[Freeipa-users] freeipa and User Private Groups

[Les Stott]

Hi All,

Running ipa-3.0.0-42.el6 and sssd-1.11.6-30.el6_6.3.x86_64

So, by default, when you create a user in freeipa, That user will be set to 
have a primary group that is hidden and not a POSIX group.

This means that when the user logs in to a host, they will see something like...

id: cannot find name for group ID group_number

running the id command shows no name returned for this group.

I understand you can disable private groups globally, however it is 
discouraged. I also realise you can simply create POSIX groups when creating 
users.

In the spirit of trying to stick with the defaults

Is there a way to avoid the login error where id can't retrieve the group name 
from a UPG?

Thanks,

Les

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates

[Martin Basti]

On 12/07/15 10:05, Sina Owolabi wrote:

Hi

I have several dns zones defined in IPA. I noticed recently that the
zone files are empty. I find this odd because I created them like the
example below.
Is it possible to force clients to auto-update reverse zones?

Thanks in advance!

How I created all the zones:

  ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000
--allow-sync-ptr=TRUE --dynamic-update
   Zone name: 0.14.10.in-addr.arpa.
   Active zone: TRUE
   Authoritative nameserver: services.ourdomain.com.
   Administrator e-mail address: hostmaster
   SOA serial: 1436688202
   SOA refresh: 3600
   SOA retry: 900
   SOA expire: 1209600
   SOA minimum: 3000
   BIND update policy: grant QRIOS.COM krb5-subdomain 0.14.10.in-addr.arpa. PTR;
   Dynamic update: TRUE
   Allow query: any;
   Allow transfer: none;
   Allow PTR sync: TRUE


Hello,

do you have --allow-sync-ptr=True configured in zones where the 
particular A/ records are?


SSSD is able to update records.
Please check if dyndns_update is set to true in sssd.conf. (man sssd-ipa)

--
Martin Basti

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] AD users not visible in FreeIPA mapped group

[Alexander Bokovoy]

On Mon, 13 Jul 2015, Angelo Pantano wrote:

I added the external groups to map my Domain Admins AD group like the
freeipa documentation suggests:

# ipa group-add --desc='ad_domain admins external map' ad_admins_external
--external
# ipa group-add --desc='ad_domain admins' ad_admins
# ipa group-add-member ad_admins_external --external 'ad_netbios\Domain
Admins'
# ipa group-add-member ad_admins --groups ad_admins_external

But I dont see any user in the web interface under ad_admins or
ad_admins_external. I thought that this would give us a view of the AD
users in FreeIPA, but I dont see any difference..
Am I missing something here?

Where did you look them?

External members for ad_admins_external group would be under 'external'
tab, like in the attached screenshot.

--
/ Alexander Bokovoy
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] DNS configuration for not resolving some addresses

[Petr Spacek]

On 8.7.2015 20:46, Karl Forner wrote:
 I forgot my main use case: I have name-based reverse proxies (SNI) for some
 web apps/services , that are accessible both from the internal and external
 network.
 They must be accessed with the exact same name/url, otherwise the dispatch
 can not work.
 Until now I manage this by manually editing all /etc/hosts on all internal
 computers, but I had hoped to benefit from the freeIPA DNS a more elegant
 solution.

Standard DNS cannot provide you with this, you need to hack it yourself. Sorry!

Petr Spacek  @  Red Hat

 On Wed, Jul 8, 2015 at 4:50 PM, Petr Spacek pspa...@redhat.com wrote:
 
 On 8.7.2015 16:32, Karl Forner wrote:
 Thanks Petr.

 My use case is: we have scripts that connect to some services, let's say
 a
 docker registry.
 I want these scripts to be work either internally or externally, without
 changing the URLs.
 What would the best or easiest setting to achieve this ?

 Personally I use config file for this. I.e. the script is the same and
 URLs,
 names, passwords, etc. are read from config file stored alongside the
 script.

 This allows me to test it easily without any changes in DNS or system-wide
 configuration like /etc/hosts.

 Yes, it requires more code, but in long-term it is way more debug-able than
 DNS tricks.

 Petr^2 Spacek

 On Wed, Jul 8, 2015 at 4:25 PM, Petr Spacek pspa...@redhat.com wrote:

 On 8.7.2015 15:07, Karl Forner wrote:
 On Wed, Jul 8, 2015 at 2:32 PM, Jan Pazdziora jpazdzi...@redhat.com
 wrote:

 On Wed, Jul 08, 2015 at 02:26:02PM +0200, Karl Forner wrote:

 When using my freeIPA DNS name server for my domain example.test, I
 need
 to
 exclude some names from the server( to be forwarded to the DNS
 forwarder
 for instance.

 For example, I'd like foo.example.test not to be resolved, but
 forwarded.
 How could I implement this ?

 That would mean you have two different nameservers authoritative for
 the same DNS domain. That is generally not recommended setup.


 Yes, that's what I read, but I do not know how to easily do
 differently.
 But in the end, what I'd like for my users, is to have foo.example.test
 resolved from the outside to my external server IP, and from the inside
 to
 the internal server IP.

 Such setup is generally not recommended because it is usually pain when
 it
 comes to long-term operation and maintenance.

 http://www.freeipa.org/page/DNS#Caveats
 http://www.freeipa.org/page/Deployment_Recommendations#DNS


 Two main use-cases are:

 a) Two or more different servers are using the same name and which
 server
 is
 used depends on client's network.

 This is usually very cumbersome because DNS caching will play against
 you,
 especially when we introduce system-wide cache into Fedora 23.

 It is also hard to manage and debug because you have to ask the same
 question
 from different networks etc. And it will be harder when you deploy
 DNSSEC
 to
 increase security...

 The typical recommendation is to use a sub-domain for internal names,
 e.g.
 i.example.com for internal names and example.com for
 externally-resolvable names.


 b) Seconds use-case: Attempt to optimize IP routing by using DNS tricks.

 Yes, it is as bad idea as it sounds.


 Can't you make foo.example.test a CNAME to foo.example.org or another
 hostname, in domain with different authoritative DNS server?


 Hmm yes that should work, thanks !

 Please keep in mind that it only hides the problem under yet another
 layer
 of
 indirection.

 humor
 Yes, it is always possible! We know it because it is written in
 The Twelve Networking Truths:
 https://tools.ietf.org/html/rfc1925#page-2
 point
 (6) but you should take into account point (3) into account, too :-)
 /humor

 --
 Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Primary certificates

[Janelle]

Good morning,

I was wondering, I install my servers with the self-signed certs. Now my 
management wants me to use official certificates. Is there an 
easy/recommended way to swap out all the certificates on all the 
servers? Especially with 16 servers, just trying to figure out if this 
is something I could script with PSSH or similar in order to do them all 
at once. Does it matter the order?


Thank you
~Janelle

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ns-slapd high cpu usage

[Ludwig Krispenz]

can you get a pstack of the slapd process along with a top -H to find th 
ethread with high cpu usage


Ludwig

On 07/13/2015 04:46 PM, Andrew E. Bruno wrote:

We have 3 freeipa-replicas. Centos 7.1.1503, ipa-server 4.1.0-18, and
389-ds 1.3.3.1-16.

Recently, the ns-slapd process on one of our replicas started showing higher
than normal CPU usage. ns-slapd is pegged at high CPU usage more or less
constantly.

Seems very similar to this thread:
https://www.redhat.com/archives/freeipa-users/2015-February/msg00281.html

There are a few errors showing in /var/log/dirsrv/slapd-[domain]/errors (not
sure if these are related):


[13/Jul/2015:02:56:49 -0400] retrocl-plugin - retrocl_postob: operation failure 
[1]
[13/Jul/2015:04:11:50 -0400] - dn2entry_ext: Failed to get id for 
changenumber=2277387,cn=changelog from entryrdn index (-30993)
[13/Jul/2015:04:11:50 -0400] - Operation error fetching 
changenumber=2277387,cn=changelog (null), error -30993.
[13/Jul/2015:04:11:50 -0400] DSRetroclPlugin - replog: an error occured while 
adding change number 2277387, dn = changenumber=2277387,cn=changelog: 
Operations error.
[13/Jul/2015:04:11:50 -0400] retrocl-plugin - retrocl_postob: operation failure 
[1]
[13/Jul/2015:07:41:49 -0400] - Operation error fetching Null DN 
(01de36ac-295411e5-b94db2ab-07afbca6), error -30993.
[13/Jul/2015:07:41:49 -0400] - dn2entry_ext: Failed to get id for 
changenumber=2281464,cn=changelog from entryrdn index (-30993)
[13/Jul/2015:07:41:49 -0400] - Operation error fetching 
changenumber=2281464,cn=changelog (null), error -30993.
[13/Jul/2015:07:41:49 -0400] DSRetroclPlugin - replog: an error occured while 
adding change number 2281464, dn = changenumber=2281464,cn=changelog: 
Operations error.
[13/Jul/2015:07:41:49 -0400] retrocl-plugin - retrocl_postob: operation failure 
[1]


access logs seem to be showing normal activity. Here's the number of open
connections:

# ls -al /proc/`cat /var/run/dirsrv/slapd-[domain].pid`/fd|grep socket|wc -l
62

Note: the other two replicas have much higher open connections (250) and low
cpu load avgs.

Here's some output of logconv.pl from our most recent access log on the replica
with high cpu load:

Start of Logs:13/Jul/2015:04:49:18
End of Logs:  13/Jul/2015:10:06:11

Processed Log Time:  5 Hours, 16 Minutes, 53 Seconds

Restarts: 0
Total Connections:2343
  - LDAP Connections:  2120
  - LDAPI Connections: 223
  - LDAPS Connections: 0
  - StartTLS Extended Ops: 45
  Secure Protocol Versions:
   - TLS1.2 128-bit AES - 45

Peak Concurrent Connections:  22
Total Operations: 111865
Total Results:111034
Overall Performance:  99.3%

Searches: 95585 (5.03/sec)  (301.64/min)
Modifications:3369  (0.18/sec)  (10.63/min)
Adds: 0 (0.00/sec)  (0.00/min)
Deletes:  0 (0.00/sec)  (0.00/min)
Mod RDNs: 0 (0.00/sec)  (0.00/min)
Compares: 0 (0.00/sec)  (0.00/min)
Binds:7082  (0.37/sec)  (22.35/min)

Proxied Auth Operations:  0
Persistent Searches:  0
Internal Operations:  0
Entry Operations: 0
Extended Operations:  5317
Abandoned Requests:   416
Smart Referrals Received: 0

VLV Operations:   96
VLV Unindexed Searches:   0
VLV Unindexed Components: 32
SORT Operations:  64

Entire Search Base Queries:   0
Paged Searches:   3882
Unindexed Searches:   0
Unindexed Components: 5

