Re: [Freeipa-users] sendmail.schema
Hi Martin, thank you for your advice. Now I solved this myself with the following procedure: I followed the page https://www.madboa.com/geek/ldap-aliases/ in a minimally invasive schema update for the FreeIPA directory server:

ldapmodify -x -D "cn=Directory Manager" -W
Enter LDAP Password:
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.6152.945.2.1 NAME 'mailingListName' SUP name )

and

ldapmodify -x -D "cn=Directory Manager" -W
Enter LDAP Password:
dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.6152.945.1.1 NAME 'mailingListPerson' SUP inetOrgPerson STRUCTURAL MAY mailingListName )

After that I created a tree for our mail aliases:

ldapadd -x -D "cn=Directory Manager" -W
dn: cn=mail-aliases,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: mailingListPerson
cn: mail-aliases
sn: mail-aliases

and now I'm able to feed this tree with entries like:

dn: cn=FaxMaster,cn=mail-aliases,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: mailingListPerson
mail: FaxMaster
mailingListName: nirvana
cn: FaxMaster
sn: FaxMaster

which import into our sendmail.mc configuration like:

...
define(`ALIAS_FILE', `/etc/aliases,ldap: -h freeipa.example.com -b "cn=mail-aliases,cn=accounts,dc=example,dc=com" -v mailinglistname -k (&(objectClass=mailingListPerson)(mail=%0))')dnl
...

Regards, Rudi Gabler

On 10 Jul 2015, at 08:43, Martin Kosek <mko...@redhat.com> wrote:
> On 07/09/2015 11:09 AM, Rudolf Gabler wrote:
>> Hi, we are dealing with a huge number of mail aliases which are not purely user aliases but distribution lists, actions on distribution lists and so on (mailman). There was a former sendmail.schema in fedora-ds (we are using fds 21 at the moment), which is gone (at least I didn't find it). Is there now a different approach for FreeIPA to deal with this problem?
>>
>> Regards, Rudi Gabler
>
> I would recommend asking on 389-us...@lists.fedoraproject.org if nobody in this list has a good answer.

-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
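Two checks worth running against the setup Rudi describes, as an added example that is not code from the thread or from FreeIPA: first, that an entry placed under cn=mail-aliases only carries attributes its objectClass chain allows, so ldapadd will accept it; second, that the recipient address substituted for %0 in the -k filter is escaped per RFC 4515, so an address containing '*', '(' or ')' cannot widen the search. The objectClass definition is the one from the post; the built-in classes are an assumed stand-in for the standard schema listing only the attributes the post's entries use, and the hostile address is constructed input. The escaping shows what a correct map layer must produce, not how sendmail itself implements the substitution.

```python
"""Added example: schema sanity check and RFC 4515 filter escaping for the
sendmail-over-LDAP alias tree described in the thread."""
import re

# objectClass definition copied from the post.
OBJECTCLASS_DEF = ("( 1.3.6.1.4.1.6152.945.1.1 NAME 'mailingListPerson' "
                   "SUP inetOrgPerson STRUCTURAL MAY mailingListName )")

# Assumption: a minimal stand-in for the standard classes inetOrgPerson
# inherits from, listing only the attributes used by the post's entries.
BUILTIN_CLASSES = {
    "top": {"sup": None, "must": {"objectclass"}, "may": set()},
    "person": {"sup": "top", "must": {"sn", "cn"}, "may": {"userpassword"}},
    "organizationalperson": {"sup": "person", "must": set(), "may": set()},
    "inetorgperson": {"sup": "organizationalperson", "must": set(), "may": {"mail"}},
}

# The FaxMaster entry from the post, as LDIF text.
FAXMASTER_LDIF = """\
dn: cn=FaxMaster,cn=mail-aliases,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: mailingListPerson
mail: FaxMaster
mailingListName: nirvana
cn: FaxMaster
sn: FaxMaster
"""


def parse_objectclass(defn):
    """Parse the subset of RFC 4512 objectClass syntax used in the post."""
    name = re.search(r"NAME '([^']+)'", defn).group(1).lower()
    sup = re.search(r"\bSUP (\w+)", defn)

    def attr_list(keyword):
        # Either "MAY ( a $ b )" or the single-attribute form "MAY a".
        m = re.search(r"\b%s \(([^)]*)\)|\b%s (\w+)" % (keyword, keyword), defn)
        if not m:
            return set()
        raw = m.group(1) if m.group(1) is not None else m.group(2)
        return {a.strip().lower() for a in raw.split("$")}

    return name, {"sup": sup.group(1).lower() if sup else None,
                  "must": attr_list("MUST"), "may": attr_list("MAY")}


def build_schema():
    classes = dict(BUILTIN_CLASSES)
    name, cls = parse_objectclass(OBJECTCLASS_DEF)
    classes[name] = cls
    return classes


def allowed_attributes(classes, name):
    """Collect MUST/MAY attributes along the SUP chain."""
    must, may = set(), set()
    while name:
        must |= classes[name]["must"]
        may |= classes[name]["may"]
        name = classes[name]["sup"]
    return must, may


def parse_ldif(text):
    entry = {}
    for line in text.strip().splitlines():
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def check_entry(entry, classes):
    """Return the problems that would make ldapadd reject the entry (empty = ok)."""
    problems, must, may = [], set(), set()
    for oc in entry.get("objectclass", []):
        if oc.lower() not in classes:
            problems.append("unknown objectClass %s" % oc)
            continue
        m, y = allowed_attributes(classes, oc.lower())
        must |= m
        may |= y
    for attr in sorted(must - set(entry)):
        problems.append("missing MUST attribute %s" % attr)
    for attr in sorted(set(entry) - must - may - {"dn"}):
        problems.append("attribute %s not allowed by any objectClass" % attr)
    return problems


_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def alias_filter(address):
    """The sendmail.mc -k filter with %0 replaced by the escaped address."""
    return "(&(objectClass=mailingListPerson)(mail=%s))" % escape_filter_value(address)


if __name__ == "__main__":
    schema = build_schema()
    print(check_entry(parse_ldif(FAXMASTER_LDIF), schema))
    print(alias_filter("FaxMaster"))
    print(alias_filter("*)(objectClass=*"))  # hostile input stays inside (mail=...)
```

Without the escaping, the constructed address `*)(objectClass=*` would turn the lookup into a filter matching every entry in the tree; with it, the address is compared literally and simply fails to match.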
Re: [Freeipa-users] ns-slapd high cpu usage
On Wed, Jul 15, 2015 at 04:58:23PM +0200, Ludwig Krispenz wrote:
> On 07/15/2015 04:10 PM, Andrew E. Bruno wrote:
>> On Wed, Jul 15, 2015 at 03:22:51PM +0200, Ludwig Krispenz wrote:
>>> On 07/14/2015 08:59 PM, Andrew E. Bruno wrote:
>>>> On Tue, Jul 14, 2015 at 04:52:10PM +0200, Ludwig Krispenz wrote:
>>>>> hm, the stack traces show csn_str, which correspond to Jul 8th, Jul 4th, and Jul 7th - so it looks like it is iterating the changelog over and over again. The consumer side is cn=meTosrv-m14-24.ccr.buffalo.edu - is this the master? can you provide the result of the following search from m14-24.ccr.buffalo.edu and the server with the high cpu:
>>>>>
>>>>> ldapsearch -o ldif-wrap=no -x -D ... -w -b cn=config objectclass=nsds5replica nsds50ruv
>>>>
>>>> master is srv-m14-24.. here's the results of the ldapsearch:
>>>>
>>>> [srv-m14-24 ~]$ ldapsearch -o ldif-wrap=no -x -D "cn=directory manager" -W -b cn=config objectclass=nsds5replica nsds50ruv
>>>> # replica, dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu, mapping tree, config
>>>> dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config
>>>> nsds50ruv: {replicageneration} 5527f7110004
>>>> nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f7710004 55a55aed0014
>>>> nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c7730005 5591a3d200070005
>>>> nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda0006 5594537800020006
>>>
>>> so this is really strange, the master m14-24 has the latest change from replica 5 (m14-26) as: 5591a3d200070005 which corresponds to Mon, 29 Jun 2015 20:00:18 GMT so no update from 14-24 since that did arrive, or could not update the ruv. So m14-26 tries to replicate all the changes back from that time, but looks like it has no success. is there anything in the logs of m14-24? can you see successful mods with csn=xxx0005?
>>
>> Here's what I could find from the logs on srv-m14-24:
>>
>> [srv-m14-24 ~]# grep -r 0005 /var/log/dirsrv/slapd-[domain]/*
>> access.20150714-014346:[14/Jul/2015:03:10:05 -0400] conn=748529 op=14732 RESULT err=0 tag=103 nentries=0 etime=1 csn=55a4b5f00054
>
> ok, so no update originating at replica 5 has been replicated (probably since June 29). did you experience data inconsistency between the servers?
>
>> And here's the last few lines of the error log on srv-m14-24:
>
> one set of messages refers to the o=ipaca backend and seems to be transient, replication continues later. the other set of msg "No original tombstone .." is annoying (and it is fixed in ticket https://fedorahosted.org/389/ticket/47912)
>
> the next thing we can do to try to understand what is going on is to enable replication logging on m14-26, it will then not only consume all cpu, but write tons of messages to the error log. But it can be turned on and off:
>
> ldapmodify ...
> dn: cn=config
> replace: nsslapd-errorlog-level
> nsslapd-errorlog-level: 8192
>
> and let it run for a while, then set it back to: 0

I enabled replication logging and it's running now. I noticed the default value for nsslapd-errorlog-level was set to 16384 (not 0).

OK to send you the logs off list? Looks like they contain quite a bit of sensitive data.

Thanks again for all the help looking into this.

Best,

--Andrew

>> [12/Jul/2015:10:11:14 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2456070,cn=changelog!!
>> [12/Jul/2015:10:11:48 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2498441,cn=changelog!!
>> [13/Jul/2015:07:41:49 -0400] NSMMReplicationPlugin - agmt=cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a3a4060060): Operations error (1). Will retry later.
>> [13/Jul/2015:11:56:50 -0400] NSMMReplicationPlugin - agmt=cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a3dfca0060): Operations error (1). Will retry later.
>> [13/Jul/2015:14:26:50 -0400] NSMMReplicationPlugin - agmt=cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a402f20060): Operations error (1). Will retry later.
>> [13/Jul/2015:15:26:49 -0400] NSMMReplicationPlugin - agmt=cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a411020060): Operations error (1). Will retry later.
>> [13/Jul/2015:18:26:51 -0400] NSMMReplicationPlugin - agmt=cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a43b320060): Operations
Re: [Freeipa-users] Reverse DNS and Forwarding
On Wednesday, July 15, 2015, Martin Basti <mba...@redhat.com> wrote:
> On 14/07/15 19:12, Nevada Sanchez wrote:
>> I have FreeIPA setup as our primary DNS on an AWS VPC. I setup global forwarding ('Forward First') so that it will forward queries to Amazon's DNS, and then fall back on IPA if it doesn't see a hit. This works perfectly fine for forward DNS lookups:
>>
>> $ # This host does not exist on FreeIPA, but does on Amazon DNS
>> $ host ip-10-0-6-17.ec2.internal
>> ip-10-0-6-17.ec2.internal has address 10.0.6.17
>>
>> However, for reverse lookups, it doesn't seem to get forwarded
>>
>> $ # Same host, reverse lookup fails at FreeIPA
>> $ host 10.0.6.17
>> Host 17.6.0.10.in-addr.arpa. not found: 3(NXDOMAIN)
>>
>> $ # Explicitly forwarding to Amazon DNS, reverse lookup works
>> $ host 10.0.6.17 10.0.0.2
>> Using domain server:
>> Name: 10.0.0.2
>> Address: 10.0.0.2#53
>> Aliases:
>>
>> 17.6.0.10.in-addr.arpa domain name pointer ip-10-0-6-17.ec2.internal.
>>
>> Please help. Thanks!
>>
>> -- *Nevada Sanchez* Co-Founder, ASIC Design Team Lead http://www.butterflynetinc.com/ tel: 203.689.5650 x314 | mobile: 775.863.8726 Come join us http://www.4combinator.com/#opportunities and put a dent in the universe!
>
> Hello, do you have any reverse zones configured on IPA DNS? (with suffix 10.in-addr.arpa)?
>
> -- Martin Basti

Yes.
[Freeipa-users] CIFS share with no active directory
Hi,

My question is quite simple, yet I didn't find any answer on the Internet regarding how to do it :)

How can I configure a Linux Samba server to use FreeIPA for authentication, without having clients join an Active Directory domain, when using Windows 8?

I followed this article: https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

It works like a charm on Windows 7. Though, most of my users are using Windows 8 and authentication doesn't work (NT_STATUS_NO_SUCH_USER).

What I understand is that Windows 8 is passing [usern...@domain.ipa]@[COMPUTER] as login instead of [username]@[DOMAIN.IPA]. Is there any solution for this?

Thanks,
-- Youenn Piolet piole...@gmail.com
Re: [Freeipa-users] ipa-replica-prepare error
On 07/14/2015 11:53 PM, Jan Cholasta wrote:
> Hi,
>
> On 10.7.2015 at 22:33, Orion Poplawski wrote:
>> On 07/08/2015 11:31 AM, Orion Poplawski wrote:
>>> But then when I go to make a replica:
>>>
>>> # ipa-replica-prepare ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12 --dirsrv_pin=XX --http_pkcs12=nwra.com.p12 --http_pin=XX
>>> Directory Manager (existing master) password:
>>> (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>>>
>>> Which looks like others are experiencing (with no resolution that I could see)
>>> https://www.redhat.com/archives/freeipa-users/2015-April/msg00514.html
>
> Unfortunately this error code can mean almost anything, NSS isn't particularly helpful with errors.
>
>> Putting AddTrustExternalCARoot into nwra.com.p12 doesn't appear to help.
>>
>> Filed https://fedorahosted.org/freeipa/ticket/5117
>
> Without ipa-replica-prepare log or pk12util output it's really hard to tell what's going on. Could you provide the output of the following commands:
>
> # pk12util -l nwra.com.p12

Certificate(has private key):
    Data:
        Version: 3 (0x2)
        Serial Number:
            00:d1:3f:8c:79:cf:1c:87:53:f0:05:7c:f6:56:18:3a:
            5c
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
        Validity:
            Not Before: Thu Oct 11 00:00:00 2012
            Not After : Sun Jan 10 23:59:59 2016
        Subject: CN=*.nwra.com,OU=PositiveSSL Wildcard,OU=Domain Control Validated
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    d8:08:80:96:8f:f0:80:86:cd:f0:e7:6a:11:7f:8e:fb:
                    4b:95:6a:42:93:c7:cf:c3:76:80:bd:a6:cc:6c:fd:e2:
                    89:1a:3f:97:c1:3d:2d:fe:e4:4a:90:c5:aa:33:97:b3:
                    54:cc:67:73:57:2d:cb:9f:d0:27:ea:f0:d8:9b:5d:24:
                    94:2f:f5:84:06:d4:04:e8:83:c5:b2:40:b1:59:2c:f8:
                    4f:73:9c:41:fc:8d:46:3d:be:46:e7:9f:15:5d:8c:a5:
                    47:23:de:e2:cf:b3:be:97:ed:0c:82:3e:00:29:b7:8b:
                    a0:86:92:ec:07:00:8b:35:77:1c:27:ba:c8:a0:80:dc:
                    9a:69:dd:99:89:df:b4:70:f6:f6:8c:23:8b:f9:1d:bf:
                    ba:07:32:36:17:bc:25:e7:fb:7a:b0:11:86:de:88:59:
                    51:ed:e5:de:5e:14:e5:c0:28:ce:d3:5b:92:38:de:fa:
                    4b:15:9d:62:13:69:31:5a:0d:21:6e:2e:a6:c6:ae:30:
                    94:95:ce:e6:6c:dc:22:71:b4:1a:3a:f9:ec:4b:72:e4:
                    9d:82:ba:6b:a5:46:b0:b7:5a:23:22:d3:92:57:5b:bf:
                    55:fd:70:df:36:13:9c:a9:df:50:6e:62:43:23:13:eb:
                    f5:ef:ee:c7:15:e0:46:37:21:9b:3d:86:ea:2c:c7:01
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                90:af:6a:3a:94:5a:0b:d8:90:ea:12:56:73:df:43:b4:
                3a:28:da:e7

            Name: Certificate Subject Key ID
            Data:
                e9:88:f0:50:0f:f6:09:89:5c:3d:53:70:38:ca:82:22:
                42:7e:21:e3

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Key Encipherment

            Name: Certificate Basic Constraints
            Critical: True
            Data: Is not a CA.

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate
                TLS Web Client Authentication Certificate

            Name: Certificate Policies
            Data:
                Policy Name: OID.1.3.6.1.4.1.6449.1.2.2.7
                Policy Qualifier Name: PKIX CPS Pointer Qualifier
                Policy Qualifier Data: https://secure.comodo.com/CPS
                Policy Name: OID.2.23.140.1.2.1

            Name: CRL Distribution Points
            Distribution point:
                URI: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl

            Name: Authority Information Access
            Method: PKIX CA issuers access method
            Location:
                URI: http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
            Method: PKIX Online Certificate Status Protocol
            Location:
                URI: http://ocsp.comodoca.com

            Name: Certificate Subject Alt Name
            DNS name: *.nwra.com
            DNS name: nwra.com

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        54:10:0f:42:9a:1f:42:df:1d:4e:e2:b8:bb:9f:c2:fc:
        e1:d7:b7:02:c5:9f:ed:5a:f1:d7:b4:58:23:ab:3c:a7:
        d3:9a:8d:71:f5:f4:a1:8b:02:0f:ce:ec:79:30:90:09:
        41:fe:03:0d:0a:ee:44:ea:f0:9b:c0:e4:92:16:da:fd:
        b3:aa:bf:1d:30:7d:2d:40:33:cb:e5:a3:cc:a5:8f:0e:
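The thread is cut off before a cause is found, and SEC_ERROR_LIBRARY_FAILURE is, as Jan says, uninformative. One concrete thing a practitioner can rule out before filing is whether the PKCS#12 bundle actually contains every certificate that issued its end-entity certificate. The following is an added example, not code from the thread or from FreeIPA: it lists the certificates inside a .p12 via the openssl binary (assumed to be on PATH) and reports issuers that are referenced but absent. The root -> issuing CA -> server chain it builds for the demonstration is constructed test data and has nothing to do with the real nwra.com certificate; the thread does not say whether an incomplete chain was the problem there.

```python
"""Added example: report issuer certificates missing from a PKCS#12 bundle.
Uses the openssl command-line tool; builds a throwaway chain to demonstrate."""
import os
import re
import subprocess
import tempfile


def _openssl(*args, stdin=None):
    return subprocess.run(["openssl", *args], input=stdin, check=True,
                          capture_output=True, text=True).stdout


def p12_certificates(path, password):
    """Return [(subject, issuer), ...] for every certificate in the bundle."""
    with tempfile.TemporaryDirectory() as d:
        pem = os.path.join(d, "certs.pem")
        _openssl("pkcs12", "-in", path, "-nokeys", "-passin", "pass:" + password, "-out", pem)
        # Wrap the PEM certs in a PKCS#7 so one command prints subject/issuer for each.
        p7 = _openssl("crl2pkcs7", "-nocrl", "-certfile", pem)
        listing = _openssl("pkcs7", "-print_certs", "-noout", stdin=p7)
    subjects = re.findall(r"^subject=(.*)$", listing, re.M)
    issuers = re.findall(r"^issuer=(.*)$", listing, re.M)
    return list(zip(subjects, issuers))


def missing_issuers(path, password):
    """Issuer names some certificate in the bundle points at, but which no
    certificate in the bundle has as its subject. Empty means the chain is
    complete up to and including a self-signed root."""
    pairs = p12_certificates(path, password)
    present = {subject for subject, _ in pairs}
    return sorted({issuer for _, issuer in pairs if issuer not in present})


def build_test_bundles(d, password):
    """Constructed chain: root CA -> issuing CA -> *.example.test server cert.
    Produces full.p12 (server key + cert + both CAs) and short.p12 (server only)."""
    def issue(name, subj, ca=None):
        key, crt = os.path.join(d, name + ".key"), os.path.join(d, name + ".pem")
        newkey = ["-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1", "-nodes"]
        if ca is None:  # self-signed root
            _openssl("req", "-x509", "-days", "2", "-subj", subj, "-keyout", key, "-out", crt, *newkey)
        else:
            csr = os.path.join(d, name + ".csr")
            _openssl("req", "-subj", subj, "-keyout", key, "-out", csr, *newkey)
            _openssl("x509", "-req", "-days", "2", "-in", csr, "-CA", ca + ".pem",
                     "-CAkey", ca + ".key", "-CAcreateserial", "-out", crt)
        return key, crt

    _, root = issue("root", "/CN=Example Root CA")
    _, inter = issue("inter", "/CN=Example Issuing CA", ca=os.path.join(d, "root"))
    srv_key, srv = issue("srv", "/CN=*.example.test", ca=os.path.join(d, "inter"))
    chain = os.path.join(d, "chain.pem")
    with open(chain, "w") as out:
        for cert in (inter, root):
            with open(cert) as f:
                out.write(f.read())
    full, short = os.path.join(d, "full.p12"), os.path.join(d, "short.p12")
    export = ["pkcs12", "-export", "-inkey", srv_key, "-in", srv, "-passout", "pass:" + password]
    _openssl(*export, "-certfile", chain, "-out", full)
    _openssl(*export, "-out", short)
    return full, short


def demo(password="secret"):
    """Build both bundles and report what the check says about each."""
    with tempfile.TemporaryDirectory() as d:
        full, short = build_test_bundles(d, password)
        return {"full_count": len(p12_certificates(full, password)),
                "full_missing": missing_issuers(full, password),
                "short_missing": missing_issuers(short, password)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run `missing_issuers("nwra.com.p12", pin)` against the real bundle; an empty list does not prove NSS will accept it, but a non-empty one is a concrete defect to fix before looking further.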
Re: [Freeipa-users] AD users not visible in FreeIPA mapped group
On Wed, Jul 15, 2015 at 01:09:42PM -0700, Angelo Pantano wrote:
> SSSD is able to evaluate group membership, but if for instance I create a view for my user and I add an ssh public key I can only use it to login passwordless on the IPA server, not on an IPA client. The password still works, but I see nothing in the sssd logs that explains why the pubkey was rejected on the IPA client. Could it be that the client is not really aware that there is a view override? I thought that the external mapping would facilitate this..

The views usage is new to me in this thread. Please note there were a number of bugs in the views functionality in 7.1 that were not fixed in a 7.1.z stream so far. If you have a test setup, then it would be best to try and reproduce the bug with the latest 1.12 packages from a COPR repo we have. Would that be possible?
Re: [Freeipa-users] ns-slapd high cpu usage
On Wed, Jul 15, 2015 at 03:22:51PM +0200, Ludwig Krispenz wrote:
> On 07/14/2015 08:59 PM, Andrew E. Bruno wrote:
>> On Tue, Jul 14, 2015 at 04:52:10PM +0200, Ludwig Krispenz wrote:
>>> hm, the stack traces show csn_str, which correspond to Jul 8th, Jul 4th, and Jul 7th - so it looks like it is iterating the changelog over and over again. The consumer side is cn=meTosrv-m14-24.ccr.buffalo.edu - is this the master? can you provide the result of the following search from m14-24.ccr.buffalo.edu and the server with the high cpu:
>>>
>>> ldapsearch -o ldif-wrap=no -x -D ... -w -b cn=config objectclass=nsds5replica nsds50ruv
>>
>> master is srv-m14-24.. here's the results of the ldapsearch:
>>
>> [srv-m14-24 ~]$ ldapsearch -o ldif-wrap=no -x -D "cn=directory manager" -W -b cn=config objectclass=nsds5replica nsds50ruv
>> # replica, dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu, mapping tree, config
>> dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config
>> nsds50ruv: {replicageneration} 5527f7110004
>> nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f7710004 55a55aed0014
>> nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c7730005 5591a3d200070005
>> nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda0006 5594537800020006
>
> so this is really strange, the master m14-24 has the latest change from replica 5 (m14-26) as: 5591a3d200070005 which corresponds to Mon, 29 Jun 2015 20:00:18 GMT so no update from 14-24 since that did arrive, or could not update the ruv. So m14-26 tries to replicate all the changes back from that time, but looks like it has no success. is there anything in the logs of m14-24? can you see successful mods with csn=xxx0005?

Here's what I could find from the logs on srv-m14-24:

[srv-m14-24 ~]# grep -r 0005 /var/log/dirsrv/slapd-[domain]/*
access.20150714-014346:[14/Jul/2015:03:10:05 -0400] conn=748529 op=14732 RESULT err=0 tag=103 nentries=0 etime=1 csn=55a4b5f00054

And here's the last few lines of the error log on srv-m14-24:

[12/Jul/2015:10:11:14 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2456070,cn=changelog!!
[12/Jul/2015:10:11:48 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2498441,cn=changelog!!
[13/Jul/2015:07:41:49 -0400] NSMMReplicationPlugin - agmt=cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a3a4060060): Operations error (1). Will retry later.
[13/Jul/2015:11:56:50 -0400] NSMMReplicationPlugin - agmt=cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a3dfca0060): Operations error (1). Will retry later.
[13/Jul/2015:14:26:50 -0400] NSMMReplicationPlugin - agmt=cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a402f20060): Operations error (1). Will retry later.
[13/Jul/2015:15:26:49 -0400] NSMMReplicationPlugin - agmt=cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a411020060): Operations error (1). Will retry later.
[13/Jul/2015:18:26:51 -0400] NSMMReplicationPlugin - agmt=cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a43b320060): Operations error (1). Will retry later.
[13/Jul/2015:18:56:51 -0400] NSMMReplicationPlugin - agmt=cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a4423a0060): Operations error (1). Will retry later.
[13/Jul/2015:20:41:51 -0400] NSMMReplicationPlugin - agmt=cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a45ad60060): Operations error (1). Will retry later.
[13/Jul/2015:22:41:51 -0400] NSMMReplicationPlugin - agmt=cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a476f60060): Operations error (1). Will retry later.
[14/Jul/2015:06:56:51 -0400] NSMMReplicationPlugin - agmt=cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a4eafa0060): Operations error (1). Will retry later.
[14/Jul/2015:09:56:52 -0400]
Re: [Freeipa-users] ns-slapd high cpu usage
On 07/14/2015 08:59 PM, Andrew E. Bruno wrote:
> On Tue, Jul 14, 2015 at 04:52:10PM +0200, Ludwig Krispenz wrote:
>> hm, the stack traces show csn_str, which correspond to Jul 8th, Jul 4th, and Jul 7th - so it looks like it is iterating the changelog over and over again. The consumer side is cn=meTosrv-m14-24.ccr.buffalo.edu - is this the master? can you provide the result of the following search from m14-24.ccr.buffalo.edu and the server with the high cpu:
>>
>> ldapsearch -o ldif-wrap=no -x -D ... -w -b cn=config objectclass=nsds5replica nsds50ruv
>
> master is srv-m14-24.. here's the results of the ldapsearch:
>
> [srv-m14-24 ~]$ ldapsearch -o ldif-wrap=no -x -D "cn=directory manager" -W -b cn=config objectclass=nsds5replica nsds50ruv
> # replica, dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu, mapping tree, config
> dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config
> nsds50ruv: {replicageneration} 5527f7110004
> nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f7710004 55a55aed0014
> nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c7730005 5591a3d200070005
> nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda0006 5594537800020006

so this is really strange, the master m14-24 has the latest change from replica 5 (m14-26) as: 5591a3d200070005 which corresponds to Mon, 29 Jun 2015 20:00:18 GMT so no update from 14-24 since that did arrive, or could not update the ruv. So m14-26 tries to replicate all the changes back from that time, but looks like it has no success. is there anything in the logs of m14-24? can you see successful mods with csn=xxx0005?

> # replica, o\3Dipaca, mapping tree, config
> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> nsds50ruv: {replicageneration} 5527f74b0060
> nsds50ruv: {replica 96 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f7540060 55a557f60060
> nsds50ruv: {replica 86 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943e6e0056 55943e6f00010056
> nsds50ruv: {replica 91 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c7ba005b 5582c7e40004005b
>
> server with high cpu load is srv-m14-26. here's the results of the ldapsearch from this server:
>
> [srv-m14-26 ~]$ ldapsearch -o ldif-wrap=no -x -D "cn=directory manager" -W -b cn=config objectclass=nsds5replica nsds50ruv
> # replica, dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu, mapping tree, config
> dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config
> nsds50ruv: {replicageneration} 5527f7110004
> nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c7730005 55a55b4700030005
> nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f7710004 55a53eba0004
> nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda0006 5594537800020006
>
> # replica, o\3Dipaca, mapping tree, config
> dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
> nsds50ruv: {replicageneration} 5527f74b0060
> nsds50ruv: {replica 91 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c7ba005b 5582c7e40004005b
> nsds50ruv: {replica 96 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f7540060 55a557f60060
> nsds50ruv: {replica 86 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943e6e0056 55943e6f00010056
>
> srv-m14-25-02 is our 3rd replica which we recently added back in after it failed (was added back in 7/1).
>
> Let me know if you need anything else. Thanks for the help.
>
> --Andrew
>
>> On 07/14/2015 02:35 PM, Andrew E. Bruno wrote:
>>> On Tue, Jul 14, 2015 at 01:41:57PM +0200, Ludwig Krispenz wrote:
>>>> On 07/13/2015 06:36 PM, Andrew E. Bruno wrote:
>>>>> On Mon, Jul 13, 2015 at 05:29:13PM +0200, Ludwig Krispenz wrote:
>>>>>> On 07/13/2015 05:05 PM, Andrew E. Bruno wrote:
>>>>>>> On Mon, Jul 13, 2015 at 04:58:46PM +0200, Ludwig Krispenz wrote:
>>>>>>>> can you get a pstack of the slapd process along with a top -H to find the thread with high cpu usage
>>>>>>>
>>>>>>> Attached is the full stacktrace of the running ns-slapd process. top -H shows this thread (2879) with high cpu usage:
>>>>>>>
>>>>>>> 2879 dirsrv 20 0 3819252 1.962g 11680 R 99.9 3.1 8822:10 ns-slapd
>>>>>>
>>>>>> this thread is a replication thread sending updates, what is strange is that the current csn_str is quite old (July 7th), I can't tell which agreement this thread is handling, but looks like it is heavily reading the changelog and sending updates. anything changed recently in replication setup?
>>>>>
>>>>> Yes, we had one replica fail on (6/19) which we removed (not this one showing high CPU load). Had to perform some manual cleanup of the ipa-ca RUVs. Then we added the replica back in on 7/1. Since then, replication appears to have been running normally between the 3 replicas. We've been monitoring utilization since 7/1 and only recently seen this spike (past 24 hours or so).
>>>>
>>>> is it still in this state? or was it a spike.
>>>
>>> Yes same state.
>>
>> if it still is high cpu consuming, could you - get a few
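Ludwig's diagnosis rests on reading the nsds50ruv output: each RUV element carries a replica id, its URL, and the minimum and maximum CSN that server has seen from that replica, and a CSN is 20 hex characters laid out as 8 of Unix time, 4 of sequence number, 4 of replica id and 4 of sub-sequence. The script below is an added example, not code from the thread or from 389-ds, that decodes CSNs and compares the RUVs of two masters to find exactly the condition he describes: a replica whose own max CSN has advanced while the other master still records a weeks-old max CSN for it. The two RUVs are constructed samples modelled on the thread's topology (replica 4 = srv-m14-24, replica 5 = srv-m14-26, replica 6 = srv-m14-25-02); the archive dropped characters from the real values, so they are not copied. Only the timestamp 0x5591a3d2 that Ludwig decodes is taken from the page.

```python
"""Added example: decode 389-ds CSNs and find replicas whose changes another
master has stopped applying, by comparing nsds50ruv output from both sides."""
import re
from datetime import datetime, timezone

CSN_RE = re.compile(r"^([0-9a-f]{8})([0-9a-f]{4})([0-9a-f]{4})([0-9a-f]{4})$")
RUV_RE = re.compile(r"^nsds50ruv: \{replica (\d+) (\S+)\} ([0-9a-f]{20}) ([0-9a-f]{20})$")

# Constructed sample: what srv-m14-24 (replica 4) reports for dc=ccr,dc=buffalo,dc=edu.
MASTER_RUV = """
nsds50ruv: {replicageneration} 5527f711000000040000
nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f771000000040000 55a55aed000000040000
nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c773000000050000 5591a3d2000700050000
nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda000000060000 55945378000200060000
"""

# Constructed sample: what srv-m14-26 (replica 5, the high-CPU server) reports.
SUPPLIER_RUV = """
nsds50ruv: {replicageneration} 5527f711000000040000
nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c773000000050000 55a55b47000300050000
nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f771000000040000 55a53eba000000040000
nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda000000060000 55945378000200060000
"""


def decode_csn(csn):
    """Split a CSN into its fields; the time is a UTC datetime."""
    m = CSN_RE.match(csn.lower())
    if not m:
        raise ValueError("not a 20-character CSN: %r" % csn)
    ts, seq, rid, sub = m.groups()
    return {"time": datetime.fromtimestamp(int(ts, 16), tz=timezone.utc),
            "seq": int(seq, 16), "rid": int(rid, 16), "subseq": int(sub, 16)}


def parse_ruv(ldif):
    """{replica id: (url, min csn, max csn)} from an nsds50ruv search result."""
    ruv = {}
    for line in ldif.splitlines():
        m = RUV_RE.match(line.strip())
        if m:
            ruv[int(m.group(1))] = (m.group(2), m.group(3), m.group(4))
    return ruv


def stale_replicas(ruvs, threshold_seconds):
    """ruvs maps each server's own replica id to its parsed RUV. For every
    replica R whose own RUV is present, compare R's own max CSN with what each
    other server S has recorded for R; return (S, R, seconds behind) for every
    S that is further behind than the threshold, worst first."""
    stale = []
    for rid, own in ruvs.items():
        own_max = decode_csn(own[rid][2])["time"]
        for viewer, view in ruvs.items():
            if viewer == rid or rid not in view:
                continue
            behind = (own_max - decode_csn(view[rid][2])["time"]).total_seconds()
            if behind > threshold_seconds:
                stale.append((viewer, rid, behind))
    return sorted(stale, key=lambda t: -t[2])


if __name__ == "__main__":
    print(decode_csn("5591a3d2000700050000")["time"])  # the value Ludwig decoded
    ruvs = {4: parse_ruv(MASTER_RUV), 5: parse_ruv(SUPPLIER_RUV)}
    for viewer, rid, behind in stale_replicas(ruvs, 86400):
        print("replica %d has applied nothing from replica %d for %.0f s" % (viewer, rid, behind))
```

The threshold matters: with a one-hour threshold the normal few-minutes-to-hours gap between a master's own latest change and what its peers have seen shows up too, so pick one well above the replication interval the deployment actually runs at. The exchange also records a practical caveat for the logging step: Andrew found the pre-existing nsslapd-errorlog-level was 16384, not 0, so read and note the current value before raising it to 8192 and restore that recorded value afterwards.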
Re: [Freeipa-users] Reverse DNS and Forwarding
On 15/07/15 15:07, Nevada Sanchez wrote:
> On Wednesday, July 15, 2015, Martin Basti <mba...@redhat.com> wrote:
>> On 14/07/15 19:12, Nevada Sanchez wrote:
>>> I have FreeIPA setup as our primary DNS on an AWS VPC. I setup global forwarding ('Forward First') so that it will forward queries to Amazon's DNS, and then fall back on IPA if it doesn't see a hit. This works perfectly fine for forward DNS lookups:
>>>
>>> $ # This host does not exist on FreeIPA, but does on Amazon DNS
>>> $ host ip-10-0-6-17.ec2.internal
>>> ip-10-0-6-17.ec2.internal has address 10.0.6.17
>>>
>>> However, for reverse lookups, it doesn't seem to get forwarded
>>>
>>> $ # Same host, reverse lookup fails at FreeIPA
>>> $ host 10.0.6.17
>>> Host 17.6.0.10.in-addr.arpa. not found: 3(NXDOMAIN)
>>>
>>> $ # Explicitly forwarding to Amazon DNS, reverse lookup works
>>> $ host 10.0.6.17 10.0.0.2
>>> Using domain server:
>>> Name: 10.0.0.2
>>> Address: 10.0.0.2#53
>>> Aliases:
>>>
>>> 17.6.0.10.in-addr.arpa domain name pointer ip-10-0-6-17.ec2.internal.
>>>
>>> Please help. Thanks!
>>
>> Hello, do you have any reverse zones configured on IPA DNS? (with suffix 10.in-addr.arpa)?
>>
>> -- Martin Basti
>
> Yes.

Do you have configured proper delegation via NS records to subzones of 10.in-addr.arpa. on IPA DNS? Respectively, do you have delegation for the 6.0.10.in-addr.arpa. zone to Amazon DNS?

Please notice that forward first doesn't mean that the forwarder will be contacted first, then fallback to IPA. Forward first means if there is no authoritative zone in the IPA server, the query will be forwarded to the forwarder; if the forwarder doesn't return the answer, then recursive search (if allowed) will be used from the root zone.

You have the 10.in-addr.arpa. zone configured, so it is the authoritative zone for the 17.6.0.10.in-addr.arpa. query, and you will get the authoritative answer NXDOMAIN; there is no need for forwarding.

You need to add a delegation:

ipa dnsrecord-add 10.in-addr.arpa. 6.0.10.in-addr.arpa. --ns-rec=amazon.dns.

HTH
-- Martin Basti
Re: [Freeipa-users] reverse lookup dns records in trust setup
On 14.7.2015 15:19, John Stein wrote:
> Hi,
> What I meant was that the IPA server is managing two zones:
>
> Linux.john.com
> Which has these records
> Ipa1 A 192.168.0.140
> client1 A 192.168.0.11
>
> 0.168.192.in-addr.arpa.
> Which has these records
> 11 PTR client1.linux.john.com
> @ NS ipa1.linux.john.com
>
> In the AD forward lookup zones
> John.com
> linux (Same as parent folder) NS ipa1.linux.john.com
>
> Anything more that's unclear?

This is enough. You have the same 'master' zone configured on IPA and AD, which does not make sense from the DNS point of view. You need to move all records to one server and configure a 'forward' zone on the other server. In AD terminology you need to create a 'conditional forwarder'.

Petr^2 Spacek

> Thank you very much!
> John
>
> On Tue, Jul 14, 2015, 15:52 Petr Spacek <pspa...@redhat.com> wrote:
>> On 14.7.2015 14:49, John Stein wrote:
>>> I ran the above commands exactly as I told you on the IPA server. I also set the IPA server as a global forwarder in the AD.
>>>
>>> On Wed, Jul 8, 2015, 12:50 Petr Spacek <pspa...@redhat.com> wrote:
>>>> On 5.7.2015 08:38, John Stein wrote:
>>>>> Hi, I ran these commands in the IdM server
>>>>>
>>>>> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --update-policy='grant JOHN.COM krb5-self * PTR; grant LINUX.JOHN.COM krb5-self * PTR;'
>>>>> $ ipa dnszone-mod 2.0.192.in-addr.arpa. --dynamic-update=1
>>>>>
>>>>> At the Active Directory I have A and PTR records for the IdM server and it is configured as a global forwarder. At the IdM server there are A and PTR records for both the IdM server and another client.
>>>>
>>>> Can you explain what you did, exactly? I do not know what 'I have A and PTR records for the IdM server' exactly means. We need to know exactly what you typed in and where you clicked in AD. The original information is not sufficient, that is why I am asking for more details.
>>>>
>>>> Petr^2 Spacek
>>>>
>>>>> However this setup does not work. From the IdM and linux client every record is resolvable, however from the AD only the IdM is resolvable and the client is not.
>>>>> Maybe there's another thing I need to configure in the AD in order to enable forwarding that I'm missing?
>>
>> I'm not sure I understand you.
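Both DNS threads turn on the same rule: a server that holds an authoritative zone enclosing the query name answers from that zone (NXDOMAIN included) and never forwards, unless a delegation or a conditional forward zone sits below that zone. The following is an added example, not code from either thread or from FreeIPA or BIND, that models this decision for Martin Basti's 'forward first' explanation and for the zone-ownership conflict Petr Spacek identifies. Zone and record data are constructed from the two threads: the 10.in-addr.arpa. zone on IPA, the AWS resolver at 10.0.0.2, Martin's placeholder NS target amazon.dns., and the linux.john.com zone held as master by both IPA and AD; the PTR record in the IPA reverse zone is invented for illustration.

```python
"""Added example: which server answers, refers, or forwards a DNS query,
given authoritative zones, delegations and forward zones."""
import ipaddress


def norm(name):
    return name.rstrip(".").lower()


def labels(name):
    return norm(name).count(".") + 1 if norm(name) else 0


def under(name, zone):
    """True if name is the zone apex or a name below it."""
    return norm(name) == norm(zone) or norm(name).endswith("." + norm(zone))


def closest_zone(qname, zones):
    """Closest enclosing zone (longest suffix match) for qname, or None."""
    hits = [z for z in zones if under(qname, z)]
    return max(hits, key=labels) if hits else None


def resolve(qname, auth_zones, delegations=None, forward_zones=None, forwarders=()):
    """auth_zones: {zone: {owner name: rdata}} this server is authoritative for.
    delegations: {child zone: NS target}, i.e. NS records placed in a parent zone.
    forward_zones: {zone: forwarder}, i.e. conditional forwarders.
    forwarders: global forwarders used under the 'forward first' policy."""
    delegations, forward_zones = delegations or {}, forward_zones or {}
    zone = closest_zone(qname, auth_zones)
    depth = labels(zone) if zone else 0
    # A conditional forward zone or a delegation that is more specific than
    # our closest authoritative zone takes precedence over its NXDOMAIN.
    fz = closest_zone(qname, forward_zones)
    if fz and labels(fz) > depth:
        return ("forward", forward_zones[fz])
    child = closest_zone(qname, delegations)
    if child and labels(child) > depth:
        return ("refer", delegations[child])
    if zone is None:
        # Not ours at all: forward first, recurse from the root only if that fails.
        return ("forward", forwarders[0]) if forwarders else ("recurse", "root")
    records = {norm(k): v for k, v in auth_zones[zone].items()}
    rdata = records.get(norm(qname))
    return ("answer", rdata) if rdata else ("nxdomain", zone)


def reverse_name(ip):
    return ipaddress.ip_address(ip).reverse_pointer + "."


def conflicting_masters(servers):
    """{server: auth_zones} -> zones that more than one server claims to own."""
    owners = {}
    for server, zones in servers.items():
        for z in zones:
            owners.setdefault(norm(z), set()).add(server)
    return {z for z, who in owners.items() if len(who) > 1}


# Constructed data for the AWS thread.
IPA_ZONES = {"10.in-addr.arpa.": {"1.0.0.10.in-addr.arpa.": "PTR ipa.example.test."}}
AWS_RESOLVER = ["10.0.0.2"]
DELEGATION_FIX = {"6.0.10.in-addr.arpa.": "amazon.dns."}

# Constructed data for the trust thread: the layout Petr diagnoses, then the fix.
IPA_TRUST = {"linux.john.com.": {"ipa1.linux.john.com.": "A 192.168.0.140",
                                 "client1.linux.john.com.": "A 192.168.0.11"}}
AD_BROKEN = {"john.com.": {}, "linux.john.com.": {"ipa1.linux.john.com.": "A 192.168.0.140"}}
AD_FIXED = {"john.com.": {}}
AD_CONDITIONAL_FORWARD = {"linux.john.com.": "192.168.0.140"}

if __name__ == "__main__":
    q = reverse_name("10.0.6.17")
    print(q, resolve(q, IPA_ZONES, forwarders=AWS_RESOLVER))
    print(q, resolve(q, IPA_ZONES, delegations=DELEGATION_FIX, forwarders=AWS_RESOLVER))
    print(resolve("ip-10-0-6-17.ec2.internal.", IPA_ZONES, forwarders=AWS_RESOLVER))
    print(conflicting_masters({"ipa": IPA_TRUST, "ad": AD_BROKEN}))
    print(resolve("client1.linux.john.com.", AD_BROKEN))
    print(resolve("client1.linux.john.com.", AD_FIXED, forward_zones=AD_CONDITIONAL_FORWARD))
```

The two broken cases reproduce the symptoms reported: the reverse query for 10.0.6.17 gets an authoritative NXDOMAIN from IPA's 10.in-addr.arpa. zone, and AD answers NXDOMAIN for client1 from its own copy of linux.john.com. Adding the delegation, or replacing AD's copy with a conditional forwarder, changes the outcome to a referral or a forward.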
Re: [Freeipa-users] ns-slapd high cpu usage
On 07/15/2015 04:10 PM, Andrew E. Bruno wrote:
> On Wed, Jul 15, 2015 at 03:22:51PM +0200, Ludwig Krispenz wrote:
>> On 07/14/2015 08:59 PM, Andrew E. Bruno wrote:
>>> On Tue, Jul 14, 2015 at 04:52:10PM +0200, Ludwig Krispenz wrote:
>>>> hm, the stack traces show csn_str, which correspond to Jul 8th, Jul 4th, and Jul 7th - so it looks like it is iterating the changelog over and over again. The consumer side is cn=meTosrv-m14-24.ccr.buffalo.edu - is this the master? can you provide the result of the following search from m14-24.ccr.buffalo.edu and the server with the high cpu:
>>>>
>>>> ldapsearch -o ldif-wrap=no -x -D ... -w -b cn=config objectclass=nsds5replica nsds50ruv
>>>
>>> master is srv-m14-24.. here's the results of the ldapsearch:
>>>
>>> [srv-m14-24 ~]$ ldapsearch -o ldif-wrap=no -x -D "cn=directory manager" -W -b cn=config objectclass=nsds5replica nsds50ruv
>>> # replica, dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu, mapping tree, config
>>> dn: cn=replica,cn=dc\3Dccr\2Cdc\3Dbuffalo\2Cdc\3Dedu,cn=mapping tree,cn=config
>>> nsds50ruv: {replicageneration} 5527f7110004
>>> nsds50ruv: {replica 4 ldap://srv-m14-24.ccr.buffalo.edu:389} 5527f7710004 55a55aed0014
>>> nsds50ruv: {replica 5 ldap://srv-m14-26.ccr.buffalo.edu:389} 5537c7730005 5591a3d200070005
>>> nsds50ruv: {replica 6 ldap://srv-m14-25-02.ccr.buffalo.edu:389} 55943dda0006 5594537800020006
>>
>> so this is really strange, the master m14-24 has the latest change from replica 5 (m14-26) as: 5591a3d200070005 which corresponds to Mon, 29 Jun 2015 20:00:18 GMT so no update from 14-24 since that did arrive, or could not update the ruv. So m14-26 tries to replicate all the changes back from that time, but looks like it has no success. is there anything in the logs of m14-24? can you see successful mods with csn=xxx0005?
>
> Here's what I could find from the logs on srv-m14-24:
>
> [srv-m14-24 ~]# grep -r 0005 /var/log/dirsrv/slapd-[domain]/*
> access.20150714-014346:[14/Jul/2015:03:10:05 -0400] conn=748529 op=14732 RESULT err=0 tag=103 nentries=0 etime=1 csn=55a4b5f00054

ok, so no update originating at replica 5 has been replicated (probably since June 29). did you experience data inconsistency between the servers?

> And here's the last few lines of the error log on srv-m14-24:

one set of messages refers to the o=ipaca backend and seems to be transient, replication continues later. the other set of msg "No original tombstone .." is annoying (and it is fixed in ticket https://fedorahosted.org/389/ticket/47912)

the next thing we can do to try to understand what is going on is to enable replication logging on m14-26, it will then not only consume all cpu, but write tons of messages to the error log. But it can be turned on and off:

ldapmodify ...
dn: cn=config
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 8192

and let it run for a while, then set it back to: 0

> [12/Jul/2015:10:11:14 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2456070,cn=changelog!!
> [12/Jul/2015:10:11:48 -0400] ldbm_back_delete - conn=0 op=0 [retry: 1] No original_tombstone for changenumber=2498441,cn=changelog!!
> [13/Jul/2015:07:41:49 -0400] NSMMReplicationPlugin - agmt=cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a3a4060060): Operations error (1). Will retry later.
> [13/Jul/2015:11:56:50 -0400] NSMMReplicationPlugin - agmt=cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a3dfca0060): Operations error (1). Will retry later.
> [13/Jul/2015:14:26:50 -0400] NSMMReplicationPlugin - agmt=cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a402f20060): Operations error (1). Will retry later.
> [13/Jul/2015:15:26:49 -0400] NSMMReplicationPlugin - agmt=cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a411020060): Operations error (1). Will retry later.
> [13/Jul/2015:18:26:51 -0400] NSMMReplicationPlugin - agmt=cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a43b320060): Operations error (1). Will retry later.
> [13/Jul/2015:18:56:51 -0400] NSMMReplicationPlugin - agmt=cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat (srv-m14-26:389): Consumer failed to replay change (uniqueid cb7acfc1-df9211e4-a351aa45-2e06257b, CSN 55a4423a0060): Operations error (1). Will retry later.
> [13/Jul/2015:20:41:51 -0400] NSMMReplicationPlugin - agmt=cn=masterAgreement1-srv-m14-26.ccr.buffalo.edu-pki-tomcat