[Freeipa-users] LDAP server stops responding after a period of time
I deployed two replicated FreeIPA servers. It worked well until this month, when services started to report that LDAP is timing out. I tried restarting the server, and even reinstalled both IPA servers and restored the data via replication from the other server, and it still happens after several days. The 389-ds server just stops responding to any connection; the weird thing is that the connection is established, but there is no response after the connection. The LDAP server seems to be blocked on something, and even replication is dead because LDAP is blocked. A simple restart does not solve the problem: the LDAP server gets blocked again really soon, which causes other services like the IPA web service or kinit to die too. I guess the blocking is caused by the replication function somehow, since I figured out that I have to close the LDAP port in the blocked server's firewall to isolate it, restart the server, wait about 10 minutes after the server has started, then reopen the LDAP port in the firewall to let replication recover, and everything is fine... I also notice some ns-slapd connections stuck in CLOSE_WAIT, which may be related. I need some help. I am not so familiar with FreeIPA, and have been trying to deal with this problem all week, but nothing works.

FreeIPA server version: 4.8.4
Server system: Fedora 31 (Cloud Edition)

server1 access log:
```
krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink krbAuthIndMaxTicke..."
[08/Mar/2020:10:01:23.390837315 +0800] conn=4 op=6091 RESULT err=0 tag=101 nentries=1 etime=0.000276689
[08/Mar/2020:10:01:23.390906790 +0800] conn=4 op=6092 SRCH base="cn=ENMD.NET,cn=kerberos,dc=enmd,dc=net" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife krbAuthIndMaxRenewableAge"
[08/Mar/2020:10:01:23.391302403 +0800] conn=4 op=6092 RESULT err=0 tag=101 nentries=1 etime=0.000432879
[08/Mar/2020:10:01:23.392418974 +0800] conn=3351 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[08/Mar/2020:10:01:25.953517485 +0800] conn=3352 fd=161 slot=161 connection from .152 to .165
[08/Mar/2020:10:01:27.007620375 +0800] conn=3353 fd=162 slot=162 connection from .154 to .165
[08/Mar/2020:10:01:27.151656148 +0800] conn=3354 fd=163 slot=163 connection from .150 to .165
[08/Mar/2020:10:01:27.559750675 +0800] conn=3355 fd=164 slot=164 connection from .153 to .165
[08/Mar/2020:10:01:39.015400434 +0800] conn=3356 fd=165 slot=165 connection from .154 to .165
[08/Mar/2020:10:01:51.582586229 +0800] conn=3357 fd=166 slot=166 connection from .153 to .165
[08/Mar/2020:10:01:52.513047687 +0800] conn=3358 fd=167 slot=167 connection from .150 to .165
[08/Mar/2020:10:01:53.573811317 +0800] conn=3359 fd=168 slot=168 connection from .152 to .165
[08/Mar/2020:10:02:44.012371005 +0800] conn=3360 fd=169 slot=169 connection from .160 to .165
[08/Mar/2020:10:02:44.419580574 +0800] conn=3361 fd=170 slot=170 connection from .151 to .165
[08/Mar/2020:10:02:45.548493596 +0800] conn=3362 fd=171 slot=171 connection from .153 to .165
[08/Mar/2020:10:02:50.018712852 +0800] conn=3363 fd=172 slot=172 connection from .160 to .165
[08/Mar/2020:10:02:51.081867407 +0800] conn=3364 fd=173 slot=173 connection from .152 to .165
[08/Mar/2020:10:03:04.062925765 +0800] conn=3365 fd=174 slot=174 connection from .154 to .165
[08/Mar/2020:10:03:06.223438080 +0800] conn=3366 fd=175 slot=175 connection from .150 to .165
[08/Mar/2020:10:03:10.063982993 +0800] conn=3367 fd=176 slot=176 connection from .154 to .165
[08/Mar/2020:10:03:52.027006125 +0800] conn=3368 fd=177 slot=177 connection from .153 to .165
[08/Mar/2020:10:03:57.005297121 +0800] conn=3369 fd=178 slot=178 connection from .152 to .165
[08/Mar/2020:10:04:01.001767909 +0800] conn=3370 fd=179 slot=179 connection from .150 to .165
[08/Mar/2020:10:04:08.003082421 +0800] conn=3371 fd=180 slot=180 connection from .154 to .165
[08/Mar/2020:10:04:12.014090964 +0800] conn=3372 fd=181 slot=181 connection from .151 to .165
[08/Mar/2020:10:04:18.140192092 +0800] conn=3373 fd=182 slot=182 connection from .166 to .165
[08/Mar/2020:10:04:20.007046774 +0800] conn=3374 fd=183 slot=183 connection from .154 to .165
[08/Mar/2020:10:04:24.040348027 +0800] conn=3375 fd=184 slot=184 connection from .160 to .165
[08/Mar/2020:10:04:30.139898749 +0800] conn=3376 fd=185 slot=185 connection from .160 to .165
[08/Mar/2020:10:05:22.043556910 +0800] conn=3377 fd=186 slot=186 connection from .160 to .165
[08/Mar/2020:10:05:34.140357676 +0800] conn=3378 fd=187 slot=187 connection from .160 to .165
[08/Mar/2020:10:05:36.006033007 +0800] conn=3379 fd=188 slot=188 connection from .165 to .165
[08/Mar/2020:10:06:07.002808000 +0800] conn=3380 fd=189 slot=189 connection from .150 to .165
[08/Mar/2020:10:06:12.043478717 +0800] conn=3381 fd=190 slot=190 connection from .152 to .165
```
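The access log above has a recognisable shape: from conn=3352 onward the server keeps accepting connections ("connection from ... to .165") but logs no BIND or other operation on any of them, and conn=3351 starts a GSSAPI BIND that never gets a RESULT. The script below is an added example, not code from the original post nor from 389-ds or FreeIPA. It parses access-log lines in this format and reports the two signatures of a listener that has stopped servicing its workers: accepted connections that never issued an operation, and open connections with more requests than RESULT lines. The embedded sample is constructed from the entries quoted above (addresses redacted the same way); the 30-second idle threshold is an assumption.

```python
"""Spot a stalled 389-ds listener from its access log (added example)."""
import re
import sys
from datetime import datetime

# Constructed sample, taken from the entries quoted in the post above with the
# source addresses redacted the same way (".152 to .165"). Not a complete log.
SAMPLE_LOG = """\
[08/Mar/2020:10:01:23.390837315 +0800] conn=4 op=6091 RESULT err=0 tag=101 nentries=1 etime=0.000276689
[08/Mar/2020:10:01:23.390906790 +0800] conn=4 op=6092 SRCH base="cn=ENMD.NET,cn=kerberos,dc=enmd,dc=net" scope=0 filter="(objectClass=krbticketpolicyaux)"
[08/Mar/2020:10:01:23.391302403 +0800] conn=4 op=6092 RESULT err=0 tag=101 nentries=1 etime=0.000432879
[08/Mar/2020:10:01:23.392418974 +0800] conn=3351 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[08/Mar/2020:10:01:25.953517485 +0800] conn=3352 fd=161 slot=161 connection from .152 to .165
[08/Mar/2020:10:01:27.007620375 +0800] conn=3353 fd=162 slot=162 connection from .154 to .165
[08/Mar/2020:10:06:12.043478717 +0800] conn=3381 fd=190 slot=190 connection from .152 to .165
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
TS_RE = re.compile(r"(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\.(\d+) ([+-]\d{4})")
OPEN_RE = re.compile(r"connection from (\S+) to (\S+)")


def parse_ts(text):
    """389-ds timestamps carry nanoseconds; datetime keeps microseconds."""
    m = TS_RE.fullmatch(text)
    base = datetime.strptime(f"{m.group(1)} {m.group(3)}", "%d/%b/%Y:%H:%M:%S %z")
    return base.replace(microsecond=int((m.group(2) + "000000")[:6]))


def analyze(log_text):
    """Return ({conn_id: state}, timestamp of the last parsed line)."""
    conns, last_ts = {}, None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # startup banners and other non-connection lines
        ts, cid, rest = parse_ts(m.group("ts")), int(m.group("conn")), m.group("rest")
        last_ts = ts
        c = conns.setdefault(cid, {"opened": None, "src": None, "ops": 0,
                                   "results": 0, "closed": False})
        tokens = rest.split()
        opened = OPEN_RE.search(rest)
        if opened:
            c["opened"], c["src"] = ts, opened.group(1)
        elif "RESULT" in tokens:
            c["results"] += 1
        elif "closed" in tokens:
            c["closed"] = True
        elif any(t.startswith("op=") for t in tokens):
            c["ops"] += 1  # a request (BIND, SRCH, MOD, ...) awaiting its RESULT
    return conns, last_ts


def stalled_connections(log_text, min_idle_seconds=30):
    """Accepted connections that never sent an operation and are still open
    min_idle_seconds after being accepted, measured at the log's last line."""
    conns, last_ts = analyze(log_text)
    found = []
    for cid, c in sorted(conns.items()):
        if c["opened"] is None or c["closed"] or c["ops"]:
            continue
        idle = (last_ts - c["opened"]).total_seconds()
        if idle >= min_idle_seconds:
            found.append((cid, c["src"], int(idle)))
    return found


def unanswered_connections(log_text):
    """Open connections with more requests than RESULT lines."""
    conns, _ = analyze(log_text)
    return sorted(cid for cid, c in conns.items()
                  if not c["closed"] and c["ops"] > c["results"])


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for cid, src, idle in stalled_connections(text):
        print(f"conn={cid} from {src}: accepted, no operation for {idle}s")
    for cid in unanswered_connections(text):
        print(f"conn={cid}: request(s) without RESULT")
```

Run it against the instance's access log (by default under /var/log/dirsrv/slapd-<INSTANCE>/access). On a healthy server a client normally binds within a second or two of being accepted, so a growing list of idle accepted connections is the server-side view of the hang. The CLOSE_WAIT sockets mentioned above are the matching kernel-side view: CLOSE_WAIT means the peer has already closed and ns-slapd has not called close() on its end, which is what you see when worker threads are stuck; `ss -tnp state close-wait '( sport = :ldap )'` lists them with the owning process. A thread dump of ns-slapd taken while it is hung is the next thing to collect, since it shows what the workers are actually waiting on.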
[Freeipa-users] Re: ansible ipa_group failure
A flag is simply a boolean (True/False, Yes/No) value. In this case, it marks the group as external (one that accepts users from trusted domains) or not. The error message you were receiving means that you tried to modify a group with the same configuration the group already has. This case, IMHO, should be handled by the Ansible module. Oh... as they did here https://github.com/ansible/ansible/pull/26282/files, and just now I realized that while the issue is open, it looks like the fix has already been merged.

Rafael

On Sat, Mar 7, 2020 at 6:23 AM Monkey Bizness via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Solved it.
> So it appears that external: False generates the error.
> If I omit this parameter, the role works as expected.
> "external" is of type flag in the documentation. What is the specificity of flag type?
>
> Regards
> Monkey
>
> On Fri, 2020-03-06 at 14:45 -0300, Rafael Jeffman via FreeIPA-users wrote:
> > Hello,
> >
> > There is an open issue about this:
> > https://github.com/ansible/ansible/issues/25660
> >
> > You can try ansible-freeipa (https://github.com/freeipa/ansible-freeipa), that has an idempotent ipagroup module.
> >
> > Regards,
> >
> > Rafael
> >
> > On Wed, Mar 4, 2020 at 9:54 AM Monkey Bizness via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> > > Hello,
> > >
> > > I am working to automate my freeipa configuration (parts of it at least) and I hit a strange behavior.
> > > I'm not sure if it's a bug or if I'm doing it wrong.
> > >
> > > When creating a user group with the ipa_group ansible role (ansible 2.9.5) it works fine if there are some modifications to perform or if the group doesn't exist.
> > > But if I run it another time, the task fails with the message "msg": "response group_mod: no modifications to be performed"
> > >
> > > It looks like the task sends a modification request with nothing to modify...
> > >
> > > I do not see the same behavior for external groups. The task does nothing, as expected.
> > >
> > > Is it a known issue? Is there a workaround? Am I doing it wrong?
> > >
> > > Here is a sample of code that generates the error.
> > > ---
> > > - name: Playbook to configure IPA clients with username/password
> > >   hosts: localhost
> > >   become: true
> > >
> > >   tasks:
> > >     - name: "Create IPA user group"
> > >       ipa_group:
> > >         cn: "ipagroup"
> > >         external: False
> > >         state: present
> > >         validate_certs: False
> > >         ipa_host: "{{ ipaserver_host }}"
> > >         ipa_user: "{{ ipaadmin_principal }}"
> > >         ipa_pass: "{{ ipaadmin_password }}"
> > > ...
> > >
> > > Thank you
> > > Monkey

-- 
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
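The failure Rafael describes is a module computing a non-empty change set for a group that already matches the playbook, then calling group_mod, which IPA rejects with "no modifications to be performed". The snippet below is an added illustration, not the ansible ipa_group module's code nor the merged fix: a naive diff that treats an absent server-side flag and `external: False` as different, beside a corrected diff that coerces flags to booleans before comparing, and an ensure function that only calls group_mod when there is something to change. `FakeIPA` is a stub constructed for the example; it models IPA's behaviour of storing a cleared flag by omitting the attribute and rejecting a no-op modify, and that model is an assumption. The `cn` and `external` names come from the playbook above; `description` is just an ordinary attribute used for contrast.

```python
"""Idempotent group reconciliation: added example, not the ansible ipa_group
module or its fix. FakeIPA and the attribute model are constructed here."""

FLAG_PARAMS = {"external"}  # "flag" params: boolean, and absent on the server means False


class EmptyModlist(Exception):
    """Stands in for IPA's group_mod error: 'no modifications to be performed'."""


def _norm(value):
    """Assumed server model: a cleared flag/attribute is stored by omitting it."""
    return None if value in (False, None, "") else value


class FakeIPA:
    """Minimal stand-in for the IPA API client, constructed for this example."""

    def __init__(self):
        self.groups = {}
        self.calls = []

    def group_find(self, cn):
        return self.groups.get(cn)

    def group_add(self, cn, **attrs):
        self.calls.append(("group_add", cn))
        self.groups[cn] = {"cn": cn, **{k: v for k, v in attrs.items() if _norm(v) is not None}}

    def group_mod(self, cn, **changes):
        self.calls.append(("group_mod", cn))
        entry = self.groups[cn]
        effective = {k: v for k, v in changes.items() if _norm(entry.get(k)) != _norm(v)}
        if not effective:  # IPA rejects a modify that changes nothing
            raise EmptyModlist("no modifications to be performed")
        for k, v in effective.items():
            if _norm(v) is None:
                entry.pop(k, None)
            else:
                entry[k] = v


def naive_diff(current, desired):
    """Buggy: raw comparison, so 'external: False' against a group that simply
    lacks the attribute looks like a change and triggers a no-op group_mod."""
    return {k: v for k, v in desired.items() if current.get(k) != v}


def normalized_diff(current, desired):
    """Fixed: coerce flags on both sides to bool before comparing."""
    changes = {}
    for key, want in desired.items():
        have = current.get(key)
        if key in FLAG_PARAMS:
            have, want = bool(have), bool(want)
        if have != want:
            changes[key] = want
    return changes


def ensure_group(ipa, cn, diff_fn, **desired):
    """state=present semantics: True if something changed, False if already there."""
    current = ipa.group_find(cn)
    if current is None:
        ipa.group_add(cn, **desired)
        return True
    changes = diff_fn(current, desired)
    if not changes:
        return False  # idempotent: never call group_mod with nothing to do
    ipa.group_mod(cn, **changes)
    return True


def run_twice(diff_fn):
    """Apply the playbook's task twice against a fresh server; report each run."""
    ipa = FakeIPA()
    first = ensure_group(ipa, "ipagroup", diff_fn, external=False)
    try:
        second = ensure_group(ipa, "ipagroup", diff_fn, external=False)
    except EmptyModlist as exc:
        second = f"group_mod: {exc}"
    return first, second


if __name__ == "__main__":
    print("naive     :", run_twice(naive_diff))
    print("normalized:", run_twice(normalized_diff))
```

The second run with `naive_diff` reproduces the thread's error; with `normalized_diff` it reports no change, which is what an idempotent module (and ansible-freeipa's ipagroup) does. The same normalisation is why omitting `external:` from the task works around the bug: nothing is left for the raw comparison to get wrong.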
[Freeipa-users] Re: Ubuntu client: Kerberos works, authentication does not
Do not drop the mailing list, please.

On Sat, 07 Mar 2020, Nick DeMarco wrote:
> root@drupal:~# getent passwd ndemarco

So, SSSD does not see the user.

> root@drupal:~# sssctl domain-status pchem.pro
> Unable to get online status [3]: Communication error
> org.freedesktop.systemd1.NoSuchUnit: Unit sssd-ifp.service not found.
> Unable to get online status
>
> I haven't looked up what might be wrong yet.

Install the sssd-dbus package (or similar in your OS).

In general, please follow https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
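kinit only talks to the KDC, so a valid TGT proves the password and the realm, not that the client's NSS and PAM stacks are wired to SSSD; a console or SSH login goes through pam_sss and the SSSD domain, which is why the checks asked for above are getent for the specific user and sssctl domain-status. The script below is an added example, not from the thread nor from SSSD: it runs those checks plus a PAM-stack check and turns the results into one next step, including the missing InfoPipe case (sssd-ifp.service not found) seen above. The decision logic is a pure function so it can be tested off-host. Package, file and log names are the Debian/Ubuntu and Fedora/RHEL defaults (sssd-dbus, /etc/pam.d/common-auth, /etc/pam.d/system-auth, /var/log/sssd) and are assumptions for other distributions.

```python
"""Triage for 'kinit works but login fails' on an SSSD/IPA client (added example)."""
import re
import shutil
import subprocess
import sys

# Debian/Ubuntu and Fedora/RHEL PAM auth stacks (assumed defaults).
PAM_AUTH_FILES = ["/etc/pam.d/common-auth", "/etc/pam.d/system-auth"]


def diagnose(user_resolved, status_output, pam_uses_sss):
    """Pure decision logic, testable without a joined host.

    user_resolved:  bool, `getent passwd USER` exited 0
    status_output:  text from `sssctl domain-status DOMAIN` (stdout + stderr)
    pam_uses_sss:   bool, pam_sss.so is referenced in the PAM auth stack
    Returns (code, next_step).
    """
    if "NoSuchUnit" in status_output and "sssd-ifp" in status_output:
        return ("infopipe-missing",
                "sssctl needs the InfoPipe responder: install sssd-dbus, restart sssd, re-run")
    if not user_resolved:
        if re.search(r"Online status:\s*Offline", status_output):
            return ("domain-offline",
                    "SSSD is offline: check DNS/SRV records and reachability of the IPA "
                    "server, then /var/log/sssd/sssd_<domain>.log")
        return ("nss-lookup-failed",
                "SSSD does not resolve the user: check the [domain] section of "
                "sssd.conf and run `sssctl user-checks USER`")
    if not pam_uses_sss:
        return ("pam-missing",
                "NSS resolves the user but pam_sss.so is not in the PAM auth stack: "
                "run pam-auth-update (Ubuntu) or authselect select sssd (Fedora/RHEL)")
    return ("check-pam-log",
            "Identity and PAM wiring look right: raise debug_level in sssd.conf and "
            "read /var/log/sssd/sssd_pam.log for the failed authentication")


def collect(user, domain):
    """Run the three checks on this host (needs sssd tools installed)."""
    resolved = subprocess.run(["getent", "passwd", user], capture_output=True).returncode == 0
    if shutil.which("sssctl"):
        proc = subprocess.run(["sssctl", "domain-status", domain], capture_output=True, text=True)
        status = proc.stdout + proc.stderr
    else:
        status = "sssctl not installed"
    pam = False
    for path in PAM_AUTH_FILES:
        try:
            with open(path) as fh:
                pam = pam or "pam_sss.so" in fh.read()
        except OSError:
            pass  # file belongs to the other distro family
    return resolved, status, pam


if __name__ == "__main__":
    code, step = diagnose(*collect(sys.argv[1], sys.argv[2]))
    print(f"{code}: {step}")
```

Usage on the client: `python3 triage.py ndemarco pchem.pro` (run as root so the PAM files are readable). The ordering matters: a broken sssctl is reported first because the domain status is unreliable until the InfoPipe responder exists, and the NSS check comes before the PAM check because pam_sss cannot authenticate a user that NSS cannot resolve.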
[Freeipa-users] Re: Ubuntu client: Kerberos works, authentication does not
On Sat, 07 Mar 2020, Nicholas DeMarco via FreeIPA-users wrote:
> Hello,
>
> I've worked through many issues learning and implementing FreeIPA in my realm. Thanks to many for the helpful direction.
>
> One Ubuntu client is not behaving. It joined successfully, but will not authenticate.
>
> Kerberos works:
>
> # kinit ndemarco
> # klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: ndema...@pchem.pro
>
> Valid starting       Expires              Service principal
> 03/07/2020 12:20:20  03/08/2020 13:20:17  krbtgt/pchem@pchem.pro
>
> However, I cannot log in as the same user. The password is not recognized.
>
> No local user with the same name:
>
> # getent passwd | grep ndemarco
>
> None of the SSSD logs show anything interesting.
>
> I'm a learner. Please give me a hint++ on where to look next.

Don't use 'getent passwd' without an explicit user name. Enumeration of users is disabled by default in SSSD for a good reason, so not being able to see yourself this way is fine.

Does 'getent passwd ndemarco' return anything on that machine? If not, does 'sssctl domain-status pchem.pro' work and show the domain online?

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
[Freeipa-users] Re: Ubuntu client: Kerberos works, authentication does not
The clocks are synchronized. Chrony is working. I believe kinit would not succeed if the clocks were off, no?

On Sat, Mar 7, 2020, 3:00 PM Kevin Vasko wrote:
> Is the clock off? NTP working correctly?
>
> -Kevin
>
> On Mar 7, 2020, at 12:55 PM, Nicholas DeMarco wrote:
> > Good question. Yes. The user is in the admin group and has access to other newly joined machines.
> >
> > On Sat, Mar 7, 2020, 1:39 PM Kevin Vasko wrote:
> > > Does the user have access to the machine?
> > >
> > > -Kevin
> > >
> > > On Mar 7, 2020, at 11:33 AM, Nicholas DeMarco via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
[Freeipa-users] Re: Ubuntu client: Kerberos works, authentication does not
Is the clock off? NTP working correctly?

-Kevin

On Mar 7, 2020, at 12:55 PM, Nicholas DeMarco wrote:
> Good question. Yes. The user is in the admin group and has access to other newly joined machines.
>
> On Sat, Mar 7, 2020, 1:39 PM Kevin Vasko wrote:
> > Does the user have access to the machine?
> >
> > -Kevin
> >
> > On Mar 7, 2020, at 11:33 AM, Nicholas DeMarco via FreeIPA-users wrote:
[Freeipa-users] Re: Ubuntu client: Kerberos works, authentication does not
Good question. Yes. The user is in the admin group and has access to other newly joined machines.

On Sat, Mar 7, 2020, 1:39 PM Kevin Vasko wrote:
> Does the user have access to the machine?
>
> -Kevin
>
> On Mar 7, 2020, at 11:33 AM, Nicholas DeMarco via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
[Freeipa-users] Re: Ubuntu client: Kerberos works, authentication does not
Does the user have access to the machine?

-Kevin

On Mar 7, 2020, at 11:33 AM, Nicholas DeMarco via FreeIPA-users wrote:
[Freeipa-users] Ubuntu client: Kerberos works, authentication does not
Hello,

I've worked through many issues learning and implementing FreeIPA in my realm. Thanks to many for the helpful direction.

One Ubuntu client is not behaving. It joined successfully, but will not authenticate.

Kerberos works:

# kinit ndemarco
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ndema...@pchem.pro

Valid starting       Expires              Service principal
03/07/2020 12:20:20  03/08/2020 13:20:17  krbtgt/pchem@pchem.pro

However, I cannot log in as the same user. The password is not recognized.

No local user with the same name:

# getent passwd | grep ndemarco

None of the SSSD logs show anything interesting.

I'm a learner. Please give me a hint++ on where to look next.

Sincerely,
Nick
[Freeipa-users] Re: ansible ipa_group failure
Solved it.
So it appears that external: False generates the error.
If I omit this parameter, the role works as expected.
"external" is of type flag in the documentation. What is the specificity of flag type?

Regards
Monkey

On Fri, 2020-03-06 at 14:45 -0300, Rafael Jeffman via FreeIPA-users wrote:
> Hello,
>
> There is an open issue about this:
> https://github.com/ansible/ansible/issues/25660
>
> You can try ansible-freeipa (https://github.com/freeipa/ansible-freeipa), that has an idempotent ipagroup module.
>
> Regards,
>
> Rafael
>
> On Wed, Mar 4, 2020 at 9:54 AM Monkey Bizness via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> > Hello,
> >
> > I am working to automate my freeipa configuration (parts of it at least) and I hit a strange behavior.
> > I'm not sure if it's a bug or if I'm doing it wrong.
> >
> > When creating a user group with the ipa_group ansible role (ansible 2.9.5) it works fine if there are some modifications to perform or if the group doesn't exist.
> > But if I run it another time, the task fails with the message "msg": "response group_mod: no modifications to be performed"
> >
> > It looks like the task sends a modification request with nothing to modify...
> >
> > I do not see the same behavior for external groups. The task does nothing, as expected.
> >
> > Is it a known issue? Is there a workaround? Am I doing it wrong?
> >
> > Here is a sample of code that generates the error.
> > ---
> > - name: Playbook to configure IPA clients with username/password
> >   hosts: localhost
> >   become: true
> >
> >   tasks:
> >     - name: "Create IPA user group"
> >       ipa_group:
> >         cn: "ipagroup"
> >         external: False
> >         state: present
> >         validate_certs: False
> >         ipa_host: "{{ ipaserver_host }}"
> >         ipa_user: "{{ ipaadmin_principal }}"
> >         ipa_pass: "{{ ipaadmin_password }}"
> > ...
> >
> > Thank you
> > Monkey