FDs Taken:2566
FDs Returned: 2643
Highest FD Taken: 249

Broken Pipes: 0
Connections Reset By Peer:0
Resource Unavailable: 0
Max BER Size Exceeded:0

Binds:7082
Unbinds:  2443
  - LDAP v2 Binds: 0
  - LDAP v3 Binds: 6859
  - AUTOBINDs: 223
  - SSL Client Binds:  0
  - Failed SSL Client Binds:   0
  - SASL Binds:6814
 GSSAPI - 6591
 EXTERNAL - 223
  - Directory Manager Binds:   0
  - Anonymous Binds:   6591
  - Other Binds:   491




strace timing on the ns-slapd process:


% time seconds  usecs/call callserrors syscall
-- --- --- - - 
  94.400.346659597758   poll
   4.100.015057   15057 1   restart_syscall
   0.910.003353  575959 getpeername
   0.490.001796 15012   futex
   0.100.000364  73 5   read
-- --- --- - - 
100.000.367229   13559 total


top output (with threads 'H'):

   PID USER  

[Freeipa-users] ns-slapd high cpu usage

[Andrew E. Bruno]

We have 3 freeipa-replicas. Centos 7.1.1503, ipa-server 4.1.0-18, and
389-ds 1.3.3.1-16. 

Recently, the ns-slapd process on one of our replicas started showing higher
than normal CPU usage. ns-slapd is pegged at high CPU usage more or less
constantly.

Seems very similar to this thread:
https://www.redhat.com/archives/freeipa-users/2015-February/msg00281.html

There are a few errors showing in /var/log/dirsrv/slapd-[domain]/errors (not
sure if these are related):


[13/Jul/2015:02:56:49 -0400] retrocl-plugin - retrocl_postob: operation failure 
[1]
[13/Jul/2015:04:11:50 -0400] - dn2entry_ext: Failed to get id for 
changenumber=2277387,cn=changelog from entryrdn index (-30993)
[13/Jul/2015:04:11:50 -0400] - Operation error fetching 
changenumber=2277387,cn=changelog (null), error -30993.
[13/Jul/2015:04:11:50 -0400] DSRetroclPlugin - replog: an error occured while 
adding change number 2277387, dn = changenumber=2277387,cn=changelog: 
Operations error. 
[13/Jul/2015:04:11:50 -0400] retrocl-plugin - retrocl_postob: operation failure 
[1]
[13/Jul/2015:07:41:49 -0400] - Operation error fetching Null DN 
(01de36ac-295411e5-b94db2ab-07afbca6), error -30993.
[13/Jul/2015:07:41:49 -0400] - dn2entry_ext: Failed to get id for 
changenumber=2281464,cn=changelog from entryrdn index (-30993)
[13/Jul/2015:07:41:49 -0400] - Operation error fetching 
changenumber=2281464,cn=changelog (null), error -30993.
[13/Jul/2015:07:41:49 -0400] DSRetroclPlugin - replog: an error occured while 
adding change number 2281464, dn = changenumber=2281464,cn=changelog: 
Operations error. 
[13/Jul/2015:07:41:49 -0400] retrocl-plugin - retrocl_postob: operation failure 
[1]


access logs seem to be showing normal activity. Here's the number of open
connections:

# ls -al /proc/`cat /var/run/dirsrv/slapd-[domain].pid`/fd|grep socket|wc -l
62

Note: the other two replicas have much higher open connections (250) and low
cpu load avgs.

Here's some output of logconv.pl from our most recent access log on the replica
with high cpu load:

Start of Logs:13/Jul/2015:04:49:18
End of Logs:  13/Jul/2015:10:06:11

Processed Log Time:  5 Hours, 16 Minutes, 53 Seconds

Restarts: 0
Total Connections:2343
 - LDAP Connections:  2120
 - LDAPI Connections: 223
 - LDAPS Connections: 0
 - StartTLS Extended Ops: 45
 Secure Protocol Versions:
  - TLS1.2 128-bit AES - 45

Peak Concurrent Connections:  22
Total Operations: 111865
Total Results:111034
Overall Performance:  99.3%

Searches: 95585 (5.03/sec)  (301.64/min)
Modifications:3369  (0.18/sec)  (10.63/min)
Adds: 0 (0.00/sec)  (0.00/min)
Deletes:  0 (0.00/sec)  (0.00/min)
Mod RDNs: 0 (0.00/sec)  (0.00/min)
Compares: 0 (0.00/sec)  (0.00/min)
Binds:7082  (0.37/sec)  (22.35/min)

Proxied Auth Operations:  0
Persistent Searches:  0
Internal Operations:  0
Entry Operations: 0
Extended Operations:  5317
Abandoned Requests:   416
Smart Referrals Received: 0

VLV Operations:   96
VLV Unindexed Searches:   0
VLV Unindexed Components: 32
SORT Operations:  64

Entire Search Base Queries:   0
Paged Searches:   3882
Unindexed Searches:   0
Unindexed Components: 5

FDs Taken:2566
FDs Returned: 2643
Highest FD Taken: 249

Broken Pipes: 0
Connections Reset By Peer:0
Resource Unavailable: 0
Max BER Size Exceeded:0

Binds:7082
Unbinds:  2443
 - LDAP v2 Binds: 0
 - LDAP v3 Binds: 6859
 - AUTOBINDs: 223
 - SSL Client Binds:  0
 - Failed SSL Client Binds:   0
 - SASL Binds:6814
GSSAPI - 6591
EXTERNAL - 223
 - Directory Manager Binds:   0
 - Anonymous Binds:   6591
 - Other Binds:   491




strace timing on the ns-slapd process:


% time seconds  usecs/call callserrors syscall
-- --- --- - - 
 94.400.346659597758   poll
  4.100.015057   15057 1   restart_syscall
  0.910.003353  575959 getpeername
  0.490.001796 15012   futex
  0.100.000364  73 5   read
-- --- --- - - 
100.000.367229   13559 total


top output (with threads 'H'):

  PID USER  PR  NIVIRTRESSHR S %CPU %MEM TIME+ COMMAND  


 

Re: [Freeipa-users] ipa client on ubuntu and sudo rules

[Karl Forner]

For reference:
I could not make the sudo rules on ubuntu 12.04, I tried many many things.

