[Freeipa-users] Re: How to investigate error "Cannot contact any KDC for realm" when it occurred randomly?
lune voo via FreeIPA-users wrote:
> Hello everyone.
>
> I send you this mail because I have sometimes errors "Cannot contact any
> KDC for realm". When I retry it works fine. So this error is kind of random.
>
> I'm using Freeipa 3.0 in RHEL6.6 with sssd.
>
> I was wondering how to investigate this kind of error?
>
> May I monitor some KPI from the KDC or check from logs? Do you know
> which kind of logs I can check?

You probably need to watch the SSSD logs. My guess would be DNS issues.

rob

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/QAYETYBARLZQODXOALXIOLGUQFNPIE4Y/
[Freeipa-users] Forcing ssh key login
Hi all.

I wonder how to force ssh keys only for all the users with freeIPA. We have the 4.5.4 version.

Is the only way changing PasswordAuthentication in sshd_config from yes to *NO*?

Cheers
--
*Alfredo*
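On a FreeIPA client the setting Alfredo asks about is not the only switch: SSSD authenticates through PAM, and sshd reaches PAM via keyboard-interactive, which has its own option. The audit below is an added example, not from the thread; it assumes the lowercase "keyword value" format that `sshd -T` prints.

```shell
#!/bin/sh
# Added example (not from the thread): report every sshd setting that
# still allows a non-key login. Reads "sshd -T" output from stdin.

# Print one "FAIL <keyword> <value>" line per offending setting;
# print nothing when the server is key-only.
audit_keys_only() {
    awk '
        {   v = $0; sub(/^[^ ]+ */, "", v); opt[$1] = v }
        END {
            if (opt["passwordauthentication"] != "no")
                print "FAIL passwordauthentication " opt["passwordauthentication"]
            # PAM/keyboard-interactive path: old sshd names it
            # challengeresponseauthentication, newer kbdinteractiveauthentication
            k = "challengeresponseauthentication"
            if ("kbdinteractiveauthentication" in opt) k = "kbdinteractiveauthentication"
            if (opt[k] != "no") print "FAIL " k " " opt[k]
            if (opt["pubkeyauthentication"] != "yes")
                print "FAIL pubkeyauthentication " opt["pubkeyauthentication"]
            # pin the allowed methods explicitly instead of relying on "any"
            if (opt["authenticationmethods"] != "publickey")
                print "FAIL authenticationmethods " opt["authenticationmethods"]
        }'
}

# Constructed sample of "sshd -T" output: passwords are off, but the
# keyboard-interactive path is still open.
sample_sshd_config() {
    cat <<'EOF'
port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication yes
usepam yes
authenticationmethods any
EOF
}

# Real use on a client:  sshd -T | sh audit-sshd.sh --stdin
if [ "${1:-}" = "--stdin" ]; then
    audit_keys_only
fi
```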
[Freeipa-users] Re: Can we install LDAP only
None via FreeIPA-users writes:
> Can we only install LDAP related components, with Kerberos? How?

Not using freeIPA - freeIPA is mostly all or nothing.

MIT has some documentation on how to install a KDC with openLDAP:
http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_ldap.html

Please note, though, that Red Hat considers use of openLDAP deprecated; we recommend the use of 389ds going forward, and strongly suggest that freeIPA be used rather than configuring 389 by hand.

Thanks,
--Robbie
[Freeipa-users] Re: How to investigate error "Cannot contact any KDC for realm" when it occurred randomly?
lune voo via FreeIPA-users writes:
> I'm using Freeipa 3.0 in RHEL6.6 with sssd.

This version is pretty old, so I'm not sure how much support you're going to get, but some thoughts:

> I send you this mail because I have sometimes errors "Cannot contact
> any KDC for realm". When I retry it works fine. So this error is kind
> of random.

How is your realm set up? Are there multiple freeipa servers? Do you rely on DNS for discovery? Is there anything in KRB5_TRACE output?

Thanks,
--Robbie
[Freeipa-users] Re: Reply: [Freeipa-users] Re: Can we install LDAP only
On Thu, 26 Jul 2018, michael...@sina.cn wrote:
> Thanks for your reminder. One more question, can we set the krb5.conf
> location to a different path? The default is /etc/krb5.conf, can we
> change it to a different path?
Again, please give a bit more context on what you are trying to achieve. Are you talking about IPA masters? Or is the context an IPA client? What are you trying to achieve?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] Reply: Re: Can we install LDAP only
Thanks for your reminder. One more question, can we set the krb5.conf location to a different path? The default is /etc/krb5.conf, can we change it to a different path?

----- Original message -----
From: Alexander Bokovoy via FreeIPA-users
To: michael...@sina.cn, FreeIPA users list
Cc: Alexander Bokovoy
Subject: [Freeipa-users] Re: Can we install LDAP only
Date: 2018-07-26 15:06

On Thu, 26 Jul 2018, None via FreeIPA-users wrote:
>Dear,
>
>Can we only install LDAP related components, with Kerberos? How?
Do you mean you want LDAP server only? LDAP server with Kerberos KDC? LDAP server without Kerberos KDC?

FreeIPA is an integrated solution, so you cannot install separate components alone. If you need LDAP only, FreeIPA is not a best solution to that.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] How to investigate error "Cannot contact any KDC for realm" when it occurred randomly?
Hello everyone.

I send you this mail because I have sometimes errors "Cannot contact any KDC for realm". When I retry it works fine. So this error is kind of random.

I'm using Freeipa 3.0 in RHEL6.6 with sssd.

I was wondering how to investigate this kind of error?

May I monitor some KPI from the KDC or check from logs? Do you know which kind of logs I can check?

Thank you in advance for your help.

Best regards.
Lune
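One way to investigate an intermittent failure like this, following Rob's DNS guess and Robbie's KRB5_TRACE suggestion in the replies above: probe the KDC repeatedly the way kinit does and keep the trace plus the SRV answer only for the attempts that fail. This is an added example, not from the thread; the realm, the host keytab path and the presence of `dig` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: REALM is the Kerberos
# realm, the host keytab is /etc/krb5.keytab, and "dig" is installed.
REALM="${REALM:-EXAMPLE.COM}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
OUTDIR="${OUTDIR:-/var/tmp/kdc-probe}"

# DNS SRV name that libkrb5 and SSSD query to locate the KDCs of a realm.
kdc_srv_name() {
    printf '_kerberos._udp.%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

# Classify one attempt from kinit's stderr:
#   0 = ticket obtained, 1 = no KDC reachable, 2 = some other failure
#   (wrong keytab, clock skew, ...), which is worth separating out.
classify_kinit_error() {
    case "$1" in
        "")                         return 0 ;;
        *"Cannot contact any KDC"*) return 1 ;;
        *)                          return 2 ;;
    esac
}

# Each failed attempt leaves <n>.err (timestamp + kinit message),
# <n>.trace (KRB5_TRACE output) and <n>.dns (SRV answer at that moment),
# so the failure can be lined up with the SSSD and KDC logs afterwards.
probe_kdc() {
    attempts="${1:-20}"; n=0; bad=0
    mkdir -p "$OUTDIR"
    while [ "$n" -lt "$attempts" ]; do
        n=$((n + 1))
        trace="$OUTDIR/$n.trace"
        err="$(KRB5_TRACE="$trace" kinit -k -t "$KEYTAB" 2>&1 >/dev/null)" && err=""
        if classify_kinit_error "$err"; then
            rm -f "$trace"                      # success: keep nothing
        else
            bad=$((bad + 1))
            date '+%F %T' > "$OUTDIR/$n.err"
            printf '%s\n' "$err" >> "$OUTDIR/$n.err"
            dig +short SRV "$(kdc_srv_name "$REALM")" > "$OUTDIR/$n.dns" 2>&1
        fi
        sleep 5
    done
    echo "$bad of $attempts attempts failed; evidence in $OUTDIR"
}

# Real use:  sh kdc-probe.sh run 50
if [ "${1:-}" = "run" ]; then
    probe_kdc "${2:-20}"
fi
```

A trace that ends right after the SRV lookup on the failed attempts, next to an empty or changing `.dns` file, points at name resolution rather than at the KDC itself.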
[Freeipa-users] sssd is going down and up and down and up and down and ... until it breaks
Hi folks,

Apparently sssd goes down and up again and again. I found this in /var/log/daemon.log on our git server:

Jul 23 18:02:08 git01 sssd[be[example.de]]: Shutting down
Jul 23 18:02:08 git01 sssd[pam]: Shutting down
Jul 23 18:02:08 git01 sssd[nss]: Shutting down
Jul 23 18:02:09 git01 sssd[pam]: Starting up
Jul 23 18:02:09 git01 sssd[nss]: Starting up
Jul 23 18:02:09 git01 sssd[be[example.de]]: Starting up
Jul 23 18:02:11 git01 sssd[nss]: Starting up
Jul 23 18:02:11 git01 sssd[pam]: Starting up
Jul 23 20:01:33 git01 sssd[nss]: Shutting down
Jul 23 20:01:33 git01 sssd[pam]: Shutting down
Jul 23 20:01:33 git01 sssd[be[example.de]]: Shutting down
Jul 23 20:01:33 git01 sssd[nss]: Starting up
Jul 23 20:01:33 git01 sssd[pam]: Starting up
Jul 23 20:01:33 git01 sssd[be[example.de]]: Starting up
Jul 23 20:01:35 git01 sssd[nss]: Starting up
Jul 23 20:01:35 git01 sssd[pam]: Starting up
Jul 23 20:02:44 git01 sssd[nss]: Shutting down
Jul 23 20:02:44 git01 sssd[nss]: Starting up
Jul 23 20:03:43 git01 sssd[nss]: Shutting down
Jul 23 20:03:43 git01 sssd[pam]: Shutting down
Jul 23 20:03:43 git01 sssd[nss]: Starting up
Jul 23 20:03:43 git01 sssd[pam]: Starting up
Jul 23 20:06:24 git01 sssd[be[example.de]]: Shutting down
Jul 23 20:06:24 git01 sssd[be[example.de]]: Starting up
Jul 23 20:07:34 git01 sssd[be[example.de]]: Shutting down
Jul 23 20:07:37 git01 sssd[pam]: Shutting down
Jul 23 20:07:37 git01 sssd[be[example.de]]: Starting up
Jul 23 20:07:37 git01 sssd[pam]: Starting up
Jul 23 20:07:37 git01 sssd[pam]: Starting up
Jul 23 20:14:39 git01 sssd[pam]: Shutting down
Jul 23 20:14:39 git01 sssd[be[example.de]]: Starting up
Jul 23 20:14:39 git01 sssd[pam]: Starting up
Jul 23 20:18:44 git01 sssd[be[example.de]]: Shutting down
Jul 23 20:18:44 git01 sssd[pam]: Shutting down
Jul 23 20:18:44 git01 sssd[be[example.de]]: Starting up
Jul 23 20:18:44 git01 sssd[pam]: Starting up
Jul 24 04:05:28 git01 sssd[pam]: Shutting down
Jul 24 04:05:28 git01 sssd[pam]: Starting up
Jul 24 05:21:53 git01 sssd[be[example.de]]: Shutting down
Jul 24 05:21:53 git01 sssd[be[example.de]]: Starting up
Jul 24 05:27:50 git01 sssd[pam]: Shutting down
Jul 24 05:27:50 git01 sssd[pam]: Starting up
Jul 24 05:27:50 git01 sssd[be[example.de]]: Starting up
Jul 24 05:27:53 git01 sssd[pam]: Starting up
Jul 24 05:30:31 git01 sssd[pam]: Shutting down
Jul 24 05:30:31 git01 sssd[pam]: Starting up
Jul 24 05:31:59 git01 sssd[nss]: Shutting down
Jul 24 05:31:59 git01 sssd[pam]: Shutting down
Jul 24 05:31:59 git01 sssd[nss]: Starting up
Jul 24 05:31:59 git01 sssd[be[example.de]]: Shutting down
Jul 24 05:31:59 git01 sssd[pam]: Starting up
Jul 24 05:31:59 git01 sssd[be[example.de]]: Starting up
Jul 24 05:32:01 git01 sssd[pam]: Starting up
Jul 24 05:33:24 git01 sssd[pam]: Shutting down
Jul 24 05:33:24 git01 sssd[pam]: Starting up
Jul 24 05:33:24 git01 sssd[be[example.de]]: Starting up
Jul 24 06:01:38 git01 sssd[pam]: Shutting down
Jul 24 06:01:38 git01 sssd[be[example.de]]: Starting up
Jul 24 06:01:38 git01 sssd[pam]: Starting up
Jul 24 06:02:39 git01 sssd[be[example.de]]: Shutting down
Jul 24 06:02:39 git01 sssd[be[example.de]]: Starting up
Jul 24 09:56:52 git01 sssd[pam]: Shutting down
Jul 24 09:56:52 git01 sssd[pam]: Starting up
Jul 24 10:02:42 git01 sssd[nss]: Shutting down
Jul 24 10:02:42 git01 sssd[pam]: Shutting down
Jul 24 10:02:42 git01 sssd[nss]: Starting up
Jul 24 10:02:42 git01 sssd[pam]: Starting up
Jul 24 10:02:42 git01 sssd[nss]: Shutting down
Jul 24 10:02:42 git01 sssd[pam]: Shutting down
Jul 24 10:02:42 git01 sssd[nss]: Starting up
Jul 24 10:02:42 git01 sssd[pam]: Starting up
Jul 24 10:02:42 git01 sssd[be[example.de]]: Shutting down
Jul 24 10:02:42 git01 sssd[be[example.de]]: Starting up
Jul 24 10:06:14 git01 sssd[be[example.de]]: Shutting down
Jul 24 10:06:14 git01 sssd[nss]: Shutting down
Jul 24 10:06:14 git01 sssd[nss]: Starting up
Jul 24 10:06:14 git01 sssd[be[example.de]]: Starting up
Jul 24 10:06:14 git01 sssd[nss]: Starting up
Jul 24 10:15:49 git01 sssd[be[example.de]]: Shutting down
Jul 24 10:15:49 git01 sssd[be[example.de]]: Starting up
Jul 24 10:16:44 git01 sssd[be[example.de]]: Shutting down
Jul 24 10:17:00 git01 sssd[pam]: Shutting down
Jul 24 10:17:00 git01 sssd[pam]: Starting up
Jul 24 10:17:00 git01 sssd[be[example.de]]: Starting up
Jul 24 10:17:00 git01 sssd[pam]: Starting up
Jul 24 10:18:48 git01 sssd[pam]: Shutting down
Jul 24 10:18:48 git01 sssd[pam]: Starting up
Jul 24 10:19:43 git01 sssd[be[example.de]]: Shutting down
Jul 24 10:19:43 git01 sssd[be[example.de]]: Starting up
Jul 24 10:20:32 git01 sssd[pam]: Shutting down
Jul 24 10:20:32 git01 sssd[pam]: Starting up
Jul 24 10:21:12 git01 sssd[be[example.de]]: Shutting down
Jul 24 10:21:15 git01 sssd[be[example.de]]: Starting up
Jul 24 10:27:11 git01 sssd[be[example.de]]: Shutting down
Jul 24 10:27:11 git01 sssd[pam]: Shutting down
Jul 24 10:27:11 git01 sssd[pam]: Starting up
Jul 24 10:27:11 git01 sssd[be[example.de]]: Starting up
Jul 24 10:27:13 git01 sssd[pam]: Starting up
Jul 24
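To turn a log like the one above into something that can be compared across hosts or alerted on, the script below counts how often each SSSD worker (nss, pam, the be[...] backend) logged "Shutting down" and "Starting up". It is an added example, not from the thread, and assumes the syslog line format quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): count SSSD worker restarts in a
# daemon.log extract. Assumed line shape, as in the post:
#   Jul 23 18:02:08 git01 sssd[be[example.de]]: Shutting down

# Print "<shutdowns> <startups> <worker>" for every worker that shut
# down at least $1 times (default 1), most frequent first.
sssd_restart_counts() {
    awk -v min="${1:-1}" '
        # worker name is the text between "sssd[" and the final "]:"
        / sssd\[.*\]: Shutting down$/ {
            w = $0; sub(/^.* sssd\[/, "", w); sub(/\]: Shutting down$/, "", w)
            down[w]++
        }
        / sssd\[.*\]: Starting up$/ {
            w = $0; sub(/^.* sssd\[/, "", w); sub(/\]: Starting up$/, "", w)
            up[w]++
        }
        END {
            for (w in down)
                if (down[w] >= min) printf "%d %d %s\n", down[w], up[w], w
        }' | sort -rn
}

# Constructed sample modelled on the post (pam flaps most; one unrelated
# sshd line shows the filter ignores other daemons).
sample_daemon_log() {
    cat <<'EOF'
Jul 23 18:02:08 git01 sssd[be[example.de]]: Shutting down
Jul 23 18:02:08 git01 sssd[pam]: Shutting down
Jul 23 18:02:08 git01 sssd[nss]: Shutting down
Jul 23 18:02:09 git01 sssd[pam]: Starting up
Jul 23 18:02:09 git01 sssd[nss]: Starting up
Jul 23 18:02:09 git01 sssd[be[example.de]]: Starting up
Jul 23 20:01:33 git01 sssd[pam]: Shutting down
Jul 23 20:01:33 git01 sssd[pam]: Starting up
Jul 23 20:03:43 git01 sssd[pam]: Shutting down
Jul 23 20:03:43 git01 sssd[pam]: Starting up
Jul 23 20:06:24 git01 sssd[be[example.de]]: Shutting down
Jul 23 20:06:24 git01 sssd[be[example.de]]: Starting up
Jul 23 20:07:00 git01 sshd[1234]: Accepted publickey for alice
EOF
}

# Real use:  sh sssd-flap.sh /var/log/daemon.log
if [ -n "${1:-}" ]; then
    sssd_restart_counts 2 < "$1"
fi
```

A worker whose startup count exceeds its shutdown count by more than one, as pam does in the original log, was started again while the previous instance had not logged a shutdown at all, which is worth checking against the sssd_*.log files for that worker.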
[Freeipa-users] Re: AD and IPA integration
OK, maybe it's this:

(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_print_server] (0x2000): Searching 192.168.2.105:389
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1948593278-483253815-2868158363-1029))][cn=Default Trust View,cn=views,cn=accounts,dc=fs,dc=lan].
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 21
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_op_add] (0x2000): New operation 21 timeout 6
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_process_result] (0x2000): Trace: sh[0x56065d6cd580], connected[1], ops[0x56065d71df60], ldap[0x56065d6c4a10]
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_process_result] (0x2000): Trace: sh[0x56065d6cd580], connected[1], ops[0x56065d71df60], ldap[0x56065d6c4a10]
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_op_destructor] (0x2000): Operation 21 finished
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1948593278-483253815-2868158363-1029))].
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ipa_initgr_get_overrides_step] (0x1000): Processing group 2/4
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ipa_initgr_get_overrides_step] (0x0040): The group name=domainus...@fs.lan,cn=groups,cn=fs.lan,cn=sysdb has no UUID attribute objectSIDString, error!    --> here
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ipa_id_get_groups_overrides_done] (0x0040): IPA resolve user groups overrides failed [22].
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [be_mark_dom_offline] (0x1000): Marking subdomain start-line.local offline
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x56065d7255a0
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x56065d6f6dd0
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ldb] (0x4000): Running timer event 0x56065d7255a0 "ltdb_callback"
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ldb] (0x4000): Destroying timer event 0x56065d6f6dd0 "ltdb_timeout"
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ldb] (0x4000): Ending timer event 0x56065d7255a0 "ltdb_callback"
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [be_mark_subdom_offline] (0x1000): Marking subdomain start-line.local as inactive
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [22]: Недопустимый аргумент.
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [22]: Недопустимый аргумент.
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [dp_reply_std_set] (0x0080): DP Error is OK on failed request?
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [dp_req_done] (0x0400): DP Request [Initgroups #4]: Request handler finished [0]: Победа

So this group doesn't have a SID (note that the objectSIDString is what SSSD saves into the database, not the actual LDAP attribute). On the IPA side, all groups a trusted object is a member of must have the attribute ipaNTSecurityIdentifier. Does the group domainusers have one? You can check with "ipa group-show --all --raw domainusers".

btw when you established the trust, the ipa-adtrust-install command should have given you the option to generate SIDs for IPA objects. I don't know exactly how to generate the SIDs post-install, maybe one of the IPA developers would help me out. Looking at the --help output of ipa-adtrust-install there is an option --add-sids..

> On 24 Jul 2018, at 19:33, Николай Савельев via FreeIPA-users wrote:
>
> Here logs after attempt authentication via ssh.
>
> Also config files,
>
>> 23.07.2018, 14:49, "Jakub Hrozek" :
>
> --
> Best regards, Николай.
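Checking one group with `ipa group-show --all --raw` answers the question for domainusers; to find every group that would trip the same objectSIDString error, the filter below reads `ipa group-find --all --raw` output and lists groups with no ipaNTSecurityIdentifier. This is an added example, not from the thread; the indented "attribute: value" layout with a blank line between entries is an assumption about the --raw output format, and the sample data is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list IPA groups lacking the
# ipaNTSecurityIdentifier attribute that trusted-user group resolution
# needs. Assumed input layout: "ipa group-find --all --raw" entries as
# indented "attr: value" lines, separated by blank lines.

# Print the cn of every entry in stdin that has no ipantsecurityidentifier.
groups_without_sid() {
    awk '
        { line = tolower($0) }
        line ~ /^[[:space:]]*cn: / { cn = $0; sub(/^[^:]*: /, "", cn) }
        line ~ /^[[:space:]]*ipantsecurityidentifier: / { has_sid = 1 }
        line ~ /^[[:space:]]*$/ {            # blank line ends an entry
            if (cn != "" && !has_sid) print cn
            cn = ""; has_sid = 0
        }
        END { if (cn != "" && !has_sid) print cn }
    '
}

# Constructed sample in the shape of --raw output: one group carries a
# SID, the other does not (the SID value itself is made up).
sample_group_find() {
    cat <<'EOF'
---------------
2 groups matched
---------------
  dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=test
  cn: admins
  gidnumber: 1000
  ipantsecurityidentifier: S-1-5-21-1111111111-2222222222-3333333333-512
  objectclass: posixgroup

  dn: cn=domainusers,cn=groups,cn=accounts,dc=example,dc=test
  cn: domainusers
  gidnumber: 1001
  objectclass: posixgroup
----------------------------
Number of entries returned 2
----------------------------
EOF
}

# Real use on a master, after kinit as an admin:
#   ipa group-find --all --raw --sizelimit=0 | sh groups-without-sid.sh --stdin
if [ "${1:-}" = "--stdin" ]; then
    groups_without_sid
fi
```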
[Freeipa-users] Re: Can we install LDAP only
On Thu, 26 Jul 2018, None via FreeIPA-users wrote:
> Dear,
>
> Can we only install LDAP related components, with Kerberos? How?
Do you mean you want LDAP server only? LDAP server with Kerberos KDC? LDAP server without Kerberos KDC?

FreeIPA is an integrated solution, so you cannot install separate components alone. If you need LDAP only, FreeIPA is not a best solution to that.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland