at redhat.com (=?UTF-8?Q?Martin_Ba=c5=a1ti?=)
Date: Thu, 11 May 2017 16:11:55 +0200
Subject: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7
In-Reply-To:
References: <17824237-3beb-a5c1-0d6c-d9a1051eddce@redhat.com>
Message-ID:

Please keep freeipa-users in CC

Snapshot is always better, so I suggest to use it. Otherwise there is an
option --ignore-last-of-role to unblock uninstallation.

Martin

On 11.05.2017 16:00, Robert L. Harris wrote:
>
> Looks like you hit it, apache didn't have a group:
>
> -- Logs begin at Wed 2017-05-10 19:56:27 MDT, end at Thu 2017-05-11 07:48:27 MDT. --
> May 10 20:36:00 ipa.rdlg.net systemd[1]: Starting The Apache HTTP Server...
> May 10 20:36:00 ipa.rdlg.net ipa-httpd-kdcproxy[28808]: ipa : INFO KDC proxy enabled
> May 10 20:36:00 ipa.rdlg.net httpd[28809]: AH00544: httpd: bad group name apache
> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
> May 10 20:36:00 ipa.rdlg.net kill[28812]: kill: cannot find process ""
> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: control process exited, code=exited status=1
> May 10 20:36:00 ipa.rdlg.net systemd[1]: Failed to start The Apache HTTP Server.
> May 10 20:36:00 ipa.rdlg.net systemd[1]: Unit httpd.service entered failed state.
> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service failed.
>
> Thanks, didn't know that command. I tried to continue the process:
>
> {0}:/root>ipa-server-install
>
> The log file for this installation can be found in /var/log/ipaserver-install.log
> ipa.ipapython.install.cli.install_tool(Server): ERROR IPA server is already configured on this system.
> If you want to reinstall the IPA server, please uninstall it first using 'ipa-server-install --uninstall'.
> ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
>
> root at ipa
> {1}:/root>ipa-server-install --uninstall
>
> This is a NON REVERSIBLE operation and will delete all data and configuration!
>
> Are you sure you want to continue with the uninstall procedure? [no]: yes
> ipa : ERROR Server removal aborted: Deleting this server is not allowed as it would leave your installation without a CA..
>
>
>
> This is a VM and I took a snapshot right before I started the install,
> so I can revert, just make sure to add the apache user before starting
> the install. Or if you have a better command to continue the
> clean-up/install.....
>
>
> On Thu, May 11, 2017 at 2:19 AM Martin Bašti wrote:
>
> Hello,
>
> comments inline
>
>
> On 11.05.2017 06:06, Robert L. Harris wrote:
>>
>> Sigh... Sorry, it's been a long day, I thought I put that log in
>> the first pastebin. It's in this one: https://pastebin.com/18PAXXNS
>
> Could you please provide journalctl -u httpd and
> /var/log/httpd/error_log ?
>
>
>
>>
>> Also,
>> Anyone else get the constant spam when mailing this list? Got
>> an address to block for it?
>
> Sorry for that, there is a bot mining public archives. We plan to
> resolve this issue but it may take time as we are not maintaining
> our mailman.
>
> Martin
>
>
>>
>> Robert
>>
>>
>>
>>
>> On Wed, May 10, 2017 at 9:56 PM Lachlan Musicman wrote:
>>
>> Robert, did you look in /var/log/ipaserver-install.log as it
>> says?
>>
>> Was there any other information?
>>
>> cheers
>> L.
>>
>> ------
>> "Mission Statement: To provide hope and inspiration for
>> collective action, to build collective power, to achieve
>> collective transformation, rooted in grief and rage but
>> pointed towards vision and dreams."
>>
>> - Patrice Cullors, /Black Lives Matter founder/
>>
>> On 11 May 2017 at 13:24, Robert L. Harris wrote:
>>
>> Ok, I gave up on Ubuntu. I'm now trying the latest
>> CentOS7. I built out a "minimal server" with some normal
>> base packages which did include the freeipa-client but
>> otherwise, just standard tools. Here's a pastebin of the
>> output of the install: https://pastebin.com/zAWCgkUU
>>
>> Robert
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>>
>>
>
> --
> Martin Bašti
> Software Engineer
> Red Hat Czech
>

--
Martin Bašti
Software Engineer
Red Hat Czech
From michael.plemmons at crosschx.com Thu May 11 14:53:24 2017
From: michael.plemmons at crosschx.com (Michael Plemmons)
Date: Thu, 11 May 2017 10:53:24 -0400
Subject: [Freeipa-users] Domain Levels
In-Reply-To:
References:
Message-ID:

I got my answer. I did not have to restart any services. I ran the
domainlevel-set command on the master and it propagated to all cluster
nodes. I verified this by running domainlevel-get on each server and they
all showed 1.

*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614.427.2411
mike.plemmons at crosschx.com
www.crosschx.com

On Thu, May 11, 2017 at 8:35 AM, Michael Plemmons <
michael.plemmons at crosschx.com> wrote:

> Thank you for the reply. Is there a specific order I should perform the
> DL upgrade? Should I upgrade the master first then the replicas? Does the
> IPA service need to be restarted after the DL upgrade?
>
>
>
>
> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
> 614.427.2411
> mike.plemmons at crosschx.com
> www.crosschx.com
>
> On Thu, May 11, 2017 at 4:13 AM, Martin Bašti wrote:
>
>>
>>
>> On 10.05.2017 22:42, Michael Plemmons wrote:
>>
>> I am currently running 4.4.0 on a three node cluster. My domain level is
>> currently 0 on all three nodes. Is there a reason to keep the domain level
>> at 0? I do not plan on adding any older versions of IPA into the cluster.
>> Is there anything I need to worry about if I elevate the domain level to 1?
>>
>> My current setup is the server A is the master and B and C are replicas.
>> I do not have replication agreements between B and C and I am looking into
>> creating those agreements. If I increase the domain level do I have to
>> handle anything differently if I add the B to C replication agreement?
>>
>>
>>
>> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX *
>> 614.427.2411
>> mike.plemmons at crosschx.com
>> www.crosschx.com
>>
>>
>>
>> Hello,
>> we recommend to raise DL to 1, it opens new functionality.
>>
>> With DL1 you can create that replication agreement via webUI, and you
>> will see your replication topology, so no more ipa-replica-manage for
>> connecting replicas.
>>
>> Martin
>>
>> --
>> Martin Bašti
>> Software Engineer
>> Red Hat Czech
>>
>>
>

From goranm at ecobee.com Thu May 11 16:53:49 2017
From: goranm at ecobee.com (Goran Marik)
Date: Thu, 11 May 2017 16:53:49 +0000
Subject: [Freeipa-users] Replica cannot be reinitialized after upgrade
Message-ID:

Hi,

After an upgrade to Centos 7.3.1611 with "yum update", we started seeing the following messages in the logs:

May 9 21:58:28 inf01 ns-slapd[4323]: [09/May/2017:21:58:28.519724479 +0000] NSMMReplicationPlugin - changelog program - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): CSN 576b34e8000a050f0000 not found, we aren't as up to date, or we purged
May 9 21:58:28 inf01 ns-slapd[4323]: [09/May/2017:21:58:28.550459233 +0000] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized.
May 9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.588245476 +0000] agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389) - Can't locate CSN 576b34e8000a050f0000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
May 9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.611400689 +0000] NSMMReplicationPlugin - changelog program - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): CSN 576b34e8000a050f0000 not found, we aren't as up to date, or we purged
May 9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.642226385 +0000] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized.

The log messages are pretty frequent, every few seconds, and report a few different CSN numbers that cannot be located. This happens only on one replica out of 4.

We've tried "ipa-replica-manage re-initialize --from" and "ipa-csreplica-manage re-initialize --from" several times, but while both commands report success, the log messages continue to happen. The server was rebooted and "systemctl restart ipa" was done a few times as well.

The replica seems to be working fine despite the errors, but I'm worried that the logs indicate an underlying problem we are not fully detecting. I would like to understand better what is triggering this behaviour and how to fix it, and if someone else saw them after a recent upgrade.

The software versions are 389-ds-base-1.3.5.10-20.el7_3.x86_64 and ipa-server-4.4.0-14.el7.centos.7.x86_64

Thanks,
Goran

--
Goran Marik
Senior Systems Developer
ecobee
250 University Ave, Suite 400
Toronto, ON M5H 3E5

From robert.l.harris at gmail.com Thu May 11 20:23:15 2017
From: robert.l.harris at gmail.com (Robert L. Harris)
Date: Thu, 11 May 2017 20:23:15 +0000
Subject: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7
In-Reply-To:
References: <17824237-3beb-a5c1-0d6c-d9a1051eddce@redhat.com>
Message-ID:

Odd, must have clicked reply instead of reply-all.

Anyway, I did the revert and re-install. Actual install went through fine
then the "ipa-server-install" ran until this:

[8/9]: restoring configuration
[9/9]: starting directory server
Done.
Restarting the directory server
Restarting the KDC
Please add records in this file to your DNS system: /tmp/ipa.system.records.v5Jwrt.db
Restarting the web server
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: ipa.rdlg.net
Realm: RDLG.NET
DNS Domain: rdlg.net
IPA Server: ipa.rdlg.net
BaseDN: dc=rdlg,dc=net

Skipping synchronizing time with NTP server.
New SSSD config will be created Configured sudoers in /etc/nsswitch.conf Configured /etc/sssd/sssd.conf trying https://ipa.rdlg.net/ipa/json Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json' It's been sitting there for a while ( 4 hours? ) I don't see anything in the ipaserver-install.log, but it's here: https://pastebin.com/biK1Dmv7 On Thu, May 11, 2017 at 8:12 AM Martin Bašti wrote: > Please keep freeipa-users in CC > > Snapshot is always better, so I suggest to use it. Otherwise there is an > option --ignore-last-of-role to unblock uninstallation. > > Martin > > On 11.05.2017 16:00, Robert L. Harris wrote: > > > Looks like you hit it, apache didn't have a group: > > -- Logs begin at Wed 2017-05-10 19:56:27 MDT, end at Thu 2017-05-11 > 07:48:27 MDT. -- > May 10 20:36:00 ipa.rdlg.net systemd[1]: Starting The Apache HTTP > Server... > May 10 20:36:00 ipa.rdlg.net ipa-httpd-kdcproxy[28808]: ipa : > INFO KDC proxy enabled > May 10 20:36:00 ipa.rdlg.net httpd[28809]: AH00544: httpd: bad group name > apache > May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: main process > exited, code=exited, status=1/FAILURE > May 10 20:36:00 ipa.rdlg.net kill[28812]: kill: cannot find process "" > May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: control process > exited, code=exited status=1 > May 10 20:36:00 ipa.rdlg.net systemd[1]: Failed to start The Apache HTTP > Server. > May 10 20:36:00 ipa.rdlg.net systemd[1]: Unit httpd.service entered > failed state. > May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service failed. > > Thanks, didn't know that command. I tried to continue the process: > > {0}:/root>ipa-server-install > > The log file for this installation can be found in > /var/log/ipaserver-install.log > ipa.ipapython.install.cli.install_tool(Server): ERROR IPA server is > already configured on this system. > If you want to reinstall the IPA server, please uninstall it first using > 'ipa-server-install --uninstall'.
> ipa.ipapython.install.cli.install_tool(Server): ERROR The > ipa-server-install command failed. See /var/log/ipaserver-install.log for > more information > > root at ipa > {1}:/root>ipa-server-install --uninstall > > This is a NON REVERSIBLE operation and will delete all data and > configuration! > > Are you sure you want to continue with the uninstall procedure? [no]: yes > ipa : ERROR Server removal aborted: Deleting this server is not > allowed as it would leave your installation without a CA.. > > > > This is a VM and I took a snapshot right before I started the install, so > I can revert, just make sure to add the apache user before starting the > install. Or if you have a better command to continue the > clean-up/install..... > > > On Thu, May 11, 2017 at 2:19 AM Martin Bašti wrote: > >> Hello, >> >> comments inline >> >> On 11.05.2017 06:06, Robert L. Harris wrote: >> >> >> Sigh... Sorry, it's been a long day, I thought I put that log in the >> first pastebin. It's in this one: https://pastebin.com/18PAXXNS >> >> >> Could you please provide journalctl -u httpd and /var/log/httpd/error_log >> ? >> >> >> >> >> Also, >> Anyone else get the constant spam when mailing this list? Got an >> address to block for it? >> >> >> Sorry for that, there is a bot mining public archives. We plan to resolve >> this issue but it may take time as we are not maintaining our mailman. >> >> Martin >> >> >> >> Robert >> >> >> >> >> On Wed, May 10, 2017 at 9:56 PM Lachlan Musicman >> wrote: >> >>> Robert, did you look in /var/log/ipaserver-install.log as it says? >>> >>> Was there any other information? >>> >>> cheers >>> L. >>> >>> ------ >>> "Mission Statement: To provide hope and inspiration for collective >>> action, to build collective power, to achieve collective transformation, >>> rooted in grief and rage but pointed towards vision and dreams." >>> >>> - Patrice Cullors, *Black Lives Matter founder* >>> >>> On 11 May 2017 at 13:24, Robert L.
Harris >>> wrote: >>> >>>> Ok, I gave up on Ubuntu. I'm now trying the latest CentOS7. I built >>>> out a "minimal server" with some normal base packages which did include the >>>> freeipa-client but otherwise, just standard tools. Here's a pastebin of >>>> the output of the install: https://pastebin.com/zAWCgkUU >>>> >>>> Robert >>>> >>>> >>>> -- >>>> Manage your subscription for the Freeipa-users mailing list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> Go to http://freeipa.org for more info on the project >>>> >>> >>> -- >>> Manage your subscription for the Freeipa-users mailing list: >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> Go to http://freeipa.org for more info on the project >> >> >> >> >> -- >> Martin Bašti >> Software Engineer >> Red Hat Czech >> >> > -- > Martin Bašti > Software Engineer > Red Hat Czech > > From tuxderlinuxfuchs77 at gmail.com Thu May 11 22:50:08 2017 From: tuxderlinuxfuchs77 at gmail.com (tuxderlinuxfuchs77 at gmail.com) Date: Fri, 12 May 2017 00:50:08 +0200 Subject: [Freeipa-users] Authenticate on GNOME display manager with freeipa In-Reply-To: <20170511115428.GF17159@p.Speedport_W_724V_Typ_A_05011603_00_011> References: <2a46b93e-5068-3bc4-9209-f1245faa71a9@gmail.com> <20170510194216.GC17159@p.Speedport_W_724V_Typ_A_05011603_00_011> <4e4cd5a1-7446-12d1-cbe7-33ee689fda94@gmail.com> <20170511115428.GF17159@p.Speedport_W_724V_Typ_A_05011603_00_011> Message-ID: I have attached the syslog with gdm debug mode enabled On 11-May-17 1:54 PM, Sumit Bose wrote: > On Thu, May 11, 2017 at 01:29:33PM +0200, tuxderlinuxfuchs77 at gmail.com wrote: >> Hello, >> >> I have attached the requested files. > The logs indicate that access was granted by SSSD and that gdm even > called pam_open_session. > > Did gdm login worked with the 'allow all' rule? Are there any other > hints in the system or gdm logs with gdm might have failed?
> > bye, > Sumit > >> Thanks in advance! >> >> On 10-May-17 9:42 PM, Sumit Bose wrote: >>> On Tue, May 09, 2017 at 11:12:13PM +0200, tuxderlinuxfuchs77 at gmail.com wrote: >>>> Hello everyone, >>>> >>>> I set up my freeIPA instance and it works very well for my client >>>> computers (Ubuntu Desktop 16.04.2 LTS), I can login via SSH using a >>>> freeIPA managed user account. >>>> >>>> My own HBAC rule also works for that. I disabled the "allow all" rule >>>> and created my own one. Works fine for SSH. >>>> >>>> But I cannot login to the GNOME 3 Desktop on the client. I used the >>>> netinstall ISO image of Ubuntu. During installation, I have chosen >>>> "Ubuntu GNOME Desktop" as the only desktop. >>>> >>>> So my display manager is gdm3. >>>> >>>> I added the "gdm" and "gdm-password" services to my HBAC rule. To be on >>>> the safe side, I rebooted the client machine. But I still can't login to >>>> the GNOME Desktop with an account that can login via SSH. >>>> >>>> So the services in my rule are >>>> >>>> login, gdm, gdm-password >>>> >>>> If you need any logs or other information, I will provide them. >>> Please send sssd_pam.log and sssd_domain.name.log with debug_level=10 in >>> the [pam] and [domain/...] section of sssd.conf. >>> >>> bye, >>> Sumit >>> >>>> Thanks in advance! >>>> >>>> >>>> >>>> >>>> -- >>>> Manage your subscription for the Freeipa-users mailing list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> Go to http://freeipa.org for more info on the project -------------- next part -------------- May 11 23:41:44 ubugdm systemd[1189]: Time has been changed May 11 23:41:44 ubugdm systemd[1387]: Time has been changed May 11 23:41:44 ubugdm systemd[1]: Time has been changed May 11 23:41:44 ubugdm systemd[1]: snapd.refresh.timer: Adding 1h 29min 52.376524s random time. May 11 23:41:44 ubugdm systemd[1]: snapd.refresh.timer: Adding 3h 33min 1.143840s random time.
May 11 23:41:44 ubugdm systemd[1]: apt-daily.timer: Adding 9h 27min 47.330771s random time. May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (II) systemd-logind: got resume for 13:68 May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (WW) FBDEV(0): FBIOPAN_DISPLAY: Invalid argument May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (II) systemd-logind: got resume for 13:67 May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (II) systemd-logind: got resume for 13:66 May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (II) systemd-logind: got resume for 13:65 May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: gnome-session-binary[1204]: DEBUG(+): emitting SessionIsActive May 11 23:41:48 ubugdm gnome-session-binary[1204]: DEBUG(+): emitting SessionIsActive May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (II) systemd-logind: got resume for 13:64 May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (gnome-settings-daemon:1225): color-plugin-WARNING **: unable to get EDID for xrandr-default: unable to get EDID for output May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: The XKEYBOARD keymap compiler (xkbcomp) reports: May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: > Warning: Type "ONE_LEVEL" has 1 levels, but has 2 symbols May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: > Ignoring extra symbols May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: Errors from xkbcomp are not fatal to the X server May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: The XKEYBOARD keymap compiler (xkbcomp) reports: May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: > Warning: Type "ONE_LEVEL" has 1 levels, but has 2 symbols May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: > Ignoring extra symbols May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: Errors from xkbcomp are not fatal to the X server May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: The XKEYBOARD keymap 
compiler (xkbcomp) reports: May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: > Warning: Type "ONE_LEVEL" has 1 levels, but has 2 symbols May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: > Ignoring extra symbols May 11 23:41:48 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: Errors from xkbcomp are not fatal to the X server May 11 23:41:49 ubugdm systemd[1]: Time has been changed May 11 23:41:49 ubugdm systemd[1]: snapd.refresh.timer: Adding 5h 21min 18.851504s random time. May 11 23:41:49 ubugdm systemd[1]: snapd.refresh.timer: Adding 4h 29min 48.498665s random time. May 11 23:41:49 ubugdm systemd[1]: apt-daily.timer: Adding 1h 35min 49.309647s random time. May 11 23:41:49 ubugdm systemd[1387]: Time has been changed May 11 23:41:49 ubugdm systemd[1189]: Time has been changed May 11 23:41:50 ubugdm gdm3: GdmManager: trying to open reauthentication channel for user vmuser1 May 11 23:41:50 ubugdm gdm3: GdmSession: starting conversation gdm-password May 11 23:41:50 ubugdm gdm3: GdmSessionWorkerJob: Starting worker... 
May 11 23:41:50 ubugdm gdm3: GdmSessionWorkerJob: Running session_worker_job process: gdm-session-worker [pam/gdm-password] /usr/lib/gdm3/gdm-session-worker May 11 23:41:50 ubugdm gdm3: GdmSessionWorkerJob: : SessionWorkerJob on pid 1731 May 11 23:41:50 ubugdm gdm-password]: Enabling debugging May 11 23:41:50 ubugdm gdm-password]: GdmSessionWorker: connecting to address: unix:abstract=/tmp/dbus-GtqUdQIa May 11 23:41:50 ubugdm gdm3: GdmDBusServer: new connection 0x9e9ba50 May 11 23:41:50 ubugdm gdm3: GdmSession: Handling new connection from worker May 11 23:41:50 ubugdm gdm3: GdmSession: Authenticating new connection May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: calling 'ListCachedUsers' May 11 23:41:50 ubugdm gdm-password]: AccountsService: Failed to identify the current session: No such device or address May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: seat unloaded, so trying to set loaded property May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: Listing cached users, so not setting loaded property May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: Listing cached users, so not setting loaded property May 11 23:41:50 ubugdm gdm3: GdmSession: worker connection is 0x9e9ba50 May 11 23:41:50 ubugdm gdm3: GdmSession: Emitting conversation-started signal May 11 23:41:50 ubugdm gdm3: GdmManager: session conversation started for service gdm-password May 11 23:41:50 ubugdm gdm3: GdmSession: Setting user: 'vmuser1' May 11 23:41:50 ubugdm gdm3: GdmSession: Beginning setup for user vmuser1 May 11 23:41:50 ubugdm gdm3: GdmSession: getting session command for file 'gnome.desktop' May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: ListCachedUsers finished, will set loaded property after list is fully loaded May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: tracking new user with object path /org/freedesktop/Accounts/User1000 May 11 23:41:50 ubugdm 
gdm3: GdmSession: Conversation started May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: tracking new user with object path /org/freedesktop/Accounts/User126400004 May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: unrefing manager owned by finished ListCachedUsers call May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: trying to track new user with username vmuser1 May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: finding user 'vmuser1' state 1 May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: waiting for user manager to load before finding user 'vmuser1' May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: user user is now loaded May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: user user was not yet known, adding it May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: tracking user 'user' May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: not yet loaded, so not emitting user-added signal May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: not all users loaded yet May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: user vmuser1 is now loaded May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: user vmuser1 was not yet known, adding it May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: tracking user 'vmuser1' May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: not yet loaded, so not emitting user-added signal May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: no pending users, trying to set loaded property May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: Seat wouldn't load, so giving up on it and setting loaded property May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: user manager now loaded, proceeding with fetch user request for 
user 'vmuser1' May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: finding user 'vmuser1' state 2 May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: Looking for user 'vmuser1' in accounts service May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: sending user-changed signal for user vmuser1 May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: sent user-changed signal for user vmuser1 May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: updating user vmuser1 May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: Found object path of user 'vmuser1': /org/freedesktop/Accounts/User126400004 May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: finding user 'vmuser1' state 3 May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: user 'vmuser1' fetched May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: finished handling request for user 'vmuser1' May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: unrefing manager owned by fetch user request May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: user vmuser1 is now loaded May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: sessions changed (user vmuser1) num=0 May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: no pending users, trying to set loaded property May 11 23:41:50 ubugdm gdm-password]: AccountsService: ActUserManager: already loaded, so not setting loaded property May 11 23:41:50 ubugdm gdm-password]: GdmSessionSettings: saved session is May 11 23:41:50 ubugdm gdm-password]: GdmSessionWorker: Saved session is May 11 23:41:50 ubugdm gdm-password]: GdmSessionSettings: saved language is en_US May 11 23:41:50 ubugdm gdm-password]: GdmSessionWorker: Saved language is en_US May 11 23:41:50 ubugdm gdm-password]: GdmSessionWorker: queuing setup for user: vmuser1 May 11 23:41:50 ubugdm 
gdm-password]: GdmSessionWorker: attempting to change state to SETUP_COMPLETE May 11 23:41:50 ubugdm gdm-password]: GdmSessionWorker: initializing PAM; service=gdm-password username=vmuser1 seat=seat0 May 11 23:41:50 ubugdm gdm3: GdmSession: getting session command for file '.desktop' May 11 23:41:50 ubugdm gdm3: GdmSession: File '.desktop' not found: Valid key file could not be found in search dirs May 11 23:41:50 ubugdm gdm3: GdmSession: not using invalid .dmrc session: May 11 23:41:50 ubugdm gdm-password]: GdmSessionWorker: Set PAM environment variable: 'XDG_SEAT=seat0' May 11 23:41:50 ubugdm gdm-password]: GdmSessionWorker: state SETUP_COMPLETE May 11 23:41:50 ubugdm gdm-password]: GdmSessionWorker: attempting to change state to AUTHENTICATED May 11 23:41:50 ubugdm gdm-password]: GdmSessionWorker: authenticating user vmuser1 May 11 23:41:50 ubugdm gdm-password]: GdmSessionWorker: 1 new messages received from PAM May 11 23:41:50 ubugdm gdm-password]: GdmSessionWorker: username is 'vmuser1' May 11 23:41:50 ubugdm gdm-password]: GdmSessionWorker: old-username='vmuser1' new-username='vmuser1' May 11 23:41:50 ubugdm gdm-password]: GdmSessionWorker: received pam message of type 1 with payload 'Password: ' May 11 23:41:53 ubugdm gdm-password]: GdmSessionWorker: trying to get updated username May 11 23:41:53 ubugdm gdm-password]: GdmSessionWorker: PAM conversation returning 0: Success May 11 23:41:53 ubugdm kernel: [ 165.969923] audit: type=1400 audit(1494538913.855:35): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/run/systemd/users/126400004" pid=1735 comm="krb5_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 May 11 23:41:54 ubugdm gdm-password]: GdmSessionWorker: state AUTHENTICATED May 11 23:41:54 ubugdm gdm-password]: GdmSessionWorker: trying to get updated username May 11 23:41:54 ubugdm gdm-password]: GdmSessionWorker: username is 'vmuser1' May 11 23:41:54 ubugdm gdm-password]: GdmSessionWorker: old-username='vmuser1' 
new-username='vmuser1' May 11 23:41:54 ubugdm gdm-password]: GdmSessionWorker: attempting to change state to AUTHORIZED May 11 23:41:54 ubugdm gdm-password]: GdmSessionWorker: determining if authenticated user (password required:0) is authorized to session May 11 23:41:54 ubugdm systemd[1189]: Time has been changed May 11 23:41:54 ubugdm systemd[1387]: Time has been changed May 11 23:41:54 ubugdm systemd[1]: Time has been changed May 11 23:41:54 ubugdm systemd[1]: snapd.refresh.timer: Adding 5h 9min 10.307481s random time. May 11 23:41:54 ubugdm systemd[1]: snapd.refresh.timer: Adding 5h 36min 45.825869s random time. May 11 23:41:54 ubugdm systemd[1]: apt-daily.timer: Adding 10h 48min 24.084193s random time. May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: state AUTHORIZED May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: attempting to change state to ACCREDITED May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: Set PAM environment variable: 'LOGNAME=vmuser1' May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: Set PAM environment variable: 'USER=vmuser1' May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: Set PAM environment variable: 'USERNAME=vmuser1' May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: Set PAM environment variable: 'HOME=/home/vmuser1' May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: Set PAM environment variable: 'SHELL=/bin/sh' May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: Set PAM environment variable: 'PATH=/usr/local/bin:/usr/bin:/bin:/usr/games' May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: state ACCREDITED May 11 23:41:55 ubugdm gdm3: GdmSession: type (null), program? 
no, seat seat0 May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: session display mode set to new-vt May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: Set PAM environment variable: 'XDG_SESSION_TYPE=x11' May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: attempting to change state to ACCOUNT_DETAILS_SAVED May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: saving account details for user vmuser1 May 11 23:41:55 ubugdm accounts-daemon[966]: (accounts-daemon:966): GLib-GIO-CRITICAL **: g_dbus_method_invocation_return_value_internal: assertion 'G_IS_DBUS_METHOD_INVOCATION (invocation)' failed May 11 23:41:55 ubugdm gdm-password]: AccountsService: SetLanguage call failed: GDBus.Error:org.freedesktop.Accounts.Error.Failed: not access to HOME yet so language not saved May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: attempting to change state to SESSION_OPENED May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: Set PAM environment variable: 'XDG_VTNR=2' May 11 23:41:55 ubugdm gdm-password]: Trying script /etc/gdm3/PostLogin May 11 23:41:55 ubugdm gdm-password]: script /etc/gdm3/PostLogin not found; skipping May 11 23:41:55 ubugdm gdm-password]: Trying script /etc/gdm3/PostLogin/Default May 11 23:41:55 ubugdm gdm-password]: script /etc/gdm3/PostLogin/Default not found; skipping May 11 23:41:55 ubugdm gdm-password]: no script found May 11 23:41:55 ubugdm systemd[1]: Started Session 3 of user vmuser1. 
May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: gnome-session-binary[1204]: DEBUG(+): GsmSystemd: received logind signal: SessionNew May 11 23:41:55 ubugdm gnome-session-binary[1204]: DEBUG(+): GsmSystemd: received logind signal: SessionNew May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: gnome-session-binary[1204]: DEBUG(+): GsmSystemd: ignoring SessionNew signal May 11 23:41:55 ubugdm gnome-session-binary[1204]: DEBUG(+): GsmSystemd: ignoring SessionNew signal May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: state SESSION_OPENED May 11 23:41:55 ubugdm gdm-password]: Trying script /etc/gdm3/PreSession May 11 23:41:55 ubugdm gdm-password]: script /etc/gdm3/PreSession not found; skipping May 11 23:41:55 ubugdm gdm-password]: Trying script /etc/gdm3/PreSession/Default May 11 23:41:55 ubugdm gdm-password]: Running process: /etc/gdm3/PreSession/Default May 11 23:41:55 ubugdm gdm-password]: GdmSlave: script environment: DISPLAY= May 11 23:41:55 ubugdm gdm-password]: GdmSlave: script environment: HOME=/home/vmuser1 May 11 23:41:55 ubugdm gdm-password]: GdmSlave: script environment: RUNNING_UNDER_GDM=true May 11 23:41:55 ubugdm gdm-password]: GdmSlave: script environment: LOGNAME=vmuser1 May 11 23:41:55 ubugdm gdm-password]: GdmSlave: script environment: XAUTHORITY= May 11 23:41:55 ubugdm gdm-password]: GdmSlave: script environment: USERNAME=vmuser1 May 11 23:41:55 ubugdm gdm-password]: GdmSlave: script environment: PWD=/home/vmuser1 May 11 23:41:55 ubugdm gdm-password]: GdmSlave: script environment: USER=vmuser1 May 11 23:41:55 ubugdm gdm-password]: GdmSlave: script environment: SHELL=/bin/sh May 11 23:41:55 ubugdm gdm-password]: GdmSlave: script environment: PATH=/usr/local/bin:/usr/bin:/bin:/usr/games May 11 23:41:55 ubugdm gdm-password]: Process exit status: 0 May 11 23:41:55 ubugdm gdm3: GdmSession: Emitting 'session-opened' signal May 11 23:41:55 ubugdm gdm3: GdmManager: Will start session when ready May 11 23:41:55 ubugdm gdm3: GdmManager: 
start or jump to session May 11 23:41:55 ubugdm gdm3: GdmManager: migrated: 0 May 11 23:41:55 ubugdm gdm3: GdmSession: type (null), program? no, seat seat0 May 11 23:41:55 ubugdm gdm3: GdmManager: session has its display server, reusing our server for another login screen May 11 23:41:55 ubugdm gdm3: GdmSession: Creating D-Bus server for worker for session May 11 23:41:55 ubugdm gdm3: GdmSession: D-Bus server for workers listening on unix:abstract=/tmp/dbus-S6efSC9o May 11 23:41:55 ubugdm gdm3: GdmSession: Creating D-Bus server for greeters and such May 11 23:41:55 ubugdm gdm3: GdmSession: D-Bus server for greeters listening on unix:abstract=/tmp/dbus-3JN3fGfb May 11 23:41:55 ubugdm gdm3: GdmSession: Setting display device: (null) May 11 23:41:55 ubugdm gdm3: GdmDisplay: id: (null) May 11 23:41:55 ubugdm gdm3: GdmDisplay: seat id: (null) May 11 23:41:55 ubugdm gdm3: GdmDisplay: session class: greeter May 11 23:41:55 ubugdm gdm3: GdmDisplay: initial: no May 11 23:41:55 ubugdm gdm3: GdmDisplay: allow timed login: yes May 11 23:41:55 ubugdm gdm3: GdmDisplay: local: yes May 11 23:41:55 ubugdm gdm3: GdmDisplay: session class: user May 11 23:41:55 ubugdm gdm3: GdmDisplay: seat id: seat0 May 11 23:41:55 ubugdm gdm3: GdmDisplay: session id: 3 May 11 23:41:55 ubugdm gdm3: GdmDisplayStore: Adding display /org/gnome/DisplayManager/Displays/166430824 to store May 11 23:41:55 ubugdm gdm3: GdmSession: Stopping all conversations except for gdm-password May 11 23:41:55 ubugdm gdm3: GdmSession: type (null), program? 
no, seat seat0 May 11 23:41:55 ubugdm gdm3: GdmSession: getting session command for file 'gnome.desktop' May 11 23:41:55 ubugdm gdm3: message repeated 2 times: [ GdmSession: getting session command for file 'gnome.desktop'] May 11 23:41:55 ubugdm gdm3: GdmSession: checking if file 'gnome.desktop' is wayland session: no May 11 23:41:55 ubugdm gdm3: GdmSession: getting session command for file 'gnome.desktop' May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: gnome-session-binary[1204]: DEBUG(+): emitting SessionIsActive May 11 23:41:55 ubugdm gdm3: GdmSession: getting session command for file 'gnome.desktop' May 11 23:41:55 ubugdm gdm3: message repeated 3 times: [ GdmSession: getting session command for file 'gnome.desktop'] May 11 23:41:55 ubugdm gdm3: GdmSession: getting desktop names for file 'gnome.desktop' May 11 23:41:55 ubugdm gdm3: GdmSession: type (null), program? no, seat seat0 May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: Set PAM environment variable: 'LANG=en_US.UTF-8' May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: Set PAM environment variable: 'GDMSESSION=gnome' May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: Set PAM environment variable: 'XDG_SESSION_DESKTOP=gnome' May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (II) systemd-logind: got pause for 13:68 May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: Set PAM environment variable: 'DESKTOP_SESSION=gnome' May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: Set PAM environment variable: 'XDG_CURRENT_DESKTOP=GNOME' May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: start program: /usr/lib/gdm3/gdm-x-session --run-script "gnome-session --session=gnome" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (II) systemd-logind: got pause for 13:67 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (II) systemd-logind: got pause for 13:66 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (II) systemd-logind: got pause for 13:65 May 
11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (II) systemd-logind: got pause for 13:64 May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: attempting to change state to SESSION_STARTED May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: opening user session with program '/usr/lib/gdm3/gdm-x-session' May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: jumping to VT 2 May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: first setting graphics mode to prevent flicker May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: VT mode did not need to be fixed May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: session opened creating reply... May 11 23:41:55 ubugdm gdm-password]: GdmSessionWorker: state SESSION_STARTED May 11 23:41:55 ubugdm gdm-password]: GdmSession worker: watching pid 1741 May 11 23:41:55 ubugdm gdm3: GdmSession: Emitting 'session-started' signal with pid '1741' May 11 23:41:55 ubugdm gdm3: GdmManager: session started 1741 May 11 23:41:55 ubugdm gnome-session-binary[1204]: DEBUG(+): emitting SessionIsActive May 11 23:41:55 ubugdm gdm-x-session: Enabling debugging May 11 23:41:55 ubugdm gdm-x-session: Preparing auth file for X server May 11 23:41:55 ubugdm gdm-x-session: Running X server May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: _XSERVTransSocketUNIXCreateListener: ...SocketCreateListener() failed May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: _XSERVTransMakeAllCOTSServerListeners: server already running May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (--) Log file renamed from "/var/log/Xorg.pid-1743.log" to "/var/log/Xorg.1.log" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: X.Org X Server 1.18.4 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Release Date: 2016-07-19 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: X Protocol Version 11, Revision 0 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Build Operating System: Linux 4.4.0-45-generic i686 
Ubuntu May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Current Operating System: Linux ubugdm 4.4.0-77-generic #98-Ubuntu SMP Wed Apr 26 08:33:44 UTC 2017 i686 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Kernel command line: BOOT_IMAGE=/boot/vmlinuz-4.4.0-77-generic root=UUID=58a2f840-4ae7-4d11-9ae4-df108f6c1e79 ro splash quiet vt.handoff=7 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Build Date: 02 November 2016 10:05:16PM May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: xorg-server 2:1.18.4-0ubuntu0.2 (For technical support please see http://www.ubuntu.com/support) May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Current version of pixman: 0.33.6 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Before reporting problems, check http://wiki.x.org May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011to make sure that you have the latest version. May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Markers: (--) probed, (**) from config file, (==) default setting, May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011(++) from command line, (!!) notice, (II) informational, May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011(WW) warning, (EE) error, (NI) not implemented, (??) unknown. May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (==) Log file: "/var/log/Xorg.1.log", Time: Thu May 11 23:41:55 2017 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (==) Using system config directory "/usr/share/X11/xorg.conf.d" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (==) No Layout section. Using the first Screen section. May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (==) No screen section available. Using defaults. 
May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) |-->Screen "Default Screen Section" (0) May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) | |-->Monitor "" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (==) No monitor specified for screen "Default Screen Section". May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Using a default monitor configuration. May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (==) Automatically adding devices May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (==) Automatically enabling devices May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (==) Automatically adding GPU devices May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (==) Max clients allowed: 256, resource mask: 0x1fffff May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (WW) The directory "/usr/share/fonts/X11/cyrillic" does not exist. May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Entry deleted from font path. May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (WW) The directory "/usr/share/fonts/X11/100dpi/" does not exist. May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Entry deleted from font path. May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (WW) The directory "/usr/share/fonts/X11/75dpi/" does not exist. May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Entry deleted from font path. May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (WW) The directory "/usr/share/fonts/X11/100dpi" does not exist. May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Entry deleted from font path. May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (WW) The directory "/usr/share/fonts/X11/75dpi" does not exist. May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Entry deleted from font path. 
May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (==) FontPath set to: May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011/usr/share/fonts/X11/misc, May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011/usr/share/fonts/X11/Type1, May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011built-ins May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (==) ModulePath set to "/usr/lib/i386-linux-gnu/xorg/extra-modules,/usr/lib/xorg/extra-modules,/usr/lib/xorg/modules" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) The server relies on udev to provide the list of input devices. May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011If no devices become available, reconfigure udev or disable AutoAddDevices. May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) Loader magic: 0x802ae700 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) Module ABI versions: May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011X.Org ANSI C Emulation: 0.4 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011X.Org Video Driver: 20.0 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011X.Org XInput driver : 22.1 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011X.Org Server Extension : 9.0 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (++) using VT number 2 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) systemd-logind: took control of session /org/freedesktop/login1/session/_33 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (--) PCI:*(0:0:8:0) 1414:5353:0000:0000 rev 0, Mem @ 0xf8000000/67108864 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) LoadModule: "glx" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) Loading /usr/lib/xorg/modules/extensions/libglx.so May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) Module glx: vendor="X.Org Foundation" May 11 23:41:55 ubugdm 
/usr/lib/gdm3/gdm-x-session[1741]: #011compiled for 1.18.4, module version = 1.0.0 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011ABI class: X.Org Server Extension, version 9.0 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (==) AIGLX enabled May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (==) Matched modesetting as autoconfigured driver 0 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (==) Matched fbdev as autoconfigured driver 1 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (==) Matched vesa as autoconfigured driver 2 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (==) Assigned the driver to the xf86ConfigLayout May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) LoadModule: "modesetting" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) Loading /usr/lib/xorg/modules/drivers/modesetting_drv.so May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) Module modesetting: vendor="X.Org Foundation" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011compiled for 1.18.4, module version = 1.18.4 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Module class: X.Org Video Driver May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011ABI class: X.Org Video Driver, version 20.0 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) LoadModule: "fbdev" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) Loading /usr/lib/xorg/modules/drivers/fbdev_drv.so May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) Module fbdev: vendor="X.Org Foundation" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011compiled for 1.18.1, module version = 0.4.4 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Module class: X.Org Video Driver May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011ABI class: X.Org Video Driver, version 20.0 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) 
LoadModule: "vesa" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) Loading /usr/lib/xorg/modules/drivers/vesa_drv.so May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) Module vesa: vendor="X.Org Foundation" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011compiled for 1.18.1, module version = 2.3.4 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Module class: X.Org Video Driver May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011ABI class: X.Org Video Driver, version 20.0 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) modesetting: Driver for Modesetting Kernel Drivers: kms May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) FBDEV: driver for framebuffer: fbdev May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) VESA: driver for VESA chipsets: vesa May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (EE) open /dev/dri/card0: No such file or directory May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (WW) Falling back to old probe method for modesetting May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (EE) open /dev/dri/card0: No such file or directory May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) Loading sub module "fbdevhw" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) LoadModule: "fbdevhw" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) Loading /usr/lib/xorg/modules/libfbdevhw.so May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) Module fbdevhw: vendor="X.Org Foundation" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011compiled for 1.18.4, module version = 0.0.2 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011ABI class: X.Org Video Driver, version 20.0 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) FBDEV(1): claimed PCI slot 0 at 0:8:0 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) FBDEV(1): using default device May 11 
23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (WW) Falling back to old probe method for vesa May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (EE) Screen 0 deleted because of no matching config section. May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) UnloadModule: "modesetting" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) FBDEV(0): Creating default Display subsection in Screen section May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011"Default Screen Section" for depth/fbbpp 24/32 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (==) FBDEV(0): Depth 24, (==) framebuffer bpp 32 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (==) FBDEV(0): RGB weight 888 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (==) FBDEV(0): Default visual is TrueColor May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (==) FBDEV(0): Using gamma correction (1.0, 1.0, 1.0) May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) FBDEV(0): hardware: hyperv_fb (video memory: 8192kB) May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) FBDEV(0): checking modes against framebuffer device... May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) FBDEV(0): checking modes against monitor... 
May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (--) FBDEV(0): Virtual size is 1152x864 (pitch 1152) May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) FBDEV(0): Built-in mode "current" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (==) FBDEV(0): DPI set to (96, 96) May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) Loading sub module "fb" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) LoadModule: "fb" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) Loading /usr/lib/xorg/modules/libfb.so May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) Module fb: vendor="X.Org Foundation" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011compiled for 1.18.4, module version = 1.0.0 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011ABI class: X.Org ANSI C Emulation, version 0.4 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) FBDEV(0): using shadow framebuffer May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) Loading sub module "shadow" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) LoadModule: "shadow" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) Loading /usr/lib/xorg/modules/libshadow.so May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) Module shadow: vendor="X.Org Foundation" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011compiled for 1.18.4, module version = 1.1.0 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011ABI class: X.Org ANSI C Emulation, version 0.4 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) UnloadModule: "vesa" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) Unloading vesa May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (==) Depth 24 pixmap format is 32 bpp May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (WW) FBDEV(0): FBIOPAN_DISPLAY: Invalid argument May 11 23:41:55 ubugdm 
/usr/lib/gdm3/gdm-x-session[1741]: (==) FBDEV(0): Backing store enabled May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (==) FBDEV(0): DPMS enabled May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (==) RandR enabled May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) SELinux: Disabled on system May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) AIGLX: Screen 0 is not DRI2 capable May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (EE) AIGLX: reverting to software rendering May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) AIGLX: enabled GLX_MESA_copy_sub_buffer May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) AIGLX: Loaded and initialized swrast May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) GLX: Initialized DRISWRAST GL provider for screen 0 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) XKB: Reusing cached keymap May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) config/udev: Adding input device Microsoft Vmbus HID-compliant Mouse (/dev/input/event2) May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Microsoft Vmbus HID-compliant Mouse: Applying InputClass "evdev pointer catchall" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) LoadModule: "evdev" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) Loading /usr/lib/xorg/modules/input/evdev_drv.so May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) Module evdev: vendor="X.Org Foundation" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011compiled for 1.18.1, module version = 2.10.1 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Module class: X.Org XInput Driver May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011ABI class: X.Org XInput driver, version 22.1 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) systemd-logind: got fd for /dev/input/event2 13:66 fd 15 paused 0 May 11 23:41:55 ubugdm 
/usr/lib/gdm3/gdm-x-session[1741]: (II) Using input driver 'evdev' for 'Microsoft Vmbus HID-compliant Mouse' May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "_source" "server/udev" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "name" "Microsoft Vmbus HID-compliant Mouse" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "path" "/dev/input/event2" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "device" "/dev/input/event2" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "major" "13" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "minor" "66" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "config_info" "udev:/sys/devices/0006:045E:0621.0001/input/input4/event2" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "driver" "evdev" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "fd" "15" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Microsoft Vmbus HID-compliant Mouse: always reports core events May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) evdev: Microsoft Vmbus HID-compliant Mouse: Device: "/dev/input/event2" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (--) evdev: Microsoft Vmbus HID-compliant Mouse: absolute axis 0 [0..32767] May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (--) evdev: Microsoft Vmbus HID-compliant Mouse: absolute axis 0x1 [0..32767] May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (--) evdev: Microsoft Vmbus HID-compliant Mouse: Vendor 0x45e Product 0x621 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (--) evdev: Microsoft Vmbus HID-compliant Mouse: Found 9 mouse buttons May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (--) evdev: Microsoft Vmbus HID-compliant Mouse: Found scroll wheel(s) May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (--) evdev: Microsoft Vmbus 
HID-compliant Mouse: Found relative axes May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (--) evdev: Microsoft Vmbus HID-compliant Mouse: Found absolute axes May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (--) evdev: Microsoft Vmbus HID-compliant Mouse: Found x and y absolute axes May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (--) evdev: Microsoft Vmbus HID-compliant Mouse: Found absolute touchscreen May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) evdev: Microsoft Vmbus HID-compliant Mouse: Configuring as touchscreen May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) evdev: Microsoft Vmbus HID-compliant Mouse: Adding scrollwheel support May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) evdev: Microsoft Vmbus HID-compliant Mouse: YAxisMapping: buttons 4 and 5 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) evdev: Microsoft Vmbus HID-compliant Mouse: EmulateWheelButton: 4, EmulateWheelInertia: 10, EmulateWheelTimeout: 200 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Option "config_info" "udev:/sys/devices/0006:045E:0621.0001/input/input4/event2" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) XINPUT: Adding extended input device "Microsoft Vmbus HID-compliant Mouse" (type: TOUCHSCREEN, id 6) May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (WW) evdev: Microsoft Vmbus HID-compliant Mouse: touchpads, tablets and touchscreens ignore relative axes. May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) evdev: Microsoft Vmbus HID-compliant Mouse: initialized for absolute axes. 
May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Microsoft Vmbus HID-compliant Mouse: (accel) keeping acceleration scheme 1 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Microsoft Vmbus HID-compliant Mouse: (accel) acceleration profile 0 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Microsoft Vmbus HID-compliant Mouse: (accel) acceleration factor: 2.000 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Microsoft Vmbus HID-compliant Mouse: (accel) acceleration threshold: 4 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) config/udev: Adding input device Microsoft Vmbus HID-compliant Mouse (/dev/input/js0) May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) No input driver specified, ignoring this device. May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) This device may have been added with another device file. May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) config/udev: Adding input device Microsoft Vmbus HID-compliant Mouse (/dev/input/mouse0) May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) No input driver specified, ignoring this device. May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) This device may have been added with another device file. 
May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) config/udev: Adding input device Power Button (/dev/input/event0) May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Power Button: Applying InputClass "evdev keyboard catchall" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) systemd-logind: got fd for /dev/input/event0 13:64 fd 16 paused 0 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) Using input driver 'evdev' for 'Power Button' May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "_source" "server/udev" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "name" "Power Button" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "path" "/dev/input/event0" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "device" "/dev/input/event0" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "major" "13" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "minor" "64" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "xkb_layout" "de" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "xkb_model" "pc105" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "xkb_variant" "nodeadkeys" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "config_info" "udev:/sys/devices/LNXSYSTM:00/LNXPWRBN:00/input/input0/event0" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "driver" "evdev" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "fd" "16" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Power Button: always reports core events May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) evdev: Power Button: Device: "/dev/input/event0" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (--) evdev: Power Button: Vendor 0 Product 0x1 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (--) 
evdev: Power Button: Found keys May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) evdev: Power Button: Configuring as keyboard May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Option "config_info" "udev:/sys/devices/LNXSYSTM:00/LNXPWRBN:00/input/input0/event0" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) XINPUT: Adding extended input device "Power Button" (type: KEYBOARD, id 7) May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Option "xkb_rules" "evdev" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Option "xkb_model" "pc105" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Option "xkb_layout" "de" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Option "xkb_variant" "nodeadkeys" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: The XKEYBOARD keymap compiler (xkbcomp) reports: May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: > Warning: Type "ONE_LEVEL" has 1 levels, but has 2 symbols May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: > Ignoring extra symbols May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Errors from xkbcomp are not fatal to the X server May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) config/udev: Adding input device AT Translated Set 2 keyboard (/dev/input/event4) May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) AT Translated Set 2 keyboard: Applying InputClass "evdev keyboard catchall" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) systemd-logind: got fd for /dev/input/event4 13:68 fd 17 paused 0 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) Using input driver 'evdev' for 'AT Translated Set 2 keyboard' May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "_source" "server/udev" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "name" "AT Translated Set 2 keyboard" May 11 23:41:55 ubugdm 
/usr/lib/gdm3/gdm-x-session[1741]: #011Option "path" "/dev/input/event4" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "device" "/dev/input/event4" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "major" "13" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "minor" "68" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "xkb_layout" "de" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "xkb_model" "pc105" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "xkb_variant" "nodeadkeys" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "config_info" "udev:/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:07/VMBUS:01/d34b2567-b9b6-42b9-8778-0a4ec0b955bf/serio2/input/input5/event4" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "driver" "evdev" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "fd" "17" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) AT Translated Set 2 keyboard: always reports core events May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) evdev: AT Translated Set 2 keyboard: Device: "/dev/input/event4" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (--) evdev: AT Translated Set 2 keyboard: Vendor 0x1 Product 0x1 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (--) evdev: AT Translated Set 2 keyboard: Found keys May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) evdev: AT Translated Set 2 keyboard: Configuring as keyboard May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Option "config_info" "udev:/sys/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/device:07/VMBUS:01/d34b2567-b9b6-42b9-8778-0a4ec0b955bf/serio2/input/input5/event4" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) XINPUT: Adding extended input device "AT Translated Set 2 keyboard" (type: KEYBOARD, id 8) May 11 23:41:55 ubugdm 
/usr/lib/gdm3/gdm-x-session[1741]: (**) Option "xkb_rules" "evdev" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Option "xkb_model" "pc105" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Option "xkb_layout" "de" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Option "xkb_variant" "nodeadkeys" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) XKB: Reusing cached keymap May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) config/udev: Adding input device AT Translated Set 2 keyboard (/dev/input/event1) May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) AT Translated Set 2 keyboard: Applying InputClass "evdev keyboard catchall" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) systemd-logind: got fd for /dev/input/event1 13:65 fd 18 paused 0 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) Using input driver 'evdev' for 'AT Translated Set 2 keyboard' May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "_source" "server/udev" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "name" "AT Translated Set 2 keyboard" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "path" "/dev/input/event1" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "device" "/dev/input/event1" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "major" "13" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "minor" "65" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "xkb_layout" "de" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "xkb_model" "pc105" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "xkb_variant" "nodeadkeys" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "config_info" "udev:/sys/devices/platform/i8042/serio0/input/input1/event1" May 11 23:41:55 ubugdm 
/usr/lib/gdm3/gdm-x-session[1741]: #011Option "driver" "evdev" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "fd" "18" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) AT Translated Set 2 keyboard: always reports core events May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) evdev: AT Translated Set 2 keyboard: Device: "/dev/input/event1" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (--) evdev: AT Translated Set 2 keyboard: Vendor 0x1 Product 0x1 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (--) evdev: AT Translated Set 2 keyboard: Found keys May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) evdev: AT Translated Set 2 keyboard: Configuring as keyboard May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Option "config_info" "udev:/sys/devices/platform/i8042/serio0/input/input1/event1" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) XINPUT: Adding extended input device "AT Translated Set 2 keyboard" (type: KEYBOARD, id 9) May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Option "xkb_rules" "evdev" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Option "xkb_model" "pc105" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Option "xkb_layout" "de" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Option "xkb_variant" "nodeadkeys" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) XKB: Reusing cached keymap May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) config/udev: Adding input device TPPS/2 IBM TrackPoint (/dev/input/event3) May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) TPPS/2 IBM TrackPoint: Applying InputClass "evdev pointer catchall" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) TPPS/2 IBM TrackPoint: Applying InputClass "trackpoint catchall" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) systemd-logind: got fd for 
/dev/input/event3 13:67 fd 19 paused 0 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) Using input driver 'evdev' for 'TPPS/2 IBM TrackPoint' May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "_source" "server/udev" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "name" "TPPS/2 IBM TrackPoint" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "path" "/dev/input/event3" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "device" "/dev/input/event3" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "major" "13" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "minor" "67" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "config_info" "udev:/sys/devices/platform/i8042/serio1/input/input3/event3" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "driver" "evdev" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "Emulate3Buttons" "true" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "EmulateWheel" "true" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "EmulateWheelButton" "2" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "XAxisMapping" "6 7" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "YAxisMapping" "4 5" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: #011Option "fd" "19" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) TPPS/2 IBM TrackPoint: always reports core events May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) evdev: TPPS/2 IBM TrackPoint: Device: "/dev/input/event3" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (--) evdev: TPPS/2 IBM TrackPoint: Vendor 0x2 Product 0xa May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (--) evdev: TPPS/2 IBM TrackPoint: Found 3 mouse buttons May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: 
(--) evdev: TPPS/2 IBM TrackPoint: Found relative axes May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (--) evdev: TPPS/2 IBM TrackPoint: Found x and y relative axes May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) evdev: TPPS/2 IBM TrackPoint: Configuring as mouse May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Option "Emulate3Buttons" "true" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Option "EmulateWheel" "true" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Option "EmulateWheelButton" "2" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Option "YAxisMapping" "4 5" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) evdev: TPPS/2 IBM TrackPoint: YAxisMapping: buttons 4 and 5 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Option "XAxisMapping" "6 7" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) evdev: TPPS/2 IBM TrackPoint: XAxisMapping: buttons 6 and 7 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) evdev: TPPS/2 IBM TrackPoint: EmulateWheelButton: 2, EmulateWheelInertia: 10, EmulateWheelTimeout: 200 May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (**) Option "config_info" "udev:/sys/devices/platform/i8042/serio1/input/input3/event3" May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) XINPUT: Adding extended input device "TPPS/2 IBM TrackPoint" (type: MOUSE, id 10) May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) evdev: TPPS/2 IBM TrackPoint: initialized for relative axes. 
From felix.chu at bbpos.com Fri May 12 03:46:47 2017
From: felix.chu at bbpos.com (Felix Chu)
Date: Fri, 12 May 2017 03:46:47 +0000
Subject: [Freeipa-users] Windows client authentication with OTP not supported
In-Reply-To: <20170511074230.qecvezalikf5lbpd@redhat.com>
References: <20170511074230.qecvezalikf5lbpd@redhat.com>
Message-ID:

Thanks your info. So it means we cannot use FreeIPA server if we require MFA under Windows 2012?

Because our environment is under PCI-DSS cert, PCI-DSS 3.2 has new requirement forcing MFA on non-console access to servers. That's why we look for FreeIPA.

-----Original Message-----
From: Alexander Bokovoy [mailto:abokovoy at redhat.com]
Sent: Thursday, May 11, 2017 3:43 PM
To: Felix Chu
Cc: 'freeipa-users at redhat.com'
Subject: Re: [Freeipa-users] Windows client authentication with OTP not supported

On Thu, 11 May 2017, Felix Chu wrote:
>Hi, I would like to implement SSO for my Linux+Windows2012 machines
>with MFA.
>
>I have installed FreeIPA, it works well for my Linux client
>authentication with OTP enabled. However, for Windows client, I can
>only make it work with FreeIPA without OTP.
>
>The Windows machines are 2012 R2 without AD (workgroup only). When I
>login Windows using FreeIPA user accounts enabled with OTP, it shows
>"An unsupported preauthentication mechanism was presented to the
>Kerberos package", is that not supported? or something I configured
>wrong?

Windows does not support OTP in Kerberos the same way how MIT Kerberos
does implement it.

--
/ Alexander Bokovoy

From abokovoy at redhat.com Fri May 12 03:53:17 2017
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 12 May 2017 06:53:17 +0300
Subject: [Freeipa-users] Windows client authentication with OTP not supported
In-Reply-To:
References: <20170511074230.qecvezalikf5lbpd@redhat.com>
Message-ID: <20170512035317.s5b5eczg3bwfdfpw@redhat.com>

On Fri, 12 May 2017, Felix Chu wrote:
>Thanks your info. So it means we cannot use FreeIPA server if we
>require MFA under Windows 2012?
>
>Because our environment is under PCI-DSS cert, PCI-DSS 3.2 has new
>requirement forcing MFA on non-console access to servers. That's why we
>look for FreeIPA.

We do not even support the mode you are operating in -- we do not support
using Windows machines as clients to FreeIPA, as clearly stated on the wiki
page you have used to configure.

OTP in Kerberos supportability in Windows is not related to FreeIPA.

--
/ Alexander Bokovoy

From tlau at tetrioncapital.com Fri May 12 06:19:33 2017
From: tlau at tetrioncapital.com (Thomas Lau)
Date: Fri, 12 May 2017 14:19:33 +0800
Subject: [Freeipa-users] k5login loophole even account is disabled on FreeIPA
Message-ID:

Folks, let's say I am user thomas, and user "temp1" is already marked as "disabled" on FreeIPA, but thomas at DOMAIN.COM is on the /home/temp1/.k5login list. How come I could still "sudo su - temp1"? It seems to skip the checking on FreeIPA even though the account is disabled. Did I miss any setting, or is it normal?

From sbose at redhat.com Fri May 12 06:29:11 2017
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 12 May 2017 08:29:11 +0200
Subject: [Freeipa-users] Authenticate on GNOME display manager with freeipa
In-Reply-To:
References: <2a46b93e-5068-3bc4-9209-f1245faa71a9@gmail.com> <20170510194216.GC17159@p.Speedport_W_724V_Typ_A_05011603_00_011> <4e4cd5a1-7446-12d1-cbe7-33ee689fda94@gmail.com> <20170511115428.GF17159@p.Speedport_W_724V_Typ_A_05011603_00_011>
Message-ID: <20170512062911.GE32195@p.Speedport_W_724V_Typ_A_05011603_00_011>

On Fri, May 12, 2017 at 12:50:08AM +0200, tuxderlinuxfuchs77 at gmail.com wrote:
> I have attached the syslog with gdm debug mode enabled
>
>
> On 11-May-17 1:54 PM, Sumit Bose wrote:
> > On Thu, May 11, 2017 at 01:29:33PM +0200, tuxderlinuxfuchs77 at gmail.com wrote:
> >> Hello,
> >>
> >> I have attached the requested files.
> > The logs indicate that access was granted by SSSD and that gdm even
> > called pam_open_session.
> >
> > Did gdm login worked with the 'allow all' rule? Are there any other
> > hints in the system or gdm logs with gdm might have failed?
> >
> > bye,
> > Sumit
> >
> >> Thanks in advance!
> >>
> >> On 10-May-17 9:42 PM, Sumit Bose wrote:
> >>> On Tue, May 09, 2017 at 11:12:13PM +0200, tuxderlinuxfuchs77 at gmail.com wrote:
> >>>> Hello everyone,
> >>>>
> >>>> I set up my freeIPA instance and it works very well for my client
> >>>> computers (Ubuntu Desktop 16.04.2 LTS), I can login via SSH using a
> >>>> freeIPA managed user account.
> >>>>
> >>>> My own HBAC rule also works for that. I disabled the "allow all" rule
> >>>> and created my own one. Works fine for SSH.
> >>>>
> >>>> But I cannot login to the GNOME 3 Desktop on the client. I used the
> >>>> netinstall ISO image of Ubuntu. During installation, I have chose
> >>>> "Ubuntu GNOME Desktop" as the only desktop.
> >>>>
> >>>> So my display manager is gdm3.
> >>>>
> >>>> I added the "gdm" and "gdm-password" services to my HBAC rule. To be on
> >>>> the safe side, I rebooted the client machine. But I still can't login to
> >>>> the GNOME Desktop with an account that can login via SSH.
> >>>>
> >>>> So the services in my rule are
> >>>>
> >>>> login, gdm, gdm-password
> >>>>
> >>>> If you need any logs or other information, I will provide them.
> >>> Please send sssd_pam.log and sssd_domain.name.log with debug_level=10 in
> >>> the [pam] and [domain/...] section of sssd.conf.
> >>>
> >>> bye,
> >>> Sumit
> >>>
> >>>> Thanks in advance!
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> Manage your subscription for the Freeipa-users mailing list:
> >>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>> Go to http://freeipa.org for more info on the project
> >
....
> May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) This device may have been added with another device file.
> May 11 23:41:55 ubugdm gdm-x-session: Running session message bus > May 11 23:41:55 ubugdm gdm3: GdmManager: trying to register new display > May 11 23:41:55 ubugdm gdm3: GdmSession: Setting display device: /dev/tty2 > May 11 23:41:55 ubugdm gdm3: using ut_user vmuser1 > May 11 23:41:55 ubugdm gdm3: Writing login record > May 11 23:41:55 ubugdm gdm3: using ut_type USER_PROCESS > May 11 23:41:55 ubugdm gdm3: using ut_tv time 1494538915 > May 11 23:41:55 ubugdm gdm3: using ut_pid 1741 > May 11 23:41:55 ubugdm gdm3: using ut_host :1 > May 11 23:41:55 ubugdm gdm3: using ut_line tty2 > May 11 23:41:55 ubugdm gdm3: Writing wtmp session record to /var/log/wtmp > May 11 23:41:55 ubugdm gdm3: Adding or updating utmp record for login > May 11 23:41:55 ubugdm gdm3: GdmLocalDisplayFactory: display status changed: 2 > May 11 23:41:55 ubugdm gdm-x-session: Running X session > May 11 23:41:55 ubugdm gdm-x-session: Trying script /etc/gdm3/Prime/:1 > May 11 23:41:55 ubugdm gdm-x-session: script /etc/gdm3/Prime/:1 not found; skipping > May 11 23:41:55 ubugdm gdm-x-session: Trying script /etc/gdm3/Prime/Default > May 11 23:41:55 ubugdm gdm-x-session: Running process: /etc/gdm3/Prime/Default > May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: DISPLAY=:1 > May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: SHELL=/bin/sh > May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: XAUTHORITY=/run/user/126400004/gdm/Xauthority > May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: RUNNING_UNDER_GDM=true > May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: HOME=/ > May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: PWD=/ > May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: PATH=/usr/local/bin:/usr/bin:/bin:/usr/games > May 11 23:41:55 ubugdm gdm-x-session: Process exit status: 0 > May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: /etc/gdm3/Xsession: Beginning session 
setup... > May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: /etc/gdm3/Xsession: line 41: /dev/stderr: No such device or address > May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: localuser:vmuser1 being added to access control list > May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: localuser:vmuser1 being added to access control list > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Can't create dir /home/vmuser1/Desktop > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Can't create dir /home/vmuser1/Downloads > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Can't create dir /home/vmuser1/Templates > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Can't create dir /home/vmuser1/Public > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Can't create dir /home/vmuser1/Documents > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Can't create dir /home/vmuser1/Music > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Can't create dir /home/vmuser1/Pictures > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Can't create dir /home/vmuser1/Videos ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: openConnection: connect: No such file or directory > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: cannot connect to brltty at :0 > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: systemd --user not found, ignoring --systemd argument > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting CLUTTER_IM_MODULE=xim > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting SHELL=/bin/sh > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting QT_LINUX_ACCESSIBILITY_ALWAYS_ON=1 > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: 
dbus-update-activation-environment: setting GTK_MODULES=gail:atk-bridge > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting USER=vmuser1 > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting QT_ACCESSIBILITY=1 > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting DEFAULTS_PATH=/usr/share/gconf/gnome.default.path > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting USERNAME=vmuser1 > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting XDG_CONFIG_DIRS=/etc/xdg/xdg-gnome:/etc/xdg > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting DESKTOP_SESSION=gnome > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting QT_IM_MODULE=ibus > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting PWD=/ > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting XDG_SESSION_TYPE=x11 > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting XMODIFIERS=@im=ibus > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting LANG=en_US.UTF-8 > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting MANDATORY_PATH=/usr/share/gconf/gnome.mandatory.path > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting IM_CONFIG_PHASE=1 > May 11 23:41:56 ubugdm 
/usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting GDMSESSION=gnome > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting KRB5CCNAME=KEYRING:persistent:126400004 > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting SHLVL=1 > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting HOME=/home/vmuser1 > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting XDG_SESSION_DESKTOP=gnome > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting LOGNAME=vmuser1 > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting QT4_IM_MODULE=xim > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting XDG_DATA_DIRS=/usr/share/gnome:/usr/local/share/:/usr/share/:/var/lib/snapd/desktop > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-sIl0NbD3YZ,guid=ce7f419f97490ed005e5a7275914daa3 > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting WINDOWPATH=2 > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting DISPLAY=:1 > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting XDG_RUNTIME_DIR=/run/user/126400004 > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting GTK_IM_MODULE=ibus > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting XDG_CURRENT_DESKTOP=GNOME > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting 
XAUTHORITY=/run/user/126400004/gdm/Xauthority > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting _=/usr/bin/dbus-update-activation-environment > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Activating service name='org.a11y.Bus' > May 11 23:41:56 ubugdm gdm-launch-environment]: AccountsService: ActUserManager: sending user-changed signal for user user > May 11 23:41:56 ubugdm gdm-launch-environment]: AccountsService: ActUserManager: sent user-changed signal for user user > May 11 23:41:56 ubugdm gdm-launch-environment]: AccountsService: ActUserManager: updating user user > May 11 23:41:56 ubugdm gdm-password]: AccountsService: ActUserManager: sending user-changed signal for user user > May 11 23:41:56 ubugdm gdm-password]: AccountsService: ActUserManager: sent user-changed signal for user user > May 11 23:41:56 ubugdm gdm-password]: AccountsService: ActUserManager: updating user user > May 11 23:41:56 ubugdm gdm-launch-environment]: AccountsService: ActUserManager: sending user-changed signal for user vmuser1 > May 11 23:41:56 ubugdm gdm-launch-environment]: AccountsService: ActUserManager: sent user-changed signal for user vmuser1 > May 11 23:41:56 ubugdm gdm-launch-environment]: AccountsService: ActUserManager: updating user vmuser1 > May 11 23:41:56 ubugdm gdm-password]: AccountsService: ActUserManager: sending user-changed signal for user vmuser1 > May 11 23:41:56 ubugdm gdm-password]: AccountsService: ActUserManager: sent user-changed signal for user vmuser1 > May 11 23:41:56 ubugdm gdm-password]: AccountsService: ActUserManager: updating user vmuser1 > May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Successfully activated service 'org.a11y.Bus' > May 11 23:41:56 ubugdm org.a11y.Bus[1748]: ** (process:1839): WARNING **: Failed to register client: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files > May 11 
23:41:56 ubugdm org.a11y.Bus[1748]: Activating service name='org.a11y.atspi.Registry'
> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Activating service name='org.gtk.vfs.Daemon'
> May 11 23:41:56 ubugdm org.a11y.Bus[1748]: Successfully activated service 'org.a11y.atspi.Registry'
> May 11 23:41:56 ubugdm org.a11y.atspi.Registry[1845]: SpiRegistry daemon is running with well-known name - org.a11y.atspi.Registry
> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Successfully activated service 'org.gtk.vfs.Daemon'
> May 11 23:41:56 ubugdm gnome-session[1751]: gnome-session-is-accelerated: llvmpipe detected.
> May 11 23:41:56 ubugdm gnome-session[1751]: gnome-session-binary[1751]: WARNING: IceLockAuthFile failed: No such file or directory
> May 11 23:41:56 ubugdm gnome-session-binary[1751]: WARNING: IceLockAuthFile failed: No such file or directory
^^^^^^^^^^^^^^^^^^^^^^^^^

Does the user have a home directory and permissions to write into it?
Maybe you have to add pam_oddjob_mkhomedir.so or similar to your PAM
configuration to create it automatically?

HTH

bye,
Sumit

> May 11 23:41:56 ubugdm gdm-x-session: session exited with status 1
> May 11 23:41:56 ubugdm org.a11y.atspi.Registry[1845]: XIO: fatal IO error 11 (Resource temporarily unavailable) on X server ":1"
> May 11 23:41:56 ubugdm org.a11y.atspi.Registry[1845]: after 21 requests (21 known processed) with 0 events remaining.
> May 11 23:42:09 ubugdm systemd[1]: Time has been changed
> May 11 23:42:09 ubugdm systemd[1]: snapd.refresh.timer: Adding 2h 33min 11.994432s random time.
> May 11 23:42:09 ubugdm systemd[1]: snapd.refresh.timer: Adding 4h 23min 50.841896s random time.
> May 11 23:42:09 ubugdm systemd[1]: apt-daily.timer: Adding 3h 23min 33.465902s random time.
> May 11 23:42:09 ubugdm systemd[1387]: Time has been changed
> May 11 23:42:09 ubugdm systemd[1189]: Time has been changed

From abokovoy at redhat.com Fri May 12 06:35:40 2017
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 12 May 2017 09:35:40 +0300
Subject: [Freeipa-users] k5login loophole even account is disabled on FreeIPA
In-Reply-To:
References:
Message-ID: <20170512063540.buoo64dohov6a32g@redhat.com>

On Fri, 12 May 2017, Thomas Lau wrote:
>Folks,
>
>let's say I am user thomas, and user "temp1" is already marked as "disabled"
>on FreeIPA, but thomas at DOMAIN.COM is on the /home/temp1/.k5login list, how come
>I could still "sudo su - temp1"? It seems to skip the checking on FreeIPA even
>though the account is disabled. Did I miss any setting or is it normal?
This is normal.

sudo brings you to root. PAM module for su (/etc/pam.d/su) has this:

auth sufficient pam_rootok.so

E.g. if su is executed as root, it is enough, no other authentication
checks are done.
--
/ Alexander Bokovoy

From sbose at redhat.com Fri May 12 06:41:07 2017
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 12 May 2017 08:41:07 +0200
Subject: [Freeipa-users] k5login loophole even account is disabled on FreeIPA
In-Reply-To: <20170512063540.buoo64dohov6a32g@redhat.com>
References: <20170512063540.buoo64dohov6a32g@redhat.com>
Message-ID: <20170512064107.GF32195@p.Speedport_W_724V_Typ_A_05011603_00_011>

On Fri, May 12, 2017 at 09:35:40AM +0300, Alexander Bokovoy wrote:
> On Fri, 12 May 2017, Thomas Lau wrote:
> > Folks,
> >
> > let's say I am user thomas, and user "temp1" is already marked as "disabled"
> > on FreeIPA, but thomas at DOMAIN.COM is on the /home/temp1/.k5login list, how come
> > I could still "sudo su - temp1"? It seems to skip the checking on FreeIPA even
> > though the account is disabled. Did I miss any setting or is it normal?
> This is normal.
>
> sudo brings you to root. PAM module for su (/etc/pam.d/su) has this:
>
> auth sufficient pam_rootok.so
>
> E.g. if su is executed as root, it is enough, no other authentication
> checks are done.

And no authorization checks either because there is

account sufficient pam_succeed_if.so uid = 0 use_uid quiet

bye,
Sumit

>
> --
> / Alexander Bokovoy

From sbose at redhat.com Fri May 12 06:49:26 2017
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 12 May 2017 08:49:26 +0200
Subject: [Freeipa-users] k5login loophole even account is disabled on FreeIPA
In-Reply-To: <20170512064107.GF32195@p.Speedport_W_724V_Typ_A_05011603_00_011>
References: <20170512063540.buoo64dohov6a32g@redhat.com> <20170512064107.GF32195@p.Speedport_W_724V_Typ_A_05011603_00_011>
Message-ID: <20170512064926.GG32195@p.Speedport_W_724V_Typ_A_05011603_00_011>

On Fri, May 12, 2017 at 08:41:07AM +0200, Sumit Bose wrote:
> On Fri, May 12, 2017 at 09:35:40AM +0300, Alexander Bokovoy wrote:
> > On Fri, 12 May 2017, Thomas Lau wrote:
> > > Folks,
> > >
> > > let's say I am user thomas, and user "temp1" is already marked as "disabled"
> > > on FreeIPA, but thomas at DOMAIN.COM is on the /home/temp1/.k5login list, how come
> > > I could still "sudo su - temp1"? It seems to skip the checking on FreeIPA even
> > > though the account is disabled. Did I miss any setting or is it normal?
> > This is normal.
> >
> > sudo brings you to root. PAM module for su (/etc/pam.d/su) has this:
> >
> > auth sufficient pam_rootok.so
> >
> > E.g. if su is executed as root, it is enough, no other authentication
> > checks are done.
>
> And no authorization checks either because there is
>
> account sufficient pam_succeed_if.so uid = 0 use_uid quiet

and btw, this is completely unrelated to .k5login, even if you remove
thomas at DOMAIN.COM from the file it would still work.
bye,
Sumit

> >
> > --
> > / Alexander Bokovoy

From mbasti at redhat.com Fri May 12 07:17:07 2017
From: mbasti at redhat.com (Martin Bašti)
Date: Fri, 12 May 2017 09:17:07 +0200
Subject: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7
In-Reply-To:
References: <17824237-3beb-a5c1-0d6c-d9a1051eddce@redhat.com>
Message-ID:

That's weird, it should be super fast, anything in /var/log/httpd/error_log?

On 11.05.2017 22:23, Robert L. Harris wrote:
>
> Odd, must have clicked reply instead of reply-all.
>
> Anyway, I did the revert and re-install. Actual install went through
> fine then the "ipa-server-install" ran until this:
>
> [8/9]: restoring configuration
> [9/9]: starting directory server
> Done.
> Restarting the directory server
> Restarting the KDC
> Please add records in this file to your DNS system:
> /tmp/ipa.system.records.v5Jwrt.db
> Restarting the web server
> Configuring client side components
> Using existing certificate '/etc/ipa/ca.crt'.
> Client hostname: ipa.rdlg.net
> Realm: RDLG.NET
> DNS Domain: rdlg.net
> IPA Server: ipa.rdlg.net
> BaseDN: dc=rdlg,dc=net
>
> Skipping synchronizing time with NTP server.
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> trying https://ipa.rdlg.net/ipa/json
> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>
>
> It's been sitting there for a while ( 4 hours? ) I don't see anything
> in the ipaserver-install.log, but it's here: https://pastebin.com/biK1Dmv7
>
>
>
> On Thu, May 11, 2017 at 8:12 AM Martin Bašti > wrote:
>
> Please keep freeipa-users in CC
>
> Snapshot is always better, so I suggest to use it. Otherwise there
> is an option --ignore-last-of-role to unblock uninstallation.
>
> Martin
>
>
> On 11.05.2017 16:00, Robert L. Harris wrote:
>>
>> Looks like you hit it, apache didn't have a group:
>>
>> -- Logs begin at Wed 2017-05-10 19:56:27 MDT, end at Thu
>> 2017-05-11 07:48:27 MDT. --
>> May 10 20:36:00 ipa.rdlg.net systemd[1]:
>> Starting The Apache HTTP Server...
>> May 10 20:36:00 ipa.rdlg.net
>> ipa-httpd-kdcproxy[28808]: ipa : INFO KDC proxy enabled
>> May 10 20:36:00 ipa.rdlg.net httpd[28809]:
>> AH00544: httpd: bad group name apache
>> May 10 20:36:00 ipa.rdlg.net systemd[1]:
>> httpd.service: main process exited, code=exited, status=1/FAILURE
>> May 10 20:36:00 ipa.rdlg.net kill[28812]:
>> kill: cannot find process ""
>> May 10 20:36:00 ipa.rdlg.net systemd[1]:
>> httpd.service: control process exited, code=exited status=1
>> May 10 20:36:00 ipa.rdlg.net systemd[1]:
>> Failed to start The Apache HTTP Server.
>> May 10 20:36:00 ipa.rdlg.net systemd[1]:
>> Unit httpd.service entered failed state.
>> May 10 20:36:00 ipa.rdlg.net systemd[1]:
>> httpd.service failed.
>>
>> Thanks, didn't know that command. I tried to continue the process:
>>
>> {0}:/root>ipa-server-install
>>
>> The log file for this installation can be found in
>> /var/log/ipaserver-install.log
>> ipa.ipapython.install.cli.install_tool(Server): ERROR IPA
>> server is already configured on this system.
>> If you want to reinstall the IPA server, please uninstall it
>> first using 'ipa-server-install --uninstall'.
>> ipa.ipapython.install.cli.install_tool(Server): ERROR The
>> ipa-server-install command failed. See
>> /var/log/ipaserver-install.log for more information
>>
>> root at ipa
>> {1}:/root>ipa-server-install --uninstall
>>
>> This is a NON REVERSIBLE operation and will delete all data and
>> configuration!
>>
>> Are you sure you want to continue with the uninstall procedure?
>> [no]: yes
>> ipa : ERROR Server removal aborted: Deleting this
>> server is not allowed as it would leave your installation without
>> a CA..
>>
>>
>>
>> This is a VM and I took a snapshot right before I started the
>> install, so I can revert, just make sure to add the apache user
>> before starting the install. Or if you have a better command to
>> continue the clean-up/install.....
>>
>>
>> On Thu, May 11, 2017 at 2:19 AM Martin Bašti > > wrote:
>>
>> Hello,
>>
>> comments inline
>>
>>
>> On 11.05.2017 06:06, Robert L. Harris wrote:
>>>
>>> Sigh... Sorry, it's been a long day, I thought I put that
>>> log in the first pastebin. It's in this one:
>>> https://pastebin.com/18PAXXNS
>>
>> Could you please provide journalctl -u httpd and
>> /var/log/httpd/error_log ?
>>
>>
>>
>>>
>>> Also,
>>> Anyone else get the constant spam when mailing this
>>> list? Got an address to block for it?
>>
>> Sorry for that, there is a bot mining public archives. We
>> plan to resolve this issue but it may take time as we are not
>> maintaining our mailman.
>>
>> Martin
>>
>>
>>>
>>> Robert
>>>
>>>
>>>
>>>
>>> On Wed, May 10, 2017 at 9:56 PM Lachlan Musicman
>>> > wrote:
>>>
>>> Robert, did you look in /var/log/ipaserver-install.log
>>> as it says?
>>>
>>> Was there any other information?
>>>
>>> cheers
>>> L.
>>>
>>> ------
>>> "Mission Statement: To provide hope and inspiration for
>>> collective action, to build collective power, to achieve
>>> collective transformation, rooted in grief and rage but
>>> pointed towards vision and dreams."
>>>
>>> - Patrice Cullors, /Black Lives Matter founder/
>>>
>>> On 11 May 2017 at 13:24, Robert L. Harris
>>> >> > wrote:
>>>
>>> Ok, I gave up on Ubuntu. I'm now trying the latest
>>> CentOS7. I built out a "minimal server" with some
>>> normal base packages which did include the
>>> freeipa-client but otherwise, just standard tools.
>>> Here's a pastebin of the output of the install:
>>> https://pastebin.com/zAWCgkUU
>>>
>>> Robert
>>>
>>
>> --
>> Martin Bašti
>> Software Engineer
>> Red Hat Czech
>>
>
> --
> Martin Bašti
> Software Engineer
> Red Hat Czech
>

--
Martin Bašti
Software Engineer
Red Hat Czech

From tuxderlinuxfuchs77 at gmail.com Fri May 12 09:25:04 2017
From: tuxderlinuxfuchs77 at gmail.com (tuxderlinuxfuchs77 at gmail.com)
Date: Fri, 12 May 2017 11:25:04 +0200
Subject: [Freeipa-users] Authenticate on GNOME display manager with freeipa
In-Reply-To: <20170512062911.GE32195@p.Speedport_W_724V_Typ_A_05011603_00_011>
References: <2a46b93e-5068-3bc4-9209-f1245faa71a9@gmail.com> <20170510194216.GC17159@p.Speedport_W_724V_Typ_A_05011603_00_011> <4e4cd5a1-7446-12d1-cbe7-33ee689fda94@gmail.com> <20170511115428.GF17159@p.Speedport_W_724V_Typ_A_05011603_00_011> <20170512062911.GE32195@p.Speedport_W_724V_Typ_A_05011603_00_011>
Message-ID:

Thanks!
I followed this manual:
https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-mkhomedir

added the line

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

to the file /etc/pam.d/common-session (find attached)

On 12-May-17 8:29 AM, Sumit Bose wrote:
> On Fri, May 12, 2017 at 12:50:08AM +0200, tuxderlinuxfuchs77 at gmail.com wrote:
>> I have attached the syslog with gdm debug mode enabled
>>
>>
>> On 11-May-17 1:54 PM, Sumit Bose wrote:
>>> On Thu, May 11, 2017 at 01:29:33PM +0200, tuxderlinuxfuchs77 at gmail.com wrote:
>>>> Hello,
>>>>
>>>> I have attached the requested files.
>>> The logs indicate that access was granted by SSSD and that gdm even
>>> called pam_open_session.
>>>
>>> Did gdm login work with the 'allow all' rule? Are there any other
>>> hints in the system or gdm logs why gdm might have failed?
>>>
>>> bye,
>>> Sumit
>>>
>>>> Thanks in advance!
>>>>
>>>> On 10-May-17 9:42 PM, Sumit Bose wrote:
>>>>> On Tue, May 09, 2017 at 11:12:13PM +0200, tuxderlinuxfuchs77 at gmail.com wrote:
>>>>>> Hello everyone,
>>>>>>
>>>>>> I set up my freeIPA instance and it works very well for my client
>>>>>> computers (Ubuntu Desktop 16.04.2 LTS), I can login via SSH using a
>>>>>> freeIPA managed user account.
>>>>>>
>>>>>> My own HBAC rule also works for that. I disabled the "allow all" rule
>>>>>> and created my own one. Works fine for SSH.
>>>>>>
>>>>>> But I cannot login to the GNOME 3 Desktop on the client. I used the
>>>>>> netinstall ISO image of Ubuntu. During installation, I have chosen
>>>>>> "Ubuntu GNOME Desktop" as the only desktop.
>>>>>>
>>>>>> So my display manager is gdm3.
>>>>>>
>>>>>> I added the "gdm" and "gdm-password" services to my HBAC rule. To be on
>>>>>> the safe side, I rebooted the client machine. But I still can't login to
>>>>>> the GNOME Desktop with an account that can login via SSH.
>>>>>>
>>>>>> So the services in my rule are
>>>>>>
>>>>>> login, gdm, gdm-password
>>>>>>
>>>>>> If you need any logs or other information, I will provide them.
>>>>> Please send sssd_pam.log and sssd_domain.name.log with debug_level=10 in
>>>>> the [pam] and [domain/...] section of sssd.conf.
>>>>>
>>>>> bye,
>>>>> Sumit
>>>>>
>>>>>> Thanks in advance!
>>>>>>
> ....
>> May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) This device may have been added with another device file.
>> May 11 23:41:55 ubugdm gdm-x-session: Running session message bus
>> May 11 23:41:55 ubugdm gdm3: GdmManager: trying to register new display
>> May 11 23:41:55 ubugdm gdm3: GdmSession: Setting display device: /dev/tty2
>> May 11 23:41:55 ubugdm gdm3: using ut_user vmuser1
>> May 11 23:41:55 ubugdm gdm3: Writing login record
>> May 11 23:41:55 ubugdm gdm3: using ut_type USER_PROCESS
>> May 11 23:41:55 ubugdm gdm3: using ut_tv time 1494538915
>> May 11 23:41:55 ubugdm gdm3: using ut_pid 1741
>> May 11 23:41:55 ubugdm gdm3: using ut_host :1
>> May 11 23:41:55 ubugdm gdm3: using ut_line tty2
>> May 11 23:41:55 ubugdm gdm3: Writing wtmp session record to /var/log/wtmp
>> May 11 23:41:55 ubugdm gdm3: Adding or updating utmp record for login
>> May 11 23:41:55 ubugdm gdm3: GdmLocalDisplayFactory: display status changed: 2
>> May 11 23:41:55 ubugdm gdm-x-session: Running X session
>> May 11 23:41:55 ubugdm gdm-x-session: Trying script /etc/gdm3/Prime/:1
>> May 11 23:41:55 ubugdm gdm-x-session: script /etc/gdm3/Prime/:1 not found; skipping
>> May 11 23:41:55 ubugdm gdm-x-session: Trying script /etc/gdm3/Prime/Default
>> May 11 23:41:55 ubugdm gdm-x-session: Running process: /etc/gdm3/Prime/Default
>> May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment:
DISPLAY=:1 >> May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: SHELL=/bin/sh >> May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: XAUTHORITY=/run/user/126400004/gdm/Xauthority >> May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: RUNNING_UNDER_GDM=true >> May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: HOME=/ >> May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: PWD=/ >> May 11 23:41:55 ubugdm gdm-x-session: GdmSlave: script environment: PATH=/usr/local/bin:/usr/bin:/bin:/usr/games >> May 11 23:41:55 ubugdm gdm-x-session: Process exit status: 0 >> May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: /etc/gdm3/Xsession: Beginning session setup... >> May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: /etc/gdm3/Xsession: line 41: /dev/stderr: No such device or address >> May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: localuser:vmuser1 being added to access control list >> May 11 23:41:55 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: localuser:vmuser1 being added to access control list >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Can't create dir /home/vmuser1/Desktop >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Can't create dir /home/vmuser1/Downloads >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Can't create dir /home/vmuser1/Templates >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Can't create dir /home/vmuser1/Public >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Can't create dir /home/vmuser1/Documents >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Can't create dir /home/vmuser1/Music >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Can't create dir /home/vmuser1/Pictures >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Can't create dir /home/vmuser1/Videos > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > >> May 11 23:41:56 ubugdm 
/usr/lib/gdm3/gdm-x-session[1741]: openConnection: connect: No such file or directory >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: cannot connect to brltty at :0 >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: systemd --user not found, ignoring --systemd argument >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting CLUTTER_IM_MODULE=xim >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting SHELL=/bin/sh >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting QT_LINUX_ACCESSIBILITY_ALWAYS_ON=1 >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting GTK_MODULES=gail:atk-bridge >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting USER=vmuser1 >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting QT_ACCESSIBILITY=1 >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting DEFAULTS_PATH=/usr/share/gconf/gnome.default.path >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting USERNAME=vmuser1 >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting XDG_CONFIG_DIRS=/etc/xdg/xdg-gnome:/etc/xdg >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting DESKTOP_SESSION=gnome >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting QT_IM_MODULE=ibus >> May 11 23:41:56 
ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting PWD=/ >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting XDG_SESSION_TYPE=x11 >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting XMODIFIERS=@im=ibus >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting LANG=en_US.UTF-8 >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting MANDATORY_PATH=/usr/share/gconf/gnome.mandatory.path >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting IM_CONFIG_PHASE=1 >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting GDMSESSION=gnome >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting KRB5CCNAME=KEYRING:persistent:126400004 >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting SHLVL=1 >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting HOME=/home/vmuser1 >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting XDG_SESSION_DESKTOP=gnome >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting LOGNAME=vmuser1 >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting QT4_IM_MODULE=xim >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting XDG_DATA_DIRS=/usr/share/gnome:/usr/local/share/:/usr/share/:/var/lib/snapd/desktop >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting 
DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-sIl0NbD3YZ,guid=ce7f419f97490ed005e5a7275914daa3 >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting WINDOWPATH=2 >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting DISPLAY=:1 >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting XDG_RUNTIME_DIR=/run/user/126400004 >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting GTK_IM_MODULE=ibus >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting XDG_CURRENT_DESKTOP=GNOME >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting XAUTHORITY=/run/user/126400004/gdm/Xauthority >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: dbus-update-activation-environment: setting _=/usr/bin/dbus-update-activation-environment >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Activating service name='org.a11y.Bus' >> May 11 23:41:56 ubugdm gdm-launch-environment]: AccountsService: ActUserManager: sending user-changed signal for user user >> May 11 23:41:56 ubugdm gdm-launch-environment]: AccountsService: ActUserManager: sent user-changed signal for user user >> May 11 23:41:56 ubugdm gdm-launch-environment]: AccountsService: ActUserManager: updating user user >> May 11 23:41:56 ubugdm gdm-password]: AccountsService: ActUserManager: sending user-changed signal for user user >> May 11 23:41:56 ubugdm gdm-password]: AccountsService: ActUserManager: sent user-changed signal for user user >> May 11 23:41:56 ubugdm gdm-password]: AccountsService: ActUserManager: updating user user >> May 11 23:41:56 ubugdm gdm-launch-environment]: AccountsService: ActUserManager: sending user-changed signal for user vmuser1 >> May 11 23:41:56 ubugdm gdm-launch-environment]: 
AccountsService: ActUserManager: sent user-changed signal for user vmuser1 >> May 11 23:41:56 ubugdm gdm-launch-environment]: AccountsService: ActUserManager: updating user vmuser1 >> May 11 23:41:56 ubugdm gdm-password]: AccountsService: ActUserManager: sending user-changed signal for user vmuser1 >> May 11 23:41:56 ubugdm gdm-password]: AccountsService: ActUserManager: sent user-changed signal for user vmuser1 >> May 11 23:41:56 ubugdm gdm-password]: AccountsService: ActUserManager: updating user vmuser1 >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Successfully activated service 'org.a11y.Bus' >> May 11 23:41:56 ubugdm org.a11y.Bus[1748]: ** (process:1839): WARNING **: Failed to register client: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files >> May 11 23:41:56 ubugdm org.a11y.Bus[1748]: Activating service name='org.a11y.atspi.Registry' >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Activating service name='org.gtk.vfs.Daemon' >> May 11 23:41:56 ubugdm org.a11y.Bus[1748]: Successfully activated service 'org.a11y.atspi.Registry' >> May 11 23:41:56 ubugdm org.a11y.atspi.Registry[1845]: SpiRegistry daemon is running with well-known name - org.a11y.atspi.Registry >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Successfully activated service 'org.gtk.vfs.Daemon' >> May 11 23:41:56 ubugdm gnome-session[1751]: gnome-session-is-accelerated: llvmpipe detected. >> May 11 23:41:56 ubugdm gnome-session[1751]: gnome-session-binary[1751]: WARNING: IceLockAuthFile failed: No such file or directory >> May 11 23:41:56 ubugdm gnome-session-binary[1751]: WARNING: IceLockAuthFile failed: No such file or directory > ^^^^^^^^^^^^^^^^^^^^^^^^^ > > Does the user have a home directory and permissions to write into it? > Maybe you have to add pam_oddjob_mkhomedir.so or similar to your PAM > configuration to create it automatically? 
> > HTH > > bye, > Sumit > >> May 11 23:41:56 ubugdm gdm-x-session: session exited with status 1 >> May 11 23:41:56 ubugdm org.a11y.atspi.Registry[1845]: XIO: fatal IO error 11 (Resource temporarily unavailable) on X server ":1" >> May 11 23:41:56 ubugdm org.a11y.atspi.Registry[1845]: after 21 requests (21 known processed) with 0 events remaining. >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) evdev: TPPS/2 IBM TrackPoint: Close >> May 11 23:41:56 ubugdm org.gtk.vfs.Daemon[1748]: A connection to the bus can't be made >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) UnloadModule: "evdev" >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) systemd-logind: releasing fd for 13:67 >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) evdev: AT Translated Set 2 keyboard: Close >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) UnloadModule: "evdev" >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) systemd-logind: releasing fd for 13:65 >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) evdev: AT Translated Set 2 keyboard: Close >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) UnloadModule: "evdev" >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) systemd-logind: releasing fd for 13:68 >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) evdev: Power Button: Close >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) UnloadModule: "evdev" >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) systemd-logind: releasing fd for 13:64 >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) evdev: Microsoft Vmbus HID-compliant Mouse: Close >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) UnloadModule: "evdev" >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) systemd-logind: releasing fd for 13:66 >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: (II) 
Server terminated successfully (0). Closing log file. >> May 11 23:41:56 ubugdm gdm-password]: GdmSessionWorker: child (pid:1741) done (status:1) >> May 11 23:41:56 ubugdm gdm-password]: GdmSessionWorker: uninitializing PAM >> May 11 23:41:56 ubugdm gdm-password]: GdmSessionWorker: jumping to VT 7 >> May 11 23:41:56 ubugdm gdm-password]: GdmSessionWorker: couldn't finalize jump to VT 7: Interrupted system call >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: gnome-session-binary[1204]: DEBUG(+): emitting SessionIsActive >> May 11 23:41:56 ubugdm gdm-password]: GdmSessionWorker: state NONE >> May 11 23:41:56 ubugdm gnome-session-binary[1204]: DEBUG(+): emitting SessionIsActive >> May 11 23:41:56 ubugdm gdm3: GdmSession: Emitting 'session-exited' signal with exit code '1' >> May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (II) systemd-logind: got resume for 13:68 >> May 11 23:41:56 ubugdm gdm3: GdmManager: session exited with status 1 >> May 11 23:41:57 ubugdm gdm3: Writing logout record >> May 11 23:41:57 ubugdm gdm3: using ut_type DEAD_PROCESS >> May 11 23:41:57 ubugdm gdm3: using ut_tv time 1494538917 >> May 11 23:41:57 ubugdm gdm3: using ut_pid 1741 >> May 11 23:41:57 ubugdm gdm3: using ut_host :1 >> May 11 23:41:57 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (gnome-settings-daemon:1225): color-plugin-WARNING **: unable to get EDID for xrandr-default: unable to get EDID for output >> May 11 23:41:57 ubugdm gdm3: using ut_line tty2 >> May 11 23:41:57 ubugdm gdm3: Writing wtmp logout record to /var/log/wtmp >> May 11 23:41:57 ubugdm gdm-password]: Trying script /etc/gdm3/PostSession >> May 11 23:41:57 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (WW) FBDEV(0): FBIOPAN_DISPLAY: Invalid argument >> May 11 23:41:57 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (II) systemd-logind: got resume for 13:67 >> May 11 23:41:57 ubugdm gdm-password]: script /etc/gdm3/PostSession not found; skipping >> May 11 23:41:57 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (II) 
systemd-logind: got resume for 13:66 >> May 11 23:41:57 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (II) systemd-logind: got resume for 13:65 >> May 11 23:41:57 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (II) systemd-logind: got resume for 13:64 >> May 11 23:41:57 ubugdm gdm-password]: Trying script /etc/gdm3/PostSession/Default >> May 11 23:41:57 ubugdm gdm-password]: Running process: /etc/gdm3/PostSession/Default >> May 11 23:41:57 ubugdm gdm-password]: GdmSlave: script environment: DISPLAY= >> May 11 23:41:57 ubugdm gdm-password]: GdmSlave: script environment: HOME=/home/vmuser1 >> May 11 23:41:57 ubugdm gdm-password]: GdmSlave: script environment: RUNNING_UNDER_GDM=true >> May 11 23:41:57 ubugdm gdm-password]: GdmSlave: script environment: LOGNAME=vmuser1 >> May 11 23:41:57 ubugdm gdm-password]: GdmSlave: script environment: XAUTHORITY= >> May 11 23:41:57 ubugdm gdm-password]: GdmSlave: script environment: USERNAME=vmuser1 >> May 11 23:41:57 ubugdm gdm-password]: GdmSlave: script environment: PWD=/home/vmuser1 >> May 11 23:41:57 ubugdm gdm-password]: GdmSlave: script environment: USER=vmuser1 >> May 11 23:41:57 ubugdm gdm-password]: GdmSlave: script environment: SHELL=/bin/sh >> May 11 23:41:57 ubugdm gdm-password]: GdmSlave: script environment: PATH=/usr/local/bin:/usr/bin:/bin:/usr/games >> May 11 23:41:57 ubugdm gdm3: Adding or updating utmp record for logout >> May 11 23:41:57 ubugdm gdm3: GdmDisplay: unmanage display >> May 11 23:41:57 ubugdm gdm3: GdmDisplay: display lasted 1.615491 seconds >> May 11 23:41:57 ubugdm gdm3: GdmLocalDisplayFactory: display status changed: 4 >> May 11 23:41:57 ubugdm gdm3: GdmDisplayStore: Unreffing display: 0x9eb8868 >> May 11 23:41:57 ubugdm gdm3: GdmLocalDisplayFactory: display status changed: 3 >> May 11 23:41:57 ubugdm gdm3: GdmDisplay: finish display >> May 11 23:41:57 ubugdm gdm3: GdmSession: Closing session >> May 11 23:41:57 ubugdm gdm3: GdmSession: Stopping all conversations >> May 11 23:41:57 ubugdm gdm3: 
GdmSessionWorkerJob: Stopping job pid:1731 >> May 11 23:41:57 ubugdm gdm3: GdmCommon: sending signal 15 to process 1731 >> May 11 23:41:57 ubugdm gdm3: GdmSessionWorkerJob: Waiting on process 1731 >> May 11 23:41:57 ubugdm gdm-password]: Process exit status: 0 >> May 11 23:41:57 ubugdm gdm-password]: Worker finished >> May 11 23:41:57 ubugdm gdm3: GdmCommon: process (pid:1731) done (status:0) >> May 11 23:41:57 ubugdm gdm3: GdmSessionWorkerJob: SessionWorkerJob died >> May 11 23:41:57 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: The XKEYBOARD keymap compiler (xkbcomp) reports: >> May 11 23:41:57 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: > Warning: Type "ONE_LEVEL" has 1 levels, but has 2 symbols >> May 11 23:41:57 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: > Ignoring extra symbols >> May 11 23:41:57 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: Errors from xkbcomp are not fatal to the X server >> May 11 23:41:57 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: The XKEYBOARD keymap compiler (xkbcomp) reports: >> May 11 23:41:57 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: > Warning: Type "ONE_LEVEL" has 1 levels, but has 2 symbols >> May 11 23:41:57 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: > Ignoring extra symbols >> May 11 23:41:57 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: Errors from xkbcomp are not fatal to the X server >> May 11 23:41:57 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: The XKEYBOARD keymap compiler (xkbcomp) reports: >> May 11 23:41:57 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: > Warning: Type "ONE_LEVEL" has 1 levels, but has 2 symbols >> May 11 23:41:57 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: > Ignoring extra symbols >> May 11 23:41:57 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: Errors from xkbcomp are not fatal to the X server >> May 11 23:41:57 ubugdm gdm3: GdmManager: trying to open new session >> May 11 23:41:57 ubugdm gdm3: GdmDBusServer: new connection 0x9e9bad8 >> May 11 23:41:57 ubugdm gdm3: GdmSession: Handling new connection from outside >> May 11 23:41:57 
ubugdm gdm3: GdmManager: client connected >> May 11 23:41:57 ubugdm gdm3: GdmDisplay: Got timed login details for display: 0 >> May 11 23:41:57 ubugdm gdm-launch-environment]: AccountsService: ActUserManager: sending user-changed signal for user user >> May 11 23:41:57 ubugdm gdm-launch-environment]: AccountsService: ActUserManager: sent user-changed signal for user user >> May 11 23:41:57 ubugdm gdm-launch-environment]: AccountsService: ActUserManager: updating user user >> May 11 23:41:57 ubugdm gdm-launch-environment]: AccountsService: ActUserManager: sending user-changed signal for user vmuser1 >> May 11 23:41:57 ubugdm gdm-launch-environment]: AccountsService: ActUserManager: sent user-changed signal for user vmuser1 >> May 11 23:41:57 ubugdm gdm-launch-environment]: AccountsService: ActUserManager: updating user vmuser1 >> May 11 23:41:59 ubugdm systemd[1]: Time has been changed >> May 11 23:41:59 ubugdm systemd[1]: snapd.refresh.timer: Adding 5h 14min 24.101040s random time. >> May 11 23:41:59 ubugdm systemd[1]: snapd.refresh.timer: Adding 1h 49min 37.111737s random time. >> May 11 23:41:59 ubugdm systemd[1]: apt-daily.timer: Adding 41min 17.722076s random time. 
>> May 11 23:41:59 ubugdm systemd[1387]: Time has been changed >> May 11 23:41:59 ubugdm systemd[1189]: Time has been changed >> May 11 23:42:00 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: gnome-session-binary[1204]: DEBUG(+): emitting SessionIsActive >> May 11 23:42:00 ubugdm gnome-session-binary[1204]: DEBUG(+): emitting SessionIsActive >> May 11 23:42:00 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (gnome-shell:1243): Clutter-CRITICAL **: clutter_input_device_get_device_id: assertion 'CLUTTER_IS_INPUT_DEVICE (device)' failed >> May 11 23:42:00 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (gnome-shell:1243): Clutter-CRITICAL **: clutter_input_device_get_device_id: assertion 'CLUTTER_IS_INPUT_DEVICE (device)' failed >> May 11 23:42:00 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (II) systemd-logind: got pause for 13:68 >> May 11 23:42:00 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (II) systemd-logind: got pause for 13:67 >> May 11 23:42:00 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (II) systemd-logind: got pause for 13:66 >> May 11 23:42:00 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (II) systemd-logind: got pause for 13:65 >> May 11 23:42:00 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (II) systemd-logind: got pause for 13:64 >> May 11 23:42:00 ubugdm /usr/lib/gdm3/gdm-x-session[1194]: (gnome-shell:1243): Clutter-CRITICAL **: clutter_input_device_get_device_id: assertion 'CLUTTER_IS_INPUT_DEVICE (device)' failed >> May 11 23:42:04 ubugdm systemd[1189]: Time has been changed >> May 11 23:42:04 ubugdm systemd[1387]: Time has been changed >> May 11 23:42:04 ubugdm systemd[1]: Time has been changed >> May 11 23:42:04 ubugdm systemd[1]: snapd.refresh.timer: Adding 1h 1min 38.593189s random time. >> May 11 23:42:04 ubugdm systemd[1]: snapd.refresh.timer: Adding 5h 41min 21.874821s random time. >> May 11 23:42:04 ubugdm systemd[1]: apt-daily.timer: Adding 5h 39min 55.997378s random time. 
>> May 11 23:42:09 ubugdm systemd[1]: Time has been changed
>> May 11 23:42:09 ubugdm systemd[1]: snapd.refresh.timer: Adding 2h 33min 11.994432s random time.
>> May 11 23:42:09 ubugdm systemd[1]: snapd.refresh.timer: Adding 4h 23min 50.841896s random time.
>> May 11 23:42:09 ubugdm systemd[1]: apt-daily.timer: Adding 3h 23min 33.465902s random time.
>> May 11 23:42:09 ubugdm systemd[1387]: Time has been changed
>> May 11 23:42:09 ubugdm systemd[1189]: Time has been changed
-------------- next part --------------
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
#####################################################################################
#Added the line below
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_sss.so
session optional pam_systemd.so
session optional pam_ecryptfs.so unwrap
# end of pam-auth-update config

From sbose at redhat.com Fri May 12 09:48:50 2017
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 12 May 2017 11:48:50 +0200
Subject: [Freeipa-users] Authenticate on GNOME display manager with freeipa
In-Reply-To:
References: <2a46b93e-5068-3bc4-9209-f1245faa71a9@gmail.com>
 <20170510194216.GC17159@p.Speedport_W_724V_Typ_A_05011603_00_011>
 <4e4cd5a1-7446-12d1-cbe7-33ee689fda94@gmail.com>
 <20170511115428.GF17159@p.Speedport_W_724V_Typ_A_05011603_00_011>
 <20170512062911.GE32195@p.Speedport_W_724V_Typ_A_05011603_00_011>
Message-ID: <20170512094850.GH32195@p.Speedport_W_724V_Typ_A_05011603_00_011>

On Fri, May 12, 2017 at 11:25:04AM +0200, tuxderlinuxfuchs77 at gmail.com wrote:
> Thanks!
>
> I followed this manual:
> https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-mkhomedir
>
> added the line
>
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
>
> to the file /etc/pam.d/common-session (find attached)
>
>

Have you checked if /home/vmuser1 exists and has the right permissions
so that the user can create files in the directory?

bye,
Sumit

From tuxderlinuxfuchs77 at gmail.com Fri May 12 10:11:28 2017
From: tuxderlinuxfuchs77 at gmail.com (tuxderlinuxfuchs77 at gmail.com)
Date: Fri, 12 May 2017 12:11:28 +0200
Subject: [Freeipa-users] Authenticate on GNOME display manager with freeipa
In-Reply-To: <20170512094850.GH32195@p.Speedport_W_724V_Typ_A_05011603_00_011>
References: <2a46b93e-5068-3bc4-9209-f1245faa71a9@gmail.com>
 <20170510194216.GC17159@p.Speedport_W_724V_Typ_A_05011603_00_011>
 <4e4cd5a1-7446-12d1-cbe7-33ee689fda94@gmail.com>
 <20170511115428.GF17159@p.Speedport_W_724V_Typ_A_05011603_00_011>
 <20170512062911.GE32195@p.Speedport_W_724V_Typ_A_05011603_00_011>
 <20170512094850.GH32195@p.Speedport_W_724V_Typ_A_05011603_00_011>
Message-ID: <6bbd152c-0da2-b78b-7820-5f9eb13ef26b@gmail.com>

The directory didn't exist

On 12-May-17 11:48 AM, Sumit Bose wrote:
> On Fri, May 12, 2017 at 11:25:04AM +0200, tuxderlinuxfuchs77 at gmail.com wrote:
>> Thanks!
>>
>> I followed this manual:
>> https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-mkhomedir
>>
>> added the line
>>
>> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
>>
>> to the file /etc/pam.d/common-session (find attached)
>>
>>
> Have you checked if /home/vmuser1 exists and has the right permissions
> so that the user can create files in the directory?
>
> bye,
> Sumit
>

From sbose at redhat.com Fri May 12 10:52:02 2017
From: sbose at redhat.com (Sumit Bose)
Date: Fri, 12 May 2017 12:52:02 +0200
Subject: [Freeipa-users] Authenticate on GNOME display manager with freeipa
In-Reply-To: <6bbd152c-0da2-b78b-7820-5f9eb13ef26b@gmail.com>
References: <2a46b93e-5068-3bc4-9209-f1245faa71a9@gmail.com>
 <20170510194216.GC17159@p.Speedport_W_724V_Typ_A_05011603_00_011>
 <4e4cd5a1-7446-12d1-cbe7-33ee689fda94@gmail.com>
 <20170511115428.GF17159@p.Speedport_W_724V_Typ_A_05011603_00_011>
 <20170512062911.GE32195@p.Speedport_W_724V_Typ_A_05011603_00_011>
 <20170512094850.GH32195@p.Speedport_W_724V_Typ_A_05011603_00_011>
 <6bbd152c-0da2-b78b-7820-5f9eb13ef26b@gmail.com>
Message-ID: <20170512105202.GJ32195@p.Speedport_W_724V_Typ_A_05011603_00_011>

On Fri, May 12, 2017 at 12:11:28PM +0200, tuxderlinuxfuchs77 at gmail.com wrote:
> The directory didn't exist

Then I guess that the process doesn't have the needed permissions during
the session phase anymore. Please try to replace pam_mkhomedir by
pam_oddjob_mkhomedir. This will try to create the directory via oddjobd
which runs with higher privileges.

HTH

bye,
Sumit

>
>
> On 12-May-17 11:48 AM, Sumit Bose wrote:
> > On Fri, May 12, 2017 at 11:25:04AM +0200, tuxderlinuxfuchs77 at gmail.com wrote:
> >> Thanks!
> >>
> >> I followed this manual:
> >> https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-mkhomedir
> >>
> >> added the line
> >>
> >> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
> >>
> >> to the file /etc/pam.d/common-session (find attached)
> >>
> >>
> > Have you checked if /home/vmuser1 exists and has the right permissions
> > so that the user can create files in the directory?
> >
> > bye,
> > Sumit
> >

From wouter.hummelink at kpn.com Fri May 12 12:32:24 2017
From: wouter.hummelink at kpn.com (wouter.hummelink at kpn.com)
Date: Fri, 12 May 2017 12:32:24 +0000
Subject: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
Message-ID: <2CA71D6C07ADB544847562573DC6BF062B3D3796@CPEMS-KPN309.KPNCNL.LOCAL>

Hi All,

We're running a POC to integrate IPA and AIX using AIX KRB5LDAP compound module.
All the moving parts seem to be working on their own, however logging in doesn't work with SSH on AIX reporting Failed password for user

We're using ID views to overwrite the user shell and home dirs. (Since AIX will refuse a login with a nonexisting shell (like bash))
AIX's lsuser command is able to find all of the users it's supposed to and su to IPA users works.
Also when a user tries to log in I can see a successful Kerberos conversation to our IPA server.

Tips for troubleshooting would be much appreciated, increasing SSH log level did not produce any meaningful logging.
=============== Configuration Excerpt ================================================================
/etc/security/ldap/ldap.cfg:
ldapservers:ipaserver.example.org
binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
bindpwd:{DESv2}
authtype:ldap_auth
useSSL:TLS
ldapsslkeyf:/etc/security/ldap/example.kdb
ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8 932F219867AA7C2C552A12BEEC0CC67
useKRB5:yes
krbprincipal:host/aixlpar.example.org
krbkeypath:/etc/krb5/krb5.keytab
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
automountbasedn:cn=default,cn=automount,dc=example,dc=org
etherbasedn:cn=computers,cn=accounts,dc=example,dc=org
userclasses:posixaccount,account,shadowaccount
groupclasses:posixgroup
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP

/etc/security/user
default:
        SYSTEM = KRB5LDAP or compat

/etc/methods.cfg
LDAP:
        program = /usr/lib/security/LDAP
        program_64 =/usr/lib/security/LDAP64
NIS:
        program = /usr/lib/security/NIS
        program_64 = /usr/lib/security/NIS_64
DCE:
        program = /usr/lib/security/DCE
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no
KRB5LDAP:
        options = auth=KRB5,db=LDAP

Kind regards,
Wouter Hummelink
Technical Consultant - Enterprise Webhosting / Tooling & Automation
T: +31-6-12882447
E: wouter.hummelink at kpn.com
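For the GDM login thread earlier on this page (the /etc/pam.d/common-session attachment and the "Can't create dir" log lines), here is an added example, not code from any poster or from FreeIPA. It walks the session stack the way PAM does when every module succeeds, reports which home-directory module is reached, and ties that to the log. The function names are hypothetical, and the directory mode is assumed to be 0777 masked by the `umask=` option.

```python
import re

# Session rules from the /etc/pam.d/common-session attached in the thread
# (comment lines omitted).
COMMON_SESSION = """\
session [default=1]  pam_permit.so
session requisite    pam_deny.so
session required     pam_permit.so
session optional     pam_umask.so
session required     pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional     pam_sss.so
session optional     pam_systemd.so
session optional     pam_ecryptfs.so unwrap
"""

# Three lines copied from the gdm log quoted in the thread.
GDM_LOG = """\
May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Can't create dir /home/vmuser1/Desktop
May 11 23:41:56 ubugdm /usr/lib/gdm3/gdm-x-session[1741]: Can't create dir /home/vmuser1/Videos
May 11 23:41:56 ubugdm gdm-x-session: session exited with status 1
"""

HOMEDIR_MODULES = ("pam_mkhomedir.so", "pam_oddjob_mkhomedir.so")
RULE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
CANT_CREATE = re.compile(r"Can't create dir (\S+)/[^/\s]+\s*$", re.M)
SIMPLE_ON_SUCCESS = {"required": "ok", "requisite": "ok",
                     "sufficient": "done", "optional": "ok"}


def parse_stack(text, pam_type="session"):
    """Return the rules of one PAM type, in file order."""
    rules = []
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        # A leading "-" on the type only silences "module missing" logging.
        if m and m.group(1).lstrip("-") == pam_type:
            rules.append({"control": m.group(2), "module": m.group(3),
                          "args": m.group(4).split()})
    return rules


def success_action(control):
    """Action taken when a module with this control returns PAM_SUCCESS."""
    if control in SIMPLE_ON_SUCCESS:
        return SIMPLE_ON_SUCCESS[control]
    actions = dict(p.split("=", 1) for p in control.strip("[]").split())
    # Assumption: with neither success= nor default= listed, treat as ignore.
    return actions.get("success", actions.get("default", "ignore"))


def modules_run_on_success(rules):
    """Rules reached on the normal login path (every module succeeds)."""
    reached, i = [], 0
    while i < len(rules):
        reached.append(rules[i])
        action = success_action(rules[i]["control"])
        if action in ("done", "die"):
            break
        # A numeric action N jumps over the next N rules.
        i += 1 + (int(action) if action.isdigit() else 0)
    return reached


def homedir_module(rules):
    """First home-directory module on the success path, or None."""
    for pos, rule in enumerate(modules_run_on_success(rules)):
        if rule["module"] in HOMEDIR_MODULES:
            opts = dict(a.split("=", 1) for a in rule["args"] if "=" in a)
            # 0022 is pam_mkhomedir's documented default umask.
            default = "0022" if rule["module"] == "pam_mkhomedir.so" else None
            umask = opts.get("umask", default)
            mode = None if umask is None else 0o777 & ~int(umask, 8)
            return {"module": rule["module"], "position": pos,
                    "umask": umask, "dir_mode": mode}
    return None


def homes_missing(log_text):
    """Parent directories named in "Can't create dir" log lines."""
    return sorted({m.group(1) for m in CANT_CREATE.finditer(log_text)})


def diagnose(pam_text, log_text):
    findings = []
    home = homedir_module(parse_stack(pam_text))
    missing = ", ".join(homes_missing(log_text))
    if missing and home is None:
        findings.append("no home-directory module on the session path; "
                        "missing: " + missing)
    elif missing:
        findings.append(f"{home['module']} is configured but {missing} was "
                        "not created; the thread's suggestion is oddjobd via "
                        "pam_oddjob_mkhomedir")
    if home and home["dir_mode"] is not None and home["dir_mode"] & 0o007:
        findings.append(f"{home['module']} umask={home['umask']} gives new "
                        f"homes mode {home['dir_mode']:04o}, readable by "
                        "other local users")
    return findings


if __name__ == "__main__":
    for finding in diagnose(COMMON_SESSION, GDM_LOG):
        print("-", finding)
```

On the thread's input this reports both the uncreated /home/vmuser1 and that `umask=0022` yields mode 0755 home directories; `umask=0077` would keep new homes private to their owner.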
From tuxderlinuxfuchs77 at gmail.com Fri May 12 13:00:42 2017
From: tuxderlinuxfuchs77 at gmail.com (tuxderlinuxfuchs77 at gmail.com)
Date: Fri, 12 May 2017 15:00:42 +0200
Subject: [Freeipa-users] Authenticate on GNOME display manager with freeipa
In-Reply-To: <20170512105202.GJ32195@p.Speedport_W_724V_Typ_A_05011603_00_011>
References: <2a46b93e-5068-3bc4-9209-f1245faa71a9@gmail.com>
 <20170510194216.GC17159@p.Speedport_W_724V_Typ_A_05011603_00_011>
 <4e4cd5a1-7446-12d1-cbe7-33ee689fda94@gmail.com>
 <20170511115428.GF17159@p.Speedport_W_724V_Typ_A_05011603_00_011>
 <20170512062911.GE32195@p.Speedport_W_724V_Typ_A_05011603_00_011>
 <20170512094850.GH32195@p.Speedport_W_724V_Typ_A_05011603_00_011>
 <6bbd152c-0da2-b78b-7820-5f9eb13ef26b@gmail.com>
 <20170512105202.GJ32195@p.Speedport_W_724V_Typ_A_05011603_00_011>
Message-ID: <1ae20c67-c9de-f77f-9634-4ae3a9877816@gmail.com>

It worked with pam_mkhomedir. So I don't see anything left to do at the moment

On 12-May-17 12:52 PM, Sumit Bose wrote:
> On Fri, May 12, 2017 at 12:11:28PM +0200, tuxderlinuxfuchs77 at gmail.com wrote:
>> The directory didn't exist
> Then I guess that the process doesn't have the needed permissions during
> the session phase anymore. Please try to replace pam_mkhomedir by
> pam_oddjob_mkhomedir. This will try to create the directory via oddjobd
> which runs with higher privileges.
>
> HTH
>
> bye,
> Sumit
>
>>
>> On 12-May-17 11:48 AM, Sumit Bose wrote:
>>> On Fri, May 12, 2017 at 11:25:04AM +0200, tuxderlinuxfuchs77 at gmail.com wrote:
>>>> Thanks!
>>>>
>>>> I followed this manual:
>>>> https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-mkhomedir
>>>>
>>>> added the line
>>>>
>>>> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
>>>>
>>>> to the file /etc/pam.d/common-session (find attached)
>>>>
>>>>
>>> Have you checked if /home/vmuser1 exists and has the right permissions
>>> so that the user can create files in the directory?
>>>
>>> bye,
>>> Sumit
>>>

From luiz.vianna at tivit.com.br Fri May 12 13:02:57 2017
From: luiz.vianna at tivit.com.br (Luiz Fernando Vianna da Silva)
Date: Fri, 12 May 2017 13:02:57 +0000
Subject: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
References: <2CA71D6C07ADB544847562573DC6BF062B3D3796@CPEMS-KPN309.KPNCNL.LOCAL>
Message-ID:

Hello Wouter.

It may seem silly, but try installing bash on one AIX server and test authenticating against that one.

It's a single rpm with no dependencies. For me it did the trick and I ended up doing that on all my AIX servers.

Let me know how it goes or if you have any issues.

Best Regards
__________________________________________
Luiz Fernando Vianna da Silva

On 12-05-2017 09:47, wouter.hummelink at kpn.com wrote:

Hi All,

We're running a POC to integrate IPA and AIX using AIX KRB5LDAP compound module.
All the moving parts seem to be working on their own, however logging in doesn't work with SSH on AIX reporting Failed password for user

We're using ID views to overwrite the user shell and home dirs. (Since AIX will refuse a login with a nonexisting shell (like bash))
AIX's lsuser command is able to find all of the users it's supposed to and su to IPA users works.
Also when a user tries to log in I can see a successful Kerberos conversation to our IPA server.

Tips for troubleshooting would be much appreciated, increasing SSH log level did not produce any meaningful logging.
=============== Configuration Excerpt ================================================================
/etc/security/ldap/ldap.cfg:
ldapservers:ipaserver.example.org
binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
bindpwd:{DESv2}
authtype:ldap_auth
useSSL:TLS
ldapsslkeyf:/etc/security/ldap/example.kdb
ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8 932F219867AA7C2C552A12BEEC0CC67
useKRB5:yes
krbprincipal:host/aixlpar.example.org
krbkeypath:/etc/krb5/krb5.keytab
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
automountbasedn:cn=default,cn=automount,dc=example,dc=org
etherbasedn:cn=computers,cn=accounts,dc=example,dc=org
userclasses:posixaccount,account,shadowaccount
groupclasses:posixgroup
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP

/etc/security/user
default:
        SYSTEM = KRB5LDAP or compat

/etc/methods.cfg
LDAP:
        program = /usr/lib/security/LDAP
        program_64 =/usr/lib/security/LDAP64
NIS:
        program = /usr/lib/security/NIS
        program_64 = /usr/lib/security/NIS_64
DCE:
        program = /usr/lib/security/DCE
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no
KRB5LDAP:
        options = auth=KRB5,db=LDAP

Kind regards,
Wouter Hummelink
Technical Consultant - Enterprise Webhosting / Tooling & Automation
T: +31-6-12882447
E: wouter.hummelink at kpn.com
From jason at deeplocal.com Fri May 12 13:04:08 2017
From: jason at deeplocal.com (Jason Sherrill)
Date: Fri, 12 May 2017 09:04:08 -0400
Subject: [Freeipa-users] Fwd: DNS update failing
In-Reply-To:
References: <28977985-f994-12b1-9b48-65306a0d2c3f@redhat.com>
Message-ID:

Mistakenly failed to post to freeipa-users.

---------- Forwarded message ----------
From: Jason Sherrill
Date: Thu, May 11, 2017 at 9:16 AM
Subject: Re: [Freeipa-users] DNS update failing
To: Martin Bašti

Thank you for the assistance, Martin. The reverse zone is working because of a policy I'd added: grant * tcp-self *. The same entry for the forward zone did not work. I ran the manual update as described and was refused. It seems GSS-TSIG is working, but the update is still refused:

[root at ipa-1 jsherrill]# kinit -kt /etc/krb5.keytab
[root at ipa-1 jsherrill]# nsupdate -g
> debug
> update add testbook3.int.dplcl.com. 86400 a 10.0.1.36
>
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45996
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;testbook3.int.dplcl.com. IN SOA

;; AUTHORITY SECTION:
int.dplcl.com. 3600 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com. 1494432187 3600 900 1209600 3600

Found zone name: int.dplcl.com
The master is: ipa-1.int.dplcl.com
start_gssrequest
Found realm from ticket: INT.DPLCL.COM
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23945
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;3601322568.sig-ipa-1.int.dplcl.com. ANY TKEY

;; ADDITIONAL SECTION:
3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TKEY gss-tsig. ****

recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23945
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;3601322568.sig-ipa-1.int.dplcl.com. ANY TKEY

;; ANSWER SECTION:
3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TKEY gss-tsig. ****

Sending update to 10.0.1.5#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 13230
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
testbook3.int.dplcl.com. 86400 IN A 10.0.1.36

;; TSIG PSEUDOSECTION:
3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TSIG gss-tsig. **** 13230 NOERROR 0

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 13230
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;int.dplcl.com. IN SOA

;; TSIG PSEUDOSECTION:
3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TSIG gss-tsig. ****13230 NOERROR 0

On Thu, May 11, 2017 at 4:09 AM, Martin Bašti wrote:

> On 10.05.2017 18:38, Jason Sherrill wrote:
>
> Hello,
>
> I've recently implemented freeIPA in a mixed environment of Mac OS 10.12
> and Windows 10 with limited issues!
>
> One issue is that updating the reverse zone via nsupdate works without
> issue, updating to the forward zone results in a REFUSED status. Below is
> my zone config, named.conf, and an example of client-side behavior. I'm
> new to nearly all systems involved- misconfiguration is likely. Thanks!
>
> From freeIPA server:
>
> # ipa dnszone-show int.dplcl.com --all
>
> dn: idnsname=int.dplcl.com.,cn=dns,dc=int,dc=dplcl,dc=com
> Zone name: int.dplcl.com.
> Active zone: TRUE
> Authoritative nameserver: ipa-1.int.dplcl.com.
> Administrator e-mail address: hostmaster.int.dplcl.com.
> SOA serial: 1494344164
> SOA refresh: 3600
> SOA retry: 900
> SOA expire: 1209600
> SOA minimum: 3600
> BIND update policy: grant INT.DPLCL.COM krb5-self * A; grant
> INT.DPLCL.COM krb5-self * AAAA; grant INT.DPLCL.COM krb5-self *
> SSHFP;
> Dynamic update: TRUE
> Allow query: any;
> Allow transfer: none;
> Allow PTR sync: TRUE
> Allow in-line DNSSEC signing: FALSE
> nsrecord: ipa-1.int.dplcl.com.
> objectclass: idnszone, top, idnsrecord, ipadnszone
>
> /etc/named.conf from IPA server:
>
> options {
> // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
> listen-on-v6 {any;};
>
> // Put files that named is allowed to write in the data/ directory:
> directory "/var/named"; // the default
> dump-file "data/cache_dump.db";
> statistics-file "data/named_stats.txt";
> memstatistics-file "data/named_mem_stats.txt";
>
> // Any host is permitted to issue recursive queries
> allow-recursion { any; };
>
> tkey-gssapi-keytab "/etc/named.keytab";
> pid-file "/run/named/named.pid";
>
> dnssec-enable no;
> dnssec-validation no;
>
> /* Path to ISC DLV key */
> bindkeys-file "/etc/named.iscdlv.key";
>
> managed-keys-directory "/var/named/dynamic";
> };
>
> /* If you want to enable debugging, eg. using the 'rndc trace' command,
> * By default, SELinux policy does not allow named to modify the /var/named
> directory,
> * so put the default debug log file in data/ :
> */
> logging {
> channel default_debug {
> file "data/named.run";
> severity dynamic;
> print-time yes;
> };
> };
>
> zone "." IN {
> type hint;
> file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
>
> dynamic-db "ipa" {
> library "ldap.so";
> arg "uri ldapi://%2fvar%2frun%2fslapd-INT-DPLCL-COM.socket";
> arg "base cn=dns, dc=int,dc=dplcl,dc=com";
> arg "server_id ipa-1.int.dplcl.com";
> arg "auth_method sasl";
> arg "sasl_mech GSSAPI";
> arg "sasl_user DNS/ipa-1.int.dplcl.com";
> arg "serial_autoincrement yes";
> };
>
> From client macbook:
>
> testbook3:etc jsherrill$ nsupdate
> > debug
> > update add testbook3.int.dplcl.com 86400 a 10.0.1.36
> >
> Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3049
> ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;testbook3.int.dplcl.com. IN SOA
>
> ;; AUTHORITY SECTION:
> int.dplcl.com. 0 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com.
> 1494425173 3600 900 1209600 3600
>
> Found zone name: int.dplcl.com
> The master is: ipa-1.int.dplcl.com
> Sending update to 10.0.1.5#53
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 33167
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
> ;; UPDATE SECTION:
> testbook3.int.dplcl.com. 86400 IN A 10.0.1.36
>
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 33167
> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; ZONE SECTION:
> ;int.dplcl.com. IN SOA
> --
>
> *Jason Sherrill*
> Deeplocal Inc.
> mobile: 412-636-2073
> office: 412-362-0201
>
> Hello,
>
> DNS updates are using GSS-TSIG mechanism by default in FreeIPA, so you
> cannot use plain nsupdate without providing credentials
>
> Here is policy, hosts can update only its records using GSS-TSIG (kerberos)
>
> BIND update policy: grant INT.DPLCL.COM krb5-self * A; grant INT.DPLCL.COM
> krb5-self * AAAA; grant INT.DPLCL.COM krb5-self *
> SSHFP;
>
> So for manual updates via nsupdate, you have to do following steps:
>
> 1, kinit -kt /etc/krb5.keytab
>
> 2, nsupdate -g
>
> ... update A records ...
>
> I don't know why a reverse zone works for you, you should check policy of
> the reverse zone.
>
> Martin
>
> --
> Martin Bašti
> Software Engineer
> Red Hat Czech
>

--
*Jason Sherrill*
Deeplocal Inc.
mobile: 412-636-2073
office: 412-362-0201

--
*Jason Sherrill*
Deeplocal Inc.
mobile: 412-636-2073
office: 412-362-0201
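The `krb5-self` and `tcp-self` rules quoted in the message above, as a simplified Python model of how BIND evaluates an `update-policy` (an added example, not code from the thread, FreeIPA or BIND). The host principals and the client address used in the demo are assumptions for illustration; the thread does not show which principal the keytab holds.

```python
"""Simplified model of BIND update-policy matching for krb5-self and tcp-self."""
import ipaddress
from typing import NamedTuple

# Policy text as shown by `ipa dnszone-show int.dplcl.com --all` in the thread.
FORWARD_POLICY = (
    "grant INT.DPLCL.COM krb5-self * A; "
    "grant INT.DPLCL.COM krb5-self * AAAA; "
    "grant INT.DPLCL.COM krb5-self * SSHFP;"
)
# Rule the poster reports adding for the reverse zone.
TCP_SELF_POLICY = "grant * tcp-self *;"

# With an empty type list, a BIND rule matches every type except these.
DEFAULT_EXCLUDED = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}


class Rule(NamedTuple):
    action: str     # "grant" or "deny"
    identity: str   # Kerberos realm (krb5-self) or name pattern (tcp-self)
    ruletype: str
    name: str       # placeholder field, ignored by both rule types modelled here
    types: tuple    # record types; empty tuple means the default set


def parse_policy(text: str) -> list:
    """Split 'grant|deny identity ruletype name [types...];' statements."""
    rules = []
    for statement in text.split(";"):
        tokens = statement.split()
        if not tokens:
            continue
        if tokens[0] not in ("grant", "deny") or len(tokens) < 4:
            raise ValueError(f"malformed update-policy rule: {statement!r}")
        rules.append(Rule(tokens[0], tokens[1], tokens[2], tokens[3],
                          tuple(t.upper() for t in tokens[4:])))
    return rules


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def _krb5_self(rule: Rule, signer, name: str) -> bool:
    """host/<machine>@<REALM> may update only the record named <machine>."""
    if not signer or "@" not in signer:
        return False            # unsigned update: nothing to match against
    principal, realm = signer.rsplit("@", 1)
    service, _, machine = principal.partition("/")
    return (service == "host" and realm == rule.identity
            and _norm(machine) == _norm(name))


def _tcp_self(rule: Rule, client_ip, via_tcp: bool, name: str) -> bool:
    """Over TCP, a client may update only the reverse name of its own address."""
    if not (via_tcp and client_ip):
        return False
    reverse = ipaddress.ip_address(client_ip).reverse_pointer
    identity_ok = rule.identity == "*" or _norm(rule.identity) == reverse
    return identity_ok and _norm(name) == reverse


def update_allowed(policy: str, name: str, rtype: str, signer=None,
                   client_ip=None, via_tcp: bool = False) -> bool:
    """First matching rule decides; no match means the update is REFUSED."""
    rtype = rtype.upper()
    for rule in parse_policy(policy):
        if rule.types:
            if rtype not in rule.types:
                continue
        elif rtype in DEFAULT_EXCLUDED:
            continue
        if rule.ruletype == "krb5-self":
            matched = _krb5_self(rule, signer, name)
        elif rule.ruletype == "tcp-self":
            matched = _tcp_self(rule, client_ip, via_tcp, name)
        else:
            raise NotImplementedError(f"rule type not modelled: {rule.ruletype}")
        if matched:
            return rule.action == "grant"
    return False


if __name__ == "__main__":
    target = "testbook3.int.dplcl.com."
    # Constructed scenarios; the principals are assumed, not taken from the thread.
    cases = {
        "signed as host/ipa-1 (server keytab)": update_allowed(
            FORWARD_POLICY, target, "A",
            signer="host/ipa-1.int.dplcl.com@INT.DPLCL.COM"),
        "signed as host/testbook3 (own keytab)": update_allowed(
            FORWARD_POLICY, target, "A",
            signer="host/testbook3.int.dplcl.com@INT.DPLCL.COM"),
        "unsigned nsupdate": update_allowed(FORWARD_POLICY, target, "A"),
        "tcp-self, PTR for own address": update_allowed(
            TCP_SELF_POLICY, "36.1.0.10.in-addr.arpa.", "PTR",
            client_ip="10.0.1.36", via_tcp=True),
        "tcp-self, forward A record": update_allowed(
            TCP_SELF_POLICY, target, "A", client_ip="10.0.1.36", via_tcp=True),
    }
    for label, allowed in cases.items():
        print(f"{label}: {'granted' if allowed else 'REFUSED'}")
```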
From iulian.roman at gmail.com Fri May 12 13:25:16 2017
From: iulian.roman at gmail.com (Iulian Roman)
Date: Fri, 12 May 2017 15:25:16 +0200
Subject: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
In-Reply-To: <2CA71D6C07ADB544847562573DC6BF062B3D3796@CPEMS-KPN309.KPNCNL.LOCAL>
References: <2CA71D6C07ADB544847562573DC6BF062B3D3796@CPEMS-KPN309.KPNCNL.LOCAL>
Message-ID:

On Fri, May 12, 2017 at 2:32 PM, wrote:

> Hi All,
>
> We're running a POC to integrate IPA and AIX using AIX KRB5LDAP compound
> module.
>
> All the moving parts seem to be working on their own, however logging in
> doesn't work with SSH on AIX reporting Failed password for user
>
> We're using ID views to overwrite the user shell and home dirs. (Since AIX
> will refuse a login with a nonexisting shell (like bash))
>

Why don't you just use the /bin/sh as default shell in IPA? In aix /bin/sh is the same as /bin/ksh and in linux it is a symlink to /bin/bash.

> AIXs lsuser command is able to find all of the users it's supposed to and
> su to IPA users works.
>
> Also when a user tries to log in I can see a successful Kerberos
> conversation to our IPA server.
>
> Tips for troubleshooting would be much appreciated, increasing SSH log
> level did not produce any meaningful logging.
>
> =============== Configuration Excerpt ==============================
> ==================================
>
> /etc/security/ldap/ldap.cfg:
> ldapservers:ipaserver.example.org
> binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
> bindpwd:{DESv2}
> authtype:ldap_auth
> useSSL:TLS
> ldapsslkeyf:/etc/security/ldap/example.kdb
> ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8
> 932F219867AA7C2C552A12BEEC0CC67
> useKRB5:yes
> krbprincipal:host/aixlpar.example.org
> krbkeypath:/etc/krb5/krb5.keytab
> userattrmappath:/etc/security/ldap/2307user.map
> groupattrmappath:/etc/security/ldap/2307group.map
> userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
> groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
> netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
> automountbasedn:cn=default,cn=automount,dc=example,dc=org
> etherbasedn:cn=computers,cn=accounts,dc=example,dc=org
> userclasses:posixaccount,account,shadowaccount
> groupclasses:posixgroup
> ldapport:389
> searchmode:ALL
> defaultentrylocation:LDAP
>
> /etc/security/user default:
> SYSTEM = KRB5LDAP or compat
>

I am using the following settings in /etc/security/user:

SYSTEM = KRB5LDAP
registry = KRB5LDAP

it works for AIX5,6 and 7 in my setup.
> */etc/methods.cfg* > > LDAP: > > program = /usr/lib/security/LDAP > > program_64 =/usr/lib/security/LDAP64 > > NIS: > > program = /usr/lib/security/NIS > > program_64 = /usr/lib/security/NIS_64 > > DCE: > > program = /usr/lib/security/DCE > > KRB5: > > program = /usr/lib/security/KRB5 > > program_64 = /usr/lib/security/KRB5_64 > > options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no, > keep_creds=yes,allow_expired_pwd=no > > > > KRB5LDAP: > > options = auth=KRB5,db=LDAP > > > > > > Met vriendelijke groet, > > Wouter Hummelink > > Technical Consultant - Enterprise Webhosting / Tooling & Automation > > T: +31-6-12882447 > > E: wouter.hummelink at kpn.com > > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > -------------- next part -------------- An HTML attachment was scrubbed... URL: From sbose at redhat.com Fri May 12 13:26:56 2017 From: sbose at redhat.com (Sumit Bose) Date: Fri, 12 May 2017 15:26:56 +0200 Subject: [Freeipa-users] Authenticate on GNOME display manager with freeipa In-Reply-To: <1ae20c67-c9de-f77f-9634-4ae3a9877816@gmail.com> References: <20170510194216.GC17159@p.Speedport_W_724V_Typ_A_05011603_00_011> <4e4cd5a1-7446-12d1-cbe7-33ee689fda94@gmail.com> <20170511115428.GF17159@p.Speedport_W_724V_Typ_A_05011603_00_011> <20170512062911.GE32195@p.Speedport_W_724V_Typ_A_05011603_00_011> <20170512094850.GH32195@p.Speedport_W_724V_Typ_A_05011603_00_011> <6bbd152c-0da2-b78b-7820-5f9eb13ef26b@gmail.com> <20170512105202.GJ32195@p.Speedport_W_724V_Typ_A_05011603_00_011> <1ae20c67-c9de-f77f-9634-4ae3a9877816@gmail.com> Message-ID: <20170512132656.GK32195@p.Speedport_W_724V_Typ_A_05011603_00_011> On Fri, May 12, 2017 at 03:00:42PM +0200, tuxderlinuxfuchs77 at gmail.com wrote: > It worked with pam_mkhomedir. So I don't see anything left to do at the > moment > ah, I thought ... 
> > On 12-May-17 12:52 PM, Sumit Bose wrote: > > On Fri, May 12, 2017 at 12:11:28PM +0200, tuxderlinuxfuchs77 at gmail.com wrote: > >> The directory didn't exist ... meant that pam_mkhomedir didn't create the directory properly. Glad it works for you now. bye, Sumit > > Then I guess that the process doesn't has the needed permissions during > > the session phase anymore. Please try to replace pam_mkhomedir by > > pam_oddjob_mkhomedir. This will try to create the directory via oddjobd > > which runs with higher privileges. > > > > HTH > > > > bye, > > Sumit > > > >> > >> On 12-May-17 11:48 AM, Sumit Bose wrote: > >>> On Fri, May 12, 2017 at 11:25:04AM +0200, tuxderlinuxfuchs77 at gmail.com wrote: > >>>> Thanks! > >>>> > >>>> I followed this manual: > >>>> https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-mkhomedir > >>>> > >>>> added the line > >>>> > >>>> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 > >>>> > >>>> to the file /etc/pam.d/common-session (find attached) > >>>> > >>>> > >>> Have you checked if /home/vmuser1 exists and has the right permissions > >>> so that the user can create files in the directory? 
> >>> > >>> bye, > >>> Sumit > >>> > >> -- > >> Manage your subscription for the Freeipa-users mailing list: > >> https://www.redhat.com/mailman/listinfo/freeipa-users > >> Go to http://freeipa.org for more info on the project > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project From mbasti at redhat.com Fri May 12 13:27:03 2017 From: mbasti at redhat.com (=?UTF-8?Q?Martin_Ba=c5=a1ti?=) Date: Fri, 12 May 2017 15:27:03 +0200 Subject: [Freeipa-users] Fwd: DNS update failing In-Reply-To: References: <28977985-f994-12b1-9b48-65306a0d2c3f@redhat.com> Message-ID: <90750a8f-c47c-b003-282e-2ac60ca2e569@redhat.com> Hello, could you check journalctl -u named-pkcs11 on server, there might be more detailed description why it failed. What do you have configured in /etc/resolv.conf on client side, is there directly IP address of the server? On 12.05.2017 15:04, Jason Sherrill wrote: > Mistakenly failed to post to freeipa-users. > > ---------- Forwarded message ---------- > From: *Jason Sherrill* > > Date: Thu, May 11, 2017 at 9:16 AM > Subject: Re: [Freeipa-users] DNS update failing > To: Martin Ba?ti > > > > Thank you for the assistance, Martin. The reverse zone is working > because of a policy I'd added: grant * tcp-self *. The same entry did > for the the forward zone did not work. I ran the manual update as > described and was refused. It seems GSS-TSIG is working, but the > update is still refused: > > [root at ipa-1 jsherrill]# kinit -kt /etc/krb5.keytab > > [root at ipa-1 jsherrill]# nsupdate -g > > > debug > > > update add testbook3.int.dplcl.com . 
86400 a > 10.0.1.36 > > > > > Reply from SOA query: > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45996 > > ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, > ADDITIONAL: 0 > > ;; QUESTION SECTION: > > ;testbook3.int.dplcl.com .INSOA > > > ;; AUTHORITY SECTION: > > int.dplcl.com .3600INSOAipa-1.int.dplcl.com > . hostmaster.int.dplcl.com > . 1494432187 3600 900 1209600 3600 > > > Found zone name: int.dplcl.com > > The master is: ipa-1.int.dplcl.com > > start_gssrequest > > Found realm from ticket: INT.DPLCL.COM > > send_gssrequest > > Outgoing update query: > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23945 > > ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 > > ;; QUESTION SECTION: > > ;3601322568.sig-ipa-1.int.dplcl.com > . ANYTKEY > > > ;; ADDITIONAL SECTION: > > 3601322568.sig-ipa-1.int.dplcl.com > . 0 ANY TKEYgss-tsig. **** > > > recvmsg reply from GSS-TSIG query > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23945 > > ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 > > ;; QUESTION SECTION: > > ;3601322568.sig-ipa-1.int.dplcl.com > . ANYTKEY > > > ;; ANSWER SECTION: > > 3601322568.sig-ipa-1.int.dplcl.com > . 0 ANY TKEYgss-tsig. **** > > > Sending update to 10.0.1.5#53 > > Outgoing update query: > > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 13230 > > ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1 > > ;; UPDATE SECTION: > > testbook3.int.dplcl.com . > 86400INA10.0.1.36 > > > ;; TSIG PSEUDOSECTION: > > 3601322568.sig-ipa-1.int.dplcl.com > . 0 ANY TSIGgss-tsig. > **** 13230 NOERROR 0 > > > > Reply from update query: > > ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 13230 > > ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1 > > ;; ZONE SECTION: > > ;int.dplcl.com .INSOA > > > ;; TSIG PSEUDOSECTION: > > 3601322568.sig-ipa-1.int.dplcl.com > . 0 ANY TSIGgss-tsig. 
> ****13230 NOERROR 0 > > > On Thu, May 11, 2017 at 4:09 AM, Martin Ba?ti > wrote: > > > > On 10.05.2017 18:38, Jason Sherrill wrote: >> Hello, >> >> I've recently implemented freeIPA in a mixed environment of Mac >> OS 10.12 and Windows 10 with limited issues! >> >> One issue is that updating the reverse zone via nsupdate works >> without issue, updating to the forward zone results in a REFUSED >> status. Below is my zone config, named.conf, and an example of >> client-side behavior. I'm new to nearly all systems involved- >> misconfiguration is likely. Thanks! >> >> >> From freeIPA server: >> >> # ipa dnszone-show int.dplcl.com --all >> >> >> dn: idnsname=int.dplcl.com >> .,cn=dns,dc=int,dc=dplcl,dc=com >> >> Zone name: int.dplcl.com . >> >> Active zone: TRUE >> >> Authoritative nameserver: ipa-1.int.dplcl.com >> . >> >> Administrator e-mail address: hostmaster.int.dplcl.com >> . >> >> SOA serial: 1494344164 >> >> SOA refresh: 3600 >> >> SOA retry: 900 >> >> SOA expire: 1209600 >> >> SOA minimum: 3600 >> >> BIND update policy: grant INT.DPLCL.COM >> krb5-self * A; grant INT.DPLCL.COM >> krb5-self * AAAA; grant INT.DPLCL.COM >> krb5-self * >> >> SSHFP; >> >> Dynamic update: TRUE >> >> Allow query: any; >> >> Allow transfer: none; >> >> Allow PTR sync: TRUE >> >> Allow in-line DNSSEC signing: FALSE >> >> nsrecord: ipa-1.int.dplcl.com . 
>> >> objectclass: idnszone, top, idnsrecord, ipadnszone >> >> >> /etc/named.conf from IPA server: >> >> options { >> >> // turns on IPv6 for port 53, IPv4 is on by default >> for all ifaces >> >> listen-on-v6 {any;}; >> >> >> // Put files that named is allowed to write in the >> data/ directory: >> >> directory "/var/named"; // the default >> >> dump-file "data/cache_dump.db"; >> >> statistics-file "data/named_stats.txt"; >> >> memstatistics-file "data/named_mem_stats.txt"; >> >> >> // Any host is permitted to issue recursive queries >> >> allow-recursion { any; }; >> >> >> tkey-gssapi-keytab "/etc/named.keytab"; >> >> pid-file "/run/named/named.pid"; >> >> >> dnssec-enable no; >> >> dnssec-validation no; >> >> >> /* Path to ISC DLV key */ >> >> bindkeys-file "/etc/named.iscdlv.key"; >> >> >> managed-keys-directory "/var/named/dynamic"; >> >> }; >> >> >> /* If you want to enable debugging, eg. using the 'rndc >> trace' command, >> >> * By default, SELinux policy does not allow named to modify >> the /var/named directory, >> >> * so put the default debug log file in data/ : >> >> */ >> >> logging { >> >> channel default_debug { >> >> file "data/named.run"; >> >> severity dynamic; >> >> print-time yes; >> >> }; >> >> }; >> >> >> zone "." 
IN { >> >> type hint; >> >> file "named.ca "; >> >> }; >> >> >> include "/etc/named.rfc1912.zones"; >> >> include "/etc/named.root.key"; >> >> >> dynamic-db "ipa" { >> >> library "ldap.so"; >> >> arg "uri >> ldapi://%2fvar%2frun%2fslapd-INT-DPLCL-COM.socket"; >> >> arg "base cn=dns, dc=int,dc=dplcl,dc=com"; >> >> arg "server_id ipa-1.int.dplcl.com >> "; >> >> arg "auth_method sasl"; >> >> arg "sasl_mech GSSAPI"; >> >> arg "sasl_user DNS/ipa-1.int.dplcl.com >> "; >> >> arg "serial_autoincrement yes"; >> >> }; >> >> >> >> From client macbook: >> >> testbook3:etc jsherrill$ nsupdate >> >> > debug >> >> > update add testbook3.int.dplcl.com >> 86400 a 10.0.1.36 >> >> > >> >> Reply from SOA query: >> >> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3049 >> >> ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, >> ADDITIONAL: 0 >> >> ;; QUESTION SECTION: >> >> ;testbook3.int.dplcl.com .INSOA >> >> >> ;; AUTHORITY SECTION: >> >> int.dplcl.com >> .0INSOAipa-1.int.dplcl.com >> . hostmaster.int.dplcl.com >> . 1494425173 3600 900 >> 1209600 3600 >> >> >> Found zone name: int.dplcl.com >> >> The master is: ipa-1.int.dplcl.com >> >> Sending update to 10.0.1.5#53 >> >> Outgoing update query: >> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 33167 >> >> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0 >> >> ;; UPDATE SECTION: >> >> testbook3.int.dplcl.com . >> 86400INA10.0.1.36 >> >> >> >> Reply from update query: >> >> ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 33167 >> >> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> >> ;; ZONE SECTION: >> >> ;int.dplcl.com .INSOA >> -- >> >> >> *Jason Sherrill* >> Deeplocal Inc. 
>> mobile: 412-636-2073 >> office: 412-362-0201 >> >> > > > Hello, > > DNS updates are using GSS-TSIG mechanism by default in FreeIPA, so > you cannot use plain nsupdate without providing credentials > > Here is policy, hosts can update only its records using GSS-TSIG > (kerberos) > > BIND update policy: grant INT.DPLCL.COM > krb5-self * A; grant INT.DPLCL.COM > krb5-self * AAAA; grant INT.DPLCL.COM > krb5-self * > > SSHFP; > > So for manual updates via nsupdate, you have to do following steps: > > 1, kinit -kt /etc/krb5.keytab > > 2, nsupdate -g > > ... update A records ... > > I don't know why a reverse zone works for you, you should check > policy of the reverse zone. > > Martin > > -- > Martin Ba?ti > Software Engineer > Red Hat Czech > > > > > -- > > *Jason Sherrill* > Deeplocal Inc. > mobile: 412-636-2073 > office: 412-362-0201 > > > > -- > > *Jason Sherrill* > Deeplocal Inc. > mobile: 412-636-2073 > office: 412-362-0201 > > -- Martin Ba?ti Software Engineer Red Hat Czech -------------- next part -------------- An HTML attachment was scrubbed... URL: From luiz.vianna at tivit.com.br Fri May 12 13:29:31 2017 From: luiz.vianna at tivit.com.br (Luiz Fernando Vianna da Silva) Date: Fri, 12 May 2017 13:29:31 +0000 Subject: [Freeipa-users] IPA Compat + ID Views + AIX 7.1 References: <2CA71D6C07ADB544847562573DC6BF062B3D3796@CPEMS-KPN309.KPNCNL.LOCAL> Message-ID: "Why don't you just use the /bin/sh as default shell in IPA ? In aix /bin/sh is the same as /bin/ksh and in linux it is a symlink to /bin/bash ." Wow, never thought of that, very elegant solution! Atenciosamente/Best Regards __________________________________________ Luiz Fernando Vianna da Silva Em 12-05-2017 10:27, Iulian Roman escreveu: On Fri, May 12, 2017 at 2:32 PM, > wrote: Hi All, We?re running a POC to integrate IPA and AIX using AIX KRB5LDAP compound module. 
All the moving parts seem to be working on their own, however logging in doesn?t work with SSH on AIX reporting Failed password for user We?re using ID views to overwrite the user shell and home dirs. (Since AIX will refuse a login with a nonexisting shell (like bash)) Why don't you just use the /bin/sh as default shell in IPA ? In aix /bin/sh is the same as /bin/ksh and in linux it is a symlink to /bin/bash . AIXs lsuser command is able to find all of the users it?s supposed to and su to IPA users works. Also when a user tries to log in I can see a successful Kerberos conversation to our IPA server. Tips for troubleshooting would be much appreciated, increasing SSH log level did not produce any meaningful logging. =============== Configuration Excerpt ================================================================ /etc/security/ldap/ldap.cfg: ldapservers:ipaserver.example.org binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org bindpwd:{DESv2} authtype:ldap_auth useSSL:TLS ldapsslkeyf:/etc/security/ldap/example.kdb ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8 932F219867AA7C2C552A12BEEC0CC67 useKRB5:yes krbprincipal:host/aixlpar.example.org krbkeypath:/etc/krb5/krb5.keytab userattrmappath:/etc/security/ldap/2307user.map groupattrmappath:/etc/security/ldap/2307group.map userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org automountbasedn:cn=default,cn=automount,dc=example,dc=org etherbasedn:cn=computers,cn=accounts,dc=example,dc=org userclasses:posixaccount,account,shadowaccount groupclasses:posixgroup ldapport:389 searchmode:ALL defaultentrylocation:LDAP /etc/security/user default: SYSTEM = KRB5LDAP or compat I am using the following settings in in /etc/security/user: SYSTEM = KRB5LDAP registry = KRB5LDAP it works for AIX5,6 and 7 in my setup. 
/etc/methods.cfg LDAP: program = /usr/lib/security/LDAP program_64 =/usr/lib/security/LDAP64 NIS: program = /usr/lib/security/NIS program_64 = /usr/lib/security/NIS_64 DCE: program = /usr/lib/security/DCE KRB5: program = /usr/lib/security/KRB5 program_64 = /usr/lib/security/KRB5_64 options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no KRB5LDAP: options = auth=KRB5,db=LDAP Met vriendelijke groet, Wouter Hummelink Technical Consultant - Enterprise Webhosting / Tooling & Automation T: +31-6-12882447 E: wouter.hummelink at kpn.com -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -------------- next part -------------- An HTML attachment was scrubbed... URL: From wouter.hummelink at kpn.com Fri May 12 13:31:40 2017 From: wouter.hummelink at kpn.com (wouter.hummelink at kpn.com) Date: Fri, 12 May 2017 13:31:40 +0000 Subject: [Freeipa-users] IPA Compat + ID Views + AIX 7.1 In-Reply-To: References: <2CA71D6C07ADB544847562573DC6BF062B3D3796@CPEMS-KPN309.KPNCNL.LOCAL>, Message-ID: The shell is shown correctly as ksh in lsuser, so that doesnt appear to be an issue for the ID view. Verzonden vanaf mijn Samsung-apparaat -------- Oorspronkelijk bericht -------- Van: Luiz Fernando Vianna da Silva Datum: 12-05-17 15:03 (GMT+01:00) Aan: "Hummelink, Wouter" , freeipa-users at redhat.com Onderwerp: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1 Hello Wouter. It may seem silly, but try installing bash on one AIX server and test authenticating against that one. Its a single rpm with no dependencies. For me it did the trick and I ended up doing that on all my AIX servers. Let me know how it goes or if you have any issues. 
Best Regards __________________________________________ Luiz Fernando Vianna da Silva Em 12-05-2017 09:47, wouter.hummelink at kpn.com escreveu: Hi All, We?re running a POC to integrate IPA and AIX using AIX KRB5LDAP compound module. All the moving parts seem to be working on their own, however logging in doesn?t work with SSH on AIX reporting Failed password for user We?re using ID views to overwrite the user shell and home dirs. (Since AIX will refuse a login with a nonexisting shell (like bash)) AIXs lsuser command is able to find all of the users it?s supposed to and su to IPA users works. Also when a user tries to log in I can see a successful Kerberos conversation to our IPA server. Tips for troubleshooting would be much appreciated, increasing SSH log level did not produce any meaningful logging. =============== Configuration Excerpt ================================================================ /etc/security/ldap/ldap.cfg: ldapservers:ipaserver.example.org binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org bindpwd:{DESv2} authtype:ldap_auth useSSL:TLS ldapsslkeyf:/etc/security/ldap/example.kdb ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8 932F219867AA7C2C552A12BEEC0CC67 useKRB5:yes krbprincipal:host/aixlpar.example.org krbkeypath:/etc/krb5/krb5.keytab userattrmappath:/etc/security/ldap/2307user.map groupattrmappath:/etc/security/ldap/2307group.map userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org automountbasedn:cn=default,cn=automount,dc=example,dc=org etherbasedn:cn=computers,cn=accounts,dc=example,dc=org userclasses:posixaccount,account,shadowaccount groupclasses:posixgroup ldapport:389 searchmode:ALL defaultentrylocation:LDAP /etc/security/user default: SYSTEM = KRB5LDAP or compat /etc/methods.cfg LDAP: program = /usr/lib/security/LDAP program_64 =/usr/lib/security/LDAP64 NIS: program = 
/usr/lib/security/NIS program_64 = /usr/lib/security/NIS_64 DCE: program = /usr/lib/security/DCE KRB5: program = /usr/lib/security/KRB5 program_64 = /usr/lib/security/KRB5_64 options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no KRB5LDAP: options = auth=KRB5,db=LDAP Met vriendelijke groet, Wouter Hummelink Technical Consultant - Enterprise Webhosting / Tooling & Automation T: +31-6-12882447 E: wouter.hummelink at kpn.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From iulian.roman at gmail.com Fri May 12 13:56:08 2017 From: iulian.roman at gmail.com (Iulian Roman) Date: Fri, 12 May 2017 15:56:08 +0200 Subject: [Freeipa-users] IPA Compat + ID Views + AIX 7.1 In-Reply-To: References: <2CA71D6C07ADB544847562573DC6BF062B3D3796@CPEMS-KPN309.KPNCNL.LOCAL> Message-ID: On Fri, May 12, 2017 at 3:31 PM, wrote: > The shell is shown correctly as ksh in lsuser, so that doesnt appear to be > an issue for the ID view. > My advice would be to start simple ,prove that your authentication works and you can develop a more elaborated setup afterwards. If you combine them all together it will be a trial and error which eventually will work at some point. Do you have the correct keytabs in /etc/krb5/krb5.keytab ? can you run kinit (with password and with the keytab) from aix and get a ticket from Kerberos ? can you su to an IPA account ? do you have GSSAPIAuthentication enabled in sshd_config ? >From what you've described i would suspect that your keytab is not correct , but that should be confirmed only by answering the questions above. > > > > Verzonden vanaf mijn Samsung-apparaat > > > -------- Oorspronkelijk bericht -------- > Van: Luiz Fernando Vianna da Silva > Datum: 12-05-17 15:03 (GMT+01:00) > Aan: "Hummelink, Wouter" , > freeipa-users at redhat.com > Onderwerp: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1 > > Hello Wouter. 
> > It may seem silly, but try installing bash on one AIX server and test > authenticating against that one. > > Its a single rpm with no dependencies. For me it did the trick and I ended > up doing that on all my AIX servers. > > Let me know how it goes or if you have any issues. > > Best Regards > > *__________________________________________* > > *Luiz Fernando Vianna da Silva* > > > Em 12-05-2017 09:47, wouter.hummelink at kpn.com escreveu: > > Hi All, > > > > We?re running a POC to integrate IPA and AIX using AIX KRB5LDAP compound > module. > > All the moving parts seem to be working on their own, however logging in > doesn?t work with SSH on AIX reporting Failed password for user > > > > We?re using ID views to overwrite the user shell and home dirs. (Since AIX > will refuse a login with a nonexisting shell (like bash)) > > AIXs lsuser command is able to find all of the users it?s supposed to and > su to IPA users works. > > Also when a user tries to log in I can see a successful Kerberos > conversation to our IPA server. > > > > Tips for troubleshooting would be much appreciated, increasing SSH log > level did not produce any meaningful logging. 
> > > > =============== Configuration Excerpt ============================== > ================================== > > /etc/security/ldap/ldap.cfg: > > ldapservers:ipaserver.example.org > > binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org > > bindpwd:{DESv2} > > authtype:ldap_auth > > useSSL:TLS > > ldapsslkeyf:/etc/security/ldap/example.kdb > > ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8 > 932F219867AA7C2C552A12BEEC0CC67 > > useKRB5:yes > > krbprincipal:host/aixlpar.example.org > > krbkeypath:/etc/krb5/krb5.keytab > > userattrmappath:/etc/security/ldap/2307user.map > > groupattrmappath:/etc/security/ldap/2307group.map > > userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org > > groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org > > netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org > > automountbasedn:cn=default,cn=automount,dc=example,dc=org > > etherbasedn:cn=computers,cn=accounts,dc=example,dc=org > > userclasses:posixaccount,account,shadowaccount > > groupclasses:posixgroup > > ldapport:389 > > searchmode:ALL > > defaultentrylocation:LDAP > > > > /etc/security/user default: > > SYSTEM = KRB5LDAP or compat > > */etc/methods.cfg* > > LDAP: > > program = /usr/lib/security/LDAP > > program_64 =/usr/lib/security/LDAP64 > > NIS: > > program = /usr/lib/security/NIS > > program_64 = /usr/lib/security/NIS_64 > > DCE: > > program = /usr/lib/security/DCE > > KRB5: > > program = /usr/lib/security/KRB5 > > program_64 = /usr/lib/security/KRB5_64 > > options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no, > keep_creds=yes,allow_expired_pwd=no > > > > KRB5LDAP: > > options = auth=KRB5,db=LDAP > > > > > > Met vriendelijke groet, > > Wouter Hummelink > > Technical Consultant - Enterprise Webhosting / Tooling & Automation > > T: +31-6-12882447 <+31%206%2012882447> > > E: wouter.hummelink at kpn.com > > > > > > -- > Manage your subscription for the Freeipa-users mailing list: > 
https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project >

From wouter.hummelink at kpn.com Fri May 12 14:03:05 2017
From: wouter.hummelink at kpn.com (wouter.hummelink at kpn.com)
Date: Fri, 12 May 2017 14:03:05 +0000
Subject: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
In-Reply-To:
References: <2CA71D6C07ADB544847562573DC6BF062B3D3796@CPEMS-KPN309.KPNCNL.LOCAL>
Message-ID: <2CA71D6C07ADB544847562573DC6BF062B3D39EA@CPEMS-KPN309.KPNCNL.LOCAL>

Yes, kinit works with IPA users. GSSAPI authentication is not keeping it simple, since we want passwords to work before trying TGS based logins over GSSAPI.

The keytab works since lsuser is still able to get user data. (Documentation specifies that enabling krb5 in ldap.cfg makes the bind user and password moot, secldapclntd uses krb5 to identify itself to IPA)

Also we are able to kinit host/aixlpar.example.org@EXAMPLE.ORG -kt /etc/krb5/krb5.keytab

We can try using su from an unprivileged user, but su has some different issues altogether, it doesn't like @ in usernames which we need at the next stage (integrating AD Trust)

From: Iulian Roman [mailto:iulian.roman at gmail.com]
Sent: Friday, 12 May 2017 15:56
To: Hummelink, Wouter
Cc: luiz.vianna at tivit.com.br; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

On Fri, May 12, 2017 at 3:31 PM, > wrote:

The shell is shown correctly as ksh in lsuser, so that doesn't appear to be an issue for the ID view.

My advice would be to start simple, prove that your authentication works and you can develop a more elaborated setup afterwards. If you combine them all together it will be a trial and error which eventually will work at some point.

Do you have the correct keytabs in /etc/krb5/krb5.keytab ? can you run kinit (with password and with the keytab) from aix and get a ticket from Kerberos ?
can you su to an IPA account ? do you have GSSAPIAuthentication enabled in sshd_config ?

From what you've described i would suspect that your keytab is not correct, but that should be confirmed only by answering the questions above.

Sent from my Samsung device

-------- Original message --------
From: Luiz Fernando Vianna da Silva >
Date: 12-05-17 15:03 (GMT+01:00)
To: "Hummelink, Wouter" >, freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

Hello Wouter.

It may seem silly, but try installing bash on one AIX server and test authenticating against that one.

It's a single rpm with no dependencies. For me it did the trick and I ended up doing that on all my AIX servers.

Let me know how it goes or if you have any issues.

Best Regards
__________________________________________
Luiz Fernando Vianna da Silva

On 12-05-2017 09:47, wouter.hummelink at kpn.com wrote:

Hi All,

We're running a POC to integrate IPA and AIX using AIX KRB5LDAP compound module.

All the moving parts seem to be working on their own, however logging in doesn't work with SSH on AIX reporting Failed password for user

We're using ID views to overwrite the user shell and home dirs. (Since AIX will refuse a login with a nonexisting shell (like bash))

AIX's lsuser command is able to find all of the users it's supposed to and su to IPA users works.

Also when a user tries to log in I can see a successful Kerberos conversation to our IPA server.

Tips for troubleshooting would be much appreciated, increasing SSH log level did not produce any meaningful logging.
=============== Configuration Excerpt ================================================================

/etc/security/ldap/ldap.cfg:
ldapservers:ipaserver.example.org
binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
bindpwd:{DESv2}
authtype:ldap_auth
useSSL:TLS
ldapsslkeyf:/etc/security/ldap/example.kdb
ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8 932F219867AA7C2C552A12BEEC0CC67
useKRB5:yes
krbprincipal:host/aixlpar.example.org
krbkeypath:/etc/krb5/krb5.keytab
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
automountbasedn:cn=default,cn=automount,dc=example,dc=org
etherbasedn:cn=computers,cn=accounts,dc=example,dc=org
userclasses:posixaccount,account,shadowaccount
groupclasses:posixgroup
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP

/etc/security/user default:
SYSTEM = KRB5LDAP or compat

/etc/methods.cfg
LDAP:
    program = /usr/lib/security/LDAP
    program_64 =/usr/lib/security/LDAP64
NIS:
    program = /usr/lib/security/NIS
    program_64 = /usr/lib/security/NIS_64
DCE:
    program = /usr/lib/security/DCE
KRB5:
    program = /usr/lib/security/KRB5
    program_64 = /usr/lib/security/KRB5_64
    options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no
KRB5LDAP:
    options = auth=KRB5,db=LDAP

Kind regards,
Wouter Hummelink
Technical Consultant - Enterprise Webhosting / Tooling & Automation
T: +31-6-12882447
E: wouter.hummelink at kpn.com
From tymrehm at gmail.com Fri May 12 14:09:23 2017
From: tymrehm at gmail.com (Tym Rehm)
Date: Fri, 12 May 2017 10:09:23 -0400
Subject: [Freeipa-users] How do you allow Active Directory Users to login to the webgui
Message-ID:

So I'm testing a new freeipa 4.x setup that has a one-way trust to Active Directory. I have been able to define user groups to access the AD groups and configure the groups to work with HBAC rules. So my AD users are able to ssh into the client machines if HBAC allows them to.

The issue I'm having is that I would like to allow the AD users to login to the webgui. I currently have the users defined in the ID views (Default Trust View). I'm only setting the Home Directory at present, should I add to the ID view?

Thanks

--
--
Do not meddle in the affairs of dragons cause you are crunchy and good with ketchup.

From iulian.roman at gmail.com Fri May 12 14:34:31 2017
From: iulian.roman at gmail.com (Iulian Roman)
Date: Fri, 12 May 2017 16:34:31 +0200
Subject: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
In-Reply-To: <2CA71D6C07ADB544847562573DC6BF062B3D39EA@CPEMS-KPN309.KPNCNL.LOCAL>
References: <2CA71D6C07ADB544847562573DC6BF062B3D3796@CPEMS-KPN309.KPNCNL.LOCAL> <2CA71D6C07ADB544847562573DC6BF062B3D39EA@CPEMS-KPN309.KPNCNL.LOCAL>
Message-ID:

On Fri, May 12, 2017 at 4:03 PM, wrote:

> Yes, kinit works with IPA users. GSSAPI authentication is not keeping it > simple, since we want passwords to work before trying TGS based logins over > GSSAPI. > > The keytab works since lsuser is still able to get user data.
> (Documentation specifies that enabling krb5 in ldap.cfg makes the bind user > and password moot, secldapclntd uses krb5 to identify itself to IPA) > > > > Also we are able to kinit host/aixlpar.example.org@EXAMPLE.ORG -kt > /etc/krb5/krb5.keytab >

If your kerberos client works (and it looks like it works as long as you can properly kinit) the only option you have is to check the /var/log/krb5kdc.log on the IPA and /var/log/messages or whatever you have configured in syslog for auth. on the AIX client.

> > > We can try using su from an unprivileged user, but su has some different > issues altogether, it doesn't like @ in usernames which we need at the next > stage (integrating AD Trust) > > > > > > *From:* Iulian Roman [mailto:iulian.roman at gmail.com] > *Sent:* Friday, 12 May 2017 15:56 > *To:* Hummelink, Wouter > *Cc:* luiz.vianna at tivit.com.br; freeipa-users at redhat.com > *Subject:* Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1 > > > > > > > > On Fri, May 12, 2017 at 3:31 PM, wrote: > > The shell is shown correctly as ksh in lsuser, so that doesn't appear to be > an issue for the ID view. > > > > My advice would be to start simple, prove that your authentication works > and you can develop a more elaborated setup afterwards. If you combine them > all together it will be a trial and error which eventually will work at > some point. > > Do you have the correct keytabs in /etc/krb5/krb5.keytab ? can you run > kinit (with password and with the keytab) from aix and get a ticket from > Kerberos ? can you su to an IPA account ? do you have GSSAPIAuthentication > enabled in sshd_config ? > > From what you've described i would suspect that your keytab is not correct > , but that should be confirmed only by answering the questions above.
> > > > > > > > Sent from my Samsung device > > > > -------- Original message -------- > From: Luiz Fernando Vianna da Silva > Date: 12-05-17 15:03 (GMT+01:00) > To: "Hummelink, Wouter" , > freeipa-users at redhat.com > Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1 > > > > Hello Wouter. > > It may seem silly, but try installing bash on one AIX server and test > authenticating against that one. > > It's a single rpm with no dependencies. For me it did the trick and I ended > up doing that on all my AIX servers. > > Let me know how it goes or if you have any issues. > > Best Regards > > *__________________________________________* > > *Luiz Fernando Vianna da Silva* > > > > On 12-05-2017 09:47, wouter.hummelink at kpn.com wrote: > > Hi All, > > > > We're running a POC to integrate IPA and AIX using AIX KRB5LDAP compound > module. > > All the moving parts seem to be working on their own, however logging in > doesn't work with SSH on AIX reporting Failed password for user > > > > We're using ID views to overwrite the user shell and home dirs. (Since AIX > will refuse a login with a nonexisting shell (like bash)) > > AIX's lsuser command is able to find all of the users it's supposed to and > su to IPA users works. > > Also when a user tries to log in I can see a successful Kerberos > conversation to our IPA server. > > > > Tips for troubleshooting would be much appreciated, increasing SSH log > level did not produce any meaningful logging.
> > > > =============== Configuration Excerpt ============================== > ================================== > > /etc/security/ldap/ldap.cfg: > > ldapservers:ipaserver.example.org > > binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org > > bindpwd:{DESv2} > > authtype:ldap_auth > > useSSL:TLS > > ldapsslkeyf:/etc/security/ldap/example.kdb > > ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8 > 932F219867AA7C2C552A12BEEC0CC67 > > useKRB5:yes > > krbprincipal:host/aixlpar.example.org > > krbkeypath:/etc/krb5/krb5.keytab > > userattrmappath:/etc/security/ldap/2307user.map > > groupattrmappath:/etc/security/ldap/2307group.map > > userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org > > groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org > > netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org > > automountbasedn:cn=default,cn=automount,dc=example,dc=org > > etherbasedn:cn=computers,cn=accounts,dc=example,dc=org > > userclasses:posixaccount,account,shadowaccount > > groupclasses:posixgroup > > ldapport:389 > > searchmode:ALL > > defaultentrylocation:LDAP > > > > /etc/security/user default: > > SYSTEM = KRB5LDAP or compat > > */etc/methods.cfg* > > LDAP: > > program = /usr/lib/security/LDAP > > program_64 =/usr/lib/security/LDAP64 > > NIS: > > program = /usr/lib/security/NIS > > program_64 = /usr/lib/security/NIS_64 > > DCE: > > program = /usr/lib/security/DCE > > KRB5: > > program = /usr/lib/security/KRB5 > > program_64 = /usr/lib/security/KRB5_64 > > options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no, > keep_creds=yes,allow_expired_pwd=no > > > > KRB5LDAP: > > options = auth=KRB5,db=LDAP > > > > > > Kind regards, > > Wouter Hummelink > > Technical Consultant - Enterprise Webhosting / Tooling & Automation > > T: +31-6-12882447 > > E: wouter.hummelink at kpn.com > > > > > > > -- > Manage your subscription for the Freeipa-users mailing list: >
https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project > > >

From jason at deeplocal.com Fri May 12 14:34:59 2017
From: jason at deeplocal.com (Jason Sherrill)
Date: Fri, 12 May 2017 10:34:59 -0400
Subject: [Freeipa-users] Fwd: DNS update failing
In-Reply-To: <90750a8f-c47c-b003-282e-2ac60ca2e569@redhat.com>
References: <28977985-f994-12b1-9b48-65306a0d2c3f@redhat.com> <90750a8f-c47c-b003-282e-2ac60ca2e569@redhat.com>
Message-ID:

The following log entry from *named-pkcs11* coincides with update attempts via nsupdate:

May 12 10:07:49 ipa-1.int.dplcl.com named-pkcs11[1350]: client 10.0.1.5#47261/key host/ipa-1.int.dplcl.com\@INT.DPLCL.COM: updating zone 'int.dplcl.com/IN': update failed: rejected by secure update (REFUSED)

The client is running macos X with network services configured to use 10.0.1.5 and the following /etc/resolv.conf:

search int.dplcl.com
nameserver 10.0.1.5
nameserver 8.8.8.8

Thanks!

On Fri, May 12, 2017 at 9:27 AM, Martin Bašti wrote:

> Hello, could you check journalctl -u named-pkcs11 on server, there might > be more detailed description why it failed. What do you have configured in > /etc/resolv.conf on client side, is there directly IP address of the server? > > On 12.05.2017 15:04, Jason Sherrill wrote: > > Mistakenly failed to post to freeipa-users. > > ---------- Forwarded message ---------- > From: Jason Sherrill > Date: Thu, May 11, 2017 at 9:16 AM > Subject: Re: [Freeipa-users] DNS update failing > To: Martin Bašti > > > Thank you for the assistance, Martin. The reverse zone is working because > of a policy I'd added: grant * tcp-self *. The same entry for the > forward zone did not work. I ran the manual update as described and was > refused.
It seems GSS-TSIG is working, but the update is still refused: > > [root at ipa-1 jsherrill]# kinit -kt /etc/krb5.keytab > > [root at ipa-1 jsherrill]# nsupdate -g > > > debug > > > update add testbook3.int.dplcl.com. 86400 a 10.0.1.36 > > > > > Reply from SOA query: > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45996 > > ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 > > ;; QUESTION SECTION: > > ;testbook3.int.dplcl.com. IN SOA > > ;; AUTHORITY SECTION: > > int.dplcl.com. 3600 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com. > 1494432187 3600 900 1209600 3600 > > Found zone name: int.dplcl.com > > The master is: ipa-1.int.dplcl.com > > start_gssrequest > > Found realm from ticket: INT.DPLCL.COM > > send_gssrequest > > Outgoing update query: > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23945 > > ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 > > ;; QUESTION SECTION: > > ;3601322568.sig-ipa-1.int.dplcl.com. ANY TKEY > > ;; ADDITIONAL SECTION: > > 3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TKEY gss-tsig. **** > > recvmsg reply from GSS-TSIG query > > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23945 > > ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 > > ;; QUESTION SECTION: > > ;3601322568.sig-ipa-1.int.dplcl.com. ANY TKEY > > ;; ANSWER SECTION: > > 3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TKEY gss-tsig. **** > > Sending update to 10.0.1.5#53 > > Outgoing update query: > > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 13230 > > ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1 > > ;; UPDATE SECTION: > > testbook3.int.dplcl.com. 86400 IN A 10.0.1.36 > > ;; TSIG PSEUDOSECTION: > > 3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TSIG gss-tsig. **** 13230 > NOERROR 0 > > > Reply from update query: > > ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 13230 > > ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1 > > ;; ZONE SECTION: > > ;int.dplcl.com. 
IN SOA > > ;; TSIG PSEUDOSECTION: > > 3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TSIG gss-tsig. ****13230 > NOERROR 0 > > > On Thu, May 11, 2017 at 4:09 AM, Martin Bašti wrote: > >> >> >> On 10.05.2017 18:38, Jason Sherrill wrote: >> >> Hello, >> >> I've recently implemented freeIPA in a mixed environment of Mac OS 10.12 >> and Windows 10 with limited issues! >> >> One issue is that updating the reverse zone via nsupdate works without >> issue, updating to the forward zone results in a REFUSED status. Below is >> my zone config, named.conf, and an example of client-side behavior. I'm >> new to nearly all systems involved- misconfiguration is likely. Thanks! >> >> >> From freeIPA server: >> >> # ipa dnszone-show int.dplcl.com --all >> >> >> dn: idnsname=int.dplcl.com.,cn=dns,dc=int,dc=dplcl,dc=com >> >> Zone name: int.dplcl.com. >> >> Active zone: TRUE >> >> Authoritative nameserver: ipa-1.int.dplcl.com. >> >> Administrator e-mail address: hostmaster.int.dplcl.com. >> >> SOA serial: 1494344164 >> >> SOA refresh: 3600 >> >> SOA retry: 900 >> >> SOA expire: 1209600 >> >> SOA minimum: 3600 >> >> BIND update policy: grant INT.DPLCL.COM krb5-self * A; grant >> INT.DPLCL.COM krb5-self * AAAA; grant INT.DPLCL.COM krb5-self * >> >> SSHFP; >> >> Dynamic update: TRUE >> >> Allow query: any; >> >> Allow transfer: none; >> >> Allow PTR sync: TRUE >> >> Allow in-line DNSSEC signing: FALSE >> >> nsrecord: ipa-1.int.dplcl.com.
>> >> objectclass: idnszone, top, idnsrecord, ipadnszone >> >> /etc/named.conf from IPA server: >> >> options { >> >> // turns on IPv6 for port 53, IPv4 is on by default for all ifaces >> >> listen-on-v6 {any;}; >> >> // Put files that named is allowed to write in the data/ directory: >> >> directory "/var/named"; // the default >> >> dump-file "data/cache_dump.db"; >> >> statistics-file "data/named_stats.txt"; >> >> memstatistics-file "data/named_mem_stats.txt"; >> >> // Any host is permitted to issue recursive queries >> >> allow-recursion { any; }; >> >> tkey-gssapi-keytab "/etc/named.keytab"; >> >> pid-file "/run/named/named.pid"; >> >> dnssec-enable no; >> >> dnssec-validation no; >> >> /* Path to ISC DLV key */ >> >> bindkeys-file "/etc/named.iscdlv.key"; >> >> managed-keys-directory "/var/named/dynamic"; >> >> }; >> >> /* If you want to enable debugging, eg. using the 'rndc trace' command, >> >> * By default, SELinux policy does not allow named to modify the >> /var/named directory, >> >> * so put the default debug log file in data/ : >> >> */ >> >> logging { >> >> channel default_debug { >> >> file "data/named.run"; >> >> severity dynamic; >> >> print-time yes; >> >> }; >> >> }; >> >> zone "." 
IN { >> >> type hint; >> >> file "named.ca"; >> >> }; >> >> include "/etc/named.rfc1912.zones"; >> >> include "/etc/named.root.key"; >> >> dynamic-db "ipa" { >> >> library "ldap.so"; >> >> arg "uri ldapi://%2fvar%2frun%2fslapd-INT-DPLCL-COM.socket"; >> >> arg "base cn=dns, dc=int,dc=dplcl,dc=com"; >> >> arg "server_id ipa-1.int.dplcl.com"; >> >> arg "auth_method sasl"; >> >> arg "sasl_mech GSSAPI"; >> >> arg "sasl_user DNS/ipa-1.int.dplcl.com"; >> >> arg "serial_autoincrement yes"; >> >> }; >> >> >> From client macbook: >> >> testbook3:etc jsherrill$ nsupdate >> >> > debug >> >> > update add testbook3.int.dplcl.com 86400 a 10.0.1.36 >> >> > >> >> Reply from SOA query: >> >> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3049 >> >> ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 >> >> ;; QUESTION SECTION: >> >> ;testbook3.int.dplcl.com. IN SOA >> >> ;; AUTHORITY SECTION: >> >> int.dplcl.com. 0 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com. >> 1494425173 3600 900 1209600 3600 >> >> Found zone name: int.dplcl.com >> >> The master is: ipa-1.int.dplcl.com >> >> Sending update to 10.0.1.5#53 >> >> Outgoing update query: >> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 33167 >> >> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0 >> >> ;; UPDATE SECTION: >> >> testbook3.int.dplcl.com. 86400 IN A 10.0.1.36 >> >> >> Reply from update query: >> >> ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 33167 >> >> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> >> ;; ZONE SECTION: >> ;int.dplcl.com. >> >> ... > > [Message clipped] -- *Jason Sherrill* Deeplocal Inc. mobile: 412-636-2073 <(412)%20636-2073> office: 412-362-0201 <(412)%20362-0201> -------------- next part -------------- An HTML attachment was scrubbed... 
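Why the update signed with the IPA server's own host key is refused under the zone's krb5-self policy, shown as an added example (not code from the thread, BIND or FreeIPA). It uses the policy, log entry and nsupdate line quoted in the thread, and assumes a simplified model of krb5-self: a host/<fqdn>@REALM principal may update only records owned by <fqdn>, for the listed types.

```python
import re

# Copied from the thread: the zone's BIND update policy, the named-pkcs11
# log entry, and the nsupdate command that was refused.
UPDATE_POLICY = (
    "grant INT.DPLCL.COM krb5-self * A; "
    "grant INT.DPLCL.COM krb5-self * AAAA; "
    "grant INT.DPLCL.COM krb5-self * SSHFP;"
)
LOG_LINE = (
    r"May 12 10:07:49 ipa-1.int.dplcl.com named-pkcs11[1350]: client "
    r"10.0.1.5#47261/key host/ipa-1.int.dplcl.com\@INT.DPLCL.COM: updating zone "
    r"'int.dplcl.com/IN': update failed: rejected by secure update (REFUSED)"
)
UPDATE_CMD = "update add testbook3.int.dplcl.com. 86400 a 10.0.1.36"

LOG_RE = re.compile(
    r"client (?P<addr>[^#\s]+)#\d+/key (?P<key>\S+): updating zone "
    r"'(?P<zone>[^'/]+)/IN': update failed: (?P<reason>.+)$"
)
# Types a rule never covers when it lists no types at all (BIND's default).
DEFAULT_EXCLUDED = {"RRSIG", "NS", "SOA", "NSEC", "NSEC3"}


def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def parse_policy(text):
    """Split an update-policy string into (action, identity, matchtype, name, types)."""
    rules = []
    for stmt in filter(None, (s.strip() for s in text.split(";"))):
        action, identity, matchtype, name, *types = stmt.split()
        rules.append((action, identity, matchtype, name, {t.upper() for t in types}))
    return rules


def parse_principal(principal):
    """Return (service, host, realm); named logs the '@' as '\\@'."""
    name, _, realm = principal.replace("\\@", "@").rpartition("@")
    service, _, host = name.partition("/")
    return service, norm(host), realm


def parse_log(line):
    """Extract client address, signing key, zone and reason from a refusal entry."""
    match = LOG_RE.search(line)
    return match.groupdict() if match else None


def parse_update(cmd):
    """Return (owner name, record type) from an nsupdate 'update add' line."""
    _, _, owner, _ttl, rtype, *_ = cmd.split()
    return norm(owner), rtype.upper()


def krb5_self_allows(rules, principal, owner, rtype):
    """True if a grant ... krb5-self rule lets this principal update owner/rtype."""
    service, host, realm = parse_principal(principal)
    rtype = rtype.upper()
    for action, identity, matchtype, _name, types in rules:
        if action != "grant" or matchtype != "krb5-self":
            continue
        type_ok = rtype in types if types else rtype not in DEFAULT_EXCLUDED
        # Simplified model: the signer must be host/<owner>@<identity realm>.
        if service == "host" and realm == identity and host == norm(owner) and type_ok:
            return True
    return False


def explain(log_line, update_cmd, policy_text):
    """Compare the key that signed the update with the name it tried to change."""
    entry = parse_log(log_line)
    owner, rtype = parse_update(update_cmd)
    allowed = krb5_self_allows(parse_policy(policy_text), entry["key"], owner, rtype)
    _, signer, _ = parse_principal(entry["key"])
    return {"signer": signer, "owner": owner, "type": rtype, "allowed": allowed}


if __name__ == "__main__":
    print(explain(LOG_LINE, UPDATE_CMD, UPDATE_POLICY))
```

The signer (ipa-1) and the record owner (testbook3) differ, so no krb5-self rule matches and the server answers REFUSED even though GSS-TSIG authentication succeeded.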
From wouter.hummelink at kpn.com Fri May 12 14:36:41 2017
From: wouter.hummelink at kpn.com (wouter.hummelink at kpn.com)
Date: Fri, 12 May 2017 14:36:41 +0000
Subject: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
In-Reply-To:
References: <2CA71D6C07ADB544847562573DC6BF062B3D3796@CPEMS-KPN309.KPNCNL.LOCAL> <2CA71D6C07ADB544847562573DC6BF062B3D39EA@CPEMS-KPN309.KPNCNL.LOCAL>
Message-ID: <2CA71D6C07ADB544847562573DC6BF062B3D3A89@CPEMS-KPN309.KPNCNL.LOCAL>

Krb5kdc issues tickets on correct passwords, and errors out on incorrect ones.

syslog didn't reveal any clear hints except "failed password for " from SSH

Is there any way for AIX native auth to be more verbose?

From: Iulian Roman [mailto:iulian.roman at gmail.com]
Sent: Friday, 12 May 2017 16:35
To: Hummelink, Wouter
Cc: luiz.vianna at tivit.com.br; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

On Fri, May 12, 2017 at 4:03 PM, > wrote:

Yes, kinit works with IPA users. GSSAPI authentication is not keeping it simple, since we want passwords to work before trying TGS based logins over GSSAPI.

The keytab works since lsuser is still able to get user data. (Documentation specifies that enabling krb5 in ldap.cfg makes the bind user and password moot, secldapclntd uses krb5 to identify itself to IPA)

Also we are able to kinit host/aixlpar.example.org@EXAMPLE.ORG -kt /etc/krb5/krb5.keytab

If your kerberos client works (and it looks like it works as long as you can properly kinit) the only option you have is to check the /var/log/krb5kdc.log on the IPA and /var/log/messages or whatever you have configured in syslog for auth. on the AIX client.
We can try using su from an unprivileged user, but su has some different issues altogether, it doesn't like @ in usernames which we need at the next stage (integrating AD Trust)

From: Iulian Roman [mailto:iulian.roman at gmail.com]
Sent: Friday, 12 May 2017 15:56
To: Hummelink, Wouter
Cc: luiz.vianna at tivit.com.br; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

On Fri, May 12, 2017 at 3:31 PM, > wrote:

The shell is shown correctly as ksh in lsuser, so that doesn't appear to be an issue for the ID view.

My advice would be to start simple, prove that your authentication works and you can develop a more elaborated setup afterwards. If you combine them all together it will be a trial and error which eventually will work at some point.

Do you have the correct keytabs in /etc/krb5/krb5.keytab ? can you run kinit (with password and with the keytab) from aix and get a ticket from Kerberos ? can you su to an IPA account ? do you have GSSAPIAuthentication enabled in sshd_config ?

From what you've described i would suspect that your keytab is not correct, but that should be confirmed only by answering the questions above.

Sent from my Samsung device

-------- Original message --------
From: Luiz Fernando Vianna da Silva >
Date: 12-05-17 15:03 (GMT+01:00)
To: "Hummelink, Wouter" >, freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

Hello Wouter.

It may seem silly, but try installing bash on one AIX server and test authenticating against that one.

It's a single rpm with no dependencies. For me it did the trick and I ended up doing that on all my AIX servers.

Let me know how it goes or if you have any issues.

Best Regards
__________________________________________
Luiz Fernando Vianna da Silva

On 12-05-2017 09:47, wouter.hummelink at kpn.com wrote:

Hi All,

We're running a POC to integrate IPA and AIX using AIX KRB5LDAP compound module.
All the moving parts seem to be working on their own, however logging in doesn't work with SSH on AIX reporting Failed password for user

We're using ID views to overwrite the user shell and home dirs. (Since AIX will refuse a login with a nonexisting shell (like bash))

AIX's lsuser command is able to find all of the users it's supposed to and su to IPA users works.

Also when a user tries to log in I can see a successful Kerberos conversation to our IPA server.

Tips for troubleshooting would be much appreciated, increasing SSH log level did not produce any meaningful logging.

=============== Configuration Excerpt ================================================================

/etc/security/ldap/ldap.cfg:
ldapservers:ipaserver.example.org
binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
bindpwd:{DESv2}
authtype:ldap_auth
useSSL:TLS
ldapsslkeyf:/etc/security/ldap/example.kdb
ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8 932F219867AA7C2C552A12BEEC0CC67
useKRB5:yes
krbprincipal:host/aixlpar.example.org
krbkeypath:/etc/krb5/krb5.keytab
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
automountbasedn:cn=default,cn=automount,dc=example,dc=org
etherbasedn:cn=computers,cn=accounts,dc=example,dc=org
userclasses:posixaccount,account,shadowaccount
groupclasses:posixgroup
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP

/etc/security/user default:
SYSTEM = KRB5LDAP or compat

/etc/methods.cfg
LDAP:
    program = /usr/lib/security/LDAP
    program_64 =/usr/lib/security/LDAP64
NIS:
    program = /usr/lib/security/NIS
    program_64 = /usr/lib/security/NIS_64
DCE:
    program = /usr/lib/security/DCE
KRB5:
    program = /usr/lib/security/KRB5
    program_64 = /usr/lib/security/KRB5_64
    options =
authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no
KRB5LDAP:
    options = auth=KRB5,db=LDAP

Kind regards,
Wouter Hummelink
Technical Consultant - Enterprise Webhosting / Tooling & Automation
T: +31-6-12882447
E: wouter.hummelink at kpn.com

From jason at deeplocal.com Fri May 12 14:49:46 2017
From: jason at deeplocal.com (Jason Sherrill)
Date: Fri, 12 May 2017 10:49:46 -0400
Subject: [Freeipa-users] Fwd: DNS update failing
In-Reply-To:
References: <28977985-f994-12b1-9b48-65306a0d2c3f@redhat.com> <90750a8f-c47c-b003-282e-2ac60ca2e569@redhat.com>
Message-ID:

I apologize, nsupdate is working as intended, I was attempting to update a client from the host ipa.

I've a separate issue from clients when running

testbook3:etc jsherrill$ kinit -kt /etc/krb5.keytab

Thanks again!

On Fri, May 12, 2017 at 10:34 AM, Jason Sherrill wrote:

> The following log entry from *named-pkcs11* coincides with update > attempts via nsupdate: > > > May 12 10:07:49 ipa-1.int.dplcl.com named-pkcs11[1350]: client > 10.0.1.5#47261/key host/ipa-1.int.dplcl.com\@INT.DPLCL.COM: updating zone > 'int.dplcl.com/IN': update failed: rejected by secure update (REFUSED) > > The client is running macos X with network services configured to use > 10.0.1.5 and the following /etc/resolv.conf: > > search int.dplcl.com > > nameserver 10.0.1.5 > > nameserver 8.8.8.8 > > > Thanks! > > > On Fri, May 12, 2017 at 9:27 AM, Martin Bašti wrote: > >> Hello, could you check journalctl -u named-pkcs11 on server, there might >> be more detailed description why it failed. What do you have configured in >> /etc/resolv.conf on client side, is there directly IP address of the server?
>> >> On 12.05.2017 15:04, Jason Sherrill wrote: >> >> Mistakenly failed to post to freeipa-users. >> >> ---------- Forwarded message ---------- >> From: Jason Sherrill >> Date: Thu, May 11, 2017 at 9:16 AM >> Subject: Re: [Freeipa-users] DNS update failing >> To: Martin Bašti >> >> >> Thank you for the assistance, Martin. The reverse zone is working because >> of a policy I'd added: grant * tcp-self *. The same entry for the >> forward zone did not work. I ran the manual update as described and was >> refused. It seems GSS-TSIG is working, but the update is still refused: >> >> [root at ipa-1 jsherrill]# kinit -kt /etc/krb5.keytab >> >> [root at ipa-1 jsherrill]# nsupdate -g >> >> > debug >> >> > update add testbook3.int.dplcl.com. 86400 a 10.0.1.36 >> >> > >> >> Reply from SOA query: >> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45996 >> >> ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 >> >> ;; QUESTION SECTION: >> >> ;testbook3.int.dplcl.com. IN SOA >> >> ;; AUTHORITY SECTION: >> >> int.dplcl.com. 3600 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com. >> 1494432187 3600 900 1209600 3600 >> >> Found zone name: int.dplcl.com >> >> The master is: ipa-1.int.dplcl.com >> >> start_gssrequest >> >> Found realm from ticket: INT.DPLCL.COM >> >> send_gssrequest >> >> Outgoing update query: >> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23945 >> >> ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 >> >> ;; QUESTION SECTION: >> >> ;3601322568.sig-ipa-1.int.dplcl.com. ANY TKEY >> >> ;; ADDITIONAL SECTION: >> >> 3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TKEY gss-tsig. **** >> >> recvmsg reply from GSS-TSIG query >> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23945 >> >> ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 >> >> ;; QUESTION SECTION: >> >> ;3601322568.sig-ipa-1.int.dplcl.com. ANY TKEY >> >> ;; ANSWER SECTION: >> >> 3601322568.sig-ipa-1.int.dplcl.com.
0 ANY TKEY gss-tsig. **** >> >> Sending update to 10.0.1.5#53 >> >> Outgoing update query: >> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 13230 >> >> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1 >> >> ;; UPDATE SECTION: >> >> testbook3.int.dplcl.com. 86400 IN A 10.0.1.36 >> >> ;; TSIG PSEUDOSECTION: >> >> 3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TSIG gss-tsig. **** 13230 >> NOERROR 0 >> >> >> Reply from update query: >> >> ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 13230 >> >> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1 >> >> ;; ZONE SECTION: >> >> ;int.dplcl.com. IN SOA >> >> ;; TSIG PSEUDOSECTION: >> >> 3601322568.sig-ipa-1.int.dplcl.com. 0 ANY TSIG gss-tsig. ****13230 >> NOERROR 0 >> >> >> On Thu, May 11, 2017 at 4:09 AM, Martin Bašti wrote: >> >>> >>> >>> On 10.05.2017 18:38, Jason Sherrill wrote: >>> >>> Hello, >>> >>> I've recently implemented freeIPA in a mixed environment of Mac OS 10.12 >>> and Windows 10 with limited issues! >>> >>> One issue is that updating the reverse zone via nsupdate works without >>> issue, updating to the forward zone results in a REFUSED status. Below is >>> my zone config, named.conf, and an example of client-side behavior. I'm >>> new to nearly all systems involved- misconfiguration is likely. Thanks! >>> >>> >>> From freeIPA server: >>> >>> # ipa dnszone-show int.dplcl.com --all >>> >>> >>> dn: idnsname=int.dplcl.com.,cn=dns,dc=int,dc=dplcl,dc=com >>> >>> Zone name: int.dplcl.com. >>> >>> Active zone: TRUE >>> >>> Authoritative nameserver: ipa-1.int.dplcl.com. >>> >>> Administrator e-mail address: hostmaster.int.dplcl.com.
>>> SOA serial: 1494344164
>>> SOA refresh: 3600
>>> SOA retry: 900
>>> SOA expire: 1209600
>>> SOA minimum: 3600
>>> BIND update policy: grant INT.DPLCL.COM krb5-self * A; grant INT.DPLCL.COM krb5-self * AAAA; grant INT.DPLCL.COM krb5-self * SSHFP;
>>> Dynamic update: TRUE
>>> Allow query: any;
>>> Allow transfer: none;
>>> Allow PTR sync: TRUE
>>> Allow in-line DNSSEC signing: FALSE
>>> nsrecord: ipa-1.int.dplcl.com.
>>> objectclass: idnszone, top, idnsrecord, ipadnszone
>>>
>>> /etc/named.conf from IPA server:
>>>
>>> options {
>>>         // turns on IPv6 for port 53, IPv4 is on by default for all ifaces
>>>         listen-on-v6 {any;};
>>>
>>>         // Put files that named is allowed to write in the data/ directory:
>>>         directory "/var/named"; // the default
>>>         dump-file "data/cache_dump.db";
>>>         statistics-file "data/named_stats.txt";
>>>         memstatistics-file "data/named_mem_stats.txt";
>>>
>>>         // Any host is permitted to issue recursive queries
>>>         allow-recursion { any; };
>>>
>>>         tkey-gssapi-keytab "/etc/named.keytab";
>>>         pid-file "/run/named/named.pid";
>>>
>>>         dnssec-enable no;
>>>         dnssec-validation no;
>>>
>>>         /* Path to ISC DLV key */
>>>         bindkeys-file "/etc/named.iscdlv.key";
>>>
>>>         managed-keys-directory "/var/named/dynamic";
>>> };
>>>
>>> /* If you want to enable debugging, eg. using the 'rndc trace' command,
>>>  * By default, SELinux policy does not allow named to modify the /var/named directory,
>>>  * so put the default debug log file in data/ :
>>>  */
>>> logging {
>>>         channel default_debug {
>>>                 file "data/named.run";
>>>                 severity dynamic;
>>>                 print-time yes;
>>>         };
>>> };
>>>
>>> zone "." IN {
>>>         type hint;
>>>         file "named.ca";
>>> };
>>>
>>> include "/etc/named.rfc1912.zones";
>>> include "/etc/named.root.key";
>>>
>>> dynamic-db "ipa" {
>>>         library "ldap.so";
>>>         arg "uri ldapi://%2fvar%2frun%2fslapd-INT-DPLCL-COM.socket";
>>>         arg "base cn=dns, dc=int,dc=dplcl,dc=com";
>>>         arg "server_id ipa-1.int.dplcl.com";
>>>         arg "auth_method sasl";
>>>         arg "sasl_mech GSSAPI";
>>>         arg "sasl_user DNS/ipa-1.int.dplcl.com";
>>>         arg "serial_autoincrement yes";
>>> };
>>>
>>> From client macbook:
>>>
>>> testbook3:etc jsherrill$ nsupdate
>>> > debug
>>> > update add testbook3.int.dplcl.com 86400 a 10.0.1.36
>>> >
>>> Reply from SOA query:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3049
>>> ;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>> ;; QUESTION SECTION:
>>> ;testbook3.int.dplcl.com. IN SOA
>>>
>>> ;; AUTHORITY SECTION:
>>> int.dplcl.com. 0 IN SOA ipa-1.int.dplcl.com. hostmaster.int.dplcl.com. 1494425173 3600 900 1209600 3600
>>>
>>> Found zone name: int.dplcl.com
>>> The master is: ipa-1.int.dplcl.com
>>> Sending update to 10.0.1.5#53
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 33167
>>> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> testbook3.int.dplcl.com. 86400 IN A 10.0.1.36
>>>
>>> Reply from update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 33167
>>> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; ZONE SECTION:
>>> ;int.dplcl.com.
>>>
>>> ...
>>
>> [Message clipped]
>
> --
> *Jason Sherrill*
> Deeplocal Inc.
> mobile: 412-636-2073
> office: 412-362-0201

--
*Jason Sherrill*
Deeplocal Inc.
mobile: 412-636-2073
office: 412-362-0201

From flo at redhat.com Fri May 12 15:29:20 2017
From: flo at redhat.com (Florence Blanc-Renaud)
Date: Fri, 12 May 2017 17:29:20 +0200
Subject: [Freeipa-users] How do you allow Active Directory Users to login to the webgui
In-Reply-To:
References:
Message-ID: <8b845edf-25eb-5024-d021-6a6580e0f7bb@redhat.com>

On 05/12/2017 04:09 PM, Tym Rehm wrote:
> So I'm testing a new freeipa 4.x setup that has a one-way trust to
> Active Directory. I have been able to define user groups to access the
> AD groups and configure the groups to work with HBAC rules. So my AD
> users are able to ssh into the client machines if HBAC allows them to.
>
> The issue I'm having is that I would like to allow the AD users to login
> to the webgui. I currently have the users in the defined in the ID views
> (Default Trust View). I'm only setting the Home Directory at present,
> should I add to the ID view?
>
> Thanks
>
> --
> --
> Do not meddle in the affairs of dragons cause you are crunchy and good
> with ketchup.
>

Hi Tym,

this feature is available since FreeIPA 4.5.1 (see ticket 3242 [1]). You
need to define an idoverrideuser for each AD user with:

$ ipa idoverrideuser-add 'Default Trust View' aduser@ad-domain.com

HTH,
Flo.

[1] https://pagure.io/freeipa/issue/3242

From abokovoy at redhat.com Fri May 12 16:14:04 2017
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Fri, 12 May 2017 19:14:04 +0300
Subject: [Freeipa-users] How do you allow Active Directory Users to login to the webgui
In-Reply-To:
References:
Message-ID: <20170512161404.jfstgbi5wd3wta7z@redhat.com>

On Fri, 12 May 2017, Tym Rehm wrote:
>So I'm testing a new freeipa 4.x setup that has a one-way trust to Active
>Directory. I have been able to define user groups to access the AD groups
>and configure the groups to work with HBAC rules.
>So my AD users are able
>to ssh into the client machines if HBAC allows them to.
>
>The issue I'm having is that I would like to allow the AD users to login to
>the webgui. I currently have the users in the defined in the ID views
>(Default Trust View). I'm only setting the Home Directory at present,
>should I add to the ID view?

As Flo pointed out, login to web UI as AD user only works in FreeIPA
4.5.1+. If you have 4.4, you can only get AD users to access IPA CLI. To
do that you only need to create ID override as admin:

  ipa idoverrideuser-add 'Default Trust View' user@AD.TEST

Just creating an ID override without anything else is enough.

Web UI support for AD users' self-service is only in 4.5.1+ which is
currently not packaged anywhere, I guess.
--
/ Alexander Bokovoy

From robert.l.harris at gmail.com Fri May 12 16:36:13 2017
From: robert.l.harris at gmail.com (Robert L. Harris)
Date: Fri, 12 May 2017 16:36:13 +0000
Subject: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7
In-Reply-To:
References: <17824237-3beb-a5c1-0d6c-d9a1051eddce@redhat.com>
Message-ID:

Hmmm

{0}:/var/log>ls
anaconda btmp dmesg grubby maillog ppp secure tallylog wtmp
audit cron dmesg.old grubby_prune_debug messages rhsm spooler tuned yum.log
boot.log cups firewalld lastlog ntpstats samba sssd vmware-vmsvc.log

root@ipa
{1}:/var/log>rpm -q -l http
package http is not installed

root@ipa
{1}:/var/log>rpm -q -a | grep -i http
perl-HTTP-Tiny-0.033-3.el7.noarch

root@ipa
{0}:/var/log>rpm -q -a | grep -i tomcat

Doesn't look like an httpd was installed as a dependency?

On Fri, May 12, 2017 at 1:17 AM Martin Bašti wrote:

> That's weird, it should be super fast, anything in
> /var/log/httpd/error_log?
>
> On 11.05.2017 22:23, Robert L. Harris wrote:
>
> Odd, must have clicked reply instead of reply-all.
>
> Anyway, I did the revert and re-install.
> Actual install went through fine
> then the "ipa-server-install" ran until this:
>
> [8/9]: restoring configuration
> [9/9]: starting directory server
> Done.
> Restarting the directory server
> Restarting the KDC
> Please add records in this file to your DNS system: /tmp/ipa.system.records.v5Jwrt.db
> Restarting the web server
> Configuring client side components
> Using existing certificate '/etc/ipa/ca.crt'.
> Client hostname: ipa.rdlg.net
> Realm: RDLG.NET
> DNS Domain: rdlg.net
> IPA Server: ipa.rdlg.net
> BaseDN: dc=rdlg,dc=net
>
> Skipping synchronizing time with NTP server.
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> trying https://ipa.rdlg.net/ipa/json
> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>
> It's been sitting there for a while ( 4 hours? ) I don't see anything in
> the ipaserver-install.log, but it's here: https://pastebin.com/biK1Dmv7
>
> On Thu, May 11, 2017 at 8:12 AM Martin Bašti wrote:
>
>> Please keep freeipa-users in CC
>>
>> Snapshot is always better, so I suggest to use it. Otherwise there is an
>> option --ignore-last-of-role to unblock uninstallation.
>>
>> Martin
>>
>> On 11.05.2017 16:00, Robert L. Harris wrote:
>>
>> Looks like you hit it, apache didn't have a group:
>>
>> -- Logs begin at Wed 2017-05-10 19:56:27 MDT, end at Thu 2017-05-11 07:48:27 MDT. --
>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Starting The Apache HTTP Server...
>> May 10 20:36:00 ipa.rdlg.net ipa-httpd-kdcproxy[28808]: ipa : INFO KDC proxy enabled
>> May 10 20:36:00 ipa.rdlg.net httpd[28809]: AH00544: httpd: bad group name apache
>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
>> May 10 20:36:00 ipa.rdlg.net kill[28812]: kill: cannot find process ""
>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: control process exited, code=exited status=1
>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Failed to start The Apache HTTP Server.
>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Unit httpd.service entered failed state.
>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service failed.
>>
>> Thanks, didn't know that command. I tried to continue the process:
>>
>> {0}:/root>ipa-server-install
>>
>> The log file for this installation can be found in /var/log/ipaserver-install.log
>> ipa.ipapython.install.cli.install_tool(Server): ERROR IPA server is already configured on this system.
>> If you want to reinstall the IPA server, please uninstall it first using 'ipa-server-install --uninstall'.
>> ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
>>
>> root@ipa
>> {1}:/root>ipa-server-install --uninstall
>>
>> This is a NON REVERSIBLE operation and will delete all data and configuration!
>>
>> Are you sure you want to continue with the uninstall procedure? [no]: yes
>> ipa : ERROR Server removal aborted: Deleting this server is not allowed as it would leave your installation without a CA..
>>
>> This is a VM and I took a snapshot right before I started the install, so
>> I can revert, just make sure to add the apache user before starting the
>> install. Or if you have a better command to continue the
>> clean-up/install.....
>>
>> On Thu, May 11, 2017 at 2:19 AM Martin Bašti wrote:
>>
>>> Hello,
>>>
>>> comments inline
>>>
>>> On 11.05.2017 06:06, Robert L. Harris wrote:
>>>
>>> Sigh... Sorry, it's been a long day, I thought I put that log in the
>>> first pastebin. It's in this one: https://pastebin.com/18PAXXNS
>>>
>>> Could you please provide journalctl -u httpd and
>>> /var/log/httpd/error_log ?
>>>
>>> Also,
>>> Anyone else get the constant spam when mailing this list? Got an
>>> address to block for it?
>>>
>>> Sorry for that, there is a bot mining public archives. We plan to
>>> resolve this issue but it may take time as we are not maintaining our
>>> mailman.
>>>
>>> Martin
>>>
>>> Robert
>>>
>>> On Wed, May 10, 2017 at 9:56 PM Lachlan Musicman wrote:
>>>
>>>> Robert, did you look in /var/log/ipaserver-install.log as it says?
>>>>
>>>> Was there any other information?
>>>>
>>>> cheers
>>>> L.
>>>>
>>>> ------
>>>> "Mission Statement: To provide hope and inspiration for collective
>>>> action, to build collective power, to achieve collective transformation,
>>>> rooted in grief and rage but pointed towards vision and dreams."
>>>>
>>>> - Patrice Cullors, *Black Lives Matter founder*
>>>>
>>>> On 11 May 2017 at 13:24, Robert L. Harris wrote:
>>>>
>>>>> Ok, I gave up on Ubuntu. I'm now trying the latest CentOS7. I built
>>>>> out a "minimal server" with some normal base packages which did include the
>>>>> freeipa-client but otherwise, just standard tools.
>>>>> Here's a pastebin of
>>>>> the output of the install: https://pastebin.com/zAWCgkUU
>>>>>
>>>>> Robert
>>>
>>> --
>>> Martin Bašti
>>> Software Engineer
>>> Red Hat Czech
>>
>> --
>> Martin Bašti
>> Software Engineer
>> Red Hat Czech
>
> --
> Martin Bašti
> Software Engineer
> Red Hat Czech

From rcritten at redhat.com Fri May 12 17:14:21 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Fri, 12 May 2017 13:14:21 -0400
Subject: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7
In-Reply-To:
References: <17824237-3beb-a5c1-0d6c-d9a1051eddce@redhat.com>
Message-ID: <05a8f23b-66e7-628d-f19a-b80ca01a6850@redhat.com>

Robert L. Harris wrote:
>
> Hmmm
>
> {0}:/var/log>ls
> anaconda btmp dmesg grubby maillog ppp secure tallylog wtmp
> audit cron dmesg.old grubby_prune_debug messages rhsm spooler tuned yum.log
> boot.log cups firewalld lastlog ntpstats samba sssd vmware-vmsvc.log
>
> root@ipa
> {1}:/var/log>rpm -q -l http
> package http is not installed
>
> root@ipa
> {1}:/var/log>rpm -q -a | grep -i http
> perl-HTTP-Tiny-0.033-3.el7.noarch
>
> root@ipa
> {0}:/var/log>rpm -q -a | grep -i tomcat
>
> Doesn't look like an httpd was installed as a dependency?

I find this very hard to believe given that it got so far as to configure
things in Apache, restart it, etc.

What version of [free]ipa-server is installed? How did you install it
and from what repo?
rob

From dan at cazena.com Fri May 12 18:58:48 2017
From: dan at cazena.com (Dan Dietterich)
Date: Fri, 12 May 2017 18:58:48 +0000
Subject: [Freeipa-users] Timing behavior on access to AD groups
Message-ID: <9295EB6D-8761-4279-B3F6-C67AA618586F@cazena.com>

I have noticed this behavior when setting up an external AD group:

1. create trust
2. create external group
3. add Group@Domain to external group - FAILS: "trusted domain object not found"
4. retry: add Group@Domain to external group - SUCCESS

Two questions:

1. Is this expected behavior?
2. Is there something I can do - short of sleep-retry - to make this reliably succeed?

Thank you!
Dan

From harri at afaics.de Sat May 13 04:52:56 2017
From: harri at afaics.de (Harald Dunkel)
Date: Sat, 13 May 2017 06:52:56 +0200
Subject: [Freeipa-users] ipa-client-install: please look for SELINUX=disabled
Message-ID: <258df6a3-e004-17ab-29dc-946e65f1dcc9@afaics.de>

Hi folks,

RHEL 7.3, sssd 1.14.0: If /etc/selinux/config says "SELINUX=disabled",
then pam seems to fail (without telling why) and users cannot
login. *Extremely* painful.
Do you think ipa-client-install could add

	selinux_provider = none

to the generated sssd.conf file, if selinux is disabled? Another
option might be to check at runtime.

Thanx in advance
Harri

From freeipa at stormcloud9.net Sun May 14 06:17:32 2017
From: freeipa at stormcloud9.net (Patrick Hemmer)
Date: Sun, 14 May 2017 02:17:32 -0400
Subject: [Freeipa-users] Error trying to use trusted AD objects: trusted domain object not found
Message-ID:

I'm working on spinning up a FreeIPA server with an AD trust. I've
followed the official guide
(https://www.freeipa.org/page/Active_Directory_trust_setup), and
everything works up to the point of trying to add external members to
the group. Whenever I try I get:

# ipa group-add-member ad_admins_external --external 'CHEWY\Domain Admins'
[member user]:
[member group]:
  Group name: ad_admins_external
  Description: ad_domain admins external map
  Failed members:
    member user:
    member group: CHEWY\Domain Admins: trusted domain object not found
-------------------------
Number of members added 0
-------------------------

I turned up the debugging to 100, re-established the trust, and tried to
perform the group-add-member again. I have uploaded the logs here:
https://s3.amazonaws.com/phemmer-misc/freeipa-logs.tar.gz
I'm just testing the procedure on a couple local development VMs, so
there's nothing sensitive in there.

Confusingly, according to the httpd log the operation was successful:
[Sun May 14 01:49:24.171867 2017] [:error] [pid 23688] ipa: INFO: [jsonserver_session] admin@LOCAL: group_add_member/1(u'ad_admins_external', ipaexternalmember=(u'CHEWY\\\\Domain Admins',), version=u'2.213'): SUCCESS

I'm not sure where the issue here lies. So any insight would be appreciated.

This is with:
CentOS/7 7.3.1611
FreeIPA 4.4.0
AD is Windows Server 2008 R2

-Patrick
From abokovoy at redhat.com Sun May 14 08:19:23 2017
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Sun, 14 May 2017 11:19:23 +0300
Subject: [Freeipa-users] Error trying to use trusted AD objects: trusted domain object not found
In-Reply-To:
References:
Message-ID: <20170514081923.52vfu4jn4wti6oxw@redhat.com>

On Sun, 14 May 2017, Patrick Hemmer wrote:
>I'm working on spinning up a FreeIPA server with an AD trust. I've
>followed the official guide
>(https://www.freeipa.org/page/Active_Directory_trust_setup), and
>everything works up to the point of trying to add external members to
>the group. Whenever I try I get:
>
># ipa group-add-member ad_admins_external --external 'CHEWY\Domain Admins'
>[member user]:
>[member group]:
>  Group name: ad_admins_external
>  Description: ad_domain admins external map
>  Failed members:
>    member user:
>    member group: CHEWY\Domain Admins: trusted domain object not found
>-------------------------
>Number of members added 0
>-------------------------
>
>I turned up the debugging to 100, re-established the trust, and tried to
>perform the group-add-member again. I have uploaded the logs here:
>https://s3.amazonaws.com/phemmer-misc/freeipa-logs.tar.gz
>I'm just testing the procedure on a couple local development VMs, so
>there's nothing sensitive in there.
>
>Confusingly, according to the httpd log the operation was successful:
>[Sun May 14 01:49:24.171867 2017] [:error] [pid 23688] ipa: INFO: [jsonserver_session] admin@LOCAL: group_add_member/1(u'ad_admins_external', ipaexternalmember=(u'CHEWY\\\\Domain Admins',), version=u'2.213'): SUCCESS
>
>I'm not sure where the issue here lies. So any insight would be appreciated.

The issue is in your choice of IPA domain name: local. This is not going
to work with AD -- as you can see, there are subtle issues.
Even though AD DC accepts a trust to LOCAL forest, it cannot really operate it
internally, thus even looking up forest topology fails at the point when
IPA framework attempts to authenticate. See [1] for list of limitations
in pure Active Directory for single-label domains.

[1] https://support.microsoft.com/en-us/help/300684/deployment-and-operation-of-active-directory-domains-that-are-configured-by-using-single-label-dns-names

We don't recommend using single-label DNS configurations. Even in a lab
environment they are source of various issues.
--
/ Alexander Bokovoy

From freeipa at stormcloud9.net Sun May 14 23:09:11 2017
From: freeipa at stormcloud9.net (Patrick Hemmer)
Date: Sun, 14 May 2017 19:09:11 -0400
Subject: [Freeipa-users] Error trying to use trusted AD objects: trusted domain object not found
In-Reply-To: <20170514081923.52vfu4jn4wti6oxw@redhat.com>
References: <20170514081923.52vfu4jn4wti6oxw@redhat.com>
Message-ID: <46fb8177-454c-d98d-e2b1-c284d0439fb1@stormcloud9.net>

On 2017/5/14 04:19, Alexander Bokovoy wrote:
> On Sun, 14 May 2017, Patrick Hemmer wrote:
>> I'm working on spinning up a FreeIPA server with an AD trust. I've
>> followed the official guide
>> (https://www.freeipa.org/page/Active_Directory_trust_setup), and
>> everything works up to the point of trying to add external members to
>> the group. Whenever I try I get:
>>
>> # ipa group-add-member ad_admins_external --external 'CHEWY\Domain Admins'
>> [member user]:
>> [member group]:
>>   Group name: ad_admins_external
>>   Description: ad_domain admins external map
>>   Failed members:
>>     member user:
>>     member group: CHEWY\Domain Admins: trusted domain object not found
>> -------------------------
>> Number of members added 0
>> -------------------------
>>
>> I turned up the debugging to 100, re-established the trust, and tried to
>> perform the group-add-member again.
>> I have uploaded the logs here:
>> https://s3.amazonaws.com/phemmer-misc/freeipa-logs.tar.gz
>> I'm just testing the procedure on a couple local development VMs, so
>> there's nothing sensitive in there.
>>
>> Confusingly, according to the httpd log the operation was successful:
>> [Sun May 14 01:49:24.171867 2017] [:error] [pid 23688] ipa: INFO: [jsonserver_session] admin@LOCAL: group_add_member/1(u'ad_admins_external', ipaexternalmember=(u'CHEWY\\\\Domain Admins',), version=u'2.213'): SUCCESS
>>
>> I'm not sure where the issue here lies. So any insight would be
>> appreciated.
>
> The issue is in your choice of IPA domain name: local. This is not going
> to work with AD -- as you can see, there are subtle issues. Even though
> AD DC accepts a trust to LOCAL forest, it cannot really operate it
> internally, thus even looking up forest topology fails at the point when
> IPA framework attempts to authenticate. See [1] for list of limitations
> in pure Active Directory for single-label domains.
>
> [1]
> https://support.microsoft.com/en-us/help/300684/deployment-and-operation-of-active-directory-domains-that-are-configured-by-using-single-label-dns-names
>
> We don't recommend using single-label DNS configurations. Even in a lab
> environment they are source of various issues.
>

Thanks, switching to a second level domain did indeed solve the issue.

-Patrick

From freeipa at stormcloud9.net Mon May 15 01:14:51 2017
From: freeipa at stormcloud9.net (Patrick Hemmer)
Date: Sun, 14 May 2017 21:14:51 -0400
Subject: [Freeipa-users] Easier management of trusted AD users from web UI
Message-ID: <32fc82be-3c8c-d9d3-5939-5dcfcdbe399e@stormcloud9.net>

I'm exploring using AD trusts, and am trying to find a good way to get
better management of trusted objects within FreeIPA.

One example, I add an AD user to an external group, and then add that
group to a POSIX group.
When I want to view all the members of the POSIX group, I can only see
the native FreeIPA users. I have to manually go into each nested group,
and view all the external members to determine who is in the top group.
But from the command line a `getent group FOO` shows nested members fine.

Another example, I see an external user in a group, and I want more
information about this user. Their name, department, etc. I can't get
it. I have to go into AD to find out who this user is. It would be nice
if I could see this info from within FreeIPA.

Or if I want to add an external user to a group, I have to know that
user's exact AD logon name. If I only have their real name, or other
information, I can't search for them and then add them to the group.

Is there any way to make these types of management tasks simpler? If
not, is such a thing on the road map?

Or as an alternative, is it possible to use the winsync plugin to pull
users from AD, but whenever such a user tries to authenticate, the
authentication is performed against AD? So that FreeIPA is used for
authorization, but not authentication?

Thanks

-Patrick
From BJB at jndata.dk Mon May 15 05:51:53 2017
From: BJB at jndata.dk (Bjarne Blichfeldt)
Date: Mon, 15 May 2017 05:51:53 +0000
Subject: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
In-Reply-To: <2CA71D6C07ADB544847562573DC6BF062B3D39EA@CPEMS-KPN309.KPNCNL.LOCAL>
References: <2CA71D6C07ADB544847562573DC6BF062B3D3796@CPEMS-KPN309.KPNCNL.LOCAL> <2CA71D6C07ADB544847562573DC6BF062B3D39EA@CPEMS-KPN309.KPNCNL.LOCAL>
Message-ID: <89213DDB84447F44A8E8950A5C2185E04CD67C91@SJN01013.jnmain00.corp.jndata.net>

We have a working setup on three aix servers and by comparing our config with yours, I see the following differences:

LDAP:
/etc/security/ldap/ldap.cfg :
userattrmappath:/etc/security/ldap/FreeIPAuser.map
groupattrmappath:/etc/security/ldap/FreeIPAgroup.map
userclasses:posixaccount

/etc/security/ldap/FreeIPAuser.map:
#FreeIPAuser.map file
# https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_AIX.html
keyobjectclass SEC_CHAR posixaccount s

# The following attributes are required by AIX to be functional
username SEC_CHAR uid s
id SEC_INT uidnumber s
pgrp SEC_CHAR gidnumber s
home SEC_CHAR homedirectory s
shell SEC_CHAR loginshell s
gecos SEC_CHAR gecos s
spassword SEC_CHAR userpassword s
lastupdate SEC_INT shadowlastchange s

/etc/security/ldap/FreeIPAgroup.map:
#FreeIPAgroup.map file
# https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_AIX.html
groupname SEC_CHAR cn s
id SEC_INT gidNumber s
users SEC_LIST member m

To test if the ldap is working:
ls-secldapclntd
lsldap -a passwd
lsuser -R LDAP ALL

KERBEROS:
/etc/methods.cfg:
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes

Add Kerberos to authorized authentication entities and verify:
chauthent -k5 -std
#Verify
lsauthent
Kerberos 5
Standard Aix

To test:
lsuser -R KRB5LDAP

Configure aix to create homedir during login:
/etc/security/login.cfg:
mkhomeatlogin = true

usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/sliplogin,/usr/sbin/uucp/uucico,/usr/sbin/snappd
        maxlogins = 32767
        logintimeout = 30
        maxroles = 8
        auth_type = STD_AUTH
        mkhomeatlogin = true

Also remember: user can be locked in AIX so use smitty to unlock user and reset login attempts.

As far as I found out, it is not possible to integrate sudo rules from IPA into AIX. sudo on aix does not support that. You will have to maintain /etc/sudoers by some other means.

Hope that helps, good luck.

Regards
Bjarne Blichfeldt.

From: wouter.hummelink at kpn.com [mailto:wouter.hummelink at kpn.com]
Sent: 12 May 2017 16:03
To: iulian.roman at gmail.com
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

Yes, kinit works with IPA users.
GSSAPI authentication is not keeping it simple, since we want passwords to work before trying TGS based logins over GSSAPI.
The keytab works since lsuser is still able to get user data. (Documentation specifies that enabling krb5 in ldap.cfg makes the bind user and password moot, secldapclntd uses krb5 to identify itself to IPA)
Also we are able to
kinit host/aixlpar.example.org@EXAMPLE.ORG -kt /etc/krb5/krb5.keytab

We can try using su from an unprivileged user, but su has some different issues altogether, it doesn't like @ in usernames which we need at the next stage (integrating AD Trust)

From: Iulian Roman [mailto:iulian.roman at gmail.com]
Sent: Friday, 12 May 2017 15:56
To: Hummelink, Wouter
Cc: luiz.vianna at tivit.com.br; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

On Fri, May 12, 2017 at 3:31 PM, wrote:

The shell is shown correctly as ksh in lsuser, so that doesn't appear to be an issue for the ID view.
My advice would be to start simple, prove that your authentication works and you can develop a more elaborated setup afterwards. If you combine them all together it will be a trial and error which eventually will work at some point.

Do you have the correct keytabs in /etc/krb5/krb5.keytab? Can you run kinit (with password and with the keytab) from AIX and get a ticket from Kerberos? Can you su to an IPA account? Do you have GSSAPIAuthentication enabled in sshd_config?
From what you've described I would suspect that your keytab is not correct, but that should be confirmed only by answering the questions above.

Sent from my Samsung device

-------- Original message --------
From: Luiz Fernando Vianna da Silva
Date: 12-05-17 15:03 (GMT+01:00)
To: "Hummelink, Wouter", freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

Hello Wouter.

It may seem silly, but try installing bash on one AIX server and test authenticating against that one.

It's a single rpm with no dependencies. For me it did the trick and I ended up doing that on all my AIX servers.

Let me know how it goes or if you have any issues.
Best Regards
__________________________________________
Luiz Fernando Vianna da Silva

On 12-05-2017 09:47, wouter.hummelink at kpn.com wrote:
Hi All,

We're running a POC to integrate IPA and AIX using AIX KRB5LDAP compound module.
All the moving parts seem to be working on their own, however logging in doesn't work with SSH on AIX reporting Failed password for user

We're using ID views to overwrite the user shell and home dirs. (Since AIX will refuse a login with a nonexisting shell (like bash))
AIX's lsuser command is able to find all of the users it's supposed to and su to IPA users works.
Also when a user tries to log in I can see a successful Kerberos conversation to our IPA server.

Tips for troubleshooting would be much appreciated, increasing SSH log level did not produce any meaningful logging.
=============== Configuration Excerpt ================================================================
/etc/security/ldap/ldap.cfg:
ldapservers:ipaserver.example.org
binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
bindpwd:{DESv2}
authtype:ldap_auth
useSSL:TLS
ldapsslkeyf:/etc/security/ldap/example.kdb
ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8 932F219867AA7C2C552A12BEEC0CC67
useKRB5:yes
krbprincipal:host/aixlpar.example.org
krbkeypath:/etc/krb5/krb5.keytab
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
automountbasedn:cn=default,cn=automount,dc=example,dc=org
etherbasedn:cn=computers,cn=accounts,dc=example,dc=org
userclasses:posixaccount,account,shadowaccount
groupclasses:posixgroup
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP

/etc/security/user
default:
        SYSTEM = KRB5LDAP or compat

/etc/methods.cfg
LDAP:
        program = /usr/lib/security/LDAP
        program_64 =/usr/lib/security/LDAP64

NIS:
        program = /usr/lib/security/NIS
        program_64 = /usr/lib/security/NIS_64

DCE:
        program = /usr/lib/security/DCE

KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no

KRB5LDAP:
        options = auth=KRB5,db=LDAP

Kind regards,
Wouter Hummelink
Technical Consultant - Enterprise Webhosting / Tooling & Automation
T: +31-6-12882447
E: wouter.hummelink at kpn.com
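
The comparison described in the reply above, as an added example that is not part of the original thread: a Python parser for the AIX stanza and ldap.cfg formats that diffs the settings quoted in the two messages. The function names are hypothetical, the inputs are excerpts copied from the messages, and the comment markers ('*' in stanza files, '#' in ldap.cfg) are assumptions.

```python
"""Diff the AIX client settings quoted in this thread (added example)."""

# Constructed input: excerpts copied from the two messages in the thread.
WORKING_METHODS = """\
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes
"""
FAILING_METHODS = """\
LDAP:
        program = /usr/lib/security/LDAP
        program_64 =/usr/lib/security/LDAP64

KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no

KRB5LDAP:
        options = auth=KRB5,db=LDAP
"""
WORKING_LDAP = """\
userattrmappath:/etc/security/ldap/FreeIPAuser.map
groupattrmappath:/etc/security/ldap/FreeIPAgroup.map
userclasses:posixaccount
"""
FAILING_LDAP = """\
useKRB5:yes
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userclasses:posixaccount,account,shadowaccount
"""


def parse_stanzas(text):
    """Parse AIX stanza-file text into {stanza: {attribute: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):   # assumed: '*' starts a comment
            continue
        if line.endswith(":") and "=" not in line:
            current = stanzas.setdefault(line[:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
        else:
            raise ValueError(f"neither stanza header nor attribute: {raw!r}")
    return stanzas


def parse_options(value):
    """Split 'a,b=c' into {'a': True, 'b': 'c'}; bare flags map to True."""
    options = {}
    for item in filter(None, (part.strip() for part in value.split(","))):
        name, sep, setting = item.partition("=")
        options[name] = setting if sep else True
    return options


def parse_ldap_cfg(text):
    """Parse ldap.cfg 'key:value' lines into a dict."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # assumed: '#' starts a comment
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a key:value line: {raw!r}")
        settings[key.strip()] = value.strip()
    return settings


def diff_maps(left, right, keys=None):
    """Return {key: (left, right)} where the values differ; None = absent."""
    keys = sorted(set(left) | set(right)) if keys is None else keys
    return {k: (left.get(k), right.get(k)) for k in keys
            if left.get(k) != right.get(k)}


def diff_krb5_options(left_cfg, right_cfg, stanza="KRB5"):
    """Diff the 'options' attribute of one load-module stanza."""
    def load(cfg):
        return parse_options(parse_stanzas(cfg)[stanza].get("options", ""))
    return diff_maps(load(left_cfg), load(right_cfg))


def diff_ldap_cfg(left_cfg, right_cfg):
    """Diff ldap.cfg settings, limited to the keys the left excerpt lists."""
    left, right = parse_ldap_cfg(left_cfg), parse_ldap_cfg(right_cfg)
    return diff_maps(left, right, keys=list(left))


if __name__ == "__main__":
    for title, diff in (
        ("methods.cfg KRB5 options",
         diff_krb5_options(WORKING_METHODS, FAILING_METHODS)),
        ("ldap.cfg", diff_ldap_cfg(WORKING_LDAP, FAILING_LDAP)),
    ):
        print(title)
        for key, (working, failing) in diff.items():
            print(f"  {key}: working={working} failing={failing}")
```
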
From abokovoy at redhat.com Mon May 15 06:04:01 2017
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Mon, 15 May 2017 09:04:01 +0300
Subject: [Freeipa-users] Easier management of trusted AD users from web UI
In-Reply-To: <32fc82be-3c8c-d9d3-5939-5dcfcdbe399e@stormcloud9.net>
References: <32fc82be-3c8c-d9d3-5939-5dcfcdbe399e@stormcloud9.net>
Message-ID: <20170515060401.7f2jj2yigahow5jc@redhat.com>

On Sun, 14 May 2017, Patrick Hemmer wrote:
>I'm exploring using AD trusts, and am trying to find a good way to get
>better management of trusted objects within FreeIPA.
>
>One example, I add an AD user to an external group, and then add that
>group to a POSIX group. When I want to view all the members of the POSIX
>group, I can only see the native FreeIPA users. I have to manually go
>into each nested group, and view all the external members to determine
>who is in the top group. But from the command line a `getent group FOO`
>shows nested members fine.
This is due to how AD users are represented in IPA. They aren't real LDAP
objects so membership plugin is not creating backlinks between groups
and their members. Resolution of external members happens at the place
which evaluates them, e.g. SSSD or an HBAC test tool.

>Another example, I see an external user in a group, and I want more
>information about this user. Their name, department, etc. I can't get
>it. I have to go into AD to find out who this user is. It would be nice
>if I could see this info from within FreeIPA.
Yes, you need to go to the place where this user is defined, e.g. Active
Directory. We do not maintain information about AD users that belongs to
AD. You can only manage overrides for them and even that is optional if
you are using POSIX attributes in AD LDAP.

>Or if I want to add an external user to a group, I have to know that
>user's exact AD logon name. If I only have their real name, or other
>information, I can't search for them and then add them to the group.
Sorry, that's not possible.
We are able to address users only by their samAccountName, their UPN, or
directly by their SID. The rest is not possible to retrieve in the general
case when there is more than one domain in an AD forest arranged in a
complex topology. Their other properties aren't guaranteed to be defined
or unique.

>Is there any way to make these types of management tasks simpler? If
>not, is such a thing on the road map?
No for both, so far.

>Or as an alternative, is it possible to use the winsync plugin to pull
>users from AD, but whenever such a user tries to authenticate, the
>authentication is performed against AD? So that FreeIPA is used for
>authorization, but not authentication?
No, this is not possible.

--
/ Alexander Bokovoy

From tjaalton at ubuntu.com Mon May 15 07:47:36 2017
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Mon, 15 May 2017 10:47:36 +0300
Subject: [Freeipa-users] Authenticate on GNOME display manager with freeipa
In-Reply-To:
References: <2a46b93e-5068-3bc4-9209-f1245faa71a9@gmail.com>
 <20170510194216.GC17159@p.Speedport_W_724V_Typ_A_05011603_00_011>
 <4e4cd5a1-7446-12d1-cbe7-33ee689fda94@gmail.com>
 <20170511115428.GF17159@p.Speedport_W_724V_Typ_A_05011603_00_011>
 <20170512062911.GE32195@p.Speedport_W_724V_Typ_A_05011603_00_011>
Message-ID:

On 12.05.2017 12:25, tuxderlinuxfuchs77 at gmail.com wrote:
> Thanks!
>
> I followed this manual:
> https://help.ubuntu.com/lts/serverguide/sssd-ad.html#sssd-ad-mkhomedir
>
> added the line
>
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
>
> to the file /etc/pam.d/common-session (find attached)

Don't add it manually, it'll get removed next time pam-auth-update is
run. Instead run pam-auth-update yourself and enable "create home
directory on login".
--
t

From md at collective-sense.com Mon May 15 09:40:47 2017
From: md at collective-sense.com (Maciej Drobniuch)
Date: Mon, 15 May 2017 11:40:47 +0200
Subject: [Freeipa-users] Replica cannot be reinitialized after upgrade
In-Reply-To:
References:
Message-ID:

Hi Goran

Exact same issue here with the same troubleshooting steps taken (I've tried to reinitialize the replicas with success msg) - no luck so far.

I've additionally run the ipa_check_consistency script:

FreeIPA servers:    ipa1       ipa2      ipa3      STATE
===================================================================
Active Users        37         37        37        OK
Stage Users         0          0         0         OK
Preserved Users     0          0         0         OK
User Groups         10         10        10        OK
Hosts               69         69        69        OK
Host Groups         7          7         7         OK
HBAC Rules          11         11        11        OK
SUDO Rules          1          1         1         OK
DNS Zones           8          8         8         OK
LDAP Conflicts      YES        YES       YES       FAIL
Ghost Replicas      NO         NO        NO        OK
Anonymous BIND      YES        YES       YES       OK
Replication Status  ipa2 18    ipa1 0    ipa1 0
                    ipa3 0
===================================================================

Besides this, the ipa master named-pkcs is sometimes crashing and ipa fails to start. I've rolled a backup from 1 week ago and it's starting but I don't know how long it will last.

IPA team please help.

# ipa --version
VERSION: 4.4.0, API_VERSION: 2.213

--
Best regards

Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC

On Thu, May 11, 2017 at 6:53 PM, Goran Marik wrote:

> Hi,
>
> After an upgrade to Centos 7.3.1611 with "yum update", we started seeing
> the following messages in the logs:
> ???
> May 9 21:58:28 inf01 ns-slapd[4323]: [09/May/2017:21:58:28.519724479
> +0000] NSMMReplicationPlugin - changelog program - agmt="cn=cloneAgreement1-
> inf02.dev.ecobee.com-pki-tomcat" (inf02:389): CSN 576b34e8000a050f0000
> not found, we aren't as up to date, or we purged
> May 9 21:58:28 inf01 ns-slapd[4323]: [09/May/2017:21:58:28.550459233
> +0000] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-
> inf02.dev.ecobee.com-pki-tomcat" (inf02:389): Data required to update
> replica has been purged from the changelog. The replica must be
> reinitialized.
> May 9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.588245476
> +0000] agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat"
> (inf02:389) - Can't locate CSN 576b34e8000a050f0000 in the changelog (DB
> rc=-30988). If replication stops, the consumer may need to be reinitialized.
> May 9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.611400689
> +0000] NSMMReplicationPlugin - changelog program - agmt="cn=cloneAgreement1-
> inf02.dev.ecobee.com-pki-tomcat" (inf02:389): CSN 576b34e8000a050f0000
> not found, we aren't as up to date, or we purged
> May 9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.642226385
> +0000] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-
> inf02.dev.ecobee.com-pki-tomcat" (inf02:389): Data required to update
> replica has been purged from the changelog. The replica must be
> reinitialized.
> ???
>
> The log messages are pretty frequently, every few seconds, and report few
> different CSN numbers that cannot be located.
>
> This happens only on one replica out of 4. We've tried "ipa-replica-manage
> re-initialize --from" and "ipa-csreplica-manage re-initialize --from" several
> times, but while both commands report success, the log messages continue to
> happen. The server was rebooted and "systemctl restart ipa" was done few
> times as well.
>
> The replica seems to be working fine despite the errors, but I'm worried
> that the logs indicate underlying problem we are not fully detecting. I
> would like to understand better what is triggering this behaviour and how
> to fix it, and if someone else saw them after a recent upgrades.
>
> The software versions are 389-ds-base-1.3.5.10-20.el7_3.x86_64 and
> ipa-server-4.4.0-14.el7.centos.7.x86_64
>
> Thanks,
> Goran
>
> --
> Goran Marik
> Senior Systems Developer
>
> ecobee
> 250 University Ave, Suite 400
> Toronto, ON M5H 3E5

From lkrispen at redhat.com Mon May 15 10:35:01 2017
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Mon, 15 May 2017 12:35:01 +0200
Subject: [Freeipa-users] Replica cannot be reinitialized after upgrade
In-Reply-To:
References:
Message-ID: <59198455.2020009@redhat.com>

The messages you see could be transient messages, and if replication is working then this seems to be the case. If not we would need more data to investigate: deployment info, replicaIDs of all servers, ruvs, logs, ...

Here is some background info: there are some scenarios where a csn could not be found in the changelog, e.g. if updates were applied on the supplier during a total init, they could be part of the data and database ruv, but not in the changelog of the initialized replica.
ds did try to use an alternative csn in cases where it could not be found, but this had the risk of missing updates, so we decided to change it and make this missing csn a non fatal error, backoff and retry, if another supplier would have updated the replica in between, the starting csn could have changed and be found.
so if the reported missing csns change and replication continues everything is ok, although I think the messages should stop at some point.

There is a configuration parameter for a replication agreement to trigger the previous behaviour of picking an alternative csn:
nsds5ReplicaIgnoreMissingChange
with potential values "once", "always".

where "once" just tries to kickstart replication by using another csn and "always" changes the default behaviour

On 05/11/2017 06:53 PM, Goran Marik wrote:
> Hi,
>
> After an upgrade to Centos 7.3.1611 with "yum update", we started seeing the following messages in the logs:
> ???
> May 9 21:58:28 inf01 ns-slapd[4323]: [09/May/2017:21:58:28.519724479 +0000] NSMMReplicationPlugin - changelog program - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): CSN 576b34e8000a050f0000 not found, we aren't as up to date, or we purged
> May 9 21:58:28 inf01 ns-slapd[4323]: [09/May/2017:21:58:28.550459233 +0000] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized.
> May 9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.588245476 +0000] agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389) - Can't locate CSN 576b34e8000a050f0000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
> May 9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.611400689 +0000] NSMMReplicationPlugin - changelog program - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): CSN 576b34e8000a050f0000 not found, we aren't as up to date, or we purged
> May 9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.642226385 +0000] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized.
> ???
>
> The log messages are pretty frequently, every few seconds, and report few different CSN numbers that cannot be located.
>
> This happens only on one replica out of 4. We've tried "ipa-replica-manage re-initialize --from" and "ipa-csreplica-manage re-initialize --from" several times, but while both commands report success, the log messages continue to happen. The server was rebooted and "systemctl restart ipa" was done few times as well.
>
> The replica seems to be working fine despite the errors, but I'm worried that the logs indicate underlying problem we are not fully detecting. I would like to understand better what is triggering this behaviour and how to fix it, and if someone else saw them after a recent upgrades.
>
> The software versions are 389-ds-base-1.3.5.10-20.el7_3.x86_64 and ipa-server-4.4.0-14.el7.centos.7.x86_64
>
> Thanks,
> Goran
>
> --
> Goran Marik
> Senior Systems Developer
>
> ecobee
> 250 University Ave, Suite 400
> Toronto, ON M5H 3E5
>

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

From nik-weter at yandex.ru Mon May 15 10:34:55 2017
From: nik-weter at yandex.ru (Николай Савельев)
Date: Mon, 15 May 2017 17:34:55 +0700
Subject: [Freeipa-users] Freeipa and squid's helper
Message-ID: <6816561494844495@web24m.yandex.ru>

Hi.
I used 3 servers with freeipa. Replica worked fine. Authentication also.
But today I configured squid and looked errors.
I used
ext_kerberos_ldap_group_acl -g domainusers@ -D SOME.LAN -S dc1
user_in_domainusers
ERR

Next
ext_kerberos_ldap_group_acl -g domainusers@ -D SOME.LAN -S dc2
Ok

First server always gives ERR. Other servers always give right value.
Why?
First server was created with migration from open-ldap.
Other servers - replicas from first.
--
? ?????????, ???????.

From lslebodn at redhat.com Mon May 15 11:32:15 2017
From: lslebodn at redhat.com (Lukas Slebodnik)
Date: Mon, 15 May 2017 13:32:15 +0200
Subject: [Freeipa-users] ipa-client-install: please look for SELINUX=disabled
In-Reply-To: <258df6a3-e004-17ab-29dc-946e65f1dcc9@afaics.de>
References: <258df6a3-e004-17ab-29dc-946e65f1dcc9@afaics.de>
Message-ID: <20170515113214.GB25319@10.4.128.1>

On (13/05/17 06:52), Harald Dunkel wrote:
>Hi folks,
>
>RHEL 7.3, sssd 1.14.0:
>
>If /etc/selinux/config says "SELINUX=disabled", then pam seems to fail
>(without telling why) and users cannot login. *Extremely* painful.
>
>Do you think ipa-client-install could add
>
>	selinux_provider = none
>
This is just a temporary workaround and not a solution.
And it is already fixed in upstream
https://pagure.io/SSSD/sssd/issue/3297

LS

From harald.dunkel at aixigo.de Mon May 15 11:53:15 2017
From: harald.dunkel at aixigo.de (Harald Dunkel)
Date: Mon, 15 May 2017 13:53:15 +0200
Subject: [Freeipa-users] is ipa-cert-manage safe to use?
Message-ID: <7821a4b0-5448-9d64-1bc6-1cf39fbceaa8@aixigo.de>

Hi folks,

I have to renew (or replace) the externally signed certificate
on my ipa servers using a new ca. Apparently the tool of choice
is ipa-cacert-manage.

Of course I found https://www.freeipa.org/page/Howto/CA_Certificate_Renewal.
Problem is, I cannot estimate the risk and if its worth the effort.
What happens to freeipa if ipa-cacert-manage fails miserably? Does it
affect the LDAP database or Kerberos? Will it break the connection
between my ipa servers or between servers and clients?

Would you suggest to forget all the "CA stuff" in freeipa and manage
the certificates externally?

The platform of the ipa servers is Centos 7.3. There are 100+
Debian and RedHat clients using freeipa 4.4.3 and 4.0.5 and 3.0.2.

I am highly concerned. Every helpful comment is appreciated.
Harri

From uncommonkat at gmail.com Mon May 15 12:26:01 2017
From: uncommonkat at gmail.com (Kat)
Date: Mon, 15 May 2017 07:26:01 -0500
Subject: [Freeipa-users] Any passwd vault examples?
Message-ID: <0c85c5ac-f974-207d-e91f-3ad5968389c4@gmail.com>

Hi all --

Just wondering if there are any good examples of using the vault
features to secure store, use passwords? I have devs that like to
store them in git and well, I will discipline them appropriately, but
I wanted to see about using the vault. Is it as simple as it appears to
be? Just wondering if I am missing something?

Mostly it would be for application management/startup, etc.

Thanks

K

From ronaldw at ronzo.at Mon May 15 13:54:22 2017
From: ronaldw at ronzo.at (Ronald Wimmer)
Date: Mon, 15 May 2017 15:54:22 +0200
Subject: [Freeipa-users] SSSD Cache and Service Tickets
Message-ID: <475e7f72-a3f9-be26-d6cb-9f2c5b106238@ronzo.at>

Hi,

I am confronted with a behaviour for which I do not have an explanation for. I am using NFS4 Kerberos automounted homeshares and recently I got a permission denied (reproducible when I restart autofs on the server I want to connect to) from the Windows Domain. So here's what I tried:

1) Connected via PuTTY from a Windows Machine in the windows domain
Kerberos-based login works but I get a "Permission Denied" on my home directory; klist shows no tickets

2) I try to connect from a Linux machine belonging to the IPA domain
Kerberos-based login works, I can also access my home directory; klist shows nfs/ipanfs.ipadomain.at@IPADOMAIN.AT and the krbtgt for the windows domain

3) Now - of course - using the homeshares works from both domains windows and ipa

4) When I do a kdestroy on the machine, using the homeshare when logged in from windows still works - My question is WHY? Does SSSD cache the NFS ticket? (and why don't I get an nfs ticket when coming from the windows domain?)

Regards
Ronald

From rcritten at redhat.com Mon May 15 14:44:41 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 15 May 2017 10:44:41 -0400
Subject: [Freeipa-users] is ipa-cert-manage safe to use?
In-Reply-To: <7821a4b0-5448-9d64-1bc6-1cf39fbceaa8@aixigo.de>
References: <7821a4b0-5448-9d64-1bc6-1cf39fbceaa8@aixigo.de>
Message-ID: <7dbdf275-595c-d49e-0c01-2e750e27cb94@redhat.com>

Harald Dunkel wrote:
> Hi folks,
>
> I have to renew (or replace) the externally signed certificate
> on my ipa servers using a new ca. Apparently the tool of choice
> is ipa-cacert-manage.
>
> Of course I found https://www.freeipa.org/page/Howto/CA_Certificate_Renewal.
> Problem is, I cannot estimate the risk and if it's worth the effort.
> What happens to freeipa if ipa-cacert-manage fails miserably? Does it
> affect the LDAP database or Kerberos? Will it break the connection
> between my ipa servers or between servers and clients?
>
> Would you suggest to forget all the "CA stuff" in freeipa and manage
> the certificates externally?
>
> The platform of the ipa servers is Centos 7.3. There are 100+
> Debian and RedHat clients using freeipa 4.4.3 and 4.0.5 and 3.0.2.
>
> I am highly concerned. Every helpful comment is appreciated.

I'm confused. You mention replacing some "externally signed certificate"
and yet then ask about switching to externally signed certificates.

What is the current configuration? What is signing the existing server
certs? Or do you have an external CA signing the IPA CA?

ipa-cacert-manage is for managing the CA certificate, not service
certificates.

rob

From tkrizek at redhat.com Mon May 15 15:35:19 2017
From: tkrizek at redhat.com (Tomas Krizek)
Date: Mon, 15 May 2017 17:35:19 +0200
Subject: [Freeipa-users] Any passwd vault examples?
In-Reply-To: <0c85c5ac-f974-207d-e91f-3ad5968389c4@gmail.com>
References: <0c85c5ac-f974-207d-e91f-3ad5968389c4@gmail.com>
Message-ID: <42d64c05-6e8f-b801-4845-e953ac4fddf4@redhat.com>

On 05/15/2017 02:26 PM, Kat wrote:
> Hi all --
>
> Just wondering if there are any good examples of using the vault
> features to secure store, use passwords? I have devs that like to
> store them in git and well, I will discipline them appropriately, but
> I wanted to see about using the vault. Is it as simple as it appears to
> be? Just wondering if I am missing something?
>
> Mostly it would be for application management/startup, etc.
>
> Thanks
>
> K
>
Hello,

you should be able to find the information you're looking for in our Password Vault documentation on the FreeIPA wiki [1]. I think you'd probably be most interested in the Vault Management chapters in the Implementation documents.

[1] - https://www.freeipa.org/page/V4/Password_Vault

--
Tomas Krizek

PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869

From michael.plemmons at crosschx.com Mon May 15 18:33:04 2017
From: michael.plemmons at crosschx.com (Michael Plemmons)
Date: Mon, 15 May 2017 14:33:04 -0400
Subject: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:
In-Reply-To:
References: <390a61fb-081b-fa93-da4c-3197b9f269be@redhat.com>
 <4f49e3b8-ac05-c49b-cfef-c9109d026d72@redhat.com>
Message-ID:

I have done more searching in my logs and I see the following errors.

This is in the localhost log file /var/lib/pki/pki-tomcat/logs

May 15, 2017 3:08:08 PM org.apache.catalina.core.ApplicationContext log
SEVERE: StandardWrapper.Throwable
java.lang.NullPointerException

May 15, 2017 3:08:08 PM org.apache.catalina.core.StandardContext loadOnStartup
SEVERE: Servlet [castart] in web application [/ca] threw load() exception
java.lang.NullPointerException

May 15, 2017 3:08:09 PM org.apache.catalina.core.StandardHostValve invoke
SEVERE: Exception Processing /ca/admin/ca/getStatus
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable

Looking at the debug log it says Authentication failed for port 636.

[15/May/2017:17:39:25][localhost-startStop-1]: LdapAuthInfo: init()
[15/May/2017:17:39:25][localhost-startStop-1]: LdapAuthInfo: init begins
[15/May/2017:17:39:25][localhost-startStop-1]: LdapAuthInfo: init ends
[15/May/2017:17:39:25][localhost-startStop-1]: init: before makeConnection errorIfDown is true
[15/May/2017:17:39:25][localhost-startStop-1]: makeConnection: errorIfDown true
[15/May/2017:17:39:25][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
[15/May/2017:17:39:25][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
[15/May/2017:17:39:25][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
[15/May/2017:17:39:25][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
[15/May/2017:17:39:25][localhost-startStop-1]: SSL handshake happened
Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
  at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)

I looked at the validity of the cert it mentions and it is fine.

(root)>getcert status -v -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
State MONITORING, stuck: no.

I then looked at the ldap errors around the time of this failure and I am seeing this log entry.

[15/May/2017:17:38:42.063080758 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa12.mgmt.crosschx.com@MGMT.CROSSCHX.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)

When I perform a klist against that keytab nothing appears out of the ordinary compared to working IPA servers.

I am not sure what to look at next.

*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614.427.2411
mike.plemmons at crosschx.com
www.crosschx.com

On Wed, May 10, 2017 at 3:35 PM, Michael Plemmons <michael.plemmons at crosschx.com> wrote:

> The PKI service came up successfully but only when it uses BasicAuth
> rather than SSL auth. I am not sure about what I need to do in order to
> get the auth working over SSL again.
>
> None of the certs are expired when I run getcert list and ipa-getcert list.
>
> Since the failure is with attempts to login to LDAP over 636. I have been
> attempting to auth to LDAP via port 636 and the ldapsearch is not
> completing. When looking at packet captures, I see some the TCP handshake
> and what appears to be the start of a SSL process and then everything hangs.
>
> What is the proper method to test performing a ldapsearch over 636? Also,
> the CS.cfg shows it wants to auth as cn=Directory Manager. I can
> successfully auth with cn=Directory Manager over 389 but I think I am not
> performing ldapsearch over 636 correctly.
>
> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
> 614.427.2411
> mike.plemmons at crosschx.com
> www.crosschx.com
>
> On Fri, May 5, 2017 at 3:33 PM, Michael Plemmons <
> michael.plemmons at crosschx.com> wrote:
>
>> I think I found the email thread. Asking for help with crashed freeIPA
>> instance. That email pointed to this link,
>> https://www.redhat.com/archives/freeipa-users/2017-January/msg00215.html.
That link talked >> about changing the CS.cfg file to use port 389 for PKI to auth to LDAP. I >> made the necessary changes and PKI came up successfully. >> >> >> >> >> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX* >> 614.427.2411 >> mike.plemmons at crosschx.com >> www.crosschx.com >> >> On Fri, May 5, 2017 at 3:19 PM, Michael Plemmons < >> michael.plemmons at crosschx.com> wrote: >> >>> >>> >>> >>> >>> >>> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX* >>> 614.427.2411 >>> mike.plemmons at crosschx.com >>> www.crosschx.com >>> >>> On Fri, May 5, 2017 at 3:15 PM, Rob Crittenden >>> wrote: >>> >>>> Michael Plemmons wrote: >>>> > I just realized that I sent the reply directly to Rob and not to the >>>> > list. My response is inline >>>> >>>> Ok, this is actually good news. >>>> >>>> I made a similar proposal in another case and I was completely wrong. >>>> Flo had the user do something and it totally fixed their auth error, I >>>> just can't remember what it was or find the e-mail thread. I'm pretty >>>> sure it was this calendar year though. >>>> >>>> rob >>>> >>>> >>> Do you or Flo know what I could search for in the past emails to find >>> the answer to the problem? >>> >>> >>> >>>> > >>>> > >>>> > >>>> > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX >>>> > * >>>> > 614.427.2411 >>>> > mike.plemmons at crosschx.com >>>> > www.crosschx.com >>>> > >>>> > On Thu, May 4, 2017 at 9:39 AM, Michael Plemmons >>>> > >>> >> >>>> > wrote: >>>> > >>>> > >>>> > >>>> > >>>> > >>>> > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX >>>> > * >>>> > 614.427.2411 >>>> > mike.plemmons at crosschx.com >>>> > www.crosschx.com >>>> > >>>> > On Thu, May 4, 2017 at 9:24 AM, Rob Crittenden < >>>> rcritten at redhat.com >>>> > > wrote: >>>> > >>>> > Michael Plemmons wrote: >>>> > > I realized that I was not very clear in my statement about >>>> > testing with >>>> > > ldapsearch. I had initially run it without logging in with >>>> a >>>> > DN. 
I was >>>> > > just running the local ldapsearch -x command. I then >>>> tested on >>>> > > ipa12.mgmt and ipa11.mgmt logging in with a full DN for the >>>> > admin and >>>> > > "cn=Directory Manager" from ipa12.mgmt (broken server) and >>>> > ipa11.mgmt >>>> > > and both ldapsearch command succeeded. >>>> > > >>>> > > I ran the following from ipa12.mgmt and ipa11.mgmt as a non >>>> > root user. >>>> > > I also ran the command showing a line count for the output >>>> and >>>> > the line >>>> > > counts for each were the same when run from ipa12.mgmt and >>>> > ipa11.mgmt. >>>> > > >>>> > > ldapsearch -LLL -h ipa12.mgmt.crosschx.com >>>> > >>>> > > >>> > > -D "DN" -w PASSWORD -b >>>> > > "cn=users,cn=accounts,dc=mgmt,dc=crosschx,dc=com" dn >>>> > > >>>> > > ldapsearch -LLL -h ipa12.mgmt.crosschx.com >>>> > >>>> > > >>> > > -D "cn=directory manager" >>>> -w >>>> > PASSWORD dn >>>> > >>>> > The CA has its own suffix and replication agreements. Given >>>> the auth >>>> > error and recent (5 months) renewal of CA credentials I'd >>>> check >>>> > that the >>>> > CA agent authentication entries are correct. >>>> > >>>> > Against each master with a CA run: >>>> > >>>> > $ ldapsearch -LLL -x -D 'cn=directory manager' -W -b >>>> > uid=ipara,ou=people,o=ipaca description >>>> > >>>> > The format is 2;serial#,subject,issuer >>>> > >>>> > Then on each run: >>>> > >>>> > # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial >>>> > >>>> > The serial # should match that in the description everywhere. >>>> > >>>> > rob >>>> > >>>> > >>>> > >>>> > On the CA (IPA13.MGMT) I ran the ldapsearch command and see that >>>> the >>>> > serial number is 7. I then ran the certutil command on all three >>>> > servers and the serial number is 7 as well. >>>> > >>>> > >>>> > I also ran the ldapsearch command against the other two servers >>>> and >>>> > they also showed a serial number of 7. 
>>>> > >>>> > >>>> > >>>> > >>>> > > >>>> > > >>>> > > >>>> > > >>>> > > >>>> > > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX >>>> > > * >>>> > > 614.427.2411 >>>> > > mike.plemmons at crosschx.com >>> .com> >>>> > >>> > > >>>> > > www.crosschx.com >>>> > >>>> > > >>>> > > On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons >>>> > > >>> > >>>> > >>> > >> >>>> > > wrote: >>>> > > >>>> > > I have a three node IPA cluster. >>>> > > >>>> > > ipa11.mgmt - was a master over 6 months ago >>>> > > ipa13.mgmt - current master >>>> > > ipa12.mgmt >>>> > > >>>> > > ipa13 has agreements with ipa11 and ipa12. ipa11 and >>>> > ipa12 do not >>>> > > have agreements between each other. >>>> > > >>>> > > It appears that either ipa12.mgmt lost some level of its >>>> > replication >>>> > > agreement with ipa13. I saw some level because users / >>>> > hosts were >>>> > > replicated between all systems but we started seeing DNS >>>> > was not >>>> > > resolving properly from ipa12. I do not know when this >>>> > started. >>>> > > >>>> > > When looking at replication agreements on ipa12 I did >>>> not >>>> > see any >>>> > > agreement with ipa13. >>>> > > >>>> > > When I run ipa-replica-manage list all three hosts show >>>> > has master. >>>> > > >>>> > > When I run ipa-replica-manage ipa11.mgmt I see >>>> ipa13.mgmt >>>> > is a replica. >>>> > > >>>> > > When I run ipa-replica-manage ipa12.mgmt nothing >>>> returned. 
>>>> > >
>>>> > > I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt
>>>> > > ipa12.mgmt.crosschx.com ipa13.mgmt.crosschx.com on ipa12.mgmt
>>>> > >
>>>> > > I then ran the following
>>>> > >
>>>> > > ipa-replica-manage force-sync --from ipa13.mgmt.crosschx.com
>>>> > >
>>>> > > ipa-replica-manage re-initialize --from ipa13.mgmt.crosschx.com
>>>> > >
>>>> > > I was still seeing bad DNS returns when dig'ing against ipa12.mgmt.
>>>> > > I was able to create user and DNS records and see the information
>>>> > > replicated properly across all three nodes.
>>>> > >
>>>> > > I then ran ipactl stop on ipa12.mgmt and then ipactl start on
>>>> > > ipa12.mgmt because I wanted to make sure everything was running
>>>> > > fresh after the changes above. While IPA was starting up (DNS
>>>> > > started) we were able to see valid DNS queries returned but
>>>> > > pki-tomcat would not start.
>>>> > >
>>>> > > I am not sure what I need to do in order to get this working. I
>>>> > > have included the output of certutil and getcert below from all
>>>> > > three servers as well as the debug output for pki.
>>>> > >
>>>> > > While the IPA system is coming up I am able to successfully run
>>>> > > ldapsearch -x as the root user and see results. I am also able to
>>>> > > login with the "cn=Directory Manager" account and see results.
>>>> > >
>>>> > > The debug log shows the following error.
>>>> > >
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=debug
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized debug
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=log
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=log
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=log
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized log
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=jss
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=jss
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized jss
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=dbs
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory: init
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init()
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init begins
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init ends
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: init: before makeConnection errorIfDown is true
>>>> > > [03/May/2017:21:22:01][localhost-startStop-1]: makeConnection: errorIfDown true
>>>> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
>>>> > > [03/May/2017:21:22:02][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
>>>> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
>>>> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
>>>> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSL handshake happened
>>>> > > Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error
>>>> > > netscape.ldap.LDAPException: Authentication failed (48)
>>>> > > at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
>>>> > > at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
>>>> > > at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
>>>> > > at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
>>>> > > at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.
>>>> java:1169) >>>> > > at >>>> > > >>>> > com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine >>>> .java:1075) >>>> > > at >>>> > com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571) >>>> > > at com.netscape.certsrv.apps.CMS.init(CMS.java:187) >>>> > > at com.netscape.certsrv.apps.CMS.start(CMS.java:1616) >>>> > > at >>>> > > >>>> > com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartS >>>> ervlet.java:114) >>>> > > at >>>> > javax.servlet.GenericServlet.init(GenericServlet.java:158) >>>> > > at sun.reflect.NativeMethodAccess >>>> orImpl.invoke0(Native >>>> > Method) >>>> > > at >>>> > > >>>> > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce >>>> ssorImpl.java:62) >>>> > > at >>>> > > >>>> > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe >>>> thodAccessorImpl.java:43) >>>> > > at java.lang.reflect.Method.invoke(Method.java:498) >>>> > > at >>>> > > >>>> > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil >>>> .java:288) >>>> > > at >>>> > > >>>> > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil >>>> .java:285) >>>> > > at java.security.AccessController.doPrivileged(Native >>>> > Method) >>>> > > at javax.security.auth.Subject.do >>>> > AsPrivileged(Subject >>>> .java:549) >>>> > > at >>>> > > >>>> > org.apache.catalina.security.SecurityUtil.execute(SecurityUt >>>> il.java:320) >>>> > > at >>>> > > >>>> > org.apache.catalina.security.SecurityUtil.doAsPrivilege(Secu >>>> rityUtil.java:175) >>>> > > at >>>> > > >>>> > org.apache.catalina.security.SecurityUtil.doAsPrivilege(Secu >>>> rityUtil.java:124) >>>> > > at >>>> > > >>>> > org.apache.catalina.core.StandardWrapper.initServlet(Standar >>>> dWrapper.java:1270) >>>> > > at >>>> > > >>>> > org.apache.catalina.core.StandardWrapper.loadServlet(Standar >>>> dWrapper.java:1195) >>>> > > at >>>> > > >>>> > org.apache.catalina.core.StandardWrapper.load(StandardWrappe >>>> r.java:1085) >>>> > > at >>>> > > >>>> > 
org.apache.catalina.core.StandardContext.loadOnStartup(Stand >>>> ardContext.java:5318) >>>> > > at >>>> > > >>>> > org.apache.catalina.core.StandardContext.startInternal(Stand >>>> ardContext.java:5610) >>>> > > at >>>> > > >>>> > org.apache.catalina.util.LifecycleBase.start(LifecycleBase.j >>>> ava:147) >>>> > > at >>>> > > >>>> > org.apache.catalina.core.ContainerBase.addChildInternal(Cont >>>> ainerBase.java:899) >>>> > > at >>>> > > >>>> > org.apache.catalina.core.ContainerBase.access$000(ContainerB >>>> ase.java:133) >>>> > > at >>>> > > >>>> > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.ru >>>> n(ContainerBase.java:156) >>>> > > at >>>> > > >>>> > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.ru >>>> n(ContainerBase.java:145) >>>> > > at java.security.AccessController.doPrivileged(Native >>>> > Method) >>>> > > at >>>> > > >>>> > org.apache.catalina.core.ContainerBase.addChild(ContainerBas >>>> e.java:873) >>>> > > at >>>> > > >>>> > org.apache.catalina.core.StandardHost.addChild(StandardHost. 
>>>> java:652) >>>> > > at >>>> > > >>>> > org.apache.catalina.startup.HostConfig.deployDescriptor(Host >>>> Config.java:679) >>>> > > at >>>> > > >>>> > org.apache.catalina.startup.HostConfig$DeployDescriptor.run( >>>> HostConfig.java:1966) >>>> > > at >>>> > > >>>> > java.util.concurrent.Executors$RunnableAdapter.call(Executor >>>> s.java:511) >>>> > > at java.util.concurrent.FutureTas >>>> k.run(FutureTask.java:266) >>>> > > at >>>> > > >>>> > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool >>>> Executor.java:1142) >>>> > > at >>>> > > >>>> > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo >>>> lExecutor.java:617) >>>> > > at java.lang.Thread.run(Thread.java:745) >>>> > > Internal Database Error encountered: Could not connect >>>> to LDAP >>>> > > server host ipa12.mgmt.crosschx.com >>>> > < >>>> http://ipa12.mgmt.crosschx.com >>>> > > >>>> > > port 636 Error netscape.ldap.LDAPException: >>>> Authentication >>>> > failed (48) >>>> > > at >>>> > com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java: >>>> 676) >>>> > > at >>>> > > >>>> > com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine. 
>>>> java:1169) >>>> > > at >>>> > > >>>> > com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine >>>> .java:1075) >>>> > > at >>>> > com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571) >>>> > > at com.netscape.certsrv.apps.CMS.init(CMS.java:187) >>>> > > at com.netscape.certsrv.apps.CMS.start(CMS.java:1616) >>>> > > at >>>> > > >>>> > com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartS >>>> ervlet.java:114) >>>> > > at >>>> > javax.servlet.GenericServlet.init(GenericServlet.java:158) >>>> > > at sun.reflect.NativeMethodAccess >>>> orImpl.invoke0(Native >>>> > Method) >>>> > > at >>>> > > >>>> > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce >>>> ssorImpl.java:62) >>>> > > at >>>> > > >>>> > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe >>>> thodAccessorImpl.java:43) >>>> > > at java.lang.reflect.Method.invoke(Method.java:498) >>>> > > at >>>> > > >>>> > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil >>>> .java:288) >>>> > > at >>>> > > >>>> > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil >>>> .java:285) >>>> > > at java.security.AccessController.doPrivileged(Native >>>> > Method) >>>> > > at javax.security.auth.Subject.do >>>> > AsPrivileged(Subject >>>> .java:549) >>>> > > at >>>> > > >>>> > org.apache.catalina.security.SecurityUtil.execute(SecurityUt >>>> il.java:320) >>>> > > at >>>> > > >>>> > org.apache.catalina.security.SecurityUtil.doAsPrivilege(Secu >>>> rityUtil.java:175) >>>> > > at >>>> > > >>>> > org.apache.catalina.security.SecurityUtil.doAsPrivilege(Secu >>>> rityUtil.java:124) >>>> > > at >>>> > > >>>> > org.apache.catalina.core.StandardWrapper.initServlet(Standar >>>> dWrapper.java:1270) >>>> > > at >>>> > > >>>> > org.apache.catalina.core.StandardWrapper.loadServlet(Standar >>>> dWrapper.java:1195) >>>> > > at >>>> > > >>>> > org.apache.catalina.core.StandardWrapper.load(StandardWrappe >>>> r.java:1085) >>>> > > at >>>> > > >>>> > 
org.apache.catalina.core.StandardContext.loadOnStartup(Stand >>>> ardContext.java:5318) >>>> > > at >>>> > > >>>> > org.apache.catalina.core.StandardContext.startInternal(Stand >>>> ardContext.java:5610) >>>> > > at >>>> > > >>>> > org.apache.catalina.util.LifecycleBase.start(LifecycleBase.j >>>> ava:147) >>>> > > at >>>> > > >>>> > org.apache.catalina.core.ContainerBase.addChildInternal(Cont >>>> ainerBase.java:899) >>>> > > at >>>> > > >>>> > org.apache.catalina.core.ContainerBase.access$000(ContainerB >>>> ase.java:133) >>>> > > at >>>> > > >>>> > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.ru >>>> n(ContainerBase.java:156) >>>> > > at >>>> > > >>>> > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.ru >>>> n(ContainerBase.java:145) >>>> > > at java.security.AccessController.doPrivileged(Native >>>> > Method) >>>> > > at >>>> > > >>>> > org.apache.catalina.core.ContainerBase.addChild(ContainerBas >>>> e.java:873) >>>> > > at >>>> > > >>>> > org.apache.catalina.core.StandardHost.addChild(StandardHost. 
>>>> java:652) >>>> > > at >>>> > > >>>> > org.apache.catalina.startup.HostConfig.deployDescriptor(Host >>>> Config.java:679) >>>> > > at >>>> > > >>>> > org.apache.catalina.startup.HostConfig$DeployDescriptor.run( >>>> HostConfig.java:1966) >>>> > > at >>>> > > >>>> > java.util.concurrent.Executors$RunnableAdapter.call(Executor >>>> s.java:511) >>>> > > at java.util.concurrent.FutureTas >>>> k.run(FutureTask.java:266) >>>> > > at >>>> > > >>>> > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool >>>> Executor.java:1142) >>>> > > at >>>> > > >>>> > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo >>>> lExecutor.java:617) >>>> > > at java.lang.Thread.run(Thread.java:745) >>>> > > [03/May/2017:21:22:02][localhost-startStop-1]: >>>> > CMSEngine.shutdown() >>>> > > >>>> > > >>>> > > ============================= >>>> > > >>>> > > >>>> > > IPA11.MGMT >>>> > > >>>> > > (root)>certutil -L -d /etc/dirsrv/slapd-MGMT-CROSSCH >>>> X-COM/ >>>> > > Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI >>>> > Server-Cert >>>> > > u,u,u MGMT.CROSSCHX.COM >>>> > IPA CA CT,C,C >>>> > > (root)>certutil -L -d /var/lib/pki/pki-tomcat/alias/ >>>> > Certificate >>>> > > Nickname Trust Attributes SSL,S/MIME,JAR/XPI >>>> caSigningCert >>>> > > cert-pki-ca CTu,Cu,Cu auditSigningCert cert-pki-ca >>>> u,u,Pu >>>> > > ocspSigningCert cert-pki-ca u,u,u subsystemCert >>>> > cert-pki-ca u,u,u >>>> > > Server-Cert cert-pki-ca u,u,u IPA13.MGMT >>>> (root)>certutil -L -d >>>> > > /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/ Certificate >>>> Nickname >>>> > Trust >>>> > > Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u >>>> > MGMT.CROSSCHX.COM >>>> > > IPA CA CT,C,C >>>> (root)>certutil -L -d >>>> > > /var/lib/pki/pki-tomcat/alias/ Certificate Nickname >>>> Trust >>>> > Attributes >>>> > > SSL,S/MIME,JAR/XPI caSigningCert cert-pki-ca CTu,Cu,Cu >>>> > > auditSigningCert cert-pki-ca u,u,Pu ocspSigningCert >>>> > cert-pki-ca >>>> > > u,u,u subsystemCert cert-pki-ca u,u,u Server-Cert 
>>>> > cert-pki-ca u,u,u >>>> > > IPA12.MGMT (root)>certutil -L -d >>>> > > /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/ Certificate >>>> Nickname >>>> > Trust >>>> > > Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u >>>> > MGMT.CROSSCHX.COM >>>> > > IPA CA C,, (root)>certutil >>>> -L -d >>>> > > /var/lib/pki/pki-tomcat/alias/ Certificate Nickname >>>> Trust >>>> > Attributes >>>> > > SSL,S/MIME,JAR/XPI caSigningCert cert-pki-ca CTu,Cu,Cu >>>> > > auditSigningCert cert-pki-ca u,u,Pu ocspSigningCert >>>> > cert-pki-ca >>>> > > u,u,u subsystemCert cert-pki-ca u,u,u Server-Cert >>>> > cert-pki-ca u,u,u >>>> > > ================================================= >>>> IPA11.MGMT >>>> > > (root)>getcert list Number of certificates and requests >>>> being >>>> > > tracked: 8. Request ID '20161229155314': status: >>>> > MONITORING stuck: >>>> > > no key pair storage: >>>> > > >>>> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',ni >>>> ckname='Server-Cert',token='NSS >>>> > > Certificate >>>> > > DB',pinfile='/etc/dirsrv/slap >>>> d-MGMT-CROSSCHX-COM/pwdfile.txt' >>>> > > certificate: >>>> > > >>>> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',ni >>>> ckname='Server-Cert',token='NSS >>>> > > Certificate DB' CA: IPA issuer: CN=Certificate >>>> > > Authority,O=MGMT.CROSSCHX.COM >>> > >>>> > subject: >>>> > > CN=ipa11.mgmt.crosschx.com < >>>> http://ipa11.mgmt.crosschx.com> >>>> > > >>> > >,O=MGMT.CROSSCHX.COM >>>> > >>>> > > expires: 2018-12-30 15:52:43 >>>> > UTC key >>>> > > usage: >>>> > > >>>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher >>>> ment >>>> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save >>>> command: >>>> > post-save >>>> > > command: /usr/libexec/ipa/certmonger/restart_dirsrv >>>> > > MGMT-CROSSCHX-COM track: yes auto-renew: yes Request ID >>>> > > '20161229155652': status: MONITORING stuck: no key pair >>>> > storage: >>>> > > >>>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='au >>>> ditSigningCert >>>> 
> > cert-pki-ca',token='NSS Certificate DB',pin set >>>> certificate: >>>> > > >>>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='au >>>> ditSigningCert >>>> > > cert-pki-ca',token='NSS Certificate DB' CA: >>>> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >>>> > > Authority,O=MGMT.CROSSCHX.COM >>> > >>>> > subject: >>>> > > CN=CA Audit,O=MGMT.CROSSCHX.COM < >>>> http://MGMT.CROSSCHX.COM> >>>> > expires: >>>> > > 2018-11-12 13:00:29 UTC key usage: >>>> > digitalSignature,nonRepudiation >>>> > > pre-save command: /usr/libexec/ipa/certmonger/st >>>> op_pkicad >>>> > post-save >>>> > > command: /usr/libexec/ipa/certmonger/renew_ca_cert >>>> > "auditSigningCert >>>> > > cert-pki-ca" track: yes auto-renew: yes Request ID >>>> > '20161229155654': >>>> > > status: MONITORING stuck: no key pair storage: >>>> > > >>>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='oc >>>> spSigningCert >>>> > > cert-pki-ca',token='NSS Certificate DB',pin set >>>> certificate: >>>> > > >>>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='oc >>>> spSigningCert >>>> > > cert-pki-ca',token='NSS Certificate DB' CA: >>>> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >>>> > > Authority,O=MGMT.CROSSCHX.COM >>> > >>>> > subject: >>>> > > CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM >>>> > >>>> > > expires: 2018-11-12 13:00:26 UTC key usage: >>>> > > digitalSignature,nonRepudiation,keyCertSign,cRLSign >>>> eku: >>>> > > id-kp-OCSPSigning pre-save command: >>>> > > /usr/libexec/ipa/certmonger/stop_pkicad post-save >>>> command: >>>> > > /usr/libexec/ipa/certmonger/renew_ca_cert >>>> "ocspSigningCert >>>> > > cert-pki-ca" track: yes auto-renew: yes Request ID >>>> > '20161229155655': >>>> > > status: MONITORING stuck: no key pair storage: >>>> > > >>>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='su >>>> bsystemCert >>>> > > cert-pki-ca',token='NSS Certificate DB',pin set >>>> certificate: >>>> > > >>>> > 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='su >>>> bsystemCert >>>> > > cert-pki-ca',token='NSS Certificate DB' CA: >>>> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >>>> > > Authority,O=MGMT.CROSSCHX.COM >>> > >>>> > subject: >>>> > > CN=CA Subsystem,O=MGMT.CROSSCHX.COM >>>> > >>>> > > expires: 2018-11-12 13:00:28 UTC key usage: >>>> > > >>>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher >>>> ment >>>> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save >>>> command: >>>> > > /usr/libexec/ipa/certmonger/stop_pkicad post-save >>>> command: >>>> > > /usr/libexec/ipa/certmonger/renew_ca_cert >>>> "subsystemCert >>>> > > cert-pki-ca" track: yes auto-renew: yes Request ID >>>> > '20161229155657': >>>> > > status: MONITORING stuck: no key pair storage: >>>> > > >>>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ca >>>> SigningCert >>>> > > cert-pki-ca',token='NSS Certificate DB',pin set >>>> certificate: >>>> > > >>>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ca >>>> SigningCert >>>> > > cert-pki-ca',token='NSS Certificate DB' CA: >>>> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >>>> > > Authority,O=MGMT.CROSSCHX.COM >>> > >>>> > subject: >>>> > > CN=Certificate Authority,O=MGMT.CROSSCHX.COM >>>> > >>>> > > expires: 2036-11-22 13:00:25 >>>> > UTC key >>>> > > usage: digitalSignature,nonRepudiatio >>>> n,keyCertSign,cRLSign >>>> > pre-save >>>> > > command: /usr/libexec/ipa/certmonger/stop_pkicad >>>> post-save >>>> > command: >>>> > > /usr/libexec/ipa/certmonger/renew_ca_cert >>>> "caSigningCert >>>> > > cert-pki-ca" track: yes auto-renew: yes Request ID >>>> > '20161229155659': >>>> > > status: MONITORING stuck: no key pair storage: >>>> > > >>>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Se >>>> rver-Cert >>>> > cert-pki-ca',token='NSS >>>> > > Certificate DB',pin set certificate: >>>> > > >>>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Se >>>> rver-Cert 
>>>> > cert-pki-ca',token='NSS >>>> > > Certificate DB' CA: dogtag-ipa-renew-agent issuer: >>>> > CN=Certificate >>>> > > Authority,O=MGMT.CROSSCHX.COM >>> > >>>> > subject: >>>> > > CN=ipa11.mgmt.crosschx.com < >>>> http://ipa11.mgmt.crosschx.com> >>>> > > >>> > >,O=MGMT.CROSSCHX.COM >>>> > >>>> > > expires: 2018-12-19 15:56:20 >>>> > UTC key >>>> > > usage: >>>> > > >>>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher >>>> ment >>>> > > eku: id-kp-serverAuth,id-kp-clientA >>>> uth,id-kp-emailProtection >>>> > > pre-save command: /usr/libexec/ipa/certmonger/st >>>> op_pkicad >>>> > post-save >>>> > > command: /usr/libexec/ipa/certmonger/renew_ca_cert >>>> > "Server-Cert >>>> > > cert-pki-ca" track: yes auto-renew: yes Request ID >>>> > '20161229155921': >>>> > > status: MONITORING stuck: no key pair storage: >>>> > > >>>> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert >>>> ',token='NSS >>>> > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>>> > certificate: >>>> > > >>>> > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert >>>> ',token='NSS >>>> > > Certificate DB' CA: IPA issuer: CN=Certificate >>>> > > Authority,O=MGMT.CROSSCHX.COM >>> > >>>> > subject: >>>> > > CN=ipa11.mgmt.crosschx.com < >>>> http://ipa11.mgmt.crosschx.com> >>>> > > >>> > >,O=MGMT.CROSSCHX.COM >>>> > >>>> > > expires: 2018-12-30 15:52:46 >>>> > UTC key >>>> > > usage: >>>> > > >>>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher >>>> ment >>>> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save >>>> command: >>>> > post-save >>>> > > command: /usr/libexec/ipa/certmonger/restart_httpd >>>> track: yes >>>> > > auto-renew: yes Request ID '20161229160009': status: >>>> > MONITORING >>>> > > stuck: no key pair storage: >>>> > > >>>> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',to >>>> ken='NSS >>>> > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' >>>> > certificate: >>>> > > >>>> > 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',to >>>> ken='NSS >>>> > > Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: >>>> > CN=Certificate >>>> > > Authority,O=MGMT.CROSSCHX.COM >>> > >>>> > subject: >>>> > > CN=IPA RA,O=MGMT.CROSSCHX.COM >>> > >>>> > expires: >>>> > > 2018-11-12 13:01:34 UTC key usage: >>>> > > >>>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher >>>> ment >>>> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save >>>> command: >>>> > > /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save >>>> > command: >>>> > > /usr/libexec/ipa/certmonger/renew_ra_cert track: yes >>>> > auto-renew: yes >>>> > > ================================== IPA13.MGMT >>>> > (root)>getcert list >>>> > > Number of certificates and requests being tracked: 8. >>>> > Request ID >>>> > > '20161229143449': status: MONITORING stuck: no key pair >>>> > storage: >>>> > > >>>> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',ni >>>> ckname='Server-Cert',token='NSS >>>> > > Certificate >>>> > > DB',pinfile='/etc/dirsrv/slap >>>> d-MGMT-CROSSCHX-COM/pwdfile.txt' >>>> > > certificate: >>>> > > >>>> > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',ni >>>> ckname='Server-Cert',token='NSS >>>> > > Certificate DB' CA: IPA issuer: CN=Certificate >>>> > > Authority,O=MGMT.CROSSCHX.COM >>> > >>>> > subject: >>>> > > CN=ipa13.mgmt.crosschx.com < >>>> http://ipa13.mgmt.crosschx.com> >>>> > > >>> > >,O=MGMT.CROSSCHX.COM >>>> > >>>> > > expires: 2018-12-30 14:34:20 >>>> > UTC key >>>> > > usage: >>>> > > >>>> > digitalSignature,nonRepudiation,keyEncipherment,dataEncipher >>>> ment >>>> > > eku: id-kp-serverAuth,id-kp-clientAuth pre-save >>>> command: >>>> > post-save >>>> > > command: /usr/libexec/ipa/certmonger/restart_dirsrv >>>> > > MGMT-CROSSCHX-COM track: yes auto-renew: yes Request ID >>>> > > '20161229143826': status: MONITORING stuck: no key pair >>>> > storage: >>>> > > >>>> > 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='au >>>> ditSigningCert >>>> > > cert-pki-ca',token='NSS Certificate DB',pin set >>>> certificate: >>>> > > >>>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='au >>>> ditSigningCert >>>> > > cert-pki-ca',token='NSS Certificate DB' CA: >>>> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >>>> > > Authority,O=MGMT.CROSSCHX.COM >>> > >>>> > subject: >>>> > > CN=CA Audit,O=MGMT.CROSSCHX.COM < >>>> http://MGMT.CROSSCHX.COM> >>>> > expires: >>>> > > 2018-11-12 13:00:29 UTC key usage: >>>> > digitalSignature,nonRepudiation >>>> > > pre-save command: /usr/libexec/ipa/certmonger/st >>>> op_pkicad >>>> > post-save >>>> > > command: /usr/libexec/ipa/certmonger/renew_ca_cert >>>> > "auditSigningCert >>>> > > cert-pki-ca" track: yes auto-renew: yes Request ID >>>> > '20161229143828': >>>> > > status: MONITORING stuck: no key pair storage: >>>> > > >>>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='oc >>>> spSigningCert >>>> > > cert-pki-ca',token='NSS Certificate DB',pin set >>>> certificate: >>>> > > >>>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='oc >>>> spSigningCert >>>> > > cert-pki-ca',token='NSS Certificate DB' CA: >>>> > > dogtag-ipa-ca-renew-agent issuer: CN=Certificate >>>> > > Authority,O=MGMT.CROSSCHX.COM >>> > >>>> > subject: >>>> > > CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM >>>> > >>>> > > expires: 2018-11-12 13:00:26 UTC key usage: >>>> > > digitalSignature,nonRepudiation,keyCertSign,cRLSign >>>> eku: >>>> > > id-kp-OCSPSigning pre-save command: >>>> > > /usr/libexec/ipa/certmonger/stop_pkicad post-save >>>> command: >>>> > > /usr/libexec/ipa/certmonger/renew_ca_cert >>>> "ocspSigningCert >>>> > > cert-pki-ca" track: yes auto-renew: yes Request ID >>>> > '20161229143831': >>>> > > status: MONITORING stuck: no key pair storage: >>>> > > >>>> > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='su >>>> bsystemCert >>>> > > cert-pki-ca',token='NSS 
From jhrozek at redhat.com Mon May 15 19:27:48 2017
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Mon, 15 May 2017 21:27:48 +0200
Subject: [Freeipa-users] SSSD Cache and Service Tickets
In-Reply-To: <475e7f72-a3f9-be26-d6cb-9f2c5b106238@ronzo.at>
References: <475e7f72-a3f9-be26-d6cb-9f2c5b106238@ronzo.at>
Message-ID: <20170515192748.hhn2un7il4f4e4s3@hendrix>

First, I'm sorry if this mail is not helpful enough, I'm really just
replying to the part I'm familiar with

On Mon, May 15, 2017 at 03:54:22PM +0200, Ronald Wimmer wrote:
> Hi,
>
> I am confronted with a behaviour for which I do not have an explanation for.
>
> I am using NFS4 Kerberos automounted homeshares and recently I got a
> permission denied (reproducible when I restart autofs on the server I want
> to connect to) from the Windows Domain.
> So here's what I tried:
>
> 1) Connected via PuTTY from a Windows Machine in the windows domain
> Kerberos-based login works but I get a "Permission Denied" on my home
> directory; klist shows no tickets

No tickets at all? Not even an expired ticket?

Does running klist in cmd.exe show anything?

>
> 2) I try to connect from a Linux machine belonging to the IPA domain
> Kerberos-based login works, I can also access my home directory;
> klist shows nfs/ipanfs.ipadomain.at at IPADOMAIN.AT and the krbtgt for the
> windows domain
>
> 3) Now - of course - using the homeshares works from both domains windows
> and ipa
>
> 4) When I do a kdestroy on the machine, using the homeshare when logged in
> from windows still works -
> My question is WHY? Does SSSD cache the NFS ticket?

It does not. The only code in SSSD that caches anything Kerberos related
is the KRB5CCNAME variable value.

> (and why don't I get an nfs ticket when coming from the windows domain?)

From ronaldw at ronzo.at Tue May 16 09:30:25 2017
From: ronaldw at ronzo.at (Ronald Wimmer)
Date: Tue, 16 May 2017 11:30:25 +0200
Subject: [Freeipa-users] SSSD Cache and Service Tickets
In-Reply-To: <20170515192748.hhn2un7il4f4e4s3@hendrix>
References: <475e7f72-a3f9-be26-d6cb-9f2c5b106238@ronzo.at> <20170515192748.hhn2un7il4f4e4s3@hendrix>
Message-ID: <929c7869-14ec-73b5-d8b4-f18cafbe75e4@ronzo.at>

On 2017-05-15 21:27, Jakub Hrozek wrote:
> [...]
>
> On Mon, May 15, 2017 at 03:54:22PM +0200, Ronald Wimmer wrote:
>> Hi,
>>
>> I am confronted with a behaviour for which I do not have an explanation for.
>>
>> I am using NFS4 Kerberos automounted homeshares and recently I got a
>> permission denied (reproducible when I restart autofs on the server I want
>> to connect to) from the Windows Domain. So here's what I tried:
>>
>> 1) Connected via PuTTY from a Windows Machine in the windows domain
>> Kerberos-based login works but I get a "Permission Denied" on my home
>> directory; klist shows no tickets
> No tickets at all?
> Not even an expired ticket?

Unfortunately no tickets.

> Does running klist in cmd.exe show anything?

Yes, it does:

-bash-4.2$ klist
klist: Credentials cache keyring 'persistent:1073895519:1073895519' not found

And again... If I connect from my linux machine (within the ipa domain),
tickets are there:

-bash-4.2$ klist
Ticket cache: KEYRING:persistent:1073895519:1073895519
Default principal: myuser at MYWINDOWDOMAIN.AT

Valid starting       Expires              Service principal
2017-05-16 11:29:04  2017-05-16 15:43:45  nfs/ipanfs.myipadomain.at at MYIPADOMAIN.AT
2017-05-16 11:25:09  2017-05-16 15:43:45  krbtgt/MYWINDOWDOMAIN.AT at MYWINDOWDOMAIN.AT
        renew until 2017-05-16 15:43:45

From this point on login from windows (AD domain) does - of course - work.

Any ideas how to bring some light into this?

From harald.dunkel at aixigo.de Tue May 16 13:13:46 2017
From: harald.dunkel at aixigo.de (Harald Dunkel)
Date: Tue, 16 May 2017 15:13:46 +0200
Subject: [Freeipa-users] is ipa-cert-manage safe to use?
In-Reply-To: <7dbdf275-595c-d49e-0c01-2e750e27cb94@redhat.com>
References: <7821a4b0-5448-9d64-1bc6-1cf39fbceaa8@aixigo.de> <7dbdf275-595c-d49e-0c01-2e750e27cb94@redhat.com>
Message-ID:

On 05/15/17 16:44, Rob Crittenden wrote:
>
> I'm confused. You mention replacing some "externally signed certificate"
> and yet then ask switching to externally signed certificates. What is
> the current configuration? What is signing the existing server certs? Or
> do you have an external CA signing the IPA CA?
>

The current servers have been installed with --external-ca. freeipa
created a csr, it was signed by an external CA and handed off back to
the freeipa server.

The question was if I should drop the whole certificate support in
freeipa. It's called "CA-less install", if I got this correctly. I am
not sure if it is possible to switch from external-ca to CA-less.

> ipa-cacert-manage is for managing the CA certificate, not service
> certificates.
>

Sure.
Point is that I don't see how a problem on replacing freeipa's
(externally signed) CA certificate by a new one affects freeipa.

Sorry to say, but at install time I did not have the impression that
"ipa-server-install --external-ca" was thoroughly tested before. I ran
straight into a problem, but fortunately that didn't matter, cause
freeipa was not in production use, yet. (Look for "ipa-server-install
--external-ca failed" on this mailing list, thread started 2015-12-15.)

Today it is in production use. If I brick freeipa today, then I have a
huge problem, so I am concerned.

Regards
Harri

From dudin.andrey at gmail.com Tue May 16 13:48:42 2017
From: dudin.andrey at gmail.com (Andrey Dudin)
Date: Tue, 16 May 2017 16:48:42 +0300
Subject: [Freeipa-users] Password and OTP auth
Message-ID:

Hello all.

Tell me please. Is it possible to use password and otp auth at the one
moment?

For example I have DEV/STAGE servers and want to be able to use password
auth for ssh, but for PROD servers I want to use OTP auth for same user.

From houser at nso.edu Tue May 16 13:56:38 2017
From: houser at nso.edu (Janet Houser)
Date: Tue, 16 May 2017 07:56:38 -0600
Subject: [Freeipa-users] Freeipa and limiting access by group (memberOf)
Message-ID:

Hi Folks,

Last week I deployed freeipa on a CentOS7 VM. The installation went very
smoothly using:

yum install ipa-server

and

ipa-server-install

My issue is with connecting a CentOS 7 client.

On my client, I yum installed ipa-client and ipa-admintools. I then ran
"ipa-client-install" and answered the setup questions (very easy and
smooth).

The "getent passwd" command didn't return any users, but the "getent
passwd jdoe" does give the information for the user. I found in the
archives that I can set "enumerate=True" so I get a complete user
listing. That seems to be working, and I was able to login with the
account "jdoe" (brilliant!).

Problem 1:
========

I created a user group on the ipa server with the following attributes:
name = xyx, gid = 1000

I changed the user "jdoe" to have gid = 1000, but when I ssh into the ipa
client, I get the following message after logging in:

/usr/bin/id: cannot find name for group ID 1000

A "getent group" command does list the group:

xyz:*:1000:

A "groups" command issued by the user shows:

xyz

files created by the user show the correct ownership and group.

Problem 2:
=======

I've been looking through the freeipa groups and literature and I can't
figure out how to limit user login access to an ipa client by a memberOf
group.

When I was using CentOS 6 and 7 I could use the nslcd.conf file to put in
a group filter like:

passwd (&(objectClass=posixAccount)(memberOf=CN=test,OU=Groups,DC=abc,DC=xyx,DC=edu))

I tried changing the access_provider to simple and using the
"simply_allow_groups = test", but that didn't work. However, using
"access_provider = ipa" and "filter_users" did allow me to filter out a
user from the "getent passwd" command.

I tried changing the access_provider to ldap and using the filter

"ldap_access_filter = memberOf=cn=test=OU=Groups,DC=abc,DC=xyx,DC=edu

but that failed too.

I'd appreciate any suggestions

Thanks,

- signed an "ipa newbie"

From sbose at redhat.com Tue May 16 14:16:58 2017
From: sbose at redhat.com (Sumit Bose)
Date: Tue, 16 May 2017 16:16:58 +0200
Subject: [Freeipa-users] Password and OTP auth
In-Reply-To:
References:
Message-ID: <20170516141658.GB32195@p.Speedport_W_724V_Typ_A_05011603_00_011>

On Tue, May 16, 2017 at 04:48:42PM +0300, Andrey Dudin wrote:
> Hello all.
>
> Tell me please. Is it possible to use password and otp auth at the one
> moment?
>
> For example I have DEV/STAGE servers and want to be able to use password auth
> for ssh, but for PROD servers I want to use OTP auth for same user.

Authentication indicators can be used for this.
If you add

ipa host-mod --auth-ind=otp prod.server

Only 2-factor authentication should be possible on prod.server. But
please note that e.g. ssh-key based authentication will still be
possible as well.

HTH

bye,
Sumit

From luiz.vianna at tivit.com.br Tue May 16 14:43:08 2017
From: luiz.vianna at tivit.com.br (Luiz Fernando Vianna da Silva)
Date: Tue, 16 May 2017 14:43:08 +0000
Subject: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
References: <2CA71D6C07ADB544847562573DC6BF062B3D3796@CPEMS-KPN309.KPNCNL.LOCAL> <2CA71D6C07ADB544847562573DC6BF062B3D39EA@CPEMS-KPN309.KPNCNL.LOCAL> <89213DDB84447F44A8E8950A5C2185E04CD67C91@SJN01013.jnmain00.corp.jndata.net>
Message-ID:

As far as I found out, it is not possible to integrate sudo rules from
IPA into AIX. sudo on aix does not support that.
You will have to maintain /etc/sudoers by some other means.

That's where you are mistaken.

It is possible to integrate sudo rules into AIX, I've done it and have
documented it here:
https://www.freeipa.org/page/SUDO_Integration_for_AIX

Give it a try, it's a fairly simple procedure.

P.S. IBM has recently pimped the AIX toolbox RPMs and even implemented it
as a YUM server. I haven't tried using these new RPMs yet to see if they
work with sudo integration. If you want to keep it safe, use perzl RPMs
as I describe on the documentation.

If you want, and I would appreciate it if you would, give the new RPMs
from toolbox a go and if it works please update the documentation, or
send me your notes and I'll update it.

Best Regards
__________________________________________
Luiz Fernando Vianna da Silva

On 15-05-2017 02:53, Bjarne Blichfeldt wrote:

We have a working setup on three aix servers and by comparing our config
with yours, I see the following differences:

LDAP:

/etc/security/ldap/ldap.cfg :
userattrmappath:/etc/security/ldap/FreeIPAuser.map
groupattrmappath:/etc/security/ldap/FreeIPAgroup.map
userclasses:posixaccount

/etc/security/ldap/FreeIPAuser.map:
#FreeIPAuser.map file
# https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_AIX.html
keyobjectclass  SEC_CHAR    posixaccount        s
# The following attributes are required by AIX to be functional
username        SEC_CHAR    uid                 s
id              SEC_INT     uidnumber           s
pgrp            SEC_CHAR    gidnumber           s
home            SEC_CHAR    homedirectory       s
shell           SEC_CHAR    loginshell          s
gecos           SEC_CHAR    gecos               s
spassword       SEC_CHAR    userpassword        s
lastupdate      SEC_INT     shadowlastchange    s

/etc/security/ldap/FreeIPAgroup.map:
#FreeIPAgroup.map file
# https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_AIX.html
groupname       SEC_CHAR    cn                  s
id              SEC_INT     gidNumber           s
users           SEC_LIST    member              m

To test if the ldap is working:
ls-secldapclntd
lsldap -a passwd
lsuser -R LDAP ALL

KERBEROS:

/etc/methods.cfg:
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes

Add Kerberos to authorized authentication entities and verify:
chauthent -k5 -std
#Verify
lsauthent
Kerberos 5
Standard Aix

To test:
lsuser -R KRB5LDAP

Configure aix to create homedir during login:
/etc/security/login.cfg:
        mkhomeatlogin = true

usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/sliplogin,/usr/sbin/uucp/uucico,/usr/sbin/snappd
        maxlogins = 32767
        logintimeout = 30
        maxroles = 8
        auth_type = STD_AUTH
        mkhomeatlogin = true

Also remember: user can be locked in AIX so use smitty to unlock user and
reset login attempts.

As far as I found out, it is not possible to integrate sudo rules from
IPA into AIX. sudo on aix does not support that.
You will have to maintain /etc/sudoers by some other means.

Hope that helps, good luck.

Regards
Bjarne Blichfeldt.

From: wouter.hummelink at kpn.com [mailto:wouter.hummelink at kpn.com]
Sent: 12 May 2017 16:03
To: iulian.roman at gmail.com
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

Yes, kinit works with IPA users.
GSSAPI authentication is not keeping it simple, since we want passwords
to work before trying TGS based logins over GSSAPI.

The keytab works since lsuser is still able to get user data.
(Documentation specifies that enabling krb5 in ldap.cfg makes the bind
user and password moot, secldapclntd uses krb5 to identify itself to IPA)
Also we are able to kinit host/aixlpar.example.org at EXAMPLE.ORG -kt /etc/krb5/krb5.keytab

We can try using su from an unprivileged user, but su has some different
issues altogether, it doesn't like @ in usernames which we need at the
next stage (integrating AD Trust)

From: Iulian Roman [mailto:iulian.roman at gmail.com]
Sent: Friday 12 May 2017 15:56
To: Hummelink, Wouter
Cc: luiz.vianna at tivit.com.br; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

On Fri, May 12, 2017 at 3:31 PM, > wrote:

The shell is shown correctly as ksh in lsuser, so that doesn't appear to
be an issue for the ID view.

My advice would be to start simple, prove that your authentication works
and you can develop a more elaborated setup afterwards. If you combine
them all together it will be a trial and error which eventually will work
at some point.

Do you have the correct keytabs in /etc/krb5/krb5.keytab ?
can you run kinit (with password and with the keytab) from aix and get a
ticket from Kerberos ?
can you su to an IPA account ?
do you have GSSAPIAuthentication enabled in sshd_config ?

From what you've described I would suspect that your keytab is not
correct, but that should be confirmed only by answering the questions
above.

Sent from my Samsung device

-------- Original message --------
From: Luiz Fernando Vianna da Silva
Date: 12-05-17 15:03 (GMT+01:00)
To: "Hummelink, Wouter", freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

Hello Wouter.

It may seem silly, but try installing bash on one AIX server and test
authenticating against that one.

It's a single rpm with no dependencies. For me it did the trick and I
ended up doing that on all my AIX servers.

Let me know how it goes or if you have any issues.

Best Regards
__________________________________________
Luiz Fernando Vianna da Silva

On 12-05-2017 09:47, wouter.hummelink at kpn.com wrote:

Hi All,

We're running a POC to integrate IPA and AIX using AIX KRB5LDAP compound
module.
All the moving parts seem to be working on their own, however logging in
doesn't work with SSH on AIX reporting Failed password for user

We're using ID views to overwrite the user shell and home dirs. (Since
AIX will refuse a login with a nonexisting shell (like bash))
AIX's lsuser command is able to find all of the users it's supposed to
and su to IPA users works.
Also when a user tries to log in I can see a successful Kerberos
conversation to our IPA server.

Tips for troubleshooting would be much appreciated, increasing SSH log
level did not produce any meaningful logging.

=============== Configuration Excerpt ================================================================
/etc/security/ldap/ldap.cfg:
ldapservers:ipaserver.example.org
binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
bindpwd:{DESv2}
authtype:ldap_auth
useSSL:TLS
ldapsslkeyf:/etc/security/ldap/example.kdb
ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8 932F219867AA7C2C552A12BEEC0CC67
useKRB5:yes
krbprincipal:host/aixlpar.example.org
krbkeypath:/etc/krb5/krb5.keytab
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
automountbasedn:cn=default,cn=automount,dc=example,dc=org
etherbasedn:cn=computers,cn=accounts,dc=example,dc=org
userclasses:posixaccount,account,shadowaccount
groupclasses:posixgroup
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP

/etc/security/user
default:
        SYSTEM = KRB5LDAP or compat

/etc/methods.cfg
LDAP:
        program = /usr/lib/security/LDAP
        program_64 =/usr/lib/security/LDAP64
NIS:
        program = /usr/lib/security/NIS
        program_64 = /usr/lib/security/NIS_64
DCE:
        program = /usr/lib/security/DCE
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no
KRB5LDAP:
        options = auth=KRB5,db=LDAP

Kind regards,
Wouter Hummelink
Technical Consultant - Enterprise Webhosting / Tooling & Automation
T: +31-6-12882447
E: wouter.hummelink at kpn.com
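
For the AIX thread above: Bjarne compares his working setup with Wouter's, and the two KRB5 stanzas from /etc/methods.cfg differ in more than one option. This is an added example (not code from any poster, IBM or FreeIPA) that parses both stanzas and lists the differing load-module options; the stanza text is copied from the two messages, and the function and variable names are assumptions of this example.

```python
"""Compare the KRB5 load-module options of two AIX /etc/methods.cfg files."""

# Stanza from the setup reported as working (Bjarne's message).
WORKING_CFG = """\
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes
"""

# Stanzas from the setup where SSH password login fails (Wouter's message).
FAILING_CFG = """\
LDAP:
        program = /usr/lib/security/LDAP
        program_64 =/usr/lib/security/LDAP64
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no
KRB5LDAP:
        options = auth=KRB5,db=LDAP
"""


def parse_stanzas(text):
    """Parse AIX stanza syntax: a 'NAME:' header followed by 'key = value' lines."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):      # '*' starts a comment line
            continue
        if line.endswith(":") and "=" not in line:
            current = stanzas.setdefault(line[:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")   # split on the first '=' only
            current[key.strip()] = value.strip()
    return stanzas


def module_options(stanzas, module):
    """Split a module's comma-separated 'options' value; bare flags map to True."""
    opts = {}
    for item in stanzas.get(module, {}).get("options", "").split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        opts[key] = value if sep else True
    return opts


def diff_options(a, b):
    """Return {option: (value_in_a, value_in_b)} for every option that differs."""
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    working = module_options(parse_stanzas(WORKING_CFG), "KRB5")
    failing = module_options(parse_stanzas(FAILING_CFG), "KRB5")
    for option, (w, f) in diff_options(working, failing).items():
        print(f"{option:20} working={w!s:5} failing={f!s:5}")
```

Of the four differences, tgt_verify is the one tied to the host keytab Iulian asks about: with tgt_verify=yes the KRB5 module checks the TGT against the host principal's key, so a wrong keytab fails the login. The working setup avoids that by setting tgt_verify=no, which also means it does not verify that the TGT came from the real KDC.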
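
For the "Password and OTP auth" thread: once a host principal requires an authentication indicator, the KDC logs every service-ticket request it refuses because the ticket lacks it. This is an added example (not code from any poster or from FreeIPA) that pulls those refusals out of a krb5kdc log and checks whether the matching TGT was issued in the same log; the sample log is constructed, and the function and field names are assumptions of this example.

```python
"""Report service-ticket requests a KDC refused for a missing authentication indicator."""
import re

# Constructed sample in the krb5kdc.log layout; host names, realm and address are placeholders.
SAMPLE_LOG = """\
May 16 11:00:53 kdc1 krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.22: NEEDED_PREAUTH: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
May 16 11:00:53 kdc1 krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 kdc1 krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
May 16 11:00:53 kdc1 krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, alice@EXAMPLE.TEST for host/prod.example.test@EXAMPLE.TEST, Required auth indicators not present in ticket: otp
May 16 11:00:53 kdc1 krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, alice@EXAMPLE.TEST for host/prod.example.test@EXAMPLE.TEST, Required auth indicators not present in ticket: otp
May 16 11:02:10 kdc1 krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for host/dev.example.test@EXAMPLE.TEST
"""

# One KDC request line: timestamp, KDC host, request type, client address, status, details.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<addr>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# Principals are name@REALM; list archives rewrite "@" as " at ", so accept both forms.
PRINC = r"[^\s,]+(?:@| at )[^\s,]+"
PRINCS = re.compile(rf"(?P<client>{PRINC}) for (?P<service>{PRINC})")
AUTHTIME = re.compile(r"authtime (\d+)")
MISSING = re.compile(r"Required auth indicators not present in ticket: (.+)$")


def _norm(principal):
    """Undo the archive's ' at ' obfuscation so principals compare equal."""
    return principal.replace(" at ", "@")


def find_indicator_denials(log_text):
    """Return one finding per (client, service, authtime) refused for a missing indicator."""
    tgts = set()       # (client, authtime) pairs for which an AS_REQ ISSUE was logged
    findings = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue   # non-request lines such as "closing down fd 12"
        princs, authtime = PRINCS.search(m["rest"]), AUTHTIME.search(m["rest"])
        if not (princs and authtime):
            continue   # NEEDED_PREAUTH lines carry no authtime
        client, service = _norm(princs["client"]), _norm(princs["service"])
        at = int(authtime[1])
        if m["req"] == "AS_REQ" and m["status"] == "ISSUE":
            tgts.add((client, at))
        elif m["req"] == "TGS_REQ" and m["status"] == "HIGHER_AUTHENTICATION_REQUIRED":
            missing = MISSING.search(m["rest"])
            finding = findings.setdefault((client, service, at), {
                "client": client,
                "service": service,
                "source": m["addr"],
                "first_seen": m["ts"],
                "missing": missing[1].split() if missing else [],
                "tgt_issued_in_log": (client, at) in tgts,
                "attempts": 0,
            })
            finding["attempts"] += 1   # retries of the same request are counted, not duplicated
    return list(findings.values())


if __name__ == "__main__":
    for f in find_indicator_denials(SAMPLE_LOG):
        print(f"{f['first_seen']} {f['client']} -> {f['service']} from {f['source']}: "
              f"missing {','.join(f['missing'])}, attempts={f['attempts']}, "
              f"tgt_issued_in_log={f['tgt_issued_in_log']}")
```

A refusal whose TGT was issued in the same log means the first factor was accepted and the ticket simply carries no indicator, which separates policy enforcement from a wrong password. Key-based SSH logins never reach the KDC, so they do not appear in this log at all.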

From dudin.andrey at gmail.com Tue May 16 15:05:06 2017
From: dudin.andrey at gmail.com (Andrey Dudin)
Date: Tue, 16 May 2017 18:05:06 +0300
Subject: [Freeipa-users] Password and OTP auth
In-Reply-To: <20170516141658.GB32195@p.Speedport_W_724V_Typ_A_05011603_00_011>
References: <20170516141658.GB32195@p.Speedport_W_724V_Typ_A_05011603_00_011>
Message-ID:

Thanks, but I think I have a problem.

I have test user:

[root at ipa-centos]# ipa user-show test
  User login: test
  First name: test
  Last name: test
  Home directory: /home/test
  Login shell: /bin/sh
  Principal name: test at MYDOMAIN.COM
  Principal alias: test at MYDOMAIN.COM
  Email address: test at mydomain.com
  UID: 152200001
  GID: 152200001
  Account disabled: False
  Password: True
  Member of groups: trust admins, ipausers, admins
  Kerberos keys available: True

And test host:

[root at ipa-centos]# ipa host-show ipa-client.mydomain.com
  Host name: ipa-client.mydomain.com
  Principal name: host/ipa-client.mydomain.com at MYDOMAIN.COM
  Principal alias: host/ipa-client.mydomain.com at MYDOMAIN.COM
  SSH public key fingerprint: %SOME FINGERPRINTS%
  Authentication Indicators: otp
  Password: False
  Keytab: True
  Managed by: ipa-client.mydomain.com

When I try to login to ipa-client.mydomain.com with password+otptoken I
have an error:

[mynotebook]$ ssh test at ipa-client.mydomain.com
test at ipa-client.mydomain.com's password:
Permission denied, please try again.

Same if I try to use just password.

On ipa server in krb5kdc.log I see:

May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: test at MYDOMAIN.COM for krbtgt/MYDOMAIN.COM at MYDOMAIN.COM, Additional pre-authentication required
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: test at MYDOMAIN.COM for krbtgt/MYDOMAIN.COM at MYDOMAIN.COM, Additional pre-authentication required
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, test at MYDOMAIN.COM for krbtgt/MYDOMAIN.COM at MYDOMAIN.COM
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, test at MYDOMAIN.COM for host/ipa-client.mydomain.com at MYDOMAIN.COM, Required auth indicators not present in ticket: otp
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, test at MYDOMAIN.COM for host/ipa-client.mydomain.com at MYDOMAIN.COM, Required auth indicators not present in ticket: otp
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12

What's wrong?

2017-05-16 17:16 GMT+03:00 Sumit Bose :

> On Tue, May 16, 2017 at 04:48:42PM +0300, Andrey Dudin wrote:
> > Hello all.
> >
> > Tell me please. Is it possible to use password and otp auth at the one
> > moment?
> >
> > For example I have DEV/STAGE servers and want to be able to use password
> > auth for ssh, but for PROD servers I want to use OTP auth for same user.
>
> Authentication indicators can be used for this.
> If you add
>
> ipa host-mod --auth-ind=otp prod.server
>
> Only 2-factor authentication should be possible on prod.server. But
> please note that e.g. ssh-key based authentication will still be
> possible as well.
>
> HTH
>
> bye,
> Sumit

From robert.l.harris at gmail.com Tue May 16 15:16:54 2017
From: robert.l.harris at gmail.com (Robert L. Harris)
Date: Tue, 16 May 2017 15:16:54 +0000
Subject: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7
In-Reply-To: <05a8f23b-66e7-628d-f19a-b80ca01a6850@redhat.com>
References: <17824237-3beb-a5c1-0d6c-d9a1051eddce@redhat.com> <05a8f23b-66e7-628d-f19a-b80ca01a6850@redhat.com>
Message-ID:

Last night I rolled back my snapshot. Here's what I have after the yum
install "minimal" install of Centos7 + basic build.

{0}:/var/log>cat /etc/*elease
CentOS Linux release 7.3.1611 (Core)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

CentOS Linux release 7.3.1611 (Core)
CentOS Linux release 7.3.1611 (Core)

{0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb'
sssd-krb5-common-1.14.0-43.el7_3.14.x86_64
python2-ipaclient-4.4.0-14.el7.centos.7.noarch
ipa-common-4.4.0-14.el7.centos.7.noarch
perl-HTTP-Tiny-0.033-3.el7.noarch
python-iniparse-0.4-9.el7.noarch
ipa-client-common-4.4.0-14.el7.centos.7.noarch
pam_krb5-2.4.8-6.el7.x86_64
sssd-krb5-1.14.0-43.el7_3.14.x86_64
python-ipaddress-1.0.16-2.el7.noarch
python2-ipalib-4.4.0-14.el7.centos.7.noarch
krb5-libs-1.14.1-27.el7_3.x86_64
libipa_hbac-1.14.0-43.el7_3.14.x86_64
python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
sssd-ipa-1.14.0-43.el7_3.14.x86_64
krb5-workstation-1.14.1-27.el7_3.x86_64
ipa-client-4.4.0-14.el7.centos.7.x86_64

Tried to pull an exact client. The "yum install ipa-server" went fine:

{0}:/var/log/httpd>rpm -a -q | grep -i ipa-server
ipa-server-4.4.0-14.el7.centos.7.x86_64
ipa-server-common-4.4.0-14.el7.centos.7.noarch

"ipa-server-install" ran clean but has been stuck for 2 days:

Restarting the directory server
Restarting the KDC
Please add records in this file to your DNS system: /tmp/ipa.system.records.qLsLyx.db
Restarting the web server
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Client hostname: ipa.rdlg.net
Realm: RDLG.NET
DNS Domain: rdlg.net
IPA Server: ipa.rdlg.net
BaseDN: dc=rdlg,dc=net

Skipping synchronizing time with NTP server.
New SSSD config will be created Configured sudoers in /etc/nsswitch.conf Configured /etc/sssd/sssd.conf trying https://ipa.rdlg.net/ipa/json Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json' Checking the /var/log/httpd/error.log has 2 days of just this: [Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize failed. Certificate database: /etc/httpd/alias. [Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED [Tue May 16 09:14:42.941501 2017] [:error] [pid 1182] Does the NSS database exist? Robert On Fri, May 12, 2017 at 11:14 AM Rob Crittenden wrote: > Robert L. Harris wrote: > > > > Hmmm > > > > {0}:/var/log>ls > > anaconda btmp dmesg grubby maillog ppp secure > > tallylog wtmp > > audit cron dmesg.old grubby_prune_debug messages rhsm spooler > > tuned yum.log > > boot.log cups firewalld lastlog ntpstats samba sssd > > vmware-vmsvc.log > > > > > > root at ipa > > {1}:/var/log>rpm -q -l http > > package http is not installed > > > > root at ipa > > {1}:/var/log>rpm -q -a | grep -i http > > perl-HTTP-Tiny-0.033-3.el7.noarch > > > > root at ipa > > {0}:/var/log>rpm -q -a | grep -i tomcat > > > > > > Doesn't look like an httpd was installed as a dependancy? > > I find this very hard to believe given that it go so far as to configure > things in Apache, restart it, etc. What version of [free]ipa-server is > installed? How did you install it and from what repo? > > rob > > > > > > > > > > > > > On Fri, May 12, 2017 at 1:17 AM Martin Ba?ti > > wrote: > > > > That's weird, it should be super fast, anything in > > /var/log/httpd/error_log? > > > > > > On 11.05.2017 22:23, Robert L. Harris wrote: > >> > >> Odd, must have clicked reply instead of reply-all. > >> > >> Anyway, I did the revert and re-install. Actual install went > >> through fine then the "ipa-server-install" ran until this: > >> > >> [8/9]: restoring configuration > >> [9/9]: starting directory server > >> Done. 
> >> Restarting the directory server
> >> Restarting the KDC
> >> Please add records in this file to your DNS system:
> >> /tmp/ipa.system.records.v5Jwrt.db
> >> Restarting the web server
> >> Configuring client side components
> >> Using existing certificate '/etc/ipa/ca.crt'.
> >> Client hostname: ipa.rdlg.net
> >> Realm: RDLG.NET
> >> DNS Domain: rdlg.net
> >> IPA Server: ipa.rdlg.net
> >> BaseDN: dc=rdlg,dc=net
> >>
> >> Skipping synchronizing time with NTP server.
> >> New SSSD config will be created
> >> Configured sudoers in /etc/nsswitch.conf
> >> Configured /etc/sssd/sssd.conf
> >> trying https://ipa.rdlg.net/ipa/json
> >> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
> >>
> >> It's been sitting there for a while ( 4 hours? ) I don't see
> >> anything in the ipaserver-install.log, but it's here:
> >> https://pastebin.com/biK1Dmv7
> >>
> >> On Thu, May 11, 2017 at 8:12 AM Martin Bašti wrote:
> >>
> >> Please keep freeipa-users in CC
> >>
> >> Snapshot is always better, so I suggest to use it. Otherwise
> >> there is an option --ignore-last-of-role to unblock
> >> uninstallation.
> >>
> >> Martin
> >>
> >> On 11.05.2017 16:00, Robert L. Harris wrote:
> >>>
> >>> Looks like you hit it, apache didn't have a group:
> >>>
> >>> -- Logs begin at Wed 2017-05-10 19:56:27 MDT, end at Thu 2017-05-11 07:48:27 MDT. --
> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Starting The Apache HTTP Server...
> >>> May 10 20:36:00 ipa.rdlg.net ipa-httpd-kdcproxy[28808]: ipa : INFO KDC proxy enabled
> >>> May 10 20:36:00 ipa.rdlg.net httpd[28809]: AH00544: httpd: bad group name apache
> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
> >>> May 10 20:36:00 ipa.rdlg.net kill[28812]: kill: cannot find process ""
> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: control process exited, code=exited status=1
> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Failed to start The Apache HTTP Server.
> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Unit httpd.service entered failed state.
> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service failed.
> >>>
> >>> Thanks, didn't know that command. I tried to continue the
> >>> process:
> >>>
> >>> {0}:/root>ipa-server-install
> >>>
> >>> The log file for this installation can be found in /var/log/ipaserver-install.log
> >>> ipa.ipapython.install.cli.install_tool(Server): ERROR IPA server is already configured on this system.
> >>> If you want to reinstall the IPA server, please uninstall it first using 'ipa-server-install --uninstall'.
> >>> ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
> >>>
> >>> root at ipa
> >>> {1}:/root>ipa-server-install --uninstall
> >>>
> >>> This is a NON REVERSIBLE operation and will delete all data and configuration!
> >>>
> >>> Are you sure you want to continue with the uninstall procedure? [no]: yes
> >>> ipa : ERROR Server removal aborted: Deleting this server is not allowed as it would leave your installation without a CA..
> >>>
> >>> This is a VM and I took a snapshot right before I started the
> >>> install, so I can revert, just make sure to add the apache
> >>> user before starting the install. Or if you have a better
> >>> command to continue the clean-up/install.....
> >>>
> >>> On Thu, May 11, 2017 at 2:19 AM Martin Bašti wrote:
> >>>
> >>> Hello,
> >>>
> >>> comments inline
> >>>
> >>> On 11.05.2017 06:06, Robert L. Harris wrote:
> >>>>
> >>>> Sigh... Sorry, it's been a long day, I thought I put
> >>>> that log in the first pastebin. It's in this one:
> >>>> https://pastebin.com/18PAXXNS
> >>>
> >>> Could you please provide journalctl -u httpd and
> >>> /var/log/httpd/error_log ?
> >>>
> >>>>
> >>>> Also,
> >>>> Anyone else get the constant spam when mailing this
> >>>> list? Got an address to block for it?
> >>>
> >>> Sorry for that, there is a bot mining public archives. We
> >>> plan to resolve this issue but it may take time as we are
> >>> not maintaining our mailman.
> >>>
> >>> Martin
> >>>
> >>>>
> >>>> Robert
> >>>>
> >>>> On Wed, May 10, 2017 at 9:56 PM Lachlan Musicman wrote:
> >>>>
> >>>> Robert, did you look in
> >>>> /var/log/ipaserver-install.log as it says?
> >>>>
> >>>> Was there any other information?
> >>>>
> >>>> cheers
> >>>> L.
> >>>>
> >>>> ------
> >>>> "Mission Statement: To provide hope and inspiration
> >>>> for collective action, to build collective power, to
> >>>> achieve collective transformation, rooted in grief
> >>>> and rage but pointed towards vision and dreams."
> >>>>
> >>>> - Patrice Cullors, /Black Lives Matter founder/
> >>>>
> >>>> On 11 May 2017 at 13:24, Robert L. Harris wrote:
> >>>>
> >>>> Ok, I gave up on Ubuntu. I'm now trying the
> >>>> latest CentOS7. I built out a "minimal server"
> >>>> with some normal base packages which did include
> >>>> the freeipa-client but otherwise, just standard
> >>>> tools. Here's a pastebin of the output of the
> >>>> install: https://pastebin.com/zAWCgkUU
> >>>>
> >>>> Robert
> >>>>
> >>>
> >>> --
> >>> Martin Bašti
> >>> Software Engineer
> >>> Red Hat Czech
> >>>
> >>
> >> --
> >> Martin Bašti
> >> Software Engineer
> >> Red Hat Czech
> >>
> >
> > --
> > Martin Bašti
> > Software Engineer
> > Red Hat Czech
> >

From huston at astro.princeton.edu Tue May 16 15:21:32 2017
From: huston at astro.princeton.edu (Steve Huston)
Date: Tue, 16 May 2017 11:21:32 -0400
Subject: [Freeipa-users] UI customization: Default values on host addition
Message-ID:

I've extended the UI for host addition by including a multivalued widget
which stores puppetVar values (as well as the accompanying Python plugin
to handle it and schema update in the directory). This works well, but
I'd like to add one more thing and am not sure how to do it.

There are certain variables which are basically always set for every
host, and so I'd like them to default to those values in the UI, while
still giving the admin the choice to edit or remove them just like they
were entered by hand. I'm not sure, however, how to "push" values into
the UI that way. Is there some attribute of a field I can edit to insert
a default value into the UI, while still allowing that to be removed or
edited before the user submits the page?

-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |    ICBM Address: 40.346344   -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ 08544   | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'

From andrew.holway at gmail.com Tue May 16 18:29:22 2017
From: andrew.holway at gmail.com (Andrew Holway)
Date: Tue, 16 May 2017 20:29:22 +0200
Subject: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7
In-Reply-To:
References: <17824237-3beb-a5c1-0d6c-d9a1051eddce@redhat.com> <05a8f23b-66e7-628d-f19a-b80ca01a6850@redhat.com>
Message-ID:

Hallo,

How much memory do you have on the machine. I have a sneaking suspicion
that you're running out.

Ta,

Andrew

From robert.l.harris at gmail.com Tue May 16 19:48:53 2017
From: robert.l.harris at gmail.com (Robert L. Harris)
Date: Tue, 16 May 2017 19:48:53 +0000
Subject: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7
In-Reply-To:
References: <17824237-3beb-a5c1-0d6c-d9a1051eddce@redhat.com> <05a8f23b-66e7-628d-f19a-b80ca01a6850@redhat.com>
Message-ID:

2 Gigs, it's a VM. The VM didn't report any memory issues ( no alarms on VMWare )

On Tue, May 16, 2017 at 12:29 PM Andrew Holway wrote:

> Hallo,
>
> How much memory do you have on the machine. I have a sneaking suspicion
> that you're running out.
>
> Ta,
>
> Andrew
>>> >>>> I built out a "minimal server"
>>> >>>> with some normal base packages which did include
>>> >>>> the freeipa-client but otherwise, just standard
>>> >>>> tools. Here's a pastebin of the output of the
>>> >>>> install: https://pastebin.com/zAWCgkUU
>>> >>>>
>>> >>>> Robert
>>> >>>>
>>> >>>
>>> >>> --
>>> >>> Martin Bašti
>>> >>> Software Engineer
>>> >>> Red Hat Czech
>>> >>>
>>> >>
>>> >> --
>>> >> Martin Bašti
>>> >> Software Engineer
>>> >> Red Hat Czech
>>> >>
>>> >
>>> > --
>>> > Martin Bašti
>>> > Software Engineer
>>> > Red Hat Czech
>>> >
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From dudin.andrey at gmail.com Tue May 16 19:51:52 2017
From: dudin.andrey at gmail.com (Andrey Dudin)
Date: Tue, 16 May 2017 22:51:52 +0300
Subject: [Freeipa-users] Why OTP not working
Message-ID:

Hello all.

I am trying to use OTP auth in Freeipa but have some problems. I have user *test:*

[root@ipa-centos]# ipa user-show test
  User login: test
  First name: test
  Last name: test
  Home directory: /home/test
  Login shell: /bin/sh
  Principal name: test@MYDOMAIN.COM
  Principal alias: test@MYDOMAIN.COM
  Email address: test@mydomain.com
  UID: 152200001
  GID: 152200001
  Account disabled: False
  Password: True
  Member of groups: trust admins, ipausers, admins
  Kerberos keys available: True

And his token:

[root@ipa-centos]# ipa otptoken-show 7fa47f65-dc72-486e-8dd4-6393c7e389bd
  Unique ID: 7fa47f65-dc72-486e-8dd4-6393c7e389bd
  Type: TOTP
  Owner: test
  Manager: test

Server with FreeIpa:

[root@ipa-centos]# ipa host-show ipa-centos.mydomain.com
  Host name: ipa-centos.mydomain.com
  Principal name: host/ipa-centos.mydomain.com@MYDOMAIN.COM
  Principal alias: host/ipa-centos.mydomain.com@MYDOMAIN.COM
  SSH public key fingerprint: %some fingerprints%
  Authentication Indicators: otp
  Password: False
  Member of host-groups: ipaservers
  Keytab: True
  Managed by: ipa-centos.mydomain.com

And service for freeipa http by default:

[root@ipa-centos]# ipa service-show http/ipa-centos.mydomain.com
  Principal name: HTTP/ipa-centos.mydomain.com@MYDOMAIN.COM
  Principal alias: HTTP/ipa-centos.mydomain.com@MYDOMAIN.COM
  Certificate: %cert%
  Subject: CN=ipa-centos.mydomain.com,O=MYDOMAIN.COM
  Serial Number: 9
  Serial Number (hex): 0x9
  Issuer: CN=Certificate Authority,O=MYDOMAIN.COM
  Not Before: Tue May 16 11:32:36 2017 UTC
  Not After: Fri May 17 11:32:36 2019 UTC
  Fingerprint (MD5): e8:76:3b:a7:94:37:2e:e1:c8:ed:a1:87:38:16:65:e1
  Fingerprint (SHA1): de:65:18:38:23:5e:8a:0d:49:2c:eb:de:64:0a:61:eb:61:bd:ea:04
  Authentication Indicators: otp
  Keytab: True
  Managed by: ipa-centos.mydomain.com

As you can see, all properties for OTP auth in the Freeipa web interface are applied, but I can log in to the web interface only using the password; if I try logging in with password+otptoken I get an error. What's wrong?

[root@ipa-centos]# ipa --version
VERSION: 4.4.0, API_VERSION: 2.213
[root@ipa-centos]# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From andrew.holway at gmail.com Tue May 16 19:52:06 2017
From: andrew.holway at gmail.com (Andrew Holway)
Date: Tue, 16 May 2017 21:52:06 +0200
Subject: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7
In-Reply-To:
References: <17824237-3beb-a5c1-0d6c-d9a1051eddce@redhat.com> <05a8f23b-66e7-628d-f19a-b80ca01a6850@redhat.com>
Message-ID:

This is pretty weird. FreeIPA installation normally works.

Has the operating system image been changed or optimised somehow? Perhaps SELinux has been disabled? Have you tried installing Centos7 from the ISO?

On 16 May 2017 at 21:48, Robert L. Harris wrote:

> 2 Gigs, it's a VM. The VM didn't report any memory issues ( no alarms
> on VMWare )
>
> On Tue, May 16, 2017 at 12:29 PM Andrew Holway wrote:
>
>> Hallo,
>>
>> How much memory do you have on the machine. I have a sneaking suspicion
>> that you're running out.
>>
>> Ta,
>>
>> Andrew
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From robert.l.harris at gmail.com Tue May 16 19:57:46 2017
From: robert.l.harris at gmail.com (Robert L. Harris)
Date: Tue, 16 May 2017 19:57:46 +0000
Subject: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7
In-Reply-To:
References: <17824237-3beb-a5c1-0d6c-d9a1051eddce@redhat.com> <05a8f23b-66e7-628d-f19a-b80ca01a6850@redhat.com>
Message-ID:

I did disable selinux as it gave errors setting up my standard users, etc. I can roll back the snapshot, set it at 4Gigs of RAM and re-enable selinux and then try again.

On Tue, May 16, 2017 at 1:52 PM Andrew Holway wrote:

> This is pretty weird. FreeIPA installation normally works.
>
> Has the operating system image been changed or optimised somehow? Perhaps
> SELinux has been disabled? Have you tried installing Centos7 from the ISO?
>
> On 16 May 2017 at 21:48, Robert L. Harris wrote:
>
>> 2 Gigs, it's a VM. The VM didn't report any memory issues ( no alarms
>> on VMWare )
>>
>> On Tue, May 16, 2017 at 12:29 PM Andrew Holway wrote:
>>
>>> Hallo,
>>>
>>> How much memory do you have on the machine. I have a sneaking suspicion
>>> that you're running out.
>>>
>>> Ta,
>>>
>>> Andrew
-------------- next part --------------
An HTML
attachment was scrubbed...
URL:
From andrew.holway at gmail.com Tue May 16 20:12:05 2017
From: andrew.holway at gmail.com (Andrew Holway)
Date: Tue, 16 May 2017 22:12:05 +0200
Subject: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7
In-Reply-To:
References: <17824237-3beb-a5c1-0d6c-d9a1051eddce@redhat.com> <05a8f23b-66e7-628d-f19a-b80ca01a6850@redhat.com>
Message-ID:

Yea, I would try installing IPA then making the changes that you want. I think SELinux should be left enabled however. It makes admin super fun! :)

On 16 May 2017 at 21:57, Robert L. Harris wrote:

> I did disable selinux as it gave errors setting up my standard users,
> etc. I can roll back the snapshot, set it at 4Gigs of RAM and re-enable
> selinux and then try again.
>
> On Tue, May 16, 2017 at 1:52 PM Andrew Holway wrote:
>
>> This is pretty weird. FreeIPA installation normally works.
>>
>> Has the operating system image been changed or optimised somehow? Perhaps
>> SELinux has been disabled? Have you tried installing Centos7 from the ISO?
>>
>> On 16 May 2017 at 21:48, Robert L. Harris wrote:
>>
>>> 2 Gigs, it's a VM. The VM didn't report any memory issues ( no
>>> alarms on VMWare )
>>>
>>> On Tue, May 16, 2017 at 12:29 PM Andrew Holway wrote:
>>>
>>>> Hallo,
>>>>
>>>> How much memory do you have on the machine. I have a sneaking suspicion
>>>> that you're running out.
>>>>
>>>> Ta,
>>>>
>>>> Andrew
>>>>
>>>> On 16 May 2017 at 17:16, Robert L. Harris wrote:
>>>>
>>>>> Last night I rolled back my snapshot. Here's what I have after the
>>>>> yum install
>>>>>
>>>>> "minimal" install of Centos7 + basic build.
>>>>> {0}:/var/log>cat /etc/*elease
>>>>> CentOS Linux release 7.3.1611 (Core)
>>>>> NAME="CentOS Linux"
>>>>> VERSION="7 (Core)"
>>>>> ID="centos"
>>>>> ID_LIKE="rhel fedora"
>>>>> VERSION_ID="7"
>>>>> PRETTY_NAME="CentOS Linux 7 (Core)"
>>>>> ANSI_COLOR="0;31"
>>>>> CPE_NAME="cpe:/o:centos:centos:7"
>>>>> HOME_URL="https://www.centos.org/"
>>>>> BUG_REPORT_URL="https://bugs.centos.org/"
>>>>>
>>>>> CENTOS_MANTISBT_PROJECT="CentOS-7"
>>>>> CENTOS_MANTISBT_PROJECT_VERSION="7"
>>>>> REDHAT_SUPPORT_PRODUCT="centos"
>>>>> REDHAT_SUPPORT_PRODUCT_VERSION="7"
>>>>>
>>>>> CentOS Linux release 7.3.1611 (Core)
>>>>> CentOS Linux release 7.3.1611 (Core)
>>>>>
>>>>> {0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb'
>>>>> sssd-krb5-common-1.14.0-43.el7_3.14.x86_64
>>>>> python2-ipaclient-4.4.0-14.el7.centos.7.noarch
>>>>> ipa-common-4.4.0-14.el7.centos.7.noarch
>>>>> perl-HTTP-Tiny-0.033-3.el7.noarch
>>>>> python-iniparse-0.4-9.el7.noarch
>>>>> ipa-client-common-4.4.0-14.el7.centos.7.noarch
>>>>> pam_krb5-2.4.8-6.el7.x86_64
>>>>> sssd-krb5-1.14.0-43.el7_3.14.x86_64
>>>>> python-ipaddress-1.0.16-2.el7.noarch
>>>>> python2-ipalib-4.4.0-14.el7.centos.7.noarch
>>>>> krb5-libs-1.14.1-27.el7_3.x86_64
>>>>> libipa_hbac-1.14.0-43.el7_3.14.x86_64
>>>>> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
>>>>> sssd-ipa-1.14.0-43.el7_3.14.x86_64
>>>>> krb5-workstation-1.14.1-27.el7_3.x86_64
>>>>> ipa-client-4.4.0-14.el7.centos.7.x86_64
>>>>>
>>>>> Tried to pull an exact client. The "yum install ipa-server" went fine:
>>>>>
>>>>> {0}:/var/log/httpd>rpm -a -q | grep -i ipa-server
>>>>> ipa-server-4.4.0-14.el7.centos.7.x86_64
>>>>> ipa-server-common-4.4.0-14.el7.centos.7.noarch
>>>>>
>>>>> "ipa-server-install" ran clean but has been stuck for 2 days:
>>>>>
>>>>> Restarting the directory server
>>>>> Restarting the KDC
>>>>> Please add records in this file to your DNS system:
>>>>> /tmp/ipa.system.records.qLsLyx.db
>>>>> Restarting the web server
>>>>> Configuring client side components
>>>>> Using existing certificate '/etc/ipa/ca.crt'.
>>>>> Client hostname: ipa.rdlg.net
>>>>> Realm: RDLG.NET
>>>>> DNS Domain: rdlg.net
>>>>> IPA Server: ipa.rdlg.net
>>>>> BaseDN: dc=rdlg,dc=net
>>>>>
>>>>> Skipping synchronizing time with NTP server.
>>>>> New SSSD config will be created
>>>>> Configured sudoers in /etc/nsswitch.conf
>>>>> Configured /etc/sssd/sssd.conf
>>>>> trying https://ipa.rdlg.net/ipa/json
>>>>> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>>>>>
>>>>> Checking the /var/log/httpd/error.log has 2 days of just this:
>>>>>
>>>>> [Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize
>>>>> failed. Certificate database: /etc/httpd/alias.
>>>>> [Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library
>>>>> Error: -8038 SEC_ERROR_NOT_INITIALIZED
>>>>> [Tue May 16 09:14:42.941501 2017] [:error] [pid 1182] Does the NSS
>>>>> database exist?
>>>>>
>>>>> Robert
>>>>>
>>>>> On Fri, May 12, 2017 at 11:14 AM Rob Crittenden wrote:
>>>>>
>>>>>> Robert L. Harris wrote:
>>>>>> >
>>>>>> > Hmmm
>>>>>> >
>>>>>> > {0}:/var/log>ls
>>>>>> > anaconda btmp dmesg grubby maillog ppp secure
>>>>>> > tallylog wtmp
>>>>>> > audit cron dmesg.old grubby_prune_debug messages rhsm spooler
>>>>>> > tuned yum.log
>>>>>> > boot.log cups firewalld lastlog ntpstats samba sssd
>>>>>> > vmware-vmsvc.log
>>>>>> >
>>>>>> > root@ipa
>>>>>> > {1}:/var/log>rpm -q -l http
>>>>>> > package http is not installed
>>>>>> >
>>>>>> > root@ipa
>>>>>> > {1}:/var/log>rpm -q -a | grep -i http
>>>>>> > perl-HTTP-Tiny-0.033-3.el7.noarch
>>>>>> >
>>>>>> > root@ipa
>>>>>> > {0}:/var/log>rpm -q -a | grep -i tomcat
>>>>>> >
>>>>>> > Doesn't look like an httpd was installed as a dependency?
>>>>>>
>>>>>> I find this very hard to believe given that it got so far as to configure
>>>>>> things in Apache, restart it, etc. What version of [free]ipa-server is
>>>>>> installed? How did you install it and from what repo?
>>>>>>
>>>>>> rob
>>>>>>
>>>>>> >
>>>>>> > On Fri, May 12, 2017 at 1:17 AM Martin Bašti wrote:
>>>>>> >
>>>>>> > That's weird, it should be super fast, anything in
>>>>>> > /var/log/httpd/error_log?
>>>>>> >
>>>>>> > On 11.05.2017 22:23, Robert L. Harris wrote:
>>>>>> >>
>>>>>> >> Odd, must have clicked reply instead of reply-all.
>>>>>> >>
>>>>>> >> Anyway, I did the revert and re-install. Actual install went
>>>>>> >> through fine then the "ipa-server-install" ran until this:
>>>>>> >>
>>>>>> >> [8/9]: restoring configuration
>>>>>> >> [9/9]: starting directory server
>>>>>> >> Done.
>>>>>> >> Restarting the directory server
>>>>>> >> Restarting the KDC
>>>>>> >> Please add records in this file to your DNS system:
>>>>>> >> /tmp/ipa.system.records.v5Jwrt.db
>>>>>> >> Restarting the web server
>>>>>> >> Configuring client side components
>>>>>> >> Using existing certificate '/etc/ipa/ca.crt'.
>>>>>> >> Client hostname: ipa.rdlg.net
>>>>>> >> Realm: RDLG.NET
>>>>>> >> DNS Domain: rdlg.net
>>>>>> >> IPA Server: ipa.rdlg.net
>>>>>> >> BaseDN: dc=rdlg,dc=net
>>>>>> >>
>>>>>> >> Skipping synchronizing time with NTP server.
>>>>>> >> New SSSD config will be created
>>>>>> >> Configured sudoers in /etc/nsswitch.conf
>>>>>> >> Configured /etc/sssd/sssd.conf
>>>>>> >> trying https://ipa.rdlg.net/ipa/json
>>>>>> >> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>>>>>> >>
>>>>>> >> It's been sitting there for a while ( 4 hours? ) I don't see
>>>>>> >> anything in the ipaserver-install.log, but it's here:
>>>>>> >> https://pastebin.com/biK1Dmv7
>>>>>> >>
>>>>>> >> On Thu, May 11, 2017 at 8:12 AM Martin Bašti <mbasti at redhat.com> wrote:
>>>>>> >>
>>>>>> >> Please keep freeipa-users in CC
>>>>>> >>
>>>>>> >> Snapshot is always better, so I suggest to use it. Otherwise
>>>>>> >> there is an option --ignore-last-of-role to unblock
>>>>>> >> uninstallation.
>>>>>> >>
>>>>>> >> Martin
>>>>>> >>
>>>>>> >> On 11.05.2017 16:00, Robert L. Harris wrote:
>>>>>> >>>
>>>>>> >>> Looks like you hit it, apache didn't have a group:
>>>>>> >>>
>>>>>> >>> -- Logs begin at Wed 2017-05-10 19:56:27 MDT, end at Thu
>>>>>> >>> 2017-05-11 07:48:27 MDT. --
>>>>>> >>> May 10 20:36:00 ipa.rdlg.net
>>>>>> >>> systemd[1]: Starting The Apache HTTP Server...
>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>> >>> ipa-httpd-kdcproxy[28808]: ipa : INFO KDC >>>>>> proxy >>>>>> >>> enabled >>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>> >>> httpd[28809]: AH00544: httpd: bad group name apache >>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>> >>> systemd[1]: httpd.service: main process exited, >>>>>> code=exited, >>>>>> >>> status=1/FAILURE >>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>> >>> kill[28812]: kill: cannot find process "" >>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>> >>> systemd[1]: httpd.service: control process exited, >>>>>> >>> code=exited status=1 >>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>> >>> systemd[1]: Failed to start The Apache HTTP Server. >>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>> >>> systemd[1]: Unit httpd.service entered failed state. >>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>> >>> systemd[1]: httpd.service failed. >>>>>> >>> >>>>>> >>> Thanks, didn't know that command. I tried to continue the >>>>>> >>> process: >>>>>> >>> >>>>>> >>> {0}:/root>ipa-server-install >>>>>> >>> >>>>>> >>> The log file for this installation can be found in >>>>>> >>> /var/log/ipaserver-install.log >>>>>> >>> ipa.ipapython.install.cli.install_tool(Server): ERROR >>>>>> IPA >>>>>> >>> server is already configured on this system. >>>>>> >>> If you want to reinstall the IPA server, please uninstall >>>>>> it >>>>>> >>> first using 'ipa-server-install --uninstall'. >>>>>> >>> ipa.ipapython.install.cli.install_tool(Server): ERROR >>>>>> The >>>>>> >>> ipa-server-install command failed. See >>>>>> >>> /var/log/ipaserver-install.log for more information >>>>>> >>> >>>>>> >>> root at ipa >>>>>> >>> {1}:/root>ipa-server-install --uninstall >>>>>> >>> >>>>>> >>> This is a NON REVERSIBLE operation and will delete all >>>>>> data >>>>>> >>> and configuration! >>>>>> >>> >>>>>> >>> Are you sure you want to continue with the uninstall >>>>>> >>> procedure? 
[no]: yes >>>>>> >>> ipa : ERROR Server removal aborted: Deleting >>>>>> this >>>>>> >>> server is not allowed as it would leave your installation >>>>>> >>> without a CA.. >>>>>> >>> >>>>>> >>> >>>>>> >>> >>>>>> >>> This is a VM and I took a snapshot right before I started >>>>>> the >>>>>> >>> install, so I can revert, just make sure ti add the apache >>>>>> >>> user before starting the install. Or if you have a better >>>>>> >>> command to continue the clean-up/install..... >>>>>> >>> >>>>>> >>> >>>>>> >>> On Thu, May 11, 2017 at 2:19 AM Martin Ba?ti >>>>>> >>> > wrote: >>>>>> >>> >>>>>> >>> Hello, >>>>>> >>> >>>>>> >>> comments inline >>>>>> >>> >>>>>> >>> >>>>>> >>> On 11.05.2017 06:06, Robert L. Harris wrote: >>>>>> >>>> >>>>>> >>>> Sigh... Sorry, it's been a long day, I thought I put >>>>>> >>>> that log in the first pastebin. It's in this one: >>>>>> >>>> https://pastebin.com/18PAXXNS >>>>>> >>> >>>>>> >>> Could you please provide journalctl -u httpd and >>>>>> >>> /var/log/httpd/error_log ? >>>>>> >>> >>>>>> >>> >>>>>> >>> >>>>>> >>>> >>>>>> >>>> Also, >>>>>> >>>> Anyone else get the constant spam when mailing >>>>>> this >>>>>> >>>> list? Got an address to block for it? >>>>>> >>> >>>>>> >>> Sorry for that, there is a bot mining public >>>>>> archives. We >>>>>> >>> plan to resolve this issue but it may take time as we >>>>>> are >>>>>> >>> not maintaining our mailman. >>>>>> >>> >>>>>> >>> Martin >>>>>> >>> >>>>>> >>> >>>>>> >>>> >>>>>> >>>> Robert >>>>>> >>>> >>>>>> >>>> >>>>>> >>>> >>>>>> >>>> >>>>>> >>>> On Wed, May 10, 2017 at 9:56 PM Lachlan Musicman >>>>>> >>>> > >>>>>> wrote: >>>>>> >>>> >>>>>> >>>> Robert, did you look in >>>>>> >>>> /var/log/ipaserver-install.log as it says? >>>>>> >>>> >>>>>> >>>> Was there any other information? >>>>>> >>>> >>>>>> >>>> cheers >>>>>> >>>> L. 
>>>>>> >>>> >>>>>> >>>> ------ >>>>>> >>>> "Mission Statement: To provide hope and >>>>>> inspiration >>>>>> >>>> for collective action, to build collective >>>>>> power, to >>>>>> >>>> achieve collective transformation, rooted in >>>>>> grief >>>>>> >>>> and rage but pointed towards vision and dreams." >>>>>> >>>> >>>>>> >>>> - Patrice Cullors, /Black Lives Matter founder/ >>>>>> >>>> >>>>>> >>>> On 11 May 2017 at 13:24, Robert L. Harris >>>>>> >>>> >>>>> >>>> > wrote: >>>>>> >>>> >>>>>> >>>> Ok, I gave up on Ubuntu. I'm now trying the >>>>>> >>>> latest CentOS7. I built out a "minimal >>>>>> server" >>>>>> >>>> with some normal base packages which did >>>>>> include >>>>>> >>>> the freeipa-client but otherwise, just >>>>>> standard >>>>>> >>>> tools. Here's a pastebin of the output of >>>>>> the >>>>>> >>>> install: https://pastebin.com/zAWCgkUU >>>>>> >>>> >>>>>> >>>> Robert >>>>>> >>>> >>>>>> >>>> >>>>>> >>>> -- >>>>>> >>>> Manage your subscription for the >>>>>> Freeipa-users >>>>>> >>>> mailing list: >>>>>> >>>> https://www.redhat.com/ >>>>>> mailman/listinfo/freeipa-users >>>>>> >>>> Go to http://freeipa.org for more info on >>>>>> the >>>>>> >>>> project >>>>>> >>>> >>>>>> >>>> >>>>>> >>>> -- >>>>>> >>>> Manage your subscription for the Freeipa-users >>>>>> >>>> mailing list: >>>>>> >>>> https://www.redhat.com/ >>>>>> mailman/listinfo/freeipa-users >>>>>> >>>> Go to http://freeipa.org for more info on the >>>>>> project >>>>>> >>>> >>>>>> >>>> >>>>>> >>>> >>>>>> >>> >>>>>> >>> -- >>>>>> >>> Martin Ba?ti >>>>>> >>> Software Engineer >>>>>> >>> Red Hat Czech >>>>>> >>> >>>>>> >> >>>>>> >> -- >>>>>> >> Martin Ba?ti >>>>>> >> Software Engineer >>>>>> >> Red Hat Czech >>>>>> >> >>>>>> > >>>>>> > -- >>>>>> > Martin Ba?ti >>>>>> > Software Engineer >>>>>> > Red Hat Czech >>>>>> > >>>>>> > >>>>>> > >>>>>> >>>>>> >>>>> -- >>>>> Manage your subscription for the Freeipa-users mailing list: >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>> Go to 
http://freeipa.org for more info on the project
>>>>>
>>>>
>>>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From robert.l.harris at gmail.com Tue May 16 20:37:50 2017
From: robert.l.harris at gmail.com (Robert L. Harris)
Date: Tue, 16 May 2017 20:37:50 +0000
Subject: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7
In-Reply-To:
References: <17824237-3beb-a5c1-0d6c-d9a1051eddce@redhat.com> <05a8f23b-66e7-628d-f19a-b80ca01a6850@redhat.com>
Message-ID:

I left SELinux enabled, no change, still streaming the same error:

[Tue May 16 14:36:48.957848 2017] [:error] [pid 10780] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Tue May 16 14:36:48.957883 2017] [:error] [pid 10780] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
[Tue May 16 14:36:48.957886 2017] [:error] [pid 10780] Does the NSS database exist?

On Tue, May 16, 2017 at 2:12 PM Andrew Holway wrote:

> Yea, I would try installing IPA then making the changes that you want. I
> think SELinux should be left enabled however. It makes admin super fun! :)
>
>
> On 16 May 2017 at 21:57, Robert L. Harris
> wrote:
>
>>
>> I did disable selinux as it gave errors setting up my standard users,
>> etc. I can roll back the snapshot, set it at 4Gigs of RAM and re-enable
>> selinux and then try again.
>>
>>
>> On Tue, May 16, 2017 at 1:52 PM Andrew Holway
>> wrote:
>>
>>> This is pretty weird. FreeIPA installation normally works.
>>>
>>> Has the operating system image been changed or optimised somehow?
>>> Perhaps SELinux has been disabled? Have you tried installing Centos7 from
>>> the ISO?
>>>
>>> On 16 May 2017 at 21:48, Robert L. Harris
>>> wrote:
>>>
>>>>
>>>> 2 Gigs, it's a VM. The VM didn't report any memory issues ( no
>>>> alarms on VMWare )
>>>>
>>>>
>>>> On Tue, May 16, 2017 at 12:29 PM Andrew Holway
>>>> wrote:
>>>>
>>>>> Hallo,
>>>>>
>>>>> How much memory do you have on the machine. I have a sneaking
>>>>> suspicion that you're running out.
>>>>> >>>>> Ta, >>>>> >>>>> Andrew >>>>> >>>>> On 16 May 2017 at 17:16, Robert L. Harris >>>>> wrote: >>>>> >>>>>> >>>>>> Last night I rolled back my snapshot. Here's what I have after the >>>>>> yum install >>>>>> >>>>>> "minimal" install of Centos7 + basic build. >>>>>> {0}:/var/log>cat /etc/*elease >>>>>> CentOS Linux release 7.3.1611 (Core) >>>>>> NAME="CentOS Linux" >>>>>> VERSION="7 (Core)" >>>>>> ID="centos" >>>>>> ID_LIKE="rhel fedora" >>>>>> VERSION_ID="7" >>>>>> PRETTY_NAME="CentOS Linux 7 (Core)" >>>>>> ANSI_COLOR="0;31" >>>>>> CPE_NAME="cpe:/o:centos:centos:7" >>>>>> HOME_URL="https://www.centos.org/" >>>>>> BUG_REPORT_URL="https://bugs.centos.org/" >>>>>> >>>>>> CENTOS_MANTISBT_PROJECT="CentOS-7" >>>>>> CENTOS_MANTISBT_PROJECT_VERSION="7" >>>>>> REDHAT_SUPPORT_PRODUCT="centos" >>>>>> REDHAT_SUPPORT_PRODUCT_VERSION="7" >>>>>> >>>>>> CentOS Linux release 7.3.1611 (Core) >>>>>> CentOS Linux release 7.3.1611 (Core) >>>>>> >>>>>> >>>>>> {0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb' >>>>>> sssd-krb5-common-1.14.0-43.el7_3.14.x86_64 >>>>>> python2-ipaclient-4.4.0-14.el7.centos.7.noarch >>>>>> ipa-common-4.4.0-14.el7.centos.7.noarch >>>>>> perl-HTTP-Tiny-0.033-3.el7.noarch >>>>>> python-iniparse-0.4-9.el7.noarch >>>>>> ipa-client-common-4.4.0-14.el7.centos.7.noarch >>>>>> pam_krb5-2.4.8-6.el7.x86_64 >>>>>> sssd-krb5-1.14.0-43.el7_3.14.x86_64 >>>>>> python-ipaddress-1.0.16-2.el7.noarch >>>>>> python2-ipalib-4.4.0-14.el7.centos.7.noarch >>>>>> krb5-libs-1.14.1-27.el7_3.x86_64 >>>>>> libipa_hbac-1.14.0-43.el7_3.14.x86_64 >>>>>> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64 >>>>>> sssd-ipa-1.14.0-43.el7_3.14.x86_64 >>>>>> krb5-workstation-1.14.1-27.el7_3.x86_64 >>>>>> ipa-client-4.4.0-14.el7.centos.7.x86_64 >>>>>> >>>>>> Tried to pull an exact client. 
The "yum install ipa-server" went >>>>>> fine: >>>>>> >>>>>> {0}:/var/log/httpd>rpm -a -q | grep -i ipa-server >>>>>> ipa-server-4.4.0-14.el7.centos.7.x86_64 >>>>>> ipa-server-common-4.4.0-14.el7.centos.7.noarch >>>>>> >>>>>> >>>>>> "ipa-server-install" ran clean but has been stuck for 2 days: >>>>>> >>>>>> Restarting the directory server >>>>>> Restarting the KDC >>>>>> Please add records in this file to your DNS system: >>>>>> /tmp/ipa.system.records.qLsLyx.db >>>>>> Restarting the web server >>>>>> Configuring client side components >>>>>> Using existing certificate '/etc/ipa/ca.crt'. >>>>>> Client hostname: ipa.rdlg.net >>>>>> Realm: RDLG.NET >>>>>> DNS Domain: rdlg.net >>>>>> IPA Server: ipa.rdlg.net >>>>>> BaseDN: dc=rdlg,dc=net >>>>>> >>>>>> Skipping synchronizing time with NTP server. >>>>>> New SSSD config will be created >>>>>> Configured sudoers in /etc/nsswitch.conf >>>>>> Configured /etc/sssd/sssd.conf >>>>>> trying https://ipa.rdlg.net/ipa/json >>>>>> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json' >>>>>> >>>>>> Checking the /var/log/httpd/error.log has 2 days of just this: >>>>>> >>>>>> [Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize >>>>>> failed. Certificate database: /etc/httpd/alias. >>>>>> [Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library >>>>>> Error: -8038 SEC_ERROR_NOT_INITIALIZED >>>>>> [Tue May 16 09:14:42.941501 2017] [:error] [pid 1182] Does the NSS >>>>>> database exist? >>>>>> >>>>>> >>>>>> Robert >>>>>> >>>>>> On Fri, May 12, 2017 at 11:14 AM Rob Crittenden >>>>>> wrote: >>>>>> >>>>>>> Robert L. 
Harris wrote: >>>>>>> > >>>>>>> > Hmmm >>>>>>> > >>>>>>> > {0}:/var/log>ls >>>>>>> > anaconda btmp dmesg grubby maillog ppp >>>>>>> secure >>>>>>> > tallylog wtmp >>>>>>> > audit cron dmesg.old grubby_prune_debug messages rhsm >>>>>>> spooler >>>>>>> > tuned yum.log >>>>>>> > boot.log cups firewalld lastlog ntpstats samba >>>>>>> sssd >>>>>>> > vmware-vmsvc.log >>>>>>> > >>>>>>> > >>>>>>> > root at ipa >>>>>>> > {1}:/var/log>rpm -q -l http >>>>>>> > package http is not installed >>>>>>> > >>>>>>> > root at ipa >>>>>>> > {1}:/var/log>rpm -q -a | grep -i http >>>>>>> > perl-HTTP-Tiny-0.033-3.el7.noarch >>>>>>> > >>>>>>> > root at ipa >>>>>>> > {0}:/var/log>rpm -q -a | grep -i tomcat >>>>>>> > >>>>>>> > >>>>>>> > Doesn't look like an httpd was installed as a dependancy? >>>>>>> >>>>>>> I find this very hard to believe given that it go so far as to >>>>>>> configure >>>>>>> things in Apache, restart it, etc. What version of [free]ipa-server >>>>>>> is >>>>>>> installed? How did you install it and from what repo? >>>>>>> >>>>>>> rob >>>>>>> >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > On Fri, May 12, 2017 at 1:17 AM Martin Ba?ti >>>>>> > > wrote: >>>>>>> > >>>>>>> > That's weird, it should be super fast, anything in >>>>>>> > /var/log/httpd/error_log? >>>>>>> > >>>>>>> > >>>>>>> > On 11.05.2017 22:23, Robert L. Harris wrote: >>>>>>> >> >>>>>>> >> Odd, must have clicked reply instead of reply-all. >>>>>>> >> >>>>>>> >> Anyway, I did the revert and re-install. Actual install went >>>>>>> >> through fine then the "ipa-server-install" ran until this: >>>>>>> >> >>>>>>> >> [8/9]: restoring configuration >>>>>>> >> [9/9]: starting directory server >>>>>>> >> Done. 
>>>>>>> >> Restarting the directory server >>>>>>> >> Restarting the KDC >>>>>>> >> Please add records in this file to your DNS system: >>>>>>> >> /tmp/ipa.system.records.v5Jwrt.db >>>>>>> >> Restarting the web server >>>>>>> >> Configuring client side components >>>>>>> >> Using existing certificate '/etc/ipa/ca.crt'. >>>>>>> >> Client hostname: ipa.rdlg.net >>>>>>> >> Realm: RDLG.NET >>>>>>> >> DNS Domain: rdlg.net >>>>>>> >> IPA Server: ipa.rdlg.net >>>>>>> >> BaseDN: dc=rdlg,dc=net >>>>>>> >> >>>>>>> >> Skipping synchronizing time with NTP server. >>>>>>> >> New SSSD config will be created >>>>>>> >> Configured sudoers in /etc/nsswitch.conf >>>>>>> >> Configured /etc/sssd/sssd.conf >>>>>>> >> trying https://ipa.rdlg.net/ipa/json >>>>>>> >> Forwarding 'schema' to json server ' >>>>>>> https://ipa.rdlg.net/ipa/json' >>>>>>> >> >>>>>>> >> >>>>>>> >> It's been sitting there for a while ( 4 hours? ) I don't see >>>>>>> >> anyting in the ipaserver-install.log, but it's here: >>>>>>> >> https://pastebin.com/biK1Dmv7 >>>>>>> >> >>>>>>> >> >>>>>>> >> >>>>>>> >> On Thu, May 11, 2017 at 8:12 AM Martin Ba?ti < >>>>>>> mbasti at redhat.com >>>>>>> >> > wrote: >>>>>>> >> >>>>>>> >> Please keep freeipa-users in CC >>>>>>> >> >>>>>>> >> Snapshot is always better, so I suggest to use it. >>>>>>> Otherwise >>>>>>> >> there is an option --ignore-last-of-role to unblock >>>>>>> >> uninstallation. >>>>>>> >> >>>>>>> >> Martin >>>>>>> >> >>>>>>> >> >>>>>>> >> On 11.05.2017 16:00, Robert L. Harris wrote: >>>>>>> >>> >>>>>>> >>> Looks like you hit it, apache didn't have a group: >>>>>>> >>> >>>>>>> >>> -- Logs begin at Wed 2017-05-10 19:56:27 MDT, end at Thu >>>>>>> >>> 2017-05-11 07:48:27 MDT. -- >>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>> >>> systemd[1]: Starting The Apache HTTP Server... 
>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>> >>> ipa-httpd-kdcproxy[28808]: ipa : INFO KDC >>>>>>> proxy >>>>>>> >>> enabled >>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>> >>> httpd[28809]: AH00544: httpd: bad group name apache >>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>> >>> systemd[1]: httpd.service: main process exited, >>>>>>> code=exited, >>>>>>> >>> status=1/FAILURE >>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>> >>> kill[28812]: kill: cannot find process "" >>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>> >>> systemd[1]: httpd.service: control process exited, >>>>>>> >>> code=exited status=1 >>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>> >>> systemd[1]: Failed to start The Apache HTTP Server. >>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>> >>> systemd[1]: Unit httpd.service entered failed state. >>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>> >>> systemd[1]: httpd.service failed. >>>>>>> >>> >>>>>>> >>> Thanks, didn't know that command. I tried to continue >>>>>>> the >>>>>>> >>> process: >>>>>>> >>> >>>>>>> >>> {0}:/root>ipa-server-install >>>>>>> >>> >>>>>>> >>> The log file for this installation can be found in >>>>>>> >>> /var/log/ipaserver-install.log >>>>>>> >>> ipa.ipapython.install.cli.install_tool(Server): ERROR >>>>>>> IPA >>>>>>> >>> server is already configured on this system. >>>>>>> >>> If you want to reinstall the IPA server, please >>>>>>> uninstall it >>>>>>> >>> first using 'ipa-server-install --uninstall'. >>>>>>> >>> ipa.ipapython.install.cli.install_tool(Server): ERROR >>>>>>> The >>>>>>> >>> ipa-server-install command failed. See >>>>>>> >>> /var/log/ipaserver-install.log for more information >>>>>>> >>> >>>>>>> >>> root at ipa >>>>>>> >>> {1}:/root>ipa-server-install --uninstall >>>>>>> >>> >>>>>>> >>> This is a NON REVERSIBLE operation and will delete all >>>>>>> data >>>>>>> >>> and configuration! >>>>>>> >>> >>>>>>> >>> Are you sure you want to continue with the uninstall >>>>>>> >>> procedure? 
[no]: yes >>>>>>> >>> ipa : ERROR Server removal aborted: Deleting >>>>>>> this >>>>>>> >>> server is not allowed as it would leave your installation >>>>>>> >>> without a CA.. >>>>>>> >>> >>>>>>> >>> >>>>>>> >>> >>>>>>> >>> This is a VM and I took a snapshot right before I >>>>>>> started the >>>>>>> >>> install, so I can revert, just make sure ti add the >>>>>>> apache >>>>>>> >>> user before starting the install. Or if you have a >>>>>>> better >>>>>>> >>> command to continue the clean-up/install..... >>>>>>> >>> >>>>>>> >>> >>>>>>> >>> On Thu, May 11, 2017 at 2:19 AM Martin Ba?ti >>>>>>> >>> > wrote: >>>>>>> >>> >>>>>>> >>> Hello, >>>>>>> >>> >>>>>>> >>> comments inline >>>>>>> >>> >>>>>>> >>> >>>>>>> >>> On 11.05.2017 06:06, Robert L. Harris wrote: >>>>>>> >>>> >>>>>>> >>>> Sigh... Sorry, it's been a long day, I thought I put >>>>>>> >>>> that log in the first pastebin. It's in this one: >>>>>>> >>>> https://pastebin.com/18PAXXNS >>>>>>> >>> >>>>>>> >>> Could you please provide journalctl -u httpd and >>>>>>> >>> /var/log/httpd/error_log ? >>>>>>> >>> >>>>>>> >>> >>>>>>> >>> >>>>>>> >>>> >>>>>>> >>>> Also, >>>>>>> >>>> Anyone else get the constant spam when mailing >>>>>>> this >>>>>>> >>>> list? Got an address to block for it? >>>>>>> >>> >>>>>>> >>> Sorry for that, there is a bot mining public >>>>>>> archives. We >>>>>>> >>> plan to resolve this issue but it may take time as >>>>>>> we are >>>>>>> >>> not maintaining our mailman. >>>>>>> >>> >>>>>>> >>> Martin >>>>>>> >>> >>>>>>> >>> >>>>>>> >>>> >>>>>>> >>>> Robert >>>>>>> >>>> >>>>>>> >>>> >>>>>>> >>>> >>>>>>> >>>> >>>>>>> >>>> On Wed, May 10, 2017 at 9:56 PM Lachlan Musicman >>>>>>> >>>> > >>>>>>> wrote: >>>>>>> >>>> >>>>>>> >>>> Robert, did you look in >>>>>>> >>>> /var/log/ipaserver-install.log as it says? >>>>>>> >>>> >>>>>>> >>>> Was there any other information? >>>>>>> >>>> >>>>>>> >>>> cheers >>>>>>> >>>> L. 
>>>>>>> >>>> >>>>>>> >>>> ------ >>>>>>> >>>> "Mission Statement: To provide hope and >>>>>>> inspiration >>>>>>> >>>> for collective action, to build collective >>>>>>> power, to >>>>>>> >>>> achieve collective transformation, rooted in >>>>>>> grief >>>>>>> >>>> and rage but pointed towards vision and dreams." >>>>>>> >>>> >>>>>>> >>>> - Patrice Cullors, /Black Lives Matter founder/ >>>>>>> >>>> >>>>>>> >>>> On 11 May 2017 at 13:24, Robert L. Harris >>>>>>> >>>> >>>>>> >>>> > wrote: >>>>>>> >>>> >>>>>>> >>>> Ok, I gave up on Ubuntu. I'm now trying >>>>>>> the >>>>>>> >>>> latest CentOS7. I built out a "minimal >>>>>>> server" >>>>>>> >>>> with some normal base packages which did >>>>>>> include >>>>>>> >>>> the freeipa-client but otherwise, just >>>>>>> standard >>>>>>> >>>> tools. Here's a pastebin of the output of >>>>>>> the >>>>>>> >>>> install: https://pastebin.com/zAWCgkUU >>>>>>> >>>> >>>>>>> >>>> Robert >>>>>>> >>>> >>>>>>> >>>> >>>>>>> >>>> -- >>>>>>> >>>> Manage your subscription for the >>>>>>> Freeipa-users >>>>>>> >>>> mailing list: >>>>>>> >>>> >>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>> >>>> Go to http://freeipa.org for more info on >>>>>>> the >>>>>>> >>>> project >>>>>>> >>>> >>>>>>> >>>> >>>>>>> >>>> -- >>>>>>> >>>> Manage your subscription for the Freeipa-users >>>>>>> >>>> mailing list: >>>>>>> >>>> >>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>> >>>> Go to http://freeipa.org for more info on the >>>>>>> project >>>>>>> >>>> >>>>>>> >>>> >>>>>>> >>>> >>>>>>> >>> >>>>>>> >>> -- >>>>>>> >>> Martin Ba?ti >>>>>>> >>> Software Engineer >>>>>>> >>> Red Hat Czech >>>>>>> >>> >>>>>>> >> >>>>>>> >> -- >>>>>>> >> Martin Ba?ti >>>>>>> >> Software Engineer >>>>>>> >> Red Hat Czech >>>>>>> >> >>>>>>> > >>>>>>> > -- >>>>>>> > Martin Ba?ti >>>>>>> > Software Engineer >>>>>>> > Red Hat Czech >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> >>>>>>> >>>>>> -- >>>>>> Manage your subscription for the Freeipa-users mailing 
list:
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>
>>>>>
>>>>>
>>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From andrew.holway at gmail.com Tue May 16 20:40:08 2017
From: andrew.holway at gmail.com (Andrew Holway)
Date: Tue, 16 May 2017 22:40:08 +0200
Subject: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7
In-Reply-To:
References: <17824237-3beb-a5c1-0d6c-d9a1051eddce@redhat.com> <05a8f23b-66e7-628d-f19a-b80ca01a6850@redhat.com>
Message-ID:

I have a feeling that there is something broken with your image. Could you try installing Centos from ISO?

On 16 May 2017 at 22:37, Robert L. Harris wrote:

>
> I left SELinux enabled, no change, still streaming the same error:
>
> [Tue May 16 14:36:48.957848 2017] [:error] [pid 10780] NSS_Initialize
> failed. Certificate database: /etc/httpd/alias.
> [Tue May 16 14:36:48.957883 2017] [:error] [pid 10780] SSL Library Error:
> -8038 SEC_ERROR_NOT_INITIALIZED
> [Tue May 16 14:36:48.957886 2017] [:error] [pid 10780] Does the NSS
> database exist?
>
>
>
> On Tue, May 16, 2017 at 2:12 PM Andrew Holway
> wrote:
>
>> Yea, I would try installing IPA then making the changes that you want. I
>> think SELinux should be left enabled however. It makes admin super fun! :)
>>
>>
>> On 16 May 2017 at 21:57, Robert L. Harris
>> wrote:
>>
>>>
>>> I did disable selinux as it gave errors setting up my standard users,
>>> etc. I can roll back the snapshot, set it at 4Gigs of RAM and re-enable
>>> selinux and then try again.
>>>
>>>
>>> On Tue, May 16, 2017 at 1:52 PM Andrew Holway
>>> wrote:
>>>
>>>> This is pretty weird. FreeIPA installation normally works.
>>>>
>>>> Has the operating system image been changed or optimised somehow?
>>>> Perhaps SELinux has been disabled? Have you tried installing Centos7 from
>>>> the ISO?
>>>>
>>>> On 16 May 2017 at 21:48, Robert L.
Harris >>>> wrote: >>>> >>>>> >>>>> 2 Gigs, it's a VM. The VM didn't report any memory issues ( no >>>>> alarms on VMWare ) >>>>> >>>>> >>>>> On Tue, May 16, 2017 at 12:29 PM Andrew Holway < >>>>> andrew.holway at gmail.com> wrote: >>>>> >>>>>> Hallo, >>>>>> >>>>>> How much memory do you have on the machine. I have a sneaking >>>>>> suspicion that you're running out. >>>>>> >>>>>> Ta, >>>>>> >>>>>> Andrew >>>>>> >>>>>> On 16 May 2017 at 17:16, Robert L. Harris >>>>>> wrote: >>>>>> >>>>>>> >>>>>>> Last night I rolled back my snapshot. Here's what I have after the >>>>>>> yum install >>>>>>> >>>>>>> "minimal" install of Centos7 + basic build. >>>>>>> {0}:/var/log>cat /etc/*elease >>>>>>> CentOS Linux release 7.3.1611 (Core) >>>>>>> NAME="CentOS Linux" >>>>>>> VERSION="7 (Core)" >>>>>>> ID="centos" >>>>>>> ID_LIKE="rhel fedora" >>>>>>> VERSION_ID="7" >>>>>>> PRETTY_NAME="CentOS Linux 7 (Core)" >>>>>>> ANSI_COLOR="0;31" >>>>>>> CPE_NAME="cpe:/o:centos:centos:7" >>>>>>> HOME_URL="https://www.centos.org/" >>>>>>> BUG_REPORT_URL="https://bugs.centos.org/" >>>>>>> >>>>>>> CENTOS_MANTISBT_PROJECT="CentOS-7" >>>>>>> CENTOS_MANTISBT_PROJECT_VERSION="7" >>>>>>> REDHAT_SUPPORT_PRODUCT="centos" >>>>>>> REDHAT_SUPPORT_PRODUCT_VERSION="7" >>>>>>> >>>>>>> CentOS Linux release 7.3.1611 (Core) >>>>>>> CentOS Linux release 7.3.1611 (Core) >>>>>>> >>>>>>> >>>>>>> {0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb' >>>>>>> sssd-krb5-common-1.14.0-43.el7_3.14.x86_64 >>>>>>> python2-ipaclient-4.4.0-14.el7.centos.7.noarch >>>>>>> ipa-common-4.4.0-14.el7.centos.7.noarch >>>>>>> perl-HTTP-Tiny-0.033-3.el7.noarch >>>>>>> python-iniparse-0.4-9.el7.noarch >>>>>>> ipa-client-common-4.4.0-14.el7.centos.7.noarch >>>>>>> pam_krb5-2.4.8-6.el7.x86_64 >>>>>>> sssd-krb5-1.14.0-43.el7_3.14.x86_64 >>>>>>> python-ipaddress-1.0.16-2.el7.noarch >>>>>>> python2-ipalib-4.4.0-14.el7.centos.7.noarch >>>>>>> krb5-libs-1.14.1-27.el7_3.x86_64 >>>>>>> libipa_hbac-1.14.0-43.el7_3.14.x86_64 >>>>>>> 
python-libipa_hbac-1.14.0-43.el7_3.14.x86_64 >>>>>>> sssd-ipa-1.14.0-43.el7_3.14.x86_64 >>>>>>> krb5-workstation-1.14.1-27.el7_3.x86_64 >>>>>>> ipa-client-4.4.0-14.el7.centos.7.x86_64 >>>>>>> >>>>>>> Tried to pull an exact client. The "yum install ipa-server" went >>>>>>> fine: >>>>>>> >>>>>>> {0}:/var/log/httpd>rpm -a -q | grep -i ipa-server >>>>>>> ipa-server-4.4.0-14.el7.centos.7.x86_64 >>>>>>> ipa-server-common-4.4.0-14.el7.centos.7.noarch >>>>>>> >>>>>>> >>>>>>> "ipa-server-install" ran clean but has been stuck for 2 days: >>>>>>> >>>>>>> Restarting the directory server >>>>>>> Restarting the KDC >>>>>>> Please add records in this file to your DNS system: >>>>>>> /tmp/ipa.system.records.qLsLyx.db >>>>>>> Restarting the web server >>>>>>> Configuring client side components >>>>>>> Using existing certificate '/etc/ipa/ca.crt'. >>>>>>> Client hostname: ipa.rdlg.net >>>>>>> Realm: RDLG.NET >>>>>>> DNS Domain: rdlg.net >>>>>>> IPA Server: ipa.rdlg.net >>>>>>> BaseDN: dc=rdlg,dc=net >>>>>>> >>>>>>> Skipping synchronizing time with NTP server. >>>>>>> New SSSD config will be created >>>>>>> Configured sudoers in /etc/nsswitch.conf >>>>>>> Configured /etc/sssd/sssd.conf >>>>>>> trying https://ipa.rdlg.net/ipa/json >>>>>>> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json' >>>>>>> >>>>>>> Checking the /var/log/httpd/error.log has 2 days of just this: >>>>>>> >>>>>>> [Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] NSS_Initialize >>>>>>> failed. Certificate database: /etc/httpd/alias. >>>>>>> [Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library >>>>>>> Error: -8038 SEC_ERROR_NOT_INITIALIZED >>>>>>> [Tue May 16 09:14:42.941501 2017] [:error] [pid 1182] Does the NSS >>>>>>> database exist? >>>>>>> >>>>>>> >>>>>>> Robert >>>>>>> >>>>>>> On Fri, May 12, 2017 at 11:14 AM Rob Crittenden >>>>>>> wrote: >>>>>>> >>>>>>>> Robert L. 
Harris wrote: >>>>>>>> > >>>>>>>> > Hmmm >>>>>>>> > >>>>>>>> > {0}:/var/log>ls >>>>>>>> > anaconda btmp dmesg grubby maillog ppp >>>>>>>> secure >>>>>>>> > tallylog wtmp >>>>>>>> > audit cron dmesg.old grubby_prune_debug messages rhsm >>>>>>>> spooler >>>>>>>> > tuned yum.log >>>>>>>> > boot.log cups firewalld lastlog ntpstats samba >>>>>>>> sssd >>>>>>>> > vmware-vmsvc.log >>>>>>>> > >>>>>>>> > >>>>>>>> > root at ipa >>>>>>>> > {1}:/var/log>rpm -q -l http >>>>>>>> > package http is not installed >>>>>>>> > >>>>>>>> > root at ipa >>>>>>>> > {1}:/var/log>rpm -q -a | grep -i http >>>>>>>> > perl-HTTP-Tiny-0.033-3.el7.noarch >>>>>>>> > >>>>>>>> > root at ipa >>>>>>>> > {0}:/var/log>rpm -q -a | grep -i tomcat >>>>>>>> > >>>>>>>> > >>>>>>>> > Doesn't look like an httpd was installed as a dependancy? >>>>>>>> >>>>>>>> I find this very hard to believe given that it go so far as to >>>>>>>> configure >>>>>>>> things in Apache, restart it, etc. What version of [free]ipa-server >>>>>>>> is >>>>>>>> installed? How did you install it and from what repo? >>>>>>>> >>>>>>>> rob >>>>>>>> >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>>> > On Fri, May 12, 2017 at 1:17 AM Martin Ba?ti >>>>>>> > > wrote: >>>>>>>> > >>>>>>>> > That's weird, it should be super fast, anything in >>>>>>>> > /var/log/httpd/error_log? >>>>>>>> > >>>>>>>> > >>>>>>>> > On 11.05.2017 22:23, Robert L. Harris wrote: >>>>>>>> >> >>>>>>>> >> Odd, must have clicked reply instead of reply-all. >>>>>>>> >> >>>>>>>> >> Anyway, I did the revert and re-install. Actual install went >>>>>>>> >> through fine then the "ipa-server-install" ran until this: >>>>>>>> >> >>>>>>>> >> [8/9]: restoring configuration >>>>>>>> >> [9/9]: starting directory server >>>>>>>> >> Done. 
>>>>>>>> >> Restarting the directory server >>>>>>>> >> Restarting the KDC >>>>>>>> >> Please add records in this file to your DNS system: >>>>>>>> >> /tmp/ipa.system.records.v5Jwrt.db >>>>>>>> >> Restarting the web server >>>>>>>> >> Configuring client side components >>>>>>>> >> Using existing certificate '/etc/ipa/ca.crt'. >>>>>>>> >> Client hostname: ipa.rdlg.net >>>>>>>> >> Realm: RDLG.NET >>>>>>>> >> DNS Domain: rdlg.net >>>>>>>> >> IPA Server: ipa.rdlg.net >>>>>>>> >> BaseDN: dc=rdlg,dc=net >>>>>>>> >> >>>>>>>> >> Skipping synchronizing time with NTP server. >>>>>>>> >> New SSSD config will be created >>>>>>>> >> Configured sudoers in /etc/nsswitch.conf >>>>>>>> >> Configured /etc/sssd/sssd.conf >>>>>>>> >> trying https://ipa.rdlg.net/ipa/json >>>>>>>> >> Forwarding 'schema' to json server ' >>>>>>>> https://ipa.rdlg.net/ipa/json' >>>>>>>> >> >>>>>>>> >> >>>>>>>> >> It's been sitting there for a while ( 4 hours? ) I don't see >>>>>>>> >> anyting in the ipaserver-install.log, but it's here: >>>>>>>> >> https://pastebin.com/biK1Dmv7 >>>>>>>> >> >>>>>>>> >> >>>>>>>> >> >>>>>>>> >> On Thu, May 11, 2017 at 8:12 AM Martin Ba?ti < >>>>>>>> mbasti at redhat.com >>>>>>>> >> > wrote: >>>>>>>> >> >>>>>>>> >> Please keep freeipa-users in CC >>>>>>>> >> >>>>>>>> >> Snapshot is always better, so I suggest to use it. >>>>>>>> Otherwise >>>>>>>> >> there is an option --ignore-last-of-role to unblock >>>>>>>> >> uninstallation. >>>>>>>> >> >>>>>>>> >> Martin >>>>>>>> >> >>>>>>>> >> >>>>>>>> >> On 11.05.2017 16:00, Robert L. Harris wrote: >>>>>>>> >>> >>>>>>>> >>> Looks like you hit it, apache didn't have a group: >>>>>>>> >>> >>>>>>>> >>> -- Logs begin at Wed 2017-05-10 19:56:27 MDT, end at Thu >>>>>>>> >>> 2017-05-11 07:48:27 MDT. -- >>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>> >>> systemd[1]: Starting The Apache HTTP Server... 
>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>> >>> ipa-httpd-kdcproxy[28808]: ipa : INFO KDC >>>>>>>> proxy >>>>>>>> >>> enabled >>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>> >>> httpd[28809]: AH00544: httpd: bad group name apache >>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>> >>> systemd[1]: httpd.service: main process exited, >>>>>>>> code=exited, >>>>>>>> >>> status=1/FAILURE >>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>> >>> kill[28812]: kill: cannot find process "" >>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>> >>> systemd[1]: httpd.service: control process exited, >>>>>>>> >>> code=exited status=1 >>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>> >>> systemd[1]: Failed to start The Apache HTTP Server. >>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>> >>> systemd[1]: Unit httpd.service entered failed state. >>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>> >>> systemd[1]: httpd.service failed. >>>>>>>> >>> >>>>>>>> >>> Thanks, didn't know that command. I tried to continue >>>>>>>> the >>>>>>>> >>> process: >>>>>>>> >>> >>>>>>>> >>> {0}:/root>ipa-server-install >>>>>>>> >>> >>>>>>>> >>> The log file for this installation can be found in >>>>>>>> >>> /var/log/ipaserver-install.log >>>>>>>> >>> ipa.ipapython.install.cli.install_tool(Server): ERROR >>>>>>>> IPA >>>>>>>> >>> server is already configured on this system. >>>>>>>> >>> If you want to reinstall the IPA server, please >>>>>>>> uninstall it >>>>>>>> >>> first using 'ipa-server-install --uninstall'. >>>>>>>> >>> ipa.ipapython.install.cli.install_tool(Server): ERROR >>>>>>>> The >>>>>>>> >>> ipa-server-install command failed. See >>>>>>>> >>> /var/log/ipaserver-install.log for more information >>>>>>>> >>> >>>>>>>> >>> root at ipa >>>>>>>> >>> {1}:/root>ipa-server-install --uninstall >>>>>>>> >>> >>>>>>>> >>> This is a NON REVERSIBLE operation and will delete all >>>>>>>> data >>>>>>>> >>> and configuration! 
>>>>>>>> >>> >>>>>>>> >>> Are you sure you want to continue with the uninstall >>>>>>>> >>> procedure? [no]: yes >>>>>>>> >>> ipa : ERROR Server removal aborted: Deleting >>>>>>>> this >>>>>>>> >>> server is not allowed as it would leave your >>>>>>>> installation >>>>>>>> >>> without a CA.. >>>>>>>> >>> >>>>>>>> >>> >>>>>>>> >>> >>>>>>>> >>> This is a VM and I took a snapshot right before I >>>>>>>> started the >>>>>>>> >>> install, so I can revert, just make sure ti add the >>>>>>>> apache >>>>>>>> >>> user before starting the install. Or if you have a >>>>>>>> better >>>>>>>> >>> command to continue the clean-up/install..... >>>>>>>> >>> >>>>>>>> >>> >>>>>>>> >>> On Thu, May 11, 2017 at 2:19 AM Martin Ba?ti >>>>>>>> >>> > wrote: >>>>>>>> >>> >>>>>>>> >>> Hello, >>>>>>>> >>> >>>>>>>> >>> comments inline >>>>>>>> >>> >>>>>>>> >>> >>>>>>>> >>> On 11.05.2017 06:06, Robert L. Harris wrote: >>>>>>>> >>>> >>>>>>>> >>>> Sigh... Sorry, it's been a long day, I thought I >>>>>>>> put >>>>>>>> >>>> that log in the first pastebin. It's in this one: >>>>>>>> >>>> https://pastebin.com/18PAXXNS >>>>>>>> >>> >>>>>>>> >>> Could you please provide journalctl -u httpd and >>>>>>>> >>> /var/log/httpd/error_log ? >>>>>>>> >>> >>>>>>>> >>> >>>>>>>> >>> >>>>>>>> >>>> >>>>>>>> >>>> Also, >>>>>>>> >>>> Anyone else get the constant spam when mailing >>>>>>>> this >>>>>>>> >>>> list? Got an address to block for it? >>>>>>>> >>> >>>>>>>> >>> Sorry for that, there is a bot mining public >>>>>>>> archives. We >>>>>>>> >>> plan to resolve this issue but it may take time as >>>>>>>> we are >>>>>>>> >>> not maintaining our mailman. >>>>>>>> >>> >>>>>>>> >>> Martin >>>>>>>> >>> >>>>>>>> >>> >>>>>>>> >>>> >>>>>>>> >>>> Robert >>>>>>>> >>>> >>>>>>>> >>>> >>>>>>>> >>>> >>>>>>>> >>>> >>>>>>>> >>>> On Wed, May 10, 2017 at 9:56 PM Lachlan Musicman >>>>>>>> >>>> > >>>>>>>> wrote: >>>>>>>> >>>> >>>>>>>> >>>> Robert, did you look in >>>>>>>> >>>> /var/log/ipaserver-install.log as it says? 
>>>>>>>> >>>> >>>>>>>> >>>> Was there any other information? >>>>>>>> >>>> >>>>>>>> >>>> cheers >>>>>>>> >>>> L. >>>>>>>> >>>> >>>>>>>> >>>> ------ >>>>>>>> >>>> "Mission Statement: To provide hope and >>>>>>>> inspiration >>>>>>>> >>>> for collective action, to build collective >>>>>>>> power, to >>>>>>>> >>>> achieve collective transformation, rooted in >>>>>>>> grief >>>>>>>> >>>> and rage but pointed towards vision and >>>>>>>> dreams." >>>>>>>> >>>> >>>>>>>> >>>> - Patrice Cullors, /Black Lives Matter >>>>>>>> founder/ >>>>>>>> >>>> >>>>>>>> >>>> On 11 May 2017 at 13:24, Robert L. Harris >>>>>>>> >>>> >>>>>>> >>>> > wrote: >>>>>>>> >>>> >>>>>>>> >>>> Ok, I gave up on Ubuntu. I'm now trying >>>>>>>> the >>>>>>>> >>>> latest CentOS7. I built out a "minimal >>>>>>>> server" >>>>>>>> >>>> with some normal base packages which did >>>>>>>> include >>>>>>>> >>>> the freeipa-client but otherwise, just >>>>>>>> standard >>>>>>>> >>>> tools. Here's a pastebin of the output of >>>>>>>> the >>>>>>>> >>>> install: https://pastebin.com/zAWCgkUU >>>>>>>> >>>> >>>>>>>> >>>> Robert >>>>>>>> >>>> >>>>>>>> >>>> >>>>>>>> >>>> -- >>>>>>>> >>>> Manage your subscription for the >>>>>>>> Freeipa-users >>>>>>>> >>>> mailing list: >>>>>>>> >>>> https://www.redhat.com/ >>>>>>>> mailman/listinfo/freeipa-users >>>>>>>> >>>> Go to http://freeipa.org for more info on >>>>>>>> the >>>>>>>> >>>> project >>>>>>>> >>>> >>>>>>>> >>>> >>>>>>>> >>>> -- >>>>>>>> >>>> Manage your subscription for the Freeipa-users >>>>>>>> >>>> mailing list: >>>>>>>> >>>> https://www.redhat.com/ >>>>>>>> mailman/listinfo/freeipa-users >>>>>>>> >>>> Go to http://freeipa.org for more info on the >>>>>>>> project >>>>>>>> >>>> >>>>>>>> >>>> >>>>>>>> >>>> >>>>>>>> >>> >>>>>>>> >>> -- >>>>>>>> >>> Martin Ba?ti >>>>>>>> >>> Software Engineer >>>>>>>> >>> Red Hat Czech >>>>>>>> >>> >>>>>>>> >> >>>>>>>> >> -- >>>>>>>> >> Martin Ba?ti >>>>>>>> >> Software Engineer >>>>>>>> >> Red Hat Czech >>>>>>>> >> >>>>>>>> > >>>>>>>> > 
--
>>>>>>>> > Martin Bašti
>>>>>>>> > Software Engineer
>>>>>>>> > Red Hat Czech
>>>>>>>> >
>>>>>>>> >
>>>>>>>> >
>>>>>>>>
>>>>>>>>
>>>>>>> --
>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>
>>>>>>
>>>>>>
>>>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jochen at jochen.org Tue May 16 20:44:04 2017
From: jochen at jochen.org (Jochen Hein)
Date: Tue, 16 May 2017 22:44:04 +0200
Subject: [Freeipa-users] Why OTP not working
In-Reply-To: (Andrey Dudin's message of "Tue, 16 May 2017 22:51:52 +0300")
References:
Message-ID: <83pof8y1kb.fsf@jochen.org>

Andrey Dudin writes:

> I trying to use OTP auth in Freeipa but have some problems.

OTP (with RADIUS) works for me.

> I have user *test:*
>
> [root at ipa-centos]# ipa user-show test
...

Did you enable --user-auth-type=otp with "ipa config-mod"? I have:

[root at freeipa1 log]# ipa config-show --raw
...
ipauserauthtype: otp
ipauserauthtype: password
ipauserauthtype: radius

Look at the mouse-over-docs in Webui -> IPA-Server -> Configuration ->
User Authentication Types for more info.

Otherwise, you need to enable --user-auth-type=otp for your user. I
have for RADIUS both password and radius for my OTP user:

[root at freeipa1 log]# ipa user-show jochen --raw
...
ipauserauthtype: password
ipauserauthtype: radius

If you need both password and otp, use both --user-auth-type=password
and --user-auth-type=otp for "ipa user-mod" or "ipa config-mod".

When I do a "su - jochen", I get asked for "First Factor" and "Second
Factor", since sssd knows I use RADIUS for OTP. That might be easier to
first test that you can authenticate with OTP.

> Server with FreeIpa:
>
> [root at ipa-centos]# ipa host-show ipa-centos.mydomain.com
...
> Authentication Indicators: otp

Is there a simple way to check on the command line, whether or not an
authentication indicator was set when authenticating? I can't remember
anything from reading the docs - I expected some option for klist.

Jochen

--
This space is intentionally left blank.

From robert.l.harris at gmail.com Tue May 16 20:50:02 2017
From: robert.l.harris at gmail.com (Robert L. Harris)
Date: Tue, 16 May 2017 20:50:02 +0000
Subject: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7
In-Reply-To:
References: <17824237-3beb-a5c1-0d6c-d9a1051eddce@redhat.com> <05a8f23b-66e7-628d-f19a-b80ca01a6850@redhat.com>
Message-ID:

I can, though that's what I did 2 days ago, fresh install from latest ISO.

On Tue, May 16, 2017 at 2:40 PM Andrew Holway wrote:

> I have a feeling that there is something broken with your image. Could you
> try installing Centos from ISO?
>
>
> On 16 May 2017 at 22:37, Robert L. Harris
> wrote:
>
>>
>> I left SELinux enabled, no change, still streaming the same error:
>>
>> [Tue May 16 14:36:48.957848 2017] [:error] [pid 10780] NSS_Initialize
>> failed. Certificate database: /etc/httpd/alias.
>> [Tue May 16 14:36:48.957883 2017] [:error] [pid 10780] SSL Library Error:
>> -8038 SEC_ERROR_NOT_INITIALIZED
>> [Tue May 16 14:36:48.957886 2017] [:error] [pid 10780] Does the NSS
>> database exist?
>>
>>
>>
>> On Tue, May 16, 2017 at 2:12 PM Andrew Holway
>> wrote:
>>
>>> Yea, I would try installing IPA then making the changes that you want. I
>>> think SELinux should be left enabled however. It makes admin super fun! :)
>>>
>>>
>>> On 16 May 2017 at 21:57, Robert L. Harris
>>> wrote:
>>>
>>>>
>>>> I did disable selinux as it gave errors setting up my standard users,
>>>> etc. I can roll back the snapshot, set it at 4Gigs of RAM and re-enable
>>>> selinux and then try again.
>>>>
>>>>
>>>> On Tue, May 16, 2017 at 1:52 PM Andrew Holway
>>>> wrote:
>>>>
>>>>> This is pretty weird. FreeIPA installation normally works.
>>>>> >>>>> Has the operating system image been changed or optimised somehow? >>>>> Perhaps SELinux has been disabled? Have you tried installing Centos7 from >>>>> the ISO? >>>>> >>>>> On 16 May 2017 at 21:48, Robert L. Harris >>>>> wrote: >>>>> >>>>>> >>>>>> 2 Gigs, it's a VM. The VM didn't report any memory issues ( no >>>>>> alarms on VMWare ) >>>>>> >>>>>> >>>>>> On Tue, May 16, 2017 at 12:29 PM Andrew Holway < >>>>>> andrew.holway at gmail.com> wrote: >>>>>> >>>>>>> Hallo, >>>>>>> >>>>>>> How much memory do you have on the machine. I have a sneaking >>>>>>> suspicion that you're running out. >>>>>>> >>>>>>> Ta, >>>>>>> >>>>>>> Andrew >>>>>>> >>>>>>> On 16 May 2017 at 17:16, Robert L. Harris >>>>>> > wrote: >>>>>>> >>>>>>>> >>>>>>>> Last night I rolled back my snapshot. Here's what I have after the >>>>>>>> yum install >>>>>>>> >>>>>>>> "minimal" install of Centos7 + basic build. >>>>>>>> {0}:/var/log>cat /etc/*elease >>>>>>>> CentOS Linux release 7.3.1611 (Core) >>>>>>>> NAME="CentOS Linux" >>>>>>>> VERSION="7 (Core)" >>>>>>>> ID="centos" >>>>>>>> ID_LIKE="rhel fedora" >>>>>>>> VERSION_ID="7" >>>>>>>> PRETTY_NAME="CentOS Linux 7 (Core)" >>>>>>>> ANSI_COLOR="0;31" >>>>>>>> CPE_NAME="cpe:/o:centos:centos:7" >>>>>>>> HOME_URL="https://www.centos.org/" >>>>>>>> BUG_REPORT_URL="https://bugs.centos.org/" >>>>>>>> >>>>>>>> CENTOS_MANTISBT_PROJECT="CentOS-7" >>>>>>>> CENTOS_MANTISBT_PROJECT_VERSION="7" >>>>>>>> REDHAT_SUPPORT_PRODUCT="centos" >>>>>>>> REDHAT_SUPPORT_PRODUCT_VERSION="7" >>>>>>>> >>>>>>>> CentOS Linux release 7.3.1611 (Core) >>>>>>>> CentOS Linux release 7.3.1611 (Core) >>>>>>>> >>>>>>>> >>>>>>>> {0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb' >>>>>>>> sssd-krb5-common-1.14.0-43.el7_3.14.x86_64 >>>>>>>> python2-ipaclient-4.4.0-14.el7.centos.7.noarch >>>>>>>> ipa-common-4.4.0-14.el7.centos.7.noarch >>>>>>>> perl-HTTP-Tiny-0.033-3.el7.noarch >>>>>>>> python-iniparse-0.4-9.el7.noarch >>>>>>>> ipa-client-common-4.4.0-14.el7.centos.7.noarch 
>>>>>>>> pam_krb5-2.4.8-6.el7.x86_64 >>>>>>>> sssd-krb5-1.14.0-43.el7_3.14.x86_64 >>>>>>>> python-ipaddress-1.0.16-2.el7.noarch >>>>>>>> python2-ipalib-4.4.0-14.el7.centos.7.noarch >>>>>>>> krb5-libs-1.14.1-27.el7_3.x86_64 >>>>>>>> libipa_hbac-1.14.0-43.el7_3.14.x86_64 >>>>>>>> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64 >>>>>>>> sssd-ipa-1.14.0-43.el7_3.14.x86_64 >>>>>>>> krb5-workstation-1.14.1-27.el7_3.x86_64 >>>>>>>> ipa-client-4.4.0-14.el7.centos.7.x86_64 >>>>>>>> >>>>>>>> Tried to pull an exact client. The "yum install ipa-server" went >>>>>>>> fine: >>>>>>>> >>>>>>>> {0}:/var/log/httpd>rpm -a -q | grep -i ipa-server >>>>>>>> ipa-server-4.4.0-14.el7.centos.7.x86_64 >>>>>>>> ipa-server-common-4.4.0-14.el7.centos.7.noarch >>>>>>>> >>>>>>>> >>>>>>>> "ipa-server-install" ran clean but has been stuck for 2 days: >>>>>>>> >>>>>>>> Restarting the directory server >>>>>>>> Restarting the KDC >>>>>>>> Please add records in this file to your DNS system: >>>>>>>> /tmp/ipa.system.records.qLsLyx.db >>>>>>>> Restarting the web server >>>>>>>> Configuring client side components >>>>>>>> Using existing certificate '/etc/ipa/ca.crt'. >>>>>>>> Client hostname: ipa.rdlg.net >>>>>>>> Realm: RDLG.NET >>>>>>>> DNS Domain: rdlg.net >>>>>>>> IPA Server: ipa.rdlg.net >>>>>>>> BaseDN: dc=rdlg,dc=net >>>>>>>> >>>>>>>> Skipping synchronizing time with NTP server. >>>>>>>> New SSSD config will be created >>>>>>>> Configured sudoers in /etc/nsswitch.conf >>>>>>>> Configured /etc/sssd/sssd.conf >>>>>>>> trying https://ipa.rdlg.net/ipa/json >>>>>>>> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json' >>>>>>>> >>>>>>>> Checking the /var/log/httpd/error.log has 2 days of just this: >>>>>>>> >>>>>>>> [Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] >>>>>>>> NSS_Initialize failed. Certificate database: /etc/httpd/alias. 
>>>>>>>> [Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library >>>>>>>> Error: -8038 SEC_ERROR_NOT_INITIALIZED >>>>>>>> [Tue May 16 09:14:42.941501 2017] [:error] [pid 1182] Does the NSS >>>>>>>> database exist? >>>>>>>> >>>>>>>> >>>>>>>> Robert >>>>>>>> >>>>>>>> On Fri, May 12, 2017 at 11:14 AM Rob Crittenden < >>>>>>>> rcritten at redhat.com> wrote: >>>>>>>> >>>>>>>>> Robert L. Harris wrote: >>>>>>>>> > >>>>>>>>> > Hmmm >>>>>>>>> > >>>>>>>>> > {0}:/var/log>ls >>>>>>>>> > anaconda btmp dmesg grubby maillog ppp >>>>>>>>> secure >>>>>>>>> > tallylog wtmp >>>>>>>>> > audit cron dmesg.old grubby_prune_debug messages rhsm >>>>>>>>> spooler >>>>>>>>> > tuned yum.log >>>>>>>>> > boot.log cups firewalld lastlog ntpstats samba >>>>>>>>> sssd >>>>>>>>> > vmware-vmsvc.log >>>>>>>>> > >>>>>>>>> > >>>>>>>>> > root at ipa >>>>>>>>> > {1}:/var/log>rpm -q -l http >>>>>>>>> > package http is not installed >>>>>>>>> > >>>>>>>>> > root at ipa >>>>>>>>> > {1}:/var/log>rpm -q -a | grep -i http >>>>>>>>> > perl-HTTP-Tiny-0.033-3.el7.noarch >>>>>>>>> > >>>>>>>>> > root at ipa >>>>>>>>> > {0}:/var/log>rpm -q -a | grep -i tomcat >>>>>>>>> > >>>>>>>>> > >>>>>>>>> > Doesn't look like an httpd was installed as a dependancy? >>>>>>>>> >>>>>>>>> I find this very hard to believe given that it go so far as to >>>>>>>>> configure >>>>>>>>> things in Apache, restart it, etc. What version of >>>>>>>>> [free]ipa-server is >>>>>>>>> installed? How did you install it and from what repo? >>>>>>>>> >>>>>>>>> rob >>>>>>>>> >>>>>>>>> > >>>>>>>>> > >>>>>>>>> > >>>>>>>>> > >>>>>>>>> > >>>>>>>>> > On Fri, May 12, 2017 at 1:17 AM Martin Ba?ti >>>>>>>> > > wrote: >>>>>>>>> > >>>>>>>>> > That's weird, it should be super fast, anything in >>>>>>>>> > /var/log/httpd/error_log? >>>>>>>>> > >>>>>>>>> > >>>>>>>>> > On 11.05.2017 22:23, Robert L. Harris wrote: >>>>>>>>> >> >>>>>>>>> >> Odd, must have clicked reply instead of reply-all. >>>>>>>>> >> >>>>>>>>> >> Anyway, I did the revert and re-install. 
Actual install >>>>>>>>> went >>>>>>>>> >> through fine then the "ipa-server-install" ran until this: >>>>>>>>> >> >>>>>>>>> >> [8/9]: restoring configuration >>>>>>>>> >> [9/9]: starting directory server >>>>>>>>> >> Done. >>>>>>>>> >> Restarting the directory server >>>>>>>>> >> Restarting the KDC >>>>>>>>> >> Please add records in this file to your DNS system: >>>>>>>>> >> /tmp/ipa.system.records.v5Jwrt.db >>>>>>>>> >> Restarting the web server >>>>>>>>> >> Configuring client side components >>>>>>>>> >> Using existing certificate '/etc/ipa/ca.crt'. >>>>>>>>> >> Client hostname: ipa.rdlg.net >>>>>>>>> >> Realm: RDLG.NET >>>>>>>>> >> DNS Domain: rdlg.net >>>>>>>>> >> IPA Server: ipa.rdlg.net >>>>>>>>> >> BaseDN: dc=rdlg,dc=net >>>>>>>>> >> >>>>>>>>> >> Skipping synchronizing time with NTP server. >>>>>>>>> >> New SSSD config will be created >>>>>>>>> >> Configured sudoers in /etc/nsswitch.conf >>>>>>>>> >> Configured /etc/sssd/sssd.conf >>>>>>>>> >> trying https://ipa.rdlg.net/ipa/json >>>>>>>>> >> Forwarding 'schema' to json server ' >>>>>>>>> https://ipa.rdlg.net/ipa/json' >>>>>>>>> >> >>>>>>>>> >> >>>>>>>>> >> It's been sitting there for a while ( 4 hours? ) I don't >>>>>>>>> see >>>>>>>>> >> anyting in the ipaserver-install.log, but it's here: >>>>>>>>> >> https://pastebin.com/biK1Dmv7 >>>>>>>>> >> >>>>>>>>> >> >>>>>>>>> >> >>>>>>>>> >> On Thu, May 11, 2017 at 8:12 AM Martin Ba?ti < >>>>>>>>> mbasti at redhat.com >>>>>>>>> >> > wrote: >>>>>>>>> >> >>>>>>>>> >> Please keep freeipa-users in CC >>>>>>>>> >> >>>>>>>>> >> Snapshot is always better, so I suggest to use it. >>>>>>>>> Otherwise >>>>>>>>> >> there is an option --ignore-last-of-role to unblock >>>>>>>>> >> uninstallation. >>>>>>>>> >> >>>>>>>>> >> Martin >>>>>>>>> >> >>>>>>>>> >> >>>>>>>>> >> On 11.05.2017 16:00, Robert L. 
Harris wrote: >>>>>>>>> >>> >>>>>>>>> >>> Looks like you hit it, apache didn't have a group: >>>>>>>>> >>> >>>>>>>>> >>> -- Logs begin at Wed 2017-05-10 19:56:27 MDT, end at >>>>>>>>> Thu >>>>>>>>> >>> 2017-05-11 07:48:27 MDT. -- >>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>>> >>> systemd[1]: Starting The Apache HTTP Server... >>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>>> >>> ipa-httpd-kdcproxy[28808]: ipa : INFO KDC >>>>>>>>> proxy >>>>>>>>> >>> enabled >>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>>> >>> httpd[28809]: AH00544: httpd: bad group name apache >>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>>> >>> systemd[1]: httpd.service: main process exited, >>>>>>>>> code=exited, >>>>>>>>> >>> status=1/FAILURE >>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>>> >>> kill[28812]: kill: cannot find process "" >>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>>> >>> systemd[1]: httpd.service: control process exited, >>>>>>>>> >>> code=exited status=1 >>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>>> >>> systemd[1]: Failed to start The Apache HTTP Server. >>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>>> >>> systemd[1]: Unit httpd.service entered failed state. >>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>>> >>> systemd[1]: httpd.service failed. >>>>>>>>> >>> >>>>>>>>> >>> Thanks, didn't know that command. I tried to continue >>>>>>>>> the >>>>>>>>> >>> process: >>>>>>>>> >>> >>>>>>>>> >>> {0}:/root>ipa-server-install >>>>>>>>> >>> >>>>>>>>> >>> The log file for this installation can be found in >>>>>>>>> >>> /var/log/ipaserver-install.log >>>>>>>>> >>> ipa.ipapython.install.cli.install_tool(Server): ERROR >>>>>>>>> IPA >>>>>>>>> >>> server is already configured on this system. >>>>>>>>> >>> If you want to reinstall the IPA server, please >>>>>>>>> uninstall it >>>>>>>>> >>> first using 'ipa-server-install --uninstall'. 
>>>>>>>>> >>> ipa.ipapython.install.cli.install_tool(Server): ERROR >>>>>>>>> The >>>>>>>>> >>> ipa-server-install command failed. See >>>>>>>>> >>> /var/log/ipaserver-install.log for more information >>>>>>>>> >>> >>>>>>>>> >>> root at ipa >>>>>>>>> >>> {1}:/root>ipa-server-install --uninstall >>>>>>>>> >>> >>>>>>>>> >>> This is a NON REVERSIBLE operation and will delete all >>>>>>>>> data >>>>>>>>> >>> and configuration! >>>>>>>>> >>> >>>>>>>>> >>> Are you sure you want to continue with the uninstall >>>>>>>>> >>> procedure? [no]: yes >>>>>>>>> >>> ipa : ERROR Server removal aborted: >>>>>>>>> Deleting this >>>>>>>>> >>> server is not allowed as it would leave your >>>>>>>>> installation >>>>>>>>> >>> without a CA.. >>>>>>>>> >>> >>>>>>>>> >>> >>>>>>>>> >>> >>>>>>>>> >>> This is a VM and I took a snapshot right before I >>>>>>>>> started the >>>>>>>>> >>> install, so I can revert, just make sure ti add the >>>>>>>>> apache >>>>>>>>> >>> user before starting the install. Or if you have a >>>>>>>>> better >>>>>>>>> >>> command to continue the clean-up/install..... >>>>>>>>> >>> >>>>>>>>> >>> >>>>>>>>> >>> On Thu, May 11, 2017 at 2:19 AM Martin Ba?ti >>>>>>>>> >>> > wrote: >>>>>>>>> >>> >>>>>>>>> >>> Hello, >>>>>>>>> >>> >>>>>>>>> >>> comments inline >>>>>>>>> >>> >>>>>>>>> >>> >>>>>>>>> >>> On 11.05.2017 06:06, Robert L. Harris wrote: >>>>>>>>> >>>> >>>>>>>>> >>>> Sigh... Sorry, it's been a long day, I thought I >>>>>>>>> put >>>>>>>>> >>>> that log in the first pastebin. It's in this one: >>>>>>>>> >>>> https://pastebin.com/18PAXXNS >>>>>>>>> >>> >>>>>>>>> >>> Could you please provide journalctl -u httpd and >>>>>>>>> >>> /var/log/httpd/error_log ? >>>>>>>>> >>> >>>>>>>>> >>> >>>>>>>>> >>> >>>>>>>>> >>>> >>>>>>>>> >>>> Also, >>>>>>>>> >>>> Anyone else get the constant spam when mailing >>>>>>>>> this >>>>>>>>> >>>> list? Got an address to block for it? >>>>>>>>> >>> >>>>>>>>> >>> Sorry for that, there is a bot mining public >>>>>>>>> archives. 
We >>>>>>>>> >>> plan to resolve this issue but it may take time as >>>>>>>>> we are >>>>>>>>> >>> not maintaining our mailman. >>>>>>>>> >>> >>>>>>>>> >>> Martin >>>>>>>>> >>> >>>>>>>>> >>> >>>>>>>>> >>>> >>>>>>>>> >>>> Robert >>>>>>>>> >>>> >>>>>>>>> >>>> >>>>>>>>> >>>> >>>>>>>>> >>>> >>>>>>>>> >>>> On Wed, May 10, 2017 at 9:56 PM Lachlan Musicman >>>>>>>>> >>>> > >>>>>>>>> wrote: >>>>>>>>> >>>> >>>>>>>>> >>>> Robert, did you look in >>>>>>>>> >>>> /var/log/ipaserver-install.log as it says? >>>>>>>>> >>>> >>>>>>>>> >>>> Was there any other information? >>>>>>>>> >>>> >>>>>>>>> >>>> cheers >>>>>>>>> >>>> L. >>>>>>>>> >>>> >>>>>>>>> >>>> ------ >>>>>>>>> >>>> "Mission Statement: To provide hope and >>>>>>>>> inspiration >>>>>>>>> >>>> for collective action, to build collective >>>>>>>>> power, to >>>>>>>>> >>>> achieve collective transformation, rooted in >>>>>>>>> grief >>>>>>>>> >>>> and rage but pointed towards vision and >>>>>>>>> dreams." >>>>>>>>> >>>> >>>>>>>>> >>>> - Patrice Cullors, /Black Lives Matter >>>>>>>>> founder/ >>>>>>>>> >>>> >>>>>>>>> >>>> On 11 May 2017 at 13:24, Robert L. Harris >>>>>>>>> >>>> >>>>>>>> >>>> > wrote: >>>>>>>>> >>>> >>>>>>>>> >>>> Ok, I gave up on Ubuntu. I'm now trying >>>>>>>>> the >>>>>>>>> >>>> latest CentOS7. I built out a "minimal >>>>>>>>> server" >>>>>>>>> >>>> with some normal base packages which did >>>>>>>>> include >>>>>>>>> >>>> the freeipa-client but otherwise, just >>>>>>>>> standard >>>>>>>>> >>>> tools. 
Here's a pastebin of the output
>>>>>>>>> of the
>>>>>>>>> >>>> install: https://pastebin.com/zAWCgkUU
>>>>>>>>> >>>>
>>>>>>>>> >>>> Robert
>>>>>>>>> >>>>
>>>>>>>>> >>>>
>>>>>>>>> >>>> --
>>>>>>>>> >>>> Manage your subscription for the
>>>>>>>>> Freeipa-users
>>>>>>>>> >>>> mailing list:
>>>>>>>>> >>>>
>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>> >>>> Go to http://freeipa.org for more info
>>>>>>>>> on the
>>>>>>>>> >>>> project
>>>>>>>>> >>>>
>>>>>>>>> >>>>
>>>>>>>>> >>>> --
>>>>>>>>> >>>> Manage your subscription for the Freeipa-users
>>>>>>>>> >>>> mailing list:
>>>>>>>>> >>>>
>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>> >>>> Go to http://freeipa.org for more info on
>>>>>>>>> the project
>>>>>>>>> >>>>
>>>>>>>>> >>>>
>>>>>>>>> >>>>
>>>>>>>>> >>>
>>>>>>>>> >>> --
>>>>>>>>> >>> Martin Bašti
>>>>>>>>> >>> Software Engineer
>>>>>>>>> >>> Red Hat Czech
>>>>>>>>> >>>
>>>>>>>>> >>
>>>>>>>>> >> --
>>>>>>>>> >> Martin Bašti
>>>>>>>>> >> Software Engineer
>>>>>>>>> >> Red Hat Czech
>>>>>>>>> >>
>>>>>>>>> >
>>>>>>>>> > --
>>>>>>>>> > Martin Bašti
>>>>>>>>> > Software Engineer
>>>>>>>>> > Red Hat Czech
>>>>>>>>> >
>>>>>>>>> >
>>>>>>>>> >
>>>>>>>>>
>>>>>>>>>
>>>>>>>> --
>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From dan at cazena.com Tue May 16 20:55:40 2017
From: dan at cazena.com (Dan Dietterich)
Date: Tue, 16 May 2017 20:55:40 +0000
Subject: [Freeipa-users] Confused: LDAP authentication of AD users
Message-ID: <19ABE7D3-63E3-44E4-9827-94544710AAD4@cazena.com>

With a one-way trust from FreeIPA 4.4 to Active Directory on WinServ2012r2, I am trying to use FreeIPA LDAP for user authentication. Is that supposed to work?
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From list at sudo.nz Tue May 16 21:08:18 2017
From: list at sudo.nz (Dagan McGregor)
Date: Tue, 16 May 2017 21:08:18 +0000
Subject: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7
In-Reply-To:
References: <05a8f23b-66e7-628d-f19a-b80ca01a6850@redhat.com>
Message-ID: <47821956-7470-44BC-BC76-2CE1EDB18C4B@sudo.nz>

On 17 May 2017 8:50:02 AM NZST, "Robert L. Harris" wrote:
>I can, though that's what I did 2 days ago, fresh install from latest
>ISO.
>
>
>On Tue, May 16, 2017 at 2:40 PM Andrew Holway
>wrote:
>
>> I have a feeling that there is something broken with your image.
>Could you
>> try installing Centos from ISO?
>>
>>
>> On 16 May 2017 at 22:37, Robert L. Harris
>> wrote:
>>
>>>
>>> I left SELinux enabled, no change, still streaming the same error:
>>>
>>> [Tue May 16 14:36:48.957848 2017] [:error] [pid 10780]
>NSS_Initialize
>>> failed. Certificate database: /etc/httpd/alias.
>>> [Tue May 16 14:36:48.957883 2017] [:error] [pid 10780] SSL Library
>Error:
>>> -8038 SEC_ERROR_NOT_INITIALIZED
>>> [Tue May 16 14:36:48.957886 2017] [:error] [pid 10780] Does the NSS
>>> database exist?
>>>
>>>
>>>
>>> On Tue, May 16, 2017 at 2:12 PM Andrew Holway
>
>>> wrote:
>>>
>>>> Yea, I would try installing IPA then making the changes that you
>want. I
>>>> think SELinux should be left enabled however. It makes admin super
>fun! :)
>>>>
>>>>
>>>> On 16 May 2017 at 21:57, Robert L. Harris
>
>>>> wrote:
>>>>
>>>>>
>>>>> I did disable selinux as it gave errors setting up my standard
>users,
>>>>> etc. I can roll back the snapshot, set it at 4Gigs of RAM and
>re-enable
>>>>> selinux and then try again.
>>>>>
>>>>>
>>>>> On Tue, May 16, 2017 at 1:52 PM Andrew Holway
>
>>>>> wrote:
>>>>>
>>>>>> This is pretty weird. FreeIPA installation normally works.
>>>>>>
>>>>>> Has the operating system image been changed or optimised somehow?
>>>>>> Perhaps SELinux has been disabled?
Have you tried installing >Centos7 from >>>>>> the ISO? >>>>>> >>>>>> On 16 May 2017 at 21:48, Robert L. Harris > >>>>>> wrote: >>>>>> >>>>>>> >>>>>>> 2 Gigs, it's a VM. The VM didn't report any memory issues ( >no >>>>>>> alarms on VMWare ) >>>>>>> >>>>>>> >>>>>>> On Tue, May 16, 2017 at 12:29 PM Andrew Holway < >>>>>>> andrew.holway at gmail.com> wrote: >>>>>>> >>>>>>>> Hallo, >>>>>>>> >>>>>>>> How much memory do you have on the machine. I have a sneaking >>>>>>>> suspicion that you're running out. >>>>>>>> >>>>>>>> Ta, >>>>>>>> >>>>>>>> Andrew >>>>>>>> >>>>>>>> On 16 May 2017 at 17:16, Robert L. Harris >>>>>>>> > wrote: >>>>>>>> >>>>>>>>> >>>>>>>>> Last night I rolled back my snapshot. Here's what I have >after the >>>>>>>>> yum install >>>>>>>>> >>>>>>>>> "minimal" install of Centos7 + basic build. >>>>>>>>> {0}:/var/log>cat /etc/*elease >>>>>>>>> CentOS Linux release 7.3.1611 (Core) >>>>>>>>> NAME="CentOS Linux" >>>>>>>>> VERSION="7 (Core)" >>>>>>>>> ID="centos" >>>>>>>>> ID_LIKE="rhel fedora" >>>>>>>>> VERSION_ID="7" >>>>>>>>> PRETTY_NAME="CentOS Linux 7 (Core)" >>>>>>>>> ANSI_COLOR="0;31" >>>>>>>>> CPE_NAME="cpe:/o:centos:centos:7" >>>>>>>>> HOME_URL="https://www.centos.org/" >>>>>>>>> BUG_REPORT_URL="https://bugs.centos.org/" >>>>>>>>> >>>>>>>>> CENTOS_MANTISBT_PROJECT="CentOS-7" >>>>>>>>> CENTOS_MANTISBT_PROJECT_VERSION="7" >>>>>>>>> REDHAT_SUPPORT_PRODUCT="centos" >>>>>>>>> REDHAT_SUPPORT_PRODUCT_VERSION="7" >>>>>>>>> >>>>>>>>> CentOS Linux release 7.3.1611 (Core) >>>>>>>>> CentOS Linux release 7.3.1611 (Core) >>>>>>>>> >>>>>>>>> >>>>>>>>> {0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb' >>>>>>>>> sssd-krb5-common-1.14.0-43.el7_3.14.x86_64 >>>>>>>>> python2-ipaclient-4.4.0-14.el7.centos.7.noarch >>>>>>>>> ipa-common-4.4.0-14.el7.centos.7.noarch >>>>>>>>> perl-HTTP-Tiny-0.033-3.el7.noarch >>>>>>>>> python-iniparse-0.4-9.el7.noarch >>>>>>>>> ipa-client-common-4.4.0-14.el7.centos.7.noarch >>>>>>>>> pam_krb5-2.4.8-6.el7.x86_64 >>>>>>>>> 
sssd-krb5-1.14.0-43.el7_3.14.x86_64 >>>>>>>>> python-ipaddress-1.0.16-2.el7.noarch >>>>>>>>> python2-ipalib-4.4.0-14.el7.centos.7.noarch >>>>>>>>> krb5-libs-1.14.1-27.el7_3.x86_64 >>>>>>>>> libipa_hbac-1.14.0-43.el7_3.14.x86_64 >>>>>>>>> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64 >>>>>>>>> sssd-ipa-1.14.0-43.el7_3.14.x86_64 >>>>>>>>> krb5-workstation-1.14.1-27.el7_3.x86_64 >>>>>>>>> ipa-client-4.4.0-14.el7.centos.7.x86_64 >>>>>>>>> >>>>>>>>> Tried to pull an exact client. The "yum install ipa-server" >went >>>>>>>>> fine: >>>>>>>>> >>>>>>>>> {0}:/var/log/httpd>rpm -a -q | grep -i ipa-server >>>>>>>>> ipa-server-4.4.0-14.el7.centos.7.x86_64 >>>>>>>>> ipa-server-common-4.4.0-14.el7.centos.7.noarch >>>>>>>>> >>>>>>>>> >>>>>>>>> "ipa-server-install" ran clean but has been stuck for 2 days: >>>>>>>>> >>>>>>>>> Restarting the directory server >>>>>>>>> Restarting the KDC >>>>>>>>> Please add records in this file to your DNS system: >>>>>>>>> /tmp/ipa.system.records.qLsLyx.db >>>>>>>>> Restarting the web server >>>>>>>>> Configuring client side components >>>>>>>>> Using existing certificate '/etc/ipa/ca.crt'. >>>>>>>>> Client hostname: ipa.rdlg.net >>>>>>>>> Realm: RDLG.NET >>>>>>>>> DNS Domain: rdlg.net >>>>>>>>> IPA Server: ipa.rdlg.net >>>>>>>>> BaseDN: dc=rdlg,dc=net >>>>>>>>> >>>>>>>>> Skipping synchronizing time with NTP server. >>>>>>>>> New SSSD config will be created >>>>>>>>> Configured sudoers in /etc/nsswitch.conf >>>>>>>>> Configured /etc/sssd/sssd.conf >>>>>>>>> trying https://ipa.rdlg.net/ipa/json >>>>>>>>> Forwarding 'schema' to json server >'https://ipa.rdlg.net/ipa/json' >>>>>>>>> >>>>>>>>> Checking the /var/log/httpd/error.log has 2 days of just this: >>>>>>>>> >>>>>>>>> [Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] >>>>>>>>> NSS_Initialize failed. Certificate database: /etc/httpd/alias. 
>>>>>>>>> [Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
>>>>>>>>> [Tue May 16 09:14:42.941501 2017] [:error] [pid 1182] Does the NSS database exist?
>>>>>>>>>
>>>>>>>>> Robert
>>>>>>>>>
>>>>>>>>> On Fri, May 12, 2017 at 11:14 AM Rob Crittenden <rcritten at redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> Robert L. Harris wrote:
>>>>>>>>>> >
>>>>>>>>>> > Hmmm
>>>>>>>>>> >
>>>>>>>>>> > {0}:/var/log>ls
>>>>>>>>>> > anaconda btmp dmesg grubby maillog ppp secure tallylog wtmp
>>>>>>>>>> > audit cron dmesg.old grubby_prune_debug messages rhsm spooler tuned yum.log
>>>>>>>>>> > boot.log cups firewalld lastlog ntpstats samba sssd vmware-vmsvc.log
>>>>>>>>>> >
>>>>>>>>>> > root at ipa
>>>>>>>>>> > {1}:/var/log>rpm -q -l http
>>>>>>>>>> > package http is not installed
>>>>>>>>>> >
>>>>>>>>>> > root at ipa
>>>>>>>>>> > {1}:/var/log>rpm -q -a | grep -i http
>>>>>>>>>> > perl-HTTP-Tiny-0.033-3.el7.noarch
>>>>>>>>>> >
>>>>>>>>>> > root at ipa
>>>>>>>>>> > {0}:/var/log>rpm -q -a | grep -i tomcat
>>>>>>>>>> >
>>>>>>>>>> > Doesn't look like an httpd was installed as a dependency?
>>>>>>>>>>
>>>>>>>>>> I find this very hard to believe given that it got so far as to configure
>>>>>>>>>> things in Apache, restart it, etc. What version of [free]ipa-server is
>>>>>>>>>> installed? How did you install it and from what repo?
>>>>>>>>>>
>>>>>>>>>> rob
>>>>>>>>>>
>>>>>>>>>> > On Fri, May 12, 2017 at 1:17 AM Martin Bašti wrote:
>>>>>>>>>> >
>>>>>>>>>> > That's weird, it should be super fast, anything in
>>>>>>>>>> > /var/log/httpd/error_log?
>>>>>>>>>> >
>>>>>>>>>> > On 11.05.2017 22:23, Robert L. Harris wrote:
>>>>>>>>>> >>
>>>>>>>>>> >> Odd, must have clicked reply instead of reply-all.
>>>>>>>>>> >>
>>>>>>>>>> >> Anyway, I did the revert and re-install. Actual install went
>>>>>>>>>> >> through fine then the "ipa-server-install" ran until this:
>>>>>>>>>> >>
>>>>>>>>>> >> [8/9]: restoring configuration
>>>>>>>>>> >> [9/9]: starting directory server
>>>>>>>>>> >> Done.
>>>>>>>>>> >> Restarting the directory server
>>>>>>>>>> >> Restarting the KDC
>>>>>>>>>> >> Please add records in this file to your DNS system:
>>>>>>>>>> >> /tmp/ipa.system.records.v5Jwrt.db
>>>>>>>>>> >> Restarting the web server
>>>>>>>>>> >> Configuring client side components
>>>>>>>>>> >> Using existing certificate '/etc/ipa/ca.crt'.
>>>>>>>>>> >> Client hostname: ipa.rdlg.net
>>>>>>>>>> >> Realm: RDLG.NET
>>>>>>>>>> >> DNS Domain: rdlg.net
>>>>>>>>>> >> IPA Server: ipa.rdlg.net
>>>>>>>>>> >> BaseDN: dc=rdlg,dc=net
>>>>>>>>>> >>
>>>>>>>>>> >> Skipping synchronizing time with NTP server.
>>>>>>>>>> >> New SSSD config will be created
>>>>>>>>>> >> Configured sudoers in /etc/nsswitch.conf
>>>>>>>>>> >> Configured /etc/sssd/sssd.conf
>>>>>>>>>> >> trying https://ipa.rdlg.net/ipa/json
>>>>>>>>>> >> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json'
>>>>>>>>>> >>
>>>>>>>>>> >> It's been sitting there for a while ( 4 hours? ) I don't see
>>>>>>>>>> >> anything in the ipaserver-install.log, but it's here:
>>>>>>>>>> >> https://pastebin.com/biK1Dmv7
>>>>>>>>>> >>
>>>>>>>>>> >> On Thu, May 11, 2017 at 8:12 AM Martin Bašti <mbasti at redhat.com> wrote:
>>>>>>>>>> >>
>>>>>>>>>> >> Please keep freeipa-users in CC
>>>>>>>>>> >>
>>>>>>>>>> >> Snapshot is always better, so I suggest to use it. Otherwise
>>>>>>>>>> >> there is an option --ignore-last-of-role to unblock
>>>>>>>>>> >> uninstallation.
>>>>>>>>>> >>
>>>>>>>>>> >> Martin
>>>>>>>>>> >>
>>>>>>>>>> >> On 11.05.2017 16:00, Robert L. Harris wrote:
>>>>>>>>>> >>>
>>>>>>>>>> >>> Looks like you hit it, apache didn't have a group:
>>>>>>>>>> >>>
>>>>>>>>>> >>> -- Logs begin at Wed 2017-05-10 19:56:27 MDT, end at Thu 2017-05-11 07:48:27 MDT. --
>>>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Starting The Apache HTTP Server...
>>>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net ipa-httpd-kdcproxy[28808]: ipa : INFO KDC proxy enabled
>>>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net httpd[28809]: AH00544: httpd: bad group name apache
>>>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
>>>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net kill[28812]: kill: cannot find process ""
>>>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service: control process exited, code=exited status=1
>>>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Failed to start The Apache HTTP Server.
>>>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: Unit httpd.service entered failed state.
>>>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net systemd[1]: httpd.service failed.
>>>>>>>>>> >>>
>>>>>>>>>> >>> Thanks, didn't know that command. I tried to continue the
>>>>>>>>>> >>> process:
>>>>>>>>>> >>>
>>>>>>>>>> >>> {0}:/root>ipa-server-install
>>>>>>>>>> >>>
>>>>>>>>>> >>> The log file for this installation can be found in
>>>>>>>>>> >>> /var/log/ipaserver-install.log
>>>>>>>>>> >>> ipa.ipapython.install.cli.install_tool(Server): ERROR IPA
>>>>>>>>>> >>> server is already configured on this system.
>>>>>>>>>> >>> If you want to reinstall the IPA server, please uninstall it
>>>>>>>>>> >>> first using 'ipa-server-install --uninstall'.
>>>>>>>>>> >>> ipa.ipapython.install.cli.install_tool(Server): ERROR The
>>>>>>>>>> >>> ipa-server-install command failed. See
>>>>>>>>>> >>> /var/log/ipaserver-install.log for more information
>>>>>>>>>> >>>
>>>>>>>>>> >>> root at ipa
>>>>>>>>>> >>> {1}:/root>ipa-server-install --uninstall
>>>>>>>>>> >>>
>>>>>>>>>> >>> This is a NON REVERSIBLE operation and will delete all data
>>>>>>>>>> >>> and configuration!
>>>>>>>>>> >>>
>>>>>>>>>> >>> Are you sure you want to continue with the uninstall
>>>>>>>>>> >>> procedure? [no]: yes
>>>>>>>>>> >>> ipa : ERROR Server removal aborted: Deleting this
>>>>>>>>>> >>> server is not allowed as it would leave your installation
>>>>>>>>>> >>> without a CA..
>>>>>>>>>> >>>
>>>>>>>>>> >>> This is a VM and I took a snapshot right before I started the
>>>>>>>>>> >>> install, so I can revert, just make sure to add the apache
>>>>>>>>>> >>> user before starting the install. Or if you have a better
>>>>>>>>>> >>> command to continue the clean-up/install.....
>>>>>>>>>> >>>
>>>>>>>>>> >>> On Thu, May 11, 2017 at 2:19 AM Martin Bašti wrote:
>>>>>>>>>> >>>
>>>>>>>>>> >>> Hello,
>>>>>>>>>> >>>
>>>>>>>>>> >>> comments inline
>>>>>>>>>> >>>
>>>>>>>>>> >>> On 11.05.2017 06:06, Robert L. Harris wrote:
>>>>>>>>>> >>>>
>>>>>>>>>> >>>> Sigh... Sorry, it's been a long day, I thought I put
>>>>>>>>>> >>>> that log in the first pastebin. It's in this one:
>>>>>>>>>> >>>> https://pastebin.com/18PAXXNS
>>>>>>>>>> >>>
>>>>>>>>>> >>> Could you please provide journalctl -u httpd and
>>>>>>>>>> >>> /var/log/httpd/error_log ?
>>>>>>>>>> >>>
>>>>>>>>>> >>>>
>>>>>>>>>> >>>> Also,
>>>>>>>>>> >>>> Anyone else get the constant spam when mailing this
>>>>>>>>>> >>>> list? Got an address to block for it?
>>>>>>>>>> >>>
>>>>>>>>>> >>> Sorry for that, there is a bot mining public archives. We
>>>>>>>>>> >>> plan to resolve this issue but it may take time as we are
>>>>>>>>>> >>> not maintaining our mailman.
>>>>>>>>>> >>>
>>>>>>>>>> >>> Martin
>>>>>>>>>> >>>
>>>>>>>>>> >>>>
>>>>>>>>>> >>>> Robert
>>>>>>>>>> >>>>
>>>>>>>>>> >>>> On Wed, May 10, 2017 at 9:56 PM Lachlan Musicman wrote:
>>>>>>>>>> >>>>
>>>>>>>>>> >>>> Robert, did you look in
>>>>>>>>>> >>>> /var/log/ipaserver-install.log as it says?
>>>>>>>>>> >>>>
>>>>>>>>>> >>>> Was there any other information?
>>>>>>>>>> >>>>
>>>>>>>>>> >>>> cheers
>>>>>>>>>> >>>> L.
>>>>>>>>>> >>>>
>>>>>>>>>> >>>> ------
>>>>>>>>>> >>>> "Mission Statement: To provide hope and inspiration
>>>>>>>>>> >>>> for collective action, to build collective power, to
>>>>>>>>>> >>>> achieve collective transformation, rooted in grief
>>>>>>>>>> >>>> and rage but pointed towards vision and dreams."
>>>>>>>>>> >>>>
>>>>>>>>>> >>>> - Patrice Cullors, /Black Lives Matter founder/
>>>>>>>>>> >>>>
>>>>>>>>>> >>>> On 11 May 2017 at 13:24, Robert L. Harris wrote:
>>>>>>>>>> >>>>
>>>>>>>>>> >>>> Ok, I gave up on Ubuntu. I'm now trying the
>>>>>>>>>> >>>> latest CentOS7. I built out a "minimal server"
>>>>>>>>>> >>>> with some normal base packages which did include
>>>>>>>>>> >>>> the freeipa-client but otherwise, just standard
>>>>>>>>>> >>>> tools. Here's a pastebin of the output of the
>>>>>>>>>> >>>> install: https://pastebin.com/zAWCgkUU
>>>>>>>>>> >>>>
>>>>>>>>>> >>>> Robert
>>>>>>>>>> >>>>
>>>>>>>>>> >>>
>>>>>>>>>> >>> --
>>>>>>>>>> >>> Martin Bašti
>>>>>>>>>> >>> Software Engineer
>>>>>>>>>> >>> Red Hat Czech
>>>>>>>>>> >>>
>>>>>>>>>> >>
>>>>>>>>>> >> --
>>>>>>>>>> >> Martin Bašti
>>>>>>>>>> >> Software Engineer
>>>>>>>>>> >> Red Hat Czech
>>>>>>>>>> >>
>>>>>>>>>> >
>>>>>>>>>> > --
>>>>>>>>>> > Martin Bašti
>>>>>>>>>> > Software Engineer
>>>>>>>>>> > Red Hat Czech
>>>>>>>>>> >

Hi,

Apologies if this has been asked already, but are the file permissions correct for the alias file it is complaining about? If the process cannot read the file it will fail.

It's also worth checking the SELinux context in case it needs a relabel. And check it's not immutable for some reason.

$ ls -lZ /etc/httpd/alias
$ lsattr /etc/httpd/alias

I have just installed FreeIPA in CentOS 7 myself without any problems. So this seems like an odd error to get.

Cheers,
Dagan McGregor

From vdel at us.ibm.com Tue May 16 21:48:58 2017
From: vdel at us.ibm.com (Vinny Del Signore)
Date: Tue, 16 May 2017 17:48:58 -0400
Subject: [Freeipa-users] Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
Message-ID:

Hello all,

I was hoping someone may have seen this issue or suggest how to further troubleshoot. We had FreeIPA configured a few years ago by a team that is now gone. Several months ago we had an issue where passwords seemed to expire and authentication started failing for users. For example we were not able to login to the LDAP server via ssh as an LDAP user, shows "Permission denied":

[fred at fred ~]$ ssh cr0777kk at biobb-ss
cr0777kk at biobb-ss's password:
Permission denied, please try again.
cr0777kk at biobb-ss's password:
Permission denied, please try again.
cr0777kk at biobb-ss's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[fred at fred ~]$

We checked the user status in LDAP and it is not locked and has the correct permissions. Then we noticed that the server is marked as LOCKED by kerberos in kerberos log:

[/var/log/krb5kdc.log]
root ldap-p1? ~ # grep biobb-ss /var/log/krb5kdc.log | tail
May 16 15:49:51 ldap-p1.freeipa.example.com krb5kdc[20459](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.53: LOCKED_OUT: host/biobb-ss.freeipa.example.com at FREEIPA.EXAMPLE.COM for krbtgt/FREEIPA.EXAMPLE.COM at FREEIPA.EXAMPLE.COM, Clients credentials have been revoked
May 16 15:50:59 ldap-p1.freeipa.example.com krb5kdc[20459](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.53: LOCKED_OUT: host/biobb-ss.freeipa.example.com at FREEIPA.EXAMPLE.COM for krbtgt/FREEIPA.EXAMPLE.COM at FREEIPA.EXAMPLE.COM, Clients credentials have been revoked
May 16 15:50:59 ldap-p1.freeipa.example.com krb5kdc[20457](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.53: LOCKED_OUT: host/biobb-ss.freeipa.example.com at FREEIPA.EXAMPLE.COM for krbtgt/FREEIPA.EXAMPLE.COM at FREEIPA.EXAMPLE.COM, Clients credentials have been revoked
May 16 15:50:59 ldap-p1.freeipa.example.com krb5kdc[20458](info): AS_REQ (4 etypes {18 17 16 23}) 10.107.179.53: LOCKED_OUT: host/biobb-ss.freeipa.example.com at FREEIPA.EXAMPLE.COM for krbtgt/FREEIPA.EXAMPLE.COM at FREEIPA.EXAMPLE.COM, Clients credentials have been revoked
root ldap-p1? ~ #

For this we have a workaround, which is to re-enroll the server in the LDAP DB. On the LDAP server, we execute these commands:

# kinit
# ipa host-del biobb-ss.freeipa.example.com
# ipa host-add biobb-ss.freeipa.example.com --password xxxxxxxxxxx
# ipa hostgroup-add-member dev --hosts=biobb-ss.freeipa.example.com

This was working for a couple of months, but now when we try the second command (to delete the server from the LDAP DB), it fails. And if we re-execute the same command it shows different errors, in the order below.

Here is what we see now:

# ipa host-del host.freeipa.example.comm
# ipa: ERROR: cannot connect to 'https://host.freeipa.example.com:443/ca/agent/ca/displayBySerial': (SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.

# ipa host-del host.freeipa.example.comm
# ipa: ERROR: cannot connect to 'https://host.freeipa.example.com:443/ca/agent/ca/displayBySerial': (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.

# ipa host-del host.freeipa.example.comm
# ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.

Any help appreciated. Thank you in advance.

-Vin

From jason at tresgeek.net Tue May 16 22:02:46 2017
From: jason at tresgeek.net (Jason B. Nance)
Date: Tue, 16 May 2017 17:02:46 -0500 (CDT)
Subject: [Freeipa-users] Confused: LDAP authentication of AD users
In-Reply-To: <19ABE7D3-63E3-44E4-9827-94544710AAD4@cazena.com>
References: <19ABE7D3-63E3-44E4-9827-94544710AAD4@cazena.com>
Message-ID: <1282682243.2961.1494972166681.JavaMail.zimbra@tresgeek.net>

Hi Dan

> With a one-way trust from FreeIPA 4.4 to Active Directory on WinServ2012r2, I am
> trying to use FreeIPA LDAP for user authentication.
> Is that supposed to work?

In the way you have described it, no. AD users/groups will not be in the FreeIPA LDAP. So attempting to authenticate a Windows user by pointing an LDAP client at a FreeIPA server will fail.

Installing the FreeIPA client on a Linux host and enrolling it in an IPA domain with a trust to an Active Directory domain will allow you to authenticate Windows users on the Linux host. This is done using SSSD, among other things.

Regards,

j

From andrew.holway at gmail.com Tue May 16 23:53:42 2017
From: andrew.holway at gmail.com (Andrew Holway)
Date: Wed, 17 May 2017 01:53:42 +0200
Subject: [Freeipa-users] Spam
Message-ID:

What's up with this weird spam. This is the only list where I see this.

From vdel at us.ibm.com Wed May 17 00:15:12 2017
From: vdel at us.ibm.com (Vinny Del Signore)
Date: Tue, 16 May 2017 20:15:12 -0400
Subject: [Freeipa-users] Spam
In-Reply-To:
References:
Message-ID:

Hi Andrew,

I just sent my first mail today around 5:30pm EST and have already received five spam e-mails from "Amy Kristen". Three of these included nude photos. These are the two e-mail addresses used so far. Hoping this stops.

-Vin

Amy Kristen
Amy Kristen

Vin

From: Andrew Holway
To: "freeipa-users at redhat.com"
Date: 05/16/2017 07:54 PM
Subject: [Freeipa-users] Spam
Sent by: freeipa-users-bounces at redhat.com

What's up with this weird spam. This is the only list where I see this.

From dudin.andrey at gmail.com Wed May 17 01:56:28 2017
From: dudin.andrey at gmail.com (Andrey Dudin)
Date: Wed, 17 May 2017 01:56:28 +0000
Subject: [Freeipa-users] Spam
In-Reply-To:
References:
Message-ID:

Me too. I received a lot of spam messages from Amy Kristen.

Wed, 17 May 2017 at 3:16, Vinny Del Signore :

> Hi Andrew,
>
> I just sent my first mail today around 5:30pm EST and have already
> received five spam e-mails from "Amy Kristen". Three of these included nude
> photos. These are the two e-mail addresses used so far. Hoping this stops.
>
> -Vin
>
> Amy Kristen
> Amy Kristen
>
> *Vin*
>
> From: Andrew Holway
> To: "freeipa-users at redhat.com"
> Date: 05/16/2017 07:54 PM
> Subject: [Freeipa-users] Spam
> Sent by: freeipa-users-bounces at redhat.com
> ------------------------------
>
> What's up with this weird spam. This is the only list where I see this.

--
Best regards, Dudin Andrey

From christopher.lamb at ch.ibm.com Wed May 17 04:24:55 2017
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Wed, 17 May 2017 06:24:55 +0200
Subject: [Freeipa-users] Spam
In-Reply-To:
References:
Message-ID:

.... and I was feeling left out because I wasn't getting any spam, despite other users reporting it.

Then I posted a new thread a few days ago, and within seconds I got several spams, and did so for each post I made on that thread.

So as far as I can see something is picking up fresh posts, and responding to those. I will probably get another dose (of spam) following this post .....

Chris

From: Andrey Dudin
To: Andrew Holway , Vinny Del Signore
Cc: "freeipa-users at redhat.com"
Date: 17/05/2017 03:58
Subject: Re: [Freeipa-users] Spam
Sent by: freeipa-users-bounces at redhat.com

Me too. I received a lot of spam messages from Amy Kristen.

Wed, 17 May 2017 at 3:16, Vinny Del Signore :

Hi Andrew,

I just sent my first mail today around 5:30pm EST and have already received five spam e-mails from "Amy Kristen". Three of these included nude photos. These are the two e-mail addresses used so far. Hoping this stops.

-Vin

Amy Kristen
Amy Kristen

Vin

From: Andrew Holway
To: "freeipa-users at redhat.com"
Date: 05/16/2017 07:54 PM
Subject: [Freeipa-users] Spam
Sent by: freeipa-users-bounces at redhat.com

What's up with this weird spam. This is the only list where I see this.

--
Best regards, Dudin Andrey

From christopher.lamb at ch.ibm.com Wed May 17 04:34:56 2017
From: christopher.lamb at ch.ibm.com (Christopher Lamb)
Date: Wed, 17 May 2017 06:34:56 +0200
Subject: [Freeipa-users] Spam
In-Reply-To:
References:
Message-ID:

to be more precise, a few minutes after I post, and a few seconds after I get the mail with my post from freeipa-users

From: Christopher Lamb/Switzerland/IBM at IBMCH
To: "freeipa-users at redhat.com"
Date: 17/05/2017 06:26
Subject: Re: [Freeipa-users] Spam
Sent by: freeipa-users-bounces at redhat.com

.... and I was feeling left out because I wasn't getting any spam, despite other users reporting it.

Then I posted a new thread a few days ago, and within seconds I got several spams, and did so for each post I made on that thread.

So as far as I can see something is picking up fresh posts, and responding to those. I will probably get another dose (of spam) following this post .....

Chris

From: Andrey Dudin
To: Andrew Holway , Vinny Del Signore
Cc: "freeipa-users at redhat.com"
Date: 17/05/2017 03:58
Subject: Re: [Freeipa-users] Spam
Sent by: freeipa-users-bounces at redhat.com

Me too. I received a lot of spam messages from Amy Kristen.

Wed, 17 May 2017 at 3:16, Vinny Del Signore :

Hi Andrew,

I just sent my first mail today around 5:30pm EST and have already received five spam e-mails from "Amy Kristen". Three of these included nude photos. These are the two e-mail addresses used so far. Hoping this stops.

-Vin

Amy Kristen
Amy Kristen

Vin

From: Andrew Holway
To: "freeipa-users at redhat.com"
Date: 05/16/2017 07:54 PM
Subject: [Freeipa-users] Spam
Sent by: freeipa-users-bounces at redhat.com

What's up with this weird spam. This is the only list where I see this.

--
Best regards, Dudin Andrey

From abokovoy at redhat.com Wed May 17 04:39:41 2017
From: abokovoy at redhat.com (Alexander Bokovoy)
Date: Wed, 17 May 2017 07:39:41 +0300
Subject: [Freeipa-users] Spam
In-Reply-To:
References:
Message-ID: <20170517043941.aoyifw27jldly4vg@redhat.com>

On Wed, 17 May 2017, Christopher Lamb wrote:
>.... and I was feeling left out because I wasn't getting any spam, despite
>other users reporting it.
>
>Then I posted a new thread a few days ago, and within seconds I got several
>spams, and did so for each post I made on that thread.
>
>So as far as I can see something is picking up fresh posts, and
>responding to those. I will probably get another dose (of spam) following
>this post .....

We discussed this topic multiple times in the past on this list, you can check archives for details.

There is no subscribed person that spams. It is a bot using archives to retrieve emails.

We are in a process to migrate to a different mail list provider (lists.fedoraproject.org) this week, you'll get a notification soon.
--
/ Alexander Bokovoy

From BJB at jndata.dk Wed May 17 05:29:37 2017
From: BJB at jndata.dk (Bjarne Blichfeldt)
Date: Wed, 17 May 2017 05:29:37 +0000
Subject: [Freeipa-users] IPA Compat + ID Views + AIX 7.1
In-Reply-To:
References: <2CA71D6C07ADB544847562573DC6BF062B3D3796@CPEMS-KPN309.KPNCNL.LOCAL> <2CA71D6C07ADB544847562573DC6BF062B3D39EA@CPEMS-KPN309.KPNCNL.LOCAL> <89213DDB84447F44A8E8950A5C2185E04CD67C91@SJN01013.jnmain00.corp.jndata.net>
Message-ID: <89213DDB84447F44A8E8950A5C2185E04CD790D8@SJN01013.jnmain00.corp.jndata.net>

Thank you for pointing that out. I should of course have been more specific: native aix sudo does not support ldap and therefore sudorules from ldap, but it is possible to install a different sudo version with ldap enabled.

Unfortunately, in our case, using external rpm's is not an option.

Regards
Bjarne Blichfeldt.

From: Luiz Fernando Vianna da Silva [mailto:luiz.vianna at tivit.com.br]
Sent: 16 May 2017 16:43
To: Bjarne Blichfeldt ; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

As far as I found out, it is not possible to integrate sudo rules from IPA into AIX. sudo on aix does not support that. You will have to maintain /etc/sudoers by some other means.

That's where you are mistaken. It is possible to integrate sudo rules into AIX, I've done it and have documented it here: https://www.freeipa.org/page/SUDO_Integration_for_AIX

Give it a try, it's a fairly simple procedure.

P.S. IBM has recently pimped the AIX toolbox RPMs and even implemented it as a YUM server. I haven't tried using these new RPMs yet to see if they work with sudo integration. If you want to keep it safe, use perzl RPMs as I describe on the documentation. If you want, and I would appreciate it if you would, give the new RPMs from toolbox a go and if it works please update the documentation, or send me your notes and I'll update it.

Best Regards
__________________________________________
Luiz Fernando Vianna da Silva

On 15-05-2017 02:53, Bjarne Blichfeldt wrote:

We have a working setup on three aix servers and by comparing our config with yours, I see the following differences:

LDAP:

/etc/security/ldap/ldap.cfg :
userattrmappath:/etc/security/ldap/FreeIPAuser.map
groupattrmappath:/etc/security/ldap/FreeIPAgroup.map
userclasses:posixaccount

/etc/security/ldap/FreeIPAuser.map:
#FreeIPAuser.map file
# https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_AIX.html
keyobjectclass SEC_CHAR posixaccount s
# The following attributes are required by AIX to be functional
username SEC_CHAR uid s
id SEC_INT uidnumber s
pgrp SEC_CHAR gidnumber s
home SEC_CHAR homedirectory s
shell SEC_CHAR loginshell s
gecos SEC_CHAR gecos s
spassword SEC_CHAR userpassword s
lastupdate SEC_INT shadowlastchange s

/etc/security/ldap/FreeIPAgroup.map:
#FreeIPAgroup.map file
# https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_AIX.html
groupname SEC_CHAR cn s
id SEC_INT gidNumber s
users SEC_LIST member m

To test if the ldap is working:
ls-secldapclntd
lsldap -a passwd
lsuser -R LDAP ALL

KERBEROS:

/etc/methods.cfg:
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes

Add Kerberos to authorized authentication entities and verify:
chauthent -k5 -std
#Verify
lsauthent
Kerberos 5
Standard Aix

To test:
lsuser -R KRB5LDAP

Configure aix to create homedir during login:

/etc/security/login.cfg:
mkhomeatlogin = true

usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/sliplogin,/usr/sbin/uucp/uucico,/usr/sbin/snappd
        maxlogins = 32767
        logintimeout = 30
        maxroles = 8
        auth_type = STD_AUTH
        mkhomeatlogin = true

Also remember: user can be locked in AIX so use smitty to unlock user and reset login attempts.

As far as I found out, it is not possible to integrate sudo rules from IPA into AIX. sudo on aix does not support that. You will have to maintain /etc/sudoers by some other means.

Hope that helps, good luck.

Regards
Bjarne Blichfeldt.

From: wouter.hummelink at kpn.com [mailto:wouter.hummelink at kpn.com]
Sent: 12 May 2017 16:03
To: iulian.roman at gmail.com
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

Yes, kinit works with IPA users.

GSSAPI authentication is not keeping it simple, since we want passwords to work before trying TGS based logins over GSSAPI.

The keytab works since lsuser is still able to get user data. (Documentation specifies that enabling krb5 in ldap.cfg makes the bind user and password moot, secldapclntd uses krb5 to identify itself to IPA)

Also we are able to kinit host/aixlpar.example.org at EXAMPLE.ORG -kt /etc/krb5/krb5.keytab

We can try using su from an unprivileged user, but su has some different issues altogether, it doesn't like @ in usernames which we need at the next stage (integrating AD Trust)

From: Iulian Roman [mailto:iulian.roman at gmail.com]
Sent: Friday 12 May 2017 15:56
To: Hummelink, Wouter
Cc: luiz.vianna at tivit.com.br; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

On Fri, May 12, 2017 at 3:31 PM, > wrote:

The shell is shown correctly as ksh in lsuser, so that doesn't appear to be an issue for the ID view.

My advice would be to start simple, prove that your authentication works and you can develop a more elaborated setup afterwards. If you combine them all together it will be a trial and error which eventually will work at some point.

Do you have the correct keytabs in /etc/krb5/krb5.keytab ?
can you run kinit (with password and with the keytab) from aix and get a ticket from Kerberos ?
can you su to an IPA account ?
do you have GSSAPIAuthentication enabled in sshd_config ?

From what you've described I would suspect that your keytab is not correct, but that should be confirmed only by answering the questions above.

Sent from my Samsung device

-------- Original message --------
From: Luiz Fernando Vianna da Silva >
Date: 12-05-17 15:03 (GMT+01:00)
To: "Hummelink, Wouter" >, freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA Compat + ID Views + AIX 7.1

Hello Wouter.

It may seem silly, but try installing bash on one AIX server and test authenticating against that one. It's a single rpm with no dependencies.

For me it did the trick and I ended up doing that on all my AIX servers.

Let me know how it goes or if you have any issues.

Best Regards
__________________________________________
Luiz Fernando Vianna da Silva

On 12-05-2017 09:47, wouter.hummelink at kpn.com wrote:

Hi All,

We're running a POC to integrate IPA and AIX using AIX KRB5LDAP compound module. All the moving parts seem to be working on their own, however logging in doesn't work with SSH on AIX reporting Failed password for user

We're using ID views to overwrite the user shell and home dirs. (Since AIX will refuse a login with a nonexisting shell (like bash))

AIX's lsuser command is able to find all of the users it's supposed to and su to IPA users works. Also when a user tries to log in I can see a successful Kerberos conversation to our IPA server.

Tips for troubleshooting would be much appreciated, increasing SSH log level did not produce any meaningful logging.

=============== Configuration Excerpt ================================================================

/etc/security/ldap/ldap.cfg:
ldapservers:ipaserver.example.org
binddn:uid=srvc-aixservice,cn=users,cn=accounts,dc=example,dc=org
bindpwd:{DESv2}
authtype:ldap_auth
useSSL:TLS
ldapsslkeyf:/etc/security/ldap/example.kdb
ldapsslkeypwd:{DESv2}4688216124E33174C03FBBB420 88FA8 932F219867AA7C2C552A12BEEC0CC67
useKRB5:yes
krbprincipal:host/aixlpar.example.org
krbkeypath:/etc/krb5/krb5.keytab
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userbasedn:cn=users,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
groupbasedn:cn=groups,cn=aixtest,cn=views,cn=compat,dc=example,dc=org
netgroupbasedn:cn=ng,cn=compat,dc=example,dc=org
automountbasedn:cn=default,cn=automount,dc=example,dc=org
etherbasedn:cn=computers,cn=accounts,dc=example,dc=org
userclasses:posixaccount,account,shadowaccount
groupclasses:posixgroup
ldapport:389
searchmode:ALL
defaultentrylocation:LDAP

/etc/security/user
default:
        SYSTEM = KRB5LDAP or compat

/etc/methods.cfg
LDAP:
        program = /usr/lib/security/LDAP
        program_64 =/usr/lib/security/LDAP64
NIS:
        program = /usr/lib/security/NIS
        program_64 = /usr/lib/security/NIS_64
DCE:
        program = /usr/lib/security/DCE
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no
KRB5LDAP:
        options = auth=KRB5,db=LDAP

Kind regards,

Wouter Hummelink
Technical Consultant - Enterprise Webhosting / Tooling & Automation
T: +31-6-12882447
E: wouter.hummelink at kpn.com
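
The by-eye comparison of the two AIX setups in the message above, as an added Python example that is not part of the thread or of any AIX or FreeIPA tooling: it parses the `ldap.cfg` and `methods.cfg` excerpts both posters quoted (embedded below as constructed sample input) and reports only the settings that differ. All function names are hypothetical, and treating `*` as the comment marker in `methods.cfg` is an assumption.

```python
"""Diff the AIX LDAP/Kerberos settings quoted by two posters in this thread."""

# Constructed sample input: settings copied from the two configurations quoted
# in the thread (the working setup, and the one whose SSH logins fail).
WORKING_LDAP_CFG = """\
userattrmappath:/etc/security/ldap/FreeIPAuser.map
groupattrmappath:/etc/security/ldap/FreeIPAgroup.map
userclasses:posixaccount
"""
FAILING_LDAP_CFG = """\
authtype:ldap_auth
useSSL:TLS
useKRB5:yes
krbkeypath:/etc/krb5/krb5.keytab
userattrmappath:/etc/security/ldap/2307user.map
groupattrmappath:/etc/security/ldap/2307group.map
userclasses:posixaccount,account,shadowaccount
groupclasses:posixgroup
"""
WORKING_METHODS_CFG = """\
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes
"""
FAILING_METHODS_CFG = """\
LDAP:
        program = /usr/lib/security/LDAP
        program_64 =/usr/lib/security/LDAP64
KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,is_kadmind_compat=no,tgt_verify=yes,kadmind=no,keep_creds=yes,allow_expired_pwd=no
KRB5LDAP:
        options = auth=KRB5,db=LDAP
"""


def parse_ldap_cfg(text):
    """ldap.cfg as quoted: one 'key:value' per line, '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")  # split on the first ':' only
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def parse_methods_cfg(text):
    """methods.cfg as quoted: 'NAME:' stanza headers, then 'attr = value' lines."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):  # assumption: '*' marks a comment
            continue
        if "=" in line and current is not None:
            attr, _, value = line.partition("=")  # value may itself contain '='
            stanzas[current][attr.strip()] = value.strip()
        elif line.endswith(":"):
            current = line[:-1].strip()
            stanzas[current] = {}
    return stanzas


def parse_options(value):
    """Split 'authonly,tgt_verify=no' into {'authonly': True, 'tgt_verify': 'no'}."""
    options = {}
    for item in (part.strip() for part in value.split(",")):
        if item:
            name, sep, val = item.partition("=")
            options[name] = val if sep else True
    return options


def diff_settings(left, right, shared_only=False):
    """Map each differing key to (left, right); None means 'not set on that side'."""
    keys = set(left) & set(right) if shared_only else set(left) | set(right)
    return {k: (left.get(k), right.get(k))
            for k in sorted(keys) if left.get(k) != right.get(k)}


def compare_thread_configs(stanza="KRB5"):
    """Return (ldap.cfg differences, differences in the stanza's options)."""
    # The working ldap.cfg is only an excerpt, so compare keys both sides list.
    ldap_diff = diff_settings(parse_ldap_cfg(WORKING_LDAP_CFG),
                              parse_ldap_cfg(FAILING_LDAP_CFG), shared_only=True)
    working = parse_methods_cfg(WORKING_METHODS_CFG).get(stanza, {})
    failing = parse_methods_cfg(FAILING_METHODS_CFG).get(stanza, {})
    option_diff = diff_settings(parse_options(working.get("options", "")),
                                parse_options(failing.get("options", "")))
    return ldap_diff, option_diff


if __name__ == "__main__":
    ldap_diff, option_diff = compare_thread_configs()
    for title, diff in (("ldap.cfg", ldap_diff), ("methods.cfg KRB5 options", option_diff)):
        print(title)
        for key, (working, failing) in diff.items():
            print(f"  {key}: working={working!r} failing={failing!r}")
```

The output is a list of differences to investigate one at a time; it does not say which difference, if any, causes the failed SSH logins.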
URL:

From Lakshan.Jayasekara at lankaclear.com Wed May 17 05:23:19 2017
From: Lakshan.Jayasekara at lankaclear.com (Lakshan Jayasekara)
Date: Wed, 17 May 2017 05:23:19 +0000
Subject: [Freeipa-users] CentOS patch management on FreeIPA server
Message-ID: <84e5f6dd7109400ca8106bf9da6ef06d@lankaclear.com>

Hi All,

I'm using FreeIPA server VERSION: 4.4.0, API_VERSION: 2.213 and running on CentOS 7 and have one replica server as well. I need to patch up centos system as per PCI DSS compliance. Let me know whether I can proceed as usual or to follow any sequential steps to achieve the task.

Lakshanth Chandika Jayasekara
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From datakid at gmail.com Wed May 17 06:04:00 2017
From: datakid at gmail.com (Lachlan Musicman)
Date: Wed, 17 May 2017 16:04:00 +1000
Subject: [Freeipa-users] CentOS patch management on FreeIPA server
In-Reply-To: <84e5f6dd7109400ca8106bf9da6ef06d@lankaclear.com>
References: <84e5f6dd7109400ca8106bf9da6ef06d@lankaclear.com>
Message-ID:

On 17 May 2017 at 15:23, Lakshan Jayasekara <Lakshan.Jayasekara at lankaclear.com> wrote:
>
> Hi All,
>
> I'm using FreeIPA server VERSION: 4.4.0, API_VERSION: 2.213 and running on CentOS 7 and have one replica server as well. I need to patch up centos system as per PCI DSS compliance. Let me know whether I can proceed as usual or to follow any sequential steps to achieve the task.

Lakshanth,

You should always have appropriate backup and restore procedures that are good for you.

Having said that, I regularly update our IPA server with patches (via Katello/Foreman) without a problem. I think I even "yum update"d from IPA 4.2 to 4.4 and it just worked.

cheers
L.

------
"Mission Statement: To provide hope and inspiration for collective action, to build collective power, to achieve collective transformation, rooted in grief and rage but pointed towards vision and dreams."
- Patrice Cullors, Black Lives Matter founder
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From sbose at redhat.com Wed May 17 09:17:34 2017
From: sbose at redhat.com (Sumit Bose)
Date: Wed, 17 May 2017 11:17:34 +0200
Subject: [Freeipa-users] Password and OTP auth
In-Reply-To:
References: <20170516141658.GB32195@p.Speedport_W_724V_Typ_A_05011603_00_011>
Message-ID: <20170517091734.GD32195@p.Speedport_W_724V_Typ_A_05011603_00_011>

On Tue, May 16, 2017 at 06:05:06PM +0300, Andrey Dudin wrote:
> Thanks, but I think I have a problem.
>
> I have test user:
>
> [root at ipa-centos]# ipa user-show test
> User login: test
> First name: test
> Last name: test
> Home directory: /home/test
> Login shell: /bin/sh
> Principal name: test at MYDOMAIN.COM
> Principal alias: test at MYDOMAIN.COM
> Email address: test at mydomain.com
> UID: 152200001
> GID: 152200001

As mentioned in the other thread there should be a listing of user auth
types here. Please try

    ipa user-mod test --user-auth-type=password --user-auth-type=otp

to allow both password and 2-factor/otp authentication.

> Account disabled: False
> Password: True
> Member of groups: trust admins, ipausers, admins
> Kerberos keys available: True
>
>
> And test host:
>
> [root at ipa-centos]# ipa host-show ipa-client.mydomain.com
> Host name: ipa-client.mydomain.com
> Principal name: host/ipa-client.mydomain.com at MYDOMAIN.COM
> Principal alias: host/ipa-client.mydomain.com at MYDOMAIN.COM
> SSH public key fingerprint: %SOME FINGERPRINTS%
> Authentication Indicators: otp
> Password: False
> Keytab: True
> Managed by: ipa-client.mydomain.com
>
>
> When I trying to login to ipa-client.mydomain.com with password+otptoken I
> have error:
>
> [mynotebook]$ ssh test at ipa-client.mydomain.com
> test at ipa-client.mydomain.com's password:

Please check if ChallengeResponseAuthentication is enabled in
/etc/ssh/sshd_config on ipa-client.mydomain.com. If not please enable it
by setting 'ChallengeResponseAuthentication yes'.

> Permission denied, please try again.
>
>
> Same if I trying to use just password.
>
> On ipa server in krb5kdc.log I see:
>
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16
> 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: test at MYDOMAIN.COM for krbtgt/
> MYDOMAIN.COM at MYDOMAIN.COM, Additional pre-authentication required
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16
> 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: test at MYDOMAIN.COM for krbtgt/
> MYDOMAIN.COM at MYDOMAIN.COM, Additional pre-authentication required
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16
> 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18
> ses=18}, test at MYDOMAIN.COM for krbtgt/MYDOMAIN.COM at MYDOMAIN.COM
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16
> 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853,
> test at MYDOMAIN.COM for host/ipa-client.mydomain.com at MYDOMAIN.COM, Required
> auth indicators not present in ticket: otp

The otp authentication indicator is missing in the Kerberos ticket of
the user. I assume that the ticket was requested only with the password.
Please see above what might be missing.

HTH

bye,
Sumit

> May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16
> 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853,
> test at MYDOMAIN.COM for host/ipa-client.mydomain.com at MYDOMAIN.COM, Required
> auth indicators not present in ticket: otp
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
>
> What's wrong?
>
> 2017-05-16 17:16 GMT+03:00 Sumit Bose :
>
> > On Tue, May 16, 2017 at 04:48:42PM +0300, Andrey Dudin wrote:
> > > Hello all.
> > >
> > > tell me please. Is it possible to use password and otp auth at the one
> > > moment?
> > >
> > > For example I have DEV/STAGE servers and want to be able use password
> > auth
> > > for ssh, but for PROD servers I want to use OTP auth for same user.
> >
> > Authentication indicators can be used for this. If you add
> >
> >     ipa host-mod --auth-ind=otp prod.server
> >
> > Only 2-factor authentication should be possible on prod.server. But
> > please note that e.g. ssh-key based authentication will still be
> > possible as well.
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
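
The krb5kdc.log lines quoted in the message above show what an --auth-ind policy refusal looks like on the KDC: a TGS_REQ answered with HIGHER_AUTHENTICATION_REQUIRED. As an added example (not part of the thread and not FreeIPA code), this Python script finds those refusals and ties each one to the AS_REQ that issued the ticket through the shared authtime. The sample log is constructed, and the function names, realm and hosts are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the krb5kdc.log layout quoted in the thread.
# Realm, hosts and users are hypothetical; real logs carry "@" in principals.
SAMPLE_LOG = """\
May 16 11:00:53 kdc1 krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
May 16 11:00:53 kdc1 krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 kdc1 krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
May 16 11:00:53 kdc1 krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, test@EXAMPLE.TEST for host/prod.example.test@EXAMPLE.TEST, Required auth indicators not present in ticket: otp
May 16 11:00:53 kdc1 krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, test@EXAMPLE.TEST for host/prod.example.test@EXAMPLE.TEST, Required auth indicators not present in ticket: otp
May 16 11:02:10 kdc1 krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.30: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, test@EXAMPLE.TEST for host/dev.example.test@EXAMPLE.TEST
May 16 11:05:41 kdc1 krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.40: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494940000, alice@EXAMPLE.TEST for host/prod.example.test@EXAMPLE.TEST, Required auth indicators not present in ticket: otp
"""

# One KDC request line: timestamp, host, krb5kdc[pid](level), request type,
# etype list, source address, status keyword, then free-form detail.
REQ_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\skrb5kdc\[\d+\]\(\w+\):\s"
    r"(?P<req>AS_REQ|TGS_REQ)\s\(.*?\)\s(?P<src>\S+):\s"
    r"(?P<status>[A-Z_]+):\s(?P<rest>.*)$"
)
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<service>[^,\s]+)")
AUTHTIME_RE = re.compile(r"authtime (\d+)")
MISSING_RE = re.compile(r"Required auth indicators not present in ticket: (.+)$")


def parse_kdc_requests(text):
    """Yield one dict per AS_REQ/TGS_REQ line; other lines are skipped."""
    for line in text.splitlines():
        m = REQ_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        princ = PRINC_RE.search(rest)
        authtime = AUTHTIME_RE.search(rest)
        missing = MISSING_RE.search(rest)
        yield {
            "req": m.group("req"),
            "src": m.group("src"),
            "status": m.group("status"),
            "client": princ.group("client") if princ else None,
            "service": princ.group("service") if princ else None,
            "authtime": int(authtime.group(1)) if authtime else None,
            # Assumption: several indicators are separated by whitespace.
            "missing": tuple(missing.group(1).split()) if missing else (),
        }


def find_indicator_rejections(text):
    """Group service-ticket refusals caused by a missing auth indicator."""
    events = list(parse_kdc_requests(text))
    # TGTs whose issuance is visible in this log, keyed by client and authtime.
    tgts = {(e["client"], e["authtime"]) for e in events
            if e["req"] == "AS_REQ" and e["status"] == "ISSUE"}
    counts = Counter()
    for e in events:
        if e["req"] == "TGS_REQ" and e["status"] == "HIGHER_AUTHENTICATION_REQUIRED":
            counts[(e["client"], e["service"], e["missing"],
                    e["src"], e["authtime"])] += 1
    return [
        {"client": client, "service": service, "missing": list(missing),
         "src": src, "attempts": n,
         # True: the TGT was issued in this log and lacked the indicator,
         # i.e. the user pre-authenticated without the required factor.
         "tgt_issue_in_log": (client, authtime) in tgts}
        for (client, service, missing, src, authtime), n in counts.items()
    ]


if __name__ == "__main__":
    for r in find_indicator_rejections(SAMPLE_LOG):
        print(r)
```

A refusal with `tgt_issue_in_log` set to false means the ticket was obtained before the log window or on another KDC, so the AS_REQ has to be looked up there.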
From dudin.andrey at gmail.com Wed May 17 10:06:11 2017 From: dudin.andrey at gmail.com (Andrey Dudin) Date: Wed, 17 May 2017 13:06:11 +0300 Subject: [Freeipa-users] Password and OTP auth In-Reply-To: <20170517091734.GD32195@p.Speedport_W_724V_Typ_A_05011603_00_011> References: <20170516141658.GB32195@p.Speedport_W_724V_Typ_A_05011603_00_011> <20170517091734.GD32195@p.Speedport_W_724V_Typ_A_05011603_00_011> Message-ID: Hello If I do ipa user-mod test --user-auth-type=password --user-auth-type=otp I have user: [root at ipa-centos]# ipa user-show test User login: test First name: test Last name: test Home directory: /home/test Login shell: /bin/sh Principal name: test at MYDOMAIN.COM Principal alias: test at MYDOMAIN.COM Email address: test at mydomain.com UID: 152200001 GID: 152200001 User authentication types: otp, password Account disabled: False Password: True Member of groups: trust admins, ipausers, admins Kerberos keys available: True I can login into ipa-client.mydomain.com to ssh using password+otp token, but for login to IPA Web UI I also need password+otp. I need just password for IPA Web UI and password+otp token for ssh on ipa-client.mydomain.com. 
[root at ipa-centos]# ipa service-show HTTP/ ipa-centos.mydomain.com at MYDOMAIN.COM --raw krbcanonicalname: HTTP/ipa-centos.mydomain.com at MYDOMAIN.COM krbprincipalname: HTTP/ipa-centos.mydomain.com at MYDOMAIN.COM usercertificate: %cert% subject: CN=ipa-centos.mydomain.com,O=MYDOMAIN.COM serial_number: 9 serial_number_hex: 0x9 issuer: CN=Certificate Authority,O=MYDOMAIN.COM valid_not_before: Tue May 16 11:32:36 2017 UTC valid_not_after: Fri May 17 11:32:36 2019 UTC md5_fingerprint: e8:76:3b:a7:94:37:2e:e1:c8:ed:a1:87:38:16:65:e1 sha1_fingerprint: de:65:18:38:23:5e:8a:0d:49:2c:eb:de:64:0a:61:eb:61:bd:ea:04 krbprincipalauthind: password has_keytab: TRUE managedby: fqdn=ipa-centos.mydomain.com ,cn=computers,cn=accounts,dc=dev,dc=olabs,dc=global 2017-05-17 12:17 GMT+03:00 Sumit Bose : > On Tue, May 16, 2017 at 06:05:06PM +0300, Andrey Dudin wrote: > > Thanks, but I think I have a problem. > > > > I have test user: > > > > [root at ipa-centos]# ipa user-show test > > User login: test > > First name: test > > Last name: test > > Home directory: /home/test > > Login shell: /bin/sh > > Principal name: test at MYDOMAIN.COM > > Principal alias: test at MYDOMAIN.COM > > Email address: test at mydomain.com > > UID: 152200001 > > GID: 152200001 > > As mentioned in the other thread there should be a listing of user auth > types here. Please try > > ipa user-mod test --user-auth-type=password --user-auth-type=otp > > to allow both password and 2-factor/otp authentication. 
> > > Account disabled: False > > Password: True > > Member of groups: trust admins, ipausers, admins > > Kerberos keys available: True > > > > > > And test host: > > > > [root at ipa-centos]# ipa host-show ipa-client.mydomain.com > > Host name: ipa-client.mydomain.com > > Principal name: host/ipa-client.mydomain.com at MYDOMAIN.COM > > Principal alias: host/ipa-client.mydomain.com at MYDOMAIN.COM > > SSH public key fingerprint: %SOME FINGERPRINTS% > > Authentication Indicators: otp > > Password: False > > Keytab: True > > Managed by: ipa-client.mydomain.com > > > > > > When I trying to login to ipa-client.mydomain.com with > password+otptoken I > > have error: > > > > [mynotebook]$ ssh test at ipa-client.mydomain.com > > test at ipa-client.mydomain.com's password: > > Please check if ChallengeResponseAuthentication is enabled in > /etc/ssh/sshd_config on ipa-client.mydomain.com. If not please enable it > by setting 'ChallengeResponseAuthentication yes'. > > Permission denied, please try again. > > > > > > Same if I trying to use just password. 
> > > > On ipa server in krb5kdc.log I see: > > > > May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 > 16 > > 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: test at MYDOMAIN.COM for krbtgt/ > > MYDOMAIN.COM at MYDOMAIN.COM, Additional pre-authentication required > > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12 > > May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 > 16 > > 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: test at MYDOMAIN.COM for krbtgt/ > > MYDOMAIN.COM at MYDOMAIN.COM, Additional pre-authentication required > > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12 > > May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 > 16 > > 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 > > ses=18}, test at MYDOMAIN.COM for krbtgt/MYDOMAIN.COM at MYDOMAIN.COM > > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12 > > May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 > 16 > > 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime > 1494946853, > > test at MYDOMAIN.COM for host/ipa-client.mydomain.com at MYDOMAIN.COM, > Required > > auth indicators not present in ticket: otp > > The otp authentication indicator is missing in the Kerberos ticket of > the user. I assume that the ticket was requested only with the password. > Please see above what might be missing. > > HTH > > bye, > Sumit > > > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12 > > May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 > 16 > > 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime > 1494946853, > > test at MYDOMAIN.COM for host/ipa-client.mydomain.com at MYDOMAIN.COM, > Required > > auth indicators not present in ticket: otp > > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12 > > > > What's wrong? 
> > > > 2017-05-16 17:16 GMT+03:00 Sumit Bose : > > > > > On Tue, May 16, 2017 at 04:48:42PM +0300, Andrey Dudin wrote: > > > > Hello all. > > > > > > > > tell me please. Is it possible to use password and otp auth at the > one > > > > moment? > > > > > > > > For example I have DEV/STAGE servers and want to be able use password > > > auth > > > > for ssh, but for PROD servers I want to use OTP auth for same user. > > > > > > Authentication indicators can be used for this. If you add > > > > > > ipa host-mod --auth-ind=otp prod.server > > > > > > Only 2-factor authentication should be possible on prod.server. But > > > please note that e.g. ssh-key based authentication will still be > > > possible as well. > > > > > > HTH > > > > > > bye, > > > Sumit > > > > > > > -- > > > > Manage your subscription for the Freeipa-users mailing list: > > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > > Go to http://freeipa.org for more info on the project > > > > > > -- > > > Manage your subscription for the Freeipa-users mailing list: > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > Go to http://freeipa.org for more info on the project > > > > > > > > > > > -- > > ? ????????? ????? ?????? > -- ? ????????? ????? ?????? -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhrozek at redhat.com Wed May 17 15:22:59 2017 From: jhrozek at redhat.com (Jakub Hrozek) Date: Wed, 17 May 2017 17:22:59 +0200 Subject: [Freeipa-users] Freeipa and limiting access by group (memberOf) In-Reply-To: References: Message-ID: <20170517152259.uobpktzfya6iauye@hendrix> On Tue, May 16, 2017 at 07:56:38AM -0600, Janet Houser wrote: > Hi Folks, > > Last week I deployed freeipa on a CentOS7 VM. The installation went very > smoothly using: > > yum install ipa-server > > and > > ipa-server-install > > > My issue is with connecting a CentOS 7 client. On my client, I yum > installed ipa-client and ipa-admintools. 
> I than ran "ipa-client-install" and answered the setup questions (very > easy and smooth). > > The "getent passwd" command didn't return any users, but the "getent passwd > jdoe" does give the information > for the user. I found in the archives that I can set "enumerate=True" so I > get a complete user listing. That > seems to be working, and I was able to login with the account "jdoe" > (brilliant!). I would discourage enumeration especially if you're planning on a large domain. The performance right now is not great. Moreover, the way the trusted accounts are retrieved doesn't support enumeration at all either. > > Problem 1: > ======== > > I created a user group on the ipa server with the following attributes: > > name = xyx, gid = 1000 > > I changed the user "jdoe" to have gid = 1000, but when I ssh into the ipa > client, I get the following message after > logging in: > > /usr/bin/id: cannot find name for group ID 1000 > > A "getent group" command does list the group: xyz:*:1000: > > A "groups" command issued by the user shows: xyz > > files created by the user show the correct ownership and group. I would first try to remove the sssd caches because uid/gid renumbering doesn't work great. If that doesn't help, please check the sssd logs. By the way, 1000 is quite low and would most probably clash with local accounts. I would strongly suggest to stick to ID numbers within the configured ID range (ipa idrange-find) > > Problem 2: > ======= > > I've been looking through the freeipa groups and literature and I can't > figure out how to limit user login access to > an ipa client by a memberOf group. > > When I was using CentOS 6 and 7 I could use the nslcd.conf file to put in a > group filter like: > > passwd (&(objectClass=posixAccount)(memberOf=CN=test,OU=Groups,DC=abc,DC=xyx,DC=edu)) > > > I tried changing the access_provider to simple and using the > "simply_allow_groups = test", but that didn't work. 
> However, using "access_provider = ipa" and "filter_users" did allow me to > filter out a user from the "getent passwd" command. > > I tried changing the access_provider to ldap and using the filter > "ldap_access_filter = memberOf=cn=test=OU=Groups,DC=abc,DC=xyx,DC=edu > but that failed too. Please check out "ipa help hbac" From matrix.zj at qq.com Wed May 17 15:56:27 2017 From: matrix.zj at qq.com (=?ISO-8859-1?B?TWF0cml4?=) Date: Wed, 17 May 2017 23:56:27 +0800 Subject: [Freeipa-users] mysql connection has been blocked by sss_ssh_knownhostsproxy Message-ID: There is a weird issue occurred with sss_ssh_knownhostsproxy. I am not sure it is within the coverage of IPA mail-list. but want to get some suggestions from your side Background: server A running with mysql database. And it will simultaneously send a 1.3GB file to 14 clients. With 'ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h': mysql connection will be blocked by those 14 rsync connections. from 'netstat -tupnlo' result, we can find that send-queue is higher and higher, looks like it has sent has been blocked. Finally, after mysql 'net_write_timeout', connection will be closed since no data can be sent from this connection. without 'ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h': mysql connection can be worked as normal. sss_ssh_knownhostsproxy version: sssd-common-1.14.0-43.el7_3.11.x86_64 rsync version: rsync-3.0.9-17.el7.x86_64 kernel version: 3.10.0-229.el7.x86_64 Can you provide some hints on this, that would be appreciated. Matrix -------------- next part -------------- An HTML attachment was scrubbed... URL: From christophe.trefois at uni.lu Wed May 17 17:55:08 2017 From: christophe.trefois at uni.lu (Christophe TREFOIS) Date: Wed, 17 May 2017 17:55:08 +0000 Subject: [Freeipa-users] CentOS patch management on FreeIPA server In-Reply-To: References: <84e5f6dd7109400ca8106bf9da6ef06d@lankaclear.com> Message-ID: Hi, I think yum update is fine, just don?t do it at the same time. 
It?s written somewhere in the docs that this could lead to crappy outcome. Also, Lachlan, how do you do backups of FreeIPA? -- Dr Christophe Trefois, Dipl.-Ing. Technical Specialist / Post-Doc UNIVERSIT? DU LUXEMBOURG LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE Campus Belval | House of Biomedicine 6, avenue du Swing L-4367 Belvaux T: +352 46 66 44 6124 F: +352 46 66 44 6949 http://www.uni.lu/lcsb [Facebook] [Twitter] [Google Plus] [Linkedin] [skype] ---- This message is confidential and may contain privileged information. It is intended for the named recipient only. If you receive it in error please notify me and permanently delete the original message and any copies. ---- On 17 May 2017, at 08:04, Lachlan Musicman > wrote: On 17 May 2017 at 15:23, Lakshan Jayasekara > wrote: > > Hi All, > > > > I?m using FreeIPA server VERSION: 4.4.0, API_VERSION: 2.213 and running on CentOS 7 and have one replica server as well. I need to patch up centos system as per PCI DSS compliance. Let me know whether I can proceed as usual or to follow any sequential steps to achieve the task. Lakshanth, You should always have appropriate backup and restore procedures that are good for you. Having said that, I regularly update our IPA server with patches (via Katello/Foreman) without a problem. I think I even "yum update"d from IPA 4.2 to 4.4 and it just worked. cheers L. ------ "Mission Statement: To provide hope and inspiration for collective action, to build collective power, to achieve collective transformation, rooted in grief and rage but pointed towards vision and dreams." - Patrice Cullors, Black Lives Matter founder -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -------------- next part -------------- An HTML attachment was scrubbed... URL: From robert.l.harris at gmail.com Wed May 17 20:04:48 2017 From: robert.l.harris at gmail.com (Robert L. 
Harris) Date: Wed, 17 May 2017 20:04:48 +0000 Subject: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7 In-Reply-To: <47821956-7470-44BC-BC76-2CE1EDB18C4B@sudo.nz> References: <05a8f23b-66e7-628d-f19a-b80ca01a6850@redhat.com> <47821956-7470-44BC-BC76-2CE1EDB18C4B@sudo.nz> Message-ID: Ok, I reverted to a completely fresh install, literally just after the first reboot. It installed cleanly. So there's something in a package upgrade that's breaking things. I may try to figure it out later. On Tue, May 16, 2017 at 3:08 PM Dagan McGregor wrote: > On 17 May 2017 8:50:02 AM NZST, "Robert L. Harris" < > robert.l.harris at gmail.com> wrote: >> >> I can, though that's what I did 2 days ago, fresh install from latest >> ISO. >> >> >> On Tue, May 16, 2017 at 2:40 PM Andrew Holway >> wrote: >> >>> I have a feeling that there is something broken with your image. Could >>> you try installing Centos from ISO? >>> >>> >>> On 16 May 2017 at 22:37, Robert L. Harris >>> wrote: >>> >>>> >>>> I left SELinux enabled, no change, still streaming the same error: >>>> >>>> [Tue May 16 14:36:48.957848 2017] [:error] [pid 10780] NSS_Initialize >>>> failed. Certificate database: /etc/httpd/alias. >>>> [Tue May 16 14:36:48.957883 2017] [:error] [pid 10780] SSL Library >>>> Error: -8038 SEC_ERROR_NOT_INITIALIZED >>>> [Tue May 16 14:36:48.957886 2017] [:error] [pid 10780] Does the NSS >>>> database exist? >>>> >>>> >>>> >>>> On Tue, May 16, 2017 at 2:12 PM Andrew Holway >>>> wrote: >>>> >>>>> Yea, I would try installing IPA then making the changes that you want. >>>>> I think SELinux should be left enabled however. It makes admin super fun! :) >>>>> >>>>> >>>>> On 16 May 2017 at 21:57, Robert L. Harris >>>>> wrote: >>>>> >>>>>> >>>>>> I did disable selinux as it gave errors setting up my standard users, >>>>>> etc. I can roll back the snapshot, set it at 4Gigs of RAM and re-enable >>>>>> selinux and then try again. 
>>>>>> >>>>>> >>>>>> On Tue, May 16, 2017 at 1:52 PM Andrew Holway < >>>>>> andrew.holway at gmail.com> wrote: >>>>>> >>>>>>> This is pretty weird. FreeIPA installation normally works. >>>>>>> >>>>>>> Has the operating system image been changed or optimised somehow? >>>>>>> Perhaps SELinux has been disabled? Have you tried installing Centos7 from >>>>>>> the ISO? >>>>>>> >>>>>>> On 16 May 2017 at 21:48, Robert L. Harris >>>>>> > wrote: >>>>>>> >>>>>>>> >>>>>>>> 2 Gigs, it's a VM. The VM didn't report any memory issues ( no >>>>>>>> alarms on VMWare ) >>>>>>>> >>>>>>>> >>>>>>>> On Tue, May 16, 2017 at 12:29 PM Andrew Holway < >>>>>>>> andrew.holway at gmail.com> wrote: >>>>>>>> >>>>>>>>> Hallo, >>>>>>>>> >>>>>>>>> How much memory do you have on the machine. I have a sneaking >>>>>>>>> suspicion that you're running out. >>>>>>>>> >>>>>>>>> Ta, >>>>>>>>> >>>>>>>>> Andrew >>>>>>>>> >>>>>>>>> On 16 May 2017 at 17:16, Robert L. Harris < >>>>>>>>> robert.l.harris at gmail.com> wrote: >>>>>>>>> >>>>>>>>>> >>>>>>>>>> Last night I rolled back my snapshot. Here's what I have after >>>>>>>>>> the yum install >>>>>>>>>> >>>>>>>>>> "minimal" install of Centos7 + basic build. 
>>>>>>>>>> {0}:/var/log>cat /etc/*elease >>>>>>>>>> CentOS Linux release 7.3.1611 (Core) >>>>>>>>>> NAME="CentOS Linux" >>>>>>>>>> VERSION="7 (Core)" >>>>>>>>>> ID="centos" >>>>>>>>>> ID_LIKE="rhel fedora" >>>>>>>>>> VERSION_ID="7" >>>>>>>>>> PRETTY_NAME="CentOS Linux 7 (Core)" >>>>>>>>>> ANSI_COLOR="0;31" >>>>>>>>>> CPE_NAME="cpe:/o:centos:centos:7" >>>>>>>>>> HOME_URL="https://www.centos.org/" >>>>>>>>>> BUG_REPORT_URL="https://bugs.centos.org/" >>>>>>>>>> >>>>>>>>>> CENTOS_MANTISBT_PROJECT="CentOS-7" >>>>>>>>>> CENTOS_MANTISBT_PROJECT_VERSION="7" >>>>>>>>>> REDHAT_SUPPORT_PRODUCT="centos" >>>>>>>>>> REDHAT_SUPPORT_PRODUCT_VERSION="7" >>>>>>>>>> >>>>>>>>>> CentOS Linux release 7.3.1611 (Core) >>>>>>>>>> CentOS Linux release 7.3.1611 (Core) >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> {0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb' >>>>>>>>>> sssd-krb5-common-1.14.0-43.el7_3.14.x86_64 >>>>>>>>>> python2-ipaclient-4.4.0-14.el7.centos.7.noarch >>>>>>>>>> ipa-common-4.4.0-14.el7.centos.7.noarch >>>>>>>>>> perl-HTTP-Tiny-0.033-3.el7.noarch >>>>>>>>>> python-iniparse-0.4-9.el7.noarch >>>>>>>>>> ipa-client-common-4.4.0-14.el7.centos.7.noarch >>>>>>>>>> pam_krb5-2.4.8-6.el7.x86_64 >>>>>>>>>> sssd-krb5-1.14.0-43.el7_3.14.x86_64 >>>>>>>>>> python-ipaddress-1.0.16-2.el7.noarch >>>>>>>>>> python2-ipalib-4.4.0-14.el7.centos.7.noarch >>>>>>>>>> krb5-libs-1.14.1-27.el7_3.x86_64 >>>>>>>>>> libipa_hbac-1.14.0-43.el7_3.14.x86_64 >>>>>>>>>> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64 >>>>>>>>>> sssd-ipa-1.14.0-43.el7_3.14.x86_64 >>>>>>>>>> krb5-workstation-1.14.1-27.el7_3.x86_64 >>>>>>>>>> ipa-client-4.4.0-14.el7.centos.7.x86_64 >>>>>>>>>> >>>>>>>>>> Tried to pull an exact client. 
The "yum install ipa-server" went >>>>>>>>>> fine: >>>>>>>>>> >>>>>>>>>> {0}:/var/log/httpd>rpm -a -q | grep -i ipa-server >>>>>>>>>> ipa-server-4.4.0-14.el7.centos.7.x86_64 >>>>>>>>>> ipa-server-common-4.4.0-14.el7.centos.7.noarch >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> "ipa-server-install" ran clean but has been stuck for 2 days: >>>>>>>>>> >>>>>>>>>> Restarting the directory server >>>>>>>>>> Restarting the KDC >>>>>>>>>> Please add records in this file to your DNS system: >>>>>>>>>> /tmp/ipa.system.records.qLsLyx.db >>>>>>>>>> Restarting the web server >>>>>>>>>> Configuring client side components >>>>>>>>>> Using existing certificate '/etc/ipa/ca.crt'. >>>>>>>>>> Client hostname: ipa.rdlg.net >>>>>>>>>> Realm: RDLG.NET >>>>>>>>>> DNS Domain: rdlg.net >>>>>>>>>> IPA Server: ipa.rdlg.net >>>>>>>>>> BaseDN: dc=rdlg,dc=net >>>>>>>>>> >>>>>>>>>> Skipping synchronizing time with NTP server. >>>>>>>>>> New SSSD config will be created >>>>>>>>>> Configured sudoers in /etc/nsswitch.conf >>>>>>>>>> Configured /etc/sssd/sssd.conf >>>>>>>>>> trying https://ipa.rdlg.net/ipa/json >>>>>>>>>> Forwarding 'schema' to json server 'https://ipa.rdlg.net/ipa/json >>>>>>>>>> ' >>>>>>>>>> >>>>>>>>>> Checking the /var/log/httpd/error.log has 2 days of just this: >>>>>>>>>> >>>>>>>>>> [Tue May 16 09:14:42.941476 2017] [:error] [pid 1182] >>>>>>>>>> NSS_Initialize failed. Certificate database: /etc/httpd/alias. >>>>>>>>>> [Tue May 16 09:14:42.941499 2017] [:error] [pid 1182] SSL Library >>>>>>>>>> Error: -8038 SEC_ERROR_NOT_INITIALIZED >>>>>>>>>> [Tue May 16 09:14:42.941501 2017] [:error] [pid 1182] Does the >>>>>>>>>> NSS database exist? >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Robert >>>>>>>>>> >>>>>>>>>> On Fri, May 12, 2017 at 11:14 AM Rob Crittenden < >>>>>>>>>> rcritten at redhat.com> wrote: >>>>>>>>>> >>>>>>>>>>> Robert L. 
Harris wrote: >>>>>>>>>>> > >>>>>>>>>>> > Hmmm >>>>>>>>>>> > >>>>>>>>>>> > {0}:/var/log>ls >>>>>>>>>>> > anaconda btmp dmesg grubby maillog ppp >>>>>>>>>>> secure >>>>>>>>>>> > tallylog wtmp >>>>>>>>>>> > audit cron dmesg.old grubby_prune_debug messages rhsm >>>>>>>>>>> spooler >>>>>>>>>>> > tuned yum.log >>>>>>>>>>> > boot.log cups firewalld lastlog ntpstats >>>>>>>>>>> samba sssd >>>>>>>>>>> > vmware-vmsvc.log >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>> > root at ipa >>>>>>>>>>> > {1}:/var/log>rpm -q -l http >>>>>>>>>>> > package http is not installed >>>>>>>>>>> > >>>>>>>>>>> > root at ipa >>>>>>>>>>> > {1}:/var/log>rpm -q -a | grep -i http >>>>>>>>>>> > perl-HTTP-Tiny-0.033-3.el7.noarch >>>>>>>>>>> > >>>>>>>>>>> > root at ipa >>>>>>>>>>> > {0}:/var/log>rpm -q -a | grep -i tomcat >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>> > Doesn't look like an httpd was installed as a dependancy? >>>>>>>>>>> >>>>>>>>>>> I find this very hard to believe given that it go so far as to >>>>>>>>>>> configure >>>>>>>>>>> things in Apache, restart it, etc. What version of >>>>>>>>>>> [free]ipa-server is >>>>>>>>>>> installed? How did you install it and from what repo? >>>>>>>>>>> >>>>>>>>>>> rob >>>>>>>>>>> >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>> > On Fri, May 12, 2017 at 1:17 AM Martin Ba?ti < >>>>>>>>>>> mbasti at redhat.com >>>>>>>>>>> > > wrote: >>>>>>>>>>> > >>>>>>>>>>> > That's weird, it should be super fast, anything in >>>>>>>>>>> > /var/log/httpd/error_log? >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>> > On 11.05.2017 22:23, Robert L. Harris wrote: >>>>>>>>>>> >> >>>>>>>>>>> >> Odd, must have clicked reply instead of reply-all. >>>>>>>>>>> >> >>>>>>>>>>> >> Anyway, I did the revert and re-install. Actual install >>>>>>>>>>> went >>>>>>>>>>> >> through fine then the "ipa-server-install" ran until this: >>>>>>>>>>> >> >>>>>>>>>>> >> [8/9]: restoring configuration >>>>>>>>>>> >> [9/9]: starting directory server >>>>>>>>>>> >> Done. 
>>>>>>>>>>> >> Restarting the directory server >>>>>>>>>>> >> Restarting the KDC >>>>>>>>>>> >> Please add records in this file to your DNS system: >>>>>>>>>>> >> /tmp/ipa.system.records.v5Jwrt.db >>>>>>>>>>> >> Restarting the web server >>>>>>>>>>> >> Configuring client side components >>>>>>>>>>> >> Using existing certificate '/etc/ipa/ca.crt'. >>>>>>>>>>> >> Client hostname: ipa.rdlg.net >>>>>>>>>>> >> Realm: RDLG.NET >>>>>>>>>>> >> DNS Domain: rdlg.net >>>>>>>>>>> >> IPA Server: ipa.rdlg.net >>>>>>>>>>> >> BaseDN: dc=rdlg,dc=net >>>>>>>>>>> >> >>>>>>>>>>> >> Skipping synchronizing time with NTP server. >>>>>>>>>>> >> New SSSD config will be created >>>>>>>>>>> >> Configured sudoers in /etc/nsswitch.conf >>>>>>>>>>> >> Configured /etc/sssd/sssd.conf >>>>>>>>>>> >> trying https://ipa.rdlg.net/ipa/json >>>>>>>>>>> >> Forwarding 'schema' to json server ' >>>>>>>>>>> https://ipa.rdlg.net/ipa/json' >>>>>>>>>>> >> >>>>>>>>>>> >> >>>>>>>>>>> >> It's been sitting there for a while ( 4 hours? ) I don't >>>>>>>>>>> see >>>>>>>>>>> >> anyting in the ipaserver-install.log, but it's here: >>>>>>>>>>> >> https://pastebin.com/biK1Dmv7 >>>>>>>>>>> >> >>>>>>>>>>> >> >>>>>>>>>>> >> >>>>>>>>>>> >> On Thu, May 11, 2017 at 8:12 AM Martin Ba?ti < >>>>>>>>>>> mbasti at redhat.com >>>>>>>>>>> >> > wrote: >>>>>>>>>>> >> >>>>>>>>>>> >> Please keep freeipa-users in CC >>>>>>>>>>> >> >>>>>>>>>>> >> Snapshot is always better, so I suggest to use it. >>>>>>>>>>> Otherwise >>>>>>>>>>> >> there is an option --ignore-last-of-role to unblock >>>>>>>>>>> >> uninstallation. >>>>>>>>>>> >> >>>>>>>>>>> >> Martin >>>>>>>>>>> >> >>>>>>>>>>> >> >>>>>>>>>>> >> On 11.05.2017 16:00, Robert L. Harris wrote: >>>>>>>>>>> >>> >>>>>>>>>>> >>> Looks like you hit it, apache didn't have a group: >>>>>>>>>>> >>> >>>>>>>>>>> >>> -- Logs begin at Wed 2017-05-10 19:56:27 MDT, end at >>>>>>>>>>> Thu >>>>>>>>>>> >>> 2017-05-11 07:48:27 MDT. 
-- >>>>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>>>>> >>> systemd[1]: Starting The Apache HTTP Server... >>>>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>>>>> >>> ipa-httpd-kdcproxy[28808]: ipa : INFO >>>>>>>>>>> KDC proxy >>>>>>>>>>> >>> enabled >>>>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>>>>> >>> httpd[28809]: AH00544: httpd: bad group name apache >>>>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>>>>> >>> systemd[1]: httpd.service: main process exited, >>>>>>>>>>> code=exited, >>>>>>>>>>> >>> status=1/FAILURE >>>>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>>>>> >>> kill[28812]: kill: cannot find process "" >>>>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>>>>> >>> systemd[1]: httpd.service: control process exited, >>>>>>>>>>> >>> code=exited status=1 >>>>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>>>>> >>> systemd[1]: Failed to start The Apache HTTP Server. >>>>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>>>>> >>> systemd[1]: Unit httpd.service entered failed state. >>>>>>>>>>> >>> May 10 20:36:00 ipa.rdlg.net >>>>>>>>>>> >>> systemd[1]: httpd.service failed. >>>>>>>>>>> >>> >>>>>>>>>>> >>> Thanks, didn't know that command. I tried to >>>>>>>>>>> continue the >>>>>>>>>>> >>> process: >>>>>>>>>>> >>> >>>>>>>>>>> >>> {0}:/root>ipa-server-install >>>>>>>>>>> >>> >>>>>>>>>>> >>> The log file for this installation can be found in >>>>>>>>>>> >>> /var/log/ipaserver-install.log >>>>>>>>>>> >>> ipa.ipapython.install.cli.install_tool(Server): >>>>>>>>>>> ERROR IPA >>>>>>>>>>> >>> server is already configured on this system. >>>>>>>>>>> >>> If you want to reinstall the IPA server, please >>>>>>>>>>> uninstall it >>>>>>>>>>> >>> first using 'ipa-server-install --uninstall'. >>>>>>>>>>> >>> ipa.ipapython.install.cli.install_tool(Server): >>>>>>>>>>> ERROR The >>>>>>>>>>> >>> ipa-server-install command failed. 
See >>>>>>>>>>> >>> /var/log/ipaserver-install.log for more information >>>>>>>>>>> >>> >>>>>>>>>>> >>> root at ipa >>>>>>>>>>> >>> {1}:/root>ipa-server-install --uninstall >>>>>>>>>>> >>> >>>>>>>>>>> >>> This is a NON REVERSIBLE operation and will delete >>>>>>>>>>> all data >>>>>>>>>>> >>> and configuration! >>>>>>>>>>> >>> >>>>>>>>>>> >>> Are you sure you want to continue with the uninstall >>>>>>>>>>> >>> procedure? [no]: yes >>>>>>>>>>> >>> ipa : ERROR Server removal aborted: >>>>>>>>>>> Deleting this >>>>>>>>>>> >>> server is not allowed as it would leave your >>>>>>>>>>> installation >>>>>>>>>>> >>> without a CA.. >>>>>>>>>>> >>> >>>>>>>>>>> >>> >>>>>>>>>>> >>> >>>>>>>>>>> >>> This is a VM and I took a snapshot right before I >>>>>>>>>>> started the >>>>>>>>>>> >>> install, so I can revert, just make sure ti add the >>>>>>>>>>> apache >>>>>>>>>>> >>> user before starting the install. Or if you have a >>>>>>>>>>> better >>>>>>>>>>> >>> command to continue the clean-up/install..... >>>>>>>>>>> >>> >>>>>>>>>>> >>> >>>>>>>>>>> >>> On Thu, May 11, 2017 at 2:19 AM Martin Ba?ti >>>>>>>>>>> >>> > >>>>>>>>>>> wrote: >>>>>>>>>>> >>> >>>>>>>>>>> >>> Hello, >>>>>>>>>>> >>> >>>>>>>>>>> >>> comments inline >>>>>>>>>>> >>> >>>>>>>>>>> >>> >>>>>>>>>>> >>> On 11.05.2017 06:06, Robert L. Harris wrote: >>>>>>>>>>> >>>> >>>>>>>>>>> >>>> Sigh... Sorry, it's been a long day, I thought >>>>>>>>>>> I put >>>>>>>>>>> >>>> that log in the first pastebin. It's in this >>>>>>>>>>> one: >>>>>>>>>>> >>>> https://pastebin.com/18PAXXNS >>>>>>>>>>> >>> >>>>>>>>>>> >>> Could you please provide journalctl -u httpd and >>>>>>>>>>> >>> /var/log/httpd/error_log ? >>>>>>>>>>> >>> >>>>>>>>>>> >>> >>>>>>>>>>> >>> >>>>>>>>>>> >>>> >>>>>>>>>>> >>>> Also, >>>>>>>>>>> >>>> Anyone else get the constant spam when >>>>>>>>>>> mailing this >>>>>>>>>>> >>>> list? Got an address to block for it? >>>>>>>>>>> >>> >>>>>>>>>>> >>> Sorry for that, there is a bot mining public >>>>>>>>>>> archives. 
We >>>>>>>>>>> >>> plan to resolve this issue but it may take time >>>>>>>>>>> as we are >>>>>>>>>>> >>> not maintaining our mailman. >>>>>>>>>>> >>> >>>>>>>>>>> >>> Martin >>>>>>>>>>> >>> >>>>>>>>>>> >>> >>>>>>>>>>> >>>> >>>>>>>>>>> >>>> Robert >>>>>>>>>>> >>>> >>>>>>>>>>> >>>> >>>>>>>>>>> >>>> >>>>>>>>>>> >>>> >>>>>>>>>>> >>>> On Wed, May 10, 2017 at 9:56 PM Lachlan Musicman >>>>>>>>>>> >>>> > >>>>>>>>>>> wrote: >>>>>>>>>>> >>>> >>>>>>>>>>> >>>> Robert, did you look in >>>>>>>>>>> >>>> /var/log/ipaserver-install.log as it says? >>>>>>>>>>> >>>> >>>>>>>>>>> >>>> Was there any other information? >>>>>>>>>>> >>>> >>>>>>>>>>> >>>> cheers >>>>>>>>>>> >>>> L. >>>>>>>>>>> >>>> >>>>>>>>>>> >>>> ------ >>>>>>>>>>> >>>> "Mission Statement: To provide hope and >>>>>>>>>>> inspiration >>>>>>>>>>> >>>> for collective action, to build collective >>>>>>>>>>> power, to >>>>>>>>>>> >>>> achieve collective transformation, rooted >>>>>>>>>>> in grief >>>>>>>>>>> >>>> and rage but pointed towards vision and >>>>>>>>>>> dreams." >>>>>>>>>>> >>>> >>>>>>>>>>> >>>> - Patrice Cullors, /Black Lives Matter >>>>>>>>>>> founder/ >>>>>>>>>>> >>>> >>>>>>>>>>> >>>> On 11 May 2017 at 13:24, Robert L. Harris >>>>>>>>>>> >>>> >>>>>>>>>> >>>> > wrote: >>>>>>>>>>> >>>> >>>>>>>>>>> >>>> Ok, I gave up on Ubuntu. I'm now >>>>>>>>>>> trying the >>>>>>>>>>> >>>> latest CentOS7. I built out a "minimal >>>>>>>>>>> server" >>>>>>>>>>> >>>> with some normal base packages which >>>>>>>>>>> did include >>>>>>>>>>> >>>> the freeipa-client but otherwise, just >>>>>>>>>>> standard >>>>>>>>>>> >>>> tools. 
Here's a pastebin of the output >>>>>>>>>>> of the >>>>>>>>>>> >>>> install: https://pastebin.com/zAWCgkUU >>>>>>>>>>> >>>> >>>>>>>>>>> >>>> Robert >>>>>>>>>>> >>>> >>>>>>>>>>> >>>> >>>>>>>>>>> >>>> -- >>>>>>>>>>> >>>> Manage your subscription for the >>>>>>>>>>> Freeipa-users >>>>>>>>>>> >>>> mailing list: >>>>>>>>>>> >>>> >>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>>>>>> >>>> Go to http://freeipa.org for more info >>>>>>>>>>> on the >>>>>>>>>>> >>>> project >>>>>>>>>>> >>>> >>>>>>>>>>> >>>> >>>>>>>>>>> >>>> -- >>>>>>>>>>> >>>> Manage your subscription for the >>>>>>>>>>> Freeipa-users >>>>>>>>>>> >>>> mailing list: >>>>>>>>>>> >>>> >>>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>>>>>> >>>> Go to http://freeipa.org for more info on >>>>>>>>>>> the project >>>>>>>>>>> >>>> >>>>>>>>>>> >>>> >>>>>>>>>>> >>>> >>>>>>>>>>> >>> >>>>>>>>>>> >>> -- >>>>>>>>>>> >>> Martin Ba?ti >>>>>>>>>>> >>> Software Engineer >>>>>>>>>>> >>> Red Hat Czech >>>>>>>>>>> >>> >>>>>>>>>>> >> >>>>>>>>>>> >> -- >>>>>>>>>>> >> Martin Ba?ti >>>>>>>>>>> >> Software Engineer >>>>>>>>>>> >> Red Hat Czech >>>>>>>>>>> >> >>>>>>>>>>> > >>>>>>>>>>> > -- >>>>>>>>>>> > Martin Ba?ti >>>>>>>>>>> > Software Engineer >>>>>>>>>>> > Red Hat Czech >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>> > >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> Manage your subscription for the Freeipa-users mailing list: >>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>>>>>>> Go to http://freeipa.org for more info on the project >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>> >>>>> >>> > Hi, > > Apologies if this has been asked already, but are the file permissions > correct for the alias file it is complaining about? > > If the process cannot read the file it will fail. > > It's also worth checking the SElinux context in case it needs a relabel. > And check it's not immutable for some reason. 
> > $ ls -lZ /etc/httpd/alias > $ lsattr /etc/httpd/alias > > I have just installed FreeIPA in CentOS 7 myself without any problems. So > this seems like an odd error to get. > > Cheers, > Dagan McGregor > > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From Lakshan.Jayasekara at lankaclear.com Thu May 18 03:58:09 2017 From: Lakshan.Jayasekara at lankaclear.com (Lakshan Jayasekara) Date: Thu, 18 May 2017 03:58:09 +0000 Subject: [Freeipa-users] CentOS patch management on FreeIPA server In-Reply-To: References: <84e5f6dd7109400ca8106bf9da6ef06d@lankaclear.com> Message-ID: <66410e93ed3e43b189aec8a2bfeab6f9@lankaclear.com> Hi Chris, Thanks for the update. Pl let me know any sort of configuration backup can be taken for IPA server. Also let me know the sequence of updating the systems, as I have IPA servers and a replica server in my infrastructure. These are virtual servers and backing up before updating. Best Regards, Reply / Forwarded by Lakshanth Chandika Jayasekara Senior Systems Engineer Confidentiality Notice: The information contained in this message is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any release, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the author immediately by replying to this message and delete the original message. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions. This email has been scanned for all viruses by the Symantec End Point Protection Email Security System. P Save a tree. Don't print this e-mail unless it's really necessary. 
From: Christophe TREFOIS [mailto:christophe.trefois at uni.lu] Sent: Wednesday, May 17, 2017 11:25 PM To: Lachlan Musicman Cc: Lakshan Jayasekara; freeipa-users at redhat.com Subject: Re: [Freeipa-users] CentOS patch management on FreeIPA server Hi, I think yum update is fine, just don't do it at the same time. It's written somewhere in the docs that this could lead to crappy outcome. Also, Lachlan, how do you do backups of FreeIPA? -- Dr Christophe Trefois, Dipl.-Ing. Technical Specialist / Post-Doc UNIVERSITÉ DU LUXEMBOURG LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE Campus Belval | House of Biomedicine 6, avenue du Swing L-4367 Belvaux T: +352 46 66 44 6124 F: +352 46 66 44 6949 http://www.uni.lu/lcsb ---- This message is confidential and may contain privileged information. It is intended for the named recipient only. If you receive it in error please notify me and permanently delete the original message and any copies. ---- On 17 May 2017, at 08:04, Lachlan Musicman wrote: On 17 May 2017 at 15:23, Lakshan Jayasekara wrote: > > Hi All, > > > > I'm using FreeIPA server VERSION: 4.4.0, API_VERSION: 2.213 and running on CentOS 7 and have one replica server as well. I need to patch up centos system as per PCI DSS compliance. Let me know whether I can proceed as usual or to follow any sequential steps to achieve the task. Lakshanth, You should always have appropriate backup and restore procedures that are good for you. Having said that, I regularly update our IPA server with patches (via Katello/Foreman) without a problem. I think I even "yum update"d from IPA 4.2 to 4.4 and it just worked. cheers L. ------ "Mission Statement: To provide hope and inspiration for collective action, to build collective power, to achieve collective transformation, rooted in grief and rage but pointed towards vision and dreams."
- Patrice Cullors, Black Lives Matter founder -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project

From mbasti at redhat.com Thu May 18 07:52:45 2017 From: mbasti at redhat.com (Martin Bašti) Date: Thu, 18 May 2017 09:52:45 +0200 Subject: [Freeipa-users] IMPORTANT: Migration of FreeIPA-users list to lists.fedorahosted.org Message-ID: <77d00d47-6604-eee3-4703-ddd93fe31ea4@redhat.com>

Dear FreeIPA-users subscribers, due to various issues with the current mailing lists, the FreeIPA-users list is being migrated to a new provider, lists.fedorahosted.org. Information about the new list:
E-mail address: freeipa-users at lists.fedorahosted.org
Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/
List-Id: FreeIPA users list
All subscribers will be automatically subscribed to the new mailing list, please update your email filters in advance. The mass subscription will be done in 24 hours. This mailing list will be set to read-only mode after migration. Sorry for inconvenience, Your FreeIPA developers -- Martin Bašti Software Engineer Red Hat Czech

From callum.guy at x-on.co.uk Thu May 18 08:57:53 2017 From: callum.guy at x-on.co.uk (Callum Guy) Date: Thu, 18 May 2017 08:57:53 +0000 Subject: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance Message-ID:

Hi All, I am currently stuck trying to setup the first replica of our master IPA server. I have tried a number of different approaches including escalating from a client and nothing is working for me. I perform a full OS reset each time I get stuck.
I'm running CentOS 7.2 with the FreeIPA 4.4.0 (rpm -q reports this version however having performed ipa-server-upgrade - does this mean I'm on 4.4.4?).

The command is shown below - note that I am skipping the conn check as my platform's security settings do not allow the SSH session to be established back on the master, all ports should be available to the application however.

[root@ipa2 ~]# ipa-replica-install --ip-address=172.24.0.101 --setup-ca --setup-dns --skip-conncheck --no-forwarders SITE.net.gpg
Directory Manager (existing master) password:

ipa : ERROR Could not resolve hostname ipa2.SITE.net usis check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]: yes
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
  [1/42]: creating directory server user
  [2/42]: creating directory server instance
  [3/42]: updating configuration in dse.ldif
  [4/42]: restarting directory server
  [5/42]: adding default schema
  [6/42]: enabling memberof plugin
  [7/42]: enabling winsync plugin
  [8/42]: configuring replication version plugin
  [9/42]: enabling IPA enrollment plugin
  [10/42]: enabling ldapi
  [11/42]: configuring uniqueness plugin
  [12/42]: configuring uuid plugin
  [13/42]: configuring modrdn plugin
  [14/42]: configuring DNS plugin
  [15/42]: enabling entryUSN plugin
  [16/42]: configuring lockout plugin
  [17/42]: configuring topology plugin
  [18/42]: creating indices
  [19/42]: enabling referential integrity plugin
  [20/42]: configuring ssl for ds instance
  [21/42]: configuring certmap.conf
  [22/42]: configure autobind for root
  [23/42]: configure new location for managed entries
  [24/42]: configure dirsrv ccache
  [25/42]: enabling SASL mapping fallback
  [26/42]: restarting directory server
  [27/42]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded

  [28/42]: adding sasl mappings to the directory
  [29/42]: updating schema
  [30/42]: setting Auto Member configuration
  [31/42]: enabling S4U2Proxy delegation
  [32/42]: importing CA certificates from LDAP
  [33/42]: initializing group membership
  [34/42]: adding master entry
  [35/42]: initializing domain level
  [36/42]: configuring Posix uid/gid generation
  [37/42]: adding replication acis
  [38/42]: enabling compatibility plugin
  [39/42]: activating sidgen plugin
  [40/42]: activating extdom plugin
  [41/42]: tuning directory server
  [42/42]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/27]: creating certificate server user
  [2/27]: configuring certificate server instance
  [3/27]: stopping certificate server instance to update CS.cfg
  [4/27]: backing up CS.cfg
  [5/27]: disabling nonces
  [6/27]: set up CRL publishing
  [7/27]: enable PKIX certificate path discovery and validation
  [8/27]: starting certificate server instance

And here it stays and refuses to move on. The ipareplica-install.log log reports:
2017-05-18T08:40:07Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2017-05-18T08:40:09Z DEBUG Waiting until the CA is running
2017-05-18T08:40:09Z DEBUG request POST http://ipa2.SITE.net:8080/ca/admin/ca/getStatus
2017-05-18T08:40:09Z DEBUG request body ''

I have tried and that port is indeed inaccessible but I can't establish a way to progress this issue from any of the other log files. Also I have seen in the 4.4.4 release notes that IPv6 being disabled on the master can cause issues, re-enabling (at least in /etc/hosts) did not seem to help.

If anyone is able to offer ideas that would be very much appreciated. I am tempted to remove the --setup-ca option to see if this helps.
Thanks, Callum -- *0333 332 0000 | www.x-on.co.uk | ** * X-on is a trading name of Storacall Technology Ltd a limited company registered in England and Wales. Registered Office : Avaland House, 110 London Road, Apsley, Hemel Hempstead, Herts, HP3 9SD. Company Registration No. 2578478. The information in this e-mail is confidential and for use by the addressee(s) only. If you are not the intended recipient, please notify X-on immediately on +44(0)333 332 0000 and delete the message from your computer. If you are not a named addressee you must not use, disclose, disseminate, distribute, copy, print or reply to this email. Views or opinions expressed by an individual within this email may not necessarily reflect the views of X-on or its associated companies. Although X-on routinely screens for viruses, addressees should scan this email and any attachments for viruses. X-on makes no representation or warranty as to the absence of viruses in this email or any attachments.

From callum.guy at x-on.co.uk Thu May 18 09:33:17 2017 From: callum.guy at x-on.co.uk (Callum Guy) Date: Thu, 18 May 2017 09:33:17 +0000 Subject: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance In-Reply-To: References: Message-ID: Hi All, Just following on from this, I have performed an installation without --setup-ca and it has completed successfully. I now need to understand what impact this might have, is it the case that I can still install/configure the CA component? Is there any documentation on this action? Also in the event of a failure of my master server (I only have these two) will all my certificates be invalidated and lost or will the replica still be able to handle these certificates until a time where a new master has been created?
Thanks, Callum

From datakid at gmail.com Thu May 18 09:34:41 2017 From: datakid at gmail.com (Lachlan Musicman) Date: Thu, 18 May 2017 19:34:41 +1000 Subject: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance In-Reply-To: References: Message-ID: We are seeing this. I'm not at work, but I think it's bug report 6766. Patch has already been committed (bot by us), we're waiting for IPA 4.5. cheers L. ------ "Mission Statement: To provide hope and inspiration for collective action, to build collective power, to achieve collective transformation, rooted in grief and rage but pointed towards vision and dreams." - Patrice Cullors, *Black Lives Matter founder*

From datakid at gmail.com Thu May 18 09:38:02 2017 From: datakid at gmail.com (Lachlan Musicman) Date: Thu, 18 May 2017 19:38:02 +1000 Subject: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance In-Reply-To: References: Message-ID: https://pagure.io/freeipa/issue/6766 4.5.1 - I stand corrected. Can add more tomorrow. ------ "Mission Statement: To provide hope and inspiration for collective action, to build collective power, to achieve collective transformation, rooted in grief and rage but pointed towards vision and dreams."
- Patrice Cullors, *Black Lives Matter founder*

From callum.guy at x-on.co.uk Thu May 18 09:53:18 2017 From: callum.guy at x-on.co.uk (Callum Guy) Date: Thu, 18 May 2017 09:53:18 +0000 Subject: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance In-Reply-To: References: Message-ID: Ah, thanks for that Lachlan - its always reassuring to hear that its not just me! As mentioned above I have it running without the CA so that's a good start. I am sure we will upgrade as well once 4.5 becomes stable and GA for CentOS. I'm not expecting that to happen quickly so will have to work with what we have for now. Do you happen to know if there is any way to build the CA component separately? On Thu, May 18, 2017 at 10:38 AM Lachlan Musicman wrote: > https://pagure.io/freeipa/issue/6766 > > 4.5.1 - I stand corrected. Can add more tomorrow. > > ------ > "Mission Statement: To provide hope and inspiration for collective action, > to build collective power, to achieve collective transformation, rooted in > grief and rage but pointed towards vision and dreams." > > - Patrice Cullors, *Black Lives Matter founder* > > On 18 May 2017 at 19:34, Lachlan Musicman wrote: > >> We are seeing this. I'm not at work, but I think it's bug report 6766. >> >> Patch has already been committed (bot by us), we're waiting for IPA 4.5. >> >> cheers >> L.
>> >> ------ >> "Mission Statement: To provide hope and inspiration for collective >> action, to build collective power, to achieve collective transformation, >> rooted in grief and rage but pointed towards vision and dreams." >> >> - Patrice Cullors, *Black Lives Matter founder* >> >> On 18 May 2017 at 18:57, Callum Guy wrote: >> >>> Hi All, >>> >>> I am currently stuck trying to setup the first replica of our master IPA >>> server. I have tried a number of different approaches including escalating >>> from a client and nothing is working for me. I perform a full OS reset each >>> time I get stuck. >>> >>> I'm running CentOS 7.2 with the FreeIPA 4.4.0 (rpm -q reports this >>> version however having performed ipa-server-upgrade - does this mean i'm on >>> 4.4.4?). >>> >>> The command is shown below - note that i am skipping the conn check as >>> my platforms security settings do not allow the SSH session to be >>> established back on the master, all ports should be available to the >>> application however. >>> >>> [root at ipa2 ~]# ipa-replica-install --ip-address=172.24.0.101 --setup-ca >>> --setup-dns --skip-conncheck --no-forwarders SITE.net.gpg >>> >>> Directory Manager (existing master) password: >>> >>> ipa : ERROR Could not resolve hostname ipa2.SITE.net usis >>> check queries IPA DNS directly and ignores /etc/hosts.) >>> Continue? [no]: yes >>> Configuring NTP daemon (ntpd) >>> [1/4]: stopping ntpd >>> [2/4]: writing configuration >>> [3/4]: configuring ntpd to start on boot >>> [4/4]: starting ntpd >>> Done configuring NTP daemon (ntpd). >>> Configuring directory server (dirsrv). 
Estimated time: 1 minute >>> [1/42]: creating directory server user >>> [2/42]: creating directory server instance >>> [3/42]: updating configuration in dse.ldif >>> [4/42]: restarting directory server >>> [5/42]: adding default schema >>> [6/42]: enabling memberof plugin >>> [7/42]: enabling winsync plugin >>> [8/42]: configuring replication version plugin >>> [9/42]: enabling IPA enrollment plugin >>> [10/42]: enabling ldapi >>> [11/42]: configuring uniqueness plugin >>> [12/42]: configuring uuid plugin >>> [13/42]: configuring modrdn plugin >>> [14/42]: configuring DNS plugin >>> [15/42]: enabling entryUSN plugin >>> [16/42]: configuring lockout plugin >>> [17/42]: configuring topology plugin >>> [18/42]: creating indices >>> [19/42]: enabling referential integrity plugin >>> [20/42]: configuring ssl for ds instance >>> [21/42]: configuring certmap.conf >>> [22/42]: configure autobind for root >>> [23/42]: configure new location for managed entries >>> [24/42]: configure dirsrv ccache >>> [25/42]: enabling SASL mapping fallback >>> [26/42]: restarting directory server >>> [27/42]: setting up initial replication >>> Starting replication, please wait until this has completed. >>> Update in progress, 4 seconds elapsed >>> Update succeeded >>> >>> [28/42]: adding sasl mappings to the directory >>> [29/42]: updating schema >>> [30/42]: setting Auto Member configuration >>> [31/42]: enabling S4U2Proxy delegation >>> [32/42]: importing CA certificates from LDAP >>> [33/42]: initializing group membership >>> [34/42]: adding master entry >>> [35/42]: initializing domain level >>> [36/42]: configuring Posix uid/gid generation >>> [37/42]: adding replication acis >>> [38/42]: enabling compatibility plugin >>> [39/42]: activating sidgen plugin >>> [40/42]: activating extdom plugin >>> [41/42]: tuning directory server >>> [42/42]: configuring directory to start on boot >>> Done configuring directory server (dirsrv). >>> Configuring certificate server (pki-tomcatd). 
Estimated time: 3 minutes >>> 30 seconds >>> [1/27]: creating certificate server user >>> [2/27]: configuring certificate server instance >>> [3/27]: stopping certificate server instance to update CS.cfg >>> [4/27]: backing up CS.cfg >>> [5/27]: disabling nonces >>> [6/27]: set up CRL publishing >>> [7/27]: enable PKIX certificate path discovery and validation >>> [8/27]: starting certificate server instance >>> >>> And here is stays and refuses to move on. The ipareplica-install.log log >>> reports: >>> 2017-05-18T08:40:07Z DEBUG wait_for_open_ports: localhost [8080, 8443] >>> timeout 300 >>> 2017-05-18T08:40:09Z DEBUG Waiting until the CA is running >>> 2017-05-18T08:40:09Z DEBUG request POST >>> http://ipa2.SITE.net:8080/ca/admin/ca/getStatus >>> 2017-05-18T08:40:09Z DEBUG request body '' >>> >>> I have tried and that port is indeed inaccessible but I can't establish >>> a way to progress this issue from any of the the other log files. Also I >>> have seen in the 4.4.4 release notes that IPv6 being disabled on the master >>> can cause issues, re-enabling (at least in /etc/hosts) did not seem to help. >>> >>> If anyone is able to offer ideas that would be very much appreciated. I >>> am tempted to remove the --setup-ca option to see if this helps. >>> >>> Thanks, >>> >>> Callum >>> >>> >>> >>> *0333 332 0000 | www.x-on.co.uk | ** >>> >>> * >>> X-on is a trading name of Storacall Technology Ltd a limited company >>> registered in England and Wales. >>> Registered Office : Avaland House, 110 London Road, Apsley, Hemel >>> Hempstead, Herts, HP3 9SD. Company Registration No. 2578478. >>> The information in this e-mail is confidential and for use by the >>> addressee(s) only. If you are not the intended recipient, please notify >>> X-on immediately on +44(0)333 332 0000 <+44%20333%20332%200000> and >>> delete the >>> message from your computer. 
If you are not a named addressee you must >>> not use, disclose, disseminate, distribute, copy, print or reply to this >>> email. Views or opinions expressed by an individual >>> within this email may not necessarily reflect the views of X-on or its >>> associated companies. Although X-on routinely screens for viruses, >>> addressees should scan this email and any attachments >>> for viruses. X-on makes no representation or warranty as to the absence >>> of viruses in this email or any attachments. >>> >>> >>> -- >>> Manage your subscription for the Freeipa-users mailing list: >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> Go to http://freeipa.org for more info on the project >>> >> >> > -- *0333 332 0000 | www.x-on.co.uk | ** * X-on is a trading name of Storacall Technology Ltd a limited company registered in England and Wales. Registered Office : Avaland House, 110 London Road, Apsley, Hemel Hempstead, Herts, HP3 9SD. Company Registration No. 2578478. The information in this e-mail is confidential and for use by the addressee(s) only. If you are not the intended recipient, please notify X-on immediately on +44(0)333 332 0000 and delete the message from your computer. If you are not a named addressee you must not use, disclose, disseminate, distribute, copy, print or reply to this email. Views or opinions expressed by an individual within this email may not necessarily reflect the views of X-on or its associated companies. Although X-on routinely screens for viruses, addressees should scan this email and any attachments for viruses. X-on makes no representation or warranty as to the absence of viruses in this email or any attachments. -------------- next part -------------- An HTML attachment was scrubbed... 
From datakid at gmail.com Thu May 18 10:01:53 2017
From: datakid at gmail.com (Lachlan Musicman)
Date: Thu, 18 May 2017 20:01:53 +1000
Subject: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance

Sorry cobber. We only found 6766 today - we've been tackling it on and off
for a couple of weeks :)

------
"Mission Statement: To provide hope and inspiration for collective action,
to build collective power, to achieve collective transformation, rooted in
grief and rage but pointed towards vision and dreams."

- Patrice Cullors, *Black Lives Matter founder*

On 18 May 2017 at 19:53, Callum Guy wrote:

> Ah, thanks for that Lachlan - it's always reassuring to hear that it's not
> just me!
>
> As mentioned above I have it running without the CA so that's a good
> start. I am sure we will upgrade as well once 4.5 becomes stable and GA for
> CentOS. I'm not expecting that to happen quickly so will have to work with
> what we have for now.
>
> Do you happen to know if there is any way to build the CA component
> separately?

From callum.guy at x-on.co.uk Thu May 18 10:19:56 2017
From: callum.guy at x-on.co.uk (Callum Guy)
Date: Thu, 18 May 2017 10:19:56 +0000
Subject: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance

Haha, looks like I'm going CA-less for a while on the replica. I don't see
any immediate requirement for one so time to get on with my life!

I'll post back if anything changes but I'm probably stuck waiting for the
upgrade too..

On Thu, May 18, 2017 at 11:01 AM Lachlan Musicman wrote:

> Sorry cobber. We only found 6766 today - we've been tackling it on and off
> for a couple of weeks :)

URL: From mbasti at redhat.com Thu May 18 11:46:02 2017 From: mbasti at redhat.com (=?UTF-8?Q?Martin_Ba=c5=a1ti?=) Date: Thu, 18 May 2017 13:46:02 +0200 Subject: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance In-Reply-To: References: Message-ID: Please note that commits in #6766 will not fix this issue, the issue is on dogtag side, please see https://pagure.io/dogtagpki/issue/2646 Sorry for troubles On 18.05.2017 12:19, Callum Guy wrote: > Haha, looks like i'm going CA-less for a while on the replica. I don't > see any immediate requirement for one so time to get on with my life! > > I'll post back if anything changes but I'm probably stuck waiting for > the upgrade too.. > > On Thu, May 18, 2017 at 11:01 AM Lachlan Musicman > wrote: > > Sorry cobber. We only found 6766 today - we've been tackling it on > and off for a couple of weeks :) > > ------ > "Mission Statement: To provide hope and inspiration for collective > action, to build collective power, to achieve collective > transformation, rooted in grief and rage but pointed towards > vision and dreams." > > - Patrice Cullors, /Black Lives Matter founder/ > > On 18 May 2017 at 19:53, Callum Guy > wrote: > > Ah, thanks for that Lachlan - its always reassuring to hear > that its not just me! > > As mentioned above I have it running without the CA so that's > a good start. I am sure we will upgrade as well once 4.5 > becomes stable and GA for CentOS. I'm not expecting that to > happen quickly so will have to work with what we have for now. > > Do you happen to know if there is any way to build the CA > component separately? > > On Thu, May 18, 2017 at 10:38 AM Lachlan Musicman > > wrote: > > https://pagure.io/freeipa/issue/6766 > > 4.5.1 - I stand corrected. Can add more tomorrow. 
> > On 18 May 2017 at 19:34, Lachlan Musicman > > wrote: > > We are seeing this. I'm not at work, but I think it's > bug report 6766. > > Patch has already been committed (not by us), we're > waiting for IPA 4.5. > > cheers > L. > > On 18 May 2017 at 18:57, Callum Guy > > > wrote: > > Hi All, > > I am currently stuck trying to set up the first > replica of our master IPA server. I have tried a > number of different approaches including > escalating from a client and nothing is working > for me. I perform a full OS reset each time I get > stuck. > > I'm running CentOS 7.2 with the FreeIPA 4.4.0 (rpm > -q reports this version however having performed > ipa-server-upgrade - does this mean I'm on 4.4.4?). > > The command is shown below - note that I am > skipping the conn check as my platform's security > settings do not allow the SSH session to be > established back on the master, all ports should > be available to the application however. > > [root@ipa2 ~]# ipa-replica-install > --ip-address=172.24.0.101 --setup-ca --setup-dns > --skip-conncheck --no-forwarders SITE.net.gpg > > Directory Manager (existing master) password: > > ipa : ERROR Could not resolve hostname > ipa2.SITE.net usis check > queries IPA DNS directly and ignores /etc/hosts.) > Continue? 
[no]: yes > Configuring NTP daemon (ntpd) > [1/4]: stopping ntpd > [2/4]: writing configuration > [3/4]: configuring ntpd to start on boot > [4/4]: starting ntpd > Done configuring NTP daemon (ntpd). > Configuring directory server (dirsrv). Estimated > time: 1 minute > [1/42]: creating directory server user > [2/42]: creating directory server instance > [3/42]: updating configuration in dse.ldif > [4/42]: restarting directory server > [5/42]: adding default schema > [6/42]: enabling memberof plugin > [7/42]: enabling winsync plugin > [8/42]: configuring replication version plugin > [9/42]: enabling IPA enrollment plugin > [10/42]: enabling ldapi > [11/42]: configuring uniqueness plugin > [12/42]: configuring uuid plugin > [13/42]: configuring modrdn plugin > [14/42]: configuring DNS plugin > [15/42]: enabling entryUSN plugin > [16/42]: configuring lockout plugin > [17/42]: configuring topology plugin > [18/42]: creating indices > [19/42]: enabling referential integrity plugin > [20/42]: configuring ssl for ds instance > [21/42]: configuring certmap.conf > [22/42]: configure autobind for root > [23/42]: configure new location for managed entries > [24/42]: configure dirsrv ccache > [25/42]: enabling SASL mapping fallback > [26/42]: restarting directory server > [27/42]: setting up initial replication > Starting replication, please wait until this has > completed. 
> Update in progress, 4 seconds elapsed > Update succeeded > > [28/42]: adding sasl mappings to the directory > [29/42]: updating schema > [30/42]: setting Auto Member configuration > [31/42]: enabling S4U2Proxy delegation > [32/42]: importing CA certificates from LDAP > [33/42]: initializing group membership > [34/42]: adding master entry > [35/42]: initializing domain level > [36/42]: configuring Posix uid/gid generation > [37/42]: adding replication acis > [38/42]: enabling compatibility plugin > [39/42]: activating sidgen plugin > [40/42]: activating extdom plugin > [41/42]: tuning directory server > [42/42]: configuring directory to start on boot > Done configuring directory server (dirsrv). > Configuring certificate server (pki-tomcatd). > Estimated time: 3 minutes 30 seconds > [1/27]: creating certificate server user > [2/27]: configuring certificate server instance > [3/27]: stopping certificate server instance to > update CS.cfg > [4/27]: backing up CS.cfg > [5/27]: disabling nonces > [6/27]: set up CRL publishing > [7/27]: enable PKIX certificate path discovery > and validation > [8/27]: starting certificate server instance > > And here it stays and refuses to move on. The > ipareplica-install.log log reports: > 2017-05-18T08:40:07Z DEBUG wait_for_open_ports: > localhost [8080, 8443] timeout 300 > 2017-05-18T08:40:09Z DEBUG Waiting until the CA is > running > 2017-05-18T08:40:09Z DEBUG request POST > http://ipa2.SITE.net:8080/ca/admin/ca/getStatus > 2017-05-18T08:40:09Z DEBUG request body '' > > I have tried and that port is indeed inaccessible > but I can't establish a way to progress this issue > from any of the other log files. Also I have > seen in the 4.4.4 release notes that IPv6 being > disabled on the master can cause issues, > re-enabling (at least in /etc/hosts) did not seem > to help. > > If anyone is able to offer ideas that would be > very much appreciated. I am tempted to remove the > --setup-ca option to see if this helps. 
> > Thanks, > > Callum >
-- Martin Bašti Software Engineer Red Hat Czech -------------- next part -------------- An HTML attachment was scrubbed...
URL: From flo at redhat.com Thu May 18 12:02:15 2017 From: flo at redhat.com (Florence Blanc-Renaud) Date: Thu, 18 May 2017 14:02:15 +0200 Subject: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket: In-Reply-To: References: <390a61fb-081b-fa93-da4c-3197b9f269be@redhat.com> <4f49e3b8-ac05-c49b-cfef-c9109d026d72@redhat.com> Message-ID: <798e9af0-3fcb-10cf-434d-a8cf1e940df0@redhat.com> On 05/15/2017 08:33 PM, Michael Plemmons wrote: > I have done more searching in my logs and I see the following errors. > > This is in the localhost log file /var/lib/pki/pki-tomcat/logs > > May 15, 2017 3:08:08 PM org.apache.catalina.core.ApplicationContext log > SEVERE: StandardWrapper.Throwable > java.lang.NullPointerException > > May 15, 2017 3:08:08 PM org.apache.catalina.core.StandardContext > loadOnStartup > SEVERE: Servlet [castart] in web application [/ca] threw load() exception > java.lang.NullPointerException > > May 15, 2017 3:08:09 PM org.apache.catalina.core.StandardHostValve invoke > SEVERE: Exception Processing /ca/admin/ca/getStatus > javax.ws.rs.ServiceUnavailableException: Subsystem > unavailable > > > Looking at the debug log it says Authentication failed for port 636. > > [15/May/2017:17:39:25][localhost-startStop-1]: LdapAuthInfo: init() > [15/May/2017:17:39:25][localhost-startStop-1]: LdapAuthInfo: init begins > [15/May/2017:17:39:25][localhost-startStop-1]: LdapAuthInfo: init ends > [15/May/2017:17:39:25][localhost-startStop-1]: init: before > makeConnection errorIfDown is true > [15/May/2017:17:39:25][localhost-startStop-1]: makeConnection: > errorIfDown true > [15/May/2017:17:39:25][localhost-startStop-1]: > SSLClientCertificateSelectionCB: Setting desired cert nickname to: > subsystemCert cert-pki-ca > [15/May/2017:17:39:25][localhost-startStop-1]: LdapJssSSLSocket: set > client auth cert nickname subsystemCert cert-pki-ca > [15/May/2017:17:39:25][localhost-startStop-1]: > SSLClientCertificatSelectionCB: Entering! 
> [15/May/2017:17:39:25][localhost-startStop-1]: > SSLClientCertificateSelectionCB: returning: null > [15/May/2017:17:39:25][localhost-startStop-1]: SSL handshake happened > Could not connect to LDAP server host ipa12.mgmt.crosschx.com > port 636 Error > netscape.ldap.LDAPException: Authentication failed (48) > at > com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205) > > > I looked at the validity of the cert it mentions and it is fine. > > (root)>getcert status -v -d /etc/pki/pki-tomcat/alias -n 'subsystemCert > cert-pki-ca' > State MONITORING, stuck: no. > > > I then looked at the ldap errors around the time of this failure and I > am seeing this log entry. > > > [15/May/2017:17:38:42.063080758 +0000] set_krb5_creds - Could not get > initial credentials for principal > [ldap/ipa12.mgmt.crosschx.com@MGMT.CROSSCHX.COM] in keytab > [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for > requested realm) > > When I perform a klist against that keytab nothing appears out of the > ordinary compared to working IPA servers. > > I am not sure what to look at next. >

Hi,

you can try the following to manually replay the connection established by Dogtag to LDAP server:

root$ export LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/alias
root$ export LDAPTLS_CERT='subsystemCert cert-pki-ca'

The above commands specify the NSSDB containing the user certificate and its name for SASL-EXTERNAL authentication.
Then note the value obtained below as it will be used for the next step as the password to access the private key in the NSSDB:

root$ grep internal /etc/pki/pki-tomcat/password.conf
internal=

root$ ldapsearch -H ldaps://`hostname`:636 -b "" -s base -Y EXTERNAL -Q -LLL dn namingcontexts
Please enter pin, password, or pass phrase for security token 'ldap(0)': <<<< here supply the value found above
dn:
namingcontexts: cn=changelog
namingcontexts: dc=ipadomain,dc=com
namingcontexts: o=ipaca

In the LDAP server access log (in /etc/dirsrv/slapd-IPADOMAIN.COM/access), you should see the corresponding connection:

[18/May/2017:13:35:14.822090417 +0200] conn=297 fd=150 slot=150 SSL connection from xxx to yyy
[18/May/2017:13:35:15.789414017 +0200] conn=297 TLS1.2 128-bit AES-GCM; client CN=CA Subsystem,O=IPADOMAIN.COM; issuer CN=Certificate Authority,O=IPADOMAIN.COM
[18/May/2017:13:35:15.793108509 +0200] conn=297 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
[18/May/2017:13:35:15.798101505 +0200] conn=297 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
[18/May/2017:13:35:15.800322076 +0200] conn=297 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"

HTH,
Flo.

> > > > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX > * > 614.427.2411 > mike.plemmons at crosschx.com > www.crosschx.com > > On Wed, May 10, 2017 at 3:35 PM, Michael Plemmons > > > wrote: > > The PKI service came up successfully but only when it uses BasicAuth > rather than SSL auth. I am not sure about what I need to do in > order to get the auth working over SSL again. > > None of the certs are expired when I run getcert list and > ipa-getcert list. > > Since the failure is with attempts to log in to LDAP over 636, I > have been attempting to auth to LDAP via port 636 and the ldapsearch > is not completing. When looking at packet captures, I see some of the > TCP handshake and what appears to be the start of an SSL process and > then everything hangs. 
> > What is the proper method to test performing an ldapsearch over 636? > Also, the CS.cfg shows it wants to auth as cn=Directory Manager. I > can successfully auth with cn=Directory Manager over 389 but I think > I am not performing ldapsearch over 636 correctly. > > On Fri, May 5, 2017 at 3:33 PM, Michael Plemmons > > wrote: > > I think I found the email thread. Asking for help with crashed > freeIPA instance. That email pointed to this > link, https://www.redhat.com/archives/freeipa-users/2017-January/msg00215.html. > That link talked about changing the CS.cfg file to use port 389 > for PKI to auth to LDAP. I made the necessary changes and PKI > came up successfully. > > On Fri, May 5, 2017 at 3:19 PM, Michael Plemmons > > wrote: > > On Fri, May 5, 2017 at 3:15 PM, Rob Crittenden > > wrote: > > Michael Plemmons wrote: > > I just realized that I sent the reply directly to Rob and not to the > > list. My response is inline > > Ok, this is actually good news. > > I made a similar proposal in another case and I was completely wrong. > Flo had the user do something and it totally fixed their auth error, I > just can't remember what it was or find the e-mail thread. I'm pretty > sure it was this calendar year though. > > rob > > > Do you or Flo know what I could search for in the past > emails to find the answer to the problem? 
> > > > > > > > > > > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX > > * > > 614.427.2411 > > mike.plemmons at crosschx.com > > > > > www.crosschx.com > > > > > On Thu, May 4, 2017 at 9:39 AM, Michael Plemmons > > > >> > > wrote: > > > > > > > > > > > > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX > > * > > 614.427.2411 > > mike.plemmons at crosschx.com > > > > > www.crosschx.com > > > > > On Thu, May 4, 2017 at 9:24 AM, Rob Crittenden > > > >> wrote: > > > > Michael Plemmons wrote: > > > I realized that I was not very clear in my > statement about > > testing with > > > ldapsearch. I had initially run it without > logging in with a > > DN. I was > > > just running the local ldapsearch -x > command. I then tested on > > > ipa12.mgmt and ipa11.mgmt logging in with a > full DN for the > > admin and > > > "cn=Directory Manager" from ipa12.mgmt > (broken server) and > > ipa11.mgmt > > > and both ldapsearch command succeeded. > > > > > > I ran the following from ipa12.mgmt and > ipa11.mgmt as a non > > root user. > > > I also ran the command showing a line count > for the output and > > the line > > > counts for each were the same when run from > ipa12.mgmt and > > ipa11.mgmt. > > > > > > ldapsearch -LLL -h ipa12.mgmt.crosschx.com > > > > > > > > > >> -D "DN" -w PASSWORD -b > > > > "cn=users,cn=accounts,dc=mgmt,dc=crosschx,dc=com" dn > > > > > > ldapsearch -LLL -h ipa12.mgmt.crosschx.com > > > > > > > > > >> -D "cn=directory > manager" -w > > PASSWORD dn > > > > The CA has its own suffix and replication > agreements. Given the auth > > error and recent (5 months) renewal of CA > credentials I'd check > > that the > > CA agent authentication entries are correct. 
> > > > Against each master with a CA run: > > > > $ ldapsearch -LLL -x -D 'cn=directory manager' > -W -b > > uid=ipara,ou=people,o=ipaca description > > > > The format is 2;serial#,subject,issuer > > > > Then on each run: > > > > # certutil -L -d /etc/httpd/alias -n ipaCert > |grep Serial > > > > The serial # should match that in the > description everywhere. > > > > rob > > > > > > > > On the CA (IPA13.MGMT) I ran the ldapsearch > command and see that the > > serial number is 7. I then ran the certutil > command on all three > > servers and the serial number is 7 as well. > > > > > > I also ran the ldapsearch command against the > other two servers and > > they also showed a serial number of 7. > > > > > > > > > > > > > > > > > > > > > > > > > > *Mike Plemmons | Senior DevOps Engineer | > CROSSCHX > > > * > > > 614.427.2411 > > > mike.plemmons at crosschx.com > > > > > > > >> > > > www.crosschx.com > > > > > > > > > On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons > > > > > > > > > > >>> > > > wrote: > > > > > > I have a three node IPA cluster. > > > > > > ipa11.mgmt - was a master over 6 months ago > > > ipa13.mgmt - current master > > > ipa12.mgmt > > > > > > ipa13 has agreements with ipa11 and > ipa12. ipa11 and > > ipa12 do not > > > have agreements between each other. > > > > > > It appears that either ipa12.mgmt lost > some level of its > > replication > > > agreement with ipa13. I saw some level > because users / > > hosts were > > > replicated between all systems but we > started seeing DNS > > was not > > > resolving properly from ipa12. I do not > know when this > > started. > > > > > > When looking at replication agreements > on ipa12 I did not > > see any > > > agreement with ipa13. > > > > > > When I run ipa-replica-manage list all > three hosts show > > has master. > > > > > > When I run ipa-replica-manage ipa11.mgmt > I see ipa13.mgmt > > is a replica. > > > > > > When I run ipa-replica-manage ipa12.mgmt > nothing returned. 
> > > > > > I ran ipa-replica-manage connect > --cacert=/etc/ipa/ca.crt > > > ipa12.mgmt.crosschx.com > > > > > > >> > > > ipa13.mgmt.crosschx.com > > > > > > > >> on ipa12.mgmt > > > > > > I then ran the following > > > > > > ipa-replica-manage force-sync --from > > ipa13.mgmt.crosschx.com > > > > > > > > >> > > > > > > ipa-replica-manage re-initialize --from > > ipa13.mgmt.crosschx.com > > > > > > > > >> > > > > > > I was still seeing bad DNS returns when > dig'ing against > > ipa12.mgmt. > > > I was able to create user and DNS > records and see the > > information > > > replicated properly across all three nodes. > > > > > > I then ran ipactl stop on ipa12.mgmt and > then ipactl start on > > > ipa12.mgmt because I wanted to make sure > everything was > > running > > > fresh after the changes above. While > IPA was staring up (DNS > > > started) we were able to see valid DNS > queries returned but > > > pki-tomcat would not start. > > > > > > I am not sure what I need to do in order > to get this > > working. I > > > have included the output of certutil and > getcert below > > from all > > > three servers as well as the debug > output for pki. > > > > > > > > > While the IPA system is coming up I am > able to > > successfully run > > > ldapsearch -x as the root user and see > results. I am also > > able to > > > login with the "cn=Directory Manager" > account and see results. > > > > > > > > > The debug log shows the following error. > > > > > > > > > > [03/May/2017:21:22:01][localhost-startStop-1]: > > > ============================================ > > > > [03/May/2017:21:22:01][localhost-startStop-1]: ===== DEBUG > > > SUBSYSTEM INITIALIZED ======= > > > > [03/May/2017:21:22:01][localhost-startStop-1]: > > > ============================================ > > > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: > > restart at > > > autoShutdown? false > > > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: > > > autoShutdown crumb file path? 
> > > > /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb > > > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: > > about to > > > look for cert for auto-shutdown > support:auditSigningCert > > cert-pki-ca > > > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: > > found > > > cert:auditSigningCert cert-pki-ca > > > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: > > done init > > > id=debug > > > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: > > > initialized debug > > > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: > > > initSubsystem id=log > > > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: > > ready to > > > init id=log > > > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating > > > > > > RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit) > > > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating > > > > RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system) > > > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating > > > > RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions) > > > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: > > restart at > > > autoShutdown? false > > > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: > > > autoShutdown crumb file path? 
> > > > /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb > > > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: > > about to > > > look for cert for auto-shutdown > support:auditSigningCert > > cert-pki-ca > > > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: > > found > > > cert:auditSigningCert cert-pki-ca > > > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: > > done init > > > id=log > > > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: > > > initialized log > > > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: > > > initSubsystem id=jss > > > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: > > ready to > > > init id=jss > > > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: > > restart at > > > autoShutdown? false > > > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: > > > autoShutdown crumb file path? > > > > /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb > > > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: > > about to > > > look for cert for auto-shutdown > support:auditSigningCert > > cert-pki-ca > > > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: > > found > > > cert:auditSigningCert cert-pki-ca > > > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: > > done init > > > id=jss > > > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: > > > initialized jss > > > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: > > > initSubsystem id=dbs > > > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: > > ready to > > > init id=dbs > > > > [03/May/2017:21:22:01][localhost-startStop-1]: > > DBSubsystem: init() > > > mEnableSerialMgmt=true > > > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating > > > LdapBoundConnFactor(DBSubsystem) > > > > [03/May/2017:21:22:01][localhost-startStop-1]: > > LdapBoundConnFactory: > > > init > > > > [03/May/2017:21:22:01][localhost-startStop-1]: > > > 
LdapBoundConnFactory:doCloning true > > > > [03/May/2017:21:22:01][localhost-startStop-1]: > > LdapAuthInfo: init() > > > > [03/May/2017:21:22:01][localhost-startStop-1]: > > LdapAuthInfo: init begins > > > > [03/May/2017:21:22:01][localhost-startStop-1]: > > LdapAuthInfo: init ends > > > > [03/May/2017:21:22:01][localhost-startStop-1]: init: before > > > makeConnection errorIfDown is true > > > > [03/May/2017:21:22:01][localhost-startStop-1]: > makeConnection: > > > errorIfDown true > > > > [03/May/2017:21:22:02][localhost-startStop-1]: > > > SSLClientCertificateSelectionCB: Setting > desired cert > > nickname to: > > > subsystemCert cert-pki-ca > > > > [03/May/2017:21:22:02][localhost-startStop-1]: > > LdapJssSSLSocket: set > > > client auth cert nickname subsystemCert > cert-pki-ca > > > > [03/May/2017:21:22:02][localhost-startStop-1]: > > > SSLClientCertificatSelectionCB: Entering! > > > > [03/May/2017:21:22:02][localhost-startStop-1]: > > > SSLClientCertificateSelectionCB: > returning: null > > > > [03/May/2017:21:22:02][localhost-startStop-1]: SSL > > handshake happened > > > Could not connect to LDAP server host > > ipa12.mgmt.crosschx.com > > > > > > > > >> port 636 Error > > > netscape.ldap.LDAPException: > Authentication failed (48) > > > at > > > > > > com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205) > > > at > > > > > > com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166) > > > at > > > > > > com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130) > > > at > > > com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654) > > > at > > > > > > com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169) > > > at > > > > > > com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075) > > > at > > > com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571) > > > at > com.netscape.certsrv.apps.CMS.init(CMS.java:187) > 
> > at > com.netscape.certsrv.apps.CMS.start(CMS.java:1616) > > > at > > > > > > com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) > > > at > > > javax.servlet.GenericServlet.init(GenericServlet.java:158) > > > at > sun.reflect.NativeMethodAccessorImpl.invoke0(Native > > Method) > > > at > > > > > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > > > at > > > > > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > > at > java.lang.reflect.Method.invoke(Method.java:498) > > > at > > > > > > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) > > > at > > > > > > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) > > > at > java.security.AccessController.doPrivileged(Native > > Method) > > > at javax.security.auth.Subject.do > > > >AsPrivileged(Subject.java:549) > > > at > > > > > > org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) > > > at > > > > > > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175) > > > at > > > > > > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124) > > > at > > > > > > org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270) > > > at > > > > > > org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195) > > > at > > > > > > org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085) > > > at > > > > > > org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318) > > > at > > > > > > org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610) > > > at > > > > > > org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147) > > > at > > > > > > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899) > > > at > > > > > > org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) > > > at 
> > > > > > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) > > > at > > > > > > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) > > > at > java.security.AccessController.doPrivileged(Native > > Method) > > > at > > > > > > org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873) > > > at > > > > > > org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652) > > > at > > > > > > org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679) > > > at > > > > > > org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966) > > > at > > > > > > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > > > at > java.util.concurrent.FutureTask.run(FutureTask.java:266) > > > at > > > > > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > > > at > > > > > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > > > at java.lang.Thread.run(Thread.java:745) > > > Internal Database Error encountered: > Could not connect to LDAP > > > server host ipa12.mgmt.crosschx.com > > > > > > > >> > > > port 636 Error > netscape.ldap.LDAPException: Authentication > > failed (48) > > > at > > > com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:676) > > > at > > > > > > com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169) > > > at > > > > > > com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075) > > > at > > > com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571) > > > at > com.netscape.certsrv.apps.CMS.init(CMS.java:187) > > > at > com.netscape.certsrv.apps.CMS.start(CMS.java:1616) > > > at > > > > > > com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114) > > > at > > > javax.servlet.GenericServlet.init(GenericServlet.java:158) > > > at > sun.reflect.NativeMethodAccessorImpl.invoke0(Native > > Method) > > 
> at > > > > > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > > > at > > > > > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > > at > java.lang.reflect.Method.invoke(Method.java:498) > > > at > > > > > > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) > > > at > > > > > > org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) > > > at > java.security.AccessController.doPrivileged(Native > > Method) > > > at javax.security.auth.Subject.do > > > >AsPrivileged(Subject.java:549) > > > at > > > > > > org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) > > > at > > > > > > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175) > > > at > > > > > > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124) > > > at > > > > > > org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270) > > > at > > > > > > org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195) > > > at > > > > > > org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085) > > > at > > > > > > org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318) > > > at > > > > > > org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610) > > > at > > > > > > org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147) > > > at > > > > > > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899) > > > at > > > > > > org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133) > > > at > > > > > > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156) > > > at > > > > > > org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) > > > at > java.security.AccessController.doPrivileged(Native > > Method) > > > at > > > > > > 
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:873) > > > at > > > > > > org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652) > > > at > > > > > > org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:679) > > > at > > > > > > org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1966) > > > at > > > > > > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > > > at > java.util.concurrent.FutureTask.run(FutureTask.java:266) > > > at > > > > > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > > > at > > > > > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > > > at java.lang.Thread.run(Thread.java:745) > > > > [03/May/2017:21:22:02][localhost-startStop-1]: > > CMSEngine.shutdown() > > > > > > > > > ============================= > > > > > > > > > IPA11.MGMT > > > > > > (root)>certutil -L -d > /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/ > > > Certificate Nickname Trust Attributes > SSL,S/MIME,JAR/XPI > > Server-Cert > > > u,u,u MGMT.CROSSCHX.COM > > > IPA CA CT,C,C > > > (root)>certutil -L -d > /var/lib/pki/pki-tomcat/alias/ > > Certificate > > > Nickname Trust Attributes > SSL,S/MIME,JAR/XPI caSigningCert > > > cert-pki-ca CTu,Cu,Cu auditSigningCert > cert-pki-ca u,u,Pu > > > ocspSigningCert cert-pki-ca u,u,u > subsystemCert > > cert-pki-ca u,u,u > > > Server-Cert cert-pki-ca u,u,u IPA13.MGMT > (root)>certutil -L -d > > > /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/ > Certificate Nickname > > Trust > > > Attributes SSL,S/MIME,JAR/XPI > Server-Cert u,u,u > > MGMT.CROSSCHX.COM > > > > IPA CA CT,C,C > (root)>certutil -L -d > > > /var/lib/pki/pki-tomcat/alias/ > Certificate Nickname Trust > > Attributes > > > SSL,S/MIME,JAR/XPI caSigningCert > cert-pki-ca CTu,Cu,Cu > > > auditSigningCert cert-pki-ca u,u,Pu > ocspSigningCert > > cert-pki-ca > > > u,u,u subsystemCert cert-pki-ca u,u,u > Server-Cert > > cert-pki-ca u,u,u > > > 
IPA12.MGMT (root)>certutil -L -d > > > /etc/dirsrv/slapd-MGMT-CROSSCHX-COM/ > Certificate Nickname > > Trust > > > Attributes SSL,S/MIME,JAR/XPI > Server-Cert u,u,u > > MGMT.CROSSCHX.COM > > > > IPA CA C,, > (root)>certutil -L -d > > > /var/lib/pki/pki-tomcat/alias/ > Certificate Nickname Trust > > Attributes > > > SSL,S/MIME,JAR/XPI caSigningCert > cert-pki-ca CTu,Cu,Cu > > > auditSigningCert cert-pki-ca u,u,Pu > ocspSigningCert > > cert-pki-ca > > > u,u,u subsystemCert cert-pki-ca u,u,u > Server-Cert > > cert-pki-ca u,u,u > > > > ================================================= > IPA11.MGMT > > > (root)>getcert list Number of > certificates and requests being > > > tracked: 8. Request ID '20161229155314': > status: > > MONITORING stuck: > > > no key pair storage: > > > > > > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS > > > Certificate > > > > DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt' > > > certificate: > > > > > > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS > > > Certificate DB' CA: IPA issuer: > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > > subject: > > > CN=ipa11.mgmt.crosschx.com > > > > > > > > >>,O=MGMT.CROSSCHX.COM > > > > > > expires: > 2018-12-30 15:52:43 > > UTC key > > > usage: > > > > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > > post-save > > > command: > /usr/libexec/ipa/certmonger/restart_dirsrv > > > MGMT-CROSSCHX-COM track: yes auto-renew: > yes Request ID > > > '20161229155652': status: MONITORING > stuck: no key pair > > storage: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > > > cert-pki-ca',token='NSS Certificate > DB',pin set certificate: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > > > cert-pki-ca',token='NSS Certificate DB' CA: > > > 
dogtag-ipa-ca-renew-agent issuer: > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > > subject: > > > CN=CA Audit,O=MGMT.CROSSCHX.COM > > > expires: > > > 2018-11-12 13:00:29 UTC key usage: > > digitalSignature,nonRepudiation > > > pre-save command: > /usr/libexec/ipa/certmonger/stop_pkicad > > post-save > > > command: > /usr/libexec/ipa/certmonger/renew_ca_cert > > "auditSigningCert > > > cert-pki-ca" track: yes auto-renew: yes > Request ID > > '20161229155654': > > > status: MONITORING stuck: no key pair > storage: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > > > cert-pki-ca',token='NSS Certificate > DB',pin set certificate: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > > > cert-pki-ca',token='NSS Certificate DB' CA: > > > dogtag-ipa-ca-renew-agent issuer: > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > > subject: > > > CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM > > > > > > > expires: 2018-11-12 13:00:26 UTC key usage: > > > > digitalSignature,nonRepudiation,keyCertSign,cRLSign eku: > > > id-kp-OCSPSigning pre-save command: > > > /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: > > > > /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert > > > cert-pki-ca" track: yes auto-renew: yes > Request ID > > '20161229155655': > > > status: MONITORING stuck: no key pair > storage: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > > > cert-pki-ca',token='NSS Certificate > DB',pin set certificate: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > > > cert-pki-ca',token='NSS Certificate DB' CA: > > > dogtag-ipa-ca-renew-agent issuer: > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > > subject: > > > CN=CA Subsystem,O=MGMT.CROSSCHX.COM > > > > > > > expires: 2018-11-12 13:00:28 UTC key usage: > > > > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > eku: 
id-kp-serverAuth,id-kp-clientAuth > pre-save command: > > > /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: > > > > /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert > > > cert-pki-ca" track: yes auto-renew: yes > Request ID > > '20161229155657': > > > status: MONITORING stuck: no key pair > storage: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > > > cert-pki-ca',token='NSS Certificate > DB',pin set certificate: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > > > cert-pki-ca',token='NSS Certificate DB' CA: > > > dogtag-ipa-ca-renew-agent issuer: > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > > subject: > > > CN=Certificate > Authority,O=MGMT.CROSSCHX.COM > > > > > expires: > 2036-11-22 13:00:25 > > UTC key > > > usage: > digitalSignature,nonRepudiation,keyCertSign,cRLSign > > pre-save > > > command: > /usr/libexec/ipa/certmonger/stop_pkicad post-save > > command: > > > > /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert > > > cert-pki-ca" track: yes auto-renew: yes > Request ID > > '20161229155659': > > > status: MONITORING stuck: no key pair > storage: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > > cert-pki-ca',token='NSS > > > Certificate DB',pin set certificate: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > > cert-pki-ca',token='NSS > > > Certificate DB' CA: > dogtag-ipa-renew-agent issuer: > > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > > subject: > > > CN=ipa11.mgmt.crosschx.com > > > > > > > > >>,O=MGMT.CROSSCHX.COM > > > > > > expires: > 2018-12-19 15:56:20 > > UTC key > > > usage: > > > > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > eku: > id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection > > > pre-save command: > /usr/libexec/ipa/certmonger/stop_pkicad > > post-save > > > command: > 
/usr/libexec/ipa/certmonger/renew_ca_cert > > "Server-Cert > > > cert-pki-ca" track: yes auto-renew: yes > Request ID > > '20161229155921': > > > status: MONITORING stuck: no key pair > storage: > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > > Certificate > DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > > Certificate DB' CA: IPA issuer: > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > > subject: > > > CN=ipa11.mgmt.crosschx.com > > > > > > > > >>,O=MGMT.CROSSCHX.COM > > > > > > expires: > 2018-12-30 15:52:46 > > UTC key > > > usage: > > > > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > > post-save > > > command: > /usr/libexec/ipa/certmonger/restart_httpd track: yes > > > auto-renew: yes Request ID > '20161229160009': status: > > MONITORING > > > stuck: no key pair storage: > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > > Certificate > DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > > Certificate DB' CA: > dogtag-ipa-ca-renew-agent issuer: > > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > > subject: > > > CN=IPA RA,O=MGMT.CROSSCHX.COM > > > expires: > > > 2018-11-12 13:01:34 UTC key usage: > > > > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > > > > /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save > > command: > > > > /usr/libexec/ipa/certmonger/renew_ra_cert track: yes > > auto-renew: yes > > > ================================== > IPA13.MGMT > > (root)>getcert list > > > Number of certificates and requests > being tracked: 8. 
> > Request ID > > > '20161229143449': status: MONITORING > stuck: no key pair > > storage: > > > > > > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS > > > Certificate > > > > DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt' > > > certificate: > > > > > > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS > > > Certificate DB' CA: IPA issuer: > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > > subject: > > > CN=ipa13.mgmt.crosschx.com > > > > > > > > >>,O=MGMT.CROSSCHX.COM > > > > > > expires: > 2018-12-30 14:34:20 > > UTC key > > > usage: > > > > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > > post-save > > > command: > /usr/libexec/ipa/certmonger/restart_dirsrv > > > MGMT-CROSSCHX-COM track: yes auto-renew: > yes Request ID > > > '20161229143826': status: MONITORING > stuck: no key pair > > storage: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > > > cert-pki-ca',token='NSS Certificate > DB',pin set certificate: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > > > cert-pki-ca',token='NSS Certificate DB' CA: > > > dogtag-ipa-ca-renew-agent issuer: > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > > subject: > > > CN=CA Audit,O=MGMT.CROSSCHX.COM > > > expires: > > > 2018-11-12 13:00:29 UTC key usage: > > digitalSignature,nonRepudiation > > > pre-save command: > /usr/libexec/ipa/certmonger/stop_pkicad > > post-save > > > command: > /usr/libexec/ipa/certmonger/renew_ca_cert > > "auditSigningCert > > > cert-pki-ca" track: yes auto-renew: yes > Request ID > > '20161229143828': > > > status: MONITORING stuck: no key pair > storage: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > > > cert-pki-ca',token='NSS Certificate > DB',pin set certificate: > > > 
> > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > > > cert-pki-ca',token='NSS Certificate DB' CA: > > > dogtag-ipa-ca-renew-agent issuer: > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > > subject: > > > CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM > > > > > > > expires: 2018-11-12 13:00:26 UTC key usage: > > > > digitalSignature,nonRepudiation,keyCertSign,cRLSign eku: > > > id-kp-OCSPSigning pre-save command: > > > /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: > > > > /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert > > > cert-pki-ca" track: yes auto-renew: yes > Request ID > > '20161229143831': > > > status: MONITORING stuck: no key pair > storage: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > > > cert-pki-ca',token='NSS Certificate > DB',pin set certificate: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > > > cert-pki-ca',token='NSS Certificate DB' CA: > > > dogtag-ipa-ca-renew-agent issuer: > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > > subject: > > > CN=CA Subsystem,O=MGMT.CROSSCHX.COM > > > > > > > expires: 2018-11-12 13:00:28 UTC key usage: > > > > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > > > /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: > > > > /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert > > > cert-pki-ca" track: yes auto-renew: yes > Request ID > > '20161229143833': > > > status: MONITORING stuck: no key pair > storage: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > > > cert-pki-ca',token='NSS Certificate > DB',pin set certificate: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > > > cert-pki-ca',token='NSS Certificate DB' CA: > > > dogtag-ipa-ca-renew-agent issuer: > CN=Certificate > > > 
Authority,O=MGMT.CROSSCHX.COM > > > subject: > > > CN=Certificate > Authority,O=MGMT.CROSSCHX.COM > > > > > expires: > 2036-11-22 13:00:25 > > UTC key > > > usage: > digitalSignature,nonRepudiation,keyCertSign,cRLSign > > pre-save > > > command: > /usr/libexec/ipa/certmonger/stop_pkicad post-save > > command: > > > > /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert > > > cert-pki-ca" track: yes auto-renew: yes > Request ID > > '20161229143835': > > > status: MONITORING stuck: no key pair > storage: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > > cert-pki-ca',token='NSS > > > Certificate DB',pin set certificate: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > > cert-pki-ca',token='NSS > > > Certificate DB' CA: > dogtag-ipa-renew-agent issuer: > > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > > subject: > > > CN=ipa13.mgmt.crosschx.com > > > > > > > > >>,O=MGMT.CROSSCHX.COM > > > > > > expires: > 2018-12-19 14:37:54 > > UTC key > > > usage: > > > > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > eku: > id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection > > > pre-save command: > /usr/libexec/ipa/certmonger/stop_pkicad > > post-save > > > command: > /usr/libexec/ipa/certmonger/renew_ca_cert > > "Server-Cert > > > cert-pki-ca" track: yes auto-renew: yes > Request ID > > '20161229144057': > > > status: MONITORING stuck: no key pair > storage: > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > > Certificate > DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > > Certificate DB' CA: IPA issuer: > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > > subject: > > > CN=ipa13.mgmt.crosschx.com > > > > > > > > >>,O=MGMT.CROSSCHX.COM > > > > > > expires: > 2018-12-30 14:34:23 > > UTC key > > > usage: > > > > > > 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > > post-save > > > command: > /usr/libexec/ipa/certmonger/restart_httpd track: yes > > > auto-renew: yes Request ID > '20161229144146': status: > > MONITORING > > > stuck: no key pair storage: > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > > Certificate > DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > > Certificate DB' CA: > dogtag-ipa-ca-renew-agent issuer: > > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > > subject: > > > CN=IPA RA,O=MGMT.CROSSCHX.COM > > > expires: > > > 2018-11-12 13:01:34 UTC key usage: > > > > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > > > > /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save > > command: > > > > /usr/libexec/ipa/certmonger/renew_ra_cert track: yes > > auto-renew: yes > > > =========================== IPA12.MGMT > (root)>getcert list > > Number of > > > certificates and requests being tracked: > 8. 
Request ID > > > '20161229151518': status: MONITORING > stuck: no key pair > > storage: > > > > > > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS > > > Certificate > > > > DB',pinfile='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM/pwdfile.txt' > > > certificate: > > > > > > type=NSSDB,location='/etc/dirsrv/slapd-MGMT-CROSSCHX-COM',nickname='Server-Cert',token='NSS > > > Certificate DB' CA: IPA issuer: > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > > subject: > > > CN=ipa12.mgmt.crosschx.com > > > > > > > > >>,O=MGMT.CROSSCHX.COM > > > > > > expires: > 2018-12-30 15:14:51 > > UTC key > > > usage: > > > > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > > post-save > > > command: > /usr/libexec/ipa/certmonger/restart_dirsrv > > > MGMT-CROSSCHX-COM track: yes auto-renew: > yes Request ID > > > '20161229151850': status: MONITORING > stuck: no key pair > > storage: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > > > cert-pki-ca',token='NSS Certificate > DB',pin set certificate: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > > > cert-pki-ca',token='NSS Certificate DB' CA: > > > dogtag-ipa-ca-renew-agent issuer: > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > > subject: > > > CN=CA Audit,O=MGMT.CROSSCHX.COM > > > expires: > > > 2018-11-12 13:00:29 UTC key usage: > > digitalSignature,nonRepudiation > > > pre-save command: > /usr/libexec/ipa/certmonger/stop_pkicad > > post-save > > > command: > /usr/libexec/ipa/certmonger/renew_ca_cert > > "auditSigningCert > > > cert-pki-ca" track: yes auto-renew: yes > Request ID > > '20161229151852': > > > status: MONITORING stuck: no key pair > storage: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > > > cert-pki-ca',token='NSS Certificate > DB',pin set certificate: > > > > > 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > > > cert-pki-ca',token='NSS Certificate DB' CA: > > > dogtag-ipa-ca-renew-agent issuer: > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > > subject: > > > CN=OCSP Subsystem,O=MGMT.CROSSCHX.COM > > > > > > > expires: 2018-11-12 13:00:26 UTC key usage: > > > > digitalSignature,nonRepudiation,keyCertSign,cRLSign eku: > > > id-kp-OCSPSigning pre-save command: > > > /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: > > > > /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert > > > cert-pki-ca" track: yes auto-renew: yes > Request ID > > '20161229151854': > > > status: MONITORING stuck: no key pair > storage: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > > > cert-pki-ca',token='NSS Certificate > DB',pin set certificate: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > > > cert-pki-ca',token='NSS Certificate DB' CA: > > > dogtag-ipa-ca-renew-agent issuer: > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > > subject: > > > CN=CA Subsystem,O=MGMT.CROSSCHX.COM > > > > > > > expires: 2018-11-12 13:00:28 UTC key usage: > > > > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > > > /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: > > > > /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert > > > cert-pki-ca" track: yes auto-renew: yes > Request ID > > '20161229151856': > > > status: MONITORING stuck: no key pair > storage: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > > > cert-pki-ca',token='NSS Certificate > DB',pin set certificate: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > > > cert-pki-ca',token='NSS Certificate DB' CA: > > > dogtag-ipa-ca-renew-agent issuer: > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > 
> > subject: > > > CN=Certificate > Authority,O=MGMT.CROSSCHX.COM > > > > > expires: > 2036-11-22 13:00:25 > > UTC key > > > usage: > digitalSignature,nonRepudiation,keyCertSign,cRLSign > > pre-save > > > command: > /usr/libexec/ipa/certmonger/stop_pkicad post-save > > command: > > > > /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert > > > cert-pki-ca" track: yes auto-renew: yes > Request ID > > '20161229151858': > > > status: MONITORING stuck: no key pair > storage: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > > cert-pki-ca',token='NSS > > > Certificate DB',pin set certificate: > > > > > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > > cert-pki-ca',token='NSS > > > Certificate DB' CA: > dogtag-ipa-renew-agent issuer: > > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > > subject: > > > CN=ipa12.mgmt.crosschx.com > > > > > > > > >>,O=MGMT.CROSSCHX.COM > > > > > > expires: > 2018-12-19 15:18:16 > > UTC key > > > usage: > > > > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > eku: > id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection > > > pre-save command: > /usr/libexec/ipa/certmonger/stop_pkicad > > post-save > > > command: > /usr/libexec/ipa/certmonger/renew_ca_cert > > "Server-Cert > > > cert-pki-ca" track: yes auto-renew: yes > Request ID > > '20161229152115': > > > status: MONITORING stuck: no key pair > storage: > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > > Certificate > DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > > Certificate DB' CA: IPA issuer: > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > > subject: > > > CN=ipa12.mgmt.crosschx.com > > > > > > > > >>,O=MGMT.CROSSCHX.COM > > > > > > expires: > 2018-12-30 15:14:54 > > UTC key > > > usage: > > > > > > 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > > post-save > > > command: > /usr/libexec/ipa/certmonger/restart_httpd track: yes > > > auto-renew: yes Request ID > '20161229152204': status: > > MONITORING > > > stuck: no key pair storage: > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > > Certificate > DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > > > > > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > > Certificate DB' CA: > dogtag-ipa-ca-renew-agent issuer: > > CN=Certificate > > > Authority,O=MGMT.CROSSCHX.COM > > > subject: > > > CN=IPA RA,O=MGMT.CROSSCHX.COM > > > expires: > > > 2018-11-12 13:01:34 UTC key usage: > > > > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > > > > /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save > > command: > > > > /usr/libexec/ipa/certmonger/renew_ra_cert track: yes > > auto-renew: yes
> > >
> > > *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
> > > 614.427.2411
> > > mike.plemmons at crosschx.com
> > > www.crosschx.com

From callum.guy at x-on.co.uk Thu May 18 12:12:28 2017
From: callum.guy at x-on.co.uk (Callum Guy)
Date: Thu, 18 May 2017 12:12:28 +0000
Subject: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance
In-Reply-To:
References:
Message-ID:

Thanks Martin, really appreciate the additional information.

Are you aware of a separate guide for installing DogTag/PKI on top of FreeIPA - basically I am happy to install separately if it doesn't compromise the FreeIPA server configuration, I'm not clear on whether this is possible without a major time investment.

On Thu, May 18, 2017 at 12:46 PM Martin Bašti wrote:

>
> Please note that commits in #6766 will not fix this issue, the issue is on
> dogtag side, please see https://pagure.io/dogtagpki/issue/2646
> Sorry for troubles
>
>
> On 18.05.2017 12:19, Callum Guy wrote:
>
> Haha, looks like I'm going CA-less for a while on the replica. I don't see
> any immediate requirement for one so time to get on with my life!
>
> I'll post back if anything changes but I'm probably stuck waiting for the
> upgrade too..
>
> On Thu, May 18, 2017 at 11:01 AM Lachlan Musicman
> wrote:
>
>> Sorry cobber. We only found 6766 today - we've been tackling it on and
>> off for a couple of weeks :)
>>
>> ------
>> "Mission Statement: To provide hope and inspiration for collective
>> action, to build collective power, to achieve collective transformation,
>> rooted in grief and rage but pointed towards vision and dreams."
>>
>> - Patrice Cullors, *Black Lives Matter founder*
>>
>> On 18 May 2017 at 19:53, Callum Guy wrote:
>>
>>> Ah, thanks for that Lachlan - it's always reassuring to hear that it's not
>>> just me!
>>>
>>> As mentioned above I have it running without the CA so that's a good
>>> start. I am sure we will upgrade as well once 4.5 becomes stable and GA for
>>> CentOS. I'm not expecting that to happen quickly so will have to work with
>>> what we have for now.
>>>
>>> Do you happen to know if there is any way to build the CA component
>>> separately?
>>>
>>> On Thu, May 18, 2017 at 10:38 AM Lachlan Musicman
>>> wrote:
>>>
>>>> https://pagure.io/freeipa/issue/6766
>>>>
>>>> 4.5.1 - I stand corrected. Can add more tomorrow.
>>>>
>>>> ------
>>>> "Mission Statement: To provide hope and inspiration for collective
>>>> action, to build collective power, to achieve collective transformation,
>>>> rooted in grief and rage but pointed towards vision and dreams."
>>>>
>>>> - Patrice Cullors, *Black Lives Matter founder*
>>>>
>>>> On 18 May 2017 at 19:34, Lachlan Musicman wrote:
>>>>
>>>>> We are seeing this. I'm not at work, but I think it's bug report 6766.
>>>>>
>>>>> Patch has already been committed (not by us), we're waiting for IPA
>>>>> 4.5.
>>>>>
>>>>> cheers
>>>>> L.
>>>>>
>>>>> ------
>>>>> "Mission Statement: To provide hope and inspiration for collective
>>>>> action, to build collective power, to achieve collective transformation,
>>>>> rooted in grief and rage but pointed towards vision and dreams."
>>>>>
>>>>> - Patrice Cullors, *Black Lives Matter founder*
>>>>>
>>>>> On 18 May 2017 at 18:57, Callum Guy wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> I am currently stuck trying to set up the first replica of our master
>>>>>> IPA server. I have tried a number of different approaches including
>>>>>> escalating from a client and nothing is working for me. I perform a full OS
>>>>>> reset each time I get stuck.
>>>>>>
>>>>>> I'm running CentOS 7.2 with the FreeIPA 4.4.0 (rpm -q reports this
>>>>>> version however having performed ipa-server-upgrade - does this mean I'm on
>>>>>> 4.4.4?).
>>>>>>
>>>>>> The command is shown below - note that I am skipping the conn check
>>>>>> as my platform's security settings do not allow the SSH session to be
>>>>>> established back on the master, all ports should be available to the
>>>>>> application however.
>>>>>>
>>>>>> [root at ipa2 ~]# ipa-replica-install --ip-address=172.24.0.101
>>>>>> --setup-ca --setup-dns --skip-conncheck --no-forwarders SITE.net.gpg
>>>>>>
>>>>>> Directory Manager (existing master) password:
>>>>>>
>>>>>> ipa : ERROR Could not resolve hostname ipa2.SITE.net usis
>>>>>> check queries IPA DNS directly and ignores /etc/hosts.)
>>>>>> Continue? [no]: yes
>>>>>> Configuring NTP daemon (ntpd)
>>>>>>   [1/4]: stopping ntpd
>>>>>>   [2/4]: writing configuration
>>>>>>   [3/4]: configuring ntpd to start on boot
>>>>>>   [4/4]: starting ntpd
>>>>>> Done configuring NTP daemon (ntpd).
>>>>>> Configuring directory server (dirsrv). Estimated time: 1 minute
>>>>>>   [1/42]: creating directory server user
>>>>>>   [2/42]: creating directory server instance
>>>>>>   [3/42]: updating configuration in dse.ldif
>>>>>>   [4/42]: restarting directory server
>>>>>>   [5/42]: adding default schema
>>>>>>   [6/42]: enabling memberof plugin
>>>>>>   [7/42]: enabling winsync plugin
>>>>>>   [8/42]: configuring replication version plugin
>>>>>>   [9/42]: enabling IPA enrollment plugin
>>>>>>   [10/42]: enabling ldapi
>>>>>>   [11/42]: configuring uniqueness plugin
>>>>>>   [12/42]: configuring uuid plugin
>>>>>>   [13/42]: configuring modrdn plugin
>>>>>>   [14/42]: configuring DNS plugin
>>>>>>   [15/42]: enabling entryUSN plugin
>>>>>>   [16/42]: configuring lockout plugin
>>>>>>   [17/42]: configuring topology plugin
>>>>>>   [18/42]: creating indices
>>>>>>   [19/42]: enabling referential integrity plugin
>>>>>>   [20/42]: configuring ssl for ds instance
>>>>>>   [21/42]: configuring certmap.conf
>>>>>>   [22/42]: configure autobind for root
>>>>>>   [23/42]: configure new location for managed entries
>>>>>>   [24/42]: configure dirsrv ccache
>>>>>>   [25/42]: enabling SASL mapping fallback
>>>>>>   [26/42]: restarting directory server
>>>>>>   [27/42]: setting up initial replication
>>>>>> Starting replication, please wait until this has completed.
>>>>>> Update in progress, 4 seconds elapsed
>>>>>> Update succeeded
>>>>>>
>>>>>>   [28/42]: adding sasl mappings to the directory
>>>>>>   [29/42]: updating schema
>>>>>>   [30/42]: setting Auto Member configuration
>>>>>>   [31/42]: enabling S4U2Proxy delegation
>>>>>>   [32/42]: importing CA certificates from LDAP
>>>>>>   [33/42]: initializing group membership
>>>>>>   [34/42]: adding master entry
>>>>>>   [35/42]: initializing domain level
>>>>>>   [36/42]: configuring Posix uid/gid generation
>>>>>>   [37/42]: adding replication acis
>>>>>>   [38/42]: enabling compatibility plugin
>>>>>>   [39/42]: activating sidgen plugin
>>>>>>   [40/42]: activating extdom plugin
>>>>>>   [41/42]: tuning directory server
>>>>>>   [42/42]: configuring directory to start on boot
>>>>>> Done configuring directory server (dirsrv).
>>>>>> Configuring certificate server (pki-tomcatd). Estimated time: 3
>>>>>> minutes 30 seconds
>>>>>>   [1/27]: creating certificate server user
>>>>>>   [2/27]: configuring certificate server instance
>>>>>>   [3/27]: stopping certificate server instance to update CS.cfg
>>>>>>   [4/27]: backing up CS.cfg
>>>>>>   [5/27]: disabling nonces
>>>>>>   [6/27]: set up CRL publishing
>>>>>>   [7/27]: enable PKIX certificate path discovery and validation
>>>>>>   [8/27]: starting certificate server instance
>>>>>>
>>>>>> And here it stays and refuses to move on. The ipareplica-install.log
>>>>>> log reports:
>>>>>> 2017-05-18T08:40:07Z DEBUG wait_for_open_ports: localhost [8080,
>>>>>> 8443] timeout 300
>>>>>> 2017-05-18T08:40:09Z DEBUG Waiting until the CA is running
>>>>>> 2017-05-18T08:40:09Z DEBUG request POST
>>>>>> http://ipa2.SITE.net:8080/ca/admin/ca/getStatus
>>>>>> 2017-05-18T08:40:09Z DEBUG request body ''
>>>>>>
>>>>>> I have tried and that port is indeed inaccessible but I can't
>>>>>> establish a way to progress this issue from any of the other log files.
>>>>>> Also I have seen in the 4.4.4 release notes that IPv6 being disabled on the
>>>>>> master can cause issues, re-enabling (at least in /etc/hosts) did not seem
>>>>>> to help.
>>>>>>
>>>>>> If anyone is able to offer ideas that would be very much appreciated.
>>>>>> I am tempted to remove the --setup-ca option to see if this helps.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Callum
>>>>>>
>>>>>> 0333 332 0000 | www.x-on.co.uk
>>>>>>
>>>>>> X-on is a trading name of Storacall Technology Ltd a limited company
>>>>>> registered in England and Wales.
>>>>>> Registered Office : Avaland House, 110 London Road, Apsley, Hemel
>>>>>> Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
>>>>>> The information in this e-mail is confidential and for use by the
>>>>>> addressee(s) only. If you are not the intended recipient, please notify
>>>>>> X-on immediately on +44(0)333 332 0000 and
>>>>>> delete the
>>>>>> message from your computer. If you are not a named addressee you must
>>>>>> not use, disclose, disseminate, distribute, copy, print or reply to this
>>>>>> email. Views or opinions expressed by an individual
>>>>>> within this email may not necessarily reflect the views of X-on or
>>>>>> its associated companies. Although X-on routinely screens for viruses,
>>>>>> addressees should scan this email and any attachments
>>>>>> for viruses. X-on makes no representation or warranty as to the
>>>>>> absence of viruses in this email or any attachments.
>>>>>>
>>>>>> --
>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>> Go to http://freeipa.org for more info on the project
>
> --
> Martin Bašti
> Software Engineer
> Red Hat Czech

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From mbasti at redhat.com Thu May 18 12:28:50 2017
From: mbasti at redhat.com (Martin Bašti)
Date: Thu, 18 May 2017 14:28:50 +0200
Subject: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance
In-Reply-To:
References:
Message-ID: <6dc6579c-f3f4-d787-4c4c-64d953252ecd@redhat.com>

ipa-ca-install will install on top of FreeIPA CA-less replica, nothing else, you really don't want to do it manually.

On 18.05.2017 14:12, Callum Guy wrote:
> Thanks Martin, really appreciate the additional information.
>
> Are you aware of a separate guide for installing DogTag/PKI on top of
> FreeIPA - basically I am happy to install separately if it doesn't
> compromise the FreeIPA server configuration, i'm not clear on whether
> this is possible without a major time investment.
>
> On Thu, May 18, 2017 at 12:46 PM Martin Bašti
> wrote:
>
>
> Please note that commits in #6766 will not fix this issue, the
> issue is on dogtag side, please see
> https://pagure.io/dogtagpki/issue/2646
>
> Sorry for troubles
>
>
> On 18.05.2017 12:19, Callum Guy wrote:
>> Haha, looks like I'm going CA-less for a while on the replica. I
>> don't see any immediate requirement for one so time to get on
>> with my life!
>>
>> I'll post back if anything changes but I'm probably stuck waiting
>> for the upgrade too..
>>
>> On Thu, May 18, 2017 at 11:01 AM Lachlan Musicman
>> wrote:
>>
>> Sorry cobber. We only found 6766 today - we've been tackling
>> it on and off for a couple of weeks :)
>>
>> ------
>> "Mission Statement: To provide hope and inspiration for
>> collective action, to build collective power, to achieve
>> collective transformation, rooted in grief and rage but
>> pointed towards vision and dreams."
>>
>> - Patrice Cullors, /Black Lives Matter founder/
>>
>> On 18 May 2017 at 19:53, Callum Guy wrote:
>>
>> Ah, thanks for that Lachlan - it's always reassuring to
>> hear that it's not just me!
>>
>> As mentioned above I have it running without the CA so
>> that's a good start. I am sure we will upgrade as well
>> once 4.5 becomes stable and GA for CentOS. I'm not
>> expecting that to happen quickly so will have to work
>> with what we have for now.
>>
>> Do you happen to know if there is any way to build the CA
>> component separately?
>>
>> On Thu, May 18, 2017 at 10:38 AM Lachlan Musicman
>> wrote:
>>
>> https://pagure.io/freeipa/issue/6766
>>
>> 4.5.1 - I stand corrected. Can add more tomorrow.
>>
>> ------
>> "Mission Statement: To provide hope and inspiration
>> for collective action, to build collective power, to
>> achieve collective transformation, rooted in grief
>> and rage but pointed towards vision and dreams."
>>
>> - Patrice Cullors, /Black Lives Matter founder/
>>
>> On 18 May 2017 at 19:34, Lachlan Musicman
>> wrote:
>>
>> We are seeing this. I'm not at work, but I think
>> it's bug report 6766.
>>
>> Patch has already been committed (bot by us),
>> we're waiting for IPA 4.5.
>>
>> cheers
>> L.
>>
>> ------
>> "Mission Statement: To provide hope and
>> inspiration for collective action, to build
>> collective power, to achieve collective
>> transformation, rooted in grief and rage but
>> pointed towards vision and dreams."
>>
>> - Patrice Cullors, /Black Lives Matter founder/
>>
>> On 18 May 2017 at 18:57, Callum Guy
>> wrote:
>>
>> Hi All,
>>
>> I am currently stuck trying to set up the
>> first replica of our master IPA server. I
>> have tried a number of different approaches
>> including escalating from a client and
>> nothing is working for me. I perform a full
>> OS reset each time I get stuck.
>>
>> I'm running CentOS 7.2 with the FreeIPA 4.4.0
>> (rpm -q reports this version however having
>> performed ipa-server-upgrade - does this mean
>> I'm on 4.4.4?).
>>
>> The command is shown below - note that I am
>> skipping the conn check as my platform's
>> security settings do not allow the SSH
>> session to be established back on the master,
>> all ports should be available to the
>> application however.
>>
>> [root at ipa2 ~]# ipa-replica-install
>> --ip-address=172.24.0.101 --setup-ca
>> --setup-dns --skip-conncheck
>> --no-forwarders SITE.net.gpg
>>
>> Directory Manager (existing master) password:
>>
>> ipa : ERROR Could not resolve
>> hostname ipa2.SITE.net
>> usis check queries IPA DNS directly and
>> ignores /etc/hosts.)
>> Continue? [no]: yes
>> Configuring NTP daemon (ntpd)
>> [1/4]: stopping ntpd
>> [2/4]: writing configuration
>> [3/4]: configuring ntpd to start on boot
>> [4/4]: starting ntpd
>> Done configuring NTP daemon (ntpd).
>> Configuring directory server (dirsrv).
>> Estimated time: 1 minute
>> [1/42]: creating directory server user
>> [2/42]: creating directory server instance
>> [3/42]: updating configuration in dse.ldif
>> [4/42]: restarting directory server
>> [5/42]: adding default schema
>> [6/42]: enabling memberof plugin
>> [7/42]: enabling winsync plugin
>> [8/42]: configuring replication version plugin
>> [9/42]: enabling IPA enrollment plugin
>> [10/42]: enabling ldapi
>> [11/42]: configuring uniqueness plugin
>> [12/42]: configuring uuid plugin
>> [13/42]: configuring modrdn plugin
>> [14/42]: configuring DNS plugin
>> [15/42]: enabling entryUSN plugin
>> [16/42]: configuring lockout plugin
>> [17/42]: configuring topology plugin
>> [18/42]: creating indices
>> [19/42]: enabling referential integrity plugin
>> [20/42]: configuring ssl for ds instance
>> [21/42]: configuring certmap.conf
>> [22/42]: configure autobind for root
>> [23/42]: configure new location for managed
>> entries
>> [24/42]: configure dirsrv ccache
>> [25/42]: enabling SASL mapping fallback
>> [26/42]: restarting directory server
>> [27/42]: setting up initial replication
>> Starting replication, please wait until this
>> has completed.
>> Update in progress, 4 seconds elapsed
>> Update succeeded
>>
>> [28/42]: adding sasl mappings to the directory
>> [29/42]: updating schema
>> [30/42]: setting Auto Member configuration
>> [31/42]: enabling S4U2Proxy delegation
>> [32/42]: importing CA certificates from LDAP
>> [33/42]: initializing group membership
>> [34/42]: adding master entry
>> [35/42]: initializing domain level
>> [36/42]: configuring Posix uid/gid generation
>> [37/42]: adding replication acis
>> [38/42]: enabling compatibility plugin
>> [39/42]: activating sidgen plugin
>> [40/42]: activating extdom plugin
>> [41/42]: tuning directory server
>> [42/42]: configuring directory to start on boot
>> Done configuring directory server (dirsrv).
>> Configuring certificate server (pki-tomcatd).
>> Estimated time: 3 minutes 30 seconds
>> [1/27]: creating certificate server user
>> [2/27]: configuring certificate server instance
>> [3/27]: stopping certificate server
>> instance to update CS.cfg
>> [4/27]: backing up CS.cfg
>> [5/27]: disabling nonces
>> [6/27]: set up CRL publishing
>> [7/27]: enable PKIX certificate path
>> discovery and validation
>> [8/27]: starting certificate server instance
>>
>> And here it stays and refuses to move on. The
>> ipareplica-install.log log reports:
>> 2017-05-18T08:40:07Z DEBUG
>> wait_for_open_ports: localhost [8080, 8443]
>> timeout 300
>> 2017-05-18T08:40:09Z DEBUG Waiting until the
>> CA is running
>> 2017-05-18T08:40:09Z DEBUG request POST
>> http://ipa2.SITE.net:8080/ca/admin/ca/getStatus
>> 2017-05-18T08:40:09Z DEBUG request body ''
>>
>> I have tried and that port is indeed
>> inaccessible but I can't establish a way to
>> progress this issue from any of the other
>> log files. Also I have seen in the 4.4.4
>> release notes that IPv6 being disabled on the
>> master can cause issues, re-enabling (at
>> least in /etc/hosts) did not seem to help.
>>
>> If anyone is able to offer ideas that would
>> be very much appreciated. I am tempted to
>> remove the --setup-ca option to see if this
>> helps.
>>
>> Thanks,
>>
>> Callum
>
> --
> Martin Bašti
> Software Engineer
> Red Hat Czech

--
Martin Bašti
Software Engineer
Red Hat Czech

-------------- next part --------------
An HTML attachment was scrubbed...
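The stall reported in the message quoted above (the install log ends on a `getStatus` request with nothing after it) can be spotted mechanically. This is an added example, not part of the thread and not FreeIPA code: `analyse()`, `describe()` and the sample constants are hypothetical names, four of the log entries are the ones quoted in the thread, and the step line and the `response status` line format are assumptions constructed for the demonstration.

```python
import re
from datetime import datetime, timezone

# The four DEBUG entries quoted in the thread, preceded by one constructed
# step line (assumed format) so the analyser can name the installer step.
SAMPLE_STALLED = """\
2017-05-18T08:40:05Z DEBUG   [8/27]: starting certificate server instance
2017-05-18T08:40:07Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
2017-05-18T08:40:09Z DEBUG Waiting until the CA is running
2017-05-18T08:40:09Z DEBUG request POST http://ipa2.SITE.net:8080/ca/admin/ca/getStatus
2017-05-18T08:40:09Z DEBUG request body ''
"""

# Constructed continuation: what a run that got an answer might log next.
# The "response status" wording and the step name are assumptions.
SAMPLE_HEALTHY = SAMPLE_STALLED + """\
2017-05-18T08:40:10Z DEBUG response status 200
2017-05-18T08:40:11Z DEBUG   [9/27]: constructed next step
"""

ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (\w+) (.*)$")
STEP = re.compile(r"^\[(\d+)/(\d+)\]: (.+)$")
PORT_WAIT = re.compile(r"^wait_for_open_ports: (\S+) \[([\d, ]+)\] timeout (\d+)$")
REQUEST = re.compile(r"^request (GET|POST) (\S+)$")
RESPONSE = re.compile(r"^response status (\d+)$")


def analyse(log_text, now):
    """Summarise where an install log stopped.

    Returns the last installer step, the last port wait, any HTTP request
    that never got a response, and how long the log has been silent.
    """
    result = {"step": None, "port_wait": None, "pending": None,
              "last_status": None, "idle_seconds": None, "stalled": False}
    last_entry = None
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if entry is None:
            continue  # continuation lines (tracebacks) carry no timestamp
        last_entry = datetime.strptime(
            entry.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        message = entry.group(3).strip()

        step = STEP.match(message)
        if step:
            result["step"] = (int(step.group(1)), int(step.group(2)), step.group(3))
            result["pending"] = None  # the installer moved on, so the call returned
            continue
        wait = PORT_WAIT.match(message)
        if wait:
            ports = [int(p) for p in wait.group(2).split(",")]
            result["port_wait"] = (wait.group(1), ports, int(wait.group(3)))
            continue
        request = REQUEST.match(message)
        if request:
            result["pending"] = {"method": request.group(1),
                                 "url": request.group(2), "sent": last_entry}
            continue
        response = RESPONSE.match(message)
        if response:
            result["last_status"] = int(response.group(1))
            result["pending"] = None  # the outstanding request was answered

    if last_entry is not None:
        result["idle_seconds"] = int((now - last_entry).total_seconds())
    if result["pending"] is not None:
        sent = result["pending"]["sent"]
        result["pending"]["waiting_seconds"] = int((now - sent).total_seconds())
        result["stalled"] = True
    return result


def describe(result):
    """One-line summary suitable for a ticket or a chat message."""
    step = result["step"]
    where = "step %d/%d (%s)" % step if step else "an unknown step"
    if not result["stalled"]:
        return "No unanswered request; last step seen was %s." % where
    pending = result["pending"]
    return ("Stalled at %s: %s %s has had no response for %d s." %
            (where, pending["method"], pending["url"], pending["waiting_seconds"]))


if __name__ == "__main__":
    now = datetime(2017, 5, 18, 8, 50, 9, tzinfo=timezone.utc)
    print(describe(analyse(SAMPLE_STALLED, now)))
    print(describe(analyse(SAMPLE_HEALTHY, now)))
```
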
From bret.wortman at damascusgrp.com Thu May 18 12:43:48 2017
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Thu, 18 May 2017 08:43:48 -0400
Subject: [Freeipa-users] I think I lost my CA...
In-Reply-To: <28c6acf8-a76f-6676-729e-8608b2cc1249@redhat.com>
References: <25b53b08-ede0-7627-4b31-d9cb7de50b38@damascusgrp.com>
 <2da4022b-408a-846e-1acf-1d1b576987a6@damascusgrp.com>
 <42070482-0397-f4c7-552d-6215b6140197@damascusgrp.com>
 <50a036fb-b118-878e-5983-85427aefb8e5@damascusgrp.com>
 <81f171a5-3bea-ed43-94a0-c20f53b756f0@damascusgrp.com>
 <28c6acf8-a76f-6676-729e-8608b2cc1249@redhat.com>
Message-ID: <61cd147a-4421-087e-a3b7-5c08aa6908ee@damascusgrp.com>

On 04/26/2017 06:02 PM, Rob Crittenden wrote:
> Bret Wortman wrote:
>> So I can see my certs using cert-find, but can't get details using
>> cert-show or add new ones using cert-request.
>>
>> # ipa cert-find
>> :
>> ------------------------------
>> Number of entries returned 385
>> ------------------------------
>> # ipa cert-show 895
>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>> communicate with CMS (503)
>> # ipa cert-show 1 (which does not exist)
>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>> communicate with CMS (503)
>> # ipa cert-status 895
>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>> communicate with CMS (503)
>> #
>>
>> Is this an IPV6 thing? Because ipactl shows everything green and
>> certmonger is running.
> Doubtful.
>
> cert-find and cert-show use different APIs in dogtag. cert-find uses the
> newer RESTful API and cert-show uses the older XML-based API (and is
> authenticated). I'm guessing that is where the issue lies.
>
> What I'd recommend doing is noting the time, restarting the CA, and then
> plow through the debug log looking for failures. It could be that the CA
> is only partially up (and I'd check your CA subsystem certs as well).

Which debug log, specifically, do you think will help? I'm also not sure what you mean by, "check your CA subsystem certs." We still have pending CSRs that we can't grant until I get this working again.

> rob
>
>> Bret
>>
>>
>> On 04/26/2017 09:03 AM, Bret Wortman wrote:
>>> Digging still deeper:
>>>
>>> # ipa cert-request f.f --principal=HTTP/`hostname`@DAMASCUSGRP.COM
>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>> communicate with CMS (503)
>>>
>>> Looks like this is an HTTP error; so is it possible that my IPA thinks
>>> it has a CA but there's no CMS available?
>>>
>>>
>>> On 04/26/2017 08:41 AM, Bret Wortman wrote:
>>>> Using the firefox debugger, I get these errors when trying to pop up
>>>> the New Certificate dialog:
>>>>
>>>> Empty string passed to getElementById(). (5)
>>>> jquery.js:4:1060
>>>> TypeError: u is undefined
>>>> app.js:1:362059
>>>> Empty string passed to getElementById(). (5)
>>>> jquery.js:4:1060
>>>> TypeError: t is undefined
>>>> app.js:1:217432
>>>>
>>>> I'm definitely not a web kind of guy so I'm not sure if this is
>>>> helpful or not. This is on 4.4.0, API Version 2.213.
>>>>
>>>>
>>>> Bret
>>>>
>>>>
>>>> On 04/26/2017 08:35 AM, Bret Wortman wrote:
>>>>> Good news. One of my servers _does_ have CA installed. So why does
>>>>> "Action -> New Certificate" not do anything on this or any other server?
>>>>>
>>>>>
>>>>> Bret
>>>>>
>>>>>
>>>>> On 04/25/2017 02:52 PM, Bret Wortman wrote:
>>>>>> I recently had to upgrade all my Fedora IPA servers to C7. It went
>>>>>> well, and we've been up and running nicely on 4.4.0 on C7 for the
>>>>>> past month or so.
>>>>>>
>>>>>> Today, someone came and asked me to generate a new certificate for
>>>>>> their web server. All was good until I went to the IPA UI and tried
>>>>>> to perform Actions->New Certificate, which did nothing. I tried
>>>>>> each of our 3 servers in turn. All came back with no popup window
>>>>>> and no error, either.
>>>>>>
>>>>>> I suspect the problem might be that we no longer have a CA server
>>>>>> due to the method I used to upgrade the servers. I likely missed a
>>>>>> "--setup-ca" in there somewhere, so my rolling update rolled over
>>>>>> the CA.
>>>>>>
>>>>>> What's my best hope of recovery? I never ran this before, so I'm
>>>>>> not sure if this shows that I'm missing a CA or not:
>>>>>>
>>>>>> # ipa ca-find
>>>>>> ------------
>>>>>> 1 CA matched
>>>>>> ------------
>>>>>> Name: ipa
>>>>>> Description IPA CA
>>>>>> Authority ID: 3ce3346[...]
>>>>>> Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM
>>>>>> Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM
>>>>>> ----------------------------
>>>>>> Number of entries returned 1
>>>>>> ----------------------------
>>>>>> # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA,
>>>>>> O=DAMASCUSGRP.COM"
>>>>>> ipa: ERROR: Failed to authenticate to CA REST API
>>>>>> # klist
>>>>>> Ticket cache: KEYRING:persistent:0:0
>>>>>> Default principal: admin at DAMASCUSGRP.COM
>>>>>>
>>>>>> Valid starting Expires Service principal
>>>>>> 04/25/2017 18:48:26 04/26/2017 18:48:21
>>>>>> krbtgt/DAMASCUSGRP.COM at DAMASCUSGRP.COM
>>>>>> #
>>>>>>
>>>>>>
>>>>>> What's my best path of recovery?
>>>>>>
>>>>>> --
>>>>>> *Bret Wortman*
>>>>>> The Damascus Group

From callum.guy at x-on.co.uk Thu May 18 12:44:16 2017
From: callum.guy at x-on.co.uk (Callum Guy)
Date: Thu, 18 May 2017 12:44:16 +0000
Subject: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance
In-Reply-To: <6dc6579c-f3f4-d787-4c4c-64d953252ecd@redhat.com>
References: <6dc6579c-f3f4-d787-4c4c-64d953252ecd@redhat.com>
Message-ID:

Thanks for that Martin.

The man page for ipa-ca-install suggests I could pass in my replica file to create a "CA-less" configuration. Is this what I want or is a CA-full appropriate?
All I want to achieve is the additional resilience provided by a replica which can both authorise and sign certificates in the event of a loss of the master server. I certainly don't want an entirely separate CA to be installed - my anticipation is that my replica will be able to become an intermediate authority - is that the intended arrangement for a replica? Finally, do you hold out much hope that ipa-ca-install will work any better than --setup-ca flag I was attempting to get working for the replica install? If its the same code I would probably just end up with a half configured CA and have to rebuild my replica - something I would like to avoid repeating after the last couple of days! On Thu, May 18, 2017 at 1:28 PM Martin Ba?ti wrote: > ipa-ca-install will install on top of FreeIPA CA-less replica, nothing > else, you really don't want to do it manually. > > On 18.05.2017 14:12, Callum Guy wrote: > > Thanks Martin, really appreciate the additional information. > > Are you aware of a separate guide for installing DogTag/PKI on top of > FreeIPA - basically I am happy to install separately if it doesn't > compromise the FreeIPA server configuration, i'm not clear on whether this > is possible without a major time investment. > > On Thu, May 18, 2017 at 12:46 PM Martin Ba?ti wrote: > >> >> Please note that commits in #6766 will not fix this issue, the issue is >> on dogtag side, please see https://pagure.io/dogtagpki/issue/2646 >> Sorry for troubles >> >> >> On 18.05.2017 12:19, Callum Guy wrote: >> >> Haha, looks like i'm going CA-less for a while on the replica. I don't >> see any immediate requirement for one so time to get on with my life! >> >> I'll post back if anything changes but I'm probably stuck waiting for the >> upgrade too.. >> >> On Thu, May 18, 2017 at 11:01 AM Lachlan Musicman >> wrote: >> >>> Sorry cobber. 
We only found 6766 today - we've been tackling it on and >>> off for a couple of weeks :) >>> >>> ------ >>> "Mission Statement: To provide hope and inspiration for collective >>> action, to build collective power, to achieve collective transformation, >>> rooted in grief and rage but pointed towards vision and dreams." >>> >>> - Patrice Cullors, *Black Lives Matter founder* >>> >>> On 18 May 2017 at 19:53, Callum Guy wrote: >>> >>>> Ah, thanks for that Lachlan - its always reassuring to hear that its >>>> not just me! >>>> >>>> As mentioned above I have it running without the CA so that's a good >>>> start. I am sure we will upgrade as well once 4.5 becomes stable and GA for >>>> CentOS. I'm not expecting that to happen quickly so will have to work with >>>> what we have for now. >>>> >>>> Do you happen to know if there is any way to build the CA component >>>> separately? >>>> >>>> On Thu, May 18, 2017 at 10:38 AM Lachlan Musicman >>>> wrote: >>>> >>>>> https://pagure.io/freeipa/issue/6766 >>>>> >>>>> 4.5.1 - I stand corrected. Can add more tomorrow. >>>>> >>>>> ------ >>>>> "Mission Statement: To provide hope and inspiration for collective >>>>> action, to build collective power, to achieve collective transformation, >>>>> rooted in grief and rage but pointed towards vision and dreams." >>>>> >>>>> - Patrice Cullors, *Black Lives Matter founder* >>>>> >>>>> On 18 May 2017 at 19:34, Lachlan Musicman wrote: >>>>> >>>>>> We are seeing this. I'm not at work, but I think it's bug report >>>>>> 6766. >>>>>> >>>>>> Patch has already been committed (bot by us), we're waiting for IPA >>>>>> 4.5. >>>>>> >>>>>> cheers >>>>>> L. >>>>>> >>>>>> ------ >>>>>> "Mission Statement: To provide hope and inspiration for collective >>>>>> action, to build collective power, to achieve collective transformation, >>>>>> rooted in grief and rage but pointed towards vision and dreams." 
>>>>>> >>>>>> - Patrice Cullors, *Black Lives Matter founder* >>>>>> >>>>>> On 18 May 2017 at 18:57, Callum Guy wrote: >>>>>> >>>>>>> Hi All, >>>>>>> >>>>>>> I am currently stuck trying to setup the first replica of our master >>>>>>> IPA server. I have tried a number of different approaches including >>>>>>> escalating from a client and nothing is working for me. I perform a full OS >>>>>>> reset each time I get stuck. >>>>>>> >>>>>>> I'm running CentOS 7.2 with the FreeIPA 4.4.0 (rpm -q reports this >>>>>>> version however having performed ipa-server-upgrade - does this mean i'm on >>>>>>> 4.4.4?). >>>>>>> >>>>>>> The command is shown below - note that i am skipping the conn check >>>>>>> as my platforms security settings do not allow the SSH session to be >>>>>>> established back on the master, all ports should be available to the >>>>>>> application however. >>>>>>> >>>>>>> [root at ipa2 ~]# ipa-replica-install --ip-address=172.24.0.101 >>>>>>> --setup-ca --setup-dns --skip-conncheck --no-forwarders SITE.net.gpg >>>>>>> >>>>>>> Directory Manager (existing master) password: >>>>>>> >>>>>>> ipa : ERROR Could not resolve hostname ipa2.SITE.net >>>>>>> usis check queries IPA DNS directly and ignores /etc/hosts.) >>>>>>> Continue? [no]: yes >>>>>>> Configuring NTP daemon (ntpd) >>>>>>> [1/4]: stopping ntpd >>>>>>> [2/4]: writing configuration >>>>>>> [3/4]: configuring ntpd to start on boot >>>>>>> [4/4]: starting ntpd >>>>>>> Done configuring NTP daemon (ntpd). >>>>>>> Configuring directory server (dirsrv). 
Estimated time: 1 minute >>>>>>> [1/42]: creating directory server user >>>>>>> [2/42]: creating directory server instance >>>>>>> [3/42]: updating configuration in dse.ldif >>>>>>> [4/42]: restarting directory server >>>>>>> [5/42]: adding default schema >>>>>>> [6/42]: enabling memberof plugin >>>>>>> [7/42]: enabling winsync plugin >>>>>>> [8/42]: configuring replication version plugin >>>>>>> [9/42]: enabling IPA enrollment plugin >>>>>>> [10/42]: enabling ldapi >>>>>>> [11/42]: configuring uniqueness plugin >>>>>>> [12/42]: configuring uuid plugin >>>>>>> [13/42]: configuring modrdn plugin >>>>>>> [14/42]: configuring DNS plugin >>>>>>> [15/42]: enabling entryUSN plugin >>>>>>> [16/42]: configuring lockout plugin >>>>>>> [17/42]: configuring topology plugin >>>>>>> [18/42]: creating indices >>>>>>> [19/42]: enabling referential integrity plugin >>>>>>> [20/42]: configuring ssl for ds instance >>>>>>> [21/42]: configuring certmap.conf >>>>>>> [22/42]: configure autobind for root >>>>>>> [23/42]: configure new location for managed entries >>>>>>> [24/42]: configure dirsrv ccache >>>>>>> [25/42]: enabling SASL mapping fallback >>>>>>> [26/42]: restarting directory server >>>>>>> [27/42]: setting up initial replication >>>>>>> Starting replication, please wait until this has completed. 
>>>>>>> Update in progress, 4 seconds elapsed >>>>>>> Update succeeded >>>>>>> >>>>>>> [28/42]: adding sasl mappings to the directory >>>>>>> [29/42]: updating schema >>>>>>> [30/42]: setting Auto Member configuration >>>>>>> [31/42]: enabling S4U2Proxy delegation >>>>>>> [32/42]: importing CA certificates from LDAP >>>>>>> [33/42]: initializing group membership >>>>>>> [34/42]: adding master entry >>>>>>> [35/42]: initializing domain level >>>>>>> [36/42]: configuring Posix uid/gid generation >>>>>>> [37/42]: adding replication acis >>>>>>> [38/42]: enabling compatibility plugin >>>>>>> [39/42]: activating sidgen plugin >>>>>>> [40/42]: activating extdom plugin >>>>>>> [41/42]: tuning directory server >>>>>>> [42/42]: configuring directory to start on boot >>>>>>> Done configuring directory server (dirsrv). >>>>>>> Configuring certificate server (pki-tomcatd). Estimated time: 3 >>>>>>> minutes 30 seconds >>>>>>> [1/27]: creating certificate server user >>>>>>> [2/27]: configuring certificate server instance >>>>>>> [3/27]: stopping certificate server instance to update CS.cfg >>>>>>> [4/27]: backing up CS.cfg >>>>>>> [5/27]: disabling nonces >>>>>>> [6/27]: set up CRL publishing >>>>>>> [7/27]: enable PKIX certificate path discovery and validation >>>>>>> [8/27]: starting certificate server instance >>>>>>> >>>>>>> And here is stays and refuses to move on. The ipareplica-install.log >>>>>>> log reports: >>>>>>> 2017-05-18T08:40:07Z DEBUG wait_for_open_ports: localhost [8080, >>>>>>> 8443] timeout 300 >>>>>>> 2017-05-18T08:40:09Z DEBUG Waiting until the CA is running >>>>>>> 2017-05-18T08:40:09Z DEBUG request POST >>>>>>> http://ipa2.SITE.net:8080/ca/admin/ca/getStatus >>>>>>> 2017-05-18T08:40:09Z DEBUG request body '' >>>>>>> >>>>>>> I have tried and that port is indeed inaccessible but I can't >>>>>>> establish a way to progress this issue from any of the the other log files. 
>>>>>>> Also I have seen in the 4.4.4 release notes that IPv6 being disabled on the
>>>>>>> master can cause issues, re-enabling (at least in /etc/hosts) did not seem
>>>>>>> to help.
>>>>>>>
>>>>>>> If anyone is able to offer ideas that would be very much
>>>>>>> appreciated. I am tempted to remove the --setup-ca option to see if this
>>>>>>> helps.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Callum
>>>>>>>
>>
>> --
>> Martin Bašti
>> Software Engineer
>> Red Hat Czech
>>
>
> --
> Martin Bašti
> Software Engineer
> Red Hat Czech
>

From mbasti at redhat.com Thu May 18 12:49:14 2017
From: mbasti at redhat.com (=?UTF-8?Q?Martin_Ba=c5=a1ti?=)
Date: Thu, 18 May 2017 14:49:14 +0200
Subject: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance
In-Reply-To:
References: <6dc6579c-f3f4-d787-4c4c-64d953252ecd@redhat.com>
Message-ID: <704155de-d19f-86af-568b-09c02ac8759f@redhat.com>

It will create a clone of the original CA, it will work as backup not a separate CA.

I'm afraid it will result in the same behavior because it uses almost the same code, but as I said before this issue is on dogtag side and not always reproducible.

On 18.05.2017 14:44, Callum Guy wrote:
> Thanks for that Martin.
>
> The man page for ipa-ca-install suggests I could pass in my replica
> file to create a "CA-less" configuration. Is this what I want or is a
> CA-full appropriate? All I want to achieve is the additional
> resilience provided by a replica which can both authorise and sign
> certificates in the event of a loss of the master server. I certainly
> don't want an entirely separate CA to be installed - my anticipation
> is that my replica will be able to become an intermediate authority -
> is that the intended arrangement for a replica?
>
> Finally, do you hold out much hope that ipa-ca-install will work any
> better than --setup-ca flag I was attempting to get working for the
> replica install? If it's the same code I would probably just end up
> with a half configured CA and have to rebuild my replica - something I
> would like to avoid repeating after the last couple of days!
>
> On Thu, May 18, 2017 at 1:28 PM Martin Bašti wrote:
>
> ipa-ca-install will install on top of FreeIPA CA-less replica,
> nothing else, you really don't want to do it manually.
>
>
> On 18.05.2017 14:12, Callum Guy wrote:
>> Thanks Martin, really appreciate the additional information.
>>
>> Are you aware of a separate guide for installing DogTag/PKI on
>> top of FreeIPA - basically I am happy to install separately if it
>> doesn't compromise the FreeIPA server configuration, I'm not
>> clear on whether this is possible without a major time investment.
>>
>> On Thu, May 18, 2017 at 12:46 PM Martin Bašti wrote:
>>
>>
>> Please note that commits in #6766 will not fix this issue,
>> the issue is on dogtag side, please see
>> https://pagure.io/dogtagpki/issue/2646
>>
>> Sorry for troubles
>>
>>
>> On 18.05.2017 12:19, Callum Guy wrote:
>>> Haha, looks like I'm going CA-less for a while on the
>>> replica. I don't see any immediate requirement for one so
>>> time to get on with my life!
>>>
>>> I'll post back if anything changes but I'm probably stuck
>>> waiting for the upgrade too..
>>>
>>> On Thu, May 18, 2017 at 11:01 AM Lachlan Musicman wrote:
>>>
>>> Sorry cobber. We only found 6766 today - we've been
>>> tackling it on and off for a couple of weeks :)
>>>
>>> ------
>>> "Mission Statement: To provide hope and inspiration for
>>> collective action, to build collective power, to achieve
>>> collective transformation, rooted in grief and rage but
>>> pointed towards vision and dreams."
>>>
>>> - Patrice Cullors, /Black Lives Matter founder/
>>>
>>> On 18 May 2017 at 19:53, Callum Guy wrote:
>>>
>>> Ah, thanks for that Lachlan - it's always reassuring
>>> to hear that it's not just me!
>>>
>>> As mentioned above I have it running without the CA
>>> so that's a good start. I am sure we will upgrade as
>>> well once 4.5 becomes stable and GA for CentOS. I'm
>>> not expecting that to happen quickly so will have to
>>> work with what we have for now.
>>>
>>> Do you happen to know if there is any way to build
>>> the CA component separately?
>>>
>>> On Thu, May 18, 2017 at 10:38 AM Lachlan Musicman wrote:
>>>
>>> https://pagure.io/freeipa/issue/6766
>>>
>>> 4.5.1 - I stand corrected. Can add more tomorrow.
>>>
>>> ------
>>> "Mission Statement: To provide hope and
>>> inspiration for collective action, to build
>>> collective power, to achieve collective
>>> transformation, rooted in grief and rage but
>>> pointed towards vision and dreams."
>>>
>>> - Patrice Cullors, /Black Lives Matter founder/
>>>
>>> On 18 May 2017 at 19:34, Lachlan Musicman wrote:
>>>
>>> We are seeing this. I'm not at work, but I
>>> think it's bug report 6766.
>>>
>>> Patch has already been committed (not by
>>> us), we're waiting for IPA 4.5.
>>>
>>> cheers
>>> L.
>>>
>>> ------
>>> "Mission Statement: To provide hope and
>>> inspiration for collective action, to build
>>> collective power, to achieve collective
>>> transformation, rooted in grief and rage but
>>> pointed towards vision and dreams."
>>>
>>> - Patrice Cullors, /Black Lives Matter founder/
>>>
>>> On 18 May 2017 at 18:57, Callum Guy wrote:
>>>
>>> Hi All,
>>>
>>> I am currently stuck trying to setup the
>>> first replica of our master IPA server.
>>> I have tried a number of different
>>> approaches including escalating from a
>>> client and nothing is working for me. I
>>> perform a full OS reset each time I get
>>> stuck.
>>>
>>> I'm running CentOS 7.2 with the FreeIPA
>>> 4.4.0 (rpm -q reports this version
>>> however having performed
>>> ipa-server-upgrade - does this mean I'm
>>> on 4.4.4?).
>>>
>>> The command is shown below - note that I
>>> am skipping the conn check as my
>>> platform's security settings do not allow
>>> the SSH session to be established back
>>> on the master, all ports should be
>>> available to the application however.
>>>
>>> [root at ipa2 ~]# ipa-replica-install --ip-address=172.24.0.101 --setup-ca --setup-dns --skip-conncheck --no-forwarders SITE.net.gpg
>>>
>>> Directory Manager (existing master) password:
>>>
>>> ipa : ERROR Could not resolve hostname ipa2.SITE.net usis check queries IPA DNS directly and ignores /etc/hosts.)
>>> Continue? [no]: yes
>>> Configuring NTP daemon (ntpd)
>>> [1/4]: stopping ntpd
>>> [2/4]: writing configuration
>>> [3/4]: configuring ntpd to start on boot
>>> [4/4]: starting ntpd
>>> Done configuring NTP daemon (ntpd).
>>> Configuring directory server (dirsrv). Estimated time: 1 minute
>>> [1/42]: creating directory server user
>>> [2/42]: creating directory server instance
>>> [3/42]: updating configuration in dse.ldif
>>> [4/42]: restarting directory server
>>> [5/42]: adding default schema
>>> [6/42]: enabling memberof plugin
>>> [7/42]: enabling winsync plugin
>>> [8/42]: configuring replication version plugin
>>> [9/42]: enabling IPA enrollment plugin
>>> [10/42]: enabling ldapi
>>> [11/42]: configuring uniqueness plugin
>>> [12/42]: configuring uuid plugin
>>> [13/42]: configuring modrdn plugin
>>> [14/42]: configuring DNS plugin
>>> [15/42]: enabling entryUSN plugin
>>> [16/42]: configuring lockout plugin
>>> [17/42]: configuring topology plugin
>>> [18/42]: creating indices
>>> [19/42]: enabling referential integrity plugin
>>> [20/42]: configuring ssl for ds instance
>>> [21/42]: configuring certmap.conf
>>> [22/42]: configure autobind for root
>>> [23/42]: configure new location for managed entries
>>> [24/42]: configure dirsrv ccache
>>> [25/42]: enabling SASL mapping fallback
>>> [26/42]: restarting directory server
>>> [27/42]: setting up initial replication
>>> Starting replication, please wait until this has completed.
>>> Update in progress, 4 seconds elapsed
>>> Update succeeded
>>>
>>> [28/42]: adding sasl mappings to the directory
>>> [29/42]: updating schema
>>> [30/42]: setting Auto Member configuration
>>> [31/42]: enabling S4U2Proxy delegation
>>> [32/42]: importing CA certificates from LDAP
>>> [33/42]: initializing group membership
>>> [34/42]: adding master entry
>>> [35/42]: initializing domain level
>>> [36/42]: configuring Posix uid/gid generation
>>> [37/42]: adding replication acis
>>> [38/42]: enabling compatibility plugin
>>> [39/42]: activating sidgen plugin
>>> [40/42]: activating extdom plugin
>>> [41/42]: tuning directory server
>>> [42/42]: configuring directory to start on boot
>>> Done configuring directory server (dirsrv).
>>> Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
>>> [1/27]: creating certificate server user
>>> [2/27]: configuring certificate server instance
>>> [3/27]: stopping certificate server instance to update CS.cfg
>>> [4/27]: backing up CS.cfg
>>> [5/27]: disabling nonces
>>> [6/27]: set up CRL publishing
>>> [7/27]: enable PKIX certificate path discovery and validation
>>> [8/27]: starting certificate server instance
>>>
>>> And here it stays and refuses to move
>>> on. The ipareplica-install.log log reports:
>>> 2017-05-18T08:40:07Z DEBUG wait_for_open_ports: localhost [8080, 8443] timeout 300
>>> 2017-05-18T08:40:09Z DEBUG Waiting until the CA is running
>>> 2017-05-18T08:40:09Z DEBUG request POST http://ipa2.SITE.net:8080/ca/admin/ca/getStatus
>>> 2017-05-18T08:40:09Z DEBUG request body ''
>>>
>>> I have tried and that port is indeed
>>> inaccessible but I can't establish a way
>>> to progress this issue from any of the
>>> other log files. Also I have seen in
>>> the 4.4.4 release notes that IPv6 being
>>> disabled on the master can cause issues,
>>> re-enabling (at least in /etc/hosts) did
>>> not seem to help.
>>>
>>> If anyone is able to offer ideas that
>>> would be very much appreciated. I am
>>> tempted to remove the --setup-ca option
>>> to see if this helps.
>>>
>>> Thanks,
>>>
>>> Callum
>>>
>>
>> --
>> Martin Bašti
>> Software Engineer
>> Red Hat Czech
>>
>
> --
> Martin Bašti
> Software Engineer
> Red Hat Czech
>

--
Martin Bašti
Software Engineer
Red Hat Czech

From bret.wortman at damascusgrp.com Thu May 18 12:56:21 2017
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Thu, 18 May 2017 08:56:21 -0400
Subject: [Freeipa-users] I think I lost my CA...
In-Reply-To: <61cd147a-4421-087e-a3b7-5c08aa6908ee@damascusgrp.com>
References: <25b53b08-ede0-7627-4b31-d9cb7de50b38@damascusgrp.com> <2da4022b-408a-846e-1acf-1d1b576987a6@damascusgrp.com> <42070482-0397-f4c7-552d-6215b6140197@damascusgrp.com> <50a036fb-b118-878e-5983-85427aefb8e5@damascusgrp.com> <81f171a5-3bea-ed43-94a0-c20f53b756f0@damascusgrp.com> <28c6acf8-a76f-6676-729e-8608b2cc1249@redhat.com> <61cd147a-4421-087e-a3b7-5c08aa6908ee@damascusgrp.com>
Message-ID: <1326f0de-44ce-7728-b20c-2567997c8b04@damascusgrp.com>

httpd_error seems to give the most information. When I try to use ipa cert-show:

ipa: INFO: [jsonserver_kerb] admin at DAMASCUSGRP.COM: ping(): SUCCESS
(111)Connection refused: AH00957: AJP: attempt to connect to 127.0.0.1:8009 (localhost) failed
AH00959: ap_proxy_connect_backend disabling worker for (locahost) for 60s
[client 192.168.208.54:52714] AH00896: failed to make connection to backend: localhost
ipa: ERROR: ra.get_certificate(): Unable to communicate with CMS (503)
ipa: INFO: [jsonserver_kerb] admin at DAMASCUSGRP.COM: cert_show/1(u'895', version=u'2.213'): CertificateOperationError

/var/log/pki/pki-tomcat/ca/debug just loops through the same set of messages every 5 minutes or so but doesn't seem to error.

/var/log/pki/localhost_access_log.2017-05-18.txt is basically empty except for a single entry (for a POST to /ca/admin/ca/getStatus)

Nothing shows up in dirsrv/slapd-DAMASCUSGRP-COM/errors or access when I issue the request, but periodic messages do appear about every 5 minutes or so.

On 05/18/2017 08:43 AM, Bret Wortman wrote:
> On 04/26/2017 06:02 PM, Rob Crittenden wrote:
>> Bret Wortman wrote:
>>> So I can see my certs using cert-find, but can't get details using
>>> cert-show or add new ones using cert-request.
>>>
>>> # ipa cert-find
>>> :
>>> ------------------------------
>>> Number of entries returned 385
>>> ------------------------------
>>> # ipa cert-show 895
>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>> communicate with CMS (503)
>>> # ipa cert-show 1 (which does not exist)
>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>> communicate with CMS (503)
>>> # ipa cert-status 895
>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>> communicate with CMS (503)
>>> #
>>>
>>> Is this an IPV6 thing? Because ipactl shows everything green and
>>> certmonger is running.
>> Doubtful.
>>
>> cert-find and cert-show use different APIs in dogtag. cert-find uses the
>> newer RESTful API and cert-show uses the older XML-based API (and is
>> authenticated). I'm guessing that is where the issue lies.
>>
>> What I'd recommend doing is noting the time, restarting the CA, and then
>> plow through the debug log looking for failures. It could be that the CA
>> is only partially up (and I'd check your CA subsystem certs as well).
> Which debug log, specifically, do you think will help? I'm also not
> sure what you mean by, "check your CA subsystem certs." We still have
> pending CSRs that we can't grant until I get this working again.
>> rob
>>
>>> Bret
>>>
>>>
>>> On 04/26/2017 09:03 AM, Bret Wortman wrote:
>>>> Digging still deeper:
>>>>
>>>> # ipa cert-request f.f
>>>> --principal=HTTP/`hostname`@DAMASCUSGRP.COM
>>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>> communicate with CMS (503)
>>>>
>>>> Looks like this is an HTTP error; so is it possible that my IPA thinks
>>>> it has a CA but there's no CMS available?
>>>>
>>>>
>>>> On 04/26/2017 08:41 AM, Bret Wortman wrote:
>>>>> Using the firefox debugger, I get these errors when trying to pop up
>>>>> the New Certificate dialog:
>>>>>
>>>>> Empty string passed to getElementById(). (5)
>>>>> jquery.js:4:1060
>>>>> TypeError: u is undefined
>>>>> app.js:1:362059
>>>>> Empty string passed to getElementById(). (5)
>>>>> jquery.js:4:1060
>>>>> TypeError: t is undefined
>>>>> app.js:1:217432
>>>>>
>>>>> I'm definitely not a web kind of guy so I'm not sure if this is
>>>>> helpful or not. This is on 4.4.0, API Version 2.213.
>>>>>
>>>>>
>>>>> Bret
>>>>>
>>>>>
>>>>> On 04/26/2017 08:35 AM, Bret Wortman wrote:
>>>>>> Good news. One of my servers _does_ have CA installed. So why does
>>>>>> "Action -> New Certificate" not do anything on this or any other
>>>>>> server?
>>>>>>
>>>>>>
>>>>>> Bret
>>>>>>
>>>>>>
>>>>>> On 04/25/2017 02:52 PM, Bret Wortman wrote:
>>>>>>> I recently had to upgrade all my Fedora IPA servers to C7. It went
>>>>>>> well, and we've been up and running nicely on 4.4.0 on C7 for the
>>>>>>> past month or so.
>>>>>>>
>>>>>>> Today, someone came and asked me to generate a new certificate for
>>>>>>> their web server. All was good until I went to the IPA UI and tried
>>>>>>> to perform Actions->New Certificate, which did nothing. I tried
>>>>>>> each of our 3 servers in turn. All came back with no popup window
>>>>>>> and no error, either.
>>>>>>>
>>>>>>> I suspect the problem might be that we no longer have a CA server
>>>>>>> due to the method I used to upgrade the servers. I likely missed a
>>>>>>> "--setup-ca" in there somewhere, so my rolling update rolled over
>>>>>>> the CA.
>>>>>>>
>>>>>>> What's my best hope of recovery? I never ran this before, so I'm
>>>>>>> not sure if this shows that I'm missing a CA or not:
>>>>>>>
>>>>>>> # ipa ca-find
>>>>>>> ------------
>>>>>>> 1 CA matched
>>>>>>> ------------
>>>>>>> Name: ipa
>>>>>>> Description IPA CA
>>>>>>> Authority ID: 3ce3346[...]
>>>>>>> Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM
>>>>>>> Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM
>>>>>>> ----------------------------
>>>>>>> Number of entries returned 1
>>>>>>> ----------------------------
>>>>>>> # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA,
>>>>>>> O=DAMASCUSGRP.COM"
>>>>>>> ipa: ERROR: Failed to authenticate to CA REST API
>>>>>>> # klist
>>>>>>> Ticket cache: KEYRING:persistent:0:0
>>>>>>> Default principal: admin at DAMASCUSGRP.COM
>>>>>>>
>>>>>>> Valid starting Expires Service principal
>>>>>>> 04/25/2017 18:48:26 04/26/2017 18:48:21
>>>>>>> krbtgt/DAMASCUSGRP.COM at DAMASCUSGRP.COM
>>>>>>> #
>>>>>>>
>>>>>>>
>>>>>>> What's my best path of recovery?
>>>>>>>
>>>>>>> --
>>>>>>> *Bret Wortman*
>>>>>>> The Damascus Group
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>

From bret.wortman at damascusgrp.com Thu May 18 12:58:07 2017
From: bret.wortman at damascusgrp.com (Bret Wortman)
Date: Thu, 18 May 2017 08:58:07 -0400
Subject: [Freeipa-users] I think I lost my CA...
In-Reply-To: <1326f0de-44ce-7728-b20c-2567997c8b04@damascusgrp.com>
References: <25b53b08-ede0-7627-4b31-d9cb7de50b38@damascusgrp.com> <2da4022b-408a-846e-1acf-1d1b576987a6@damascusgrp.com> <42070482-0397-f4c7-552d-6215b6140197@damascusgrp.com> <50a036fb-b118-878e-5983-85427aefb8e5@damascusgrp.com> <81f171a5-3bea-ed43-94a0-c20f53b756f0@damascusgrp.com> <28c6acf8-a76f-6676-729e-8608b2cc1249@redhat.com> <61cd147a-4421-087e-a3b7-5c08aa6908ee@damascusgrp.com> <1326f0de-44ce-7728-b20c-2567997c8b04@damascusgrp.com>
Message-ID: <8195abe2-6af1-f3b8-507d-3af396581214@damascusgrp.com>

Oops, the slapd messages are arriving every 60s, not 5m.

On 05/18/2017 08:56 AM, Bret Wortman wrote:
>
> httpd_error seems to give the most information. When I try to use ipa
> cert-show:
>
> ipa: INFO: [jsonserver_kerb] admin at DAMASCUSGRP.COM: ping(): SUCCESS
> (111)Connection refused: AH00957: AJP: attempt to connect to
> 127.0.0.1:8009 (localhost) failed
> AH00959: ap_proxy_connect_backend disabling worker for (locahost) for 60s
> [client 192.168.208.54:52714] AH00896: failed to make connection to
> backend: localhost
> ipa: ERROR: ra.get_certificate(): Unable to communicate with CMS (503)
> ipa: INFO: [jsonserver_kerb] admin at DAMASCUSGRP.COM:
> cert_show/1(u'895', version=u'2.213'): CertificateOperationError
>
> /var/log/pki/pki-tomcat/ca/debug just loops through the same set of
> messages every 5 minutes or so but doesn't seem to error.
>
> /var/log/pki/localhost_access_log.2017-05-18.txt is basically empty
> except for a single entry (for a POST to /ca/admin/ca/getStatus)
>
> Nothing shows up in dirsrv/slapd-DAMASCUSGRP-COM/errors or access when
> I issue the request, but periodic messages do appear about every 5
> minutes or so.
>
>
> On 05/18/2017 08:43 AM, Bret Wortman wrote:
>> On 04/26/2017 06:02 PM, Rob Crittenden wrote:
>>> Bret Wortman wrote:
>>>> So I can see my certs using cert-find, but can't get details using
>>>> cert-show or add new ones using cert-request.
>>>>
>>>> # ipa cert-find
>>>> :
>>>> ------------------------------
>>>> Number of entries returned 385
>>>> ------------------------------
>>>> # ipa cert-show 895
>>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>> communicate with CMS (503)
>>>> # ipa cert-show 1 (which does not exist)
>>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>> communicate with CMS (503)
>>>> # ipa cert-status 895
>>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>> communicate with CMS (503)
>>>> #
>>>>
>>>> Is this an IPV6 thing? Because ipactl shows everything green and
>>>> certmonger is running.
>>> Doubtful.
>>>
>>> cert-find and cert-show use different APIs in dogtag. cert-find uses the
>>> newer RESTful API and cert-show uses the older XML-based API (and is
>>> authenticated). I'm guessing that is where the issue lies.
>>>
>>> What I'd recommend doing is noting the time, restarting the CA, and then
>>> plow through the debug log looking for failures. It could be that the CA
>>> is only partially up (and I'd check your CA subsystem certs as well).
>> Which debug log, specifically, do you think will help? I'm also not
>> sure what you mean by, "check your CA subsystem certs." We still have
>> pending CSRs that we can't grant until I get this working again.
>>> rob
>>>
>>>> Bret
>>>>
>>>>
>>>> On 04/26/2017 09:03 AM, Bret Wortman wrote:
>>>>> Digging still deeper:
>>>>>
>>>>> # ipa cert-request f.f
>>>>> --principal=HTTP/`hostname`@DAMASCUSGRP.COM
>>>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>>> communicate with CMS (503)
>>>>>
>>>>> Looks like this is an HTTP error; so is it possible that my IPA thinks
>>>>> it has a CA but there's no CMS available?
>>>>>
>>>>>
>>>>> On 04/26/2017 08:41 AM, Bret Wortman wrote:
>>>>>> Using the firefox debugger, I get these errors when trying to pop up
>>>>>> the New Certificate dialog:
>>>>>>
>>>>>> Empty string passed to getElementById(). (5)
>>>>>> jquery.js:4:1060
>>>>>> TypeError: u is undefined
>>>>>> app.js:1:362059
>>>>>> Empty string passed to getElementById(). (5)
>>>>>> jquery.js:4:1060
>>>>>> TypeError: t is undefined
>>>>>> app.js:1:217432
>>>>>>
>>>>>> I'm definitely not a web kind of guy so I'm not sure if this is
>>>>>> helpful or not. This is on 4.4.0, API Version 2.213.
>>>>>>
>>>>>>
>>>>>> Bret
>>>>>>
>>>>>>
>>>>>> On 04/26/2017 08:35 AM, Bret Wortman wrote:
>>>>>>> Good news. One of my servers _does_ have CA installed. So why does
>>>>>>> "Action -> New Certificate" not do anything on this or any other
>>>>>>> server?
>>>>>>>
>>>>>>>
>>>>>>> Bret
>>>>>>>
>>>>>>>
>>>>>>> On 04/25/2017 02:52 PM, Bret Wortman wrote:
>>>>>>>> I recently had to upgrade all my Fedora IPA servers to C7. It went
>>>>>>>> well, and we've been up and running nicely on 4.4.0 on C7 for the
>>>>>>>> past month or so.
>>>>>>>>
>>>>>>>> Today, someone came and asked me to generate a new certificate for
>>>>>>>> their web server. All was good until I went to the IPA UI and tried
>>>>>>>> to perform Actions->New Certificate, which did nothing. I tried
>>>>>>>> each of our 3 servers in turn. All came back with no popup window
>>>>>>>> and no error, either.
>>>>>>>>
>>>>>>>> I suspect the problem might be that we no longer have a CA server
>>>>>>>> due to the method I used to upgrade the servers. I likely missed a
>>>>>>>> "--setup-ca" in there somewhere, so my rolling update rolled over
>>>>>>>> the CA.
>>>>>>>>
>>>>>>>> What's my best hope of recovery? I never ran this before, so I'm
>>>>>>>> not sure if this shows that I'm missing a CA or not:
>>>>>>>>
>>>>>>>> # ipa ca-find
>>>>>>>> ------------
>>>>>>>> 1 CA matched
>>>>>>>> ------------
>>>>>>>> Name: ipa
>>>>>>>> Description IPA CA
>>>>>>>> Authority ID: 3ce3346[...]
>>>>>>>> Subject DN: CN=Certificate Authority, O=DAMASCUSGRP.COM
>>>>>>>> Issuer DN: CN=Certificate Authority,O=DAMASCUSGRP.COM
>>>>>>>> ----------------------------
>>>>>>>> Number of entries returned 1
>>>>>>>> ----------------------------
>>>>>>>> # ipa ca-add dg --desc "Damascus Group" --subject "CN=DG CA,
>>>>>>>> O=DAMASCUSGRP.COM"
>>>>>>>> ipa: ERROR: Failed to authenticate to CA REST API
>>>>>>>> # klist
>>>>>>>> Ticket cache: KEYRING:persistent:0:0
>>>>>>>> Default principal: admin at DAMASCUSGRP.COM
>>>>>>>>
>>>>>>>> Valid starting Expires Service principal
>>>>>>>> 04/25/2017 18:48:26 04/26/2017 18:48:21
>>>>>>>> krbtgt/DAMASCUSGRP.COM at DAMASCUSGRP.COM
>>>>>>>> #
>>>>>>>>
>>>>>>>>
>>>>>>>> What's my best path of recovery?
>>>>>>>>
>>>>>>>> --
>>>>>>>> *Bret Wortman*
>>>>>>>> The Damascus Group

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From callum.guy at x-on.co.uk Thu May 18 12:59:35 2017
From: callum.guy at x-on.co.uk (Callum Guy)
Date: Thu, 18 May 2017 12:59:35 +0000
Subject: [Freeipa-users] ipa-replica-install hangs: starting certificate server instance
In-Reply-To: <704155de-d19f-86af-568b-09c02ac8759f@redhat.com>
References: <6dc6579c-f3f4-d787-4c4c-64d953252ecd@redhat.com> <704155de-d19f-86af-568b-09c02ac8759f@redhat.com>
Message-ID:

OK Martin, thanks for the explanation - I suspected it might not work quite correctly. On that basis I have decided to hold off and wait for a more optimistic situation.

I really appreciate the advice, looks like my time will be better spent configuring the clients to use the replica!

On Thu, May 18, 2017 at 1:49 PM Martin Bašti wrote:

> It will create a clone of the original CA, it will work as a backup, not a
> separate CA.
>
> I'm afraid it will result in the same behavior because it uses almost
> the same code, but as I said before this issue is on the dogtag side and not
> always reproducible.
>
> On 18.05.2017 14:44, Callum Guy wrote:
>
> Thanks for that Martin.
>
> The man page for ipa-ca-install suggests I could pass in my replica file
> to create a "CA-less" configuration. Is this what I want or is a CA-full
> appropriate? All I want to achieve is the additional resilience provided by
> a replica which can both authorise and sign certificates in the event of a
> loss of the master server. I certainly don't want an entirely separate CA
> to be installed - my anticipation is that my replica will be able to become
> an intermediate authority - is that the intended arrangement for a replica?
>
> Finally, do you hold out much hope that ipa-ca-install will work any
> better than --setup-ca flag I was attempting to get working for the replica
> install? If it's the same code I would probably just end up with a half
> configured CA and have to rebuild my replica - something I would like to
> avoid repeating after the last couple of days!
>
> On Thu, May 18, 2017 at 1:28 PM Martin Bašti wrote:
>
>> ipa-ca-install will install on top of FreeIPA CA-less replica, nothing
>> else, you really don't want to do it manually.
>>
>> On 18.05.2017 14:12, Callum Guy wrote:
>>
>> Thanks Martin, really appreciate the additional information.
>>
>> Are you aware of a separate guide for installing DogTag/PKI on top of
>> FreeIPA - basically I am happy to install separately if it doesn't
>> compromise the FreeIPA server configuration, I'm not clear on whether this
>> is possible without a major time investment.
>>
>> On Thu, May 18, 2017 at 12:46 PM Martin Bašti wrote:
>>
>>>
>>> Please note that commits in #6766 will not fix this issue, the issue is
>>> on dogtag side, please see https://pagure.io/dogtagpki/issue/2646
>>> Sorry for troubles
>>>
>>>
>>> On 18.05.2017 12:19, Callum Guy wrote:
>>>
>>> Haha, looks like I'm going CA-less for a while on the replica. I don't
>>> see any immediate requirement for one so time to get on with my life!
>>>
>>> I'll post back if anything changes but I'm probably stuck waiting for
>>> the upgrade too..
>>>
>>> On Thu, May 18, 2017 at 11:01 AM Lachlan Musicman wrote:
>>>
>>>> Sorry cobber. We only found 6766 today - we've been tackling it on and
>>>> off for a couple of weeks :)
>>>>
>>>> ------
>>>> "Mission Statement: To provide hope and inspiration for collective
>>>> action, to build collective power, to achieve collective transformation,
>>>> rooted in grief and rage but pointed towards vision and dreams."
>>>> >>>> - Patrice Cullors, *Black Lives Matter founder* >>>> >>>> On 18 May 2017 at 19:53, Callum Guy wrote: >>>> >>>>> Ah, thanks for that Lachlan - its always reassuring to hear that its >>>>> not just me! >>>>> >>>>> As mentioned above I have it running without the CA so that's a good >>>>> start. I am sure we will upgrade as well once 4.5 becomes stable and GA for >>>>> CentOS. I'm not expecting that to happen quickly so will have to work with >>>>> what we have for now. >>>>> >>>>> Do you happen to know if there is any way to build the CA component >>>>> separately? >>>>> >>>>> On Thu, May 18, 2017 at 10:38 AM Lachlan Musicman >>>>> wrote: >>>>> >>>>>> https://pagure.io/freeipa/issue/6766 >>>>>> >>>>>> 4.5.1 - I stand corrected. Can add more tomorrow. >>>>>> >>>>>> ------ >>>>>> "Mission Statement: To provide hope and inspiration for collective >>>>>> action, to build collective power, to achieve collective transformation, >>>>>> rooted in grief and rage but pointed towards vision and dreams." >>>>>> >>>>>> - Patrice Cullors, *Black Lives Matter founder* >>>>>> >>>>>> On 18 May 2017 at 19:34, Lachlan Musicman wrote: >>>>>> >>>>>>> We are seeing this. I'm not at work, but I think it's bug report >>>>>>> 6766. >>>>>>> >>>>>>> Patch has already been committed (bot by us), we're waiting for IPA >>>>>>> 4.5. >>>>>>> >>>>>>> cheers >>>>>>> L. >>>>>>> >>>>>>> ------ >>>>>>> "Mission Statement: To provide hope and inspiration for collective >>>>>>> action, to build collective power, to achieve collective transformation, >>>>>>> rooted in grief and rage but pointed towards vision and dreams." >>>>>>> >>>>>>> - Patrice Cullors, *Black Lives Matter founder* >>>>>>> >>>>>>> On 18 May 2017 at 18:57, Callum Guy wrote: >>>>>>> >>>>>>>> Hi All, >>>>>>>> >>>>>>>> I am currently stuck trying to setup the first replica of our >>>>>>>> master IPA server. I have tried a number of different approaches including >>>>>>>> escalating from a client and nothing is working for me. 
I perform a full OS >>>>>>>> reset each time I get stuck. >>>>>>>> >>>>>>>> I'm running CentOS 7.2 with the FreeIPA 4.4.0 (rpm -q reports this >>>>>>>> version however having performed ipa-server-upgrade - does this mean i'm on >>>>>>>> 4.4.4?). >>>>>>>> >>>>>>>> The command is shown below - note that i am skipping the conn check >>>>>>>> as my platforms security settings do not allow the SSH session to be >>>>>>>> established back on the master, all ports should be available to the >>>>>>>> application however. >>>>>>>> >>>>>>>> [root at ipa2 ~]# ipa-replica-install --ip-address=172.24.0.101 >>>>>>>> --setup-ca --setup-dns --skip-conncheck --no-forwarders SITE.net.gpg >>>>>>>> >>>>>>>> Directory Manager (existing master) password: >>>>>>>> >>>>>>>> ipa : ERROR Could not resolve hostname ipa2.SITE.net >>>>>>>> usis check queries IPA DNS directly and ignores /etc/hosts.) >>>>>>>> Continue? [no]: yes >>>>>>>> Configuring NTP daemon (ntpd) >>>>>>>> [1/4]: stopping ntpd >>>>>>>> [2/4]: writing configuration >>>>>>>> [3/4]: configuring ntpd to start on boot >>>>>>>> [4/4]: starting ntpd >>>>>>>> Done configuring NTP daemon (ntpd). >>>>>>>> Configuring directory server (dirsrv). 
Estimated time: 1 minute >>>>>>>> [1/42]: creating directory server user >>>>>>>> [2/42]: creating directory server instance >>>>>>>> [3/42]: updating configuration in dse.ldif >>>>>>>> [4/42]: restarting directory server >>>>>>>> [5/42]: adding default schema >>>>>>>> [6/42]: enabling memberof plugin >>>>>>>> [7/42]: enabling winsync plugin >>>>>>>> [8/42]: configuring replication version plugin >>>>>>>> [9/42]: enabling IPA enrollment plugin >>>>>>>> [10/42]: enabling ldapi >>>>>>>> [11/42]: configuring uniqueness plugin >>>>>>>> [12/42]: configuring uuid plugin >>>>>>>> [13/42]: configuring modrdn plugin >>>>>>>> [14/42]: configuring DNS plugin >>>>>>>> [15/42]: enabling entryUSN plugin >>>>>>>> [16/42]: configuring lockout plugin >>>>>>>> [17/42]: configuring topology plugin >>>>>>>> [18/42]: creating indices >>>>>>>> [19/42]: enabling referential integrity plugin >>>>>>>> [20/42]: configuring ssl for ds instance >>>>>>>> [21/42]: configuring certmap.conf >>>>>>>> [22/42]: configure autobind for root >>>>>>>> [23/42]: configure new location for managed entries >>>>>>>> [24/42]: configure dirsrv ccache >>>>>>>> [25/42]: enabling SASL mapping fallback >>>>>>>> [26/42]: restarting directory server >>>>>>>> [27/42]: setting up initial replication >>>>>>>> Starting replication, please wait until this has completed. 
>>>>>>>> Update in progress, 4 seconds elapsed >>>>>>>> Update succeeded >>>>>>>> >>>>>>>> [28/42]: adding sasl mappings to the directory >>>>>>>> [29/42]: updating schema >>>>>>>> [30/42]: setting Auto Member configuration >>>>>>>> [31/42]: enabling S4U2Proxy delegation >>>>>>>> [32/42]: importing CA certificates from LDAP >>>>>>>> [33/42]: initializing group membership >>>>>>>> [34/42]: adding master entry >>>>>>>> [35/42]: initializing domain level >>>>>>>> [36/42]: configuring Posix uid/gid generation >>>>>>>> [37/42]: adding replication acis >>>>>>>> [38/42]: enabling compatibility plugin >>>>>>>> [39/42]: activating sidgen plugin >>>>>>>> [40/42]: activating extdom plugin >>>>>>>> [41/42]: tuning directory server >>>>>>>> [42/42]: configuring directory to start on boot >>>>>>>> Done configuring directory server (dirsrv). >>>>>>>> Configuring certificate server (pki-tomcatd). Estimated time: 3 >>>>>>>> minutes 30 seconds >>>>>>>> [1/27]: creating certificate server user >>>>>>>> [2/27]: configuring certificate server instance >>>>>>>> [3/27]: stopping certificate server instance to update CS.cfg >>>>>>>> [4/27]: backing up CS.cfg >>>>>>>> [5/27]: disabling nonces >>>>>>>> [6/27]: set up CRL publishing >>>>>>>> [7/27]: enable PKIX certificate path discovery and validation >>>>>>>> [8/27]: starting certificate server instance >>>>>>>> >>>>>>>> And here is stays and refuses to move on. The >>>>>>>> ipareplica-install.log log reports: >>>>>>>> 2017-05-18T08:40:07Z DEBUG wait_for_open_ports: localhost [8080, >>>>>>>> 8443] timeout 300 >>>>>>>> 2017-05-18T08:40:09Z DEBUG Waiting until the CA is running >>>>>>>> 2017-05-18T08:40:09Z DEBUG request POST >>>>>>>> http://ipa2.SITE.net:8080/ca/admin/ca/getStatus >>>>>>>> 2017-05-18T08:40:09Z DEBUG request body '' >>>>>>>> >>>>>>>> I have tried and that port is indeed inaccessible but I can't >>>>>>>> establish a way to progress this issue from any of the the other log files. 
>>>>>>>> Also I have seen in the 4.4.4 release notes that IPv6 being disabled on the >>>>>>>> master can cause issues, re-enabling (at least in /etc/hosts) did not seem >>>>>>>> to help. >>>>>>>> >>>>>>>> If anyone is able to offer ideas that would be very much >>>>>>>> appreciated. I am tempted to remove the --setup-ca option to see if this >>>>>>>> helps. >>>>>>>> >>>>>>>> Thanks, >>>>>>>> >>>>>>>> Callum >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> *0333 332 0000 | www.x-on.co.uk | ** >>>>>>>> >>>>>>>> * >>>>>>>> X-on is a trading name of Storacall Technology Ltd a limited >>>>>>>> company registered in England and Wales. >>>>>>>> Registered Office : Avaland House, 110 London Road, Apsley, Hemel >>>>>>>> Hempstead, Herts, HP3 9SD. Company Registration No. 2578478. >>>>>>>> The information in this e-mail is confidential and for use by the >>>>>>>> addressee(s) only. If you are not the intended recipient, please notify >>>>>>>> X-on immediately on +44(0)333 332 0000 <+44%20333%20332%200000> >>>>>>>> and delete the >>>>>>>> message from your computer. If you are not a named addressee you >>>>>>>> must not use, disclose, disseminate, distribute, copy, print or reply to >>>>>>>> this email. Views or opinions expressed by an individual >>>>>>>> within this email may not necessarily reflect the views of X-on or >>>>>>>> its associated companies. Although X-on routinely screens for viruses, >>>>>>>> addressees should scan this email and any attachments >>>>>>>> for viruses. X-on makes no representation or warranty as to the >>>>>>>> absence of viruses in this email or any attachments. 
> --
> Martin Bašti
> Software Engineer
> Red Hat Czech

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From christophe.trefois at uni.lu Thu May 18 13:09:55 2017
From: christophe.trefois at uni.lu (Christophe TREFOIS)
Date: Thu, 18 May 2017 13:09:55 +0000
Subject: [Freeipa-users] Cant locate CSN after yum update
Message-ID: <522A7500-1BA1-434A-BAAB-B1C1C0EB524B@uni.lu>

Hi all,

Did a yum update on one of my replicas, non CA master, and upgrade was successful (ipupgrade.log) said so.

However, now every few seconds I get the following message.

https://paste.fedoraproject.org/paste/wS4x9KvD3EB0gv2HAsj6X15M1UNdIGYhyRLivL9gydE=

Does anybody know how to proceed and if this is important?

ipa-replica-manage says, backing off, retrying later, so not sure if replication happens successfully or not and what to do ??

Setup: CentOS 7.3 all up-to-date, 2 CA master, 2 non CA master in diamond replication.

Remaining replicas were upgraded today as well, and don't seem to complain. Only 1 of them complains.

389-ds-base-libs-1.3.5.10-20.el7_3.x86_64
389-ds-base-1.3.5.10-20.el7_3.x86_64

[root at lums3 ~]# rpm -qa | grep ipa
libipa_hbac-1.14.0-43.el7_3.14.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-admintools-4.4.0-14.el7.centos.7.noarch
python2-ipaserver-4.4.0-14.el7.centos.7.noarch
python2-ipalib-4.4.0-14.el7.centos.7.noarch
sssd-ipa-1.14.0-43.el7_3.14.x86_64
python-ipaddress-1.0.16-2.el7.noarch
python2-ipaclient-4.4.0-14.el7.centos.7.noarch
ipa-server-common-4.4.0-14.el7.centos.7.noarch
ipa-client-common-4.4.0-14.el7.centos.7.noarch
ipa-client-4.4.0-14.el7.centos.7.x86_64
ipa-common-4.4.0-14.el7.centos.7.noarch
python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
ipa-server-4.4.0-14.el7.centos.7.x86_64

Thanks a lot for any pointers,
Christophe

--
Dr Christophe Trefois, Dipl.-Ing.
Technical Specialist / Post-Doc
UNIVERSITÉ DU LUXEMBOURG
LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE
Campus Belval | House of Biomedicine
6, avenue du Swing
L-4367 Belvaux
T: +352 46 66 44 6124
F: +352 46 66 44 6949
http://www.uni.lu/lcsb
----
This message is confidential and may contain privileged information.
It is intended for the named recipient only.
If you receive it in error please notify me and permanently delete the original message and any copies.
----

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From michael.plemmons at crosschx.com Thu May 18 13:49:49 2017
From: michael.plemmons at crosschx.com (Michael Plemmons)
Date: Thu, 18 May 2017 09:49:49 -0400
Subject: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:
In-Reply-To: <798e9af0-3fcb-10cf-434d-a8cf1e940df0@redhat.com>
References: <390a61fb-081b-fa93-da4c-3197b9f269be@redhat.com> <4f49e3b8-ac05-c49b-cfef-c9109d026d72@redhat.com> <798e9af0-3fcb-10cf-434d-a8cf1e940df0@redhat.com>
Message-ID:

*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614.427.2411
mike.plemmons at crosschx.com
www.crosschx.com

On Thu, May 18, 2017 at 8:02 AM, Florence Blanc-Renaud wrote:

> On 05/15/2017 08:33 PM, Michael Plemmons wrote:
>
>> I have done more searching in my logs and I see the following errors.
>>
>> This is in the localhost log file /var/lib/pki/pki-tomcat/logs
>>
>> May 15, 2017 3:08:08 PM org.apache.catalina.core.ApplicationContext log
>> SEVERE: StandardWrapper.Throwable
>> java.lang.NullPointerException
>>
>> May 15, 2017 3:08:08 PM org.apache.catalina.core.StandardContext loadOnStartup
>> SEVERE: Servlet [castart] in web application [/ca] threw load() exception
>> java.lang.NullPointerException
>>
>> May 15, 2017 3:08:09 PM org.apache.catalina.core.StandardHostValve invoke
>> SEVERE: Exception Processing /ca/admin/ca/getStatus
>> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
>>
>>
>> Looking at the debug log it says Authentication failed for port 636.
>>
>> [15/May/2017:17:39:25][localhost-startStop-1]: LdapAuthInfo: init()
>> [15/May/2017:17:39:25][localhost-startStop-1]: LdapAuthInfo: init begins
>> [15/May/2017:17:39:25][localhost-startStop-1]: LdapAuthInfo: init ends
>> [15/May/2017:17:39:25][localhost-startStop-1]: init: before makeConnection errorIfDown is true
>> [15/May/2017:17:39:25][localhost-startStop-1]: makeConnection: errorIfDown true
>> [15/May/2017:17:39:25][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
>> [15/May/2017:17:39:25][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
>> [15/May/2017:17:39:25][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
>> [15/May/2017:17:39:25][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
>> [15/May/2017:17:39:25][localhost-startStop-1]: SSL handshake happened
>> Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
>>   at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
>>
>>
>> I looked at the validity of the cert it mentions and it is fine.
>>
>> (root)>getcert status -v -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
>> State MONITORING, stuck: no.
>>
>>
>> I then looked at the ldap errors around the time of this failure and I
>> am seeing this log entry.
>>
>>
>> [15/May/2017:17:38:42.063080758 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa12.mgmt.crosschx.com at MGMT.CROSSCHX.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>
>> When I perform a klist against that keytab nothing appears out of the
>> ordinary compared to working IPA servers.
>>
>> I am not sure what to look at next.
>>
>>
> Hi,
>
> you can try the following to manually replay the connection established by
> Dogtag to LDAP server:
>
> root$ export LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/alias
> root$ export LDAPTLS_CERT='subsystemCert cert-pki-ca'
>
> The above commands specify the NSSDB containing the user certificate and
> its name for SASL-EXTERNAL authentication.
>
> Then note the value obtained below as it will be used for the next step as
> the password to access the private key in the NSSDB:
> root$ grep internal /etc/pki/pki-tomcat/password.conf
> internal=
>
> root$ ldapsearch -H ldaps://`hostname`:636 -b "" -s base -Y EXTERNAL -Q -LLL dn namingcontexts
> Please enter pin, password, or pass phrase for security token 'ldap(0)':
> <<<< here supply the value found above
> dn:
> namingcontexts: cn=changelog
> namingcontexts: dc=ipadomain,dc=com
> namingcontexts: o=ipaca
>
>

So I guess I found my problem.

(root)>ldapsearch -H ldaps://`hostname`:636 -b "" -s base -Y EXTERNAL -Q -LLL dn namingcontexts
Please enter pin, password, or pass phrase for security token 'ldap(0)':
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
        additional info: TLS error -12195:Peer does not recognize and trust the CA that issued your certificate.

I looked at our certs in /etc/dirsrv/slapd-IPADOMAIN-COM and found the following.

IPA12 - problem server
(root)>certutil -L -d /etc/dirsrv/slapd-IPADOMAIN-COM

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
IPADOMAIN-COM IPA CA                                         C,,

IPA11/IPA13 - 11 was the master and 13 is the new master
(root)>certutil -L -d /etc/dirsrv/slapd-IPADOMAIN-COM

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
IPADOMAIN-COM IPA CA                                         CT,C,C

>
> In the LDAP server access log (in /etc/dirsrv/slapd-IPADOMAIN.COM/access),
> you should see the corresponding connection:
>
> [18/May/2017:13:35:14.822090417 +0200] conn=297 fd=150 slot=150 SSL connection from xxx to yyy
> [18/May/2017:13:35:15.789414017 +0200] conn=297 TLS1.2 128-bit AES-GCM; client CN=CA Subsystem,O=IPADOMAIN.COM; issuer CN=Certificate Authority,O=IPADOMAIN.COM
> [18/May/2017:13:35:15.793108509 +0200] conn=297 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
> [18/May/2017:13:35:15.798101505 +0200] conn=297 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
> [18/May/2017:13:35:15.800322076 +0200] conn=297 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
>
> HTH,
> Flo.
>
>> On Wed, May 10, 2017 at 3:35 PM, Michael Plemmons wrote:
>>
>> The PKI service came up successfully but only when it uses BasicAuth
>> rather than SSL auth. I am not sure about what I need to do in
>> order to get the auth working over SSL again.
>>
>> None of the certs are expired when I run getcert list and
>> ipa-getcert list.
>>
>> Since the failure is with attempts to login to LDAP over 636. I
>> have been attempting to auth to LDAP via port 636 and the ldapsearch
>> is not completing.
When looking at packet captures, I see some the >> TCP handshake and what appears to be the start of a SSL process and >> then everything hangs. >> >> What is the proper method to test performing a ldapsearch over 636? >> Also, the CS.cfg shows it wants to auth as cn=Directory Manager. I >> can successfully auth with cn=Directory Manager over 389 but I think >> I am not performing ldapsearch over 636 correctly. >> >> >> >> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX >> * >> 614.427.2411 >> mike.plemmons at crosschx.com >> www.crosschx.com >> >> On Fri, May 5, 2017 at 3:33 PM, Michael Plemmons >> > > wrote: >> >> I think I found the email thread. Asking for help with crashed >> freeIPA istance. That email pointed to this >> link, https://www.redhat.com/archives/freeipa-users/2017-January/ >> msg00215.html >> > msg00215.html>. >> That link talked about changing the CS.cfg file to use port 389 >> for PKI to auth to LDAP. I made the necessary changes and PKI >> came up successfully. >> >> >> >> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX >> * >> 614.427.2411 >> mike.plemmons at crosschx.com >> www.crosschx.com >> >> On Fri, May 5, 2017 at 3:19 PM, Michael Plemmons >> > > wrote: >> >> >> >> >> >> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX >> * >> 614.427.2411 >> mike.plemmons at crosschx.com > > >> www.crosschx.com >> >> On Fri, May 5, 2017 at 3:15 PM, Rob Crittenden >> > wrote: >> >> Michael Plemmons wrote: >> > I just realized that I sent the reply directly to Rob >> and not to the >> > list. My response is inline >> >> Ok, this is actually good news. >> >> I made a similar proposal in another case and I was >> completely wrong. >> Flo had the user do something and it totally fixed their >> auth error, I >> just can't remember what it was or find the e-mail >> thread. I'm pretty >> sure it was this calendar year though. >> >> rob >> >> >> Do you or Flo know what I could search for in the past >> emails to find the answer to the problem? 

From lkrispen at redhat.com  Thu May 18 14:11:58 2017
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Thu, 18 May 2017 16:11:58 +0200
Subject: [Freeipa-users] Cant locate CSN after yum update
In-Reply-To: <522A7500-1BA1-434A-BAAB-B1C1C0EB524B@uni.lu>
References: <522A7500-1BA1-434A-BAAB-B1C1C0EB524B@uni.lu>
Message-ID: <591DABAE.10002@redhat.com>

hi,

there was a change that in the case of a missing csn ds would not
silently use a "close" one and continue, but log an error, backoff and
retry - after updates on other masters the starting csn could change and
replication continue.

Now, in your case the csn reported missing: 59095fe1000b00120000 has a
time stamp from May 3rd, so it could very well be correct that this csn
is no longer found in the changelog.
To continue analysis, could you provide the replicaids of all your
current replicas, and which is the replicaid of the server logging the
change and the ruvs of the replicas from all servers.

ldapsearch .... -D "cn=directory manager" .... -b cn=config "objectclass=nsds5replica" nsds50ruv

Regards,
Ludwig

On 05/18/2017 03:09 PM, Christophe TREFOIS wrote:
> Hi all,
>
> Did a yum update on one of my replicas, non CA master, and upgrade was
> successful (ipupgrade.log) said so.
>
> However, now every few seconds I get the following message.
> https://paste.fedoraproject.org/paste/wS4x9KvD3EB0gv2HAsj6X15M1UNdIGYhyRLivL9gydE=
>
> Does anybody know how to proceed and if this is important?
> ipa-replica-manage says, backing off, retrying later, so not sure if
> replication happens successfully or not and what to do ??
>
> Setup: CentOS 7.3 all up-to-date, 2 CA master, 2 non CA master in
> diamond replication.
>
> Remaining replicas were upgraded today as well, and don't seem to
> complain. Only 1 of them complains.
>
> 389-ds-base-libs-1.3.5.10-20.el7_3.x86_64
> 389-ds-base-1.3.5.10-20.el7_3.x86_64
>
> [root at lums3 ~]# rpm -qa | grep ipa
> libipa_hbac-1.14.0-43.el7_3.14.x86_64
> python-iniparse-0.4-9.el7.noarch
> ipa-admintools-4.4.0-14.el7.centos.7.noarch
> python2-ipaserver-4.4.0-14.el7.centos.7.noarch
> python2-ipalib-4.4.0-14.el7.centos.7.noarch
> sssd-ipa-1.14.0-43.el7_3.14.x86_64
> python-ipaddress-1.0.16-2.el7.noarch
> python2-ipaclient-4.4.0-14.el7.centos.7.noarch
> ipa-server-common-4.4.0-14.el7.centos.7.noarch
> ipa-client-common-4.4.0-14.el7.centos.7.noarch
> ipa-client-4.4.0-14.el7.centos.7.x86_64
> ipa-common-4.4.0-14.el7.centos.7.noarch
> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
> ipa-server-4.4.0-14.el7.centos.7.x86_64
>
> Thanks a lot for any pointers,
> Christophe
>
> --
>
> Dr Christophe Trefois, Dipl.-Ing.
> Technical Specialist / Post-Doc
>
> UNIVERSITÉ DU LUXEMBOURG
>
> LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE
> Campus Belval | House of Biomedicine
> 6, avenue du Swing
> L-4367 Belvaux
> T:+352 46 66 44 6124
> F:+352 46 66 44 6949
> http://www.uni.lu/lcsb
>
> ----
> This message is confidential and may contain privileged information.
> It is intended for the named recipient only.
> If you receive it in error please notify me and permanently delete the
> original message and any copies.
> ----

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

From flo at redhat.com  Thu May 18 14:28:36 2017
From: flo at redhat.com (Florence Blanc-Renaud)
Date: Thu, 18 May 2017 16:28:36 +0200
Subject: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:
In-Reply-To:
References: <390a61fb-081b-fa93-da4c-3197b9f269be@redhat.com> <4f49e3b8-ac05-c49b-cfef-c9109d026d72@redhat.com> <798e9af0-3fcb-10cf-434d-a8cf1e940df0@redhat.com>
Message-ID: <759369be-e9a6-c317-2677-a8f989497dad@redhat.com>

On 05/18/2017 03:49 PM, Michael Plemmons wrote:
>
> *Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
> 614.427.2411
> mike.plemmons at crosschx.com
> www.crosschx.com
>
> On Thu, May 18, 2017 at 8:02 AM, Florence Blanc-Renaud wrote:
>
> On 05/15/2017 08:33 PM, Michael Plemmons wrote:
>
> I have done more searching in my logs and I see the following
> errors.
>
> This is in the localhost log file /var/lib/pki/pki-tomcat/logs
>
> May 15, 2017 3:08:08 PM org.apache.catalina.core.ApplicationContext log
> SEVERE: StandardWrapper.Throwable
> java.lang.NullPointerException
>
> May 15, 2017 3:08:08 PM org.apache.catalina.core.StandardContext loadOnStartup
> SEVERE: Servlet [castart] in web application [/ca] threw load() exception
> java.lang.NullPointerException
>
> May 15, 2017 3:08:09 PM org.apache.catalina.core.StandardHostValve invoke
> SEVERE: Exception Processing /ca/admin/ca/getStatus
> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
>
> Looking at the debug log it says Authentication failed for port 636.
>
> [15/May/2017:17:39:25][localhost-startStop-1]: LdapAuthInfo: init()
> [15/May/2017:17:39:25][localhost-startStop-1]: LdapAuthInfo: init begins
> [15/May/2017:17:39:25][localhost-startStop-1]: LdapAuthInfo: init ends
> [15/May/2017:17:39:25][localhost-startStop-1]: init: before makeConnection errorIfDown is true
> [15/May/2017:17:39:25][localhost-startStop-1]: makeConnection: errorIfDown true
> [15/May/2017:17:39:25][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
> [15/May/2017:17:39:25][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
> [15/May/2017:17:39:25][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
> [15/May/2017:17:39:25][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
> [15/May/2017:17:39:25][localhost-startStop-1]: SSL handshake happened
> Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
>     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
>
> I looked at the validity of the cert it mentions and it is fine.
>
> (root)>getcert status -v -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
> State MONITORING, stuck: no.
>
> I then looked at the ldap errors around the time of this failure and I
> am seeing this log entry.
>
> [15/May/2017:17:38:42.063080758 +0000] set_krb5_creds - Could not get
> initial credentials for principal
> [ldap/ipa12.mgmt.crosschx.com at MGMT.CROSSCHX.COM] in keytab
> [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for
> requested realm)
>
> When I perform a klist against that keytab nothing appears out of the
> ordinary compared to working IPA servers.
>
> I am not sure what to look at next.
>
> Hi,
>
> you can try the following to manually replay the connection
> established by Dogtag to LDAP server:
>
> root$ export LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/alias
> root$ export LDAPTLS_CERT='subsystemCert cert-pki-ca'
>
> The above commands specify the NSSDB containing the user certificate
> and its name for SASL-EXTERNAL authentication.
>
> Then note the value obtained below as it will be used for the next
> step as the password to access the private key in the NSSDB:
> root$ grep internal /etc/pki/pki-tomcat/password.conf
> internal=
>
> root$ ldapsearch -H ldaps://`hostname`:636 -b "" -s base -Y EXTERNAL -Q -LLL dn namingcontexts
> Please enter pin, password, or pass phrase for security token 'ldap(0)': <<<< here supply the value found above
> dn:
> namingcontexts: cn=changelog
> namingcontexts: dc=ipadomain,dc=com
> namingcontexts: o=ipaca
>
> So I guess I found my problem.
>
> (root)>ldapsearch -H ldaps://`hostname`:636 -b "" -s base -Y EXTERNAL -Q -LLL dn namingcontexts
> Please enter pin, password, or pass phrase for security token 'ldap(0)':
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> additional info: TLS error -12195:Peer does not recognize and trust
> the CA that issued your certificate.
>
> I looked at our certs in /etc/dirsrv/slapd-IPADOMAIN-COM and found the
> following.
>
> IPA12 - problem server
> (root)>certutil -L -d /etc/dirsrv/slapd-IPADOMAIN-COM
>
> Certificate Nickname                         Trust Attributes
>                                              SSL,S/MIME,JAR/XPI
>
> Server-Cert                                  u,u,u
> IPADOMAIN-COM IPA CA                         C,,
>
> IPA11/IPA13 - 11 was the master and 13 is the new master
> (root)>certutil -L -d /etc/dirsrv/slapd-IPADOMAIN-COM
>
> Certificate Nickname                         Trust Attributes
>                                              SSL,S/MIME,JAR/XPI
>
> Server-Cert                                  u,u,u
> IPADOMAIN-COM IPA CA                         CT,C,C
>

Good news! In this case the fix is trivial:

root$ certutil -M -d /etc/dirsrv/slapd-IPADOMAIN-COM -n 'IPADOMAIN-COM IPA CA' -t CT,C,C

Flo.

> In the LDAP server access log (in
> /etc/dirsrv/slapd-IPADOMAIN.COM/access), you should see the
> corresponding connection:
>
> [18/May/2017:13:35:14.822090417 +0200] conn=297 fd=150 slot=150 SSL connection from xxx to yyy
> [18/May/2017:13:35:15.789414017 +0200] conn=297 TLS1.2 128-bit AES-GCM; client CN=CA Subsystem,O=IPADOMAIN.COM; issuer CN=Certificate Authority,O=IPADOMAIN.COM
> [18/May/2017:13:35:15.793108509 +0200] conn=297 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
> [18/May/2017:13:35:15.798101505 +0200] conn=297 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
> [18/May/2017:13:35:15.800322076 +0200] conn=297 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
>
> HTH,
> Flo.
>
> On Wed, May 10, 2017 at 3:35 PM, Michael Plemmons wrote:
>
> The PKI service came up successfully but only when it uses BasicAuth
> rather than SSL auth. I am not sure about what I need to do in
> order to get the auth working over SSL again.
>
> None of the certs are expired when I run getcert list and
> ipa-getcert list.
>
> Since the failure is with attempts to login to LDAP over 636.
> I have been attempting to auth to LDAP via port 636 and the ldapsearch
> is not completing. When looking at packet captures, I see some the TCP
> handshake and what appears to be the start of a SSL process and then
> everything hangs.
>
> What is the proper method to test performing a ldapsearch over 636?
> Also, the CS.cfg shows it wants to auth as cn=Directory Manager. I can
> successfully auth with cn=Directory Manager over 389 but I think I am
> not performing ldapsearch over 636 correctly.
>
> On Fri, May 5, 2017 at 3:33 PM, Michael Plemmons wrote:
>
> I think I found the email thread. Asking for help with crashed freeIPA
> istance. That email pointed to this link,
> https://www.redhat.com/archives/freeipa-users/2017-January/msg00215.html.
> That link talked about changing the CS.cfg file to use port 389 for
> PKI to auth to LDAP. I made the necessary changes and PKI came up
> successfully.
>
> On Fri, May 5, 2017 at 3:19 PM, Michael Plemmons wrote:
>
> On Fri, May 5, 2017 at 3:15 PM, Rob Crittenden wrote:
>
> Michael Plemmons wrote:
> > I just realized that I sent the reply directly to Rob and not to the
> > list. My response is inline
>
> Ok, this is actually good news.
>
> I made a similar proposal in another case and I was completely wrong.
> Flo had the user do something and it totally fixed their auth error, I
> just can't remember what it was or find the e-mail thread. I'm pretty
> sure it was this calendar year though.
>
> rob
>
> Do you or Flo know what I could search for in the past emails to find
> the answer to the problem?
>
> > On Thu, May 4, 2017 at 9:39 AM, Michael Plemmons wrote:
> >
> > On Thu, May 4, 2017 at 9:24 AM, Rob Crittenden wrote:
> >
> > Michael Plemmons wrote:
> > > I realized that I was not very clear in my statement about testing
> > > with ldapsearch. I had initially run it without logging in with a
> > > DN. I was just running the local ldapsearch -x command. I then
> > > tested on ipa12.mgmt and ipa11.mgmt logging in with a full DN for
> > > the admin and "cn=Directory Manager" from ipa12.mgmt (broken
> > > server) and ipa11.mgmt and both ldapsearch command succeeded.
> > >
> > > I ran the following from ipa12.mgmt and ipa11.mgmt as a non root
> > > user. I also ran the command showing a line count for the output
> > > and the line counts for each were the same when run from
> > > ipa12.mgmt and ipa11.mgmt.
> > >
> > > ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "DN" -w PASSWORD -b "cn=users,cn=accounts,dc=mgmt,dc=crosschx,dc=com" dn
> > >
> > > ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "cn=directory manager" -w PASSWORD dn
> >
> > The CA has its own suffix and replication agreements. Given the auth
> > error and recent (5 months) renewal of CA credentials I'd check that
> > the CA agent authentication entries are correct.
> >
> > Against each master with a CA run:
> >
> > $ ldapsearch -LLL -x -D 'cn=directory manager' -W -b uid=ipara,ou=people,o=ipaca description
> >
> > The format is 2;serial#,subject,issuer
> >
> > Then on each run:
> >
> > # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
> >
> > The serial # should match that in the description everywhere.
> >
> > rob
> >
> > On the CA (IPA13.MGMT) I ran the ldapsearch command and see that the
> > serial number is 7. I then ran the certutil command on all three
> > servers and the serial number is 7 as well.
> >
> > I also ran the ldapsearch command against the other two servers and
> > they also showed a serial number of 7.
> >
> > > On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons wrote:
> > >
> > > I have a three node IPA cluster.
> > >
> > > ipa11.mgmt - was a master over 6 months ago
> > > ipa13.mgmt - current master
> > > ipa12.mgmt
> > >
> > > ipa13 has agreements with ipa11 and ipa12. ipa11 and ipa12 do not
> > > have agreements between each other.
> > >
> > > It appears that either ipa12.mgmt lost some level of its replication
> > > agreement with ipa13. I saw some level because users / hosts were
> > > replicated between all systems but we started seeing DNS was not
> > > resolving properly from ipa12. I do not know when this started.
> > >
> > > When looking at replication agreements on ipa12 I did not see any
> > > agreement with ipa13.
> > >
> > > When I run ipa-replica-manage list all three hosts show has master.
> > >
> > > When I run ipa-replica-manage ipa11.mgmt I see ipa13.mgmt is a replica.
> > >
> > > When I run ipa-replica-manage ipa12.mgmt nothing returned.
> > >
> > > I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt
> > > ipa12.mgmt.crosschx.com ipa13.mgmt.crosschx.com on ipa12.mgmt
> > >
> > > I then ran the following
> > >
> > > ipa-replica-manage force-sync --from ipa13.mgmt.crosschx.com
> > >
> > > ipa-replica-manage re-initialize --from ipa13.mgmt.crosschx.com
> > >
> > > I was still seeing bad DNS returns when dig'ing against ipa12.mgmt.
> > > I was able to create user and DNS records and see the information
> > > replicated properly across all three nodes.
> > >
> > > I then ran ipactl stop on ipa12.mgmt and then ipactl start on
> > > ipa12.mgmt because I wanted to make sure everything was running
> > > fresh after the changes above. While IPA was starting up (DNS
> > > started) we were able to see valid DNS queries returned but
> > > pki-tomcat would not start.
> > >
> > > I am not sure what I need to do in order to get this working. I
> > > have included the output of certutil and getcert below from all
> > > three servers as well as the debug output for pki.
> > >
> > > While the IPA system is coming up I am able to successfully run
> > > ldapsearch -x as the root user and see results. I am also able to
> > > login with the "cn=Directory Manager" account and see results.
> > >
> > > The debug log shows the following error.
> > >
> > > [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
> > > [03/May/2017:21:22:01][localhost-startStop-1]: ===== DEBUG SUBSYSTEM INITIALIZED =======
> > > [03/May/2017:21:22:01][localhost-startStop-1]: ============================================
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=debug
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized debug
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=log
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=log
> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit)
> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/system)
> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating RollingLogFile(/var/lib/pki/pki-tomcat/logs/ca/transactions)
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=log
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized log
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=jss
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=jss
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: restart at autoShutdown? false
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: autoShutdown crumb file path? /var/lib/pki/pki-tomcat/logs/autoShutdown.crumb
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: about to look for cert for auto-shutdown support:auditSigningCert cert-pki-ca
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: found cert:auditSigningCert cert-pki-ca
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: done init id=jss
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initialized jss
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: initSubsystem id=dbs
> > > [03/May/2017:21:22:01][localhost-startStop-1]: CMSEngine: ready to init id=dbs
> > > [03/May/2017:21:22:01][localhost-startStop-1]: DBSubsystem: init() mEnableSerialMgmt=true
> > > [03/May/2017:21:22:01][localhost-startStop-1]: Creating LdapBoundConnFactor(DBSubsystem)
> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory: init
> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapBoundConnFactory:doCloning true
> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init()
> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init begins
> > > [03/May/2017:21:22:01][localhost-startStop-1]: LdapAuthInfo: init ends
> > > [03/May/2017:21:22:01][localhost-startStop-1]: init: before makeConnection errorIfDown is true
> > > [03/May/2017:21:22:01][localhost-startStop-1]: makeConnection: errorIfDown true
> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
> > > [03/May/2017:21:22:02][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
> > > [03/May/2017:21:22:02][localhost-startStop-1]: SSL handshake happened
> > > Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
> > >     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
> > >     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:166)
> > >     at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:130)
> > >     at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:654)
> > >     at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169)
> > >     at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075)
> > >     at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:571)
> > >     at com.netscape.certsrv.apps.CMS.init(CMS.java:187)
> > >     at com.netscape.certsrv.apps.CMS.start(CMS.java:1616)
> > >     at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:114)
> > >     at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > >     at java.lang.reflect.Method.invoke(Method.java:498)
> > >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
> > >     at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
> > >     at java.security.AccessController.doPrivileged(Native Method)
> > >     at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
> > >     at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
> > >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
> > >     at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:124)
> > >     at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1270)
> > >     at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1195)
> > >     at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1085)
> > >     at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5318)
> > >     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5610)
> > >     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
> > >     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
> > >     at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
> > >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
> > >     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
> > >     at java.security.AccessController.doPrivileged(Native

From christophe.trefois at uni.lu  Thu May 18 15:04:47 2017
From: christophe.trefois at uni.lu (Christophe TREFOIS)
Date: Thu, 18 May 2017 15:04:47 +0000
Subject: [Freeipa-users] Cant locate CSN after yum update
In-Reply-To: <591DABAE.10002@redhat.com>
References: <522A7500-1BA1-434A-BAAB-B1C1C0EB524B@uni.lu> <591DABAE.10002@redhat.com>
Message-ID: <38E58875-47CB-4516-AAE0-E1F71BA78AE5@uni.lu>

Hi Ludwig,

Since we were scared, we did a full re-init of that specific replica
from the CA master, and it looks like the issue is not appearing anymore.

Is this sufficient, or should we still investigate ?

Thanks for your help!
Christophe

--

Dr Christophe Trefois, Dipl.-Ing.
Technical Specialist / Post-Doc

UNIVERSITÉ DU LUXEMBOURG

LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE
Campus Belval | House of Biomedicine
6, avenue du Swing
L-4367 Belvaux
T: +352 46 66 44 6124
F: +352 46 66 44 6949
http://www.uni.lu/lcsb

----
This message is confidential and may contain privileged information.
It is intended for the named recipient only.
If you receive it in error please notify me and permanently delete the
original message and any copies.
----

On 18 May 2017, at 16:11, Ludwig Krispenz wrote:

hi,

there was a change that in the case of a missing csn ds would not
silently use a "close" one and continue, but log an error, backoff and
retry - after updates on other masters the starting csn could change and
replication continue.
Now, in your case the csn reported missing: 59095fe1000b00120000 has a time stamp from May, 3rd, so it could very well be correct that this csn is no longer found in the changelog.

To continue analysis, could you provide the replicaids of all your current replicas, and which is the replicaid of the server logging the change and the ruvs of the replicas from all servers.

ldapsearch .... -D "cn=directory manager" .... -b cn=config "objectclass=nsds5replica" nsds50ruv

Regards,
Ludwig

On 05/18/2017 03:09 PM, Christophe TREFOIS wrote:

Hi all,

Did a yum update on one of my replicas, non CA master, and upgrade was successful (ipupgrade.log) said so.

However, now every few seconds I get the following message.

https://paste.fedoraproject.org/paste/wS4x9KvD3EB0gv2HAsj6X15M1UNdIGYhyRLivL9gydE=

Does anybody know how to proceed and if this is important?

ipa-replica-manage says, backing off, retrying later, so not sure if replication happens successfully or not and what to do??

Setup: CentOS 7.3 all up-to-date, 2 CA master, 2 non CA master in diamond replication.

Remaining replicas were upgraded today as well, and don't seem to complain. Only 1 of them complains.

389-ds-base-libs-1.3.5.10-20.el7_3.x86_64
389-ds-base-1.3.5.10-20.el7_3.x86_64

[root at lums3 ~]# rpm -qa | grep ipa
libipa_hbac-1.14.0-43.el7_3.14.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-admintools-4.4.0-14.el7.centos.7.noarch
python2-ipaserver-4.4.0-14.el7.centos.7.noarch
python2-ipalib-4.4.0-14.el7.centos.7.noarch
sssd-ipa-1.14.0-43.el7_3.14.x86_64
python-ipaddress-1.0.16-2.el7.noarch
python2-ipaclient-4.4.0-14.el7.centos.7.noarch
ipa-server-common-4.4.0-14.el7.centos.7.noarch
ipa-client-common-4.4.0-14.el7.centos.7.noarch
ipa-client-4.4.0-14.el7.centos.7.x86_64
ipa-common-4.4.0-14.el7.centos.7.noarch
python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
ipa-server-4.4.0-14.el7.centos.7.x86_64

Thanks a lot for any pointers,
Christophe

--
Dr Christophe Trefois, Dipl.-Ing.
Technical Specialist / Post-Doc
UNIVERSITÉ DU LUXEMBOURG
LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE
Campus Belval | House of Biomedicine
6, avenue du Swing
L-4367 Belvaux
T: +352 46 66 44 6124
F: +352 46 66 44 6949
http://www.uni.lu/lcsb

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

From michael.plemmons at crosschx.com Thu May 18 15:29:43 2017
From: michael.plemmons at crosschx.com (Michael Plemmons)
Date: Thu, 18 May 2017 11:29:43 -0400
Subject: [Freeipa-users] Could not connect to LDAP server host - IO Error creating JSS SSL Socket:
In-Reply-To: <759369be-e9a6-c317-2677-a8f989497dad@redhat.com>
References: <390a61fb-081b-fa93-da4c-3197b9f269be@redhat.com> <4f49e3b8-ac05-c49b-cfef-c9109d026d72@redhat.com> <798e9af0-3fcb-10cf-434d-a8cf1e940df0@redhat.com> <759369be-e9a6-c317-2677-a8f989497dad@redhat.com>
Message-ID:

SOLVED!

Thank you Flo! That did the trick. Once I made the change to the certificate and restarted the IPA services everything came back up like it was supposed to. High five!

*Mike Plemmons | Senior DevOps Engineer | CROSSCHX*
614.427.2411
mike.plemmons at crosschx.com
www.crosschx.com

On Thu, May 18, 2017 at 10:28 AM, Florence Blanc-Renaud wrote:

> On 05/18/2017 03:49 PM, Michael Plemmons wrote:
>
>> On Thu, May 18, 2017 at 8:02 AM, Florence Blanc-Renaud wrote:
>>
>> On 05/15/2017 08:33 PM, Michael Plemmons wrote:
>>
>> I have done more searching in my logs and I see the following errors.
>>
>> This is in the localhost log file /var/lib/pki/pki-tomcat/logs
>>
>> May 15, 2017 3:08:08 PM org.apache.catalina.core.ApplicationContext log
>> SEVERE: StandardWrapper.Throwable
>> java.lang.NullPointerException
>>
>> May 15, 2017 3:08:08 PM org.apache.catalina.core.StandardContext loadOnStartup
>> SEVERE: Servlet [castart] in web application [/ca] threw load() exception
>> java.lang.NullPointerException
>>
>> May 15, 2017 3:08:09 PM org.apache.catalina.core.StandardHostValve invoke
>> SEVERE: Exception Processing /ca/admin/ca/getStatus
>> javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
>>
>> Looking at the debug log it says Authentication failed for port 636.
>>
>> [15/May/2017:17:39:25][localhost-startStop-1]: LdapAuthInfo: init()
>> [15/May/2017:17:39:25][localhost-startStop-1]: LdapAuthInfo: init begins
>> [15/May/2017:17:39:25][localhost-startStop-1]: LdapAuthInfo: init ends
>> [15/May/2017:17:39:25][localhost-startStop-1]: init: before makeConnection errorIfDown is true
>> [15/May/2017:17:39:25][localhost-startStop-1]: makeConnection: errorIfDown true
>> [15/May/2017:17:39:25][localhost-startStop-1]: SSLClientCertificateSelectionCB: Setting desired cert nickname to: subsystemCert cert-pki-ca
>> [15/May/2017:17:39:25][localhost-startStop-1]: LdapJssSSLSocket: set client auth cert nickname subsystemCert cert-pki-ca
>> [15/May/2017:17:39:25][localhost-startStop-1]: SSLClientCertificatSelectionCB: Entering!
>> [15/May/2017:17:39:25][localhost-startStop-1]: SSLClientCertificateSelectionCB: returning: null
>> [15/May/2017:17:39:25][localhost-startStop-1]: SSL handshake happened
>> Could not connect to LDAP server host ipa12.mgmt.crosschx.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
>>   at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:205)
>>
>> I looked at the validity of the cert it mentions and it is fine.
>>
>> (root)>getcert status -v -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
>> State MONITORING, stuck: no.
>>
>> I then looked at the ldap errors around the time of this failure and I am seeing this log entry.
>>
>> [15/May/2017:17:38:42.063080758 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/ipa12.mgmt.crosschx.com at MGMT.CROSSCHX.COM] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm)
>>
>> When I perform a klist against that keytab nothing appears out of the ordinary compared to working IPA servers.
>>
>> I am not sure what to look at next.
>>
>>
>> Hi,
>>
>> you can try the following to manually replay the connection established by Dogtag to LDAP server:
>>
>> root$ export LDAPTLS_CACERTDIR=/etc/pki/pki-tomcat/alias
>> root$ export LDAPTLS_CERT='subsystemCert cert-pki-ca'
>>
>> The above commands specify the NSSDB containing the user certificate and its name for SASL-EXTERNAL authentication.
>>
>> Then note the value obtained below as it will be used for the next step as the password to access the private key in the NSSDB:
>> root$ grep internal /etc/pki/pki-tomcat/password.conf
>> internal=
>>
>> root$ ldapsearch -H ldaps://`hostname`:636 -b "" -s base -Y EXTERNAL -Q -LLL dn namingcontexts
>> Please enter pin, password, or pass phrase for security token 'ldap(0)': <<<< here supply the value found above
>> dn:
>> namingcontexts: cn=changelog
>> namingcontexts: dc=ipadomain,dc=com
>> namingcontexts: o=ipaca
>>
>>
>> So I guess I found my problem.
>>
>> (root)>ldapsearch -H ldaps://`hostname`:636 -b "" -s base -Y EXTERNAL -Q -LLL dn namingcontexts
>> Please enter pin, password, or pass phrase for security token 'ldap(0)':
>> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>> additional info: TLS error -12195:Peer does not recognize and trust the CA that issued your certificate.
>>
>> I looked at our certs in /etc/dirsrv/slapd-IPADOMAIN-COM and found the following.
>>
>> IPA12 - problem server
>> (root)>certutil -L -d /etc/dirsrv/slapd-IPADOMAIN-COM
>>
>> Certificate Nickname                Trust Attributes
>>                                     SSL,S/MIME,JAR/XPI
>>
>> Server-Cert                         u,u,u
>> IPADOMAIN-COM IPA CA                C,,
>>
>> IPA11/IPA13 - 11 was the master and 13 is the new master
>> (root)>certutil -L -d /etc/dirsrv/slapd-IPADOMAIN-COM
>>
>> Certificate Nickname                Trust Attributes
>>                                     SSL,S/MIME,JAR/XPI
>>
>> Server-Cert                         u,u,u
>> IPADOMAIN-COM IPA CA                CT,C,C
>>
> Good news!
> In this case the fix is trivial:
> root$ certutil -M -d /etc/dirsrv/slapd-IPADOMAIN-COM -n 'IPADOMAIN-COM IPA CA' -t CT,C,C
>
> Flo.
>
>> In the LDAP server access log (in /etc/dirsrv/slapd-IPADOMAIN.COM/access), you should see the corresponding connection:
>>
>> [18/May/2017:13:35:14.822090417 +0200] conn=297 fd=150 slot=150 SSL connection from xxx to yyy
>> [18/May/2017:13:35:15.789414017 +0200] conn=297 TLS1.2 128-bit AES-GCM; client CN=CA Subsystem,O=IPADOMAIN.COM; issuer CN=Certificate Authority,O=IPADOMAIN.COM
>> [18/May/2017:13:35:15.793108509 +0200] conn=297 TLS1.2 client bound as uid=pkidbuser,ou=people,o=ipaca
>> [18/May/2017:13:35:15.798101505 +0200] conn=297 op=0 BIND dn="" method=sasl version=3 mech=EXTERNAL
>> [18/May/2017:13:35:15.800322076 +0200] conn=297 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=pkidbuser,ou=people,o=ipaca"
>>
>> HTH,
>> Flo.
>>
>> On Wed, May 10, 2017 at 3:35 PM, Michael Plemmons wrote:
>>
>> The PKI service came up successfully but only when it uses BasicAuth rather than SSL auth. I am not sure about what I need to do in order to get the auth working over SSL again.
>>
>> None of the certs are expired when I run getcert list and ipa-getcert list.
>>
>> Since the failure is with attempts to login to LDAP over 636. I have been attempting to auth to LDAP via port 636 and the ldapsearch is not completing. When looking at packet captures, I see some the TCP handshake and what appears to be the start of a SSL process and then everything hangs.
>>
>> What is the proper method to test performing a ldapsearch over 636? Also, the CS.cfg shows it wants to auth as cn=Directory Manager.
>> I can successfully auth with cn=Directory Manager over 389 but I think I am not performing ldapsearch over 636 correctly.
>>
>> On Fri, May 5, 2017 at 3:33 PM, Michael Plemmons wrote:
>>
>> I think I found the email thread. Asking for help with crashed freeIPA istance. That email pointed to this link, https://www.redhat.com/archives/freeipa-users/2017-January/msg00215.html. That link talked about changing the CS.cfg file to use port 389 for PKI to auth to LDAP. I made the necessary changes and PKI came up successfully.
>>
>> On Fri, May 5, 2017 at 3:19 PM, Michael Plemmons wrote:
>>
>> On Fri, May 5, 2017 at 3:15 PM, Rob Crittenden wrote:
>>
>> Michael Plemmons wrote:
>> > I just realized that I sent the reply directly to Rob and not to the
>> > list. My response is inline
>>
>> Ok, this is actually good news.
>>
>> I made a similar proposal in another case and I was completely wrong. Flo had the user do something and it totally fixed their auth error, I just can't remember what it was or find the e-mail thread. I'm pretty sure it was this calendar year though.
>>
>> rob
>>
>> Do you or Flo know what I could search for in the past emails to find the answer to the problem?
>>
>> > On Thu, May 4, 2017 at 9:39 AM, Michael Plemmons wrote:
>> >
>> > On Thu, May 4, 2017 at 9:24 AM, Rob Crittenden wrote:
>> >
>> > Michael Plemmons wrote:
>> > > I realized that I was not very clear in my statement about testing with ldapsearch. I had initially run it without logging in with a DN. I was just running the local ldapsearch -x command. I then tested on ipa12.mgmt and ipa11.mgmt logging in with a full DN for the admin and "cn=Directory Manager" from ipa12.mgmt (broken server) and ipa11.mgmt and both ldapsearch command succeeded.
>> > >
>> > > I ran the following from ipa12.mgmt and ipa11.mgmt as a non root user. I also ran the command showing a line count for the output and the line counts for each were the same when run from ipa12.mgmt and ipa11.mgmt.
>> > >
>> > > ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "DN" -w PASSWORD -b "cn=users,cn=accounts,dc=mgmt,dc=crosschx,dc=com" dn
>> > >
>> > > ldapsearch -LLL -h ipa12.mgmt.crosschx.com -D "cn=directory manager" -w PASSWORD dn
>> >
>> > The CA has its own suffix and replication agreements. Given the auth error and recent (5 months) renewal of CA credentials I'd check that the CA agent authentication entries are correct.
>> >
>> > Against each master with a CA run:
>> >
>> > $ ldapsearch -LLL -x -D 'cn=directory manager' -W -b uid=ipara,ou=people,o=ipaca description
>> >
>> > The format is 2;serial#,subject,issuer
>> >
>> > Then on each run:
>> >
>> > # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
>> >
>> > The serial # should match that in the description everywhere.
>> >
>> > rob
>> >
>> > On the CA (IPA13.MGMT) I ran the ldapsearch command and see that the serial number is 7. I then ran the certutil command on all three servers and the serial number is 7 as well.
>> >
>> > I also ran the ldapsearch command against the other two servers and they also showed a serial number of 7.
>> >
>> > > On Wed, May 3, 2017 at 5:28 PM, Michael Plemmons wrote:
>> > >
>> > > I have a three node IPA cluster.
>> > >
>> > > ipa11.mgmt - was a master over 6 months ago
>> > > ipa13.mgmt - current master
>> > > ipa12.mgmt
>> > >
>> > > ipa13 has agreements with ipa11 and ipa12. ipa11 and ipa12 do not have agreements between each other.
>> > >
>> > > It appears that either ipa12.mgmt lost some level of its replication agreement with ipa13. I saw some level because users / hosts were replicated between all systems but we started seeing DNS was not resolving properly from ipa12. I do not know when this started.
>> > >
>> > > When looking at replication agreements on ipa12 I did not see any agreement with ipa13.
>> > >
>> > > When I run ipa-replica-manage list all three hosts show has master.
>> > >
>> > > When I run ipa-replica-manage ipa11.mgmt I see ipa13.mgmt is a replica.
>> > >
>> > > When I run ipa-replica-manage ipa12.mgmt nothing returned.
>> > >
>> > > I ran ipa-replica-manage connect --cacert=/etc/ipa/ca.crt ipa12.mgmt.crosschx.com ipa13.mgmt.crosschx.com on ipa12.mgmt
>> > >
>> > > I then ran the following
>> > >
>> > > ipa-replica-manage force-sync --from ipa13.mgmt.crosschx.com
>> > >
>> > > ipa-replica-manage re-initialize --from ipa13.mgmt.crosschx.com
>> > >
>> > > I was still seeing bad DNS returns when dig'ing against ipa12.mgmt. I was able to create user and DNS records and see the information replicated properly across all three nodes.
>> > >
>> > > I then ran ipactl stop on ipa12.mgmt and then ipactl start on

From christophe.trefois at uni.lu Thu May 18 15:35:13 2017
From: christophe.trefois at uni.lu (Christophe TREFOIS)
Date: Thu, 18 May 2017 15:35:13 +0000
Subject: [Freeipa-users] Cant locate CSN after yum update
In-Reply-To: <38E58875-47CB-4516-AAE0-E1F71BA78AE5@uni.lu>
References: <522A7500-1BA1-434A-BAAB-B1C1C0EB524B@uni.lu> <591DABAE.10002@redhat.com> <38E58875-47CB-4516-AAE0-E1F71BA78AE5@uni.lu>
Message-ID: <7DF99717-0854-4DE7-9CC3-348E62910CC2@uni.lu>

Dear Ludwig,

Thanks for your help in IRC to guide me in running the right commands.

Here is the output, toto1 and toto2 are CA master, and toto3 and toto4 are non CA master. The problematic replica was toto3, and after re-init, we haven't seen any errors in the log anymore.

https://paste.fedoraproject.org/paste/j8c30CZPyh8rPymjbKSvZF5M1UNdIGYhyRLivL9gydE=

I also ran ipa-replica-manage on all replicas to all replicas, so total of 16 command, and found all of them reported "incremental update succeeded".

As discussed, I'm not sure what I'm looking at with the RUV stuff above, and any explanation for a newcomer to ldap / ds / freeipa would be greatly appreciated.

Thanks a lot for your help!

Kind regards,
Christophe aka Trefex

From jhrozek at redhat.com Thu May 18 18:19:52 2017
From: jhrozek at redhat.com (Jakub Hrozek)
Date: Thu, 18 May 2017 20:19:52 +0200
Subject: [Freeipa-users] Freeipa and limiting access by group (memberOf)
In-Reply-To: <92af8bca-58ab-b5e5-e02c-3a0bc55ec741@nso.edu>
References: <20170517152259.uobpktzfya6iauye@hendrix> <92af8bca-58ab-b5e5-e02c-3a0bc55ec741@nso.edu>
Message-ID: <20170518181952.fnegbbbpx3yszc4s@hendrix>

On Thu, May 18, 2017 at 10:37:57AM -0600, Janet Houser wrote:
>
>
> On 5/17/17 9:22 AM, Jakub Hrozek wrote:
> > On Tue, May 16, 2017 at 07:56:38AM -0600, Janet Houser wrote:
> > > Hi Folks,
> > >
> > > Last week I deployed freeipa on a CentOS7 VM. The installation went very
> > > smoothly using:
> > >
> > > yum install ipa-server
> > >
> > > and
> > >
> > > ipa-server-install
> > >
> > >
> > > My issue is with connecting a CentOS 7 client. On my client, I yum
> > > installed ipa-client and ipa-admintools.
> > > I then ran "ipa-client-install" and answered the setup questions (very
> > > easy and smooth).
> > >
> > > The "getent passwd" command didn't return any users, but the "getent passwd
> > > jdoe" does give the information
> > > for the user.
> > > I found in the archives that I can set "enumerate=True" so I
> > > get a complete user listing. That
> > > seems to be working, and I was able to login with the account "jdoe"
> > > (brilliant!).
> > I would discourage enumeration especially if you're planning on a large
> > domain. The performance right now is not great. Moreover, the way the
> > trusted accounts are retrieved doesn't support enumeration at all
> > either.
>
> Copy that. Enumeration is set to true just for testing. It will be
> disabled later.
>
> > > Problem 1:
> > > ========
> > >
> > > I created a user group on the ipa server with the following attributes:
> > >
> > > name = xyx, gid = 1000
> > >
> > > I changed the user "jdoe" to have gid = 1000, but when I ssh into the ipa
> > > client, I get the following message after
> > > logging in:
> > >
> > > /usr/bin/id: cannot find name for group ID 1000
> > >
> > > A "getent group" command does list the group: xyz:*:1000:
> > >
> > > A "groups" command issued by the user shows: xyz
> > >
> > > files created by the user show the correct ownership and group.
> > I would first try to remove the sssd caches because uid/gid renumbering
> > doesn't work great. If that doesn't help, please check the sssd logs.
>
> Didn't work, and the logs aren't really being helpful, but I'll dig further.

Feel free to paste some sanitized snippet here..

> >
> > By the way, 1000 is quite low and would most probably clash with local
> > accounts. I would strongly suggest to stick to ID numbers within the
> > configured ID range (ipa idrange-find)
> >
> > > Problem 2:
> > > =======
> > >
> > > I've been looking through the freeipa groups and literature and I can't
> > > figure out how to limit user login access to
> > > an ipa client by a memberOf group.
> > >
> > > When I was using CentOS 6 and 7 I could use the nslcd.conf file to put in a
> > > group filter like:
> > >
> > > passwd (&(objectClass=posixAccount)(memberOf=CN=test,OU=Groups,DC=abc,DC=xyx,DC=edu))
> > >
> > >
> > > I tried changing the access_provider to simple and using the
> > > "simply_allow_groups = test", but that didn't work.
> > > However, using "access_provider = ipa" and "filter_users" did allow me to
> > > filter out a user from the "getent passwd" command.
> > >
> > > I tried changing the access_provider to ldap and using the filter
> > > "ldap_access_filter = memberOf=cn=test=OU=Groups,DC=abc,DC=xyx,DC=edu
> > > but that failed too.
> > Please check out "ipa help hbac"
> >
> I just realized hbac is host based access control. I can't really use this
> since I need to restrict certain users
> to resources. Since freeipa is based on directory server 389, I'm assuming
> it can do group / memberOf filtering.

What are the resources we're talking about here?

>
> Any suggestions would be appreciated.

From goranm at ecobee.com Thu May 18 20:13:28 2017
From: goranm at ecobee.com (Goran Marik)
Date: Thu, 18 May 2017 20:13:28 +0000
Subject: [Freeipa-users] Replica cannot be reinitialized after upgrade
In-Reply-To: <59198455.2020009@redhat.com>
References: <59198455.2020009@redhat.com>
Message-ID: <9014AEFD-2665-408E-9915-6D81ED0A12D1@ecobee.com>

Thanks Ludwig for the suggestion and thanks to Maciej for the confirmation from his end.

This issue is happening for us for several weeks, so I don't think this is a transient problem. What is the best way to sanitize the logs without removing useful info before sending them your way? Will the files mentioned on "https://www.freeipa.org/page/Files_to_be_attached_to_bug_report -> Directory server failed" be sufficient?

I've also run the ipa_consistency_check script, and the output shows that something is indeed wrong with the sync:
???
FreeIPA servers:    inf01         inf01         inf02         inf02         STATE
=============================================================
Active Users        15            15            15            15            OK
Stage Users         0             0             0             0             OK
Preserved Users     3             3             3             3             OK
User Groups         9             9             9             9             OK
Hosts               45            45            45            46            FAIL
Host Groups         7             7             7             7             OK
HBAC Rules          6             6             6             6             OK
SUDO Rules          7             7             7             7             OK
DNS Zones           33            33            33            33            OK
LDAP Conflicts      NO            NO            NO            NO            OK
Ghost Replicas      2             2             2             2             FAIL
Anonymous BIND      YES           YES           YES           YES           OK
Replication Status  inf01.prod 0  inf01.dev 0   inf01.dev 0   inf01.dev 0
                    inf02.dev 0   inf02.dev 0   inf01.prod 0  inf01.prod 0
                    inf02.prod 0  inf02.prod 0  inf02.prod 0  inf02.dev 0
=============================================================
???

Thanks,
Goran

> On May 15, 2017, at 6:35 AM, Ludwig Krispenz wrote:
>
> The messages you see could be transient messages, and if replication is working then this seems to be the case. If not we would need more data to investigate: deployment info, replicaIDs of all servers, ruvs, logs,.....
>
> Here is some background info: there are some scenarios where a csn could not be found in the changelog, eg if updates were applied on the supplier during a total init, they could be part of the data and database ruv, but not in the changelog of the initialized replica.
> ds did try to use an alternative csn in cases where it could not be found, but this had the risk of missing updates, so we decided to change it and make this missing csn a non fatal error, backoff and retry, if another supplier would have updated the replica in between, the starting csn could have changed and be found. so if the reported missing csns change and replication continues everything is ok, although I think the messages should stop at some point.
>
> There is a configuration parameter for a replication agreement to trigger the previous behaviour of picking an alternative csn:
> nsds5ReplicaIgnoreMissingChange
> with potential values "once", "always".
> > where "once" just tries to kickstart replication by using another csn and "always" changes the default behaviour > > > On 05/11/2017 06:53 PM, Goran Marik wrote: >> Hi, >> >> After an upgrade to Centos 7.3.1611 with ?yum update", we started seeing the following messages in the logs: >> ??? >> May 9 21:58:28 inf01 ns-slapd[4323]: [09/May/2017:21:58:28.519724479 +0000] NSMMReplicationPlugin - changelog program - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): CSN 576b34e8000a050f0000 not found, we aren't as up to date, or we purged >> May 9 21:58:28 inf01 ns-slapd[4323]: [09/May/2017:21:58:28.550459233 +0000] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized. >> May 9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.588245476 +0000] agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389) - Can't locate CSN 576b34e8000a050f0000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized. >> May 9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.611400689 +0000] NSMMReplicationPlugin - changelog program - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): CSN 576b34e8000a050f0000 not found, we aren't as up to date, or we purged >> May 9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.642226385 +0000] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized. >> ??? >> >> The log messages are pretty frequently, every few seconds, and report few different CSN numbers that cannot be located. >> >> This happens only on one replica out of 4. We?ve tried "ipa-replica-manage re-initialize ?from? and ?ipa-csreplica-manage re-initialize ?from? 
several times, but while both commands report success, the log messages continue to happen. The server was rebooted and "systemctl restart ipa" was done few times as well.
>>
>> The replica seems to be working fine despite the errors, but I'm worried that the logs indicate underlying problem we are not fully detecting. I would like to understand better what is triggering this behaviour and how to fix it, and if someone else saw them after a recent upgrades.
>>
>> The software versions are 389-ds-base-1.3.5.10-20.el7_3.x86_64 and ipa-server-4.4.0-14.el7.centos.7.x86_64
>>
>> Thanks,
>> Goran
>>
>> --
>> Goran Marik
>> Senior Systems Developer
>>
>> ecobee
>> 250 University Ave, Suite 400
>> Toronto, ON M5H 3E5
>>
>>
>>
>>
>
> --
> Red Hat GmbH,
> http://www.de.redhat.com/
> , Registered seat: Grasbrunn,
> Commercial register: Amtsgericht Muenchen, HRB 153243,
> Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

--
Goran Marik
Senior Systems Developer

ecobee
250 University Ave, Suite 400
Toronto, ON M5H 3E5

From christophe.trefois at uni.lu Thu May 18 21:27:13 2017
From: christophe.trefois at uni.lu (Christophe TREFOIS)
Date: Thu, 18 May 2017 21:27:13 +0000
Subject: [Freeipa-users] CA CRL not tracking any certificates. Normal?
Message-ID: <89B1439F-618A-4749-9199-4D62BBD5BEEF@uni.lu>

Hi,

I just saw that my CA CRL master is not tracking any certs.
However, my other CA master replica is tracking 8 certificates.

Is this normal and expected?
Thanks,
Christophe

From lkrispen at redhat.com Fri May 19 06:51:58 2017
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Fri, 19 May 2017 08:51:58 +0200
Subject: [Freeipa-users] Cant locate CSN after yum update
In-Reply-To: <7DF99717-0854-4DE7-9CC3-348E62910CC2@uni.lu>
References: <522A7500-1BA1-434A-BAAB-B1C1C0EB524B@uni.lu> <591DABAE.10002@redhat.com> <38E58875-47CB-4516-AAE0-E1F71BA78AE5@uni.lu> <7DF99717-0854-4DE7-9CC3-348E62910CC2@uni.lu>
Message-ID: <591E960E.7090802@redhat.com>

On 05/18/2017 05:35 PM, Christophe TREFOIS wrote:
> Dear Ludwig,
>
> Thanks for your help in IRC to guide me in running the right commands.
>
> Here is the output, toto1 and toto2 are CA master, and toto3 and toto4
> are non CA master. The problematic replica was toto3, and after
> re-init, we haven't seen any errors in the log anymore.
>
> https://paste.fedoraproject.org/paste/j8c30CZPyh8rPymjbKSvZF5M1UNdIGYhyRLivL9gydE=
>
> I also ran ipa-replica-manage on all replicas to all replicas, so
> total of 16 command, and found all of them reported "incremental
> update succeeded".
>
> As discussed, I'm not sure what I'm looking at with the RUV stuff
> above, and any explanation for a newcomer to ldap / ds / freeipa would
> be greatly appreciated.
ok, here is a quick explanation of the csn/ruv stuff.

each change applied on a server gets a CSN (change sequence number), it basically consists of a timestamp and an identifier of the replica where it was originally applied, so in 59095fe1000b00120000 there is a time stamp: 59095fe1 and a replicaid: 0012 == 18, the rest of the csn is used to serialize csns within the one second resolution of a timestamp.
a change is applied to the main database and written to the changelog, with the csn as key.

now each replica keeps track of the latest csn it has seen for each replicaID, so you get a vector of max csns, this is called RUV (replica update vector).
In a replication session, the supplier compares its own ruv with the ruv of the consumer and so decides if it has changes which the consumer has not yet seen.
based on the consumer ruv it determines the start csn to send updates.
>
> Thanks a lot for your help!
>
> Kind regards,
> Christophe aka Trefex
>
>> On 18 May 2017, at 17:04, Christophe TREFOIS
>> > wrote:
>>
>> Hi Ludwig,
>>
>> Since we were scared, we did a full re-init of that specific replica
>> from the CA master, and it looks like the issue is not appearing anymore.
>>
>> Is this sufficient, or should we still investigate ?
>>
>> Thanks for your help!
>> Christophe
>>
>> --
>>
>> Dr Christophe Trefois, Dipl.-Ing.
>> Technical Specialist / Post-Doc
>>
>> UNIVERSITÉ DU LUXEMBOURG
>>
>> LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE
>> Campus Belval | House of Biomedicine
>> 6, avenue du Swing
>> L-4367 Belvaux
>> T:+352 46 66 44 6124
>> F:+352 46 66 44 6949
>> http://www.uni.lu/lcsb
>>
>> Facebook Twitter
>> Google Plus
>> Linkedin
>> skype
>>
>>
>> ----
>> This message is confidential and may contain privileged information.
>> It is intended for the named recipient only.
>> If you receive it in error please notify me and permanently delete
>> the original message and any copies.
>> ----
>>
>>
>>> On 18 May 2017, at 16:11, Ludwig Krispenz
>> > wrote:
>>>
>>> hi,
>>>
>>> there was a change that in the case of a missing csn ds would not
>>> silently use a "close" one and continue, but log an error, backoff
>>> and retry - after updates on other masters the starting csn could
>>> change and replication continue.
>>>
>>> Now, in your case the csn reported missing: 59095fe1000b00120000
>>> has a time stamp from May,3rd, so it could very well be correct that
>>> this csn is no longer found in the changelog.
>>>
>>> To continue analysis, could you provide the replicaids of all your
>>> current replicas, and which is the replicaid of the server logging
>>> the change and the ruvs of the replicas from all servers.
>>> ldapsearch .... -D "cn=directory manager" .... -b cn=config >>> "objectclass=nsds5replica" nsds50ruv >>> >>> Regards, >>> Ludwig >>> >>> On 05/18/2017 03:09 PM, Christophe TREFOIS wrote: >>>> Hi all, >>>> >>>> Did a yum update on one of my replicas, non CA master, and upgrade >>>> was successful (ipupgrade.log) said so. >>>> >>>> >>>> Hwoever, now every few seconds I get the following message. >>>> https://paste.fedoraproject.org/paste/wS4x9KvD3EB0gv2HAsj6X15M1UNdIGYhyRLivL9gydE= >>>> >>>> Does anybody know how to proceed and if this is important? >>>> ipa-replica-manage says, backing off, retrying later, so not sure >>>> if replication happens successfully or not and what to do ?? >>>> >>>> Setup: CentOS 7.3 all up-to-date, 2 CA master, 2 non CA master in >>>> diamond replication. >>>> >>>> Remaining replicas were upgraded today as well, and don?t seem to >>>> complain. Only 1 of them complains. >>>> >>>> 389-ds-base-libs-1.3.5.10-20.el7_3.x86_64 >>>> 389-ds-base-1.3.5.10-20.el7_3.x86_64 >>>> >>>> >>>> [root at lums3 ~]# rpm -qa | grep ipa >>>> libipa_hbac-1.14.0-43.el7_3.14.x86_64 >>>> python-iniparse-0.4-9.el7.noarch >>>> ipa-admintools-4.4.0-14.el7.centos.7.noarch >>>> python2-ipaserver-4.4.0-14.el7.centos.7.noarch >>>> python2-ipalib-4.4.0-14.el7.centos.7.noarch >>>> sssd-ipa-1.14.0-43.el7_3.14.x86_64 >>>> python-ipaddress-1.0.16-2.el7.noarch >>>> python2-ipaclient-4.4.0-14.el7.centos.7.noarch >>>> ipa-server-common-4.4.0-14.el7.centos.7.noarch >>>> ipa-client-common-4.4.0-14.el7.centos.7.noarch >>>> ipa-client-4.4.0-14.el7.centos.7.x86_64 >>>> ipa-common-4.4.0-14.el7.centos.7.noarch >>>> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64 >>>> ipa-server-4.4.0-14.el7.centos.7.x86_64 >>>> >>>> Thanks a lot for any pointers, >>>> Christophe >>>> >>>> -- >>>> >>>> Dr Christophe Trefois, Dipl.-Ing. >>>> Technical Specialist / Post-Doc >>>> >>>> UNIVERSIT? 
DU LUXEMBOURG >>>> >>>> LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE >>>> Campus Belval | House of Biomedicine >>>> 6, avenue du Swing >>>> L-4367 Belvaux >>>> T:+352 46 66 44 6124 >>>> F:+352 46 66 44 6949 >>>> http://www.uni.lu/lcsb >>>> >>>> Facebook Twitter >>>> Google Plus >>>> Linkedin >>>> skype >>>> >>>> >>>> ---- >>>> This message is confidential and may contain privileged information. >>>> It is intended for the named recipient only. >>>> If you receive it in error please notify me and permanently delete >>>> the original message and any copies. >>>> ---- >>>> >>>> >>>> >>>> >>> >>> -- >>> Red Hat GmbH,http://www.de.redhat.com/, Registered seat: Grasbrunn, >>> Commercial register: Amtsgericht Muenchen, HRB 153243, >>> Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander >>> -- >>> Manage your subscription for the Freeipa-users mailing list: >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> Go to http://freeipa.org for more info on the project >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project > -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander -------------- next part -------------- An HTML attachment was scrubbed... 
URL:

From christophe.trefois at uni.lu Fri May 19 07:00:24 2017
From: christophe.trefois at uni.lu (Christophe TREFOIS)
Date: Fri, 19 May 2017 07:00:24 +0000
Subject: [Freeipa-users] Cant locate CSN after yum update
In-Reply-To: <591E960E.7090802@redhat.com>
References: <522A7500-1BA1-434A-BAAB-B1C1C0EB524B@uni.lu> <591DABAE.10002@redhat.com> <38E58875-47CB-4516-AAE0-E1F71BA78AE5@uni.lu> <7DF99717-0854-4DE7-9CC3-348E62910CC2@uni.lu> <591E960E.7090802@redhat.com>
Message-ID:

Dear Ludwig,

Thank you for the explanations. Now I understand. Strangely then, the problem csn was on the replica that we had to reinitialize. How could such a csn disappear?

Thanks again for the help. Much appreciated.

Sent from my iPhone

> On 19 May 2017, at 08:47, Ludwig Krispenz wrote:
>
>
>> On 05/18/2017 05:35 PM, Christophe TREFOIS wrote:
>> Dear Ludwig,
>>
>> Thanks for your help in IRC to guide me in running the right commands.
>>
>> Here is the output, toto1 and toto2 are CA master, and toto3 and toto4 are non CA master. The problematic replica was toto3, and after re-init, we haven't seen any errors in the log anymore.
>>
>> https://paste.fedoraproject.org/paste/j8c30CZPyh8rPymjbKSvZF5M1UNdIGYhyRLivL9gydE=
>>
>> I also ran ipa-replica-manage on all replicas to all replicas, so total of 16 command, and found all of them reported "incremental update succeeded".
>>
>> As discussed, I'm not sure what I'm looking at with the RUV stuff above, and any explanation for a newcomer to ldap / ds / freeipa would be greatly appreciated.
> ok, here is a quick explanation of the csn/ruv stuff.
>
> each change applied on a server gets a CSN (change sequence number), it basically consists of a timestamp and an identifier of the replica where it was originally applied, so in 59095fe1000b00120000 there is a time stamp: 59095fe1 and a replicaid: 0012 == 18, the rest of the csn is used to serialize csns within the one second resolution of a timestamp.
> a change is applied to the main database and written to the changelog, with the csn as key. > > now each replica keeps track of the latest csn it has seen for each replicaID, so you get a vector of max csns, this is called RUV (replica update vector). > In a replication session, the supplier compares its own ruv with the ruv of the consumer and so decides if it has changes which the consumer has not yet seen. > based on the consumer ruv it determines the start csn to send updates. > > >> >> Thanks a lot for your help! >> >> Kind regards, >> Christophe aka Trefex >> >>> On 18 May 2017, at 17:04, Christophe TREFOIS wrote: >>> >>> Hi Ludwig, >>> >>> Since we were scared, we did a full re-init of that specific replica from the CA master, and it looks like the issue is not appearing anymore. >>> >>> Is this sufficient, or should we still investigate ? >>> >>> Thanks for your help! >>> Christophe >>> -- >>> >>> Dr Christophe Trefois, Dipl.-Ing. >>> Technical Specialist / Post-Doc >>> >>> UNIVERSIT? DU LUXEMBOURG >>> >>> LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE >>> Campus Belval | House of Biomedicine >>> 6, avenue du Swing >>> L-4367 Belvaux >>> T: +352 46 66 44 6124 >>> F: +352 46 66 44 6949 >>> http://www.uni.lu/lcsb >>> >>> >>> >>> >>> ---- >>> This message is confidential and may contain privileged information. >>> It is intended for the named recipient only. >>> If you receive it in error please notify me and permanently delete the original message and any copies. >>> ---- >>> >>> >>>> On 18 May 2017, at 16:11, Ludwig Krispenz wrote: >>>> >>>> hi, >>>> >>>> there was a change that in the case of a missing csn ds would not silently use a "close" one and continue, but log an error, backoff and retry - after updates on other masters the staring csn coudl change and replication continue. 
>>>> >>>> Now, in your case the csn reported missing: 59095fe1000b00120000 >>>> has a time stamp from May,3rd, so it could very well be correct that this csn is no longer found in the changelog. >>>> >>>> To continue analysis, could you provide the replicaids of all your current replicas, and which is the replicaid of the sever logging the change and the ruvs of the replicas from all servers. >>>> ldapsearch .... -D "cn=directory manager" .... -b cn=config "objectclass=nsds5replica" nsds50ruv >>>> >>>> Regards, >>>> Ludwig >>>> >>>>> On 05/18/2017 03:09 PM, Christophe TREFOIS wrote: >>>>> Hi all, >>>>> >>>>> Did a yum update on one of my replicas, non CA master, and upgrade was successful (ipupgrade.log) said so. >>>>> >>>>> >>>>> Hwoever, now every few seconds I get the following message. https://paste.fedoraproject.org/paste/wS4x9KvD3EB0gv2HAsj6X15M1UNdIGYhyRLivL9gydE= >>>>> >>>>> Does anybody know how to proceed and if this is important? >>>>> ipa-replica-manage says, backing off, retrying later, so not sure if replication happens successfully or not and what to do ?? >>>>> >>>>> Setup: CentOS 7.3 all up-to-date, 2 CA master, 2 non CA master in diamond replication. >>>>> >>>>> Remaining replicas were upgraded today as well, and don?t seem to complain. Only 1 of them complains. 
>>>>> >>>>> 389-ds-base-libs-1.3.5.10-20.el7_3.x86_64 >>>>> 389-ds-base-1.3.5.10-20.el7_3.x86_64 >>>>> >>>>> >>>>> [root at lums3 ~]# rpm -qa | grep ipa >>>>> libipa_hbac-1.14.0-43.el7_3.14.x86_64 >>>>> python-iniparse-0.4-9.el7.noarch >>>>> ipa-admintools-4.4.0-14.el7.centos.7.noarch >>>>> python2-ipaserver-4.4.0-14.el7.centos.7.noarch >>>>> python2-ipalib-4.4.0-14.el7.centos.7.noarch >>>>> sssd-ipa-1.14.0-43.el7_3.14.x86_64 >>>>> python-ipaddress-1.0.16-2.el7.noarch >>>>> python2-ipaclient-4.4.0-14.el7.centos.7.noarch >>>>> ipa-server-common-4.4.0-14.el7.centos.7.noarch >>>>> ipa-client-common-4.4.0-14.el7.centos.7.noarch >>>>> ipa-client-4.4.0-14.el7.centos.7.x86_64 >>>>> ipa-common-4.4.0-14.el7.centos.7.noarch >>>>> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64 >>>>> ipa-server-4.4.0-14.el7.centos.7.x86_64 >>>>> >>>>> Thanks a lot for any pointers, >>>>> Christophe >>>>> -- >>>>> >>>>> Dr Christophe Trefois, Dipl.-Ing. >>>>> Technical Specialist / Post-Doc >>>>> >>>>> UNIVERSIT? DU LUXEMBOURG >>>>> >>>>> LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE >>>>> Campus Belval | House of Biomedicine >>>>> 6, avenue du Swing >>>>> L-4367 Belvaux >>>>> T: +352 46 66 44 6124 >>>>> F: +352 46 66 44 6949 >>>>> http://www.uni.lu/lcsb >>>>> >>>>> >>>>> >>>>> >>>>> ---- >>>>> This message is confidential and may contain privileged information. >>>>> It is intended for the named recipient only. >>>>> If you receive it in error please notify me and permanently delete the original message and any copies. 
>>>>> ---- >>>>> >>>>> >>>>> >>>>> >>>> >>>> -- >>>> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, >>>> Commercial register: Amtsgericht Muenchen, HRB 153243, >>>> Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander >>>> -- >>>> Manage your subscription for the Freeipa-users mailing list: >>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>> Go to http://freeipa.org for more info on the project >>> >>> -- >>> Manage your subscription for the Freeipa-users mailing list: >>> https://www.redhat.com/mailman/listinfo/freeipa-users >>> Go to http://freeipa.org for more info on the project >> > > -- > Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, > Commercial register: Amtsgericht Muenchen, HRB 153243, > Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 2225 bytes Desc: not available URL: From bernhard.kneip at isa.de.com Fri May 19 07:06:38 2017 From: bernhard.kneip at isa.de.com (Bernhard Kneip) Date: Fri, 19 May 2017 09:06:38 +0200 Subject: [Freeipa-users] replicating cn=accounts, dc=ipa, dc=example, dc=com tree to a read-only instance of 389ds on our mailserver Message-ID: <85c38b94-f964-70d3-a20c-ea9ad360b3ec@isa.de.com> Hi guys, our current setup consists of 3 replicated free-ipa servers in a master-master configuration. What we are currently trying to do, is to add a standalone 389-ds on our mailserver which should only readonly-replicate cn=accounts,dc=ipa,dc=example,dc=com to enable our mailserver to have a local ldap cache (for alias/mailbox mapping in postfix/dovecot) and to be able to add a local ldap-addressbook to our mailserver without the need to have it on our ipa-servers. 
Our environment is:

3 free-ipa servers (centos7, 389-ds-base.x86_64 1.3.5.10-20.el7_3)
1 Mailserver (debian stretch, 389-ds 1.3.5.15-2)

What we did do:

Basically following this guide:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/Managing_Replication-Configuring-Replication-cmd#Configuring-Replication-Suppliers-cmd

on consumer (our mailserver):

...first we created the missing root (cn=accounts,dc=ipa,dc=example,dc=com) by hand....

# readonly replication manager
dn: cn=readonly replication manager,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: readonly replication manager
sn: RORM
userPassword: NotTheRealPassword
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

Replication Entry:

# no dc=ipa in the dn!
dn: cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsds5replica
objectclass: extensibleObject
cn: replica
nsds5replicaid: 65535
nsds5replicaroot: cn=accounts,dc=ipa,dc=example,dc=com
nsds5replicatype: 2
nsds5ReplicaPurgeDelay: 604800
nsds5ReplicaBindDN: cn=replication manager,cn=config
nsds5flags: 1

# on supplier (one of our IPA-servers)

# on our IPA-servers, dc=ipa is included
dn: cn=accountsToMail,cn=replica,cn=dc\=ipa\,dc\=example\,dc\=com,cn=mapping tree,cn=config
objectclass: top
objectclass: nsds5ReplicationAgreement
cn: accounts2hermes
nsds5replicahost: mail.example.com
nsds5replicaport: 389
nsds5ReplicaBindDN: cn=readonly replication manager,cn=config
nsds5replicabindmethod: SIMPLE
nsds5replicaroot: cn=accounts,dc=ipa,dc=example,dc=com
description: replicate cn=accounts from ipa to hermes
nsds5replicatedattributelist: (objectclass=*) $ EXCLUDE authorityRevocationList accountUnlockTime memberof
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE accountUnlockTime
nsds5replicacredentials: notTheRealButSameAsAbove
nsds5ReplicaIgnoreMissingChange: once
nsds5BeginReplicaRefresh: start

After some
log-entries regarding the schema versions, we stopped the consumer and copied the schema from the supplier to the consumer by hand...

This fixed most of the noise in the log, but we are still getting the following error:

[18/May/2017:10:23:41.311816674 +0200] NSMMReplicationPlugin - agmt="cn=accountsToMail" (mail:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.

Of course, we tried to re-initialize the remote-replica by,

dn: cn=accountsToMail,cn=replica,cn=dc\=ipa\,dc\=example\,dc\=com,cn=mapping tree,cn=config
changetype: modify
replace: nsds5BeginReplicaRefresh
nsds5BeginReplicaRefresh: start

What are we missing?

Best regards,
Bernhard

--
Bernhard Kneip
System Administration
E-Mail: Bernhard.Kneip at isa.de.com
Tel: +49(0)3677/46929-144
Internet: www.isa.de.com

ISA Institut für Serviceautomation GmbH & Co. KG
Ziolkowskistraße 8, 98693 Ilmenau
Amtsgericht Jena, HRA 301735
personally liable partner: ISA GmbH
Amtsgericht Jena, HRB 306708
Managing Directors: Dr.-Ing. Walther Spies, Dipl.-Ing. (FH) Peter Mayer
Member of SIELAFF GROUP

From lkrispen at redhat.com Fri May 19 07:49:18 2017
From: lkrispen at redhat.com (Ludwig Krispenz)
Date: Fri, 19 May 2017 09:49:18 +0200
Subject: [Freeipa-users] Replica cannot be reinitialized after upgrade
In-Reply-To: <9014AEFD-2665-408E-9915-6D81ED0A12D1@ecobee.com>
References: <59198455.2020009@redhat.com> <9014AEFD-2665-408E-9915-6D81ED0A12D1@ecobee.com>
Message-ID: <591EA37E.7040903@redhat.com>

On 05/18/2017 10:13 PM, Goran Marik wrote:
> Thanks Ludwig for the suggestion and thanks to Maciej for the confirmation from his end. This issue is happening for us for several weeks, so I don't think this is a transient problem.
>
> What is the best way to sanitize the logs without removing useful info before sending them your way?
Will the files mentioned on "https://www.freeipa.org/page/Files_to_be_attached_to_bug_report -> Directory server failed" be sufficient?
yes, but we need some additional info on the replication config and state, you could add
/etc/dirsrv/slapd-*/dse.ldif
and the result of this query

ldapsearch -o ldif-wrap=no .................... -D "cn=directory manager" ... -b "cn=config" "objectclass=nsds5replica" \* nsds50ruv

But looking again at the csn reported missing it is from June, 2016. So I wonder if this is for a stale/removed replica and cleaning the ruvs would help
>
> I've also run the ipa_consistency_check script, and the output shows that something is indeed wrong with the sync:
> ???
> FreeIPA servers:    inf01         inf01         inf02         inf02         STATE
> =============================================================
> Active Users        15            15            15            15            OK
> Stage Users         0             0             0             0             OK
> Preserved Users     3             3             3             3             OK
> User Groups         9             9             9             9             OK
> Hosts               45            45            45            46            FAIL
> Host Groups         7             7             7             7             OK
> HBAC Rules          6             6             6             6             OK
> SUDO Rules          7             7             7             7             OK
> DNS Zones           33            33            33            33            OK
> LDAP Conflicts      NO            NO            NO            NO            OK
> Ghost Replicas      2             2             2             2             FAIL
> Anonymous BIND      YES           YES           YES           YES           OK
> Replication Status  inf01.prod 0  inf01.dev 0   inf01.dev 0   inf01.dev 0
>                     inf02.dev 0   inf02.dev 0   inf01.prod 0  inf01.prod 0
>                     inf02.prod 0  inf02.prod 0  inf02.prod 0  inf02.dev 0
> =============================================================
> ???
>
> Thanks,
> Goran
>
>> On May 15, 2017, at 6:35 AM, Ludwig Krispenz wrote:
>>
>> The messages you see could be transient messages, and if replication is working then this seems to be the case. If not we would need more data to investigate: deployment info, replicaIDs of all servers, ruvs, logs,.....
>>
>> Here is some background info: there are some scenarios where a csn could not be found in the changelog, eg if updates were applied on the supplier during a total init, they could be part of the data and database ruv, but not in the changelog of the initialized replica.
>> ds did try to use an alternative csn in cases where it could not be found, but this had the risk of missing updates, so we decided to change it and make this misssing csn a non fatal error, backoff and retry, if another supplier would have updated the replica in between, the starting csn could have changed and be found. so if the reported missing csns change and replication continues everything is ok, although I think the messages should stop at some point. >> >> There is a configuration parameter for a replciation agreement to trigger the previous behaviour of picking an alternative csn: >> nsds5ReplicaIgnoreMissingChange >> with potential values "once", "always". >> >> where "once" just tries to kickstart replication by using another csn and "always" changes the default behaviour >> >> >> On 05/11/2017 06:53 PM, Goran Marik wrote: >>> Hi, >>> >>> After an upgrade to Centos 7.3.1611 with ?yum update", we started seeing the following messages in the logs: >>> ??? >>> May 9 21:58:28 inf01 ns-slapd[4323]: [09/May/2017:21:58:28.519724479 +0000] NSMMReplicationPlugin - changelog program - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): CSN 576b34e8000a050f0000 not found, we aren't as up to date, or we purged >>> May 9 21:58:28 inf01 ns-slapd[4323]: [09/May/2017:21:58:28.550459233 +0000] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized. >>> May 9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.588245476 +0000] agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389) - Can't locate CSN 576b34e8000a050f0000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized. 
>>> May 9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.611400689 +0000] NSMMReplicationPlugin - changelog program - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): CSN 576b34e8000a050f0000 not found, we aren't as up to date, or we purged >>> May 9 21:58:32 inf01 ns-slapd[4323]: [09/May/2017:21:58:32.642226385 +0000] NSMMReplicationPlugin - agmt="cn=cloneAgreement1-inf02.dev.ecobee.com-pki-tomcat" (inf02:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized. >>> ??? >>> >>> The log messages are pretty frequently, every few seconds, and report few different CSN numbers that cannot be located. >>> >>> This happens only on one replica out of 4. We?ve tried "ipa-replica-manage re-initialize ?from? and ?ipa-csreplica-manage re-initialize ?from? several times, but while both commands report success, the log messages continue to happen. The server was rebooted and ?systemctl restart ipa? was done few times as well. >>> >>> The replica seems to be working fine despite the errors, but I?m worried that the logs indicate underlaying problem we are not fully detecting. I would like to understand better what is triggering this behaviour and how to fix it, and if someone else saw them after a recent upgrades. 
>>> >>> The software versions are 389-ds-base-1.3.5.10-20.el7_3.x86_64 and ipa-server-4.4.0-14.el7.centos.7.x86_64 >>> >>> Thanks, >>> Goran >>> >>> -- >>> Goran Marik >>> Senior Systems Developer >>> >>> ecobee >>> 250 University Ave, Suite 400 >>> Toronto, ON M5H 3E5 >>> >>> >>> >>> >> -- >> Red Hat GmbH, >> http://www.de.redhat.com/ >> , Registered seat: Grasbrunn, >> Commercial register: Amtsgericht Muenchen, HRB 153243, >> Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander >> >> -- >> Manage your subscription for the Freeipa-users mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-users >> Go to http://freeipa.org for more info on the project > -- > Goran Marik > Senior Systems Developer > > ecobee > 250 University Ave, Suite 400 > Toronto, ON M5H 3E5 > > -- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander From bernhard.kneip at isa.de.com Thu May 18 09:27:02 2017 From: bernhard.kneip at isa.de.com (Bernhard Kneip) Date: Thu, 18 May 2017 11:27:02 +0200 Subject: [Freeipa-users] replicating cn=accounts, dc=ipa, dc=example, dc=com tree to a read-only instance of 389ds on our mailserver Message-ID: Hi guys, our current setup consists of 3 replicated free-ipa servers in a master-master configuration. What we are currently trying to do, is to add a standalone 389-ds on our mailserver which should only readonly-replicate cn=accounts,dc=ipa,dc=example,dc=com to enable our mailserver to have a local ldap cache (for alias/mailbox mapping in postfix/dovecot) and to be able to add a local ldap-addressbook to our mailserver without the need to have it on our ipa-servers. 
Our environment is:

3 free-ipa servers (centos7, 389-ds-base.x86_64 1.3.5.10-20.el7_3)
1 Mailserver (debian stretch, 389-ds 1.3.5.15-2)

What we did do:

Basically following this guide:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/Managing_Replication-Configuring-Replication-cmd#Configuring-Replication-Suppliers-cmd

on consumer (our mailserver):

...first we created the missing root (cn=accounts,dc=ipa,dc=example,dc=com) by hand....

# readonly replication manager
dn: cn=readonly replication manager,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
cn: readonly replication manager
sn: RORM
userPassword: NotTheRealPassword
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

Replication Entry:

# no dc=ipa in the dn!
dn: cn=replica,cn=dc\=example\,dc\=com,cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsds5replica
objectclass: extensibleObject
cn: replica
nsds5replicaid: 65535
nsds5replicaroot: cn=accounts,dc=ipa,dc=example,dc=com
nsds5replicatype: 2
nsds5ReplicaPurgeDelay: 604800
nsds5ReplicaBindDN: cn=replication manager,cn=config
nsds5flags: 1

# on supplier (one of our IPA-servers)

# on our IPA-servers, dc=ipa is included
dn: cn=accountsToMail,cn=replica,cn=dc\=ipa\,dc\=example\,dc\=com,cn=mapping tree,cn=config
objectclass: top
objectclass: nsds5ReplicationAgreement
cn: accounts2hermes
nsds5replicahost: mail.example.com
nsds5replicaport: 389
nsds5ReplicaBindDN: cn=readonly replication manager,cn=config
nsds5replicabindmethod: SIMPLE
nsds5replicaroot: cn=accounts,dc=ipa,dc=example,dc=com
description: replicate cn=accounts from ipa to hermes
nsds5replicatedattributelist: (objectclass=*) $ EXCLUDE authorityRevocationList accountUnlockTime memberof
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE accountUnlockTime
nsds5replicacredentials: notTheRealButSameAsAbove
nsds5ReplicaIgnoreMissingChange: once
nsds5BeginReplicaRefresh: start

After some
log-entries regarding the schema versions, we stopped the consumer and copied the schema from the supplier to the consumer by hand...

This fixed most of the noise in the log, but we are still getting the following error:

[18/May/2017:10:23:41.311816674 +0200] NSMMReplicationPlugin - agmt="cn=accountsToMail" (mail:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.

Of course, we tried to re-initialize the remote-replica by,

dn: cn=accountsToMail,cn=replica,cn=dc\=ipa\,dc\=example\,dc\=com,cn=mapping tree,cn=config
changetype: modify
replace: nsds5BeginReplicaRefresh
nsds5BeginReplicaRefresh: start

What are we missing?

Best regards,
Bernhard

--
Bernhard Kneip
System Administration
E-Mail: Bernhard.Kneip at isa.de.com
Tel: +49(0)3677/46929-144
Internet: www.isa.de.com

ISA Institut für Serviceautomation GmbH & Co. KG
Ziolkowskistraße 8, 98693 Ilmenau
Amtsgericht Jena, HRA 301735
personally liable partner: ISA GmbH
Amtsgericht Jena, HRB 306708
Managing Directors: Dr.-Ing. Walther Spies, Dipl.-Ing. (FH) Peter Mayer
Member of SIELAFF GROUP
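
Added example, not part of any message in this archive and not 389-ds code: the CSN/RUV explanation in the "Cant locate CSN after yum update" thread and the "different database generation ID" error in the message above, worked through in Python. The two CSNs decoded in the test come from the posts; the RUV values, the changelog contents, the example.test host names and all class and function names are constructed assumptions, and the session planning is a simplified model of the supplier's decision.

```python
import re
from datetime import datetime, timezone
from typing import NamedTuple

CSN_RE = re.compile(r"[0-9a-f]{20}")
GEN_RE = re.compile(r"\{replicageneration\} ([0-9a-f]{20})")
# nsds50ruv element: "{replica <id> <url>} <min csn> <max csn>" (CSNs optional)
ELEM_RE = re.compile(
    r"\{replica (\d+) (ldaps?://[^}]+)\}(?: ([0-9a-f]{20}) ([0-9a-f]{20}))?")


class CSN(NamedTuple):
    """8 hex digits of epoch seconds, 4 of sequence number, 4 of replica ID,
    4 of sub-sequence number. Tuple ordering gives the CSN ordering."""
    timestamp: int
    seq: int
    replica_id: int
    subseq: int

    @classmethod
    def parse(cls, text):
        text = text.strip().lower()
        if not CSN_RE.fullmatch(text):
            raise ValueError("not a 20-hex-digit CSN: %r" % text)
        bounds = ((0, 8), (8, 12), (12, 16), (16, 20))
        return cls(*(int(text[a:b], 16) for a, b in bounds))

    def when(self):
        return datetime.fromtimestamp(self.timestamp, tz=timezone.utc)

    def __str__(self):
        return "%08x%04x%04x%04x" % tuple(self)


class GenerationMismatch(Exception):
    """Supplier and consumer databases do not share a replica generation."""


def parse_ruv(values):
    """Return (generation, {replica_id: max CSN or None}) from nsds50ruv values."""
    generation, max_csn = None, {}
    for value in values:
        value = value.strip()
        gen = GEN_RE.fullmatch(value)
        if gen:
            generation = gen.group(1)
            continue
        elem = ELEM_RE.fullmatch(value)
        if not elem:
            raise ValueError("unrecognised RUV element: %r" % value)
        max_csn[int(elem.group(1))] = (
            CSN.parse(elem.group(4)) if elem.group(4) else None)
    if generation is None:
        raise ValueError("RUV has no {replicageneration} element")
    return generation, max_csn


def plan_session(supplier, consumer):
    """For each replica ID where the supplier is ahead, return the CSN the
    consumer has already seen, i.e. the anchor the supplier must find in its
    changelog. None means the consumer has seen nothing from that replica ID."""
    (sup_gen, sup_max), (con_gen, con_max) = supplier, consumer
    if sup_gen != con_gen:
        raise GenerationMismatch("%s != %s: consumer needs a total init"
                                 % (sup_gen, con_gen))
    plan = {}
    for rid, newest in sup_max.items():
        seen = con_max.get(rid)
        if newest is not None and (seen is None or newest > seen):
            plan[rid] = seen
    return plan


def unlocatable(plan, changelog_csns):
    """Replica IDs whose anchor CSN is absent from the supplier changelog,
    the condition logged as "Can't locate CSN ... in the changelog"."""
    keys = {CSN.parse(c) for c in changelog_csns}
    return sorted(rid for rid, start in plan.items()
                  if start is not None and start not in keys)


# Constructed sample data; only 59095fe1000b00120000 is taken from the thread.
SUPPLIER_RUV = [
    "{replicageneration} 58f0a1b2000000040000",
    "{replica 4 ldap://toto1.example.test:389} 58f0a1c0000000040000 591d5a10000100040000",
    "{replica 18 ldap://toto3.example.test:389} 590a0000000000120000 591d5b00000000120000",
]
CONSUMER_RUV = [
    "{replicageneration} 58f0a1b2000000040000",
    "{replica 4 ldap://toto1.example.test:389} 58f0a1c0000000040000 591d5a10000100040000",
    "{replica 18 ldap://toto3.example.test:389} 58f0a200000000120000 59095fe1000b00120000",
]
# Supplier changelog after trimming: the consumer's anchor for ID 18 is gone.
CHANGELOG = ["590a0000000000120000", "591d5a10000100040000", "591d5b00000000120000"]

if __name__ == "__main__":
    plan = plan_session(parse_ruv(SUPPLIER_RUV), parse_ruv(CONSUMER_RUV))
    for rid, start in plan.items():
        print("replica ID %d: resume after %s (%s)" % (rid, start, start.when()))
    print("anchors missing from changelog:", unlocatable(plan, CHANGELOG))
```
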