Worked like a charm on ubuntu 14.04: as simple as adding sudo to services
in [sssd] section of nsssd.conf.


On Fri, Jul 10, 2015 at 5:18 PM, Lukas Slebodnik lsleb...@redhat.com
wrote:

 On (10/07/15 16:19), Karl Forner wrote:
 Hello,
 
 I setup an ubuntu client for freeIPA 4.1.4, and sudo rules do not seem to
 work.
 I then realized that I used ipa-client-install version 3.3.4.
 Is this a plausible cause ?
 And if so, where can I get a more recent version for ubuntu/debian ?
 Never version of ipa-client configures sssd integration with sudo by
 default.
 Please follow intructions from manual page sssd-sudo and you should be able
 to configure it yourself. Different version of sssd requires different
 configuration with ipa provider.

 IIRC sssd  1.10 nas native ipa sudo provider so you need't to
 configure sudo ldap provider with IPA. That's the reason why it's better to
 follow instruction form man page sssd-sudo.

 LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Windows sync agreement becomes uninitialized and crashes directory server

[Rich Megginson]

On 07/13/2015 07:07 PM, nat...@nathanpeters.com wrote:

2 FreeIPA 4.1.4 servers running on CentOS 7.
dc1 has a sync agreement to a windows server.


It has been running fine since June 5 when I re-initialized a sync
agreement that had somehow uninitialized itself.  Original issue report
here :
https://www.redhat.com/archives/freeipa-users/2015-June/msg00147.html
Bug report here : https://fedorahosted.org/freeipa/ticket/5054

It appears the same thing may have happened again, one month later, but
this time randomly, as we have not made any changes to our sync agreement
since the initial change in June.  it appears to have unitialized itself
without us changing it and managed to crash the directory server in doing
so.


Crash? http://www.port389.org/docs/389ds/FAQ/faq.html#debugging-crashes
# debuginfo-install 389-ds-base ipa-server slapi-nis


  Note that during the last week I could still login to the web ui, but
around the time the log entries change, I became unable to.

I tried to login to the web server today and it would not let me login, so
I went to the shell on the server and noticed that ipactl command would
freeze up again.  I looked at the logs (which I will paste below) and
restarted the directory server service.

I then found that my sync agreement had become uninitialized.

--- output ---
[root@dc1 slapd-IPADOMAIN-NET]# ldapsearch -xLLL -D cn=directory manager
-W -b cn=config objectclass=nsDSWindowsReplicationAgreement
Enter LDAP Password:
dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain
  \2Cdc\3Dnet,cn=mapping tree,cn=config
nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
cn: meToofficedc2.office.addomain.net
nsds7NewWinGroupSyncEnabled: false
objectClass: nsDSWindowsReplicationAgreement
objectClass: top
nsDS5ReplicaTransportInfo: TLS
description: me to officedc2.office.addomain.net
nsDS5ReplicaRoot: dc=ipadomain,dc=net
nsDS5ReplicaHost: officedc2.office.addomain.net
nsds5replicaTimeout: 120
nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service
Account,dc=office,dc=addomain,dc=net
nsds7NewWinUserSyncEnabled: true
nsDS5ReplicaPort: 389
nsds7WindowsDomain: ipadomain.net
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
idnssoaserial
   entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: simple
nsDS5ReplicaCredentials:
{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
  RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ
  0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdm
  I0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=
nsds7DirsyncCookie::
TVNEUwMAAABoJPGME7jQAQAAYAEAAPc1qQAAA
  AD3NakAAMUjuImqVZhBkOkdt24C0IsBAA4AY4GwFkVcvEmMMExrVon4d6
  13PwAADGzFNzznrESIxHzA74fbsz4HUgAAOnFoO5OE2E27lR/g4EcjQTLbIwAAuEm
  PWjYok0qGS0HM/+TDmK7FgAMA6PTFXvAdnkaJSIkZT1lS+/FcJAAA4qTQaC46/Ua4KXgP
  /ixNcbK4dgAAWowbgYD1akibZ+sCul5C4VNsMQAAxSO4iapVmEGQ6R23bgLQi/c1qQAAA
  AAAogC6jFcyFUmhBp4B7FkaBcRHwwEAyhKMxsP0uUKGEnG2lsyA8eTUwgYA4n8Xx1bAlU
  mBUl3zhlZ9WBngDAAA71vM2ebFEkCJkBaLjB4CGU+4CQMAGfO+4ndZCkaVKnwZNlNsf90
  NDAAAgD6n+M2bcUGkOwo5gPLx7IOjAwAA
nsds50ruv: {replicageneration} 553fe9bb0004
nsds50ruv: {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9
  0004 557f49fb00020004
nsds50ruv: {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c
  40003 557f3e4a00020003
nsruvReplicaLastModified: {replica 4 ldap://dc1.ipadomain.ne
  t:389} 557f494a
nsruvReplicaLastModified: {replica 3 ldap://dc2.ipadomain.n
  et:389} 557f3d95
oneWaySync: fromWindows
nsds5ReplicaEnabled: on
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 0
nsds5replicaLastUpdateEnd: 0
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: -1  - LDAP error: Can't contact LDAP server
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0
--- output ---

Here are the error logs for the last month for the directory server.  They
are totally empty until July 2.

