Re: [Freeipa-users] IPA very very slow
> Hi List,
>
> This is a problem that has surfaced after a reboot of this system in particular. It is being really, really slow. In terms of hardware usage issues, there are none. It is taking 3-5 minutes to list users in the gui. Running commands like ipa-replica-manage list is taking between 30 seconds and 3 minutes. Memory usage is low, cpu usage is low, iops are low.
>
> I really have no idea where to start here, there is nothing really damning in the logs. I have tried restarting IPA (ipactl restart) stopping and starting IPA (ipactl stop wait... ipactl start), and rebooting the entire server.
>
> The oddest thing is that there have been some krb errors saying that they cannot contact the krb server.. logging into the gui saying your session has timed out.. It is just general strangeness.
>
> ipa-server-4.1.0-18.el7.centos.3.x86_64
> sssd-ipa-1.12.2-58.el7_1.6.x86_64
> krb5-server-1.12.2-14.el7.x86_64
>
> Any help would be greatly appreciated.
>
> Thanks,
> Bill

I would recommend starting with simple things, seeing the performance and then following with more complex stuff:

- Try bare ldapsearch against the FreeIPA LDAP server, see the response rate. If it is also slow, we have the root cause. Before ringing on DS people doors, see if for example DNS is not slow and there are no DNS timeouts in play - host ipa.server.test will tell you that
- If DS is OK, try Kerberos - kinit, kvno commands
- If Kerberos is also OK and ipa-replica-manage list is still slow, maybe we should just strace it to see what it waits on.

HTH,
Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
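The sequence Martin lays out (bare ldapsearch, then DNS, then Kerberos, with strace as the last resort) can be scripted so that the stage at which latency first appears is recorded rather than eyeballed. The script below is an added example, not FreeIPA tooling and not code from the thread; the anonymous root-DSE search on the loopback address, the use of the host keytab for `kinit -k`, the `ldap/` service principal for `kvno` and the 2-second threshold are my assumptions, and the strace step is left to the operator.

```python
"""Latency triage in the order suggested in the thread: LDAP on the loopback
address (no DNS in the path), then DNS, then LDAP by name, then Kerberos.
Added example, not FreeIPA's own tooling; the server name, the host-keytab
kinit and the 2 s threshold are assumptions to adapt per deployment."""
import socket
import subprocess
import sys
import time
from dataclasses import dataclass

PYTHON = sys.executable      # referenced by the self-test
SLOW_AFTER = 2.0             # seconds; assumption, tune for the deployment


@dataclass
class Timing:
    stage: str
    seconds: float
    rc: int                  # 0 ok, -1 timed out, 127 tool missing, else the tool's status


def run_timed(argv, stage="cmd", timeout=60):
    """Run argv with its output discarded; return wall-clock time and exit status."""
    start = time.monotonic()
    try:
        rc = subprocess.run(argv, stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL, timeout=timeout).returncode
    except subprocess.TimeoutExpired:
        rc = -1
    except FileNotFoundError:        # client tool not installed on this box
        rc = 127
    return Timing(stage, time.monotonic() - start, rc)


def classify(seconds, threshold=SLOW_AFTER):
    return "SLOW" if seconds > threshold else "OK"


def first_problem_stage(timings, threshold=SLOW_AFTER):
    """Earliest stage that failed or exceeded the threshold, or None.
    Order matters: a slow DNS stage explains every slow stage after it."""
    for t in timings:
        if t.rc != 0 or t.seconds > threshold:
            return t.stage
    return None


def triage(server=None, timeout=60):
    """Run the checks in dependency order and return their timings."""
    server = server or socket.getfqdn()
    stages = [
        # anonymous root DSE read on the loopback address: no DNS involved
        ("ldap-loopback", ["ldapsearch", "-x", "-h", "127.0.0.1", "-b", "", "-s", "base"]),
        ("dns", ["host", server]),
        ("ldap-by-name", ["ldapsearch", "-x", "-h", server, "-b", "", "-s", "base"]),
        ("kinit-host-keytab", ["kinit", "-k"]),          # assumption: run as root, /etc/krb5.keytab
        ("kvno-ldap", ["kvno", "ldap/%s" % server]),     # assumption: ldap/ service principal
    ]
    return [run_timed(argv, stage, timeout) for stage, argv in stages]


def report(timings):
    """One line per stage plus the first stage that needs a closer look."""
    lines = ["%-20s %7.3fs rc=%-4d %s" % (t.stage, t.seconds, t.rc, classify(t.seconds))
             for t in timings]
    culprit = first_problem_stage(timings)
    lines.append("first problem: %s" % (culprit or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    results = triage(sys.argv[1] if len(sys.argv) > 1 else None)
    print(report(results))
    sys.exit(0 if first_problem_stage(results) is None else 1)
```

Run it on the affected server as root; a run where `ldap-loopback` is already slow points at the directory server itself, while a fast loopback search followed by a slow `dns` or `ldap-by-name` stage points at name resolution, which is exactly the distinction the thread is trying to make.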
Re: [Freeipa-users] newer sssd on centos 5?
On (11/06/15 18:21), Janelle wrote:
> Has anyone built a newer version of sssd for RHEL/centos 5.x?? Currently only 1.5.x

There is also 1.9 in COPR repo[1]

> Just wondering if maybe it is limited due to some library or compatibility issues?

It's possible to build sssd-1.11 on el5 as well but without samba libraries and thus without ipa and ad provider.

LS

[1] https://copr.fedoraproject.org/coprs/sgallagh/sssd-1.9-rhel5/
Re: [Freeipa-users] Specific rights needed to enroll a new host
On 06/12/2015 01:30 AM, Christopher Young wrote:
> I'm trying to develop a process in Ansible to enroll new hosts (as well as check beforehand to see if the host is already enrolled). I was wondering a couple of things:
>
> #1. Has anyone else worked out a process for doing this using a non 'admin' account?
>
> #2. Is there a simple mechanism (preferably something that could be automated and thus not require any interactivity), that could be used to check as to whether a system is enrolled? I would hope that some type of simple LDAP search or simple command that could be run to check with easy return codes.
>
> In particular, I'm trying to avoid using the 'admin' user to enroll hosts because I'd like to minimize the rights to just the enrollment of new hosts as well as checking for an existing enrollment.

You can do the same check that ipa host-show does - see if the host has a keytab generated or not. AFAIK, all authenticated users can do this check (not retrieve the key itself, but check if it is there). See my test as non-authenticated user/host:

    # klist
    Ticket cache: KEYRING:persistent:0:krb_ccache_nXWwGw1
    Default principal: host/ipa.f22@F22

    Valid starting       Expires              Service principal
    06/12/2015 03:15:01  06/13/2015 03:15:01  krbtgt/F22@F22

1. See all hosts

    [root@ipa freeipa]# ldapsearch -h `hostname` -Y GSSAPI -b cn=computers,cn=accounts,dc=f22 fqdn
    SASL/GSSAPI authentication started
    SASL username: host/ipa.f22@F22
    SASL SSF: 56
    SASL data security layer installed.
    # extended LDIF
    #
    # LDAPv3
    # base <cn=computers,cn=accounts,dc=f22> with scope subtree
    # filter: (objectclass=*)
    # requesting: fqdn
    #

    # computers, accounts, f22
    dn: cn=computers,cn=accounts,dc=f22

    # ipa.f22, computers, accounts, f22
    dn: fqdn=ipa.f22,cn=computers,cn=accounts,dc=f22
    fqdn: ipa.f22

    # is.not.enrolled, computers, accounts, f22
    dn: fqdn=is.not.enrolled,cn=computers,cn=accounts,dc=f22
    fqdn: is.not.enrolled

    # search result
    search: 4
    result: 0 Success

    # numResponses: 4
    # numEntries: 3

2. See just the unenrolled hosts

    [root@ipa freeipa]# ldapsearch -h `hostname` -Y GSSAPI -b cn=computers,cn=accounts,dc=f22 '(!(krbprincipalkey=*))' fqdn
    SASL/GSSAPI authentication started
    SASL username: host/ipa.f22@F22
    SASL SSF: 56
    SASL data security layer installed.
    # extended LDIF
    #
    # LDAPv3
    # base <cn=computers,cn=accounts,dc=f22> with scope subtree
    # filter: (!(krbprincipalkey=*))
    # requesting: fqdn
    #

    # computers, accounts, f22
    dn: cn=computers,cn=accounts,dc=f22

    # is.not.enrolled, computers, accounts, f22
    dn: fqdn=is.not.enrolled,cn=computers,cn=accounts,dc=f22
    fqdn: is.not.enrolled

    # search result
    search: 4
    result: 0 Success

    # numResponses: 3
    # numEntries: 2

HTH.

> Any thoughts or feedback that could point me in the best direction would be greatly appreciated!
>
> Thanks,
> Chris
Re: [Freeipa-users] IPA very very slow
On 06/12/2015 09:15 PM, William Graboyes wrote:
> Hi Martin,
>
> Here are the outputs of the various commands, cleaned of course:
>
> time ldapsearch
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>         additional info: SASL(-4): no mechanism available:
>
> real    0m32.464s
> user    0m0.385s
> sys     0m0.052s

This is quite a long time. We should check respective dirsrv errors and access logs snippets. Also, the command above did not exit successfully, I would recommend doing at least

# ldapsearch -x -h `hostname` (uid=admin)

> time host ipa-server-2.foo.org -- server with issues
> ipa-server-2.foo.org has address 10.0.0.2
>
> real    0m0.070s
> user    0m0.010s
> sys     0m0.006s
>
> time host ipa-server-1.foo.org -- replicant with no issues
> ipa-server-1.foo.org has address 10.0.0.3
>
> real    0m0.073s
> user    0m0.012s
> sys     0m0.006s
>
> time kinit
> kinit: Cannot contact any KDC for realm 'FOO.ORG' while getting initial credentials
>
> real    0m27.049s
> user    0m0.013s
> sys     0m0.004s
>
> ^^^ has been something I have been seeing intermittently
>
> On 6/12/15 12:11 AM, Martin Kosek wrote:
>>> Hi List,
>>>
>>> This is a problem that has surfaced after a reboot of this system in particular. It is being really, really slow. In terms of hardware usage issues, there are none. It is taking 3-5 minutes to list users in the gui. Running commands like ipa-replica-manage list is taking between 30 seconds and 3 minutes. Memory usage is low, cpu usage is low, iops are low.
>>>
>>> I really have no idea where to start here, there is nothing really damning in the logs. I have tried restarting IPA (ipactl restart) stopping and starting IPA (ipactl stop wait... ipactl start), and rebooting the entire server.
>>>
>>> The oddest thing is that there have been some krb errors saying that they cannot contact the krb server.. logging into the gui saying your session has timed out.. It is just general strangeness.
>>>
>>> ipa-server-4.1.0-18.el7.centos.3.x86_64
>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
>>> krb5-server-1.12.2-14.el7.x86_64
>>>
>>> Any help would be greatly appreciated.
>>>
>>> Thanks,
>>> Bill
>>
>> I would recommend starting with simple things, seeing the performance and then following with more complex stuff:
>>
>> - Try bare ldapsearch against the FreeIPA LDAP server, see the response rate. If it is also slow, we have the root cause. Before ringing on DS people doors, see if for example DNS is not slow and there are no DNS timeouts in play - host ipa.server.test will tell you that
>> - If DS is OK, try Kerberos - kinit, kvno commands
>> - If Kerberos is also OK and ipa-replica-manage list is still slow, maybe we should just strace it to see what it waits on.
>>
>> HTH,
>> Martin
Re: [Freeipa-users] IPA very very slow
On 06/12/2015 02:10 PM, Martin Kosek wrote:
> On 06/12/2015 09:15 PM, William Graboyes wrote:
>> Hi Martin,
>>
>> Here are the outputs of the various commands, cleaned of course:
>>
>> time ldapsearch
>> SASL/EXTERNAL authentication started
>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>>         additional info: SASL(-4): no mechanism available:
>>
>> real 0m32.464s  user 0m0.385s  sys 0m0.052s
>
> This is quite a long time. We should check respective dirsrv errors and access logs snippets. Also, the command above did not exit successfully, I would recommend doing at least
>
> # ldapsearch -x -h `hostname` (uid=admin)

To eliminate DNS from the equation, use

# time ldapsearch -x -h 127.0.0.1 (uid=admin)

>> time host ipa-server-2.foo.org -- server with issues
>> ipa-server-2.foo.org has address 10.0.0.2
>>
>> real 0m0.070s  user 0m0.010s  sys 0m0.006s
>>
>> time host ipa-server-1.foo.org -- replicant with no issues
>> ipa-server-1.foo.org has address 10.0.0.3
>>
>> real 0m0.073s  user 0m0.012s  sys 0m0.006s
>>
>> time kinit
>> kinit: Cannot contact any KDC for realm 'FOO.ORG' while getting initial credentials
>>
>> real 0m27.049s  user 0m0.013s  sys 0m0.004s
>>
>> ^^^ has been something I have been seeing intermittently
>>
>> On 6/12/15 12:11 AM, Martin Kosek wrote:
>>>> Hi List,
>>>>
>>>> This is a problem that has surfaced after a reboot of this system in particular. It is being really, really slow. In terms of hardware usage issues, there are none. It is taking 3-5 minutes to list users in the gui. Running commands like ipa-replica-manage list is taking between 30 seconds and 3 minutes. Memory usage is low, cpu usage is low, iops are low.
>>>>
>>>> I really have no idea where to start here, there is nothing really damning in the logs. I have tried restarting IPA (ipactl restart) stopping and starting IPA (ipactl stop wait... ipactl start), and rebooting the entire server.
>>>>
>>>> The oddest thing is that there have been some krb errors saying that they cannot contact the krb server.. logging into the gui saying your session has timed out.. It is just general strangeness.
>>>>
>>>> ipa-server-4.1.0-18.el7.centos.3.x86_64
>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
>>>> krb5-server-1.12.2-14.el7.x86_64
>>>>
>>>> Any help would be greatly appreciated.
>>>>
>>>> Thanks,
>>>> Bill
>>>
>>> I would recommend starting with simple things, seeing the performance and then following with more complex stuff:
>>>
>>> - Try bare ldapsearch against the FreeIPA LDAP server, see the response rate. If it is also slow, we have the root cause. Before ringing on DS people doors, see if for example DNS is not slow and there are no DNS timeouts in play - host ipa.server.test will tell you that
>>> - If DS is OK, try Kerberos - kinit, kvno commands
>>> - If Kerberos is also OK and ipa-replica-manage list is still slow, maybe we should just strace it to see what it waits on.
>>>
>>> HTH,
>>> Martin
Re: [Freeipa-users] IPA very very slow
Hi Martin,

Here are the outputs of the various commands, cleaned of course:

time ldapsearch
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available:

real    0m32.464s
user    0m0.385s
sys     0m0.052s

time host ipa-server-2.foo.org -- server with issues
ipa-server-2.foo.org has address 10.0.0.2

real    0m0.070s
user    0m0.010s
sys     0m0.006s

time host ipa-server-1.foo.org -- replicant with no issues
ipa-server-1.foo.org has address 10.0.0.3

real    0m0.073s
user    0m0.012s
sys     0m0.006s

time kinit
kinit: Cannot contact any KDC for realm 'FOO.ORG' while getting initial credentials

real    0m27.049s
user    0m0.013s
sys     0m0.004s

^^^ has been something I have been seeing intermittently

On 6/12/15 12:11 AM, Martin Kosek wrote:
>> Hi List,
>>
>> This is a problem that has surfaced after a reboot of this system in particular. It is being really, really slow. In terms of hardware usage issues, there are none. It is taking 3-5 minutes to list users in the gui. Running commands like ipa-replica-manage list is taking between 30 seconds and 3 minutes. Memory usage is low, cpu usage is low, iops are low.
>>
>> I really have no idea where to start here, there is nothing really damning in the logs. I have tried restarting IPA (ipactl restart) stopping and starting IPA (ipactl stop wait... ipactl start), and rebooting the entire server.
>>
>> The oddest thing is that there have been some krb errors saying that they cannot contact the krb server.. logging into the gui saying your session has timed out.. It is just general strangeness.
>>
>> ipa-server-4.1.0-18.el7.centos.3.x86_64
>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
>> krb5-server-1.12.2-14.el7.x86_64
>>
>> Any help would be greatly appreciated.
>>
>> Thanks,
>> Bill
>
> I would recommend starting with simple things, seeing the performance and then following with more complex stuff:
>
> - Try bare ldapsearch against the FreeIPA LDAP server, see the response rate. If it is also slow, we have the root cause. Before ringing on DS people doors, see if for example DNS is not slow and there are no DNS timeouts in play - host ipa.server.test will tell you that
> - If DS is OK, try Kerberos - kinit, kvno commands
> - If Kerberos is also OK and ipa-replica-manage list is still slow, maybe we should just strace it to see what it waits on.
>
> HTH,
> Martin
Re: [Freeipa-users] OTP - Google Authenticator - iPhone - Invalid barcode
On Fri, Jun 12, 2015 at 11:32:58PM +0530, Prashant Bapat wrote:
> Hi,
>
> Has anyone seen this ? When a user tries to scan the QR code he gets a message saying invalid barcode. This happens only with iPhone + Google Authenticator.

Google Authenticator or FreeOTP? This list might be a good place to ask about the latter, but not the former..
Re: [Freeipa-users] IPA very very slow
Hi Ken,

I ran this command back to back, I am snipping some of the results.

First time I ran the command:

time ldapsearch -x -h 127.0.0.1 (uid=admin)
# extended LDIF
#
# LDAPv3
# base <dc=foo,dc=org> (default) with scope subtree
# filter: (uid=admin)
# requesting: ALL
#
--snip--
# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

real    0m0.056s
user    0m0.003s
sys     0m0.004s

Run on the same server not 5 seconds after the previous command:

time ldapsearch -x -h 127.0.0.1 (uid=admin)
# extended LDIF
#
# LDAPv3
# base <dc=foo,dc=org> (default) with scope subtree
# filter: (uid=admin)
# requesting: ALL
#
-- snip --
# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

real    0m31.756s
user    0m0.003s
sys     0m0.005s

I am starting to see this error in the dirserv logs:

[12/Jun/2015:14:06:51 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[12/Jun/2015:14:11:51 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[12/Jun/2015:14:16:51 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[12/Jun/2015:14:21:51 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)

Thanks,
Bill Graboyes

On 6/12/15 1:36 PM, Rich Megginson wrote:
> On 06/12/2015 02:10 PM, Martin Kosek wrote:
>> On 06/12/2015 09:15 PM, William Graboyes wrote:
>>> Hi Martin,
>>>
>>> Here are the outputs of the various commands, cleaned of course:
>>>
>>> time ldapsearch
>>> SASL/EXTERNAL authentication started
>>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>>>         additional info: SASL(-4): no mechanism available:
>>>
>>> real 0m32.464s  user 0m0.385s  sys 0m0.052s
>>
>> This is quite a long time. We should check respective dirsrv errors and access logs snippets. Also, the command above did not exit successfully, I would recommend doing at least
>>
>> # ldapsearch -x -h `hostname` (uid=admin)
>
> To eliminate DNS from the equation, use
>
> # time ldapsearch -x -h 127.0.0.1 (uid=admin)
>
>>> time host ipa-server-2.foo.org -- server with issues
>>> ipa-server-2.foo.org has address 10.0.0.2
>>>
>>> real 0m0.070s  user 0m0.010s  sys 0m0.006s
>>>
>>> time host ipa-server-1.foo.org -- replicant with no issues
>>> ipa-server-1.foo.org has address 10.0.0.3
>>>
>>> real 0m0.073s  user 0m0.012s  sys 0m0.006s
>>>
>>> time kinit
>>> kinit: Cannot contact any KDC for realm 'FOO.ORG' while getting initial credentials
>>>
>>> real 0m27.049s  user 0m0.013s  sys 0m0.004s
>>>
>>> ^^^ has been something I have been seeing intermittently
>>>
>>> On 6/12/15 12:11 AM, Martin Kosek wrote:
>>>>> Hi List,
>>>>>
>>>>> This is a problem that has surfaced after a reboot of this system in particular. It is being really, really slow. In terms of hardware usage issues, there are none. It is taking 3-5 minutes to list users in the gui. Running commands like ipa-replica-manage list is taking between 30 seconds and 3 minutes. Memory usage is low, cpu usage is low, iops are low.
>>>>>
>>>>> I really have no idea where to start here, there is nothing really damning in the logs. I have tried restarting IPA (ipactl restart) stopping and starting IPA (ipactl stop wait... ipactl start), and rebooting the entire server.
>>>>>
>>>>> The oddest thing is that there have been some krb errors saying that they cannot contact the krb server.. logging into the gui saying your session has timed out.. It is just general strangeness.
>>>>>
>>>>> ipa-server-4.1.0-18.el7.centos.3.x86_64
>>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
>>>>> krb5-server-1.12.2-14.el7.x86_64
>>>>>
>>>>> Any help would be greatly appreciated.
>>>>>
>>>>> Thanks,
>>>>> Bill
>>>>
>>>> I would recommend starting with simple things, seeing the performance and then following with more complex stuff:
>>>>
>>>> - Try bare ldapsearch against the FreeIPA LDAP server, see the response rate. If it is also slow, we have the root cause. Before ringing on DS people doors, see if for example DNS is not slow and there are no DNS timeouts in play - host ipa.server.test will tell you that
>>>> - If DS is OK, try Kerberos - kinit, kvno commands
>>>> - If Kerberos is also OK and ipa-replica-manage list is still slow, maybe we should just strace it to see what it waits on.
>>>>
>>>> HTH,
>>>> Martin
Re: [Freeipa-users] IPA very very slow
On 06/12/2015 03:25 PM, William Graboyes wrote:
> Hi Ken,
>
> I ran this command back to back, I am snipping some of the results.
>
> First time I ran the command:
>
> time ldapsearch -x -h 127.0.0.1 (uid=admin)
> # extended LDIF
> #
> # LDAPv3
> # base <dc=foo,dc=org> (default) with scope subtree
> # filter: (uid=admin)
> # requesting: ALL
> #
> --snip--
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 2
>
> real 0m0.056s  user 0m0.003s  sys 0m0.004s
>
> Run on the same server not 5 seconds after the previous command:
>
> time ldapsearch -x -h 127.0.0.1 (uid=admin)
> # extended LDIF
> #
> # LDAPv3
> # base <dc=foo,dc=org> (default) with scope subtree
> # filter: (uid=admin)
> # requesting: ALL
> #
> -- snip --
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 2
>
> real 0m31.756s  user 0m0.003s  sys 0m0.005s

Ok. First, see http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes

You'll also have to do

# debuginfo-install ipa-server slapi-nis

to get all of the ipa packages.

Next, see http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs

Reproduce the problem, and during the 30 seconds the directory server is processing the search request, run the gdb command several times to get stack traces during the search request.

> I am starting to see this error in the dirserv logs:
>
> [12/Jun/2015:14:06:51 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
> [12/Jun/2015:14:11:51 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
> [12/Jun/2015:14:16:51 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
> [12/Jun/2015:14:21:51 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)

I doubt this is related to the performance. This looks like the server is attempting to contact a replica which is down, and has backed off for the full 5 minute max backoff.

> Thanks,
> Bill Graboyes
>
> On 6/12/15 1:36 PM, Rich Megginson wrote:
>> On 06/12/2015 02:10 PM, Martin Kosek wrote:
>>> On 06/12/2015 09:15 PM, William Graboyes wrote:
>>>> Hi Martin,
>>>>
>>>> Here are the outputs of the various commands, cleaned of course:
>>>>
>>>> time ldapsearch
>>>> SASL/EXTERNAL authentication started
>>>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>>>>         additional info: SASL(-4): no mechanism available:
>>>>
>>>> real 0m32.464s  user 0m0.385s  sys 0m0.052s
>>>
>>> This is quite a long time. We should check respective dirsrv errors and access logs snippets. Also, the command above did not exit successfully, I would recommend doing at least
>>>
>>> # ldapsearch -x -h `hostname` (uid=admin)
>>
>> To eliminate DNS from the equation, use
>>
>> # time ldapsearch -x -h 127.0.0.1 (uid=admin)
>>
>>>> time host ipa-server-2.foo.org -- server with issues
>>>> ipa-server-2.foo.org has address 10.0.0.2
>>>>
>>>> real 0m0.070s  user 0m0.010s  sys 0m0.006s
>>>>
>>>> time host ipa-server-1.foo.org -- replicant with no issues
>>>> ipa-server-1.foo.org has address 10.0.0.3
>>>>
>>>> real 0m0.073s  user 0m0.012s  sys 0m0.006s
>>>>
>>>> time kinit
>>>> kinit: Cannot contact any KDC for realm 'FOO.ORG' while getting initial credentials
>>>>
>>>> real 0m27.049s  user 0m0.013s  sys 0m0.004s
>>>>
>>>> ^^^ has been something I have been seeing intermittently
>>>>
>>>> On 6/12/15 12:11 AM, Martin Kosek wrote:
>>>>>> Hi List,
>>>>>>
>>>>>> This is a problem that has surfaced after a reboot of this system in particular. It is being really, really slow. In terms of hardware usage issues, there are none. It is taking 3-5 minutes to list users in the gui. Running commands like ipa-replica-manage list is taking between 30 seconds and 3 minutes. Memory usage is low, cpu usage is low, iops are low.
>>>>>>
>>>>>> I really have no idea where to start here, there is nothing really damning in the logs. I have tried restarting IPA (ipactl restart) stopping and starting IPA (ipactl stop wait... ipactl start), and rebooting the entire server.
>>>>>>
>>>>>> The oddest thing is that there have been some krb errors saying that they cannot contact the krb server.. logging into the gui saying your session has timed out.. It is just general strangeness.
>>>>>>
>>>>>> ipa-server-4.1.0-18.el7.centos.3.x86_64
>>>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
>>>>>> krb5-server-1.12.2-14.el7.x86_64
>>>>>>
>>>>>> Any help would be greatly appreciated.
>>>>>>
>>>>>> Thanks,
>>>>>> Bill
>>>>>
>>>>> I would recommend starting with simple things, seeing the performance and then following with more complex stuff:
>>>>>
>>>>> - Try bare ldapsearch against the FreeIPA LDAP server, see the response rate. If it is also slow, we have the root cause. Before ringing on DS people doors, see if for example DNS is not slow and there are no DNS timeouts in play - host ipa.server.test will tell you that
>>>>> - If DS is OK, try Kerberos - kinit, kvno commands
>>>>> - If
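Rich reads the two directory server logs differently, and the distinction is worth automating: the access log records how long the server spent on each operation (the `etime` field on a `RESULT` line), which is where a 31-second search would show up, whereas the `could not send startTLS request` lines in the errors log recur on the replication agreement's retry schedule and say nothing about a stalled search. The script below is an added example, not 389-ds or FreeIPA code: the access-log lines are constructed to mimic the 0 s / 31 s pair Bill saw, the errors-log lines are the four from the thread, and the 5-second slow threshold, the 300-second back-off period and the log locations are assumptions.

```python
"""Two checks on the 389-ds logs the thread points at: slow operations by
etime in the access log, and whether the startTLS failures in the errors log
sit at a fixed interval (a down replica being retried at max back-off, not a
cause of slow searches). Added example, not 389-ds/FreeIPA code."""
import re
import sys
from datetime import datetime

# Constructed access-log sample: conn 42 runs the same search twice, the
# second time taking 31 s, plus an unrelated anonymous bind on conn 43.
ACCESS_LOG = """\
[12/Jun/2015:14:06:40 -0700] conn=42 op=1 SRCH base="dc=foo,dc=org" scope=2 filter="(uid=admin)" attrs=ALL
[12/Jun/2015:14:06:40 -0700] conn=42 op=1 RESULT err=0 tag=101 nentries=2 etime=0
[12/Jun/2015:14:06:45 -0700] conn=42 op=2 SRCH base="dc=foo,dc=org" scope=2 filter="(uid=admin)" attrs=ALL
[12/Jun/2015:14:07:16 -0700] conn=42 op=2 RESULT err=0 tag=101 nentries=2 etime=31
[12/Jun/2015:14:07:20 -0700] conn=43 op=0 BIND dn="" method=128 version=3
[12/Jun/2015:14:07:20 -0700] conn=43 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
"""

# The four errors-log lines quoted in the thread.
ERRORS_LOG = """\
[12/Jun/2015:14:06:51 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[12/Jun/2015:14:11:51 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[12/Jun/2015:14:16:51 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
[12/Jun/2015:14:21:51 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
"""

TS_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s*(?P<rest>.*)$")
OP_RE = re.compile(r"^conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<kind>\S+)(?P<rest>.*)$")
ETIME_RE = re.compile(r"\betime=(\d+(?:\.\d+)?)")     # integer or fractional seconds
FILTER_RE = re.compile(r'filter="([^"]*)"')
STARTTLS_RE = re.compile(r"could not send startTLS request")


def parse_ts(text):
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def slow_operations(lines, threshold=5.0):
    """Pair each request line with its RESULT by (conn, op) and return the
    operations whose etime reached the threshold, with the request's filter."""
    pending, slow = {}, []
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            continue
        o = OP_RE.match(m["rest"])
        if not o:                      # connection open/close lines carry no op=
            continue
        key = (int(o["conn"]), int(o["op"]))
        if o["kind"] == "RESULT":
            e = ETIME_RE.search(o["rest"])
            if not e:
                continue
            etime = float(e.group(1))
            req = pending.pop(key, {"kind": "?", "filter": None})
            if etime >= threshold:
                slow.append({"conn": key[0], "op": key[1], "etime": etime,
                             "kind": req["kind"], "filter": req["filter"],
                             "finished": m["ts"]})
        else:
            f = FILTER_RE.search(o["rest"])
            pending[key] = {"kind": o["kind"], "filter": f.group(1) if f else None}
    return slow


def starttls_failure_intervals(lines):
    """Seconds between consecutive outbound startTLS failures."""
    stamps = [parse_ts(TS_RE.match(l)["ts"]) for l in lines
              if TS_RE.match(l) and STARTTLS_RE.search(l)]
    return [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]


def is_replica_backoff(intervals, period=300, tolerance=5):
    """True when every gap sits at the maximum back-off: the server is retrying
    an unreachable replica on a schedule, which is a separate problem from
    slow searches."""
    return bool(intervals) and all(abs(i - period) <= tolerance for i in intervals)


if __name__ == "__main__":
    # assumption: paths like /var/log/dirsrv/slapd-INSTANCE/{access,errors}
    access = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else ACCESS_LOG.splitlines()
    errors = open(sys.argv[2]).read().splitlines() if len(sys.argv) > 2 else ERRORS_LOG.splitlines()
    for s in slow_operations(access):
        print("slow %(kind)s conn=%(conn)d op=%(op)d etime=%(etime)s filter=%(filter)s finished %(finished)s" % s)
    gaps = starttls_failure_intervals(errors)
    verdict = "fixed max back-off to a down replica" if is_replica_backoff(gaps) else "irregular, look closer"
    print("startTLS failure gaps (s): %s -> %s" % (gaps, verdict))
```

A slow search whose `etime` is large while the server is otherwise idle is the case for the gdb stack traces Rich asks for; a regular 300-second cadence in the errors log instead points at `ipa-replica-manage list` and the agreement to the replica that is unreachable.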
Re: [Freeipa-users] IPA very very slow
Martin, Et al,

Now that debugging is installed and running, I cannot duplicate. Isn't that always the way though? I'll let you know if it happens again.

Thanks,
Bill

On 6/12/15 3:32 PM, Rich Megginson wrote:
> On 06/12/2015 03:25 PM, William Graboyes wrote:
>> Hi Ken,
>>
>> I ran this command back to back, I am snipping some of the results.
>>
>> First time I ran the command:
>>
>> time ldapsearch -x -h 127.0.0.1 (uid=admin)
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=foo,dc=org> (default) with scope subtree
>> # filter: (uid=admin)
>> # requesting: ALL
>> #
>> --snip--
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 3
>> # numEntries: 2
>>
>> real 0m0.056s  user 0m0.003s  sys 0m0.004s
>>
>> Run on the same server not 5 seconds after the previous command:
>>
>> time ldapsearch -x -h 127.0.0.1 (uid=admin)
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <dc=foo,dc=org> (default) with scope subtree
>> # filter: (uid=admin)
>> # requesting: ALL
>> #
>> -- snip --
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 3
>> # numEntries: 2
>>
>> real 0m31.756s  user 0m0.003s  sys 0m0.005s
>
> Ok. First, see http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes
>
> You'll also have to do
>
> # debuginfo-install ipa-server slapi-nis
>
> to get all of the ipa packages.
>
> Next, see http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-hangs
>
> Reproduce the problem, and during the 30 seconds the directory server is processing the search request, run the gdb command several times to get stack traces during the search request.
>
>> I am starting to see this error in the dirserv logs:
>>
>> [12/Jun/2015:14:06:51 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>> [12/Jun/2015:14:11:51 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>> [12/Jun/2015:14:16:51 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>> [12/Jun/2015:14:21:51 -0700] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 107 (Transport endpoint is not connected)
>
> I doubt this is related to the performance. This looks like the server is attempting to contact a replica which is down, and has backed off for the full 5 minute max backoff.
>
>> Thanks,
>> Bill Graboyes
>>
>> On 6/12/15 1:36 PM, Rich Megginson wrote:
>>> On 06/12/2015 02:10 PM, Martin Kosek wrote:
>>>> On 06/12/2015 09:15 PM, William Graboyes wrote:
>>>>> Hi Martin,
>>>>>
>>>>> Here are the outputs of the various commands, cleaned of course:
>>>>>
>>>>> time ldapsearch
>>>>> SASL/EXTERNAL authentication started
>>>>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>>>>>         additional info: SASL(-4): no mechanism available:
>>>>>
>>>>> real 0m32.464s  user 0m0.385s  sys 0m0.052s
>>>>
>>>> This is quite a long time. We should check respective dirsrv errors and access logs snippets. Also, the command above did not exit successfully, I would recommend doing at least
>>>>
>>>> # ldapsearch -x -h `hostname` (uid=admin)
>>>
>>> To eliminate DNS from the equation, use
>>>
>>> # time ldapsearch -x -h 127.0.0.1 (uid=admin)
>>>
>>>>> time host ipa-server-2.foo.org -- server with issues
>>>>> ipa-server-2.foo.org has address 10.0.0.2
>>>>>
>>>>> real 0m0.070s  user 0m0.010s  sys 0m0.006s
>>>>>
>>>>> time host ipa-server-1.foo.org -- replicant with no issues
>>>>> ipa-server-1.foo.org has address 10.0.0.3
>>>>>
>>>>> real 0m0.073s  user 0m0.012s  sys 0m0.006s
>>>>>
>>>>> time kinit
>>>>> kinit: Cannot contact any KDC for realm 'FOO.ORG' while getting initial credentials
>>>>>
>>>>> real 0m27.049s  user 0m0.013s  sys 0m0.004s
>>>>>
>>>>> ^^^ has been something I have been seeing intermittently
>>>>>
>>>>> On 6/12/15 12:11 AM, Martin Kosek wrote:
>>>>>>> Hi List,
>>>>>>>
>>>>>>> This is a problem that has surfaced after a reboot of this system in particular. It is being really, really slow. In terms of hardware usage issues, there are none. It is taking 3-5 minutes to list users in the gui. Running commands like ipa-replica-manage list is taking between 30 seconds and 3 minutes. Memory usage is low, cpu usage is low, iops are low.
>>>>>>>
>>>>>>> I really have no idea where to start here, there is nothing really damning in the logs. I have tried restarting IPA (ipactl restart) stopping and starting IPA (ipactl stop wait... ipactl start), and rebooting the entire server.
>>>>>>>
>>>>>>> The oddest thing is that there have been some krb errors saying that they cannot contact the krb server.. logging into the gui saying your session has timed out.. It is just general strangeness.
>>>>>>>
>>>>>>> ipa-server-4.1.0-18.el7.centos.3.x86_64
>>>>>>> sssd-ipa-1.12.2-58.el7_1.6.x86_64
>>>>>>> krb5-server-1.12.2-14.el7.x86_64
>>>>>>>
>>>>>>> Any help would be greatly appreciated.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Bill
>>>>>>
>>>>>> I would recommend starting with simple things, seeing the performance and then following with more complex stuff:
Re: [Freeipa-users] Specific rights needed to enroll a new host
Martin Kosek wrote:
On 06/12/2015 01:30 AM, Christopher Young wrote:
> I'm trying to develop a process in Ansible to enroll new hosts (as well as check beforehand to see if the host is already enrolled). I was wondering a couple of things:
>
> #1. Has anyone else worked out a process for doing this using a non 'admin' account?

Create a role and add the privilege 'Host Enrollment'.

> #2. Is there a simple mechanism (preferably something that could be automated and thus not require any interactivity), that could be used to check as to whether a system is enrolled? I would hope that some type of simple LDAP search or simple command could be run to check with easy return codes.
>
> In particular, I'm trying to avoid using the 'admin' user to enroll hosts because I'd like to minimize the rights to just the enrollment of new hosts as well as checking for an existing enrollment.

You can do the same check that ipa host-show does - see if the host has a keytab generated or not. AFAIK, all authenticated users can do this check (not retrieve the key itself, but check if it is there). See my test as non-authenticated user/host:

    # klist
    Ticket cache: KEYRING:persistent:0:krb_ccache_nXWwGw1
    Default principal: host/ipa.f22@F22

    Valid starting       Expires              Service principal
    06/12/2015 03:15:01  06/13/2015 03:15:01  krbtgt/F22@F22

1. See all hosts

    [root@ipa freeipa]# ldapsearch -h `hostname` -Y GSSAPI -b cn=computers,cn=accounts,dc=f22 fqdn
    SASL/GSSAPI authentication started
    SASL username: host/ipa.f22@F22
    SASL SSF: 56
    SASL data security layer installed.
    # extended LDIF
    #
    # LDAPv3
    # base <cn=computers,cn=accounts,dc=f22> with scope subtree
    # filter: (objectclass=*)
    # requesting: fqdn
    #

    # computers, accounts, f22
    dn: cn=computers,cn=accounts,dc=f22

    # ipa.f22, computers, accounts, f22
    dn: fqdn=ipa.f22,cn=computers,cn=accounts,dc=f22
    fqdn: ipa.f22

    # is.not.enrolled, computers, accounts, f22
    dn: fqdn=is.not.enrolled,cn=computers,cn=accounts,dc=f22
    fqdn: is.not.enrolled

    # search result
    search: 4
    result: 0 Success

    # numResponses: 4
    # numEntries: 3

2. See just the unenrolled hosts

    [root@ipa freeipa]# ldapsearch -h `hostname` -Y GSSAPI -b cn=computers,cn=accounts,dc=f22 '(!(krbprincipalkey=*))' fqdn
    SASL/GSSAPI authentication started
    SASL username: host/ipa.f22@F22
    SASL SSF: 56
    SASL data security layer installed.
    # extended LDIF
    #
    # LDAPv3
    # base <cn=computers,cn=accounts,dc=f22> with scope subtree
    # filter: (!(krbprincipalkey=*))
    # requesting: fqdn
    #

    # computers, accounts, f22
    dn: cn=computers,cn=accounts,dc=f22

    # is.not.enrolled, computers, accounts, f22
    dn: fqdn=is.not.enrolled,cn=computers,cn=accounts,dc=f22
    fqdn: is.not.enrolled

    # search result
    search: 4
    result: 0 Success

    # numResponses: 3
    # numEntries: 2

HTH.

> Any thoughts or feedback that could point me in the best direction would be greatly appreciated!
>
> Thanks,
> Chris

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
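The reply's test (an enrolled host entry carries krbprincipalkey, an unenrolled one does not) can be turned into the non-interactive check with return codes that the question asks for. The script below is an added example and not FreeIPA's own code: it shells out to ldapsearch with GSSAPI, parses the LDIF, and exits 0 for enrolled, 1 for a host entry without a key, 3 for no entry at all and 2 on error. It assumes ldapsearch is on PATH, a Kerberos credential (for instance the host keytab) is available, and that BASE_DN is changed from the placeholder to your own suffix. The hostname is RFC 4515-escaped before it goes into the filter, so a value taken from inventory cannot change the query. The SAMPLE_* constants are constructed to mirror the output above and are only used to exercise the parser.

```python
"""Non-interactive enrollment check for automation (e.g. an Ansible task),
using the test from the reply: an enrolled host entry has krbprincipalkey set,
an unenrolled one does not.

Added example, not FreeIPA's own code. Assumes ldapsearch is installed, a
GSSAPI credential is available, and BASE_DN is set to your suffix
(the placeholder below mirrors the reply's dc=f22).
"""
import subprocess
import sys

BASE_DN = "cn=computers,cn=accounts,dc=f22"  # placeholder, set to your own suffix
EXIT_CODES = {"enrolled": 0, "not-enrolled": 1, "error": 2, "unknown": 3}

# Constructed sample output in the shape of the reply's ldapsearch runs
# (with -LLL, ldapsearch omits the '#' comment lines).
SAMPLE_ALL = """dn: cn=computers,cn=accounts,dc=f22

dn: fqdn=ipa.f22,cn=computers,cn=accounts,dc=f22
fqdn: ipa.f22

dn: fqdn=is.not.enrolled,cn=computers,cn=accounts,dc=f22
fqdn: is.not.enrolled
"""
SAMPLE_UNENROLLED = """dn: cn=computers,cn=accounts,dc=f22

dn: fqdn=is.not.enrolled,cn=computers,cn=accounts,dc=f22
fqdn: is.not.enrolled
"""


def escape_filter(value):
    """RFC 4515 escaping so a hostname taken from inventory cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def parse_ldif_fqdns(ldif_text):
    """Collect fqdn attribute values from LDIF, unfolding continuation lines."""
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # folded continuation of the previous line
        elif not line.startswith("#"):
            unfolded.append(line)
    return [l.split(":", 1)[1].strip() for l in unfolded if l.lower().startswith("fqdn: ")]


def run_search(server, ldap_filter):
    """Run ldapsearch with GSSAPI and return the fqdn values it found."""
    cmd = ["ldapsearch", "-LLL", "-h", server, "-Y", "GSSAPI", "-b", BASE_DN, ldap_filter, "fqdn"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(proc.stderr.strip() or f"ldapsearch exited {proc.returncode}")
    return parse_ldif_fqdns(proc.stdout)


def enrollment_state(fqdn, known_hosts, unenrolled_hosts):
    """No entry -> unknown; entry without a key -> not-enrolled; otherwise enrolled."""
    name = fqdn.lower()
    if name not in {h.lower() for h in known_hosts}:
        return "unknown"
    if name in {h.lower() for h in unenrolled_hosts}:
        return "not-enrolled"
    return "enrolled"


def check_host(server, fqdn):
    """Two searches, as in the reply: does the entry exist, and does it lack a key?"""
    f = escape_filter(fqdn)
    try:
        known = run_search(server, f"(fqdn={f})")
        unenrolled = run_search(server, f"(&(fqdn={f})(!(krbprincipalkey=*)))")
    except (OSError, RuntimeError) as exc:
        print(f"error: {exc}", file=sys.stderr)
        return "error"
    return enrollment_state(fqdn, known, unenrolled)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_enrolled.py IPA_SERVER HOST_FQDN")
    state = check_host(sys.argv[1], sys.argv[2])
    print(state)
    sys.exit(EXIT_CODES[state])
```

Distinguishing "unknown" from "not-enrolled" matters for the enrollment workflow: the first means the host entry still has to be created (which is where the Host Enrollment privilege comes in), the second means only the keytab is missing.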
[Freeipa-users] [SSSD] Announcing SSSD 1.12.5
=== SSSD 1.12.5 ===

The SSSD team is proud to announce the release of version 1.12.5 of the System Security Services Daemon. As always, the source is available from https://fedorahosted.org/sssd

RPM packages will be made available for Fedora 21, 22 and rawhide shortly.

== Feedback ==

Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:
    https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
    https://lists.fedorahosted.org/mailman/listinfo/sssd-users

== Highlights ==

* This release adds several new enhancements and fixes many bugs
* Notable new enhancements:
  * The background refresh task now supports refreshing users and groups as well. Please see the description of the `refresh_expired_interval` parameter in the `sssd.conf` man page.
  * A new option subdomain_inherit was added. Options included in the subdomain_inherit option also apply for trusted domains, if supported. This release supports inheriting ignore_group_members, ldap_purge_cache_timeout, ldap_use_tokengroups and ldap_user_principal.
  * When an expired account attempts to log in, a configurable error message can be displayed with a sufficient pam_verbosity setting. Please see the description of the pam_account_expired_message option for more information.
  * OpenLDAP ppolicy can be honored even when an alternate login method (such as an SSH key) is used. Please see the description of the new ppolicy value of the ldap_access_order option.
  * A new option krb5_map_user was added. This option allows the admin to map UNIX usernames to Kerberos principals. The option would be mostly useful for setups that wish to continue using UNIX file-based identities together with SSSD Kerberos authentication.
* The important bug fixes include:
  * Several AD-specific bugs that resulted in the incorrect set of groups being displayed after the initgroups operation were fixed.
  * Many fixes related to the IPA ID views feature are included. Setups using the ID views feature should update the SSSD instance on both IPA servers and clients.
  * The AD provider now handles binary GUIDs correctly. This bug manifested with an error message saying "ldb_modify failed: Invalid attribute syntax".
  * The AD provider no longer downloads full group objects during an initgroups request if POSIX attributes are used. This fix may speed up login times significantly.
  * A bug that prevented the `ignore_group_members` parameter from being used with the AD provider was fixed.
  * The failover code now reads and honors the TTL value for SRV queries as well. Previously, SRV queries used a hardcoded timeout.
  * The SELinux context set up during login with an IPA provider is only performed if the context has changed. This fixes a performance regression with the IPA provider.
  * A race condition between setting the timeout in the back ends and reading it in the front end during the initgroups operation was fixed. This bug affected applications that perform the `initgroups(3)` operation in multiple processes simultaneously.
  * Setups that only want to use the domain SSSD is connected to, but not the autodiscovered trusted domains, by setting `subdomains_provider=none` now work correctly as long as the domain SID is set manually in the config file.
  * In case only allow rules are used, the simple access provider is now able to skip unresolvable groups.
  * The GPO access control code now handles situations where user and computer objects are in different domains. Previously, an attempt to log in as a user from a different domain than the computer always resulted in login failure.

== Packaging Changes ==

* The cmocka unit tests now require cmocka version 1.0 or later
* The libsss_krb5_common.so library has been moved to the sssd-common subpackage to avoid ordering issues between libsss_krb5_common and libsss_ldap_common
* The proxy_child helper binary was marked as setuid in order for the proxy provider to work without root privileges.

== Documentation Changes ==

* A new option subdomain_inherit was added. See the highlights section for more details.
* A new option krb5_map_user was added. See the highlights section for more details.
* The ldap_access_order option accepts the new value ppolicy.
* The account expiration message can be customized using the new option pam_account_expired_message

== Tickets Fixed ==

https://fedorahosted.org/sssd/ticket/1884
    [RFE] Read and use the TTL value when resolving a SRV query
https://fedorahosted.org/sssd/ticket/2050
    ssh login reject is abrupt
https://fedorahosted.org/sssd/ticket/2167
    [RFE] Allow SSSD to issue shadow expiration warning even if alternate authentication method is used
Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode
On Jun 11, 2015, at 15:37, Alexander Bokovoy aboko...@redhat.com wrote:

On Thu, 11 Jun 2015, Bobby Prins wrote:

On Apr 7, 2015, at 13:41, Bobby Prins bobby.pr...@proxy.nl wrote:

On Apr 3, 2015, at 14:40, Bobby Prins bobby.pr...@proxy.nl wrote:

- Original message -
From: Alexander Bokovoy aboko...@redhat.com
To: Bobby Prins bobby.pr...@proxy.nl
Cc: d...@redhat.com, freeipa-users@redhat.com
Sent: Friday 3 April 2015 14:26:17
Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

On Fri, 03 Apr 2015, Bobby Prins wrote:

- Original message -
From: Alexander Bokovoy aboko...@redhat.com
To: Bobby Prins bobby.pr...@proxy.nl
Cc: d...@redhat.com, freeipa-users@redhat.com
Sent: Friday 3 April 2015 12:45:07
Subject: Re: [Freeipa-users] 'Preauthentication failed' with SSSD in ipa_server_mode

On Fri, 03 Apr 2015, Bobby Prins wrote:

access:

    [03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.168.140.107 to 192.168.140.133
    [03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn= method=128 version=3
    [03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=
    [03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base=cn=users,cn=compat,dc=unix,dc=example,dc=corp scope=2 filter=(&(objectClass=posixaccount)(uid=bpr...@example.corp)) attrs=ALL
    [03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
    [03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base=cn=users,cn=compat,dc=unix,dc=example,dc=corp scope=2 filter=(&(objectClass=posixaccount)(uid=bprins)) attrs=ALL
    [03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0

Above there are two lookups:
- successful lookup for user bpri...@example.com
- unsuccessful lookup for user bprins

What is causing it to perform a lookup without @example.com?

Compat tree presents AD users fully qualified, it is the only way it knows to trigger lookup via SSSD on IPA master for these users (because non-fully qualified users are in IPA LDAP tree already and copied to compat tree automatically).

This seems to be (standard?) behaviour of the AIX LDAP client. Did some more tests with different accounts and always see the two lookups. I doubt if I can influence that..

No, this is not standard -- I haven't seen such behavior when testing FreeIPA with AIX last autumn.

--
/ Alexander Bokovoy

OK, with the idsldap client software and an AD trust configured? This is on AIX7.1. I'm spinning up an AIX5.3 machine now for another test. Might try AIX6.1 as well. What works is creating the user object in freeIPA so the lookup succeeds. After that I can authenticate successfully against AD. Not the solution I'm looking for though.

Did some tests with AIX5.3 and then I don't run into any issues. There is no lookup to be seen after entering my username on AIX5.3 (as there was on AIX7.1), only the authentication request which succeeds. Will test AIX6.1 later on..

AIX6.1 also worked without any problems. In the end my methods.cfg was causing the problems on AIX7.1. After deleting these lines authentication worked:

    KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,kadmind=no

    KRB5LDAP:
        options = auth=KRB5,db=LDAP

So my methods.cfg now looks like this:

    LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64

    NIS:
        program = /usr/lib/security/NIS
        program_64 = /usr/lib/security/NIS_64

    DCE:
        program = /usr/lib/security/DCE

I was not expecting this since I was not using KRB5 or KRB5LDAP in /etc/security/user. Well, I'm glad I got this sorted out now :)

Great. Could you please write your configurations up somewhere so that we can have an article on freeipa.org detailing the configs for future users?

Yes, I will do that Alexander. Hope to have some time for that next week.

--
/ Alexander Bokovoy
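The diagnosis in this thread came from reading the 389-ds access log and pairing each SRCH with its RESULT by conn/op to see which lookup returned nentries=0. The parser below is an added example, not part of the thread or of 389-ds; it does that pairing mechanically so the empty lookups can be listed from a whole log. The sample lines are constructed in the format of the excerpt above (with 389-ds's usual quoting of base and filter, and a placeholder user name instead of the munged address).

```python
"""Pair SRCH and RESULT lines from a 389-ds access log by (conn, op) so that
searches returning no entries stand out, as with the compat-tree lookup for the
unqualified user in the thread's excerpt.

Added example, not part of the thread. The sample lines are constructed in the
format of the excerpt; the user name is a placeholder.
"""
import re

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$")
# base= and filter= may or may not be quoted depending on how the log was copied
SRCH_RE = re.compile(r'base="?(?P<base>[^" ]*)"? scope=(?P<scope>\d) filter="?(?P<filter>.*?)"? attrs=')
RESULT_RE = re.compile(r"err=(?P<err>\d+) .*nentries=(?P<nentries>\d+)")

SAMPLE_LOG = """\
[03/Apr/2015:11:58:47 +0200] conn=5950 fd=68 slot=68 connection from 192.168.140.107 to 192.168.140.133
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 BIND dn="" method=128 version=3
[03/Apr/2015:11:58:47 +0200] conn=5950 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins@example.corp))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 SRCH base="cn=users,cn=compat,dc=unix,dc=example,dc=corp" scope=2 filter="(&(objectClass=posixaccount)(uid=bprins))" attrs=ALL
[03/Apr/2015:11:59:04 +0200] conn=5950 op=2 RESULT err=0 tag=101 nentries=0 etime=0
"""


def pair_searches(lines):
    """Return one dict per completed search: ts, conn, op, base, filter, err, nentries."""
    pending = {}   # (conn, op) -> search fields awaiting their RESULT line
    searches = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # connection/disconnect lines carry no op= and are skipped
        key = (m["conn"], m["op"])
        rest = m["rest"]
        if rest.startswith("SRCH "):
            s = SRCH_RE.search(rest)
            if s:
                pending[key] = {"ts": m["ts"], "conn": key[0], "op": key[1],
                                "base": s["base"], "filter": s["filter"]}
        elif rest.startswith("RESULT ") and key in pending:
            r = RESULT_RE.search(rest)
            entry = pending.pop(key)
            entry["err"] = int(r["err"]) if r else None
            entry["nentries"] = int(r["nentries"]) if r else None
            searches.append(entry)
    return searches


def empty_searches(lines):
    """Searches that succeeded (err=0) but matched nothing: the 'unsuccessful lookup' case."""
    return [s for s in pair_searches(lines) if s["err"] == 0 and s["nentries"] == 0]


if __name__ == "__main__":
    for s in empty_searches(SAMPLE_LOG.splitlines()):
        print(f"conn={s['conn']} op={s['op']} base={s['base']} filter={s['filter']}")
```

Run against a real access log (`python3 pair.py < /var/log/dirsrv/slapd-INSTANCE/access` after swapping the sample for stdin), the empty searches show which client is issuing lookups that the compat tree can never satisfy, which is what pointed at the AIX client configuration here.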
[Freeipa-users] Is something.local hostname possible
Hi all,

I'm trying to duplicate freeIPA on a local host but I keep on getting errors, primarily a RuntimeError('CA did not start in %%ss' %timeout). Has anyone tried this before and succeeded or have suggestions?

Thanks
James
Re: [Freeipa-users] Is something.local hostname possible
I can't answer you, but don't use .local, it conflicts with avahi.

--
Sent from mobile

On June 12, 2015 17:45:52 James Benson james.ben...@utsa.edu wrote:
> Hi all,
>
> I'm trying to duplicate freeIPA on a local host but I keep on getting errors, primarily a RuntimeError('CA did not start in %%ss' %timeout). Has anyone tried this before and succeeded or have suggestions?
>
> Thanks
> James
Re: [Freeipa-users] Freeipa-users Digest, Vol 83, Issue 65
I've tried increasing the timeout limit but no dice (the exact number was 30 seconds I think for the error). I'm not running avahi but just a straight up Ubuntu federa server with nothing else but this. Eventually we'll try to tie this into either a Hortonworks, MapR or Cloudera server as authentication, but I can't tie it to our domain since I'm not in charge of it, and frankly I tried and it just goes to oblivion since I'm inside the firewall and the domain is outside, and I'm not going to punch those holes. Anyone else have thoughts?

James
[Freeipa-users] OTP - Google Authenticator - iPhone - Invalid barcode
Hi,

Has anyone seen this? When a user tries to scan the QR code he gets a message saying invalid barcode. This happens only with iPhone + Google Authenticator.

Thanks for your help.

--Prashant