Re: [Freeipa-users] Malformed representation of principal - krb5_child.log

2017-04-28 Thread Sullivan, Daniel [CRI]
and Jakub for your help. Have a nice weekend. Dan > On Apr 28, 2017, at 10:34 AM, Jakub Hrozek <jhro...@redhat.com> wrote: > > On Fri, Apr 28, 2017 at 03:28:31PM +0000, Sullivan, Daniel [CRI] wrote: >> Hi, Sumit, >> >> Thank you for taking the time to res

Re: [Freeipa-users] Malformed representation of principal - krb5_child.log

2017-04-28 Thread Sullivan, Daniel [CRI]
> On Fri, Apr 28, 2017 at 02:54:44PM +0000, Sullivan, Daniel [CRI] wrote: >> HI, >> >> I haven’t posted in a while, I hope everybody is doing well. I have a >> problem that I am having a difficult time diagnosing. To start, I want to >> say that we have a pret

[Freeipa-users] Malformed representation of principal - krb5_child.log

2017-04-28 Thread Sullivan, Daniel [CRI]
HI, I haven’t posted in a while, I hope everybody is doing well. I have a problem that I am having a difficult time diagnosing. To start, I want to say that we have a pretty large IPA environment. It generally works good. Most of our servers are of the same flavor RHEL6/7, and pull down

Re: [Freeipa-users] Cannot install 3rd party certificate

2017-02-13 Thread Sullivan, Daniel [CRI]
Is the chain in mydomain_com_bundle.crt? Have you tried it with the cert only (disclaimer: I’ve never done this). Dan > On Feb 13, 2017, at 4:08 PM, Matt . wrote: > > Hi Guys, > > I'm trying to install a 3rd party certificate using: > >

Re: [Freeipa-users] Needs help understand this timeout issue

2017-02-08 Thread Sullivan, Daniel [CRI]
> the entire group info? >> >> I can see, that even though the cache is refreshed the attribute >> initgrExpireTimestamp (in the ldb cache) isn't updated. >> I have been unable to find out exactly what this controls? >> >> lastUpdate and dataExpireTimesta

Re: [Freeipa-users] Needs help understand this timeout issue

2017-02-06 Thread Sullivan, Daniel [CRI]
find out exactly what this controls? lastUpdate and dataExpireTimestamp is updated to the time stamp of when the refresh ran. - On Feb 1, 2017, at 2:27 PM, Sullivan, Daniel [CRI] dsulliv...@bsd.uchicago.edu wrote: Have you checked to see if the user is expired in the cache, or i

Re: [Freeipa-users] freeipa hostbased auth "connection closed"

2017-02-05 Thread Sullivan, Daniel [CRI]
Also, check your sshd configuration, there might be some restriction in there. Dan > On Feb 5, 2017, at 8:21 AM, Sullivan, Daniel [CRI] > <dsulliv...@bsd.uchicago.edu> wrote: > > Did you check /var/log/messages and /var/log/secure? I think I’ve seen > problems with h

Re: [Freeipa-users] freeipa hostbased auth "connection closed"

2017-02-05 Thread Sullivan, Daniel [CRI]
Did you check /var/log/messages and /var/log/secure? I think I’ve seen problems with hosts.allow/hosts.deny dump output in there. Dan On Feb 5, 2017, at 8:17 AM, Rakesh Rajasekharan > wrote: Hi, I am running a freeipa

Re: [Freeipa-users] ipactl services running, but auth not working

2017-02-04 Thread Sullivan, Daniel [CRI]
, at 4:11 PM, pgb205 <pgb...@yahoo.com> wrote: there are reports from multiple clients being unable to authenticate. ipactl status shows all services as running. The problem is fixed when I 'ipactl restart'. From: "Sull

Re: [Freeipa-users] ipactl services running, but auth not working

2017-02-03 Thread Sullivan, Daniel [CRI]
iding services even though it claims to do so. would be curious to know what to look at on freeipa server or how to increase logging ____________ From: "Sullivan, Daniel [CRI]" <dsulliv...@bsd.uchicago.edu> To: pgb205

Re: [Freeipa-users] caching of lookups / performance problem

2017-02-01 Thread Sullivan, Daniel [CRI]
Alright cool, thank you for getting back to me. I appreciate your input and expertise. Dan > On Feb 1, 2017, at 9:08 AM, Jakub Hrozek <jhro...@redhat.com> wrote: > > On Wed, Feb 01, 2017 at 02:35:00PM +0000, Sullivan, Daniel [CRI] wrote: >> Jakub, >> >>

Re: [Freeipa-users] caching of lookups / performance problem

2017-02-01 Thread Sullivan, Daniel [CRI]
)? Based on my knowledge a user’s groups are evaluated at login so this should be a non-issue from a security standpoint. Dan > On Feb 1, 2017, at 1:55 AM, Jakub Hrozek <jhro...@redhat.com> wrote: > > On Tue, Jan 31, 2017 at 08:05:18PM +0000, Sullivan, Daniel [CRI] wrote: >>

