Re: [Freeipa-users] Trying to use the CLI logs me out
On 02/26/2014 07:25 AM, Bret Wortman wrote: # script /tmp/out-script Script started, file is /tmp/out-script # ipa help Script done, file is /tmp/out-script # cat /tmp/out-script Script started on Wed 26 Feb 2014 07:18:07 AM EST # ipa help Script done on Wed 26 Feb 2014 07:18:14 AM EST # So then I tried it using script's "-c" option to see if that would make a difference, kind of like strace did: #script -c 'ipa help' /tmp/out-script2 Script started, file is /tmp/out-script2 Usage: ipa [global-options] COMMAND {command-options] Manage an IPA domain Options: : : See "ipa --help" for more information on a specific command. Script done, file is /tmp/out-script2 # cat /tmp/out-script2 Script started on Wed 26 Feb 2014 07:20:27 AM EST Usage: ipa [global-options] COMMAND [command-options] Manage an IPA domain Options: : : These colons... Where do they come from. Can it be that something here is interpreted in strange way? Can be some kind of weird new line conversion in the output that cause the shell to go south? Any strange settings in ENV defining terminal settings? Can you do any python based output? See "ipa --help" for more information on a specific command. Script done on Wed 26 Feb 2014 07:20:28 AM EST # It /looks/ like something is behaving differently when input comes from a tty vice when it doesn't. For grins, I did the same thing using "ipa host-find zw129.damascusgrp.com" and got basically the same result -- an empty log first, then successful completion (including expected results) using the -c option. Bret On 02/25/2014 08:32 PM, Bret Wortman wrote: I'll try that. And you're right--we've tried a number of sub commands. Bret Wortman http://bretwortman.com/ http://twitter.com/BretWortman On Feb 25, 2014, at 8:05 PM, Rob Crittenden wrote: Dmitri Pal wrote: On 02/25/2014 07:31 PM, Bret Wortman wrote: Nope, running with strace lets us use the IPA command again with impunity. Without it, process termination. A theory. Your data has some output that is treated as escape sequence that crushes the shell so your connection is closed. Do you test it with the same command all the time? Have you tried other commands? Can you do a user/group/host add? Can you try other commands? I think he said it fails with a simple ipa help, which eliminates a whole lot of the work we do because it does no networking in that case. Maybe running inside a typescript will show something like weird characters. rob Bret Wortman http://bretwortman.com/ http://twitter.com/BretWortman On Feb 25, 2014, at 6:06 PM, Rob Crittenden wrote: Bret Wortman wrote: I don't know if this will be informative or not, but: # strace -f -o /tmp/out ipa host-find zw129.damascusgrp.com -- 1 host matched -- Host name: zw129.damascusgrp.com : : # I then found this pattern occurring a number of times within the (17564 line) output file: 4229 mmap(NULL, 1052672, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 4237<... close resumed> ) = 0 4229<... mmap resumed> ) = 0x7f936aad2000 4229 read(13, 4237 dup2(7, 0)= 0 4237 dup2(10, 1) = 1 4237 dup2(12, 2) = 2 4237 close(7) = 0 4237 close(10) = 0 4237 close(12) = 0 4237 close(3) = 0 4237 close(4) = 0 4237 close(5) = 0 4237 close(6) = 0 4237 close(7) = -1 EBADF (Bad file descriptor) 4237 close(8) = -1 EBADF (Bad file descriptor) 4237 close(9) = -1 EBADF (Bad file descriptor) 4237 close(10) = -1 EBADF (Bad file descriptor) : : Continues for a thousand entries or so, then : 4237 close(1022) = -1 EBADF (Bad file descriptor) 4237 close(1023) = -1 EBADF (Bad file descriptor) 4237 execve("/bin/keyctl", ["keyctl", "padd", "user", "ipa_session_cookie:ad...@damascusgrp.com", "@s"], [/* 27 vars */] Just noise while we fork off and run another process, in this case keyctl to store the session cookie in the kernel keyring. So running with strace doesn't result in the session logging out? rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/li
Re: [Freeipa-users] Trying to use the CLI logs me out
# script /tmp/out-script Script started, file is /tmp/out-script # ipa help Script done, file is /tmp/out-script # cat /tmp/out-script Script started on Wed 26 Feb 2014 07:18:07 AM EST # ipa help Script done on Wed 26 Feb 2014 07:18:14 AM EST # So then I tried it using script's "-c" option to see if that would make a difference, kind of like strace did: #script -c 'ipa help' /tmp/out-script2 Script started, file is /tmp/out-script2 Usage: ipa [global-options] COMMAND {command-options] Manage an IPA domain Options: : : See "ipa --help" for more information on a specific command. Script done, file is /tmp/out-script2 # cat /tmp/out-script2 Script started on Wed 26 Feb 2014 07:20:27 AM EST Usage: ipa [global-options] COMMAND [command-options] Manage an IPA domain Options: : : See "ipa --help" for more information on a specific command. Script done on Wed 26 Feb 2014 07:20:28 AM EST # It /looks/ like something is behaving differently when input comes from a tty vice when it doesn't. For grins, I did the same thing using "ipa host-find zw129.damascusgrp.com" and got basically the same result -- an empty log first, then successful completion (including expected results) using the -c option. Bret On 02/25/2014 08:32 PM, Bret Wortman wrote: I'll try that. And you're right--we've tried a number of sub commands. Bret Wortman http://bretwortman.com/ http://twitter.com/BretWortman On Feb 25, 2014, at 8:05 PM, Rob Crittenden wrote: Dmitri Pal wrote: On 02/25/2014 07:31 PM, Bret Wortman wrote: Nope, running with strace lets us use the IPA command again with impunity. Without it, process termination. A theory. Your data has some output that is treated as escape sequence that crushes the shell so your connection is closed. Do you test it with the same command all the time? Have you tried other commands? Can you do a user/group/host add? Can you try other commands? I think he said it fails with a simple ipa help, which eliminates a whole lot of the work we do because it does no networking in that case. Maybe running inside a typescript will show something like weird characters. rob Bret Wortman http://bretwortman.com/ http://twitter.com/BretWortman On Feb 25, 2014, at 6:06 PM, Rob Crittenden wrote: Bret Wortman wrote: I don't know if this will be informative or not, but: # strace -f -o /tmp/out ipa host-find zw129.damascusgrp.com -- 1 host matched -- Host name: zw129.damascusgrp.com : : # I then found this pattern occurring a number of times within the (17564 line) output file: 4229 mmap(NULL, 1052672, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 4237 <... close resumed> ) = 0 4229 <... mmap resumed> ) = 0x7f936aad2000 4229 read(13, 4237 dup2(7, 0)= 0 4237 dup2(10, 1) = 1 4237 dup2(12, 2) = 2 4237 close(7) = 0 4237 close(10) = 0 4237 close(12) = 0 4237 close(3) = 0 4237 close(4) = 0 4237 close(5) = 0 4237 close(6) = 0 4237 close(7) = -1 EBADF (Bad file descriptor) 4237 close(8) = -1 EBADF (Bad file descriptor) 4237 close(9) = -1 EBADF (Bad file descriptor) 4237 close(10) = -1 EBADF (Bad file descriptor) : : Continues for a thousand entries or so, then : 4237 close(1022) = -1 EBADF (Bad file descriptor) 4237 close(1023) = -1 EBADF (Bad file descriptor) 4237 execve("/bin/keyctl", ["keyctl", "padd", "user", "ipa_session_cookie:ad...@damascusgrp.com", "@s"], [/* 27 vars */] Just noise while we fork off and run another process, in this case keyctl to store the session cookie in the kernel keyring. So running with strace doesn't result in the session logging out? rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users smime.p7s Description: S/MIME Cryptographic Signature ___ Freeipa-users mailing list Freeipa-users@redhat.com
Re: [Freeipa-users] Trying to use the CLI logs me out
I'll try that. And you're right--we've tried a number of sub commands. Bret Wortman http://bretwortman.com/ http://twitter.com/BretWortman > On Feb 25, 2014, at 8:05 PM, Rob Crittenden wrote: > > Dmitri Pal wrote: >>> On 02/25/2014 07:31 PM, Bret Wortman wrote: >>> Nope, running with strace lets us use the IPA command again with impunity. >>> Without it, process termination. >> >> A theory. Your data has some output that is treated as escape sequence >> that crushes the shell so your connection is closed. >> Do you test it with the same command all the time? >> >> Have you tried other commands? >> Can you do a user/group/host add? >> >> Can you try other commands? > > I think he said it fails with a simple ipa help, which eliminates a whole lot > of the work we do because it does no networking in that case. > > Maybe running inside a typescript will show something like weird characters. > > rob > >> >> >>> >>> >>> Bret Wortman >>> http://bretwortman.com/ >>> http://twitter.com/BretWortman >>> On Feb 25, 2014, at 6:06 PM, Rob Crittenden wrote: Bret Wortman wrote: > I don't know if this will be informative or not, but: > > # strace -f -o /tmp/out ipa host-find zw129.damascusgrp.com > -- > 1 host matched > -- > Host name: zw129.damascusgrp.com > : > : > # > > I then found this pattern occurring a number of times within the (17564 > line) output file: > > 4229 mmap(NULL, 1052672, PROT_READ|PROT_WRITE, > MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 > 4237 <... close resumed> ) = 0 > 4229 <... mmap resumed> ) = 0x7f936aad2000 > 4229 read(13, > 4237 dup2(7, 0)= 0 > 4237 dup2(10, 1) = 1 > 4237 dup2(12, 2) = 2 > 4237 close(7) = 0 > 4237 close(10) = 0 > 4237 close(12) = 0 > 4237 close(3) = 0 > 4237 close(4) = 0 > 4237 close(5) = 0 > 4237 close(6) = 0 > 4237 close(7) = -1 EBADF (Bad file descriptor) > 4237 close(8) = -1 EBADF (Bad file descriptor) > 4237 close(9) = -1 EBADF (Bad file descriptor) > 4237 close(10) = -1 EBADF (Bad file descriptor) > : > : Continues for a thousand entries or so, then > : > 4237 close(1022) = -1 EBADF (Bad file descriptor) > 4237 close(1023) = -1 EBADF (Bad file descriptor) > 4237 execve("/bin/keyctl", ["keyctl", "padd", "user", > "ipa_session_cookie:ad...@damascusgrp.com", "@s"], [/* 27 vars */] > Just noise while we fork off and run another process, in this case keyctl to store the session cookie in the kernel keyring. So running with strace doesn't result in the session logging out? rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users >> >> >> -- >> Thank you, >> Dmitri Pal >> >> Sr. Engineering Manager for IdM portfolio >> Red Hat Inc. >> >> >> --- >> Looking to carve out IT costs? >> www.redhat.com/carveoutcosts/ >> >> >> >> >> ___ >> Freeipa-users mailing list >> Freeipa-users@redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users smime.p7s Description: S/MIME cryptographic signature ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Trying to use the CLI logs me out
Dmitri Pal wrote: On 02/25/2014 07:31 PM, Bret Wortman wrote: Nope, running with strace lets us use the IPA command again with impunity. Without it, process termination. A theory. Your data has some output that is treated as escape sequence that crushes the shell so your connection is closed. Do you test it with the same command all the time? Have you tried other commands? Can you do a user/group/host add? Can you try other commands? I think he said it fails with a simple ipa help, which eliminates a whole lot of the work we do because it does no networking in that case. Maybe running inside a typescript will show something like weird characters. rob Bret Wortman http://bretwortman.com/ http://twitter.com/BretWortman On Feb 25, 2014, at 6:06 PM, Rob Crittenden wrote: Bret Wortman wrote: I don't know if this will be informative or not, but: # strace -f -o /tmp/out ipa host-find zw129.damascusgrp.com -- 1 host matched -- Host name: zw129.damascusgrp.com : : # I then found this pattern occurring a number of times within the (17564 line) output file: 4229 mmap(NULL, 1052672, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 4237 <... close resumed> ) = 0 4229 <... mmap resumed> ) = 0x7f936aad2000 4229 read(13, 4237 dup2(7, 0)= 0 4237 dup2(10, 1) = 1 4237 dup2(12, 2) = 2 4237 close(7) = 0 4237 close(10) = 0 4237 close(12) = 0 4237 close(3) = 0 4237 close(4) = 0 4237 close(5) = 0 4237 close(6) = 0 4237 close(7) = -1 EBADF (Bad file descriptor) 4237 close(8) = -1 EBADF (Bad file descriptor) 4237 close(9) = -1 EBADF (Bad file descriptor) 4237 close(10) = -1 EBADF (Bad file descriptor) : : Continues for a thousand entries or so, then : 4237 close(1022) = -1 EBADF (Bad file descriptor) 4237 close(1023) = -1 EBADF (Bad file descriptor) 4237 execve("/bin/keyctl", ["keyctl", "padd", "user", "ipa_session_cookie:ad...@damascusgrp.com", "@s"], [/* 27 vars */] Just noise while we fork off and run another process, in this case keyctl to store the session cookie in the kernel keyring. So running with strace doesn't result in the session logging out? rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Trying to use the CLI logs me out
On 02/25/2014 07:31 PM, Bret Wortman wrote: Nope, running with strace lets us use the IPA command again with impunity. Without it, process termination. A theory. Your data has some output that is treated as escape sequence that crushes the shell so your connection is closed. Do you test it with the same command all the time? Have you tried other commands? Can you do a user/group/host add? Can you try other commands? Bret Wortman http://bretwortman.com/ http://twitter.com/BretWortman On Feb 25, 2014, at 6:06 PM, Rob Crittenden wrote: Bret Wortman wrote: I don't know if this will be informative or not, but: # strace -f -o /tmp/out ipa host-find zw129.damascusgrp.com -- 1 host matched -- Host name: zw129.damascusgrp.com : : # I then found this pattern occurring a number of times within the (17564 line) output file: 4229 mmap(NULL, 1052672, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 4237<... close resumed> ) = 0 4229<... mmap resumed> ) = 0x7f936aad2000 4229 read(13, 4237 dup2(7, 0)= 0 4237 dup2(10, 1) = 1 4237 dup2(12, 2) = 2 4237 close(7) = 0 4237 close(10) = 0 4237 close(12) = 0 4237 close(3) = 0 4237 close(4) = 0 4237 close(5) = 0 4237 close(6) = 0 4237 close(7) = -1 EBADF (Bad file descriptor) 4237 close(8) = -1 EBADF (Bad file descriptor) 4237 close(9) = -1 EBADF (Bad file descriptor) 4237 close(10) = -1 EBADF (Bad file descriptor) : : Continues for a thousand entries or so, then : 4237 close(1022) = -1 EBADF (Bad file descriptor) 4237 close(1023) = -1 EBADF (Bad file descriptor) 4237 execve("/bin/keyctl", ["keyctl", "padd", "user", "ipa_session_cookie:ad...@damascusgrp.com", "@s"], [/* 27 vars */] Just noise while we fork off and run another process, in this case keyctl to store the session cookie in the kernel keyring. So running with strace doesn't result in the session logging out? rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Trying to use the CLI logs me out
