[Freeipa-users] forcing ldaps and https

2015-09-04 Thread Danilo Aghemo
Hi all,
how can I force ipa-client to prefer LDAPS and HTTPS over LDAP and HTTP?
I've googled before, but with no results.

I know that the server discovery is based upon SRV records in the DNS and
these point to 389, not 636. I don't know how to change from 389 to
636, nor if this would automatically enable LDAPS on port 636. Then, I have
to get rid of HTTP and use HTTPS only.

Regards,
Danilo
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Replacing the "master"

2015-09-04 Thread Rob Crittenden

Martin Kosek wrote:
> On 09/04/2015 12:00 AM, Rob Crittenden wrote:
>> Steven Jones wrote:
>>> I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I
>>> try and remove the last one the master? it says,
>>>
>>> "[root@vuwunicoipam001 thing]# ipa-replica-manage del vuwunicoipam002.
>>> Directory Manager password:
>>>
>>> Deleting a master is irreversible.
>>> To reconnect to the remote master you will need to prepare a new replica file
>>> and re-install.
>>> Continue to delete? [no]: yes
>>> Deleting this server will orphan 'vuwunicoipam001x  and
>>> vuwunicoipam003.x
>>> You will need to reconfigure your replication topology to delete this server.
>>> [root@vuwunicoipam001 thing]# ipa-replica-manage list
>>> Directory Manager password:
>>>
>>> vuwunicoipam002. master
>>> vuwunicoipam003. master
>>> vuwunicoipam001. master
>>> [root@vuwunicoipam001 thing]#"
>>>
>>> So how do I re-configure?
>>
>> Every server is a master. The only differences may be the services running (CA
>> and/or DNS) and only one generates the CRL and manages certificate renewal.
>> Otherwise they are all equal masters.
>>
>> This doesn't show the topology. Were I to guess it looks like:
>>
>>    001
>>   /   \
>> 002   003
>>
>> So you need to run ipa-replica-manage connect vuwunicoipam002 vuwunicoipam003
>>
>> Then you should be able to delete 0001. Just be sure at least one of those
>> other masters has a CA, if not both of them. You may need ipa-csreplica-manage
>> connect to connect that topology.
>>
>> Also be aware of the DNA config. A master doesn't automatically get one. It
>> only gets it when it creates an entry that needs a range.
>
> However, in this case this should not be a problem AFAIK, given that
> ipa-replica-manage tries to preserve the DNA range, from FreeIPA 3.2:
>
> https://fedorahosted.org/freeipa/ticket/3321

Well, Steven didn't mention his version so I assumed 3.0. It doesn't
hurt to double-check the ranges in advance.

It can still be an issue if one of the masters lacks a DNA range. My
patch harvests the DNA range but IIRC doesn't reset the DNA master
server on all other masters. So one may still be pointing to nowhere and
fail to get a range when needed.


rob
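
The check behind the advice in this reply, as an added example (not code from the thread or from FreeIPA): model the replication agreements as a graph and test whether the remaining masters stay connected once one master is deleted. The segment list follows the topology guessed in the reply; the set of CA hosts is a constructed assumption.

```python
# Added example: would deleting a master orphan the others?
# Host names come from the thread (domain elided there); CA_HOSTS is constructed.
NODES = ["vuwunicoipam001", "vuwunicoipam002", "vuwunicoipam003"]
SEGMENTS = [("vuwunicoipam001", "vuwunicoipam002"),
            ("vuwunicoipam001", "vuwunicoipam003")]
CA_HOSTS = {"vuwunicoipam001", "vuwunicoipam003"}  # assumption for illustration


def components(nodes, segments):
    """Connected components of the agreement graph, each as a sorted list."""
    adj = {n: set() for n in nodes}
    for a, b in segments:
        if a in adj and b in adj:       # agreements touching a removed host drop out
            adj[a].add(b)
            adj[b].add(a)
    seen, comps = set(), []
    for start in sorted(nodes):
        if start in seen:
            continue
        seen.add(start)
        stack, comp = [start], []
        while stack:
            n = stack.pop()
            comp.append(n)
            for m in adj[n] - seen:
                seen.add(m)
                stack.append(m)
        comps.append(sorted(comp))
    return comps


def check_removal(nodes, segments, victim, ca_hosts):
    """Describe the topology that would remain after deleting `victim`."""
    remaining = [n for n in nodes if n != victim]
    comps = components(remaining, segments)
    # One new agreement between each pair of neighbouring islands rejoins them.
    connect_first = [(a[0], b[0]) for a, b in zip(comps, comps[1:])]
    return {
        "orphans": len(comps) > 1,
        "components": comps,
        "connect_first": connect_first,
        "ca_survives": any(h in ca_hosts for h in remaining),
    }


if __name__ == "__main__":
    before = check_removal(NODES, SEGMENTS, "vuwunicoipam001", CA_HOSTS)
    print("before connect:", before)
    fixed = SEGMENTS + before["connect_first"]
    print("after connect: ", check_removal(NODES, fixed, "vuwunicoipam001", CA_HOSTS))
```

Each pair in `connect_first` corresponds to one `ipa-replica-manage connect` run before the delete is retried.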



[Freeipa-users] Faulty LDAP record

2015-09-04 Thread Christoph Kaminski
Hi All,

how can I delete a faulty user in IPA 4.1? The record in LDAP looks like 
this:
nsuniqueid=a69f868e-4b4411e5-99ef9ac3-776749aa+uid=zimt,cn=users,cn=accounts,dc=hso

It is not possible to delete it over the WebUI and with LDAP Browser I get 
this error:

Deleting is not possible, the following error appears:
Error while deleting entry LDAP: error code 32 - No Such Object

Greetz
Christoph Kaminski




Re: [Freeipa-users] Ugrading IPA to dogtag? CA?

2015-09-04 Thread Rob Crittenden

Steven Jones wrote:

It seems I built IPA with self signed certs so I need to upgrade?  is this 
possible? and if so how on existing servers?


I think it depends heavily on what version of IPA you are running and 
what you mean by self-signed.


rob



Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA

2015-09-04 Thread Matt .
Hi,

Does everyone have this working or given up on it ?

Cheers,

Matt

2015-08-26 20:07 GMT+02:00 Matt . :
> Chris,
>
> How far are you on this ? I'm stuck atm :(
>
> I hope you have some reference notes to follow and check out.
>
> Thanks!
>
> Matt
>
> 2015-08-20 22:15 GMT+02:00 Matt . :
>> Hi Chris,
>>
>> Would be great to see!
>>
>> If I have it working and we have 2-3 testcases I think we can add it
>> to the IPA docs!
>>
>> Keep me updated!
>>
>> Thanks
>>
>> Matt
>>
>> 2015-08-20 8:49 GMT+02:00 Christopher Lamb :
>>> Matt
>>>
>>> Once I got Samba and FreeIPA integrated (by the "good old extensions"
>>> path), I always use FreeIPA to administer users. I have never tried the
>>> samba tools like smbpasswd.
>>>
>>> I still have a wiki how-to in the works, but I had to focus on some other
>>> issues for a while.
>>>
>>> Chris
>>>
>>>
>>>
>>> From:   "Matt ." 
>>> To: Youenn PIOLET 
>>> Cc: Christopher Lamb/Switzerland/IBM@IBMCH,
>>> "freeipa-users@redhat.com" 
>>> Date:   20.08.2015 08:12
>>> Subject:Re: [Freeipa-users] Ubuntu Samba Server Auth against IPA
>>>
>>>
>>>
>>> Hi Guys,
>>>
>>> Anyone still a working clue/test here ?
>>>
>>> I didn't come further, as it seems there needs to be some domain join /
>>> match following the freeipa devs.
>>>
>>> Thanks!
>>>
>>> Matt
>>>
>>> 2015-08-13 13:09 GMT+02:00 Matt . :
>>>> Hi,
>>>>
>>>> I might have found something which I have already seen in the logs.
>>>>
>>>> I did a smbpasswd my username on the samba server, it connects to ldap
>>>> very well. I give my new password and get the following:
>>>>
>>>> smbldap_search_ext: base => [dc=my,dc=domain], filter =>
>>>> [(&(objectClass=ipaNTGroupAttrs)(|(ipaNTSecurityIdentifier=S-1my--sid---)))],
>>>> scope => [2]
>>>> Attribute [displayName] not found.
>>>> Could not retrieve 'displayName' attribute from cn=Default SMB
>>>> Group,cn=groups,cn=accounts,dc=my,dc=domain
>>>> Sid S-1my--sid--- -> MYDOMAIN\Default SMB Group(2)
>>>>
>>>> So something is missing!
>>>>
>>>> Thanks so far guys!
>>>>
>>>> Cheers,
>>>>
>>>> Matt
>>>>
>>>> 2015-08-13 12:02 GMT+02:00 Matt . :
>>>>> Hi Youenn,
>>>>>
>>>>> OK thanks! this takes me a little bit further now and I see some good
>>>>> stuff in my logging.
>>>>>
>>>>> I'm testing on a Windows 10 Machine which is not member of an AD or
>>>>> so, so that might be my issue for now ?
>>>>>
>>>>> When testing on the samba box itself as my user I get:
>>>>>
>>>>>
>>>>> [myusername@smb-01 ~]$ smbclient //smb-01.domain.local/shares
>>>>>
>>>>> ...
>>>>> Checking NTLMSSP password for MSP\myusername failed: NT_STATUS_WRONG_PASSWORD
>>>>> ...
>>>>> SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
>>>>>
>>>>>
>>>>> Maybe I have an issue with encrypted passwords ?
>>>>>
>>>>>
>>>>> When we have this all working, I think we have a howto :D
>>>>>
>>>>> Thanks!
>>>>>
>>>>> Matt
>>>>>
>>>>> 2015-08-13 10:53 GMT+02:00 Youenn PIOLET :
>>>>>> Hi Matt
>>>>>>
>>>>>> - CentOS : Did you copy ipasam.so and change your smb.conf accordingly?
>>>>>> sambaSamAccount is not needed anymore that way.
>>>>>> - Default IPA Way : won't work if your Windows is not part of a domain
>>>>>> controller. DOMAIN\username may work for some users using Windows 7 - not 8
>>>>>> nor 10 (it did for me but I was the only one at the office... quite useless)
>>>>>>
>>>>>> This config may work on your CentOS (for the ipasam way):
>>>>>> workgroup = TEST
>>>>>> realm = TEST.NET
>>>>>> kerberos method = dedicated keytab
>>>>>> dedicated keytab file = FILE:/<.>/samba.keytab
>>>>>> create krb5 conf = no
>>>>>> security = user
>>>>>> encrypt passwords = true
>>>>>> passdb backend = ipasam:ldaps://youripa.test.net
>>>>>> ldapsam:trusted = yes
>>>>>> ldapsuffix = test.net
>>>>>> ldap user suffix = cn=users,cn=accounts
>>>>>> ldap group suffix = cn=groups,cn=accounts
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Youenn Piolet
>>>>>> piole...@gmail.com
>>>>>>
>>>>>>
>>>>>> 2015-08-12 22:15 GMT+02:00 Matt . :
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> OK the default IPA way works great actually when testing it as described
>>>>>>> here:
>>>>>>>
>>>>>>>
>>>>>>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>>>>>>
>>>>>>> On the samba server I can auth and see my share where I want to connect
>>>>>>> to.
>>>>>>>
>>>>>>> The issue is, on Windows I cannot auth, even when I do DOMAIN\username
>>>>>>> as username
>>>>>>>
>>>>>>> So, the IPA way should work.
>>>>>>>
>>>>>>> Any comments here ?
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Matt
>>>>>>>
>>>>>>> 2015-08-12 19:00 GMT+02:00 Matt . :
>>>>>>> > Hi guys,
>>>>>>> >
>>>>>>> > I'm testing this out and I think I almost setup, this on a CentOS samba
>>>>>>> > server.
>>>>>>> >

Re: [Freeipa-users] forcing ldaps and https

2015-09-04 Thread Alexander Bokovoy

On Fri, 04 Sep 2015, Danilo Aghemo wrote:

Hi all,
how can I force ipa-client to prefer LDAPS and HTTPS over LDAP and HTTP?
I've googled before, but with no results.

I know that the server discovery is based upon SRV records in the DNS and
these point to 389, not 636. I don't know how to change from 389 to
636, nor if this would automatically enable LDAPS on port 636. Then, I have
to get rid of HTTP and use HTTPS only.

LDAPS is deprecated in favor of StartTLS and not recommended. The client
actually uses STARTTLS on port 389, not a plain LDAP.

--
/ Alexander Bokovoy
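
One way to confirm on the server side that clients on port 389 really do StartTLS before they send a password, as an added example (not code from the thread or from FreeIPA). The sample lines are constructed in the style of a 389 Directory Server access log; the exact field layout is an assumption to verify against your server's log.

```python
import re

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)

# Constructed sample; addresses and DNs are placeholders.
SAMPLE_LOG = """\
[04/Sep/2015:10:00:01 +0200] conn=11 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[04/Sep/2015:10:00:01 +0200] conn=11 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[04/Sep/2015:10:00:01 +0200] conn=11 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[04/Sep/2015:10:00:01 +0200] conn=11 TLS1.2 128-bit AES
[04/Sep/2015:10:00:02 +0200] conn=11 op=1 BIND dn="uid=alice,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[04/Sep/2015:10:00:05 +0200] conn=12 fd=65 slot=65 SSL connection from 192.0.2.11 to 192.0.2.1
[04/Sep/2015:10:00:05 +0200] conn=12 TLS1.2 128-bit AES
[04/Sep/2015:10:00:05 +0200] conn=12 op=0 BIND dn="uid=bob,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[04/Sep/2015:10:00:09 +0200] conn=13 fd=66 slot=66 connection from 192.0.2.12 to 192.0.2.1
[04/Sep/2015:10:00:09 +0200] conn=13 op=0 BIND dn="uid=carol,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[04/Sep/2015:10:00:12 +0200] conn=14 fd=67 slot=67 connection from 192.0.2.13 to 192.0.2.1
[04/Sep/2015:10:00:12 +0200] conn=14 op=0 BIND dn="" method=128 version=3
[04/Sep/2015:10:00:15 +0200] conn=15 fd=68 slot=68 connection from 192.0.2.14 to 192.0.2.1
[04/Sep/2015:10:00:15 +0200] conn=15 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
"""

OPEN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ (SSL )?connection from (\S+)")
EXT_RE = re.compile(r'conn=(\d+) op=\d+ EXT oid="([^"]+)"')
TLS_RE = re.compile(r"conn=(\d+) (?:TLS|SSL)\S* \d+-bit")
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=(\S+)')


def audit(log_text):
    """Return ({conn: transport}, [(conn, client, dn)]) where the list holds
    simple binds (method=128, non-empty DN) sent before any TLS was set up."""
    conns, findings = {}, []
    for line in log_text.splitlines():
        m = OPEN_RE.search(line)
        if m:
            conns[m.group(1)] = {"client": m.group(3), "starttls": False,
                                 "transport": "ldaps" if m.group(2) else "cleartext"}
            continue
        m = EXT_RE.search(line) or TLS_RE.search(line) or BIND_RE.search(line)
        conn = conns.get(m.group(1)) if m else None
        if conn is None:
            continue
        if m.re is EXT_RE:
            conn["starttls"] = conn["starttls"] or m.group(2) == STARTTLS_OID
        elif m.re is TLS_RE:
            # A cipher line after a StartTLS request means the upgrade completed.
            if conn["transport"] == "cleartext" and conn["starttls"]:
                conn["transport"] = "starttls"
        elif m.group(3) == "128" and m.group(2) and conn["transport"] == "cleartext":
            findings.append((m.group(1), conn["client"], m.group(2)))
    return {c: v["transport"] for c, v in conns.items()}, findings


if __name__ == "__main__":
    transports, findings = audit(SAMPLE_LOG)
    print(transports)
    for conn, client, dn in findings:
        print(f"conn={conn} from {client}: simple bind as {dn} without TLS")
```

Anonymous binds and SASL/GSSAPI binds are not reported because neither puts a password on the wire.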



[Freeipa-users] Problem with replication?

2015-09-04 Thread Christoph Kaminski
Hi 

we have a lot of these messages in the error log of dirsrv... What can be 
the problem and how can we fix it?

our (first) master (ipa-1.mgmt.biotronik-homemonitoring.int):
[04/Sep/2015:16:06:41 +0200] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:08:00 +0200] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:08:00 +0200] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:11:41 +0200] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:11:41 +0200] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:13:00 +0200] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:13:00 +0200] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:16:40 +0200] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:16:40 +0200] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:18:00 +0200] ipalockout_preop - [file ipa_lockout.c, line 749]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:18:00 +0200] ipalockout_postop - [file ipa_lockout.c, line 503]: Failed to retrieve entry "cn=Replication Manager masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32

one of our other ipa's (ipa-1.mgmt.datacenter-homemonitoring.int):
[04/Sep/2015:16:21:41 +0200] slapi_ldap_bind - Error: could not bind id [cn=Replication Manager masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config] authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 (Success)

Greetz
Christoph Kaminski



Re: [Freeipa-users] Failed to start pki-tomcatd Service

2015-09-04 Thread Martin Babinsky

On 08/28/2015 05:46 PM, Alexandre Ellert wrote:



On 28 Aug 2015, at 17:41, Alexander Bokovoy wrote:

On Fri, 28 Aug 2015, Alexandre Ellert wrote:



On 28 Aug 2015, at 17:09, Alexander Bokovoy wrote:

On Wed, 26 Aug 2015, Alexandre Ellert wrote:



On 28 Jul 2015, at 05:59, Alexander Bokovoy wrote:

If the problem is too hard to solve, maybe I should try to deploy another
replica ?

You may try that. Sorry for not responding, I have some other tasks that
occupy my time right now.




Can you please tell me the procedure to decommission and re-create a new 
replica ?
Are "ipa-server-install --uninstall" then "ipa-server-install" the only things 
to do ?

No, you need also to remove the server from the replication topology.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/removing-replica.html

--
/ Alexander Bokovoy


I can’t remove the node on which I have problem with pki-tomcatd :

# ipa-replica-manage del .example.com
Deleting a master is irreversible.
To reconnect to the remote master you will need to prepare a new replica file
and re-install.
Continue to delete? [no]: yes
Deleting this server is not allowed as it would leave your installation without 
a CA

It seems that it’s the only node where CA is installed. What should I do now ?

Add a replica with CA using ipa-ca-install on existing replica.

Read the guide, it has detailed coverage of these situations.
--
/ Alexander Bokovoy


On the first node (which is working and without pki-tomcatd service)
# ipa-ca-install
Directory Manager (existing master) password:

CA is already installed.

How is it possible ?


You must provide a replica file as an argument to ipa-ca-install if you 
want to setup CA on another replica.


--
Martin^3 Babinsky


Re: [Freeipa-users] Problem with replication?

2015-09-04 Thread Ludwig Krispenz


On 09/04/2015 04:37 PM, Christoph Kaminski wrote:

Hi

we have a lot of these messages in the error log of dirsrv... What can 
be the problem and how can we fix it?


our (first) master (ipa-1.mgmt.biotronik-homemonitoring.int):
[04/Sep/2015:16:06:41 +0200] ipalockout_postop - [file ipa_lockout.c, 
line 503]: Failed to retrieve entry "cn=Replication Manager 
masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config":32 

[04/Sep/2015:16:08:00 +0200] ipalockout_preop - [file ipa_lockout.c, 
line 749]: Failed to retrieve entry "cn=Replication Manager 
masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:08:00 +0200] ipalockout_postop - [file ipa_lockout.c, 
line 503]: Failed to retrieve entry "cn=Replication Manager 
masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:11:41 +0200] ipalockout_preop - [file ipa_lockout.c, 
line 749]: Failed to retrieve entry "cn=Replication Manager 
masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config":32 

[04/Sep/2015:16:11:41 +0200] ipalockout_postop - [file ipa_lockout.c, 
line 503]: Failed to retrieve entry "cn=Replication Manager 
masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config":32 

[04/Sep/2015:16:13:00 +0200] ipalockout_preop - [file ipa_lockout.c, 
line 749]: Failed to retrieve entry "cn=Replication Manager 
masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:13:00 +0200] ipalockout_postop - [file ipa_lockout.c, 
line 503]: Failed to retrieve entry "cn=Replication Manager 
masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:16:40 +0200] ipalockout_preop - [file ipa_lockout.c, 
line 749]: Failed to retrieve entry "cn=Replication Manager 
masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config":32 

[04/Sep/2015:16:16:40 +0200] ipalockout_postop - [file ipa_lockout.c, 
line 503]: Failed to retrieve entry "cn=Replication Manager 
masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config":32 

[04/Sep/2015:16:18:00 +0200] ipalockout_preop - [file ipa_lockout.c, 
line 749]: Failed to retrieve entry "cn=Replication Manager 
masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32
[04/Sep/2015:16:18:00 +0200] ipalockout_postop - [file ipa_lockout.c, 
line 503]: Failed to retrieve entry "cn=Replication Manager 
masterAgreement1-ipa-1.mgmt.hss.int-pki-tomcat,ou=csusers,cn=config": 32


one of our other ipa's (ipa-1.mgmt.datacenter-homemonitoring.int):
[04/Sep/2015:16:21:41 +0200] slapi_ldap_bind - Error: could not bind 
id [cn=Replication Manager 
masterAgreement1-ipa-1.mgmt.datacenter-homemonitoring.int-pki-tomcat,ou=csusers,cn=config] 
authentication mechanism [SIMPLE]: error 32 (No such object) errno 0 
(Success)

This means you somehow lost the user for authentication in replication. 
You could try to add it back; as a template use one existing user in 
ou=csusers,cn=config


Greetz
Christoph Kaminski







Re: [Freeipa-users] Faulty LDAP record

2015-09-04 Thread Ludwig Krispenz


On 09/04/2015 04:49 PM, Christoph Kaminski wrote:

Hi All,

how can I delete a faulty user in IPA 4.1? The record in LDAP looks 
like this:

nsuniqueid=a69f868e-4b4411e5-99ef9ac3-776749aa+uid=zimt,cn=users,cn=accounts,dc=hso

This is a replication conflict entry: the user uid=zimt was added in 
parallel on two servers. You should be able to delete it with ldapmodify

ldapmodify .
dn: nsuniqueid=a69f868e-4b4411e5-99ef9ac3-776749aa+uid=zimt,cn=users,cn=accounts,dc=hso
changetype: delete



It is not possible to delete it over the WebUI and with LDAP Browser I 
get this error:


Deleting is not possible, the following error appears:
Error while deleting entry LDAP: error code 32 - No Such Object

Greetz
Christoph Kaminski
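
The clean-up described in this reply, generalized as an added example (not code from the thread or from FreeIPA): scan an LDIF export for entries whose first RDN carries an extra nsuniqueid value, the DN shape shown above, and emit the matching delete records. The export is constructed; treating nsds5ReplConflict as corroboration assumes the 389 Directory Server attribute of that name is present on conflict entries.

```python
import base64

# Constructed LDIF export. The first DN is the one from the post, folded the
# way LDIF wraps long lines (RFC 2849: a continuation starts with one space).
SAMPLE_LDIF = """\
dn: nsuniqueid=a69f868e-4b4411e5-99ef9ac3-776749aa+uid=zimt,cn=users,cn=acc
 ounts,dc=hso
nsds5ReplConflict: namingConflict uid=zimt,cn=users,cn=accounts,dc=hso
uid: zimt

dn: uid=zimt,cn=users,cn=accounts,dc=hso
uid: zimt

dn: uid=a\\+b,cn=users,cn=accounts,dc=hso
uid: a+b
"""


def split_unescaped(value, sep):
    """Split on `sep`, leaving backslash-escaped characters untouched."""
    parts, cur, i = [], [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            cur.append(value[i:i + 2])
            i += 2
            continue
        if value[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(value[i])
        i += 1
    parts.append("".join(cur))
    return parts


def parse_entries(ldif):
    """Yield (dn, attrs) per entry; handles folded lines and base64 values."""
    for block in ldif.replace("\n ", "").strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):            # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name.lower(), []).append(value.strip())
        if dn:
            yield dn, attrs


def find_conflicts(ldif):
    """Return [(conflict_dn, original_dn, has_conflict_attr)]."""
    found = []
    for dn, attrs in parse_entries(ldif):
        rdns = split_unescaped(dn, ",")
        avas = split_unescaped(rdns[0], "+")
        keep = [a for a in avas if not a.lower().startswith("nsuniqueid=")]
        if len(avas) > 1 and len(keep) < len(avas):
            original = ",".join(["+".join(keep)] + rdns[1:])
            found.append((dn, original, "nsds5replconflict" in attrs))
    return found


def delete_ldif(ldif):
    """LDIF change records that remove every conflict entry found."""
    return "\n".join(f"dn: {dn}\nchangetype: delete\n"
                     for dn, _, _ in find_conflicts(ldif))


if __name__ == "__main__":
    print(delete_ldif(SAMPLE_LDIF))
```

Review the `original_dn` entry that stays behind before feeding the generated records to ldapmodify.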








Re: [Freeipa-users] Replacing the "master"

2015-09-04 Thread Martin Kosek
On 09/04/2015 12:00 AM, Rob Crittenden wrote:
> Steven Jones wrote:
>> I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I
>> try and remove the last one the master? it says,
>>
>> "[root@vuwunicoipam001 thing]# ipa-replica-manage del 
>> vuwunicoipam002.
>> Directory Manager password:
>>
>> Deleting a master is irreversible.
>> To reconnect to the remote master you will need to prepare a new replica file
>> and re-install.
>> Continue to delete? [no]: yes
>> Deleting this server will orphan 'vuwunicoipam001x  and  
>> vuwunicoipam003.x
>> You will need to reconfigure your replication topology to delete this server.
>> [root@vuwunicoipam001 thing]# ipa-replica-manage list
>> Directory Manager password:
>>
>> vuwunicoipam002. master
>> vuwunicoipam003. master
>> vuwunicoipam001. master
>> [root@vuwunicoipam001 thing]#"
>>
>> So how do I re-configure?
> 
> Every server is a master. The only differences may be the services running (CA
> and/or DNS) and only one generates the CRL and manages certificate renewal.
> Otherwise they are all equal masters.
> 
> This doesn't show the topology. Were I to guess it looks like:
> 
>    001
>   /   \
> 002   003
> 
> So you need to run ipa-replica-manage connect vuwunicoipam002 vuwunicoipam003
> 
> Then you should be able to delete 0001. Just be sure at least one of those
> other masters has a CA, if not both of them. You may need ipa-csreplica-manage
> connect to connect that topology.
> 
> Also be aware of the DNA config. A master doesn't automatically get one. It
> only gets it when it creates an entry that needs a range.

However, in this case this should not be a problem AFAIK, given that
ipa-replica-manage tries to preserve the DNA range, from FreeIPA 3.2:

https://fedorahosted.org/freeipa/ticket/3321

Martin



Re: [Freeipa-users] kinit admin not working anymore (LOCKED_OUT: Clients credentials have been revoked)

2015-09-04 Thread Torsten Harenberg
Janelle,

On 03.09.15 at 21:38, Janelle wrote:
> As soon as I get another failed replica in this state (about once every
> 2-3 weeks) I will post the logs and open a ticket. On one server, I
> simply did a reboot, and when it came back, the keytab was wrong and the
> replica now claimed that it was no longer a member of the replica list. 
> Let me get more information and logs to open a ticket.

May I ask you to post a link to the ticket here once it's open? I am
really interested to follow this issue.

Besides only two people having the password here, we have a two-factor
authentication on ssh, so there shouldn't be login failures via ssh to
valid accounts. I posted my "ipa user-show" output earlier.

But we run IPA to authenticate users to a compute cluster of about 3000
job slots, so there are in fact a lot of ssh connections to be handled.
And if a flood of jobs is started more or less at the same time, these
ssh connections will spread out in parallel. So that could match what
Rob was saying.

Hope we can find out at the end what is really causing this..

Best regards

  Torsten

-- 
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
<>  <>
<> Dr. Torsten Harenberg harenb...@physik.uni-wuppertal.de  <>
<> Bergische Universitaet   <>
<> FB C - Physik Tel.: +49 (0)202 439-3521  <>
<> Gaussstr. 20  Fax : +49 (0)202 439-2811  <>
<> 42097 Wuppertal  <>
<>  <>
<><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><>
