[Freeipa-users] Re: Problems setting up replica on Raspberry Pi 3B (ARM)

1 (Thread 0x9e13c280 (LWP 17245)): > #0 0xb67bbf2e in strlen () at /lib/libc.so.6 > #1 0xb6a06b40 in dosprintf () at /lib/libnspr4.so > #2 0x in None () > > Did you install 389-ds-base-debuginfo ? > How did you get that backtrace ? from a core dumped, pstack ? Can you >

[Freeipa-users] Re: Problems setting up replica on Raspberry Pi 3B (ARM)

Still trying to figure this out. It looks like slapd is dying, I thought it was still running for some reason. slapd is dying to segfault. strace of it happening doesn't seem to reveal much: 18:32:41.543717 (+ 0.000801) openat(AT_FDCWD, "/var/run/dirsrv/slapd-COMPANY-INTERNAL.pid",

[Freeipa-users] Re: Problems setting up replica on Raspberry Pi 3B (ARM)

Could this be part of the problem now? [root@ipa-12 master]# ipa-replica-manage list ipa-12.company.internal ipa-11.company.internal: replica ipa-13.company.internal: replica [root@ipa-12 master]# ipa-replica-manage list ipa-13.company.internal ipa-11.company.internal: replica

[Freeipa-users] Re: Problems setting up replica on Raspberry Pi 3B (ARM)

Anyone have any further suggestions for troubleshooting this issue with the web UI? On Fri, May 18, 2018 at 4:01 PM, Jonathan Vaughn wrote: > httpd error_log > > [Fri May 18 15:58:29.546255 2018] [wsgi:error] [pid 14004:tid 2903716672] > [remote 10.10.11.3:59284] ipa:

[Freeipa-users] Re: Problems setting up replica on Raspberry Pi 3B (ARM)

httpd error_log [Fri May 18 15:58:29.546255 2018] [wsgi:error] [pid 14004:tid 2903716672] [remote 10.10.11.3:59284] ipa: DEBUG: WSGI wsgi_dispatch.__call__: [Fri May 18 15:58:29.547217 2018] [wsgi:error] [pid 14004:tid 2903716672] [remote 10.10.11.3:59284] ipa: DEBUG: WSGI

[Freeipa-users] Re: Problems setting up replica on Raspberry Pi 3B (ARM)

uot; >>> (ipa-12:5)", protocol = 0x2220930, changecounters = 0x20cb180, >>> num_changecounters = 0, >>> max_changecounters = 256, last_update_start_time = 1526499214, >>> last_update_end_time = 1526499214, >>> last_update_status = "Error (0)

[Freeipa-users] Re: Problems setting up replica on Raspberry Pi 3B (ARM)

<rcrit...@redhat.com> wrote: > Jonathan Vaughn via FreeIPA-users wrote: > > Oops, hit reply instead of reply-all > > > > NSPR RPMs > > > > # yum list installed nspr* > > Installed Packages > > nspr.armv7hl > > 4.19.0-1.fc27 > >

[Freeipa-users] Re: Problems setting up replica on Raspberry Pi 3B (ARM)

as planning to just copy the respective binaries on top of > the installed ones), but if it turned out the suggested code changes were > pointless then there's no point waiting for it to finish building. > > On Thu, May 17, 2018 at 4:11 PM, Rob Crittenden <rcrit...@redhat.com&

[Freeipa-users] Re: Problems setting up replica on Raspberry Pi 3B (ARM)

I thought it was fixed. It should have >> been fixed in 1.3.7.10-1 (https://pagure.io/389-ds-base/issue/49618). >> In your debug session go "up" into agmt_maxcsn_update() and do: >> >> (gdb) p *agmt >> >> Then send us that output please. >> >

[Freeipa-users] Re: Problems setting up replica on Raspberry Pi 3B (ARM)

;> '\000' , lock = 0x2741740, consumerRUV = 0x2772e50, >> consumerSchemaCSN = 0x39da520, consumerRID = 4, tmpConsumerRID = 0, >> timeout = 120, stop_in_progress = 0, busywaittime = 0, pausetime = 0, priv >> = 0x0, >> attrs_to_strip = 0x2757ba0, agreement

[Freeipa-users] Re: Problems setting up replica on Raspberry Pi 3B (ARM)

L_SOCKET, >> SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted) >> <0.51> >> 15:13:31.665500 (+ 0.000334) setsockopt(33, SOL_SOCKET, SO_SNDBUF, >> [8388608], 4) = 0 <0.000229> >> 15:13:31.665973 (+ 0.000468) sendmsg(33, &g

[Freeipa-users] Re: Problems setting up replica on Raspberry Pi 3B (ARM)

Copyright (C) 2017 Free Software Foundation, Inc. >> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.h >> tml> >> This is free software: you are free to change and redistribute it. >> There is NO WARRANTY, to the extent permitted by law. Type "sh