Nope, running with strace lets us use the IPA command again with impunity. Without it, process termination. Bret Wortman http://bretwortman.com/ http://twitter.com/BretWortman > On Feb 25, 2014, at 6:06 PM, Rob Crittenden wrote: > > Bret Wortman wrote: >> I don't know if this will be informative or not, but: >> >> # strace -f -o /tmp/out ipa host-find zw129.damascusgrp.com >> -- >> 1 host matched >> -- >> Host name: zw129.damascusgrp.com >> : >> : >> # >> >> I then found this pattern occurring a number of times within the (17564 >> line) output file: >> >> 4229 mmap(NULL, 1052672, PROT_READ|PROT_WRITE, >> MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 >> 4237 <... close resumed> ) = 0 >> 4229 <... mmap resumed> ) = 0x7f936aad2000 >> 4229 read(13, >> 4237 dup2(7, 0)= 0 >> 4237 dup2(10, 1) = 1 >> 4237 dup2(12, 2) = 2 >> 4237 close(7) = 0 >> 4237 close(10) = 0 >> 4237 close(12) = 0 >> 4237 close(3) = 0 >> 4237 close(4) = 0 >> 4237 close(5) = 0 >> 4237 close(6) = 0 >> 4237 close(7) = -1 EBADF (Bad file descriptor) >> 4237 close(8) = -1 EBADF (Bad file descriptor) >> 4237 close(9) = -1 EBADF (Bad file descriptor) >> 4237 close(10) = -1 EBADF (Bad file descriptor) >> : >> : Continues for a thousand entries or so, then >> : >> 4237 close(1022) = -1 EBADF (Bad file descriptor) >> 4237 close(1023) = -1 EBADF (Bad file descriptor) >> 4237 execve("/bin/keyctl", ["keyctl", "padd", "user", >> "ipa_session_cookie:ad...@damascusgrp.com", "@s"], [/* 27 vars */] >> > > Just noise while we fork off and run another process, in this case keyctl to > store the session cookie in the kernel keyring. > > So running with strace doesn't result in the session logging out? > > rob > smime.p7s Description: S/MIME cryptographic signature ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Trying to use the CLI logs me out
Bret Wortman wrote: I don't know if this will be informative or not, but: # strace -f -o /tmp/out ipa host-find zw129.damascusgrp.com -- 1 host matched -- Host name: zw129.damascusgrp.com : : # I then found this pattern occurring a number of times within the (17564 line) output file: 4229 mmap(NULL, 1052672, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 4237 <... close resumed> ) = 0 4229 <... mmap resumed> ) = 0x7f936aad2000 4229 read(13, 4237 dup2(7, 0)= 0 4237 dup2(10, 1) = 1 4237 dup2(12, 2) = 2 4237 close(7) = 0 4237 close(10) = 0 4237 close(12) = 0 4237 close(3) = 0 4237 close(4) = 0 4237 close(5) = 0 4237 close(6) = 0 4237 close(7) = -1 EBADF (Bad file descriptor) 4237 close(8) = -1 EBADF (Bad file descriptor) 4237 close(9) = -1 EBADF (Bad file descriptor) 4237 close(10) = -1 EBADF (Bad file descriptor) : : Continues for a thousand entries or so, then : 4237 close(1022) = -1 EBADF (Bad file descriptor) 4237 close(1023) = -1 EBADF (Bad file descriptor) 4237 execve("/bin/keyctl", ["keyctl", "padd", "user", "ipa_session_cookie:ad...@damascusgrp.com", "@s"], [/* 27 vars */] Just noise while we fork off and run another process, in this case keyctl to store the session cookie in the kernel keyring. So running with strace doesn't result in the session logging out? rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Trying to use the CLI logs me out
On 25.2.2014 19:10, Bret Wortman wrote: I don't know if this will be informative or not, but: # strace -f -o /tmp/out ipa host-find zw129.damascusgrp.com -- 1 host matched -- Host name: zw129.damascusgrp.com : : # I then found this pattern occurring a number of times within the (17564 line) output file: 4229 mmap(NULL, 1052672, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 4237 <... close resumed> ) = 0 4229 <... mmap resumed> ) = 0x7f936aad2000 4229 read(13, 4237 dup2(7, 0)= 0 4237 dup2(10, 1) = 1 4237 dup2(12, 2) = 2 4237 close(7) = 0 4237 close(10) = 0 4237 close(12) = 0 4237 close(3) = 0 4237 close(4) = 0 4237 close(5) = 0 4237 close(6) = 0 4237 close(7) = -1 EBADF (Bad file descriptor) 4237 close(8) = -1 EBADF (Bad file descriptor) 4237 close(9) = -1 EBADF (Bad file descriptor) 4237 close(10) = -1 EBADF (Bad file descriptor) : : Continues for a thousand entries or so, then : 4237 close(1022) = -1 EBADF (Bad file descriptor) 4237 close(1023) = -1 EBADF (Bad file descriptor) 4237 execve("/bin/keyctl", ["keyctl", "padd", "user", "ipa_session_cookie:ad...