On Tue, 08 Apr 2014, Sumit Bose wrote:
On Tue, Apr 08, 2014 at 08:27:01AM +0300, Alexander Bokovoy wrote:
On Fri, 04 Apr 2014, Alexander Bokovoy wrote:
>>tevent: Destroying timer event 0x7facb82e9d30
>>"dcerpc_connect_timeout_handler"
>^^ stopped just short of authenticating to smbd prior to ask it for
>informational policy about the domain.
>
>This means there is some problem in what smbd thinks about your
>admin@UNIX account.
>
>Can you do following:
>
># for i in /var/log/samba/log.* ; do echo > $i ; done
># smbcontrol all debug 100
># kinit admin@UNIX
># ipa trust-add sbx.local ....
># smbcontrol all debug 1
>
>now archive logs in /var/log/samba/log.* and send them to me privately.

After several rounds of capturing logs, we've solved the issue by
finding out that IPv6 stack was completely disabled on the machine.

Even though certain security guides may suggest disabling IPv6 stack
when it is not in use, this suggestion is not very usable. IPv4 and IPv6
share the same port range on the local side, so it is a recommended
programming practice for networking applications to only open IPv6
sockets. Standard C library (glibc, for example) handles transparently
both IPv4 and IPv6 cases for the applications.

Samba and some of other FreeIPA components open their networking sockets
as IPv6 ones. Completely disabling IPv6 stack on the machine causes
these requests to open a socket to fail as kernel will be responding "do
not know this socket address family".

If your security guidelines require disabling IPv6 address space, please
don't add ipv6.disable=1 to the kernel commandline to disable the whole
IPv6 stack. Instead, use ipv6.disable_ipv6=1. The latter option will
keep the IPv6 stack functional but will not assign IPv6 addresses to any
of your network devices. This is recommended approach for cases when
you don't use IPv6 networking.

Creating and adding to, for example, /etc/sysctl.d/ipv6.conf will avoid
assigning IPv6 addresses to a specific network interface:

 # Disable IPv6
 net.ipv6.conf.all.disable_ipv6 = 1
 net.ipv6.conf.<interface0>.disable_ipv6 = 1

where interface0 is your specialized interface. Note that all we are
requiring is that IPv6 stack is enabled at the kernel level and this
is recommended way to develop networking applications for a long time
already.

I've updated http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
and http://www.freeipa.org/page/Deployment_Recommendations with this
information.

Thank you for getting to the bottom of this. Do you think we should
check this settings during ipa-adtrust-install or even  during
ipa-server-install?
I think we should do both.

--
/ Alexander Bokovoy

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to