---output---
 389-Directory/1.3.3.8 B2015.040.128
 dc1.ipadomain.net:636 (/etc/dirsrv/slapd-IPADOMAIN-NET)

[02/Jul/2015:03:19:02 +] NSMMReplicationPlugin - windows sync - failed
to send dirsync search request: 2
[02/Jul/2015:06:10:29 +] - Entry
uid=jenkinsdev,cn=users,cn=accounts,dc=ipadomain,dc=net missing
attribute sn required by object class person
[03/Jul/2015:02:04:02 +] NSMMReplicationPlugin - windows sync - failed
to send dirsync search request: 2
[03/Jul/2015:05:39:01 +] NSMMReplicationPlugin - windows sync - failed
to send dirsync search request: 2
[03/Jul/2015:17:09:00 +] NSMMReplicationPlugin - windows sync - failed
to send dirsync search request: 2
[03/Jul/2015:22:41:32 +] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id 

Re: [Freeipa-users] Force IPA client Reverse Zone Dynamic Updates

[Sina Owolabi]

Hi Martin

Yes all my sssd configs are set ipa_dyndns_update = True
I didn't have --allow-sync-ptr=TRUE in all the forward zones so I set them.
I've tried to set it in the very first zone (setup during
installation) but dnszone-mod complains:

# ipa dnszone-mod mydom.com --allow-sync-ptr=TRUE --dynamic-update=TRUE
ipa: ERROR: no modifications to be performed

But I don't see it in the show command:

 ipa dnszone-show mydom.com
  Zone name: mydom.com.
  Active zone: TRUE
  Authoritative nameserver: services.mydom.com.
  Administrator e-mail address: hostmaster.mydom.com.
  SOA serial: 1436799166
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Allow query: any;
  Allow transfer: none;

On Mon, Jul 13, 2015 at 11:20 AM, Martin Basti mba...@redhat.com wrote:
 On 12/07/15 10:05, Sina Owolabi wrote:

 Hi

 I have several dns zones defined in IPA. I noticed recently that the
 zone files are empty. I find this odd because I created them like the
 example below.
 Is it possible to force clients to auto-update reverse zones?

 Thanks in advance!

 How I created all the zones:

   ipa dnszone-add 0.14.10.in-addr.arpa. --minimum=3000
 --allow-sync-ptr=TRUE --dynamic-update
Zone name: 0.14.10.in-addr.arpa.
Active zone: TRUE
Authoritative nameserver: services.ourdomain.com.
Administrator e-mail address: hostmaster
SOA serial: 1436688202
SOA refresh: 3600
SOA retry: 900
SOA expire: 1209600
SOA minimum: 3000
BIND update policy: grant QRIOS.COM krb5-subdomain
 0.14.10.in-addr.arpa. PTR;
Dynamic update: TRUE
Allow query: any;
Allow transfer: none;
Allow PTR sync: TRUE

 Hello,

 do you have --allow-sync-ptr=True configured in zones where the particular
 A/ records are?

 SSSD is able to update records.
 Please check if dyndns_update is set to true in sssd.conf. (man sssd-ipa)

 --
 Martin Basti


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ns-slapd high cpu usage

[Ludwig Krispenz]

On 07/13/2015 05:05 PM, Andrew E. Bruno wrote:

On Mon, Jul 13, 2015 at 04:58:46PM +0200, Ludwig Krispenz wrote:

can you get a pstack of the slapd process along with a top -H to find th
ethread with high cpu usage

Attached is the full stacktrace of the running ns-slapd proccess. top -H
shows this thread (2879) with high cpu usage:

2879 dirsrv20   0 3819252 1.962g  11680 R 99.9  3.1   8822:10 ns-slapd
this thread is a replication thread sending updates, what is strange is 
that the current csn_str is quite old (july, 7th), I can't tell which 
agreeement this thread is handling, but looks like it is heavily reading 
the changeglog and sending updates. anything changed recently in 
replication setup ?







On 07/13/2015 04:46 PM, Andrew E. Bruno wrote:

We have 3 freeipa-replicas. Centos 7.1.1503, ipa-server 4.1.0-18, and
389-ds 1.3.3.1-16.

Recently, the ns-slapd process on one of our replicas started showing higher
than normal CPU usage. ns-slapd is pegged at high CPU usage more or less
constantly.