@damascusgrp.com", "@s"], [/* 27 vars */] Interesting, or just noise? This is just a noise, unfortunately. It is common practice to close all file descriptors before you start a new program. Petr^2 Spacek On 02/21/2014 02:50 PM, Bret Wortman wrote: D'oh! I'm blaming Friday. Didn't think to heck. Will try Monday. Bret Wortman http://bretwortman.com/ http://twitter.com/BretWortman On Feb 21, 2014, at 2:13 PM, Mauricio Tavares wrote: On Fri, Feb 21, 2014 at 2:05 PM, Bret Wortman wrote: Bizarre. # strace -f -o /tmp/out ipa help Usage: ipa [global-options] COMMAND [command-options] : : : # ipa help Connection to ipamaster closed. $ When you logged back in, did /tmp/out have anything interesting? On 02/21/2014 01:36 PM, Rob Crittenden wrote: Bret Wortman wrote: I'm getting ready to leave for the weekend, and this isn't the kind of thing I want to track down on a Friday, but if anyone has any ideas for things I should look at come Monday morning, I'd be very appreciative. I've got a system with 12 replicas, and no matter which IPA server I log into and try to run "ipa" CLI commands on (even "ipa help"), I get my session terminated. I also tried from a client system that has the ipatools rpm installed, and in that case I got bounced out of my sudo'd root session. I need to figure this out because something's obviously amiss, and we have discovered a number of systems that are lacking Kerberos keys. I was hoping the CLI would provide the mechanism to get them fixed. We're also trying to track down a 6-10 second delay every time a user logs in using SSSD to authenticate; the password check passes almost instantly, but something is taking up an additional bunch of time and my users are starting to complain. So I need to get past this so I can debug that. Thanks, and have a great weekend, all. For the life of me I can't figure out what the ipa command might do that would log you out. I think brute force might be a way to go with this: strace -f o /tmp/out ipa help Then go back in and see what happened. As for login delay you may want to pick a client system and bump up the sssd debug level and see if that provides any clues. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Trying to use the CLI logs me out
I don't know if this will be informative or not, but: # strace -f -o /tmp/out ipa host-find zw129.damascusgrp.com -- 1 host matched -- Host name: zw129.damascusgrp.com : : # I then found this pattern occurring a number of times within the (17564 line) output file: 4229 mmap(NULL, 1052672, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 4237 <... close resumed> ) = 0 4229 <... mmap resumed> ) = 0x7f936aad2000 4229 read(13, 4237 dup2(7, 0)= 0 4237 dup2(10, 1) = 1 4237 dup2(12, 2) = 2 4237 close(7) = 0 4237 close(10) = 0 4237 close(12) = 0 4237 close(3) = 0 4237 close(4) = 0 4237 close(5) = 0 4237 close(6) = 0 4237 close(7) = -1 EBADF (Bad file descriptor) 4237 close(8) = -1 EBADF (Bad file descriptor) 4237 close(9) = -1 EBADF (Bad file descriptor) 4237 close(10) = -1 EBADF (Bad file descriptor) : : Continues for a thousand entries or so, then : 4237 close(1022) = -1 EBADF (Bad file descriptor) 4237 close(1023) = -1 EBADF (Bad file descriptor) 4237 execve("/bin/keyctl", ["keyctl", "padd", "user", "ipa_session_cookie:ad...@damascusgrp.com", "@s"], [/* 27 vars */] Interesting, or just noise? On 02/21/2014 02:50 PM, Bret Wortman wrote: D'oh! I'm blaming Friday. Didn't think to heck. Will try Monday. Bret Wortman http://bretwortman.com/ http://twitter.com/BretWortman On Feb 21, 2014, at 2:13 PM, Mauricio Tavares wrote: On Fri, Feb 21, 2014 at 2:05 PM, Bret Wortman wrote: Bizarre. # strace -f -o /tmp/out ipa help Usage: ipa [global-options] COMMAND [command-options] : : : # ipa help Connection to ipamaster closed. $ When you logged back in, did /tmp/out have anything interesting? On 02/21/2014 01:36 PM, Rob Crittenden wrote: Bret Wortman wrote: I'm getting ready to leave for the weekend, and this isn't the kind of thing I want to track down on a Friday, but if anyone has any ideas for things I should look at come Monday morning, I'd be very appreciative. I've got a system with 12 replicas, and no matter which IPA server I log into and try to run "ipa" CLI commands on (even "ipa help"), I get my session terminated. I also tried from a client system that has the ipatools rpm installed, and in that case I got bounced out of my sudo'd root session. I need to figure this out because something's obviously amiss, and we have discovered a number of systems that are lacking Kerberos keys. I was hoping the CLI would provide the mechanism to get them fixed. We're also trying to track down a 6-10 second delay every time a user logs in using SSSD to authenticate; the password check passes almost instantly, but something is taking up an additional bunch of time and my users are starting to complain. So I need to get past this so I can debug that. Thanks, and have a great weekend, all. For the life of me I can't figure out what the ipa command might do that would log you out. I think brute force might be a way to go with this: strace -f o /tmp/out ipa help Then go back in and see what happened. As for login delay you may want to pick a client system and bump up the sssd debug level and see if that provides any clues. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users smime.p7s Description: S/MIME Cryptographic Signature ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Trying to use the CLI logs me out