Re: [Freeipa-users] Needs help understand this timeout issue

2017-02-01 Thread Sullivan, Daniel [CRI]
60 >> (Wed Feb 1 09:40:56 2017) [sssd[be[lx.dr.dk]]] [dp_copy_options_ex] >> (0x0400): >> Option ldap_enumeration_search_timeout has value 60 >> >> LDAP seems speedy enough, not timeouts while querying it manually while a >> client >> is doing

Re: [Freeipa-users] Needs help understand this timeout issue

2017-02-01 Thread Sullivan, Daniel [CRI]
g it manually while a > client is doing a user lookup. > > - On Jan 30, 2017, at 6:06 PM, Sullivan, Daniel [CRI] > dsulliv...@bsd.uchicago.edu wrote: > >> >> If the timeout is occurring on the server, I would start by increasing one or >> both of these

Re: [Freeipa-users] caching of lookups / performance problem

2017-01-31 Thread Sullivan, Daniel [CRI]
and allowing entry_cache_nowait_percentage to fill this function, although that seems hacky to me. Any advisement that could be provided would be greatly appreciated. Best, Dan Sullivan > On Jan 30, 2017, at 10:52 AM, Sullivan, Daniel [CRI] > <dsulliv...@bsd.uchicago.edu> wrote: >

Re: [Freeipa-users] Needs help understand this timeout issue

2017-01-30 Thread Sullivan, Daniel [CRI]
I have had to deal with the symptoms you describe, never with 730 groups though. Based on my experience doing a lookup for a user in an AD trusted domain is a resource intensive process on the server. I’d first start by taking a look at your logs to see if the lookup is failing on the server

[Freeipa-users] caching of lookups / performance problem

2017-01-30 Thread Sullivan, Daniel [CRI]
Hi, I have another question about sssd performance. I’m having a difficult time doing a regularly performant ‘ls -l’ operation against /home, a mounted NFS share of all of our users home directories. There are 667 entries in this folder, and all of them have IDs that are resolvable via

Re: [Freeipa-users] performance scaling of sssd / freeipa

2017-01-26 Thread Sullivan, Daniel [CRI]
t Bose <sb...@redhat.com> wrote: > > On Wed, Jan 25, 2017 at 10:58:34PM +, Sullivan, Daniel [CRI] wrote: >> Hi, >> >> My apologizes for resurrecting this thread. This issue is still ongoing, at >> this point we’ve been looking at it for over a week a

Re: [Freeipa-users] performance scaling of sssd / freeipa

2017-01-20 Thread Sullivan, Daniel [CRI]
reasonable and sane… And, no, winbind is not configured in nsswitch. Dan > On Jan 20, 2017, at 4:48 PM, Lukas Slebodnik <lsleb...@redhat.com> wrote: > > On (20/01/17 20:18), Sullivan, Daniel [CRI] wrote: >> Sorry to clutter people's inboxes. I found another pi

Re: [Freeipa-users] performance scaling of sssd / freeipa

2017-01-20 Thread Sullivan, Daniel [CRI]
Sorry I didn’t realize you might want all sssd logs… Working on it. Dan > On Jan 20, 2017, at 10:27 AM, Sumit Bose <sb...@redhat.com> wrote: > > On Fri, Jan 20, 2017 at 03:41:46PM +0000, Sullivan, Daniel [CRI] wrote: >> Hi, >> >> I have some more information on

Re: [Freeipa-users] performance scaling of sssd / freeipa

2017-01-20 Thread Sullivan, Daniel [CRI]
.com> wrote: > > On Fri, Jan 20, 2017 at 03:41:46PM +, Sullivan, Daniel [CRI] wrote: >> Hi, >> >> I have some more information on this issue. I’m tracing it down through the >> slapd logs and I am continuing to struggle; I was hoping that s

Re: [Freeipa-users] performance scaling of sssd / freeipa

2017-01-20 Thread Sullivan, Daniel [CRI]
he information above; I can definitely lookup the user on both domain controllers & both IPA servers only use themselves for IPA servers. Thank you so much for reading and for your help. Dan > On Jan 19, 2017, at 4:15 PM, Sullivan, Daniel [CRI] > <dsulliv...@bsd.uchicag

[Freeipa-users] performance scaling of sssd / freeipa

2017-01-19 Thread Sullivan, Daniel [CRI]
Hi, I’ve received incredibly good support from this mailing list previously; I am hoping that somebody can help me succeed in my ongoing efforts. I have spent a few days on this at this point and I can’t seem to figure it out how to address this issue. On my DCs I am seeing excessive