Seems very similar to this thread:
https://www.redhat.com/archives/freeipa-users/2015-February/msg00281.html

There are a few errors showing in /var/log/dirsrv/slapd-[domain]/errors (not
sure if these are related):


[13/Jul/2015:02:56:49 -0400] retrocl-plugin - retrocl_postob: operation failure 
[1]
[13/Jul/2015:04:11:50 -0400] - dn2entry_ext: Failed to get id for 
changenumber=2277387,cn=changelog from entryrdn index (-30993)
[13/Jul/2015:04:11:50 -0400] - Operation error fetching 
changenumber=2277387,cn=changelog (null), error -30993.
[13/Jul/2015:04:11:50 -0400] DSRetroclPlugin - replog: an error occured while 
adding change number 2277387, dn = changenumber=2277387,cn=changelog: 
Operations error.
[13/Jul/2015:04:11:50 -0400] retrocl-plugin - retrocl_postob: operation failure 
[1]
[13/Jul/2015:07:41:49 -0400] - Operation error fetching Null DN 
(01de36ac-295411e5-b94db2ab-07afbca6), error -30993.
[13/Jul/2015:07:41:49 -0400] - dn2entry_ext: Failed to get id for 
changenumber=2281464,cn=changelog from entryrdn index (-30993)
[13/Jul/2015:07:41:49 -0400] - Operation error fetching 
changenumber=2281464,cn=changelog (null), error -30993.
[13/Jul/2015:07:41:49 -0400] DSRetroclPlugin - replog: an error occured while 
adding change number 2281464, dn = changenumber=2281464,cn=changelog: 
Operations error.
[13/Jul/2015:07:41:49 -0400] retrocl-plugin - retrocl_postob: operation failure 
[1]


access logs seem to be showing normal activity. Here's the number of open
connections:

# ls -al /proc/`cat /var/run/dirsrv/slapd-[domain].pid`/fd|grep socket|wc -l
62

Note: the other two replicas have much higher open connections (250) and low
cpu load avgs.

Here's some output of logconv.pl from our most recent access log on the replica
with high cpu load:

Start of Logs:13/Jul/2015:04:49:18
End of Logs:  13/Jul/2015:10:06:11

Processed Log Time:  5 Hours, 16 Minutes, 53 Seconds

Restarts: 0
Total Connections:2343
  - LDAP Connections:  2120
  - LDAPI Connections: 223
  - LDAPS Connections: 0
  - StartTLS Extended Ops: 45
  Secure Protocol Versions:
   - TLS1.2 128-bit AES - 45

Peak Concurrent Connections:  22
Total Operations: 111865
Total Results:111034
Overall Performance:  99.3%

Searches: 95585 (5.03/sec)  (301.64/min)
Modifications:3369  (0.18/sec)  (10.63/min)
Adds: 0 (0.00/sec)  (0.00/min)
Deletes:  0 (0.00/sec)  (0.00/min)
Mod RDNs: 0 (0.00/sec)  (0.00/min)
Compares: 0 (0.00/sec)  (0.00/min)
Binds:7082  (0.37/sec)  (22.35/min)

Proxied Auth Operations:  0
Persistent Searches:  0
Internal Operations:  0
Entry Operations: 0
Extended Operations:  5317
Abandoned Requests:   416
Smart Referrals Received: 0

VLV Operations:   96
VLV Unindexed Searches:   0
VLV Unindexed Components: 32
SORT Operations:  64

Entire Search Base Queries:   0
Paged Searches:   3882
Unindexed Searches:   0
Unindexed Components: 5

FDs Taken:2566
FDs Returned: 2643
Highest FD Taken: 249

Broken Pipes: 0
Connections Reset By Peer:0
Resource Unavailable: 0
Max BER Size Exceeded:0

Binds:7082
Unbinds:  2443
  - LDAP v2 Binds: 0
  - LDAP v3 Binds: 6859
  - AUTOBINDs: 223
  - SSL Client Binds:  0
  - Failed SSL Client Binds:   0
  - SASL Binds:6814
 GSSAPI - 6591
 EXTERNAL - 223
  - Directory Manager Binds:   0
  - Anonymous Binds:   6591
  - Other Binds:   491




strace timing on the ns-slapd 

Re: [Freeipa-users] ipa client on ubuntu and sudo rules

[Lukas Slebodnik]

On (13/07/15 14:49), Karl Forner wrote:
For reference:
I could not make the sudo rules on ubuntu 12.04, I tried many many things.

Ahh,
Default version of sssd in ubuntu 12.04 is 1.8.2
http://packages.ubuntu.com/precise/sssd
it's better to use newer version which contains fixes for sudo.
I would suggest at least the latest 1.9.

But there is another problem.
The default version of sudo in ununtu 12.04 (1.8.3p1) does not contain sssd
support.
http://packages.ubuntu.com/precise/sudo.

The support for sssd in sudo code was added in upstream sudo 1.8.6
http://www.sudo.ws/stable.html#1.8.6

LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ns-slapd high cpu usage

[Andrew E. Bruno]

On Mon, Jul 13, 2015 at 05:29:13PM +0200, Ludwig Krispenz wrote:
 
 On 07/13/2015 05:05 PM, Andrew E. Bruno wrote:
 On Mon, Jul 13, 2015 at 04:58:46PM +0200, Ludwig Krispenz wrote:
 can you get a pstack of the slapd process along with a top -H to find th
 ethread with high cpu usage
 Attached is the full stacktrace of the running ns-slapd proccess. top -H
 shows this thread (2879) with high cpu usage:
 
 2879 dirsrv20   0 3819252 1.962g  11680 R 99.9  3.1   8822:10 ns-slapd
 this thread is a replication thread sending updates, what is strange is that
 the current csn_str is quite old (july, 7th), I can't tell which agreeement
 this thread is handling, but looks like it is heavily reading the changeglog
 and sending updates. anything changed recently in replication setup ?


Yes, we had one replica fail on (6/19) which we removed (not this one
showing high CPU load). Had to perform some manual cleanup of the ipa-ca
RUVs. Then we added the replica back in on 7/1. Since then, replication
appears to have been running normally between the 3 replicas. We've been
monitoring utilization since 7/1 and only recently seen this spike (past
24 hours or so). 