D'oh! I'm blaming Friday. Didn't think to heck. Will try Monday. Bret Wortman http://bretwortman.com/ http://twitter.com/BretWortman > On Feb 21, 2014, at 2:13 PM, Mauricio Tavares wrote: > > On Fri, Feb 21, 2014 at 2:05 PM, Bret Wortman > wrote: >> Bizarre. >> >> # strace -f -o /tmp/out ipa help >> >> Usage: ipa [global-options] COMMAND [command-options] >> >> : >> >> : >> >> : >> >> >> # ipa help >> >> Connection to ipamaster closed. >> >> $ > When you logged back in, did /tmp/out have anything interesting? >> >> >> >>> On 02/21/2014 01:36 PM, Rob Crittenden wrote: >>> >>> Bret Wortman wrote: I'm getting ready to leave for the weekend, and this isn't the kind of thing I want to track down on a Friday, but if anyone has any ideas for things I should look at come Monday morning, I'd be very appreciative. I've got a system with 12 replicas, and no matter which IPA server I log into and try to run "ipa" CLI commands on (even "ipa help"), I get my session terminated. I also tried from a client system that has the ipatools rpm installed, and in that case I got bounced out of my sudo'd root session. I need to figure this out because something's obviously amiss, and we have discovered a number of systems that are lacking Kerberos keys. I was hoping the CLI would provide the mechanism to get them fixed. We're also trying to track down a 6-10 second delay every time a user logs in using SSSD to authenticate; the password check passes almost instantly, but something is taking up an additional bunch of time and my users are starting to complain. So I need to get past this so I can debug that. Thanks, and have a great weekend, all. >>> >>> >>> For the life of me I can't figure out what the ipa command might do that >>> would log you out. I think brute force might be a way to go with this: >>> >>> strace -f o /tmp/out ipa help >>> >>> Then go back in and see what happened. >>> >>> As for login delay you may want to pick a client system and bump up the >>> sssd debug level and see if that provides any clues. >>> >>> rob >> >> >> >> >> ___ >> Freeipa-users mailing list >> Freeipa-users@redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users smime.p7s Description: S/MIME cryptographic signature ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Trying to use the CLI logs me out
On Fri, Feb 21, 2014 at 2:05 PM, Bret Wortman wrote: > Bizarre. > > # strace -f -o /tmp/out ipa help > > Usage: ipa [global-options] COMMAND [command-options] > > : > > : > > : > > > # ipa help > > Connection to ipamaster closed. > > $ > When you logged back in, did /tmp/out have anything interesting? > > > > On 02/21/2014 01:36 PM, Rob Crittenden wrote: >> >> Bret Wortman wrote: >>> >>> I'm getting ready to leave for the weekend, and this isn't the kind of >>> thing I want to track down on a Friday, but if anyone has any ideas for >>> things I should look at come Monday morning, I'd be very appreciative. >>> >>> I've got a system with 12 replicas, and no matter which IPA server I log >>> into and try to run "ipa" CLI commands on (even "ipa help"), I get my >>> session terminated. I also tried from a client system that has the >>> ipatools rpm installed, and in that case I got bounced out of my sudo'd >>> root session. >>> >>> I need to figure this out because something's obviously amiss, and we >>> have discovered a number of systems that are lacking Kerberos keys. I >>> was hoping the CLI would provide the mechanism to get them fixed. We're >>> also trying to track down a 6-10 second delay every time a user logs in >>> using SSSD to authenticate; the password check passes almost instantly, >>> but something is taking up an additional bunch of time and my users are >>> starting to complain. So I need to get past this so I can debug that. >>> >>> Thanks, and have a great weekend, all. >> >> >> For the life of me I can't figure out what the ipa command might do that >> would log you out. I think brute force might be a way to go with this: >> >> strace -f o /tmp/out ipa help >> >> Then go back in and see what happened. >> >> As for login delay you may want to pick a client system and bump up the >> sssd debug level and see if that provides any clues. >> >> rob > > > > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Trying to use the CLI logs me out