[Freeipa-users] Re: Problems setting up replica on Raspberry Pi 3B (ARM)

try the code changes, if that build >> finishes I can try it (I was planning to just copy the respective binaries >> on top of the installed ones), but if it turned out the suggested code >> changes were pointless then there's no point waiting for it to finish >> building. >> >

[Freeipa-users] Re: Problems setting up replica on Raspberry Pi 3B (ARM)

Thanks! I'm looking forward to seeing these fixes hit the Fedora repo :) On Sat, Jun 2, 2018 at 8:07 AM, Mark Reynolds wrote: > I was right I did fix all the ARM issues, but not in 1.3.8, only in > 1.4.0. It was a large change though that required a few patches. I'll see > what I can do about

[Freeipa-users] Re: Problems setting up replica on Raspberry Pi 3B (ARM)

Alright, I think I've got everything* working. (* Not running the CA server on the Arm device, not tested, but from what I've read before I would need to adjust the startup timeout since OpenJDK is so slow). 1) I removed the Arm replica from the cluster and reimaged the device entirely and

[Freeipa-users] Re: Problems setting up replica on Raspberry Pi 3B (ARM)

Created https://pagure.io/389-ds-base/issue/49746 I'll get you the build log once it's done building without the patch. On Fri, Jun 1, 2018 at 3:54 PM, Mark Reynolds wrote: > > > On 06/01/2018 04:32 PM, Jonathan Vaughn wrote: > > Alright, I think I've got everything* working. (* Not running

[Freeipa-users] Problems setting up replica on Raspberry Pi 3B (ARM)

Yes, I know, not recommended etc, low performance. I'm not going to run the CA on it. I just want to have a backup LDAP/Kerberos server. Right now I'm just trying to test things out. I've got a master and a replica (so you could say two masters I suppose) running in Virtualbox VMs, and I'm trying

[Freeipa-users] Re: Problems setting up replica on Raspberry Pi 3B (ARM)

It's still running. Here's the error log from slapd during that run: [01/May/2018:19:22:24.567650453 -0500] - ERR - NSMMReplicationPlugin - multimaster_extop_StartNSDS50ReplicationRequest - conn=42 op=5 replica="dc=company,dc=internal": Unable to acquire replica: error: permission denied

[Freeipa-users] Questions about SSL certificates

Looking at migrating from a hodgepodge of 389 DS, kerberos-ldap, and custom built things that manage our PKI and so on, to FreeIPA (which looks like it can probably cover all our needs), and had a couple of SSL related questions. 1) It looks like improvements are proposed for being able to

[Freeipa-users] Re: Questions about SSL certificates

On Tue, Mar 13, 2018 at 9:07 PM, Fraser Tweedale <ftwee...@redhat.com> wrote: > On Tue, Mar 13, 2018 at 07:41:32PM -0500, Jonathan Vaughn via > FreeIPA-users wrote: > > Looking at migrating from a hodgepodge of 389 DS, kerberos-ldap, and > custom > > built things

[Freeipa-users] Manage public DNS using FreeIPA, when FreeIPA is on internal network/IPs?

If I set up FreeIPA on 10.x.x.x internal IP, and have it manage company.net, it seems to want to set the NS record to it's FQDN that only will be reachable internally. The internal IP is SNAT mapped to an external IP (vs using DMZ), so DNS requests can reach the server via the external IP. Other

[Freeipa-users] Re: Manage public DNS using FreeIPA, when FreeIPA is on internal network/IPs?

Thanks for the pointers / explanations everyone. It would be nice if adding a replica didn't reset the SOA/NS, but the main reason I say that isn't due to the actual work of fixing it, but that once we're set up with replicas in all our offices we'll add new ones so infrequently I guarantee this

[Freeipa-users] Re: Manage public DNS using FreeIPA, when FreeIPA is on internal network/IPs?

As an update, TL;DR it doesn't appear that IPA resets any of my override changes, everything is awesome. Here's copy paste of my followup on another thread I had started asking about allow-recursion specifically (so that if someone stumbles upon this thread instead, they'll get the full howto)

[Freeipa-users] Re: Changing allow-recursion in named.conf - issues / gotchas ?

Well, I've tested this and so far no weirdness has occurred when adding a replica or making various changes via the web UI, as far as I can tell nothing rewrites the named.conf after the replica has been set up. Changed "allow-recursion { any; }" to "allow-recursion { internal; }", and added the

[Freeipa-users] Re: Manage public DNS using FreeIPA, when FreeIPA is on internal network/IPs?