On a side note, we get hit with this bug often:

https://www.redhat.com/archives/freeipa-users/2015-July/msg00018.html

(rouge sssd_be processing hammering a replica). 

This causes high ns-slapd utilization on the replica and restarting sssd
on the client host immediately fixes the issue. However, in this
case, we're not seeing this behavior.




 
 
 
 
 
 On 07/13/2015 04:46 PM, Andrew E. Bruno wrote:
 We have 3 freeipa-replicas. Centos 7.1.1503, ipa-server 4.1.0-18, and
 389-ds 1.3.3.1-16.
 
 Recently, the ns-slapd process on one of our replicas started showing 
 higher
 than normal CPU usage. ns-slapd is pegged at high CPU usage more or less
 constantly.
 
 Seems very similar to this thread:
 https://www.redhat.com/archives/freeipa-users/2015-February/msg00281.html
 
 There are a few errors showing in /var/log/dirsrv/slapd-[domain]/errors 
 (not
 sure if these are related):
 
 
 [13/Jul/2015:02:56:49 -0400] retrocl-plugin - retrocl_postob: operation 
 failure [1]
 [13/Jul/2015:04:11:50 -0400] - dn2entry_ext: Failed to get id for 
 changenumber=2277387,cn=changelog from entryrdn index (-30993)
 [13/Jul/2015:04:11:50 -0400] - Operation error fetching 
 changenumber=2277387,cn=changelog (null), error -30993.
 [13/Jul/2015:04:11:50 -0400] DSRetroclPlugin - replog: an error occured 
 while adding change number 2277387, dn = 
 changenumber=2277387,cn=changelog: Operations error.
 [13/Jul/2015:04:11:50 -0400] retrocl-plugin - retrocl_postob: operation 
 failure [1]
 [13/Jul/2015:07:41:49 -0400] - Operation error fetching Null DN 
 (01de36ac-295411e5-b94db2ab-07afbca6), error -30993.
 [13/Jul/2015:07:41:49 -0400] - dn2entry_ext: Failed to get id for 
 changenumber=2281464,cn=changelog from entryrdn index (-30993)
 [13/Jul/2015:07:41:49 -0400] - Operation error fetching 
 changenumber=2281464,cn=changelog (null), error -30993.
 [13/Jul/2015:07:41:49 -0400] DSRetroclPlugin - replog: an error occured 
 while adding change number 2281464, dn = 
 changenumber=2281464,cn=changelog: Operations error.
 [13/Jul/2015:07:41:49 -0400] retrocl-plugin - retrocl_postob: operation 
 failure [1]
 
 
 access logs seem to be showing normal activity. Here's the number of open
 connections:
 
 # ls -al /proc/`cat /var/run/dirsrv/slapd-[domain].pid`/fd|grep socket|wc 
 -l
 62
 
 Note: the other two replicas have much higher open connections (250) and 
 low
 cpu load avgs.
 
 Here's some output of logconv.pl from our most recent access log on the 
 replica
 with high cpu load:
 
 Start of Logs:13/Jul/2015:04:49:18
 End of Logs:  13/Jul/2015:10:06:11
 
 Processed Log Time:  5 Hours, 16 Minutes, 53 Seconds
 
 Restarts: 0
 Total Connections:2343
   - LDAP Connections:  2120
   - LDAPI Connections: 223
   - LDAPS Connections: 0
   - StartTLS Extended Ops: 45
   Secure Protocol Versions:
- TLS1.2 128-bit AES - 45
 
 Peak Concurrent Connections:  22
 Total Operations: 111865
 Total Results:111034
 Overall Performance:  99.3%
 
 Searches: 95585 (5.03/sec)  (301.64/min)
 Modifications:3369  (0.18/sec)  (10.63/min)
 Adds: 0 (0.00/sec)  (0.00/min)
 Deletes:  0 (0.00/sec)  (0.00/min)
 Mod RDNs: 0 (0.00/sec)  (0.00/min)
 Compares: 0 (0.00/sec)  (0.00/min)
 Binds:7082  (0.37/sec)  (22.35/min)
 
 Proxied Auth Operations:  0
 Persistent Searches:  0
 Internal Operations:  0
 Entry Operations: 0
 Extended Operations:  5317
 Abandoned Requests:   416
 Smart Referrals Received: 0
 
 VLV Operations:   96
 VLV Unindexed 

[Freeipa-users] Windows sync agreement becomes uninitialized and crashes directory server

[nathan]

2 FreeIPA 4.1.4 servers running on CentOS 7.
dc1 has a sync agreement to a windows server.


It has been running fine since June 5 when I re-initialized a sync
agreement that had somehow uninitialized itself.  Original issue report
here :
https://www.redhat.com/archives/freeipa-users/2015-June/msg00147.html
Bug report here : https://fedorahosted.org/freeipa/ticket/5054

It appears the same thing may have happened again, one month later, but
this time randomly, as we have not made any changes to our sync agreement
since the initial change in June.  it appears to have unitialized itself
without us changing it and managed to crash the directory server in doing
so.  Note that during the last week I could still login to the web ui, but
around the time the log entries change, I became unable to.

I tried to login to the web server today and it would not let me login, so
I went to the shell on the server and noticed that ipactl command would
freeze up again.  I looked at the logs (which I will paste below) and
restarted the directory server service.

I then found that my sync agreement had become uninitialized.