Bizarre. # strace -f -o /tmp/out ipa help Usage: ipa [global-options] COMMAND [command-options] : : : # ipa help Connection to ipamaster closed. $ On 02/21/2014 01:36 PM, Rob Crittenden wrote: Bret Wortman wrote: I'm getting ready to leave for the weekend, and this isn't the kind of thing I want to track down on a Friday, but if anyone has any ideas for things I should look at come Monday morning, I'd be very appreciative. I've got a system with 12 replicas, and no matter which IPA server I log into and try to run "ipa" CLI commands on (even "ipa help"), I get my session terminated. I also tried from a client system that has the ipatools rpm installed, and in that case I got bounced out of my sudo'd root session. I need to figure this out because something's obviously amiss, and we have discovered a number of systems that are lacking Kerberos keys. I was hoping the CLI would provide the mechanism to get them fixed. We're also trying to track down a 6-10 second delay every time a user logs in using SSSD to authenticate; the password check passes almost instantly, but something is taking up an additional bunch of time and my users are starting to complain. So I need to get past this so I can debug that. Thanks, and have a great weekend, all. For the life of me I can't figure out what the ipa command might do that would log you out. I think brute force might be a way to go with this: strace -f o /tmp/out ipa help Then go back in and see what happened. As for login delay you may want to pick a client system and bump up the sssd debug level and see if that provides any clues. rob smime.p7s Description: S/MIME Cryptographic Signature ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Trying to use the CLI logs me out
Sorry, I wasn't clear at all. Running the "ipa" command terminates my session. I can log in just fine. All the IPA services appear to be working. But no interaction via the command line is possible; it all ends with terminated sessions after about a 5 second pause: [ipamaster]# ipa help Connection to ipamaster closed. [desktop]$ On 02/21/2014 01:27 PM, Jakub Hrozek wrote: On Fri, Feb 21, 2014 at 01:15:52PM -0500, Bret Wortman wrote: I'm getting ready to leave for the weekend, and this isn't the kind of thing I want to track down on a Friday, but if anyone has any ideas for things I should look at come Monday morning, I'd be very appreciative. I've got a system with 12 replicas, and no matter which IPA server I log into and try to run "ipa" CLI commands on (even "ipa help"), I get my session terminated. I also tried from a client system that has the ipatools rpm installed, and in that case I got bounced out of my sudo'd root session. I'm not sure I understand, does the login itself fail or do you log in fine, but running 'ipa' kicks you out? Does login as root (or a local, non-ipa user) work? I need to figure this out because something's obviously amiss, and we have discovered a number of systems that are lacking Kerberos keys. I was hoping the CLI would provide the mechanism to get them fixed. We're also trying to track down a 6-10 second delay every time a user logs in using SSSD to authenticate; the password check passes almost instantly, but something is taking up an additional bunch of time and my users are starting to complain. So I need to get past this so I can debug that. What SSSD version is this? Can we see the logs to take a look where the delay is? ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users smime.p7s Description: S/MIME Cryptographic Signature ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Trying to use the CLI logs me out
On Fri, Feb 21, 2014 at 1:36 PM, Rob Crittenden wrote: > Bret Wortman wrote: >> >> I'm getting ready to leave for the weekend, and this isn't the kind of >> thing I want to track down on a Friday, but if anyone has any ideas for >> things I should look at come Monday morning, I'd be very appreciative. >> >> I've got a system with 12 replicas, and no matter which IPA server I log >> into and try to run "ipa" CLI commands on (even "ipa help"), I get my >> session terminated. I also tried from a client system that has the >> ipatools rpm installed, and in that case I got bounced out of my sudo'd >> root session. >> >> I need to figure this out because something's obviously amiss, and we >> have discovered a number of systems that are lacking Kerberos keys. I >> was hoping the CLI would provide the mechanism to get them fixed. We're >> also trying to track down a 6-10 second delay every time a user logs in >> using SSSD to authenticate; the password check passes almost instantly, >> but something is taking up an additional bunch of time and my users are >> starting to complain. So I need to get past this so I can debug that. >> >> Thanks, and have a great weekend, all. > > > For the life of me I can't figure out what the ipa command might do that > would log you out. I think brute force might be a way to go with this: > > strace -f o /tmp/out ipa help > > Then go back in and see what happened. > > As for login delay you may want to pick a client system and bump up the sssd > debug level and see if that provides any clues. > I would also run ldapsearch in the client after you manually kinit'ed, to see which part of the show is boink. > rob > > > ___ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Trying to use the CLI logs me out
