-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi Jakub,

On 01/21/17 13:49, Jakub Hrozek wrote:
> 
> Can you check what kind of query do you see in the LDAP server log?
> 

The git server does just a few queries per hour:

[21/Jan/2017:16:27:53.098932003 +0100] conn=8 op=39431 SRCH 
base="dc=example,dc=de" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/tisde8i005.ac.example...@example.de)(krbPrincipalName:caseIgnoreIA5Match:=host/tisde8i005.ac.example...@example.de)))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled
krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration 
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory 
krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth 
krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge 
nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType 
ipatokenRadiusConfigLink objectClass"
[21/Jan/2017:16:27:53.100196009 +0100] conn=8 op=39435 SRCH 
base="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de" 
scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber 
krbPrincipalName krbCanonicalName krbTicketPolicyReference 
krbPrincipalExpiration
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript 
ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
[21/Jan/2017:16:27:53.100426687 +0100] conn=8 op=39436 SRCH 
base="cn=tisde8i005.ac.example.de,cn=masters,cn=ipa,cn=etc,dc=example,dc=de" 
scope=0 filter="(objectClass=*)" attrs=ALL
[21/Jan/2017:16:27:53.100658375 +0100] conn=8 op=39437 MOD 
dn="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:27:53.125278099 +0100] conn=9119 op=3 RESULT err=0 tag=97 
nentries=0 etime=0 
dn="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:28:37.001050661 +0100] conn=9119 op=891 SRCH 
base="cn=accounts,dc=example,dc=de" scope=2 
filter="(&(objectClass=ipaHost)(fqdn=tisde8i005.ac.example.de))" 
attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[21/Jan/2017:16:28:37.003968246 +0100] conn=9119 op=892 SRCH 
base="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de" 
scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[21/Jan/2017:16:28:37.006876504 +0100] conn=9119 op=894 SRCH 
base="cn=sudo,dc=example,dc=de" scope=2 
filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(!(memberHost=*))(hostCategory=ALL)(memberHost=fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de))(entryusn>=1))"
attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs 
ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser 
sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory 
ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser
ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
[21/Jan/2017:16:42:47.447444525 +0100] conn=7 op=22424 SRCH 
base="dc=example,dc=de" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=host/tisde8i005.ac.example...@example.de))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
objectClass"
[21/Jan/2017:16:42:47.459190497 +0100] conn=9208 op=3 RESULT err=0 tag=97 
nentries=0 etime=0 
dn="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:43:37.000841869 +0100] conn=9208 op=961 SRCH 
base="cn=accounts,dc=example,dc=de" scope=2 
filter="(&(objectClass=ipaHost)(fqdn=tisde8i005.ac.example.de))" 
attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[21/Jan/2017:16:43:37.002362473 +0100] conn=9208 op=962 SRCH 
base="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de" 
scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[21/Jan/2017:16:43:37.005732600 +0100] conn=9208 op=964 SRCH 
base="cn=sudo,dc=example,dc=de" scope=2 
filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(!(memberHost=*))(hostCategory=ALL)(memberHost=fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de))(entryusn>=1))"
attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs 
ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser 
sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory 
ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser
ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"
[21/Jan/2017:16:57:41.203749166 +0100] conn=7 op=22574 SRCH 
base="dc=example,dc=de" scope=2
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/tisde8i005.ac.example...@example.de)(krbPrincipalName:caseIgnoreIA5Match:=host/tisde8i005.ac.example...@example.de)))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled
krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration 
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory 
krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth 
krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge 
nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType 
ipatokenRadiusConfigLink objectClass"
[21/Jan/2017:16:57:41.208535394 +0100] conn=7 op=22578 SRCH 
base="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de" 
scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber 
krbPrincipalName krbCanonicalName krbTicketPolicyReference 
krbPrincipalExpiration
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbLastAdminUnlock krbTicketFlags ipaNTSecurityIdentifier ipaNTLogonScript 
ipaNTProfilePath ipaNTHomeDirectory ipaNTHomeDirectoryDrive"
[21/Jan/2017:16:57:41.209403021 +0100] conn=7 op=22579 SRCH 
base="cn=tisde8i005.ac.example.de,cn=masters,cn=ipa,cn=etc,dc=example,dc=de" 
scope=0 filter="(objectClass=*)" attrs=ALL
[21/Jan/2017:16:57:41.210326182 +0100] conn=7 op=22580 MOD 
dn="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:57:41.255723384 +0100] conn=9305 op=3 RESULT err=0 tag=97 
nentries=0 etime=0 
dn="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de"
[21/Jan/2017:16:58:37.000568448 +0100] conn=9305 op=1209 SRCH 
base="cn=accounts,dc=example,dc=de" scope=2 
filter="(&(objectClass=ipaHost)(fqdn=tisde8i005.ac.example.de))" 
attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[21/Jan/2017:16:58:37.002589641 +0100] conn=9305 op=1210 SRCH 
base="fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de" 
scope=0 filter="(objectClass=*)" attrs="objectClass cn memberOf ipaUniqueID"
[21/Jan/2017:16:58:37.004729752 +0100] conn=9305 op=1212 SRCH 
base="cn=sudo,dc=example,dc=de" scope=2 
filter="(&(objectClass=ipasudorule)(ipaEnabledFlag=TRUE)(|(!(memberHost=*))(hostCategory=ALL)(memberHost=fqdn=tisde8i005.ac.example.de,cn=computers,cn=accounts,dc=example,dc=de))(entryusn>=1))"
attrs="objectClass cn ipaUniqueID ipaEnabledFlag ipaSudoOpt ipaSudoRunAs 
ipaSudoRunAsGroup memberAllowCmd memberDenyCmd memberHost memberUser 
sudoNotAfter sudoNotBefore sudoOrder cmdCategory hostCategory userCategory 
ipaSudoRunAsUserCategory ipaSudoRunAsGroupCategory ipaSudoRunAsExtUser
ipaSudoRunAsExtGroup ipaSudoRunAsExtUserGroup externalUser entryusn"

> Do the server logs correlate with debug logs from the nss and domain sections 
> of sssd?
> 

You are right: I misread the log file on the client.

> Are you sure there is no other NSS module in nsswitch.conf other than files 
> and sss?
> 

It said "files nis sss". Fixed.


Thanx for your help (and patience)

Regards
Harri

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEH2V614LbR/u1O+a1Cp4qnmbTgcsFAliDiTkACgkQCp4qnmbT
gct1lgf9Hpb0vsGDEFxdWwTu/K6Pmo+aQpFsbx9m0NmBffXUVhMIY/h6FNliIc6E
iNup62Agt4Gfa4hnGQ3BDH+nmjB7KsTIjVgI8sB2xyf++oV+qADKiFk5ERNVgcAb
dXgIfSjxuLZCRKAKy3xXkN+a6F/HEuxF89uX3YeMocSdrdEkfatkAFZjKnEc9uvN
MS7A+mcIiLI/dZsvPnQjEbUwBhPvRx90Aqo6RVBR6Gy2ToEN0zcDXm/nbNG2CHWN
egUIHnMoi9gMpX/xYgODPDgg1rRCLyDkwKGTC7iXf/ePOHTV8yj5EgONv1lQxk6X
s9mvR8wb1PmPmVWv10KCLRYw/Y5N/g==
=PTte
-----END PGP SIGNATURE-----

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to