Re: [Freeipa-users] Specify different ssh port for ipa-conncheck

2016-11-10 Thread James Harrison
Hello. Thanks for your help Martin, that worked.
James Harrison  
 
  On Thu, 10 Nov, 2016 at 12:15, Martin Basti wrote:   

 
 
 On 10.11.2016 13:00, James Harrison wrote:
  
  Hi All, We use port 2234 for all sshd connections on our systems. 
  It looks like ipa-conncheck uses port 22. 
  Can this be changed to use 2234? This would be for replicas and clients I 
presume. 
  This is quite urgent.
  
  Many thanks, James Harrison
  
  
   
  
 
 Hello,
 
 maybe it is possible to use a local ssh config and manually set the port per host
http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/
 
 if not, then it is not possible to change the SSH port without changing the 
ipa-conncheck code.
 You didn't specify the version of IPA, so in the master git branch the related code is in 
ipa-replica-conncheck, class SshExec.__call__
 
 
 Martin
 
  
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IDM server doesn't boot after update to RHEL 7.3

2016-11-10 Thread Prasun Gera
Yes, from my experiments, it gets stuck at some point where it has to start
avahi. And it fails to start it because it is dependent on something that
is not started yet (which is started when sssd is started). Googling for
that error took me to
http://www.calculate-linux.org/boards/15/topics/26673, which seems to be
somewhat related I think. I'll post the journal messages soon. Is there
some sort of a systemd diff utility which can compare the start sequence of
services from two different systems ? Since my replica is on 7.2, which
afaik works fine, doing a diff between the two might highlight if something
has changed in the start sequence.

On Thu, Nov 10, 2016 at 12:35 PM, Petr Vobornik  wrote:

> On 11/09/2016 12:53 PM, Prasun Gera wrote:
> > It looks like something is messed up in the systemd configuration after
> 7.3. My
> > system doesn't boot at all. The boot screen would display the message:
> "Failed
> > to register match for Disconnected message: Connection timed out". After
> some
> > trial and error, I've managed to boot it. Here's what works right now:
> 1) Boot
> > into system rescue target with debug shell 2) start sssd 3) isolate
> graphical.target
> >
> > I have a replica which I haven't upgraded to 7.3 yet. So I can compare
> the two
> > systems to isolate the problem.
> >
>
> I'm afraid that without more info (messages/journal) nobody will be able
> to help.
>
> But based on the description it seems that it didn't even get to the step
> where IPA is started.
>
> --
> Petr Vobornik
>

Re: [Freeipa-users] guidance and strategies for supporting production use including dev/test IPA systems?

2016-11-10 Thread Petr Vobornik
On 11/09/2016 02:39 PM, Chris Dagdigian wrote:
> 
> Thanks to support from folks on this list I have a 3-node multi-site
> replicating FreeIPA system supporting a number of 1-way trusts to
> various AD Forests. Testing has gone well and it's clear that this "POC"
> will soon transition to production.
> 
> Because of the importance of this system to our environment I'm trying
> to flesh out a proper strategy for testing upgrades and updates in a way
> that lets us keep our system highly available and online.
> 
> And seeing how rapidly this software is being developed w/ new features
> and how dependent we are on the most recent version (or how badly I want
> to try the version in RHEL-BETA-3) I think this is a system we will
> possibly be upgrading somewhat often ...
> 
> I understand that replicas can run newer versions of IPA/IDM than the
> master so that is one path by which we can carefully test updates and
> patches but I don't think that covers all the scenarios ...

But be careful how much you want to test using this method. Setting up a
new replica in a prod environment should not be used as a playground.
Usually a new version of IPA modifies some existing data in LDAP: schema
changes, adding some value here and there to support new features. Since
IPA uses master-master replication, all these changes are replicated
to all other replicas (the older ones). It is fine because the changes
are backwards compatible, but they cannot be undone by removing the new
replica.

> 
> Can anyone share strategies or war stories for how testing is done in
> support of production IPA/IDM environments? Especially when Trusts need
> to be set up with many external AD systems?
> 
> Do people run discrete standalone dev/test IPA domains/realms to create
> isolated  environments or is there some other good strategy that allows
> testing to be done within the same domain/realm?
> 
> Thanks!
> 
> -Chris
> 


-- 
Petr Vobornik



Re: [Freeipa-users] Package naming conflicts with update to RHEL 7.3

2016-11-10 Thread Petr Vobornik
On 11/09/2016 12:43 PM, Prasun Gera wrote:
> Thanks Martin. That bug report is private.

Fixed, it's public now.

> I take it that it's not very serious?

Should not affect IPA functionality.

> 
> On Mon, Nov 7, 2016 at 3:12 AM, Martin Babinsky  > wrote:
> 
> On 11/07/2016 01:31 AM, Prasun Gera wrote:
> 
> Getting this in yum check all after update to 7.3
> 
> ipa-client-4.4.0-12.el7.x86_64 has installed conflicts freeipa-client:
> ipa-client-4.4.0-12.el7.x86_64
> ipa-client-common-4.4.0-12.el7.noarch has installed conflicts
> freeipa-client-common: ipa-client-common-4.4.0-12.el7.noarch
> ipa-common-4.4.0-12.el7.noarch has installed conflicts freeipa-common:
> ipa-common-4.4.0-12.el7.noarch
> ipa-python-compat-4.4.0-12.el7.noarch has installed conflicts
> freeipa-python-compat: ipa-python-compat-4.4.0-12.el7.noarch
> 
> 
> 
> 
> Hi Prasun,
> 
> That is a false positive caused by a bug in yum, see
> https://bugzilla.redhat.com/show_bug.cgi?id=1370134
> 
> 
> -- 
> Martin^3 Babinsky
> 
> 
> 
> 
> 


-- 
Petr Vobornik



Re: [Freeipa-users] IDM server doesn't boot after update to RHEL 7.3

2016-11-10 Thread Petr Vobornik
On 11/09/2016 12:53 PM, Prasun Gera wrote:
> It looks like something is messed up in the systemd configuration after 7.3. 
> My 
> system doesn't boot at all. The boot screen would display the message: 
> "Failed 
> to register match for Disconnected message: Connection timed out". After some 
> trial and error, I've managed to boot it. Here's what works right now: 1) 
> Boot 
> into system rescue target with debug shell 2) start sssd 3) isolate 
> graphical.target
> 
> I have a replica which I haven't upgraded to 7.3 yet. So I can compare the 
> two 
> systems to isolate the problem.
> 

I'm afraid that without more info (messages/journal) nobody will be able
to help.

But based on the description it seems that it didn't even get to the step
where IPA is started.

-- 
Petr Vobornik



[Freeipa-users] slapi_ldap_bind - Error: could not bind id ....

2016-11-10 Thread lejeczek

hello you IPA addicts..

with a hope driven by previous (extremely) positive 
experience I'd like to ask for some help with:


[10/Nov/2016:16:54:53 +] slapi_ldap_bind - Error: could 
not bind id [cn=Replication Manager 
masterAgreement1-swir.xx.xx.xx.xx.x-pki-tomcat,ou=csusers,cn=config] 
authentication mechanism [SIMPLE]: error 32 (No such object) 
errno 0 (Success)


this is one server (out of four) that logs it. I think it 
has to do with replication? This entry gets logged ~every 
few minutes.


Servers seem to work, but how to look for some more obvious 
symptoms of something being wrong/broken?


many thanks.
L



Re: [Freeipa-users] Certificate renewal - not the CA though

2016-11-10 Thread Rob Crittenden
Graham Johnston wrote:
> Hi,
> 
>  
> 
> We are just about to come up on two years of having our freeipa instance
> in place. We are running version 4.2 on CentOS 7.2. We are using the
> internal/default CA configuration from the install.
> 
>  
> 
> Our monitoring system just notified me that the server certificate used
> when accessing the admin web portal will expire in December. I can’t
> seem to find information about whether this cert just auto renews in the
> background somehow or not. I can see lots of information about CA
> renewal but as my CA is not set to expire until 2022 I’m not worried
> about that. 

The CA has a number of subsystems that also have certificates that will
likely be expiring in December as well. Run getcert list to see them all.

> Can someone put my mind at ease, or point me to the documentation I
> can’t seem to find.

certmonger _should_ renew them automatically for you. To force a renewal
attempt the easiest thing to do is to restart the certmonger process. It
may be close enough to renewal time that it'll just go ahead and try.
Watch the status in getcert list.

rob

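
Added example for the renewal question above; it is not certmonger's or FreeIPA's code. Rob's advice is to run getcert list and watch the status of every tracked certificate, not just the web server one, so this parses the text that getcert list prints and flags requests that expire within a chosen window or that certmonger is not actively monitoring. SAMPLE_GETCERT_LIST is constructed data: the request IDs, nicknames, dates and the CA_UNREACHABLE/stuck state are made up to exercise the report, and the script file name in the usage line is an assumption.

```python
"""Parse `getcert list` output and report certificates that need attention.

Added example, not certmonger's or FreeIPA's code. The sample output below
is constructed; real input comes from `getcert list` run as root on the IPA
server. Date format follows certmonger's 'YYYY-MM-DD HH:MM:SS UTC'.
"""
import re
import sys
from datetime import datetime, timezone

# Constructed sample: IDs, names, dates and states are invented.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20141201120000':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2016-12-10 09:15:00 UTC
Request ID '20141201120001':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=OCSP Subsystem,O=EXAMPLE.COM
\texpires: 2016-12-10 09:15:00 UTC
Request ID '20141201120002':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=Certificate Authority,O=EXAMPLE.COM
\texpires: 2022-11-10 09:15:00 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")   # indented 'key: value' lines
DEMO_NOW = datetime(2016, 11, 10, 12, 0, tzinfo=timezone.utc)  # fixed for the demo


def parse_getcert_list(text):
    """One dict per 'Request ID' block, keyed by the field names getcert prints."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return requests


def parse_expiry(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def nickname_of(req):
    m = re.search(r"nickname='([^']*)'", req.get("certificate", ""))
    return m.group(1) if m else req["request_id"]


def renewal_report(text, now, warn_days=30):
    """(nickname, status, days_left, reason) for every request needing a look.

    'expiring' when the cert expires within warn_days; 'not monitoring' when
    certmonger's status is anything other than MONITORING or the request is
    stuck. Requests with no certificate yet have days_left None.
    """
    findings = []
    for req in parse_getcert_list(text):
        expires = req.get("expires")
        days_left = (parse_expiry(expires) - now).days if expires else None
        reasons = []
        if days_left is not None and days_left <= warn_days:
            reasons.append("expiring")
        if req.get("status") != "MONITORING" or req.get("stuck") == "yes":
            reasons.append("not monitoring")
        if reasons:
            findings.append((nickname_of(req), req.get("status"), days_left, ", ".join(reasons)))
    return findings


def demo_report():
    """Run the report over the constructed sample at the fixed demo time."""
    return renewal_report(SAMPLE_GETCERT_LIST, DEMO_NOW)


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCERT_LIST
    for nick, status, days, reason in renewal_report(text, datetime.now(timezone.utc)):
        print(f"{nick}: status={status} days_left={days} ({reason})")
```

Usage: getcert list | python3 getcert_report.py. Anything reported as "not monitoring" is a request certmonger will not renew on its own, whatever the expiry date; for those, restarting certmonger as Rob suggests and re-running getcert list shows whether the renewal attempt went through.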


[Freeipa-users] Certificate renewal - not the CA though

2016-11-10 Thread Graham Johnston
Hi,

We are just about to come up on two years of having our freeipa instance in 
place. We are running version 4.2 on CentOS 7.2. We are using the 
internal/default CA configuration from the install.

Our monitoring system just notified me that the server certificate used when 
accessing the admin web portal will expire in December. I can't seem to find 
information about whether this cert just auto renews in the background somehow 
or not. I can see lots of information about CA renewal but as my CA is not set 
to expire until 2022 I'm not worried about that.

Can someone put my mind at ease, or point me to the documentation I can't seem 
to find.

Thanks,
Graham Johnston
Network Planner
Westman Communications Group
204.717.2829
johnst...@westmancom.com


[Freeipa-users] Fwd: Deployment query

2016-11-10 Thread Sambit Nayak
Hi everyone,

Requesting answers to some queries regarding FreeIPA deployment.

Here is a short description of the deployment scenario.

User/group identities are present in multiple identity/authentication
sources - such as Windows AD, LDAP/Kerberos. The identity source servers -
such as Windows AD Domain Controller - could be in multiple data centers
across WAN/internet.

Goal is to make a set of Linux (client) hosts access and authenticate such
identities. The Linux client hosts could be in a separate data center from
one or more such identity sources.

Will a SSSD/FreeIPA based deployment work here?

- Set up a FreeIPA server (and possibly replicas) in the Linux hosts data
center, and set up the Linux hosts to use SSSD and be enrolled in the
FreeIPA realm

- Set up cross-forest trusts between FreeIPA and (one or more) Windows AD
forests.

 - If FreeIPA server and Windows AD domain controllers have
their system clock synchronized (NTP or otherwise), then would it work even
though for some reason, the local time zone on the servers has been
configured differently? For instance, local time zone on FreeIPA server is
America/New_York and that on Windows AD DC is in Europe/London, but their
system clock are set to UTC.
I understand it's better to have servers always set their clock
set to UTC, but still just to be sure, hence asking. Plus, this FreeIPA
webpage says time zone settings on FreeIPA and WindowsAD must be same :
https://www.freeipa.org/page/Active_Directory_trust_setup#
Date.2Ftime_settings
> Date/time settings
>
> Make sure both timezone settings and date/time settings on both servers
match.

And yes, the system clock on Linux client hosts running SSSD will also be the same
as on the FreeIPA server.


- SSSD on FreeIPA-enrolled Linux hosts can identify/authenticate identities
from Windows AD through FreeIPA trust.

But what about identities in other stores - like simple LDAP, or another
Kerberos realm? Can FreeIPA act as a "single channel" to all Linux SSSD
client hosts for such identities, or does SSSD on the individual Linux
hosts have to directly interact with the non-Windows AD identity sources?

I read some information that FreeIPA server itself can have "trust" with
Windows AD realms only as of now, hence asking...


- Regarding connectivity between FreeIPA server (and/or SSSD Linux client
hosts) and the identity source servers (Windows AD DC, etc.), it will be
through something like VPN over WAN/internet. Will that be advisable?


Thanks & Regards,
Sambit

Re: [Freeipa-users] Specify different ssh port for ipa-conncheck

2016-11-10 Thread Martin Basti



On 10.11.2016 13:00, James Harrison wrote:

Hi All,
We use port 2234 for all sshd connections on our systems.

It looks like ipa-conncheck uses port 22.

Can this be changed to use 2234? This would be for replicas and 
clients I presume.


This is quite urgent.

Many thanks,
James Harrison





Hello,

maybe it is possible to use a local ssh config and manually set the port per host
http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/

if not, then it is not possible to change the SSH port without changing the 
ipa-conncheck code.
You didn't specify the version of IPA, so in the master git branch the related code 
is in ipa-replica-conncheck, class SshExec.__call__



Martin


Re: [Freeipa-users] Specify different ssh port for ipa-conncheck

2016-11-10 Thread James Harrison
We get the below message for replica machines and I've seen it for client 
machines too:
[root@pul-lv-ipa-02 bin]# /root/bin/freeipa-replica-install.sh 
/var/lib/ipa/replica-info-$(hostname -f).gpg
Using reverse zone(s) 23.10.in-addr.arpa.
Run connection check to master
Check connection from replica to remote master 'aa..com ':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
Check SSH connection to remote master
Could not SSH into remote host. Error output:
    OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 56: Applying options for *
    debug1: Connecting to aa..com [10.23.45.88] port 22.
    debug1: connect to address 10.23.45.88 port 22: Connection refused
    ssh: connect to host pul-lv-ipa-01.int.worldfirst.com port 22: Connection 
refused
Could not SSH to remote host.
ipa.ipapython.install.cli.install_tool(Replica): ERROR    Connection check 
failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck 
parameter.


  From: James Harrison 
 To: "freeipa-users@redhat.com"  
 Sent: Thursday, 10 November 2016, 12:00
 Subject: Specify different ssh port for ipa-conncheck
   
Hi All, We use port 2234 for all sshd connections on our systems.
It looks like ipa-conncheck uses port 22.
Can this be changed to use 2234? This would be for replicas and clients I 
presume.
This is quite urgent.

Many thanks, James Harrison




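
Added example for the conncheck thread above; it is not code from FreeIPA's ipa-replica-conncheck. The output James posted shows the tool probing six TCP ports on the master and then failing only at the plain ssh step on port 22, and Martin's suggestion is a per-host ssh config entry. This re-does the TCP half of the check by hand and emits the ssh_config Host block that pins the non-default port. Assumptions not stated in the thread: the master name is a placeholder, and ipa-replica-conncheck is assumed to invoke the system ssh without -F, so a Host block in /root/.ssh/config (the installer runs as root) or /etc/ssh/ssh_config is honoured.

```python
"""Manual TCP conncheck plus an ssh_config stanza for a non-default sshd port.

Added example, not FreeIPA's code. Host name and port 2234 are placeholders
taken from the thread's description; the conncheck tool is assumed to call
`ssh` without -F, so the user's ssh_config applies.
"""
import socket

# TCP ports the conncheck output in the thread reports for the master.
# UDP 88/464 are skipped by the tool and are not probed here either.
IPA_MASTER_TCP_PORTS = {
    "Directory Service: Unsecure port": 389,
    "Directory Service: Secure port": 636,
    "Kerberos KDC: TCP": 88,
    "Kerberos Kpasswd: TCP": 464,
    "HTTP Server: Unsecure port": 80,
    "HTTP Server: Secure port": 443,
}


def tcp_port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable or unresolvable
        return False


def check_master_ports(host, ports=IPA_MASTER_TCP_PORTS, timeout=3.0):
    """{description: bool}, one entry per TCP port, like the tool's OK lines."""
    return {desc: tcp_port_open(host, port, timeout) for desc, port in ports.items()}


def ssh_config_stanza(host, port):
    """ssh_config Host block that pins sshd's port for one master.

    Options the tool passes with -o still win over this file, but nothing in
    the thread's debug output shows it passing -p, so Port applies.
    """
    return f"Host {host}\n    HostName {host}\n    Port {port}\n"


def demo_local_check():
    """Offline self-check: probe a throwaway local listener, then the same
    port once the listener is closed. Returns (open_result, closed_result)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # kernel picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    open_result = check_master_ports("127.0.0.1", {"probe": port})["probe"]
    srv.close()
    closed_result = tcp_port_open("127.0.0.1", port, timeout=1.0)
    return open_result, closed_result


if __name__ == "__main__":
    master, ssh_port = "ipa-master.example.com", 2234   # assumed placeholders
    for desc, ok in check_master_ports(master).items():
        print(f"{desc}: {'OK' if ok else 'FAILED'}")
    print(ssh_config_stanza(master, ssh_port), end="")
```

Usage note: put the stanza in /root/.ssh/config (or /etc/ssh/ssh_config), then re-run the replica install; the "Connecting to ... port 22" line in the debug output should now show the configured port. If the TCP probes above all pass and only the SSH step cannot be made to work, --skip-conncheck is the documented way past it, at the cost of the tool not verifying the reverse direction (master to replica) for you.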

[Freeipa-users] Specify different ssh port for ipa-conncheck

2016-11-10 Thread James Harrison
Hi All, We use port 2234 for all sshd connections on our systems.
It looks like ipa-conncheck uses port 22.
Can this be changed to use 2234? This would be for replicas and clients I 
presume.
This is quite urgent.

Many thanks, James Harrison



Re: [Freeipa-users] SRV (mixed?) records

2016-11-10 Thread Petr Spacek
On 10.11.2016 12:08, lejeczek wrote:
> 
> 
> On 10/11/16 10:44, Petr Spacek wrote:
>> This is non-standard situation so it asks for non-standard commands.
>>
>> I would try:
>> $ ipa privilege-mod 'DNS Servers'
>> --addattr=member=krbprincipalname=DNS/rider..xx.xx..xx.x...@.xx.xx..xx.xx.x,cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x'
>>
>> $ ipa privilege-mod 'DNS Servers'
>> --addattr=member=krbprincipalname=ipa-dnskeysyncd/rider..xx.xx..xx.x...@.xx.xx..xx.xx.x,cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x'
>>
>>
>> Be very careful when constructing these DNs, --addattr does not validate the
>> input!
> 
> well, I realize these can be trivial trifles, but man, you saved the... week!
> And to finish (hopefully) - maybe even more of a puzzle: how it happened?
> This box member was fine, suddenly (I was recovering/reconnecting replication
> agreements), maybe not suddenly, but when I noticed at some point, it did
> that. It lost those ldap bits?

Good question! I really do not know. You may dig into /var/log/dirsrv/* and
look for modifications in the privilege LDAP entry but that is the only advice
I have.

Please let us know if you found out how it happened.

-- 
Petr^2 Spacek

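
Added example for the privilege-mod thread above; it is not FreeIPA's code. Petr's warning is that --addattr takes the member DN verbatim and validates nothing, so this builds the DN of an IPA service principal entry programmatically (RDN escaping included) and runs a shape check before the value goes on an ipa privilege-mod command line. The host, realm and domain are assumed placeholders, not the masked values from the thread; the entry layout krbprincipalname=<principal>,cn=services,cn=accounts,<suffix> is where FreeIPA keeps service principals.

```python
"""Build and sanity-check the DN of an IPA service principal entry.

Added example, not FreeIPA's code. rider.example.com / EXAMPLE.COM are
placeholders. Entry layout: krbprincipalname=SVC/host@REALM,cn=services,
cn=accounts,<suffix>, with <suffix> derived from the domain as IPA does.
"""
import re

# RFC 4514 characters that must be backslash-escaped inside an RDN value.
_RDN_ESCAPE = str.maketrans({c: "\\" + c for c in ',+"\\<>;'})


def escape_rdn_value(value):
    """Escape an attribute value for use in an RDN (RFC 4514)."""
    escaped = value.translate(_RDN_ESCAPE)
    if escaped.startswith(("#", " ")):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def suffix_from_domain(domain):
    """'example.com' -> 'dc=example,dc=com' (IPA's default base DN)."""
    labels = [l for l in domain.strip(".").lower().split(".") if l]
    if not labels:
        raise ValueError("empty domain")
    return ",".join(f"dc={escape_rdn_value(l)}" for l in labels)


def service_principal(service, host, realm):
    return f"{service}/{host.lower()}@{realm.upper()}"


def service_dn(service, host, realm, suffix):
    """DN of the service entry, e.g. for DNS/host or ipa-dnskeysyncd/host."""
    princ = service_principal(service, host, realm)
    return f"krbprincipalname={escape_rdn_value(princ)},cn=services,cn=accounts,{suffix}"


SERVICE_DN_RE = re.compile(
    r"^krbprincipalname=[A-Za-z0-9_-]+/[A-Za-z0-9.-]+@[A-Za-z0-9.-]+,"
    r"cn=services,cn=accounts,(dc=[^,]+)(,dc=[^,]+)*$"
)


def looks_like_service_dn(dn):
    """Cheap shape check to run before handing a hand-typed DN to --addattr."""
    return SERVICE_DN_RE.match(dn) is not None


def privilege_mod_command(privilege, dn):
    """The command line from the thread, DN single-quoted for the shell."""
    if not looks_like_service_dn(dn):
        raise ValueError(f"refusing to emit command for suspicious DN: {dn}")
    return f"ipa privilege-mod '{privilege}' --addattr=member='{dn}'"


if __name__ == "__main__":
    suffix = suffix_from_domain("example.com")
    for svc in ("DNS", "ipa-dnskeysyncd"):
        print(privilege_mod_command("DNS Servers",
                                    service_dn(svc, "rider.example.com", "EXAMPLE.COM", suffix)))
```

Before running the emitted command, confirm the principal actually exists (ipa service-show DNS/rider.example.com, with your own host) so the member attribute does not end up pointing at a DN that is syntactically fine but refers to nothing.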


Re: [Freeipa-users] sssd failed with 'ldap_sasl_bindfailed(-2)[Localerror]'

2016-11-10 Thread Matrix
Hi, Sumit

I have checked, and did not find anything more:

error logs from /var/log/dirsrv/slapd-EXAMPLE-NET/access: 
...
[10/Nov/2016:10:46:58 +] conn=816560 fd=189 slot=189 connection from 
10.2.3.32 to 10.2.1.250
[10/Nov/2016:10:46:58 +] conn=816560 op=0 BIND dn="" method=sasl version=3 
mech=GSSAPI
[10/Nov/2016:10:46:58 +] conn=816560 op=0 RESULT err=14 tag=97 nentries=0 
etime=0, SASL bind in progress
[10/Nov/2016:10:46:58 +] conn=816560 op=-1 fd=189 closed - B1

...

Matrix


-- Original --
From:  "Sumit Bose";;
Date:  Thu, Nov 10, 2016 07:13 PM
To:  "Matrix"; 
Cc:  "Sumit Bose"; "freeipa-users"; 
Subject:  Re: [Freeipa-users] sssd failed with 
'ldap_sasl_bindfailed(-2)[Localerror]'



On Thu, Nov 10, 2016 at 06:48:54PM +0800, Matrix wrote:
> Hi, Sumit
> 
> Thanks for your reply
> 
> I have tried. still failed

Do you see any related messages on the LDAP server side?

bye,
Sumit

> 
> # cat /etc/openldap/ldap.conf  | grep -v ^#
> 
> URI ldap://ipaslave.stg.example.net
> BASE dc=example,dc=net
> TLS_CACERT /etc/ipa/ca.crt
> SASL_MECH GSSAPI
> TLS_REQCERT allow
> SASL_NOCANON on
> 
> 
> # cat /etc/krb5.conf| grep rdns
>   rdns = false
> 
> Matrix
> 
> -- Original --
> From:  "Sumit Bose";;
> Date:  Thu, Nov 10, 2016 06:32 PM
> To:  "freeipa-users"; 
> 
> Subject:  Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind 
> failed(-2)[Localerror]'
> 
> 
> 
> On Thu, Nov 10, 2016 at 05:22:26PM +0800, Matrix wrote:
> > debug steps have been tried: 
> > 
> > 1 kinit is workable: 
> > # /usr/kerberos/bin/kinit -k host/client02.stg.example@example.net
> > 
> > # /usr/kerberos/bin/klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: host/client02.stg.example@example.net
> > 
> > Valid starting     Expires            Service principal
> > 11/10/16 09:18:00  11/11/16 09:17:35  krbtgt/example@example.net
> > 
> > Kerberos 4 ticket cache: /tmp/tkt0
> > klist: You have no tickets cached
> > 
> > 2 ldapwhoami with krb auth failed. 
> > 
> > # ldapwhoami -Y GSSAPI -h ipaslave.stg.example.net
> > SASL/GSSAPI authentication started
> > ldap_sasl_interactive_bind_s: Local error (-2)
> > additional info: SASL(-1): generic failure: GSSAPI Error: 
> > Unspecified GSS failure.  Minor code may provide more information (Mutual 
> > authentication failed)
> > 
> 
> Have you made sure that canonicalizing is disabled, i.e.
> /etc/krb5.conf: 
> [libdefaults]
>  ...
>  rdns = false
>  ...
> 
> /etc/openldap/ldap.conf
> ...
> SASL_NOCANON on
> ...
> 
> HTH
> 
> bye,
> Sumit
> 
> > 
> > Matrix
> > 
> > -- Original --
> > From:  "Matrix";;
> > Date:  Thu, Nov 10, 2016 02:11 PM
> > To:  "freeipa-users"; 
> > 
> > Subject:  [Freeipa-users] sssd failed with 'ldap_sasl_bind failed 
> > (-2)[Localerror]'
> > 
> > 
> > 
> > Hi, 
> > 
> > I have installed sssd in a RHEL5 client. 
> > 
> > ipa-client/sssd version:
> > ipa-client-2.1.3-7.el5
> > sssd-client-1.5.1-71.el5
> > sssd-1.5.1-71.el5
> > 
> > sssd failed to get ipa user info with 'ldap_sasl_bind failed (-2)[Local 
> > error]'. 
> > 
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] 
> > (4): Executing sasl bind mech: GSSAPI, user: host/client02.stg.example.net
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] 
> > (1): ldap_sasl_bind failed (-2)[Local error]
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] 
> > (7): Waiting for child [7].
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] 
> > (4): child [7] finished successfully.
> > 
> > I have tried to google to find root cause. some link explained it should be 
> > something wrong with dns. I have double confirmed it. 
> > 
> > # nslookup client02.stg.example.net
> > Server: 10.2.1.21
> > Address:10.2.1.21#53
> > 
> > Name:   client02.stg.example.net
> > Address: 10.2.3.32
> > 
> > 
> > # nslookup 10.2.3.32
> > Server: 10.2.1.21
> > Address:10.2.1.21#53
> > 
> > 32.3.2.10.in-addr.arpa  name = client02.stg.example.net.
> > 
> > 
> > # nslookup ipaslave.stg.example.net
> > Server: 10.2.1.21
> > Address:10.2.1.21#53
> > 
> > Name:   ipaslave.stg.example.net
> > Address: 10.2.1.250
> > 
> > # nslookup 10.2.1.250
> > Server: 10.2.1.21
> > Address:10.2.1.21#53
> > 
> > 250.1.2.10.in-addr.arpa name = ipaslave.stg.example.net.
> > 
> > Any hints or troubleshooting ideas would be appreciated. 
> > 
> > Matrix
> 

Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed(-2)[Localerror]'

2016-11-10 Thread Sumit Bose
On Thu, Nov 10, 2016 at 06:48:54PM +0800, Matrix wrote:
> Hi, Sumit
> 
> Thanks for your reply
> 
> I have tried. still failed

Do you see any related messages on the LDAP server side?

bye,
Sumit

> 
> # cat /etc/openldap/ldap.conf  | grep -v ^#
> 
> URI ldap://ipaslave.stg.example.net
> BASE dc=example,dc=net
> TLS_CACERT /etc/ipa/ca.crt
> SASL_MECH GSSAPI
> TLS_REQCERT allow
> SASL_NOCANON on
> 
> 
> # cat /etc/krb5.conf| grep rdns
>   rdns = false
> 
> Matrix
> 
> -- Original --
> From:  "Sumit Bose";;
> Date:  Thu, Nov 10, 2016 06:32 PM
> To:  "freeipa-users"; 
> 
> Subject:  Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind 
> failed(-2)[Localerror]'
> 
> 
> 
> On Thu, Nov 10, 2016 at 05:22:26PM +0800, Matrix wrote:
> > debug steps have been tried: 
> > 
> > 1 kinit is workable: 
> > # /usr/kerberos/bin/kinit -k host/client02.stg.example@example.net
> > 
> > # /usr/kerberos/bin/klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: host/client02.stg.example@example.net
> > 
> > Valid starting     Expires            Service principal
> > 11/10/16 09:18:00  11/11/16 09:17:35  krbtgt/example@example.net
> > 
> > Kerberos 4 ticket cache: /tmp/tkt0
> > klist: You have no tickets cached
> > 
> > 2 ldapwhoami with krb auth failed. 
> > 
> > # ldapwhoami -Y GSSAPI -h ipaslave.stg.example.net
> > SASL/GSSAPI authentication started
> > ldap_sasl_interactive_bind_s: Local error (-2)
> > additional info: SASL(-1): generic failure: GSSAPI Error: 
> > Unspecified GSS failure.  Minor code may provide more information (Mutual 
> > authentication failed)
> > 
> 
> Have you made sure that canonicalizing is disabled, i.e.
> /etc/krb5.conf: 
> [libdefaults]
>  ...
>  rdns = false
>  ...
> 
> /etc/openldap/ldap.conf
> ...
> SASL_NOCANON on
> ...
> 
> HTH
> 
> bye,
> Sumit
> 
> > 
> > Matrix
> > 
> > -- Original --
> > From:  "Matrix";;
> > Date:  Thu, Nov 10, 2016 02:11 PM
> > To:  "freeipa-users"; 
> > 
> > Subject:  [Freeipa-users] sssd failed with 'ldap_sasl_bind failed 
> > (-2)[Localerror]'
> > 
> > 
> > 
> > Hi, 
> > 
> > I have installed sssd in a RHEL5 client. 
> > 
> > ipa-client/sssd version:
> > ipa-client-2.1.3-7.el5
> > sssd-client-1.5.1-71.el5
> > sssd-1.5.1-71.el5
> > 
> > sssd failed to get ipa user info with 'ldap_sasl_bind failed (-2)[Local 
> > error]'. 
> > 
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] 
> > (4): Executing sasl bind mech: GSSAPI, user: host/client02.stg.example.net
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] 
> > (1): ldap_sasl_bind failed (-2)[Local error]
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] 
> > (7): Waiting for child [7].
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] 
> > (4): child [7] finished successfully.
> > 
> > I have tried to google to find root cause. some link explained it should be 
> > something wrong with dns. I have double confirmed it. 
> > 
> > # nslookup client02.stg.example.net
> > Server: 10.2.1.21
> > Address:10.2.1.21#53
> > 
> > Name:   client02.stg.example.net
> > Address: 10.2.3.32
> > 
> > 
> > # nslookup 10.2.3.32
> > Server: 10.2.1.21
> > Address:10.2.1.21#53
> > 
> > 32.3.2.10.in-addr.arpa  name = client02.stg.example.net.
> > 
> > 
> > # nslookup ipaslave.stg.example.net
> > Server: 10.2.1.21
> > Address:10.2.1.21#53
> > 
> > Name:   ipaslave.stg.example.net
> > Address: 10.2.1.250
> > 
> > # nslookup 10.2.1.250
> > Server: 10.2.1.21
> > Address:10.2.1.21#53
> > 
> > 250.1.2.10.in-addr.arpa name = ipaslave.stg.example.net.
> > 
> > Any hints or troubleshooting ideas would be appreciated. 
> > 
> > Matrix
> 

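
Added example for the GSSAPI bind thread above; it is not libkrb5's, OpenLDAP's or SSSD's code but a simplified model of the two settings Sumit asked about. krb5.conf rdns makes libkrb5 reverse-resolve the server address before building ldap/<host>@REALM, and ldap.conf SASL_NOCANON, unless on, makes libldap reverse-resolve the server name before SASL even sees it; if the PTR name is not one the LDAP server holds keys for, the server cannot complete the mutual authentication step. The DNS tables are constructed and the mismatching PTR is invented: in the thread the forward and reverse lookups agreed, so this shows what the two settings guard against rather than a confirmed diagnosis of that case. Ignored for brevity: dns_canonicalize_hostname, KDC-side aliases, and the exact stage at which the real libraries surface the error.

```python
"""Model of hostname canonicalization before a SASL/GSSAPI LDAP bind.

Added example, not libkrb5/OpenLDAP code. Server name and address follow
the thread; the 'vip-250' PTR mismatch and the keytab contents are invented.
"""

REALM = "EXAMPLE.NET"
LDAP_SERVER = "ipaslave.stg.example.net"

# Constructed DNS data. DNS_OK matches the nslookup output in the thread;
# DNS_BROKEN invents a PTR that names something other than the A record.
DNS_OK = {
    "A": {LDAP_SERVER: "10.2.1.250"},
    "PTR": {"10.2.1.250": LDAP_SERVER},
}
DNS_BROKEN = {
    "A": {LDAP_SERVER: "10.2.1.250"},
    "PTR": {"10.2.1.250": "vip-250.stg.example.net"},
}

# Principals the LDAP server has keys for (its keytab). Invented.
SERVER_KEYTAB = {f"ldap/{LDAP_SERVER}@{REALM}"}


def reverse_canonicalize(hostname, dns):
    """Forward-resolve hostname, then take the PTR name of its address."""
    addr = dns["A"].get(hostname.lower())
    if addr is None:
        return hostname.lower()
    return dns["PTR"].get(addr, hostname).lower()


def libldap_target(hostname, dns, sasl_nocanon):
    """Name libldap hands to SASL: as given if SASL_NOCANON is on, else the PTR name."""
    return hostname.lower() if sasl_nocanon else reverse_canonicalize(hostname, dns)


def krb5_service_principal(service, hostname, dns, rdns):
    """Simplified krb5_sname_to_principal: with rdns=true the PTR name is used."""
    host = reverse_canonicalize(hostname, dns) if rdns else hostname.lower()
    return f"{service}/{host}@{REALM}"


def gssapi_bind(hostname, dns, rdns, sasl_nocanon, keytab=SERVER_KEYTAB):
    """Return (ok, principal_requested).

    ok is False when the server has no key for the principal the client
    derived: it can neither decrypt the client's ticket nor prove itself
    back to the client, so mutual authentication cannot succeed.
    """
    target = libldap_target(hostname, dns, sasl_nocanon)
    princ = krb5_service_principal("ldap", target, dns, rdns)
    return princ in keytab, princ


if __name__ == "__main__":
    for label, dns in (("PTR matches", DNS_OK), ("PTR mismatch", DNS_BROKEN)):
        for rdns in (True, False):
            for nocanon in (False, True):
                ok, princ = gssapi_bind(LDAP_SERVER, dns, rdns, nocanon)
                print(f"{label:13} rdns={rdns!s:5} SASL_NOCANON={nocanon!s:5} "
                      f"-> {'OK  ' if ok else 'FAIL'} {princ}")
```

The matrix the block prints shows why Sumit asks for both settings: with a mismatching PTR, either knob left at its default is enough to make the client ask for a principal the server does not have, and only rdns = false together with SASL_NOCANON on keeps the configured name end to end.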


Re: [Freeipa-users] SRV (mixed?) records

2016-11-10 Thread lejeczek



On 10/11/16 10:44, Petr Spacek wrote:

This is non-standard situation so it asks for non-standard commands.

I would try:
$ ipa privilege-mod 'DNS Servers'
--addattr=member=krbprincipalname=DNS/rider..xx.xx..xx.x...@.xx.xx..xx.xx.x,cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x'
$ ipa privilege-mod 'DNS Servers'
--addattr=member=krbprincipalname=ipa-dnskeysyncd/rider..xx.xx..xx.x...@.xx.xx..xx.xx.x,cn=services,cn=xxcounts,dc=,dc=xx,dc=xx,dc=,dc=xx,dc=xx,dc=x'

Be very careful when constructing these DNs, --addattr does not validate the 
input!


well, I realize these can be trivial trifles, but man, you 
saved the... week!
And to finish (hopefully) - maybe even more of a puzzle: how 
it happened?
This box member was fine, suddenly (I was 
recovering/reconnecting replication agreements), maybe not 
suddenly, but when I noticed at some point, it did that. It 
lost those ldap bits?


many! thanks
L.



Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed(-2)[Localerror]'

2016-11-10 Thread Matrix
Hi, Sumit

Thanks for your reply

I have tried. still failed

# cat /etc/openldap/ldap.conf  | grep -v ^#

URI ldap://ipaslave.stg.example.net
BASE dc=example,dc=net
TLS_CACERT /etc/ipa/ca.crt
SASL_MECH GSSAPI
TLS_REQCERT allow
SASL_NOCANON on


# cat /etc/krb5.conf| grep rdns
  rdns = false

Matrix

-- Original --
From:  "Sumit Bose";;
Date:  Thu, Nov 10, 2016 06:32 PM
To:  "freeipa-users"; 

Subject:  Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind 
failed(-2)[Localerror]'



On Thu, Nov 10, 2016 at 05:22:26PM +0800, Matrix wrote:
> debug steps have been tried: 
> 
> 1 kinit is workable: 
> # /usr/kerberos/bin/kinit -k host/client02.stg.example@example.net
> 
> # /usr/kerberos/bin/klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: host/client02.stg.example@example.net
> 
> Valid starting     Expires            Service principal
> 11/10/16 09:18:00  11/11/16 09:17:35  krbtgt/example@example.net
> 
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> 
> 2 ldapwhoami with krb auth failed. 
> 
> # ldapwhoami -Y GSSAPI -h ipaslave.stg.example.net
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified 
> GSS failure.  Minor code may provide more information (Mutual authentication 
> failed)
> 

Have you made sure that canonicalizing is disabled, i.e.
/etc/krb5.conf: 
[libdefaults]
 ...
 rdns = false
 ...

/etc/openldap/ldap.conf
...
SASL_NOCANON on
...

HTH

bye,
Sumit

> 
> Matrix
> 
> -- Original --
> From:  "Matrix";;
> Date:  Thu, Nov 10, 2016 02:11 PM
> To:  "freeipa-users"; 
> 
> Subject:  [Freeipa-users] sssd failed with 'ldap_sasl_bind failed 
> (-2)[Localerror]'
> 
> 
> 
> Hi, 
> 
> I have installed sssd in a RHEL5 client. 
> 
> ipa-client/sssd version:
> ipa-client-2.1.3-7.el5
> sssd-client-1.5.1-71.el5
> sssd-1.5.1-71.el5
> 
> sssd failed to get ipa user info with 'ldap_sasl_bind failed (-2)[Local 
> error]'. 
> 
> (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (4): 
> Executing sasl bind mech: GSSAPI, user: host/client02.stg.example.net
> (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (1): 
> ldap_sasl_bind failed (-2)[Local error]
> (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] 
> (7): Waiting for child [7].
> (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] 
> (4): child [7] finished successfully.
> 
> I have tried to google to find root cause. some link explained it should be 
> something wrong with dns. I have double confirmed it. 
> 
> # nslookup client02.stg.example.net
> Server: 10.2.1.21
> Address:10.2.1.21#53
> 
> Name:   client02.stg.example.net
> Address: 10.2.3.32
> 
> 
> # nslookup 10.2.3.32
> Server: 10.2.1.21
> Address:10.2.1.21#53
> 
> 32.3.2.10.in-addr.arpa  name = client02.stg.example.net.
> 
> 
> # nslookup ipaslave.stg.example.net
> Server: 10.2.1.21
> Address:10.2.1.21#53
> 
> Name:   ipaslave.stg.example.net
> Address: 10.2.1.250
> 
> # nslookup 10.2.1.250
> Server: 10.2.1.21
> Address:10.2.1.21#53
> 
> 250.1.2.10.in-addr.arpa name = ipaslave.stg.example.net.
> 
> Any hints or troubleshooting ideas would be appreciated. 
> 
> Matrix

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
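As an added check for the two settings Sumit names above (this is not code from the thread, from SSSD or from FreeIPA): it parses a krb5.conf and an OpenLDAP ldap.conf, reports whether `rdns` and `SASL_NOCANON` are set as advised, and emulates the reverse-DNS step that `rdns = true` performs, so a forward/reverse mismatch for the LDAP server name (the case in which the client ends up asking for a service principal built from the reverse name) is visible before GSSAPI is involved. The config contents and the `resolve_fn` hook are constructed for the example.

```python
"""Diagnostic for Kerberos/LDAP name canonicalization settings.

Added example; not SSSD or FreeIPA code. Config texts below are constructed
samples, and resolve_fn lets reverse_name_matches() run offline."""
import re
import socket

F_RDNS = 'krb5.conf: [libdefaults] rdns is not "false" (MIT default is true)'
F_NOCANON = 'ldap.conf: SASL_NOCANON is not "on" (OpenLDAP default is off)'


def parse_krb5_conf(text):
    """Return {section: {key: value}} for a krb5.conf-style file.
    Only top-level keys of each section are kept; nested '{ }' blocks
    (e.g. per-realm settings) are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            current, depth = m.group(1), 0
            sections[current] = {}
            continue
        if current is None:
            continue
        if line.endswith('{'):
            depth += 1
        elif line == '}':
            depth -= 1
        elif depth == 0 and '=' in line:
            k, v = line.split('=', 1)
            sections[current][k.strip()] = v.strip()
    return sections


def parse_ldap_conf(text):
    """Return {KEY: value} for ldap.conf; keys are case-insensitive."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            opts[parts[0].upper()] = parts[1] if len(parts) > 1 else ''
    return opts


def check_canonicalization(krb5_text, ldap_text):
    """Return a list of findings; an empty list means both knobs match the advice."""
    findings = []
    rdns = parse_krb5_conf(krb5_text).get('libdefaults', {}).get('rdns', 'true')
    if rdns.lower() not in ('false', 'no', '0'):
        findings.append(F_RDNS)
    nocanon = parse_ldap_conf(ldap_text).get('SASL_NOCANON', 'off')
    if nocanon.lower() not in ('on', 'yes', 'true'):
        findings.append(F_NOCANON)
    return findings


def reverse_name_matches(host, resolve_fn=None):
    """Emulate what rdns=true does: forward-resolve host, reverse-resolve the
    address, and compare. resolve_fn(host) -> (ip, reverse_name); the default
    uses the system resolver. Returns (matches, ip, reverse_name)."""
    if resolve_fn is None:
        def resolve_fn(h):
            ip = socket.gethostbyname(h)
            return ip, socket.gethostbyaddr(ip)[0]
    ip, rname = resolve_fn(host)
    return rname.rstrip('.').lower() == host.rstrip('.').lower(), ip, rname


# Constructed sample configs (realm/host names are placeholders).
KRB5_CONF_BAD = """\
[libdefaults]
 default_realm = EXAMPLE.NET
 dns_lookup_kdc = true
[realms]
 EXAMPLE.NET = {
  kdc = ipaslave.stg.example.net:88
 }
"""
KRB5_CONF_GOOD = KRB5_CONF_BAD.replace(" dns_lookup_kdc = true\n",
                                       " dns_lookup_kdc = true\n rdns = false\n")
LDAP_CONF_BAD = "URI ldaps://ipaslave.stg.example.net\nBASE dc=stg,dc=example,dc=net\n"
LDAP_CONF_GOOD = LDAP_CONF_BAD + "SASL_NOCANON on\n"

if __name__ == "__main__":
    for f in check_canonicalization(KRB5_CONF_BAD, LDAP_CONF_BAD):
        print("finding:", f)
    print("fixed configs:", check_canonicalization(KRB5_CONF_GOOD, LDAP_CONF_GOOD))
```

On a real client, feed it `open('/etc/krb5.conf').read()` and `open('/etc/openldap/ldap.conf').read()`, and call `reverse_name_matches('ipaslave.stg.example.net')` with the default resolver; a reverse name that differs from the forward name is exactly what `rdns = false` and `SASL_NOCANON on` stop the client from using.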

Re: [Freeipa-users] SRV (mixed?) records

2016-11-10 Thread Petr Spacek
On 10.11.2016 11:32, lejeczek wrote:
> 
> 
> On 10/11/16 06:51, Petr Spacek wrote:
>> On 9.11.2016 16:57, lejeczek wrote:
>>>
>>> On 09/11/16 14:35, Martin Basti wrote:

 On 09.11.2016 15:33, lejeczek wrote:
>
> On 09/11/16 13:48, Martin Basti wrote:
>>
>> On 09.11.2016 14:11, lejeczek wrote:
>>>
>>> On 09/11/16 12:43, Martin Basti wrote:

 On 09.11.2016 12:15, lejeczek wrote:
>
> On 08/11/16 19:37, Martin Basti wrote:
>>
>> On 08.11.2016 19:41, lejeczek wrote:
>>> hi everyone
>>> when I look at my domain I see something which seems inconsistent to
>>> me (eg. work5 is not part of the domain, was --uninstalled)
>>> Do these record need fixing?
>>> I'm asking becuase one of the servers, despite the fact the ipa dns
>>> related toolkit(on that server) shows zone & records, to
>>> dig/host/etc. presents nothing, empty responses!??
>>>
>>> $ ipa dnsrecord-find xx.xx.xx.xx.x.
>>>Record name: @
>>>NS record: swir.xx.xx.xx.xx.x., rider.xx.xx.xx.xx.x.,
>>>   dzien.xx.xx.xx.xx.x., whale.xx.xx.xx.xx.x.
>>>
>>>Record name: _kerberos
>>>TXT record: .xx.xx..xx.xx.x
>>>
>>>Record name:
>>> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
>>>SRV record: 0 100 88 rider, 0 100 88 work5
>>>
>>>Record name: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
>>>SRV record: 0 100 389 rider, 0 100 389 work5
>>>
>>>Record name:
>>> _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
>>>SRV record: 0 100 88 rider, 0 100 88 work5
>>>
>>>Record name: _kerberos._tcp.dc._msdcs
>>>SRV record: 0 100 88 rider, 0 100 88 work5
>>>
>>>Record name: _ldap._tcp.dc._msdcs
>>>SRV record: 0 100 389 rider, 0 100 389 work5
>>>
>>>Record name: _kerberos._udp.dc._msdcs
>>>SRV record: 0 100 88 rider, 0 100 88 work5
>>>
>>>Record name: _kerberos._tcp
>>>SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
>>> 88 swir
>>>
>>>Record name: _kerberos-master._tcp
>>>SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
>>> 88 swir
>>>
>>>Record name: _kpasswd._tcp
>>>SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 
>>> 100
>>> 464 whale
>>>
>>>Record name: _ldap._tcp
>>>SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 whale, 0 
>>> 100
>>> 389 rider
>>>
>>>Record name: _kerberos._udp
>>>SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
>>> 88 swir
>>>
>>>Record name: _kerberos-master._udp
>>>SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
>>> 88 swir
>>>
>>>Record name: _kpasswd._udp
>>>SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 
>>> 100
>>> 464 whale
>>>
>>>Record name: _ntp._udp
>>>SRV record: 0 100 123 dzien, 0 100 123 rider, 0 100 123 whale, 0
>>> 100 123 swir
>>>
>>> thanks.
>>> L.
>>>
>>
>> Hello,
>>
>> if server work5 is uninstalled, then work5 SRV records should be
>> removed.
>>
>> Martin
> Martin, would you be able suggest a way to troubleshoot that problem
> that one (only) server (rider) seems to present no data for the whole
> domain? Remaining servers correctly respond to any queries. One 
> curious
> thing is that I $rndc trace 6; and (I see debug level changed in
> journalctl) I do not see anything in the logs when I query.
> Zone allows any to query it.
>
>
 What dig @rider  command returns for SRV queries?

>>> don't mind SRV records for now, it returns no record at all, it forwards
>>> and caches but not for the domain itself.
>>> on rider (suffice I point to other member server and records are there)
>>>
>>> $ dig +qr any .xx.xx..xx.xx.x. @10.5.6.100
>>>
>>> ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> +qr any .xx.xx..xx.xx.x.
>>> @10.5.6.100
>>> ;; global options: +cmd
>>> ;; Sending:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36196
>>> ;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4096
>>> ;; QUESTION SECTION:
>>> ;.xx.xx..xx.xx.x. IN ANY
>>>
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: 

Re: [Freeipa-users] SRV (mixed?) records

2016-11-10 Thread lejeczek



On 10/11/16 06:51, Petr Spacek wrote:

On 9.11.2016 16:57, lejeczek wrote:


On 09/11/16 14:35, Martin Basti wrote:


On 09.11.2016 15:33, lejeczek wrote:


On 09/11/16 13:48, Martin Basti wrote:


On 09.11.2016 14:11, lejeczek wrote:


On 09/11/16 12:43, Martin Basti wrote:


On 09.11.2016 12:15, lejeczek wrote:


On 08/11/16 19:37, Martin Basti wrote:


On 08.11.2016 19:41, lejeczek wrote:

hi everyone
when I look at my domain I see something which seems inconsistent to
me (eg. work5 is not part of the domain, was --uninstalled)
Do these record need fixing?
I'm asking becuase one of the servers, despite the fact the ipa dns
related toolkit(on that server) shows zone & records, to
dig/host/etc. presents nothing, empty responses!??

$ ipa dnsrecord-find xx.xx.xx.xx.x.
   Record name: @
   NS record: swir.xx.xx.xx.xx.x., rider.xx.xx.xx.xx.x.,
  dzien.xx.xx.xx.xx.x., whale.xx.xx.xx.xx.x.

   Record name: _kerberos
   TXT record: .xx.xx..xx.xx.x

   Record name: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs
   SRV record: 0 100 88 rider, 0 100 88 work5

   Record name: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs
   SRV record: 0 100 389 rider, 0 100 389 work5

   Record name: _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs
   SRV record: 0 100 88 rider, 0 100 88 work5

   Record name: _kerberos._tcp.dc._msdcs
   SRV record: 0 100 88 rider, 0 100 88 work5

   Record name: _ldap._tcp.dc._msdcs
   SRV record: 0 100 389 rider, 0 100 389 work5

   Record name: _kerberos._udp.dc._msdcs
   SRV record: 0 100 88 rider, 0 100 88 work5

   Record name: _kerberos._tcp
   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
88 swir

   Record name: _kerberos-master._tcp
   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
88 swir

   Record name: _kpasswd._tcp
   SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100
464 whale

   Record name: _ldap._tcp
   SRV record: 0 100 389 swir, 0 100 389 dzien, 0 100 389 whale, 0 100
389 rider

   Record name: _kerberos._udp
   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
88 swir

   Record name: _kerberos-master._udp
   SRV record: 0 100 88 whale, 0 100 88 dzien, 0 100 88 rider, 0 100
88 swir

   Record name: _kpasswd._udp
   SRV record: 0 100 464 rider, 0 100 464 swir, 0 100 464 dzien, 0 100
464 whale

   Record name: _ntp._udp
   SRV record: 0 100 123 dzien, 0 100 123 rider, 0 100 123 whale, 0
100 123 swir

thanks.
L.



Hello,

if server work5 is uninstalled, then work5 SRV records should be removed.

Martin

Martin, would you be able suggest a way to troubleshoot that problem
that one (only) server (rider) seems to present no data for the whole
domain? Remaining servers correctly respond to any queries. One curious
thing is that I $rndc trace 6; and (I see debug level changed in
journalctl) I do not see anything in the logs when I query.
Zone allows any to query it.



What dig @rider  command returns for SRV queries?


don't mind SRV records for now, it returns no record at all, it forwards
and caches but not for the domain itself.
on rider (suffice I point to other member server and records are there)

$ dig +qr any .xx.xx..xx.xx.x. @10.5.6.100

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> +qr any .xx.xx..xx.xx.x.
@10.5.6.100
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36196
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.xx.xx..xx.xx.x. IN ANY

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36196
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.xx.xx..xx.xx.x. IN ANY

;; AUTHORITY SECTION:
.xx.xx.x.  3600  IN  SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x.
1478696070 1800 900 604800 3600

;; Query time: 5 msec
;; SERVER: 10.5.6.100#53(10.5.6.100)
;; WHEN: Wed Nov 09 12:56:16 GMT 2016
;; MSG SIZE  rcvd: 120

I obfuscated FQDNs but it seems like it forwards to a parent domain (to
which it's supposed, by dnsforwardzone)
And like I mentioned earlier, I do dnszone-find, etc. (on rider) it's all
there.




I'm lost now, I don't understand you, you told me that resolving on
'rider' server doesn't work, then you write me that it is expected because
you have fowardzone set, but you cannot have forwardzone and master zone
for the same domain, IPA doesn't allow it, so I have no idea what is not
working for you. (You didn't make it easier by obfuscating output)

Martin

no no, sorry, I mean - it forwards whereas is should be authoritative for
it's own FQDN.
I realize it is not obvious after I obfuscated the output, but here:

;; AUTHORITY SECTION:
.xx.xx.x.  3600  IN  SOA ipreg.xxx.xx.xx.x. hostmaster.xx.xx.x. 1478696070
1800 900 604800 3600

this looks like the only domain with is dnsforwardzone, everything else is

Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed (-2)[Localerror]'

2016-11-10 Thread Matrix
debug steps have been tried: 

1 kinit is workable: 
# /usr/kerberos/bin/kinit -k host/client02.stg.example@example.net

# /usr/kerberos/bin/klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/client02.stg.example@example.net

Valid starting     Expires            Service principal
11/10/16 09:18:00  11/11/16 09:17:35  krbtgt/example@example.net

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

2 ldapwhoami with krb auth failed. 

# ldapwhoami -Y GSSAPI -h ipaslave.stg.example.net
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified 
GSS failure.  Minor code may provide more information (Mutual authentication 
failed)


Matrix

-- Original --
From:  "Matrix";;
Date:  Thu, Nov 10, 2016 02:11 PM
To:  "freeipa-users"; 

Subject:  [Freeipa-users] sssd failed with 'ldap_sasl_bind failed 
(-2)[Localerror]'



Hi, 

I have installed sssd in a RHEL5 client. 

ipa-client/sssd version:
ipa-client-2.1.3-7.el5
sssd-client-1.5.1-71.el5
sssd-1.5.1-71.el5

sssd failed to get ipa user info with 'ldap_sasl_bind failed (-2)[Local 
error]'. 

(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (4): 
Executing sasl bind mech: GSSAPI, user: host/client02.stg.example.net
(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (1): 
ldap_sasl_bind failed (-2)[Local error]
(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] (7): 
Waiting for child [7].
(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] (4): 
child [7] finished successfully.

I have tried to google to find root cause. some link explained it should be 
something wrong with dns. I have double confirmed it. 

# nslookup client02.stg.example.net
Server: 10.2.1.21
Address:10.2.1.21#53

Name:   client02.stg.example.net
Address: 10.2.3.32


# nslookup 10.2.3.32
Server: 10.2.1.21
Address:10.2.1.21#53

32.3.2.10.in-addr.arpa  name = client02.stg.example.net.


# nslookup ipaslave.stg.example.net
Server: 10.2.1.21
Address:10.2.1.21#53

Name:   ipaslave.stg.example.net
Address: 10.2.1.250

# nslookup 10.2.1.250
Server: 10.2.1.21
Address:10.2.1.21#53

250.1.2.10.in-addr.arpa name = ipaslave.stg.example.net.

Any hints or troubleshooting ideas would be appreciated. 

Matrix
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project