Bret Wortman wrote: I'm getting ready to leave for the weekend, and this isn't the kind of thing I want to track down on a Friday, but if anyone has any ideas for things I should look at come Monday morning, I'd be very appreciative. I've got a system with 12 replicas, and no matter which IPA server I log into and try to run "ipa" CLI commands on (even "ipa help"), I get my session terminated. I also tried from a client system that has the ipatools rpm installed, and in that case I got bounced out of my sudo'd root session. I need to figure this out because something's obviously amiss, and we have discovered a number of systems that are lacking Kerberos keys. I was hoping the CLI would provide the mechanism to get them fixed. We're also trying to track down a 6-10 second delay every time a user logs in using SSSD to authenticate; the password check passes almost instantly, but something is taking up an additional bunch of time and my users are starting to complain. So I need to get past this so I can debug that. Thanks, and have a great weekend, all. For the life of me I can't figure out what the ipa command might do that would log you out. I think brute force might be a way to go with this: strace -f o /tmp/out ipa help Then go back in and see what happened. As for login delay you may want to pick a client system and bump up the sssd debug level and see if that provides any clues. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Trying to use the CLI logs me out
On Fri, Feb 21, 2014 at 01:15:52PM -0500, Bret Wortman wrote: > I'm getting ready to leave for the weekend, and this isn't the kind > of thing I want to track down on a Friday, but if anyone has any > ideas for things I should look at come Monday morning, I'd be very > appreciative. > > I've got a system with 12 replicas, and no matter which IPA server I > log into and try to run "ipa" CLI commands on (even "ipa help"), I > get my session terminated. I also tried from a client system that > has the ipatools rpm installed, and in that case I got bounced out > of my sudo'd root session. I'm not sure I understand, does the login itself fail or do you log in fine, but running 'ipa' kicks you out? Does login as root (or a local, non-ipa user) work? > > I need to figure this out because something's obviously amiss, and > we have discovered a number of systems that are lacking Kerberos > keys. I was hoping the CLI would provide the mechanism to get them > fixed. We're also trying to track down a 6-10 second delay every > time a user logs in using SSSD to authenticate; the password check > passes almost instantly, but something is taking up an additional > bunch of time and my users are starting to complain. So I need to > get past this so I can debug that. What SSSD version is this? Can we see the logs to take a look where the delay is? ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Trying to use the CLI logs me out
I'm getting ready to leave for the weekend, and this isn't the kind of thing I want to track down on a Friday, but if anyone has any ideas for things I should look at come Monday morning, I'd be very appreciative. I've got a system with 12 replicas, and no matter which IPA server I log into and try to run "ipa" CLI commands on (even "ipa help"), I get my session terminated. I also tried from a client system that has the ipatools rpm installed, and in that case I got bounced out of my sudo'd root session. I need to figure this out because something's obviously amiss, and we have discovered a number of systems that are lacking Kerberos keys. I was hoping the CLI would provide the mechanism to get them fixed. We're also trying to track down a 6-10 second delay every time a user logs in using SSSD to authenticate; the password check passes almost instantly, but something is taking up an additional bunch of time and my users are starting to complain. So I need to get past this so I can debug that. Thanks, and have a great weekend, all. -- Bret Wortman http://damascusgrp.com/ http://about.me/wortmanbret smime.p7s Description: S/MIME Cryptographic Signature ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users