Re: [Freeipa-users] ns-slapd segfault

2016-11-29 Thread Giulio Casella

On 29/11/2016 14:46, Giulio Casella wrote:

On 29/11/2016 14:19, Mark Reynolds wrote:



On 11/29/2016 03:14 AM, Giulio Casella wrote:

On 28/11/2016 19:22, Mark Reynolds wrote:



On 11/28/2016 10:22 AM, Giulio Casella wrote:

On 28/11/2016 15:25, Lukas Slebodnik wrote:

On (28/11/16 12:39), Giulio Casella wrote:

Hello,

I have a setup with two ipa server in replica, based on CentOS 7.
On one server (since a couple of days) ipa cannot start, the failing
service
is dirsrv@.service.
In journal I have:

ns-slapd[4617]: segfault at 7fb53b1ce515 ip 7fb50126e1a6 sp
7ffc0b80d6c8 error 4 in libc-2.17.so[7fb501124000+1b7000]

(just after a lot of SSL alerts complaining about some enabled
cypher suite,
but I cannot say if this could be related).

I'm using ipa 4.2.0, and 389-ds-base 1.3.4.


It would be good to know the exact version.
rpm -q 389-ds-base


Installed version is:

389-ds-base-1.3.4.0-33.el7_2.x86_64



Please provide backtrace or coredump; other developers will know
whether it's a known bug or a new bug.


Ok, you can find attached full stacktrace.

It's crashing trying to read updates from the replication changelog.

Are you using attribute encryption?
Any chance you have a way to reproduce this?

Since this is happening on only one server then I think recreating the
replication changelog will "fix" the issue.  Just re-initializing that
replica should do it.  Does this server start - so it can be reinited?
If not, you need to manually remove the changelog and start the
directory server, and reinit it.  Or perform a manual ldif
initialization.  (I can help with either one if needed)



No, directory server can't start, so I think I have to manually remove
the changelog.

Probably best:

It's under /var/lib/dirsrv/slapd-INSTANCE/db/changelog  (something like
that)


Any help is obviously welcome.
BTW: Do you confirm I won't lose data on second (working) server doing
removal of changelog?

Well the changelog appears to be hosed.  So if something is lost, it's
already lost and is not recoverable.  As long as you have another master
you are okay, and IPA only creates masters so you should be good.



Thank you Mark,
I moved away and recreated entire
/var/lib/dirsrv/slapd-INSTANCE/db/changelog directory, rebooted server
and now it's up and running!



For completeness: I've removed also the content of 
/var/lib/dirsrv/slapd-INSTANCE/cldb (I think cldb stands for changelog 
database) to make it work.


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] ns-slapd segfault

2016-11-29 Thread Giulio Casella

On 29/11/2016 14:19, Mark Reynolds wrote:



On 11/29/2016 03:14 AM, Giulio Casella wrote:

On 28/11/2016 19:22, Mark Reynolds wrote:



On 11/28/2016 10:22 AM, Giulio Casella wrote:

On 28/11/2016 15:25, Lukas Slebodnik wrote:

On (28/11/16 12:39), Giulio Casella wrote:

Hello,

I have a setup with two ipa server in replica, based on CentOS 7.
On one server (since a couple of days) ipa cannot start, the failing
service
is dirsrv@.service.
In journal I have:

ns-slapd[4617]: segfault at 7fb53b1ce515 ip 7fb50126e1a6 sp
7ffc0b80d6c8 error 4 in libc-2.17.so[7fb501124000+1b7000]

(just after a lot of SSL alerts complaining about some enabled
cypher suite,
but I cannot say if this could be related).

I'm using ipa 4.2.0, and 389-ds-base 1.3.4.


It would be good to know the exact version.
rpm -q 389-ds-base


Installed version is:

389-ds-base-1.3.4.0-33.el7_2.x86_64



Please provide backtrace or coredump; other developers will know
whether it's a known bug or a new bug.


Ok, you can find attached full stacktrace.

It's crashing trying to read updates from the replication changelog.

Are you using attribute encryption?
Any chance you have a way to reproduce this?

Since this is happening on only one server then I think recreating the
replication changelog will "fix" the issue.  Just re-initializing that
replica should do it.  Does this server start - so it can be reinited?
If not, you need to manually remove the changelog and start the
directory server, and reinit it.  Or perform a manual ldif
initialization.  (I can help with either one if needed)



No, directory server can't start, so I think I have to manually remove
the changelog.

Probably best:

It's under /var/lib/dirsrv/slapd-INSTANCE/db/changelog  (something like that)


Any help is obviously welcome.
BTW: Do you confirm I won't lose data on second (working) server doing
removal of changelog?

Well the changelog appears to be hosed.  So if something is lost, it's
already lost and is not recoverable.  As long as you have another master
you are okay, and IPA only creates masters so you should be good.



Thank you Mark,
I moved away and recreated entire 
/var/lib/dirsrv/slapd-INSTANCE/db/changelog directory, rebooted server 
and now it's up and running!


Thank you again.

Bye,
gc



Re: [Freeipa-users] ns-slapd segfault

2016-11-29 Thread Giulio Casella

On 28/11/2016 19:22, Mark Reynolds wrote:



On 11/28/2016 10:22 AM, Giulio Casella wrote:

On 28/11/2016 15:25, Lukas Slebodnik wrote:

On (28/11/16 12:39), Giulio Casella wrote:

Hello,

I have a setup with two ipa server in replica, based on CentOS 7.
On one server (since a couple of days) ipa cannot start, the failing
service
is dirsrv@.service.
In journal I have:

ns-slapd[4617]: segfault at 7fb53b1ce515 ip 7fb50126e1a6 sp
7ffc0b80d6c8 error 4 in libc-2.17.so[7fb501124000+1b7000]

(just after a lot of SSL alerts complaining about some enabled
cypher suite,
but I cannot say if this could be related).

I'm using ipa 4.2.0, and 389-ds-base 1.3.4.


It would be good to know the exact version.
rpm -q 389-ds-base


Installed version is:

389-ds-base-1.3.4.0-33.el7_2.x86_64



Please provide backtrace or coredump; other developers will know
whether it's a known bug or a new bug.


Ok, you can find attached full stacktrace.

It's crashing trying to read updates from the replication changelog.

Are you using attribute encryption?
Any chance you have a way to reproduce this?

Since this is happening on only one server then I think recreating the
replication changelog will "fix" the issue.  Just re-initializing that
replica should do it.  Does this server start - so it can be reinited?
If not, you need to manually remove the changelog and start the
directory server, and reinit it.  Or perform a manual ldif
initialization.  (I can help with either one if needed)



No, directory server can't start, so I think I have to manually remove 
the changelog.

Any help is obviously welcome.
BTW: Do you confirm I won't lose data on second (working) server doing 
removal of changelog?


Thanks in advance,
gc



Re: [Freeipa-users] ns-slapd segfault

2016-11-28 Thread Giulio Casella

On 28/11/2016 15:25, Lukas Slebodnik wrote:

On (28/11/16 12:39), Giulio Casella wrote:

Hello,

I have a setup with two ipa server in replica, based on CentOS 7.
On one server (since a couple of days) ipa cannot start, the failing service
is dirsrv@.service.
In journal I have:

ns-slapd[4617]: segfault at 7fb53b1ce515 ip 7fb50126e1a6 sp
7ffc0b80d6c8 error 4 in libc-2.17.so[7fb501124000+1b7000]

(just after a lot of SSL alerts complaining about some enabled cypher suite,
but I cannot say if this could be related).

I'm using ipa 4.2.0, and 389-ds-base 1.3.4.


It would be good to know the exact version.
rpm -q 389-ds-base


Installed version is:

389-ds-base-1.3.4.0-33.el7_2.x86_64



Please provide backtrace or coredump; other developers will know
whether it's a known bug or a new bug.


Ok, you can find attached full stacktrace.

Thanks in advance,
gc


GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-80.el7
Reading symbols from /usr/sbin/ns-slapd...Reading symbols from 
/usr/lib/debug/usr/sbin/ns-slapd.debug...done.
done.
[New LWP 4378]
[New LWP 4379]
[New LWP 4380]
[New LWP 4381]
[New LWP 4382]
[New LWP 4383]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-MYDOMAIN-LOCAL 
-i /var/ru'.
Program terminated with signal 11, Segmentation fault.
#0  __memcpy_ssse3_back () at ../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:1515
1515    movdqu  0x10(%rsi), %xmm1


[Freeipa-users] ns-slapd segfault

2016-11-28 Thread Giulio Casella

Hello,

I have a setup with two ipa server in replica, based on CentOS 7.
On one server (since a couple of days) ipa cannot start, the failing 
service is dirsrv@.service.

In journal I have:

ns-slapd[4617]: segfault at 7fb53b1ce515 ip 7fb50126e1a6 sp
7ffc0b80d6c8 error 4 in libc-2.17.so[7fb501124000+1b7000]


(just after a lot of SSL alerts complaining about some enabled cypher 
suite, but I cannot say if this could be related).


I'm using ipa 4.2.0, and 389-ds-base 1.3.4.

Servers are identical in hardware (they're virtual machines) and 
software (installed and updated at the same time).


Second server works like a charm.

Any hint?

--
Giulio Casella    giulio at di.unimi.it
System and network manager
Computer Science Dept. - University of Milano
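
The journal line in this message already states what kind of fault occurred and where inside libc it happened. As an added example (not part of the original thread), the Python code below parses that line, decodes the x86 page-fault error code and computes the module-relative offset of the faulting instruction; the function names are illustrative and the sample is the line quoted above.

```python
import re

# Constructed sample: the journal line as it appears in this thread. The archive
# copy runs the ip value into "sp", so the pattern tolerates missing whitespace.
SAMPLE = ("ns-slapd[4617]: segfault at 7fb53b1ce515 ip 7fb50126e1a6sp "
          "7ffc0b80d6c8 error 4 in libc-2.17.so[7fb501124000+1b7000]")

SEGV_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+)"
    r"\s+ip\s+(?P<ip>[0-9a-f]+)\s*sp\s+(?P<sp>[0-9a-f]+)"
    r"\s+error\s+(?P<err>[0-9a-f]+)"
    r"(?:\s+in\s+(?P<mod>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)


def decode_error(code):
    """Decode the low bits of the x86 page-fault error code printed by the kernel."""
    return {
        "cause": "protection violation" if code & 1 else "page not mapped",
        "access": "write" if code & 2 else "read",
        "mode": "user" if code & 4 else "kernel",
        "reserved_bit": bool(code & 8),
        "instruction_fetch": bool(code & 16),
    }


def parse_segfault(line):
    """Return a dict describing a kernel 'segfault at' line, or None if no match."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    rec = {"comm": m["comm"], "pid": int(m["pid"])}
    for key in ("addr", "ip", "sp"):
        rec[key] = int(m[key], 16)
    rec["fault"] = decode_error(int(m["err"], 16))  # the kernel prints it in hex
    rec["module"] = m["mod"]
    rec["module_offset"] = None
    if m["mod"]:
        base, size = int(m["base"], 16), int(m["size"], 16)
        # Only report an offset when ip really lies inside the reported mapping.
        if base <= rec["ip"] < base + size:
            rec["module_offset"] = rec["ip"] - base
    return rec


if __name__ == "__main__":
    r = parse_segfault(SAMPLE)
    print(r["comm"], r["pid"], r["fault"])
    print("%s+0x%x" % (r["module"], r["module_offset"]))
```

For this line the result is a user-mode read of an unmapped page at libc-2.17.so+0x14a1a6; that offset can usually be resolved with addr2line against the matching glibc debuginfo, even before a core file is available.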



Re: [Freeipa-users] FreeIPA and samba 4

2016-03-10 Thread Giulio Casella
I've seen that howto, but it's not my case. I cannot establish a trust 
between IPA and AD, because AD domain involves additional UPNs 
(mydomain.com and another.mydomain.com) in addition to main domain 
foobar.local. This scenario is not supported by current version of 
FreeIPA (maybe in future releases).

So: FreeIPA domain and AD domain have to be different.

Giulio

On 10/03/2016 13:23, Justin Stephenson wrote:

Hello,

Are you looking for this? This leverages the AD trust to allow samba
within IPA to resolve AD users from a trusted AD domain/forest

*Howto/Integrating a Samba File Server With IPA*


http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA


-Justin

On 03/10/2016 06:29 AM, Giulio Casella wrote:

Hi guys,
I've got a FreeIPA domain up and running, with a nfs server, joined to
IPA domain, offering user's home directories.

I'd like to give users on Windows 7 PC (not joined to the same domain)
the ability to mount those home directories via samba (entering
credentials, not kerberos, being different domains).

How can I configure samba to use IPA kerberos authentication
to offer access to home directories?

I know this could be configured more as a samba question, but I hope
someone in this list already faced my scenario.

Thanks in advance,
Giulio





--
Giulio Casella    giulio at di.unimi.it
System and network manager
Computer Science Dept. - University of Milano



[Freeipa-users] FreeIPA and samba 4

2016-03-10 Thread Giulio Casella

Hi guys,
I've got a FreeIPA domain up and running, with a nfs server, joined to 
IPA domain, offering user's home directories.


I'd like to give users on Windows 7 PC (not joined to the same domain) 
the ability to mount those home directories via samba (entering 
credentials, not kerberos, being different domains).


How can I configure samba to use IPA kerberos authentication
to offer access to home directories?


I know this could be configured more as a samba question, but I hope 
someone in this list already faced my scenario.


Thanks in advance,
Giulio



[Freeipa-users] Password expiration after reset

2015-12-16 Thread Giulio Casella

Hi guys,
I'm trying to populate FreeIPA (4.2.3) using API, but after user 
creation (and password has been set) user must change password at first 
logon. Same behaviour after a password change by admin.


Although this behaviour is desirable in many situations, I can't afford 
it, I've got to import tens of thousands users, and I can't force them 
to change their password.

How can I bypass this password change?

And, by the way: is there a way to disable password expiration?


Thanks in advance,
Giulio



Re: [Freeipa-users] Password expiration after reset

2015-12-16 Thread Giulio Casella

On 16/12/2015 16:07, Alexander Bokovoy wrote:

On Wed, 16 Dec 2015, Giulio Casella wrote:

Hi guys,
I'm trying to populate FreeIPA (4.2.3) using API, but after user
creation (and password has been set) user must change password at
first logon. Same behaviour after a password change by admin.

Although this behaviour is desirable in many situations, I can't
afford it, I've got to import tens of thousands users, and I can't
force them to change their password.
How can I bypass this password change?

And, by the way: is there a way to disable password expiration?

http://www.freeipa.org/page/New_Passwords_Expired

If you are using API to create users and set their passwords, you can
use technique like described here:
https://www.redhat.com/archives/freeipa-users/2012-June/msg00360.html



Thank you for the info Alexander, I wasn't aware of the page
/ipa/session/change_password.

After creating a user via API in the usual way (json submission to 
/ipa/session/json) I can perform a password change submitting user 
credential to /ipa/session/change_password, thus resetting password 
expiration accordingly to system settings.


It works like a charm.

Thank you again,
Giulio.
