Hi Jakub,

On 01/21/17 13:49, Jakub Hrozek wrote:
>
> Can you check what kind of query do you see in the LDAP server log?
>

The git server does just a few queries per hour:

[21/Jan/2017:16:27:53.098932003 +0100] conn=8 op=39431 SRCH base="dc=example,dc=de" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/[email protected])(krbPrincipalName:caseIgnoreIA5Match:=host/[email protected])))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Jan/2017:16:27:53.100196009 +0100] conn=8 op=39435 SRCH base="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
[21/Jan/2017:16:27:53.100426687 +0100] conn=8 op=39436 SRCH base="cn=tisde8i005.ac.example.de,cn=masters,cn=ipa,cn=etc,dc=example,dc=de" scope=0 filter="(objectClass=*)" attrs=ALL
[21/Jan/2017:16:27:53.100658375 +0100] conn=8 op=39437 MOD dn="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:27:53.125278099 +0100] conn=9119 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:28:37.001050661 +0100] conn=9119 op=891 SRCH base="cn=accounts,dc=example,dc=de" scope=2 filter="(&(objectClass=ipaHost)(fqdn=tisde8i005.ac.example.de))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[21/Jan/2017:16:28:37.003968246 +0100] conn=9119 op=892 SRCH base="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[21/Jan/2017:16:28:37.006876504 +0100] conn=9119 op=894 SRCH base="cn=sudo,dc=example,dc=de" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(!(memberHost=*))(hostCategory=ALL)(memberHost=fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de))(entryusn>=1))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
[21/Jan/2017:16:42:47.447444525 +0100] conn=7 op=22424 SRCH base="dc=example,dc=de" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=host/[email protected]))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Jan/2017:16:42:47.459190497 +0100] conn=9208 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:43:37.000841869 +0100] conn=9208 op=961 SRCH base="cn=accounts,dc=example,dc=de" scope=2 filter="(&(objectClass=ipaHost)(fqdn=tisde8i005.ac.example.de))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[21/Jan/2017:16:43:37.002362473 +0100] conn=9208 op=962 SRCH base="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[21/Jan/2017:16:43:37.005732600 +0100] conn=9208 op=964 SRCH base="cn=sudo,dc=example,dc=de" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(!(memberHost=*))(hostCategory=ALL)(memberHost=fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de))(entryusn>=1))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
[21/Jan/2017:16:57:41.203749166 +0100] conn=7 op=22574 SRCH base="dc=example,dc=de" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/[email protected])(krbPrincipalName:caseIgnoreIA5Match:=host/[email protected])))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[21/Jan/2017:16:57:41.208535394 +0100] conn=7 op=22578 SRCH base="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de" scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber krbPrincipalName krbCanonicalName krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
[21/Jan/2017:16:57:41.209403021 +0100] conn=7 op=22579 SRCH base="cn=tisde8i005.ac.example.de,cn=masters,cn=ipa,cn=etc,dc=example,dc=de" scope=0 filter="(objectClass=*)" attrs=ALL
[21/Jan/2017:16:57:41.210326182 +0100] conn=7 op=22580 MOD dn="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:57:41.255723384 +0100] conn=9305 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:58:37.000568448 +0100] conn=9305 op=1209 SRCH base="cn=accounts,dc=example,dc=de" scope=2 filter="(&(objectClass=ipaHost)(fqdn=tisde8i005.ac.example.de))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[21/Jan/2017:16:58:37.002589641 +0100] conn=9305 op=1210 SRCH base="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de" scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[21/Jan/2017:16:58:37.004729752 +0100] conn=9305 op=1212 SRCH base="cn=sudo,dc=example,dc=de" scope=2 filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(!(memberHost=*))(hostCategory=ALL)(memberHost=fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de))(entryusn>=1))" attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"

> Do the server logs correlate with debug logs from the nss and domain sections
> of sssd?
>

You are right: I misread the log file on the client.

> Are you sure there is no other NSS module in nsswitch.conf other than files
> and sss?
>

It said "files nis sss". Fixed.

Thanx for your help (and patience)

Regards
Harri

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
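
An added example, not part of the original message: a check for the nsswitch.conf condition that turned out to be the cause in this thread, reporting NSS sources other than files and sss. The list of audited databases and the sample file content are assumptions constructed for illustration.

```python
import re

# Allowed NSS sources, taken from the question in the thread ("files and sss").
ALLOWED = {"files", "sss"}
# Assumption: identity-related databases to audit; the thread does not name them.
DATABASES = ("passwd", "group", "shadow", "netgroup")

# Action items such as [NOTFOUND=return] are lookup controls, not sources.
ACTION = re.compile(r"\[[^\]]*\]")


def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf text."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or ":" not in line:
            continue
        db, spec = line.split(":", 1)
        spec = ACTION.sub(" ", spec)  # remove action items before splitting
        table[db.strip().lower()] = spec.split()
    return table


def unexpected_sources(text, allowed=ALLOWED, databases=DATABASES):
    """Map each audited database to the sources outside the allowed set."""
    table = parse_nsswitch(text)
    findings = {}
    for db in databases:
        extra = [s for s in table.get(db, []) if s not in allowed]
        if extra:
            findings[db] = extra
    return findings


# Constructed sample resembling the state described in the thread.
SAMPLE = """\
# /etc/nsswitch.conf (constructed sample)
passwd:   files nis sss
group:    files nis sss
shadow:   files
netgroup: files [NOTFOUND=return] sss   # action item is not a source
hosts:    files dns
"""

if __name__ == "__main__":
    for db, extra in unexpected_sources(SAMPLE).items():
        print(f"{db}: unexpected source(s): {', '.join(extra)}")
```

The hosts database is left out of the audit on purpose, since dns is a normal source there.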