--- output ---
[root@dc1 slapd-IPADOMAIN-NET]# ldapsearch -xLLL -D cn=directory manager
-W -b cn=config objectclass=nsDSWindowsReplicationAgreement
Enter LDAP Password:
dn: cn=meToofficedc2.office.addomain.net,cn=replica,cn=dc\3Dipadomain
 \2Cdc\3Dnet,cn=mapping tree,cn=config
nsds7WindowsReplicaSubtree: OU=Staff,DC=office,DC=addomain,DC=net
nsds7DirectoryReplicaSubtree: cn=users,cn=accounts,dc=ipadomain,dc=net
cn: meToofficedc2.office.addomain.net
nsds7NewWinGroupSyncEnabled: false
objectClass: nsDSWindowsReplicationAgreement
objectClass: top
nsDS5ReplicaTransportInfo: TLS
description: me to officedc2.office.addomain.net
nsDS5ReplicaRoot: dc=ipadomain,dc=net
nsDS5ReplicaHost: officedc2.office.addomain.net
nsds5replicaTimeout: 120
nsDS5ReplicaBindDN: cn=freeipa syncuser,ou=Service
Account,dc=office,dc=addomain,dc=net
nsds7NewWinUserSyncEnabled: true
nsDS5ReplicaPort: 389
nsds7WindowsDomain: ipadomain.net
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof
idnssoaserial
  entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: simple
nsDS5ReplicaCredentials:
{AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVG
 RERBNEJDUmtOelUzTTJJNVlpMDBaV1EyTTJRMQ0KWXkwNU0yTm1aV05sTVMxbU5qRXpaak5oTlFBQ
 0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQ2k0N0NxRGZFd2JIdm
 I0MFVFZVI3MA==}gWI9NIB8lbt9tmNszzbBFCAe4Vs/e0sMyn5+NZPJg9E=
nsds7DirsyncCookie::
TVNEUwMAAABoJPGME7jQAQAAYAEAAPc1qQAAA
 AD3NakAAMUjuImqVZhBkOkdt24C0IsBAA4AY4GwFkVcvEmMMExrVon4d6
 13PwAADGzFNzznrESIxHzA74fbsz4HUgAAOnFoO5OE2E27lR/g4EcjQTLbIwAAuEm
 PWjYok0qGS0HM/+TDmK7FgAMA6PTFXvAdnkaJSIkZT1lS+/FcJAAA4qTQaC46/Ua4KXgP
 /ixNcbK4dgAAWowbgYD1akibZ+sCul5C4VNsMQAAxSO4iapVmEGQ6R23bgLQi/c1qQAAA
 AAAogC6jFcyFUmhBp4B7FkaBcRHwwEAyhKMxsP0uUKGEnG2lsyA8eTUwgYA4n8Xx1bAlU
 mBUl3zhlZ9WBngDAAA71vM2ebFEkCJkBaLjB4CGU+4CQMAGfO+4ndZCkaVKnwZNlNsf90
 NDAAAgD6n+M2bcUGkOwo5gPLx7IOjAwAA
nsds50ruv: {replicageneration} 553fe9bb0004
nsds50ruv: {replica 4 ldap://dc1.ipadomain.net:389} 553fe9c9
 0004 557f49fb00020004
nsds50ruv: {replica 3 ldap://dc2.ipadomain.net:389} 553fe9c
 40003 557f3e4a00020003
nsruvReplicaLastModified: {replica 4 ldap://dc1.ipadomain.ne
 t:389} 557f494a
nsruvReplicaLastModified: {replica 3 ldap://dc2.ipadomain.n
 et:389} 557f3d95
oneWaySync: fromWindows
nsds5ReplicaEnabled: on
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 0
nsds5replicaLastUpdateEnd: 0
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: -1  - LDAP error: Can't contact LDAP server
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0
--- output ---

Here are the error logs for the last month for the directory server.  They
are totally empty until July 2.

---output---
389-Directory/1.3.3.8 B2015.040.128
dc1.ipadomain.net:636 (/etc/dirsrv/slapd-IPADOMAIN-NET)

[02/Jul/2015:03:19:02 +] NSMMReplicationPlugin - windows sync - failed
to send dirsync search request: 2
[02/Jul/2015:06:10:29 +] - Entry
uid=jenkinsdev,cn=users,cn=accounts,dc=ipadomain,dc=net missing
attribute sn required by object class person
[03/Jul/2015:02:04:02 +] NSMMReplicationPlugin - windows sync - failed
to send dirsync search request: 2
[03/Jul/2015:05:39:01 +] NSMMReplicationPlugin - windows sync - failed
to send dirsync search request: 2
[03/Jul/2015:17:09:00 +] NSMMReplicationPlugin - windows sync - failed
to send dirsync search request: 2
[03/Jul/2015:22:41:32 +] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Cannot contact any KDC
for realm 

[Freeipa-users] AD users not visible in FreeIPA mapped group

[Angelo Pantano]

I added the external groups to map my Domain Admins AD group like the
freeipa documentation suggests:

# ipa group-add --desc='ad_domain admins external map' ad_admins_external
--external
# ipa group-add --desc='ad_domain admins' ad_admins
# ipa group-add-member ad_admins_external --external 'ad_netbios\Domain
Admins'
# ipa group-add-member ad_admins --groups ad_admins_external

But I dont see any user in the web interface under ad_admins or
ad_admins_external. I thought that this would give us a view of the AD
users in FreeIPA, but I dont see any difference..
Am I missing something here?
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project