On Tue, Jan 07, 2014 at 08:51:49AM -0500, Simo Sorce wrote: > On Tue, 2014-01-07 at 07:48 +0200, Alexander Bokovoy wrote: > > On Fri, 03 Jan 2014, Simo Sorce wrote: > > >On Fri, 2014-01-03 at 12:29 +0100, Jakub Hrozek wrote: > > >> On Thu, Jan 02, 2014 at 08:06:31PM +0000, Andrew Holway wrote: > > >> > /var/log/sssd/* > > >> > this is using bob@host (prattle.com is the windows domain) > > >> > https://gist.github.com/anonymous/ff817a251948ff58bdb1 > > >> > > > >> > this is using [email protected]@host (prattle.com is the windows domain) > > >> > > >> Thanks, these logs have somewhat more info than those in the other > > >> thread. > > >> > > >> It seems that Winbind on the IPA server has trouble talking to the AD > > >> server: > > >> > > >> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [fo_set_port_status] > > >> (0x0100): Marking port 0 of server 'ipa.wibble.com' as 'working' > > >> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] > > >> [set_server_common_status] (0x0100): Marking server 'ipa.wibble.com' as > > >> 'working' > > >> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [ipa_s2n_get_user_done] > > >> (0x0040): s2n exop request failed. > > >> > > >> (The s2n exop does a special LDAP call to IPA which in turn calls > > >> winbind on the server). > > >> > > >> To generate the winbind logs on the server, can you do 'smbcontrol > > >> winbindd > > >> debug 100', then request the trusted user. The winbind logs would be at > > >> /var/log/samba/log.w* > > > > > >Don't use debug level 100, it will litter the tmp with packet dumps and > > >[possibly fill the disk. > > > > > >Log level 10 is the max that is ever useful. > > No, you are not right. > > > > It looks in this case that there are some unfinished async tasks > > associated with the outgoing socket and they prevent cli_negprot from > > starting. On debug level 100 we see content of the packets sent by > > smbd/winbindd in the log itself which will help to identify what > > happens. On debug level 10 we simply have two lines in succession > > telling that winbindd attempted to start cli_negprot and then failed it. > > Yes it is ok to ask for 100 in specific cases if you find out it is > really needed, but shouldn't normally be advised, the starting point is > level 10, imo. > > Simo.
I agree that 10 is a better default value to advice. To be honest, I didn't try the debug level before I adviced it, I just copied what I had in bash history on my IPA server. Sorry. _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
