On 20 September 2017 at 16:15, Lachlan Musicman <data...@gmail.com> wrote:
> On 20 September 2017 at 15:54, Alexander Bokovoy <aboko...@redhat.com> wrote:
>
>>> Ok. By the look of this commit (to 4.5):
>>>
>>> https://pagure.io/freeipa/c/bdf9a34dffdf4d7925208e5df9f69e3927b88858
>>>
>>> from this issue https://pagure.io/freeipa/issue/7083
>>>
>>> It is (or was) the IPv6 problem.
>>>
>>> We have an
>>>
>>> [root@linuxidm ~]# cat /etc/sysctl.d/ipv6.conf
>>> # Disable IPv6
>>> net.ipv6.conf.all.disable_ipv6 = 1
>>> net.ipv6.conf.ens160.disable_ipv6 = 1
>>>
>>> We don't have the 'lo' interface defined in there, but it's never been an issue.
>>>
>>> The /etc/hosts entry for ::1 must have thrown ipa-server-upgrade.
>>>
>> I'm a bit tired of repeating this multiple times, but FreeIPA does require the IPv6 stack to be enabled in the kernel. We absolutely do. If you don't use the IPv6 stack, disable it on specific interfaces. However, there is a practical problem with the way the glibc DNS resolver works: in the default configuration it always prefers IPv6 answers to IPv4, because this is actually a policy of RFC 3484. As a result, if you have ::1 in /etc/hosts, it will be returned first. If you don't have ::1 on any of your interfaces ('lo' is a typical one), then apps cannot contact ::1 (localhost) even if those apps that use IPv6 bind to all interfaces.
>>
>> FreeIPA uses modern APIs provided by glibc to listen on both IPv6 and IPv4. It simply means that FreeIPA servers bind to IPv6 addresses (on all interfaces or on a specific one, if needed) and treat IPv4 as mapped ones, because IPv6 and IPv4 share the same port space on the same machine. This works transparently thanks to glibc and is a recommended way to write networking applications. See man ipv6(7) for details.
>>
>> Here is how it looks on a real system, for TCP listeners:
>>
>> # netstat -nltp
>> Active Internet connections (only servers)
>> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
>> tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      13361/named-pkcs11
>> tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      13760/smbd
>> tcp        0      0 0.0.0.0:49152           0.0.0.0:*               LISTEN      13765/smbd
>> tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      13763/smbd
>> tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      13760/smbd
>> tcp        0      0 0.0.0.0:749             0.0.0.0:*               LISTEN      13351/kadmind
>> tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      13351/kadmind
>> tcp        0      0 192.168.100.233:53      0.0.0.0:*               LISTEN      13361/named-pkcs11
>> tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      13361/named-pkcs11
>> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2838/sshd
>> tcp        0      0 0.0.0.0:88              0.0.0.0:*               LISTEN      13345/krb5kdc
>> tcp6       0      0 ::1:953                 :::*                    LISTEN      13361/named-pkcs11
>> tcp6       0      0 :::8443                 :::*                    LISTEN      13603/java
>> tcp6       0      0 :::443                  :::*                    LISTEN      13379/httpd
>> tcp6       0      0 :::636                  :::*                    LISTEN      13296/ns-slapd
>> tcp6       0      0 :::445                  :::*                    LISTEN      13760/smbd
>> tcp6       0      0 :::49152                :::*                    LISTEN      13765/smbd
>> tcp6       0      0 :::9090                 :::*                    LISTEN      1/systemd
>> tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      13603/java
>> tcp6       0      0 :::389                  :::*                    LISTEN      13296/ns-slapd
>> tcp6       0      0 :::135                  :::*                    LISTEN      13763/smbd
>> tcp6       0      0 127.0.0.1:8009          :::*                    LISTEN      13603/java
>> tcp6       0      0 :::139                  :::*                    LISTEN      13760/smbd
>> tcp6       0      0 :::749                  :::*                    LISTEN      13351/kadmind
>> tcp6       0      0 :::8080                 :::*                    LISTEN      13603/java
>> tcp6       0      0 :::80                   :::*                    LISTEN      13379/httpd
>> tcp6       0      0 :::464                  :::*                    LISTEN      13351/kadmind
>> tcp6       0      0 :::53                   :::*                    LISTEN      13361/named-pkcs11
>> tcp6       0      0 :::22                   :::*                    LISTEN      2838/sshd
>> tcp6       0      0 :::88                   :::*                    LISTEN      13345/krb5kdc
>>
>> Notice that many ports are only available as tcp6 listeners? Like 636 (LDAPS), 389 (LDAP), 80 (HTTP), 443 (HTTPS) and so on? This is an effect of using the v6 API that supports v4-mapped-on-v6 addresses. It makes the code less complex and handles both IPv6 and IPv4 with the same code.
>
> Alex, is it sufficient to turn IPv6 on only on the IPA server (and replicas), or do the sssd clients expect it on for the interface lo as well?
>
> cheers
> L.
>
> ------
> "The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics is the insistence that we cannot ignore the truth, nor should we panic about it. It is a shared consciousness that our institutions have failed and our ecosystem is collapsing, yet we are still here — and we are creative agents who can shape our destinies. Apocalyptic civics is the conviction that the only way out is through, and the only way through is together."
> *Greg Bloom* @greggish https://twitter.com/greggish/status/873177525903609857
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
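As an added illustration of the v4-mapped behaviour Alex describes (this is not code from the thread or from FreeIPA itself), the Python script below binds one AF_INET6 listener on :: and connects to it from a plain IPv4 client over loopback: with IPV6_V6ONLY left at 0 (the Linux default, sysctl net.ipv6.bindv6only=0) the listener sees the IPv4 peer as ::ffff:127.0.0.1, and with IPV6_V6ONLY=1 the same IPv4 client is refused. It also reports "no-ipv6" when the kernel offers no IPv6 sockets at all, which is the failure mode the thread is about. It uses only the standard socket module and a kernel-chosen port, so it runs offline.

```python
import socket

# How an IPv4 loopback client appears to an AF_INET6 socket (RFC 4291 v4-mapped form).
MAPPED_LOOPBACK = "::ffff:127.0.0.1"


def probe_dual_stack(v6only):
    """Bind one AF_INET6 listener on :: and connect to it from an AF_INET client.

    Returns the peer address string the listener sees (MAPPED_LOOPBACK when
    v4-mapped peers are allowed), None when the IPv4 client is refused
    (IPV6_V6ONLY=1 gives the port no IPv4 side), or "no-ipv6" when the
    kernel's IPv6 stack is unavailable, as with ipv6.disable=1.
    """
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        return "no-ipv6"
    with srv:
        try:
            # 0: IPv4 peers reach this socket as ::ffff:a.b.c.d on the same port.
            # 1: this socket is IPv6-only, exactly like a bindv6only=1 kernel.
            srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
            srv.bind(("::", 0))   # port 0: let the kernel pick a free port
            srv.listen(1)
        except OSError:
            return "no-ipv6"
        port = srv.getsockname()[1]
        srv.settimeout(2)
        client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # IPv4-only client
        with client:
            client.settimeout(2)
            try:
                client.connect(("127.0.0.1", port))
            except OSError:      # ECONNREFUSED (or a timeout): no IPv4 view of the port
                return None
            # The handshake completed in the listen backlog, so accept() returns at once.
            conn, peer = srv.accept()
            conn.close()
            return peer[0]


if __name__ == "__main__":
    print("IPV6_V6ONLY=0:", probe_dual_stack(False))  # ::ffff:127.0.0.1 on a dual-stack host
    print("IPV6_V6ONLY=1:", probe_dual_stack(True))   # None: the IPv4 client is refused
```

The same v4-mapped addresses are what you see as `:::389` and `:::636` in the netstat output above, and an application written this way needs nothing but the kernel's IPv6 stack present to keep serving IPv4 clients.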