[Freeipa-users] mysql connection has been blocked by sss_ssh_knownhostsproxy
There is a weird issue that occurred with sss_ssh_knownhostsproxy. I am not sure it is within the coverage of the IPA mailing list, but I want to get some suggestions from your side.

Background: server A is running with a mysql database, and it will simultaneously send a 1.3GB file to 14 clients.

With 'ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h':
the mysql connection will be blocked by those 14 rsync connections. From the 'netstat -tupnlo' result, we can find that the send-queue gets higher and higher; it looks like sending has been blocked. Finally, after mysql 'net_write_timeout', the connection will be closed since no data can be sent from this connection.

Without 'ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h':
the mysql connection works as normal.

sss_ssh_knownhostsproxy version: sssd-common-1.14.0-43.el7_3.11.x86_64
rsync version: rsync-3.0.9-17.el7.x86_64
kernel version: 3.10.0-229.el7.x86_64

Can you provide some hints on this? That would be appreciated.

Matrix
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] integrated DNS vs external DNS
No, integrated DNS is an optional component of IPA, even for AD integration. But without integrated DNS, you have to correctly configure all SRV records manually.

Matrix

-- Original --
From: Iulian Roman <iulian.ro...@gmail.com>
Date: Thu, Feb 23, 2017 09:16
To: freeipa-users <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] integrated DNS vs external DNS
Re: [Freeipa-users] Freeipa replica info to clents: guidance
Hi, Rakesh

Try 'ipa-client-install' with this option: '--fixed-primary'. With it, '_srv_' will disappear.

From the man page:

       --fixed-primary
              Configure SSSD to use a fixed server as the primary IPA server. The default is to use DNS SRV records to determine the primary server to use and fall back to the server the client is enrolled with. When used in conjunction with --server then no _srv_ value is set in the ipa_server option in sssd.conf.

Matrix

-- Original --
From: "Rakesh Rajasekharan";<rakesh.rajasekha...@gmail.com>;
Date: Sat, Jan 21, 2017 10:09 PM
To: "Matrix"<matrix...@qq.com>;
Cc: "freeipa-users"<freeipa-users@redhat.com>;
Subject: Re: [Freeipa-users] Freeipa replica info to clents: guidance

Thanks Matrix.. for the inputs..

> Firstly, '_srv_' means clients will find out which servers will be connected
> with by DNS SRV records. In your explanation, DNS is not configured in your
> env.

After running the ipa-client, the _srv_ was automatically added. The config options I passed for configuring the host as an IPA client are

ipa-client-install --domain=mydomain.com --server=ipa-master-int.mydomain.com --realm=MYDOMAIN.COM -p admin --password=mypass --mkhomedir --hostname=first-client-int.mydomain.com --no-ssh --no-sshd -N -f -U

While configuring the IPA server, I did not pass the setup-dns options (that avoids setting up the DNS server, I assume):

ipa-server-install -r 'MYDOMAIN.COM' -n 'mydomain.com' -p mypass -P mypass -a mypass --hostname=ipa-master-int.mydomain.com -N -U

So, I did not explicitly specify the _srv_ options. However, this has been working fine till now.

> Secondly, 'replica' keyword? I can not find it in the man pages of sssd-ipa.
> Is it really working fine?

Sorry, that was a typo from my side. It's actually

ipa_server = _srv_, ipa-master-mydomain.com, ipa-replica-mydomain.com

> So, I suggested to configure it in this way:
> ipa_server =
> ipa_backup_server =
> For another half of the clients,
> ipa_server =
> ipa_backup_server =

I will try this out.. probably I can safely leave out _srv_

Thanks
Rakesh

On Sat, Jan 21, 2017 at 6:10 PM, Matrix <matrix...@qq.com> wrote:

> To my understanding, there is something wrong with your configuration
>
> >> ipa_server = _srv_, ipa-master-mydomain.com, repilca ipa-replica-mydomain.com
>
> Firstly, '_srv_' means clients will find out which servers will be connected with by DNS SRV records. In your explanation, DNS is not configured in your env.
>
> Secondly, 'replica' keyword? I can not find it in the man pages of sssd-ipa. Is it really working fine?
>
> >> Also, can I define priority based on the order in which the IPA servers are
> >> defined in
> >> ipa_server = _srv_ ,,
>
> Your understanding is correct. Server priority is based on the sequence in the conf file.
>
> There is a problem with this configuration. Once 'ipa1' has failed, all id lookups/authentication will happen with 'ipa2'. Even when 'ipa1' is back, all clients will be sticky on 'ipa2'.
>
> So, I suggested to configure it in this way:
> ipa_server =
> ipa_backup_server =
>
> For another half of the clients,
> ipa_server =
> ipa_backup_server =
>
> Matrix
>
> -- Original --
> From: "Rakesh Rajasekharan";<rakesh.rajasekha...@gmail.com>;
> Date: Sat, Jan 21, 2017 08:25 PM
> To: "freeipa-users"<freeipa-users@redhat.com>;
> Subject: [Freeipa-users] Freeipa replica info to clents: guidance
>
> Hi,
>
> My Freeipa setup is on AWS ec2 instances and has been working fine with just one master for a while now.
>
> I am now trying to set up replica servers, which I was able to, and the replication between both masters goes fine.
>
> So, I have a master server ipa-master-mydomain.com and replica ipa-replica-mydomain.com
>
> I am not using DNS and rely on AWS for DNS resolution instead.
>
> My question is, how do I tell clients about the new replica server?
>
> I tried an entry in the sssd.conf domain section of the clients
>
> id_provider = ipa
> auth_provider = ipa
> ipa_server = _srv_, ipa-master-mydomain.com, repilca ipa-replica-mydomain.com
>
> This approach works fine and clients reach out to the replica as a failover.
> However, I wanted to verify if this is the correct way.
>
> Also, can I define priority based on the order in which the IPA servers are defined in
> ipa_server = _srv_ ,,
>
> If the above assumption is right, I could have half of my clients connect to the master always and the rest to the replica, that way balancing the load.
>
> Thanks
> Rakesh
Re: [Freeipa-users] Freeipa replica info to clents: guidance
To my understanding, there is something wrong with your configuration

>> ipa_server = _srv_, ipa-master-mydomain.com, repilca ipa-replica-mydomain.com

Firstly, '_srv_' means clients will find out which servers will be connected with by DNS SRV records. In your explanation, DNS is not configured in your env.

Secondly, 'replica' keyword? I can not find it in the man pages of sssd-ipa. Is it really working fine?

>> Also, can I define priority based on the order in which the IPA servers are
>> defined in
>> ipa_server = _srv_ ,,

Your understanding is correct. Server priority is based on the sequence in the conf file.

There is a problem with this configuration. Once 'ipa1' has failed, all id lookups/authentication will happen with 'ipa2'. Even when 'ipa1' is back, all clients will be sticky on 'ipa2'.

So, I suggested to configure it in this way:
ipa_server =
ipa_backup_server =

For another half of the clients,
ipa_server =
ipa_backup_server =

Matrix

-- Original --
From: "Rakesh Rajasekharan";<rakesh.rajasekha...@gmail.com>;
Date: Sat, Jan 21, 2017 08:25 PM
To: "freeipa-users"<freeipa-users@redhat.com>;
Subject: [Freeipa-users] Freeipa replica info to clents: guidance

Hi,

My Freeipa setup is on AWS ec2 instances and has been working fine with just one master for a while now.

I am now trying to set up replica servers, which I was able to, and the replication between both masters goes fine.

So, I have a master server ipa-master-mydomain.com and replica ipa-replica-mydomain.com

I am not using DNS and rely on AWS for DNS resolution instead.

My question is, how do I tell clients about the new replica server?

I tried an entry in the sssd.conf domain section of the clients

id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, ipa-master-mydomain.com, repilca ipa-replica-mydomain.com

This approach works fine and clients reach out to the replica as a failover.
However, I wanted to verify if this is the correct way.

Also, can I define priority based on the order in which the IPA servers are defined in
ipa_server = _srv_ ,,

If the above assumption is right, I could have half of my clients connect to the master always and the rest to the replica, that way balancing the load.

Thanks
Rakesh
Re: [Freeipa-users] where is ipa cache?
It should be. You mean 'sss_cache -E'? I have also tried to use it to invalidate everything. sudo did not trigger any packets between client and server.

Matrix

-- Original --
From: "Fraser Tweedale";<ftwee...@redhat.com>;
Date: Sat, Jan 14, 2017 07:29 PM
To: "Matrix"<matrix...@qq.com>;
Cc: "freeipa-users"<freeipa-users@redhat.com>;
Subject: Re: [Freeipa-users] where is ipa cache?

On Sat, Jan 14, 2017 at 07:03:00PM +0800, Matrix wrote:
> Hi, all
>
> I have removed everything in /var/lib/sss/db, but sudo works fine.
>
> I have also tried to capture sudo search packets with tcpdump. I found that
> there are no packets transferred between the IPA client and server. I am wondering
> where the IPA cache is. In memory?
>
I think it is in memory.  Run `sss-cache -E' to dump the cache.

> Best Regards
>
> Matrix
[Freeipa-users] where is ipa cache?
Hi, all

I have removed everything in /var/lib/sss/db, but sudo works fine.

I have also tried to capture sudo search packets with tcpdump. I found that there are no packets transferred between the IPA client and server. I am wondering where the IPA cache is. In memory?

Best Regards

Matrix
Re: [Freeipa-users] ipa_server and ipa_backup_server failover time
-- Original --
From: "Jakub Hrozek";<jhro...@redhat.com>;
Date: Mon, Jan 9, 2017 07:04 PM
To: "Matrix"<matrix...@qq.com>;
Cc: "freeipa-users"<freeipa-users@redhat.com>;
Subject: Re: [Freeipa-users] ipa_server and ipa_backup_server failover time

(please keep CC-ing the list..)

On Mon, Jan 09, 2017 at 04:39:04PM +0800, Matrix wrote:
> Sorry, I did not trigger authentication at all, just checked the sssd logs.
> Around 15 minutes later, I saw the message below:
>
> (Mon Jan 9 01:46:35 2017) [sssd[be[fwmrm.net]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ipa02.example.com' as 'working'
>
> Re-checking it with authentication, failover happens immediately.

Yes, then that is expected, the identity lookup was probably answered from the cache.

> >> No, sorry, the timeouts for switching between back up and primary
> >> servers are hardcoded.
>
> May I know how long it will take in the worst case?
>
Seems to be 30 minutes:

https://github.com/SSSD/sssd/blob/master/src/providers/data_provider_fo.c#L49

It should be 30 seconds? 30 min is too long, and in the man page it has been explained as 30 seconds.

Matrix
[Freeipa-users] ipa_server and ipa_backup_server failover time
Hi, all

The purpose of this email is to know more about the timeout of IPA server failover.

Env:

# rpm -qa | grep sssd
sssd-krb5-common-1.13.0-40.el7_2.12.x86_64
python-sssdconfig-1.13.0-40.el7_2.12.noarch
sssd-ipa-1.13.0-40.el7_2.12.x86_64
sssd-client-1.13.0-40.el7_2.12.x86_64
sssd-ad-1.13.0-40.el7_2.12.x86_64
sssd-proxy-1.13.0-40.el7_2.12.x86_64
sssd-common-pac-1.13.0-40.el7_2.12.x86_64
sssd-ldap-1.13.0-40.el7_2.12.x86_64
sssd-krb5-1.13.0-40.el7_2.12.x86_64
sssd-common-1.13.0-40.el7_2.12.x86_64
sssd-1.13.0-40.el7_2.12.x86_64

base config:

# cat /etc/sssd/sssd.conf
[domain/example.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = spare01.example.com
chpass_provider = ipa
debug_level = 4
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = example.com

Situation A: both Server A and Server B have been configured in 'ipa_server'

ipa_server = ipa01.example.com, ipa02.example.com

Once the ipa01 IPA service failed, id lookup/auth failed over to ipa02 around 15 mins later. It should be controlled by 'ldap_connection_expire_timeout', with default value 900 seconds. I have proved it by changing it to 300 seconds.

But if ipa01 was brought back, id lookup/auth will not go back to ipa01. Is it expected?

Situation B: Server A has been configured as 'ipa_server', and Server B configured as 'ipa_backup_server'

ipa_server = ipa01.example.com
ipa_backup_server = ipa02.example.com

Once the ipa01 IPA service failed, id lookup/auth failed over to ipa02 some minutes later. I have tried 2 times; the failover time is around 10 min ~ 15 min.

Is it possible to control it more accurately? How? Any parameters I can try?

Best Regards

Matrix
Re: [Freeipa-users] sssd failed with 'ldap_sasl_bindfailed(-2)[Localerror]'
Hi, Sumit

I have checked, and did not find anything more. Error logs from /var/log/dirsrv/slapd-EXAMPLE-NET/access:

...
[10/Nov/2016:10:46:58 +] conn=816560 fd=189 slot=189 connection from 10.2.3.32 to 10.2.1.250
[10/Nov/2016:10:46:58 +] conn=816560 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Nov/2016:10:46:58 +] conn=816560 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[10/Nov/2016:10:46:58 +] conn=816560 op=-1 fd=189 closed - B1
...

Matrix

-- Original --
From: "Sumit Bose";<sb...@redhat.com>;
Date: Thu, Nov 10, 2016 07:13 PM
To: "Matrix"<matrix...@qq.com>;
Cc: "Sumit Bose"<sb...@redhat.com>; "freeipa-users"<freeipa-users@redhat.com>;
Subject: Re: [Freeipa-users] sssd failed with 'ldap_sasl_bindfailed(-2)[Localerror]'

On Thu, Nov 10, 2016 at 06:48:54PM +0800, Matrix wrote:
> Hi, Sumit
>
> Thanks for your reply
>
> I have tried. Still failed.

Do you see any related messages on the LDAP server side?

bye,
Sumit

>
> # cat /etc/openldap/ldap.conf | grep -v ^#
>
> URI ldap://ipaslave.stg.example.net
> BASE dc=example,dc=net
> TLS_CACERT /etc/ipa/ca.crt
> SASL_MECH GSSAPI
> TLS_REQCERT allow
> SASL_NOCANON on
>
>
> # cat /etc/krb5.conf | grep rdns
> rdns = false
>
> Matrix
>
> -- Original --
> From: "Sumit Bose";<sb...@redhat.com>;
> Date: Thu, Nov 10, 2016 06:32 PM
> To: "freeipa-users"<freeipa-users@redhat.com>;
>
> Subject: Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed(-2)[Localerror]'
>
>
>
> On Thu, Nov 10, 2016 at 05:22:26PM +0800, Matrix wrote:
> > Debug steps that have been tried:
> >
> > 1 kinit is workable:
> > # /usr/kerberos/bin/kinit -k host/client02.stg.example@example.net
> >
> > # /usr/kerberos/bin/klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: host/client02.stg.example@example.net
> >
> > Valid starting     Expires            Service principal
> > 11/10/16 09:18:00  11/11/16 09:17:35  krbtgt/example@example.net
> >
> > Kerberos 4 ticket cache: /tmp/tkt0
> > klist: You have no tickets cached
> >
> > 2 ldapwhoami with krb auth failed.
> >
> > # ldapwhoami -Y GSSAPI -h ipaslave.stg.example.net
> > SASL/GSSAPI authentication started
> > ldap_sasl_interactive_bind_s: Local error (-2)
> > additional info: SASL(-1): generic failure: GSSAPI Error:
> > Unspecified GSS failure. Minor code may provide more information (Mutual
> > authentication failed)
> >
>
> Have you made sure that canonicalizing is disabled, i.e.
> /etc/krb5.conf:
> [libdefaults]
> ...
> rdns = false
> ...
>
> /etc/openldap/ldap.conf
> ...
> SASL_NOCANON on
> ...
>
> HTH
>
> bye,
> Sumit
>
> >
> > Matrix
> >
> > -- Original --
> > From: "Matrix";<matrix...@qq.com>;
> > Date: Thu, Nov 10, 2016 02:11 PM
> > To: "freeipa-users"<freeipa-users@redhat.com>;
> >
> > Subject: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed (-2)[Localerror]'
> >
> >
> >
> > Hi,
> >
> > I have installed sssd in a RHEL5 client.
> >
> > ipa-client/sssd version:
> > ipa-client-2.1.3-7.el5
> > sssd-client-1.5.1-71.el5
> > sssd-1.5.1-71.el5
> >
> > sssd failed to get IPA user info with 'ldap_sasl_bind failed (-2)[Local error]'.
> >
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (4): Executing sasl bind mech: GSSAPI, user: host/client02.stg.example.net
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (1): ldap_sasl_bind failed (-2)[Local error]
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] (7): Waiting for child [7].
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] (4): child [7] finished successfully.
> >
> > I have tried to google to find the root cause. Some links explained it should be
> > something wrong with DNS. I have double-checked it.
> >
> > # nslookup client02.stg.example.net
> > Server:  10.2.1.21
> > Address: 10.2.1.21#53
> >
> > Name:    client02.stg.example.net
> > Address: 10.2.3.32
> >
> >
> > # nslookup 10.2.3.32
> > Server:  10.2.1.21
> > Address: 10.2.1.2
Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed(-2)[Localerror]'
Hi, Sumit

Thanks for your reply

I have tried. Still failed.

# cat /etc/openldap/ldap.conf | grep -v ^#

URI ldap://ipaslave.stg.example.net
BASE dc=example,dc=net
TLS_CACERT /etc/ipa/ca.crt
SASL_MECH GSSAPI
TLS_REQCERT allow
SASL_NOCANON on


# cat /etc/krb5.conf | grep rdns
rdns = false

Matrix

-- Original --
From: "Sumit Bose";<sb...@redhat.com>;
Date: Thu, Nov 10, 2016 06:32 PM
To: "freeipa-users"<freeipa-users@redhat.com>;
Subject: Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed(-2)[Localerror]'

On Thu, Nov 10, 2016 at 05:22:26PM +0800, Matrix wrote:
> Debug steps that have been tried:
>
> 1 kinit is workable:
> # /usr/kerberos/bin/kinit -k host/client02.stg.example@example.net
>
> # /usr/kerberos/bin/klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: host/client02.stg.example@example.net
>
> Valid starting     Expires            Service principal
> 11/10/16 09:18:00  11/11/16 09:17:35  krbtgt/example@example.net
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> 2 ldapwhoami with krb auth failed.
>
> # ldapwhoami -Y GSSAPI -h ipaslave.stg.example.net
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (Mutual authentication
> failed)
>

Have you made sure that canonicalizing is disabled, i.e.
/etc/krb5.conf:
[libdefaults]
...
rdns = false
...

/etc/openldap/ldap.conf
...
SASL_NOCANON on
...

HTH

bye,
Sumit

>
> Matrix
>
> -- Original --
> From: "Matrix";<matrix...@qq.com>;
> Date: Thu, Nov 10, 2016 02:11 PM
> To: "freeipa-users"<freeipa-users@redhat.com>;
>
> Subject: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed (-2)[Localerror]'
>
>
>
> Hi,
>
> I have installed sssd in a RHEL5 client.
>
> ipa-client/sssd version:
> ipa-client-2.1.3-7.el5
> sssd-client-1.5.1-71.el5
> sssd-1.5.1-71.el5
>
> sssd failed to get IPA user info with 'ldap_sasl_bind failed (-2)[Local error]'.
>
> (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (4): Executing sasl bind mech: GSSAPI, user: host/client02.stg.example.net
> (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (1): ldap_sasl_bind failed (-2)[Local error]
> (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] (7): Waiting for child [7].
> (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] (4): child [7] finished successfully.
>
> I have tried to google to find the root cause. Some links explained it should be
> something wrong with DNS. I have double-checked it.
>
> # nslookup client02.stg.example.net
> Server:  10.2.1.21
> Address: 10.2.1.21#53
>
> Name:    client02.stg.example.net
> Address: 10.2.3.32
>
>
> # nslookup 10.2.3.32
> Server:  10.2.1.21
> Address: 10.2.1.21#53
>
> 32.3.2.10.in-addr.arpa name = client02.stg.example.net.
>
>
> # nslookup ipaslave.stg.example.net
> Server:  10.2.1.21
> Address: 10.2.1.21#53
>
> Name:    ipaslave.stg.example.net
> Address: 10.2.1.250
>
> # nslookup 10.2.1.250
> Server:  10.2.1.21
> Address: 10.2.1.21#53
>
> 250.1.2.10.in-addr.arpa name = ipaslave.stg.example.net.
>
> Any hints or troubleshooting ideas would be appreciated.
>
> Matrix
Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed (-2)[Localerror]'
Debug steps that have been tried:

1 kinit is workable:

# /usr/kerberos/bin/kinit -k host/client02.stg.example@example.net

# /usr/kerberos/bin/klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/client02.stg.example@example.net

Valid starting     Expires            Service principal
11/10/16 09:18:00  11/11/16 09:17:35  krbtgt/example@example.net

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

2 ldapwhoami with krb auth failed.

# ldapwhoami -Y GSSAPI -h ipaslave.stg.example.net
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Mutual authentication failed)

Matrix

-- Original --
From: "Matrix";<matrix...@qq.com>;
Date: Thu, Nov 10, 2016 02:11 PM
To: "freeipa-users"<freeipa-users@redhat.com>;
Subject: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed (-2)[Localerror]'

Hi,

I have installed sssd in a RHEL5 client.

ipa-client/sssd version:
ipa-client-2.1.3-7.el5
sssd-client-1.5.1-71.el5
sssd-1.5.1-71.el5

sssd failed to get IPA user info with 'ldap_sasl_bind failed (-2)[Local error]'.

(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (4): Executing sasl bind mech: GSSAPI, user: host/client02.stg.example.net
(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (1): ldap_sasl_bind failed (-2)[Local error]
(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] (7): Waiting for child [7].
(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] (4): child [7] finished successfully.

I have tried to google to find the root cause. Some links explained it should be something wrong with DNS. I have double-checked it.

# nslookup client02.stg.example.net
Server:  10.2.1.21
Address: 10.2.1.21#53

Name:    client02.stg.example.net
Address: 10.2.3.32


# nslookup 10.2.3.32
Server:  10.2.1.21
Address: 10.2.1.21#53

32.3.2.10.in-addr.arpa name = client02.stg.example.net.


# nslookup ipaslave.stg.example.net
Server:  10.2.1.21
Address: 10.2.1.21#53

Name:    ipaslave.stg.example.net
Address: 10.2.1.250

# nslookup 10.2.1.250
Server:  10.2.1.21
Address: 10.2.1.21#53

250.1.2.10.in-addr.arpa name = ipaslave.stg.example.net.

Any hints or troubleshooting ideas would be appreciated.

Matrix
[Freeipa-users] sssd failed with 'ldap_sasl_bind failed (-2)[Local error]'
Hi,

I have installed sssd in a RHEL5 client.

ipa-client/sssd version:
ipa-client-2.1.3-7.el5
sssd-client-1.5.1-71.el5
sssd-1.5.1-71.el5

sssd failed to get IPA user info with 'ldap_sasl_bind failed (-2)[Local error]'.

(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (4): Executing sasl bind mech: GSSAPI, user: host/client02.stg.example.net
(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (1): ldap_sasl_bind failed (-2)[Local error]
(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] (7): Waiting for child [7].
(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] (4): child [7] finished successfully.

I have tried to google to find the root cause. Some links explained it should be something wrong with DNS. I have double-checked it.

# nslookup client02.stg.example.net
Server:  10.2.1.21
Address: 10.2.1.21#53

Name:    client02.stg.example.net
Address: 10.2.3.32


# nslookup 10.2.3.32
Server:  10.2.1.21
Address: 10.2.1.21#53

32.3.2.10.in-addr.arpa name = client02.stg.example.net.


# nslookup ipaslave.stg.example.net
Server:  10.2.1.21
Address: 10.2.1.21#53

Name:    ipaslave.stg.example.net
Address: 10.2.1.250

# nslookup 10.2.1.250
Server:  10.2.1.21
Address: 10.2.1.21#53

250.1.2.10.in-addr.arpa name = ipaslave.stg.example.net.

Any hints or troubleshooting ideas would be appreciated.

Matrix
[Freeipa-users] How to renew kerberos tickets without user intervation?
Hi, All

The IPA server was installed on ipaserver.dev.example.net

A user 'ads' in IPA will periodically 'rsync' files from ipaclient1 to ipaclient2. I found that the rsync cronjobs will fail once the 'ads' kerberos ticket has expired.

I would like to renew kerberos tickets before expiration without user intervention, but failed.

krb configuration:

# cat /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.NET
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}
 renew_lifetime = 7d

[realms]
 EXAMPLE.NET = {
  kdc = ipaserver.dev.example.net:88
  master_kdc = ipaserver.dev.example.net:88
  admin_server = ipaserver.dev.example.net:749
  default_domain = example.net
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .example.net = EXAMPLE.NET
 example.net = EXAMPLE.NET

[dbmodules]
 EXAMPLE.NET = {
  db_library = ipadb.so
 }

When I was trying to renew the kerberos ticket from client1, the error message was shown as:

$ kinit -R
kinit: KDC can't fulfill requested option while renewing credentials

And logs from the IPA server:

# tailf /var/log/krb5kdc.log
..
Jun 14 06:22:35 ipaserver.dev.example.net krb5kdc[23368](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.11.235: TICKET NOT RENEWABLE: authtime 0, a...@example.net for krbtgt/example@example.net, KDC can't fulfill requested option
Jun 14 06:22:35 ipaserver.dev.example.net krb5kdc[23368](info): closing down fd 10
..

Any suggestions would be appreciated.

Best Regards

Matrix
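The KDC line "TICKET NOT RENEWABLE" in the post above is the KDC's answer to a RENEW request for a TGT that was issued without the renewable flag, so `kinit -R` can never extend it; `klist -f` shows an `R` in the Flags field only when the TGT is renewable, which needs both a renew lifetime requested by the client and a non-zero "Max renew" in `ipa krbtpolicy-show`. For an unattended rsync cron job the more robust pattern is not to depend on renewal at all but to re-initialise from a keytab. The script below is an added example and is not code from the thread or from the FreeIPA project: it parses `klist -f` output (the embedded sample is constructed, not captured from the poster's host), decides whether the TGT is still fresh, renewable, or must be re-obtained, and runs the matching `kinit`. The keytab path and principal are assumptions; a keytab is a long-term credential, so keep it mode 0600 and owned by the cron user, and note that `ipa-getkeytab` without `-P` re-keys the principal, which invalidates the user's current password.

```python
"""Keep a cron user's Kerberos TGT alive without interactive kinit.

Added example, not part of the original thread. Parses `klist -f` output and
chooses between `kinit -R` (only valid when the TGT carries the R flag and
its renew-until deadline is still ahead) and a fresh `kinit -kt` from a
keytab. Keytab path and principal below are assumptions.
"""
import re
import subprocess
from datetime import datetime, timedelta

KEYTAB = "/etc/cron-keytabs/ads.keytab"   # assumption: 0600, owned by 'ads'
PRINCIPAL = "ads@EXAMPLE.NET"             # assumption
RENEW_MARGIN = timedelta(hours=1)         # act this long before expiry

# Constructed sample of `klist -f` output (not captured from the thread).
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:1001:1001
Default principal: ads@EXAMPLE.NET

Valid starting       Expires              Service principal
06/14/2016 06:00:00  06/15/2016 06:00:00  krbtgt/EXAMPLE.NET@EXAMPLE.NET
\trenew until 06/21/2016 06:00:00, Flags: FRIA
"""
# Same cache, but the KDC issued the TGT without the renewable flag: this is
# the state behind the "TICKET NOT RENEWABLE" message in the post above.
SAMPLE_KLIST_NONRENEWABLE = SAMPLE_KLIST.replace(
    "renew until 06/21/2016 06:00:00, Flags: FRIA", "Flags: FIA")

TS = r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}"
TIME_FORMATS = ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S")

def parse_time(text):
    """klist prints 2- or 4-digit years depending on the krb5 version."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised klist timestamp: %r" % text)

def parse_tgt(klist_output):
    """Return (expires, renew_until or None, flags) for the krbtgt entry."""
    lines = klist_output.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"(%s)\s+(%s)\s+krbtgt/" % (TS, TS), line)
        if not m:
            continue
        expires = parse_time(m.group(2))
        renew_until, flags = None, ""
        # With -f, klist adds an indented detail line under the ticket.
        if i + 1 < len(lines) and lines[i + 1].startswith("\t"):
            detail = lines[i + 1].strip()
            r = re.search(r"renew until (%s)" % TS, detail)
            if r:
                renew_until = parse_time(r.group(1))
            f = re.search(r"Flags: (\S+)", detail)
            if f:
                flags = f.group(1)
        return expires, renew_until, flags
    raise LookupError("no krbtgt ticket in cache")

def choose_action(klist_output, now):
    """'none' while the TGT is fresh, 'renew' when kinit -R can extend it,
    otherwise 'reinit' (kinit -kt from the keytab)."""
    try:
        expires, renew_until, flags = parse_tgt(klist_output)
    except LookupError:
        return "reinit"
    if expires - now > RENEW_MARGIN:
        return "none"
    # A TGS renew only succeeds if the TGT has the R flag and the
    # renew-until deadline has not been reached; otherwise the KDC answers
    # "TICKET NOT RENEWABLE" / "KDC can't fulfill requested option".
    if "R" in flags and renew_until is not None and renew_until - now > RENEW_MARGIN:
        return "renew"
    return "reinit"

def run_kinit(action):
    if action == "renew":
        subprocess.check_call(["kinit", "-R"])
    elif action == "reinit":
        subprocess.check_call(["kinit", "-kt", KEYTAB, PRINCIPAL])

if __name__ == "__main__":
    # Run this from the 'ads' crontab a few minutes before the rsync job.
    current = subprocess.check_output(["klist", "-f"]).decode()
    run_kinit(choose_action(current, datetime.now()))
```

If `klist -f` never shows the `R` flag even after `kinit -r 7d`, the realm's ticket policy is the thing to check (`ipa krbtpolicy-show`), but the keytab path above works regardless of that policy because every run obtains a brand-new TGT.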
Re: [Freeipa-users] Is the krb5.conf no longer used?
Hi, Geordie

I think it should be optional. Here is one of my IPA clients' krb5.conf:

# cat /etc/krb5.conf
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = EXAMPLE.NET
 dns_lookup_realm = true
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.NET = {
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .dev.example.net = EXAMPLE.NET
 dev.example.net = EXAMPLE.NET

Matrix

-- Original --
From: "Geordie Grindle";<geordie.grin...@gmail.com>;
Date: Thu, Jun 2, 2016 03:57 AM
To: "freeipa-users"<freeipa-users@redhat.com>;
Subject: [Freeipa-users] Is the krb5.conf no longer used?

Does IPA only use "sssd.conf" for kerberos authentication? Is there another file used to configure kerberos?

I've built a host using Foreman and our puppet configuration usually pushes a krb5.conf file. However, if I delete it, everything still works fine. What if any function does /etc/krb5.conf have now?

[root@ipa_client ggrindle]# cat /etc/krb5.conf
cat: /etc/krb5.conf: No such file or directory
[root@ipa_client ggrindle]# rpm -qa |grep ipa-client
ipa-client-3.0.0-37.el6.x86_64
[root@ipa_client ggrindle]# kdestroy
[root@ipa_client ggrindle]# kinit ggrindle
Password for ggrin...@dev.example.com:
[root@ipa_client ggrindle]# klist
Ticket cache: FILE:/tmp/krb5cc_0.1
Default principal: ggrin...@dev.example.com

Valid starting     Expires            Service principal
06/01/16 19:40:19  06/02/16 19:40:14  krbtgt/dev.example@dev.example.com
[root@ipa_client ggrindle]# tcpdump port 88
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:40:53.765163 IP ipa_client.test.dev.example.com.49228 > ipa_server.dev.example.com.kerberos: v5
19:40:53.788043 IP ipa_server.dev.example.com.kerberos > ipa_client.test.dev.example.com.49228:
19:41:06.601826 IP ipa_client.test.dev.example.com.52896 > ipa_server.dev.example.com.kerberos: v5
19:41:06.630012 IP ipa_server.dev.example.com.kerberos > ipa_client.test.dev.example.com.52896: v5
^C
4 packets captured
6 packets received by filter
0 packets dropped by kernel
Re: [Freeipa-users] is it possible to use 'ipa-replica' to syncuserbetween different suffix AD and IPA domain?
Hi, Petr

All steps listed in section 7.4 of the Windows integration guide have been done.

The user for sync is 'cn=ipa,cn=users,dc=examplemedia,dc=net' and I have verified it with ldapsearch; the detailed command is below:

# ldapsearch -H ldap://ipaad.examplemedia.net -D 'cn=ipa,cn=users,dc=examplemedia,dc=net' -w 'RedHat1!' -b "cn=users,dc=examplemedia,dc=net" -LLL -ZZ

and the sync agreement was created by:

# ipa-replica-manage connect --winsync --binddn="cn=ipa,cn=users,dc=examplemedia,dc=net" --bindpw='RedHat1!' --passsync='redhatredhat' --cacert='/etc/openldap/cacerts/ad.cer' --win-subtree='ou=users,dc=examplemedia,dc=net' -v ipaad.examplemedia.net

After it was created, I also force-synced it.

# ipa-replica-manage force-sync --from=ipaad.examplemedia.net
Directory Manager password:
ipa: INFO: Setting agreement cn=meToipaad.examplemedia.net,cn=replica,cn=dc\=dev\,dc\=example\,dc\=net,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meToipaad.examplemedia.net,cn=replica,cn=dc\=dev\,dc\=example\,dc\=net,cn=mapping tree,cn=config
root@ipaserver:/var/log/dirsrv/slapd-DEV-EXAMPLE-NET · 06:47 AM Tue May 03 · !41
# echo $?
0

No error was reported. Is there any debug info or log I can provide for further analysis?

Thanks

Matrix

-- Original --
From: "Petr Vobornik" <pvobo...@redhat.com>
Date: Mon, May 2, 2016 02:46 AM
To: "Matrix" <matrix...@qq.com>; "freeipa-users" <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] is it possible to use 'ipa-replica' to sync user between different suffix AD and IPA domain?

On 04/28/2016 05:30 PM, Matrix wrote:
> Hi, Petr
>
> Thanks for your quick reply.
>
> I want to integrate Linux servers with the existing AD and centrally manage HBAC/Sudo
> rules.
>
> So I have set up a standalone IPA server with domain 'example.net', trying to
> sync users from the existing AD to it with the following cmd:
>
> ipa-replica-manage connect --winsync
> --binddn="cn=ipa,cn=users,dc=examplemedia,dc=net" --bindpw=''
> --passsync='' --cacert='/etc/openldap/cacerts/ipaad.cer'
> --win-subtree='ou=users,dc=examplemedia,dc=net' -v ipaad.examplemedia.net
>
> After it has been successfully established, users in AD did not sync to IPA.

Before we go into debugging, please make sure that you have done the steps
described in section 7.4 of the Windows integration guide:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/Setting_up_Active_Directory.html

> For the 'trusts' integration method, since users did not sync to IPA at all,
> how to set sudo/HBAC rules for users? I have not tried it.
>
> Matrix
>
> -- Original --
> From: "Petr Vobornik" <pvobo...@redhat.com>
> Date: Thu, Apr 28, 2016 11:21 PM
> To: "Matrix" <matrix...@qq.com>; "freeipa-users" <freeipa-users@redhat.com>
> Subject: Re: [Freeipa-users] is it possible to use 'ipa-replica' to sync user between different suffix AD and IPA domain?
>
> On 04/28/2016 04:44 PM, Matrix wrote:
> > Hi, all
> >
> > I am trying to do a centralized solution.
> >
> > AD domain is 'examplemedia.net'
> >
> > IPA domain is 'example.net'
> >
> > After ipa-replica has been established, I found that nothing has been synced
> > from AD to IPA.
> >
> > IPA version: ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
> >
> > I doubt whether a different suffix is supported. If so, can anyone show some
> > hints for me to investigate more?
> >
> > Thanks for your kind help.
> >
> > Matrix
>
> Hello,
>
> what is your goal and current setup?
>
> By "ipa-replica has been established" do you mean that you installed a
> new currently standalone IPA server? And connected it somehow with AD?
>
> Or did you run `ipa-replica-manage connect --winsync ...`
>
> It would be good to mention that IPA server[1] cannot be a replica of an
> AD server. But it can integrate with it. Either by using
> winsync(synchronization) or the recommended solution: Trusts [2].
>
> Documentation:
> [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
> [2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pt02.html
>
> HTH
> --
> Petr Vobornik

--
Petr Vobornik
Re: [Freeipa-users] AD Trust failed with 'CIFS server configuration does not allow access to \\pipe\lsarpc'
e_trigger": 0x7f1c1c2dd3d0
s4_tevent: Destroying timer event 0x7f1c1c47fd40 "tevent_req_timedout"
s4_tevent: Schedule immediate event "tevent_req_trigger": 0x7f1c1cb553c0
s4_tevent: Run immediate event "tevent_req_trigger": 0x7f1c1cb553c0
s4_tevent: Destroying timer event 0x7f1c1c0ff6b0 "dcerpc_connect_timeout_handler"
[Sun May 01 13:53:05.420066 2016] [:error] [pid 6995] ipa: INFO: [jsonserver_session] ad...@dev.example.net: trust_add(u'examplemedia.net', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'', all=False, raw=False, version=u'2.156'): RemoteRetrieveError

-- Original --
From: "Alexander Bokovoy" <aboko...@redhat.com>
Date: Sun, May 1, 2016 09:40 PM
To: "Matrix" <matrix...@qq.com>
Cc: "freeipa-users" <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] AD Trust failed with 'CIFS server configuration does not allow access to \\pipe\lsarpc'

On Sun, 01 May 2016, Matrix wrote:
>Hi, list
>
>I am trying to set up an integration env between IPA and AD Windows 2012 R2.
>
>Below error occurred while running "# echo 'RedHat1!' | ipa trust-add
>--type=ad examplemedia.net --admin Administrator --password"
>
># echo 'RedHat1!' | ipa trust-add --type=ad examplemedia.net --admin Administrator --password
>ipa: ERROR: CIFS server configuration does not allow access to \\pipe\lsarpc
>
>IPA / Samba version I am running with:
>
>ipa-server-4.2.0-15.el7.x86_64
>samba-4.2.3-12.el7_2.x86_64
>
># tailf /var/log/httpd/error_log
>[Sun May 01 08:27:17.493412 2016] [:error] [pid 32267] ipa: INFO:
>[jsonserver_session] ad...@dev.example.net: trust_add(u'examplemedia.net',
>trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'',
>all=False, raw=False, version=u'2.156'): RemoteRetrieveError
>[Sun May 01 08:35:00.600654 2016] [:error] [pid 32266] ipa: INFO:
>[jsonserver_session] ad...@dev.example.net: trust_add(u'examplemedia.net',
>trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'',
>all=False, raw=False, version=u'2.156'): RemoteRetrieveError
>
>I have also tried the latest ipa-server version shipped by RHEL. The same error
>occurred.
>
>It seems that https://bugzilla.redhat.com/show_bug.cgi?id=1249455 did not
>fix it.

Add 'log level = 100' to /usr/share/ipa/smb.conf.empty and re-try 'ipa trust-add'. You'll get more detailed debugging output in error_log.

--
/ Alexander Bokovoy
[Freeipa-users] AD Trust failed with 'CIFS server configuration does not allow access to \\pipe\lsarpc'
Hi, list

I am trying to set up an integration env between IPA and AD Windows 2012 R2.

Below error occurred while running "# echo 'RedHat1!' | ipa trust-add --type=ad examplemedia.net --admin Administrator --password":

# echo 'RedHat1!' | ipa trust-add --type=ad examplemedia.net --admin Administrator --password
ipa: ERROR: CIFS server configuration does not allow access to \\pipe\lsarpc

IPA / Samba version I am running with:

ipa-server-4.2.0-15.el7.x86_64
samba-4.2.3-12.el7_2.x86_64

# tailf /var/log/httpd/error_log
[Sun May 01 08:27:17.493412 2016] [:error] [pid 32267] ipa: INFO: [jsonserver_session] ad...@dev.example.net: trust_add(u'examplemedia.net', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'', all=False, raw=False, version=u'2.156'): RemoteRetrieveError
[Sun May 01 08:35:00.600654 2016] [:error] [pid 32266] ipa: INFO: [jsonserver_session] ad...@dev.example.net: trust_add(u'examplemedia.net', trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'', all=False, raw=False, version=u'2.156'): RemoteRetrieveError

I have also tried the latest ipa-server version shipped by RHEL. The same error occurred.

It seems that https://bugzilla.redhat.com/show_bug.cgi?id=1249455 did not fix it.

Matrix
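An added example, not code from this thread or from the FreeIPA project: a small Python parser for the error_log line shape quoted above. It turns each trust_add(...) entry into a record and counts failures per calling principal and target realm, which is the signal a monitor would watch since every such call is made with an AD administrator credential. The sample lines, the principal admin@EXAMPLE.TEST and the user_show entry are constructed; SUCCESS is FreeIPA's own result string for a completed call.

```python
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# Shape of the error_log lines quoted in the thread:
# [ts] [:error] [pid N] ipa: INFO: [channel] principal: command(args): result
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[:error\] \[pid (?P<pid>\d+)\] ipa: INFO: \[(?P<channel>[^\]]+)\] "
                     r"(?P<principal>\S+): (?P<command>\w+)\((?P<args>.*)\): (?P<result>\w+)$")
KWARG_RE = re.compile(r"(\w+)=(?:u?'([^']*)'|(\w+))")  # name=u'str' or a bare literal such as all=False

@dataclass
class IpaApiCall:
    timestamp: str
    pid: int
    principal: str
    command: str
    target: str | None      # first positional argument, e.g. the trusted realm handed to trust_add
    kwargs: dict[str, str]  # realm_passwd arrives already blanked by the server
    result: str             # FreeIPA logs SUCCESS for a completed call, else the exception class name

def parse_line(line: str) -> IpaApiCall | None:
    """Structured record for one error_log line, or None if it is not an IPA API call."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = m.group("args")
    pos = re.match(r"u?'([^']*)'", args)  # leading positional argument, if quoted
    kwargs = {k: (q or b) for k, q, b in KWARG_RE.findall(args)}
    return IpaApiCall(m.group("ts"), int(m.group("pid")), m.group("principal"),
                      m.group("command"), pos.group(1) if pos else None, kwargs, m.group("result"))

def failed_calls(lines, command: str = "trust_add") -> list[IpaApiCall]:
    """Failed invocations of `command`, in log order; lines that are not API calls are skipped."""
    return [c for c in map(parse_line, lines) if c and c.command == command and c.result != "SUCCESS"]

def failure_counts(lines, command: str = "trust_add") -> Counter:
    """Failures per (principal, target, error): the key a monitor would threshold and alert on."""
    return Counter((c.principal, c.target, c.result) for c in failed_calls(lines, command))

# Constructed sample: two lines adapted from the thread plus one made-up SUCCESS line
_PFX = "[Sun May 01 08:{} 2016] [:error] [pid 3226{}] ipa: INFO: [jsonserver_session] admin@EXAMPLE.TEST: "
_TRUST = ("trust_add(u'examplemedia.net', trust_type=u'ad', realm_admin=u'Administrator', "
          "realm_passwd=u'', all=False, raw=False, version=u'2.156'): RemoteRetrieveError")
SAMPLE_LOG = [
    _PFX.format("27:17.493412", 7) + _TRUST,
    _PFX.format("35:00.600654", 6) + _TRUST,
    _PFX.format("36:10.000000", 6) + "user_show(u'matrix', all=False, raw=False, version=u'2.156'): SUCCESS",
]
```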
Re: [Freeipa-users] is it possible to use 'ipa-replica' to sync user between different suffix AD and IPA domain?
Hi, Petr

Thanks for your quick reply.

I want to integrate Linux servers with the existing AD and centrally manage HBAC/Sudo rules.

So I have set up a standalone IPA server with domain 'example.net', trying to sync users from the existing AD to it with the following cmd:

ipa-replica-manage connect --winsync --binddn="cn=ipa,cn=users,dc=examplemedia,dc=net" --bindpw='' --passsync='' --cacert='/etc/openldap/cacerts/ipaad.cer' --win-subtree='ou=users,dc=examplemedia,dc=net' -v ipaad.examplemedia.net

After it has been successfully established, users in AD did not sync to IPA.

For the 'trusts' integration method, since users did not sync to IPA at all, how to set sudo/HBAC rules for users? I have not tried it.

Matrix

-- Original --
From: "Petr Vobornik" <pvobo...@redhat.com>
Date: Thu, Apr 28, 2016 11:21 PM
To: "Matrix" <matrix...@qq.com>; "freeipa-users" <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] is it possible to use 'ipa-replica' to sync user between different suffix AD and IPA domain?

On 04/28/2016 04:44 PM, Matrix wrote:
> Hi, all
>
> I am trying to do a centralized solution.
>
> AD domain is 'examplemedia.net'
>
> IPA domain is 'example.net'
>
> After ipa-replica has been established, I found that nothing has been synced
> from AD to IPA.
>
> IPA version: ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64
>
> I doubt whether a different suffix is supported. If so, can anyone show some
> hints for me to investigate more?
>
> Thanks for your kind help.
>
> Matrix

Hello,

what is your goal and current setup?

By "ipa-replica has been established" do you mean that you installed a new currently standalone IPA server? And connected it somehow with AD?

Or did you run `ipa-replica-manage connect --winsync ...`

It would be good to mention that IPA server[1] cannot be a replica of an AD server. But it can integrate with it. Either by using winsync(synchronization) or the recommended solution: Trusts [2].

Documentation:
[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html
[2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pt02.html

HTH
--
Petr Vobornik
[Freeipa-users] is it possible to use 'ipa-replica' to sync user between different suffix AD and IPA domain?
Hi, all

I am trying to do a centralized solution.

AD domain is 'examplemedia.net'
IPA domain is 'example.net'

After ipa-replica has been established, I found that nothing has been synced from AD to IPA.

IPA version: ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64

I doubt whether a different suffix is supported. If so, can anyone show some hints for me to investigate more?

Thanks for your kind help.

Matrix