John, thanks for the tip on removing the MNAME to allow the SOA to define it (changing the SOA was actually the first thing I tried, and when that didn't work I remembered reading something about fake_mname, which Google results kept telling me was in named.conf but at some point moved to LDAP and

[Freeipa-users] Re: is anyone running Debian as freeipa-client

Another option might be able to use packages from Ubuntu somehow? I've been playing with a replica on a device (Rock64) running Armbian (which appears mostly Ubuntu based, which in turn is Debian based), and was able to upgrade it from Bionic to Cosmic to get the more recent FreeIPA packages

[Freeipa-users] Changing allow-recursion in named.conf - issues / gotchas ?

We have a use case for letting the FreeIPA named instances handle public DNS for some zones, but we don't want them to allow anyone to use it as a recursive resolver (DOS attacks and such). I tested simply changing 'any' to 'none' for the allow-recursion setting in /etc/named.conf and that worked

[Freeipa-users] Re: Is IPA's DNS working as a recursive DNS server for internal + external requests

We're planning to set it up this way. Going to be switching from our old cobbled together LDAP / etc solution to FreeIPA "Soon" (tm). Have tested things. You'll have to make some changes from defaults. First, for any replica that is going to be serving DNS publicly (in our case, only a few will,

[Freeipa-users] Re: Certmonger spawns many processes, causing huge load due to swapping

ast reduce the impact to just being very annoying. On Wed, May 15, 2019 at 9:00 PM Fraser Tweedale wrote: > On Wed, May 15, 2019 at 05:15:38PM -0400, Rob Crittenden via FreeIPA-users > wrote: > > Jonathan Vaughn via FreeIPA-users wrote: > > > I previously had tested FreeI

[Freeipa-users] Password policy character classes - 8-bit characters?

If I am reading the documentation right, the effect of having the "8-bit" character class (decimal 128 or less - though this seems more like 7 bit plus decimal 128) is that if you change the password policy character classes from 0 (no checking) to 1, almost anything will match, but unicode

[Freeipa-users] pki-tomcat generating ~280MB debug logs per day - best practices for managing disk usage?

Is it safe to nuke older log files? Some of our CA instances are on VMs which were only allocated a reasonable amount of space for just running FreeIPA, and this adds up fast. The ones on physical have space to spare for some time yet, but some day it would be an issue for them too. Is there a

[Freeipa-users] Certmonger spawns many processes, causing huge load due to swapping

I previously had tested FreeIPA running on a Raspberry Pi 3B+ and as long as I didn't run the Dogtag server on it performance seemed acceptable for the purpose. These are only being used as local DNS/LDAP/Krb5 replicas, everything also runs on both physical x86_64 and VM x86_64 servers as well in

[Freeipa-users] Re: Certmonger spawns many processes, causing huge load due to swapping

> being very annoying. > > On Wed, May 15, 2019 at 9:00 PM Fraser Tweedale > wrote: > >> On Wed, May 15, 2019 at 05:15:38PM -0400, Rob Crittenden via >> FreeIPA-users wrote: >> > Jonathan Vaughn via FreeIPA-users wrote: >> > > I previously had tested Fr

[Freeipa-users] Re: Add Subject Alternative Name of HA/LB host to LDAPS servers?

Ah, I didn't realize I could do SSL termination in TCP mode. That would certainly solve our LDAP HA problem with less effort! I'll try that. On Wed, Aug 21, 2019 at 8:27 PM Daniel Oetken via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Why doesn’t terminating SSL on the proxy

[Freeipa-users] Re: Add Subject Alternative Name of HA/LB host to LDAPS servers?

Okay, I think I finally got somewhere. Created the host for the load balancers: # ipa host-add ipa.example.com Added a LDAP service for it: # ipa service-add LDAP/ipa.example.com Added both IPA servers to the "managed by" attribute: # ipa service-add-host LDAP/ipa.example.com --host

[Freeipa-users] Re: Add Subject Alternative Name of HA/LB host to LDAPS servers?

the multiple SRV records or other means of assigning / detecting multiple LDAP servers (i.e. Jira, Confluence, Bitbucket ... ) On Thu, Aug 22, 2019 at 1:22 AM Alexander Bokovoy wrote: > On ke, 21 elo 2019, Jonathan Vaughn via FreeIPA-users wrote: > >Ah, I didn't realize I could do SSL terminati

[Freeipa-users] Re: Add Subject Alternative Name of HA/LB host to LDAPS servers?

.. ) > > Yes, that was clear -- I was more worried on not going that backwards > with LDAPS replacement of what is relying on LDAP STARTTLS + GSSAPI. > > > > >On Thu, Aug 22, 2019 at 1:22 AM Alexander Bokovoy > >wrote: > > > >> On ke, 21 elo 2019, Jonathan Va

[Freeipa-users] Use SSH keys in FreeIPA to access local account on server?

We have some systems which are FreeIPA connected, but (most) users don't log in as themselves, there's a local system account they use instead (simplifies file ownership for website changes and such, for example). Is there a way to have their public keys automatically accepted for this local