Re: [Freeipa-users] sssd went away, failed to restart

2016-02-23 Thread Jakub Hrozek
On Tue, Feb 23, 2016 at 08:11:58AM +0100, Harald Dunkel wrote:
> On 02/22/2016 03:51 PM, Jakub Hrozek wrote:
> > 
> > Is there anything else in the logs (/var/log/sssd/*)
> > 
> 
> Only some events after sssd went away:
> 
> srvvm01:/var/log/sssd# cat sssd.log.1
> (Sun Feb 21 18:02:21 2016) [sssd] [monitor_restart_service] (0x0010): Process 
> [nss], definitely stopped!
> 
> srvvm01:/var/log/sssd# cat sssd_nss.log.1
> (Sun Feb 21 18:02:15 2016) [sssd[nss]] [sss_dp_init] (0x0010): Failed to 
> connect to monitor services.
> (Sun Feb 21 18:02:15 2016) [sssd[nss]] [sss_process_init] (0x0010): fatal 
> error setting up backend connector
> (Sun Feb 21 18:02:15 2016) [sssd[nss]] [nss_process_init] (0x0010): 
> sss_process_init() failed
> (Sun Feb 21 18:02:17 2016) [sssd[nss]] [sss_dp_init] (0x0010): Failed to 
> connect to monitor services.
> (Sun Feb 21 18:02:17 2016) [sssd[nss]] [sss_process_init] (0x0010): fatal 
> error setting up backend connector
> (Sun Feb 21 18:02:17 2016) [sssd[nss]] [nss_process_init] (0x0010): 
> sss_process_init() failed
> (Sun Feb 21 18:02:21 2016) [sssd[nss]] [sss_dp_init] (0x0010): Failed to 
> connect to monitor services.
> (Sun Feb 21 18:02:21 2016) [sssd[nss]] [sss_process_init] (0x0010): fatal 
> error setting up backend connector
> (Sun Feb 21 18:02:21 2016) [sssd[nss]] [nss_process_init] (0x0010): 
> sss_process_init() failed

Then unfortunately I can only suggest to set a more verbose debug_level
(maybe coupled with logrotate settings to avoid flooding your disk
with logs) and monitor sssd.

Typically, this happens when the machine SSSD is running on is very
busy, the sssd_be process is blocked writing some large result from
LDAP, the monitor process considers it stuck and kills it. However, we
/should/ restart and reconnect the subprocesses.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] WARNING: Using deny rules is deprecated, the option ipa_hbac_treat_deny_as will be removed in the next upstream version

2016-02-23 Thread Harald Dunkel
Hi folks,

journalctl shows me a bazillion logfile entries:

Jan 12 20:02:04 host.example.com sssd[be[2362]: WARNING: Using deny rules is 
deprecated, the option ipa_hbac_treat_deny_as will be removed in the next 
upstream version

This makes up about 10% of the whole log.


What am I supposed to do to get rid of these messages?


Regards
Harri



Re: [Freeipa-users] WARNING: Using deny rules is deprecated, the option ipa_hbac_treat_deny_as will be removed in the next upstream version

2016-02-23 Thread Jakub Hrozek
On Tue, Feb 23, 2016 at 10:15:19AM +0100, Harald Dunkel wrote:
> Hi folks,
> 
> journalctl shows me a bazillion logfile entries:
> 
> Jan 12 20:02:04 host.example.com sssd[be[2362]: WARNING: Using deny rules is 
> deprecated, the option ipa_hbac_treat_deny_as will be removed in the next 
> upstream version
> 
> This makes up about 10% of the whole log.
> 
> 
> What am I supposed to do to get rid of these messages?

ipa_hbac_treat_deny_as = ignore

should get rid of these (and any deny rules will be ignored as an
effect, but with a recent enough IPA server, there's no way to set them
either IIRC)



Re: [Freeipa-users] sssd went away, failed to restart

2016-02-23 Thread Harald Dunkel
On 02/23/2016 10:00 AM, Jakub Hrozek wrote:
> 
> Typically, this happens when the machine SSSD is running on is very
> busy, the sssd_be process is blocked writing some large result from
> LDAP, the monitor process considers it stuck and kills it. However, we
> /should/ restart and reconnect the subprocesses.
> 

Shoot the slow horse? Sorry to say, but I doubt that this is
a reasonable approach. Can I turn off this feature?

I would like to avoid moving my mailhost back to being a NIS client,
but ypbind was never shot. Incoming emails have been lost.
What would you suggest?


Regards
Harri



Re: [Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape

2016-02-23 Thread Ludwig Krispenz


On 02/22/2016 11:51 PM, Timothy Geier wrote:
> What's the established procedure to start a 389 instance without any
> replication agreements enabled?  The only thing that seemed close on
> google
> (http://directory.fedoraproject.org/docs/389ds/howto/howto-fix-and-reset-time-skew.html)
> seems risky and couldn't be done trivially in a production environment.

No, this is about how to get out of problems when replication could no
longer synchronize its CSN time generation, either by too many
accumulated time drifts or playing with system time; hope you don't have
to go through this.

Enabling/disabling a replication agreement can be done by setting the
configuration parameter:

Look for replication agreements (entries with
objectclass=nsDS5ReplicationAgreement) and set

nsds5ReplicaEnabled: off

You can do this with an ldapmodify when the server is running or by
editing /etc/dirsrv/slapd-/dse.ldif when the server is stopped.
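The two paths Ludwig describes (edit dse.ldif while the server is stopped, or ldapmodify while it runs) both come down to finding every nsDS5ReplicationAgreement entry and setting nsds5ReplicaEnabled: off. The following is an added example, not code from the thread or from 389-ds: a small LDIF parser that does exactly that on a dse.ldif-style text and can also emit the matching ldapmodify input. SAMPLE_DSE_LDIF, the instance name and the host names in it are constructed placeholders; base64 (`::`) attribute values are not handled.

```python
"""Find and disable 389-ds replication agreements in LDIF.

Added example, not code from the thread or from 389-ds: it parses a
dse.ldif-style text, locates entries with objectclass
nsDS5ReplicationAgreement, sets nsds5ReplicaEnabled: off on each (the
stopped-server path), and can emit the ldapmodify input for the
running-server path. Base64 (::) values are not handled.
"""

# Constructed fragment in the shape of /etc/dirsrv/slapd-INSTANCE/dse.ldif;
# INSTANCE and the host names are placeholders. A raw string keeps the
# \3D / \2C escapes in the DNs literal.
SAMPLE_DSE_LDIF = r"""dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject

dn: cn=meTosrv02.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: meTosrv02.example.com
nsDS5ReplicaHost: srv02.example.com
nsds5ReplicaEnabled: on

dn: cn=meTosrv03.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5ReplicationAgreement
cn: meTosrv03.example.com
nsDS5ReplicaHost: srv03.example.com
"""


def parse_ldif(text):
    """Split LDIF into entries; each entry is an ordered list of (attr, value)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], []
    for line in unfolded:
        if not line.strip():                       # blank line ends an entry
            if current:
                entries.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.append((attr.strip(), value.strip()))
    if current:
        entries.append(current)
    return entries


def entry_dn(entry):
    return next(v for a, v in entry if a.lower() == "dn")


def is_agreement(entry):
    return any(a.lower() == "objectclass" and v.lower() == "nsds5replicationagreement"
               for a, v in entry)


def agreement_dns(entries):
    return [entry_dn(e) for e in entries if is_agreement(e)]


def disable_agreements(entries):
    """Set nsds5ReplicaEnabled: off on every agreement in place; return the DNs touched."""
    touched = []
    for entry in entries:
        if not is_agreement(entry):
            continue
        present = False
        for i, (attr, _) in enumerate(entry):
            if attr.lower() == "nsds5replicaenabled":
                entry[i] = (attr, "off")
                present = True
        if not present:                 # absent attribute means enabled, so add it
            entry.append(("nsds5ReplicaEnabled", "off"))
        touched.append(entry_dn(entry))
    return touched


def serialize_ldif(entries):
    """Write entries back out as LDIF (for the stopped-server dse.ldif edit)."""
    return "\n\n".join("\n".join("%s: %s" % (a, v) for a, v in e) for e in entries) + "\n"


def ldapmodify_ldif(dns, state="off"):
    """LDIF to feed to ldapmodify against a running server, one record per agreement."""
    records = ["dn: %s\nchangetype: modify\nreplace: nsds5ReplicaEnabled\n"
               "nsds5ReplicaEnabled: %s\n" % (dn, state) for dn in dns]
    return "\n".join(records)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_DSE_LDIF)
    print(ldapmodify_ldif(disable_agreements(entries)))
    print(serialize_ldif(entries))
```

Running it prints the ldapmodify records for the two constructed agreements followed by the rewritten LDIF; the cn=config entry is left untouched because it carries no nsDS5ReplicationAgreement objectclass.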




Re: [Freeipa-users] sssd went away, failed to restart

2016-02-23 Thread Lukas Slebodnik
On (23/02/16 10:55), Harald Dunkel wrote:
>On 02/23/2016 10:00 AM, Jakub Hrozek wrote:
>> 
>> Typically, this happens when the machine SSSD is running on is very
>> busy, the sssd_be process is blocked writing some large result from
>> LDAP, the monitor process considers it stuck and kills it. However, we
>> /should/ restart and reconnect the subprocesses.
>> 
>
>Shoot the slow horse? Sorry to say, but I doubt that this is
>a reasonable approach. Can I turn off this feature?
>
>I would like to avoid to move my mailhost back to NIS client,
>but ypbind was never shot. Incoming EMails have been lost.
>What would you suggest?
>
I would rather focus on a different thing.
Why is the sssd_be process blocked for a long time?

Do you use enumeration?
If yes, do you really need it?

A workaround might be to increase the timeout between heartbeats,
which are used to ensure that the process is alive and capable of answering
requests. The default value is 10 seconds. Doubling it should be enough
because there are by default 6 heartbeats IIRC.

LS



Re: [Freeipa-users] sssd went away, failed to restart

2016-02-23 Thread Jakub Hrozek
On Tue, Feb 23, 2016 at 10:55:18AM +0100, Harald Dunkel wrote:
> On 02/23/2016 10:00 AM, Jakub Hrozek wrote:
> > 
> > Typically, this happens when the machine SSSD is running on is very
> > busy, the sssd_be process is blocked writing some large result from
> > LDAP, the monitor process considers it stuck and kills it. However, we
> > /should/ restart and reconnect the subprocesses.
> > 
> 
> Shoot the slow horse? Sorry to say, but I doubt that this is
> a reasonable approach. Can I turn off this feature?

Well, the debug logs could have some clue, without them, I'm really just
guessing.

But in general you can increase the 'timeout' option in the
[domain] section up from the default '10'. Some users even move their
cache to tmpfs. We're also working on performance enhancements for the
next version.
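Three settings from this thread live in the same sssd.conf: the per-domain 'timeout' Jakub mentions here (the heartbeat interval Lukas describes, default 10 seconds), the more verbose debug_level Jakub asked for earlier, and the `ipa_hbac_treat_deny_as = ignore` line from the deny-rule warning thread. The script below is an added example, not code from the thread or from SSSD: it audits those options in an sssd.conf text and writes back a copy with the suggested changes applied. SAMPLE_SSSD_CONF is constructed; HEARTBEATS_BEFORE_KILL = 6 is taken from Lukas's "6 heartbeats IIRC" and is therefore an assumption, and debug_level = 6 is a value chosen here, not one given in the thread.

```python
"""Audit and adjust the sssd.conf options discussed in this thread.

Added example, not code from the thread or from SSSD: reads sssd.conf text,
reports each domain's heartbeat 'timeout', debug_level and
ipa_hbac_treat_deny_as, and returns a copy with the workarounds applied.
"""
import configparser
import io

# Constructed sssd.conf in the shape of a FreeIPA client; not taken from the thread.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_server = _srv_, ipa.example.com
ipa_hostname = srvvm01.example.com
cache_credentials = True
"""

DEFAULT_TIMEOUT = 10         # seconds between heartbeats; thread: default is '10'
HEARTBEATS_BEFORE_KILL = 6   # Lukas's "6 heartbeats IIRC"; an assumption, not a documented value


def load_sssd_conf(text):
    """Parse sssd.conf text; interpolation is off because values may contain '%'."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_file(io.StringIO(text))
    return parser


def audit_domain(section):
    """Summarize one [domain/...] section against the advice in the thread."""
    timeout = int(section.get("timeout", DEFAULT_TIMEOUT))
    deny_setting = section.get("ipa_hbac_treat_deny_as", "").strip().lower()
    findings = []
    if timeout <= DEFAULT_TIMEOUT:
        findings.append("timeout is at the default; with %d missed heartbeats the "
                        "monitor would give up after about %d s"
                        % (HEARTBEATS_BEFORE_KILL, timeout * HEARTBEATS_BEFORE_KILL))
    if "debug_level" not in section:
        findings.append("debug_level not set; raise it to capture why sssd_be stalls")
    if section.get("access_provider") == "ipa" and deny_setting != "ignore":
        findings.append("ipa_hbac_treat_deny_as is not 'ignore'; deny-rule warnings will be logged")
    return {
        "timeout": timeout,
        "seconds_before_kill": timeout * HEARTBEATS_BEFORE_KILL,
        "deny_warning_silenced": deny_setting == "ignore",
        "findings": findings,
    }


def audit(text):
    parser = load_sssd_conf(text)
    return {name: audit_domain(parser[name])
            for name in parser.sections() if name.startswith("domain/")}


def apply_workarounds(text, timeout=2 * DEFAULT_TIMEOUT, debug_level=6):
    """Return sssd.conf text with the thread's suggestions applied to every domain.

    timeout defaults to double the original (Lukas's suggestion); debug_level=6
    is a value chosen here for illustration, not one given in the thread.
    """
    parser = load_sssd_conf(text)
    for name in parser.sections():
        if not name.startswith("domain/"):
            continue
        parser[name]["timeout"] = str(timeout)
        parser[name]["debug_level"] = str(debug_level)
        if parser[name].get("access_provider") == "ipa":
            parser[name]["ipa_hbac_treat_deny_as"] = "ignore"
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for domain, report in audit(SAMPLE_SSSD_CONF).items():
        print(domain, report)
    print(apply_workarounds(SAMPLE_SSSD_CONF))
```

Raising the timeout only widens the window before the monitor acts; as both Jakub and Lukas say, the debug logs are what show why sssd_be stopped answering in the first place.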



Re: [Freeipa-users] sssd went away, failed to restart

2016-02-23 Thread Harald Dunkel
On 02/23/2016 11:58 AM, Lukas Slebodnik wrote:
> I would rather focus on different thing.
> Why is sssd_be process blocked for long time?
> 

I have no idea. Was it really blocked?

> Do you use enumeration?
> If yes do you really need it.

Nope.

> 
> A workaround might be to increase the timeout between heartbeats,
> which are used to ensure that the process is alive and capable of answering
> requests. The default value is 10 seconds. Doubling it should be enough
> because there are by default 6 heartbeats IIRC.
> 

10 seconds is surely not OK. On Unix it's not unlikely
that a job is swapped out for 20 seconds or more.
(Zabbix said that memory was fine, so this is not the
case here.)

Does it really have to be watched? Wouldn't it be the
job of systemd to restart the service when it dies?


Regards
Harri



Re: [Freeipa-users] sssd went away, failed to restart

2016-02-23 Thread Lukas Slebodnik
On (23/02/16 13:01), Harald Dunkel wrote:
>On 02/23/2016 11:58 AM, Lukas Slebodnik wrote:
>> I would rather focus on different thing.
>> Why is sssd_be process blocked for long time?
>> 
>
>I have no idea. Was it really blocked?
>
It needn't be blocked itself. But it was busy
with some non-blocking operation which the main process
considered a bad state.

Would you mind sharing sssd log files with a
high debug level?



>> Do you use enumeration?
>> If yes do you really need it.
>
>Nope.
>
>> 
>> A workaround might be to increase the timeout between heartbeats,
>> which are used to ensure that the process is alive and capable of answering
>> requests. The default value is 10 seconds. Doubling it should be enough
>> because there are by default 6 heartbeats IIRC.
>> 
>
>10 seconds is surely not OK. On Unix it's not unlikely
>that a job is swapped out for 20 seconds or more.
>(Zabbix said that memory was fine, so this is not the
>case here.)
>
>Does it really have to be watched? Wouldn't it be the
>job of systemd to restart the service when it dies?
>
sssd also works on non-systemd distributions.
We plan to rely on systemd. If you want to speed up the
process then patches are always welcome.

And moreover systemd would not solve the main issue;
we should try to find out why sssd_be did not respond for a long time.

LS



Re: [Freeipa-users] could not get zone keys for secure dynamic update

2016-02-23 Thread Winfried de Heiden

  
  
Hi all,

And so did I, following
http://www.freeipa.org/page/Troubleshooting#DNSSEC_master_is_not_configured:

ipa-dns-install --dnssec-master

The log file for this installation can be found in
/var/log/ipaserver-install.log
==
This program will setup DNS for the FreeIPA Server.

This includes:
  * Configure DNS (bind)
  * Configure SoftHSM (required by DNSSEC)
  * Configure ipa-dnskeysyncd (required by DNSSEC)
  * Configure ipa-ods-exporter (required by DNSSEC key master)
  * Configure OpenDNSSEC (required by DNSSEC key master)
  * Generate DNSSEC master key (required by DNSSEC key master)

NOTE: DNSSEC zone signing is not enabled by default

Plan carefully, replacing DNSSEC key master is not recommended


To accept the default shown in brackets, press the Enter key.

Do you want to setup this IPA server as DNSSEC key master? [no]: yes
DNSSEC signing is already enabled for following zone(s): example.com.
Installation cannot continue without the OpenDNSSEC database file
from the original DNSSEC master server.
Please use option --kasp-db to specify location of the kasp.db
file copied from the original DNSSEC master server.
WARNING: Zones will become unavailable if you do not provide the
original kasp.db file.

However, it seems like I don't have a key; that was the problem in
the first place.

Anyway, trying to continue:

bash-4.3$ ods-ksmutil zone list
zonelist filename set to /etc/opendnssec/zonelist.xml.
Cannot open destination file, will not make backup.
No zones in DB or zonelist.

Indeed, the file /etc/opendnssec/zonelist.xml is the one installed by
default, only having the unused example zones.

Also, python2
/usr/lib/python2.*/site-packages/ipapython/dnssec/localhsm.py does
not show any zone private keys.

It still looks like these are not created.

So, it still looks like DNSSEC signing is enabled, but the key is
not there.

Winny

On 22-02-16 at 16:31 Petr Spacek wrote:
> On 22.2.2016 14:02, Winfried de Heiden wrote:
>> Hi all,
>>
>> Following
>> http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work was
>> most useful. It turned out the package "freeipa-server-dns" was missing.
>> Strange, I am running DNS, but...:
>>
>>   * I upgraded from Fedora 22 to 23 including upgrading from IPA 4.1 to 4.2.
>>   * Also: I'm running this on a Bananapi "server".
>>   * There's no slave.
>>
>> Anyway, ipa dnszone-show tells DNSSEC was enabled:
>>
>>   Allow in-line DNSSEC signing: TRUE
>>
>> but most likely due to the missing freeipa-server-dns it was missing
>> dependencies as well, for example the package opendnssec was missing.
>>
>> After installing freeipa-server-dns all packages seem to be in place, but the
>> kasp.db file is empty:
>>
>> root@ipa ~]# ls -l /var/opendnssec/kasp.db
>> -rw-rw. 1 ods ods 0 Feb 22 11:29 /var/opendnssec/kasp.db
>>
>> No wonder I still get messages like "could not get zone keys".
>>
>> Shouldn't a key be added? How? (without blowing the current DNS)
>
> DNSSEC key master should do that automatically.
>
> Please continue with next steps as described on
> http://www.freeipa.org/page/Troubleshooting#DNSSEC_master_is_not_configured
> and we will see.
>
> Petr^2 Spacek
>
>> Winny
>>
>> On 22-02-16 at 11:10 Petr Spacek wrote:
>>> On 22.2.2016 09:36, Winfried de Heiden wrote:
>>>> Hi all,
>>>>
>>>> I get lots of messages in my log (journalctl -u named-pkcs11.service -p err)
>>>> like these:
>>>>
>>>> Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>>> (signed): could not get zone keys for secure dynamic update
>>>> Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>>> (signed): receive_secure_serial: not found
>>>> Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>>> (signed): could not get zone keys for secure dynamic update
>>>> Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>>> (signed): receive_secure_serial: not found
>>>> Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>>> (signed): could not get zone keys for secure dynamic update
>>>> Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
>>>> (signed): receive_secure_serial: not found
>>>>
>>>> What's going wrong here, how to fix it?
>>>
>>> Hello,
>>>
>>> this might have multiple reasons.
>>>
>>> Please walk step-by-step through following page:
>>> http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work
>>>
>>> Additional questions:
>>> * What version of FreeIPA and on what platform do you use?
>>> * Is the zone signed on DNSSEC key master or on replica? Does it work on one
>>> F

[Freeipa-users] Error setting krbpasswordexpiration using ipa user-mod

2016-02-23 Thread Karl Forner
Hello,

I tried to postpone a password expiration date, as indicated here:
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/pwd-expiration.html

% ipa user-mod myuser --setattr=krbpasswordexpiration=20170301121443Z

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'krbPasswordExpiration' attribute of entry
'uid=myuser,cn=users,cn=accounts,dc=quartzbio,dc=com'.

Is this expected ? What is the canonical way of doing this ?


Thanks,
Karl

Re: [Freeipa-users] could not get zone keys for secure dynamic update

2016-02-23 Thread Petr Spacek
On 23.2.2016 14:18, Winfried de Heiden wrote:
> Hi all,
> 
> And so did I, following 
> http://www.freeipa.org/page/Troubleshooting#DNSSEC_master_is_not_configured:
> 
> ipa-dns-install --dnssec-master
> 
> The log file for this installation can be found in 
> /var/log/ipaserver-install.log
> ==
> This program will setup DNS for the FreeIPA Server.
> 
> This includes:
>* Configure DNS (bind)
>* Configure SoftHSM (required by DNSSEC)
>* Configure ipa-dnskeysyncd (required by DNSSEC)
>* Configure ipa-ods-exporter (required by DNSSEC key master)
>* Configure OpenDNSSEC (required by DNSSEC key master)
>* Generate DNSSEC master key (required by DNSSEC key master)
> 
> NOTE: DNSSEC zone signing is not enabled by default
> 
> Plan carefully, replacing DNSSEC key master is not recommended
> 
> 
> To accept the default shown in brackets, press the Enter key.
> 
> Do you want to setup this IPA server as DNSSEC key master? [no]: yes
> DNSSEC signing is already enabled for following zone(s): example.com.
> Installation cannot continue without the OpenDNSSEC database file from the 
> original DNSSEC master server.
> Please use option --kasp-db to specify location of the kasp.db file copied 
> from 
> the original DNSSEC master server.
> WARNING: Zones will become unavailable if you do not provide the original 
> kasp.db file.
> 
> However, it seems like I don't have a key, that was the problem in the first 
> place

Right. This is a special case so you need to provide --force option to
override the check and continue with installation.

When you do that, please go through the Troubleshooting page again, hopefully
it will help.

Petr^2 Spacek


> Anyway, trying to continue:
> 
> bash-4.3$ ods-ksmutil zone list
> zonelist filename set to /etc/opendnssec/zonelist.xml.
> Cannot open destination file, will not make backup.
> No zones in DB or zonelist.
> 
> Indeed, the file /etc/opendnssec/zonelist.xml is the one installed by default,
> only having the unused example zones.
> 
> Also, python2 /usr/lib/python2.*/site-packages/ipapython/dnssec/localhsm.py 
> does 
> not show any zone private keys.
> 
> It still looks like these are not created.
> 
> So, it still looks like DNSSEC signing is enabled, but the key is not there.
> 
> Winny
> 
> On 22-02-16 at 16:31 Petr Spacek wrote:
>> On 22.2.2016 14:02, Winfried de Heiden wrote:
>>> Hi all,
>>>
>>> Following
>>> http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work was
>>> most useful. It turned out the package "freeipa-server-dns" was missing.
>>> Strange, I am running DNS, but...:
>>>
>>>   * I upgraded from Fedora 22 to 23 including upgrading from IPA 4.1 to 4.2.
>>>* Also: I'm running this on a Bananapi "server".
>>>* There's no slave.
>>>
>>>
>>> Anyway, ipa dnszone-show tells DNSSEC was enabled:
>>>
>>>
>>>  Allow in-line DNSSEC signing: TRUE
>>>
>>> but most likely due to the missing freeipa-server-dns it was missing
>>> dependencies as well, for example the package opendnssec was missing.
>>>
>>> After installing freeipa-server-dns all packages seem to be in place, but the
>>> kasp.db file is empty:
>>>
>>> root@ipa ~]# ls -l /var/opendnssec/kasp.db
>>> -rw-rw. 1 ods ods 0 Feb 22 11:29 /var/opendnssec/kasp.db
>>>
>>> No wonder I still get messages like "could not get zone keys".
>>>
>>> Shouldn't a key be added? How? (without blowing the current DNS)
>> DNSSEC key master should do that automatically.
>>
>> Please continue with next steps as described on
>> http://www.freeipa.org/page/Troubleshooting#DNSSEC_master_is_not_configured
>> and we will see.
>>
>> Petr^2 Spacek
>>
>>> Winny
>>>
>>>
>>> On 22-02-16 at 11:10 Petr Spacek wrote:
 On 22.2.2016 09:36, Winfried de Heiden wrote:
> Hi all,
>
> I get lots of messages in my log (journalctl -u named-pkcs11.service -p err)
> like these:
>
> Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN
> (signed): could not get zone keys for secure dynamic update
> Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN
> (signed): receive_secure_serial: not found
> Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
> (signed): could not get zone keys for secure dynamic update
> Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
> (signed): receive_secure_serial: not found
> Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
> (signed): could not get zone keys for secure dynamic update
> Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
> (signed): receive_secure_serial: not found
>
> What's going wrong here, how to fix it?
 Hello,

 this might have multiple reasons.

 Please walk step-by-step through following page:
 http://www.free

[Freeipa-users] lock table errors

2016-02-23 Thread Andy Thompson
Came across one of my replicas this morning with the following in the error log

[20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of available 
lock entries
[20/Feb/2016:17:23:38 -0500] entryrdn-index - _entryrdn_delete_key: Deleting C1 
failed; Cannot allocate memory(12)
[20/Feb/2016:17:23:38 -0500] - database index operation failed BAD 1031, err=12 
Cannot allocate memory
[20/Feb/2016:17:23:38 -0500] - 
index_del_entry(changenumber=1328662,cn=changelog, 0x26) failed (12)
[20/Feb/2016:17:23:38 -0500] DSRetroclPlugin - delete_changerecord: could not 
delete change record 1328662 (rc: 1)
[20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of available 
lock entries
[20/Feb/2016:17:23:38 -0500] entryrdn-index - _entryrdn_get_elem: Failed to 
position cursor at the key: 1328666: Cannot allocate memory(12)
[20/Feb/2016:17:23:38 -0500] entryrdn-index - _entryrdn_delete_key: Failed to 
position cursor at the key: 1328666: Cannot allocate memory(12)
[20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of available 
lock entries
[20/Feb/2016:17:23:38 -0500] - database index operation failed BAD 1031, err=12 
Cannot allocate memory
[20/Feb/2016:17:23:38 -0500] - 
index_del_entry(changenumber=1328663,cn=changelog, 0x26) failed (12)
[20/Feb/2016:17:23:38 -0500] NSMMReplicationPlugin - changelog program - 
_cl5CompactDBs: failed to compact 5f1d2b12-cf1411e4-b055ba8a-f4b484f7; db error 
- 12 Cannot allocate memory
[20/Feb/2016:17:23:38 -0500] DSRetroclPlugin - delete_changerecord: could not 
delete change record 1328663 (rc: 1)
[20/Feb/2016:17:23:41 -0500] ldbm_back_delete - conn=0 op=0 [retry: 1] No 
original_tombstone for changenumber=1330335,cn=changelog!!

And then nothing.  Was troubleshooting some clients that were having issues 
resolving some trusted domain users.

I restarted IPA and it rolled through a few thousand missing change records

23/Feb/2016:08:39:34 -0500] DSRetroclPlugin - delete_changerecord: could not 
delete change record 1328696 (rc: 32)

Any thoughts as to what might have caused the lock table errors?

Thanks

-andy



*** This communication may contain privileged and/or confidential information. 
It is intended solely for the use of the addressee. If you are not the intended 
recipient, you are strictly prohibited from disclosing, copying, distributing 
or using any of this information. If you received this communication in error, 
please contact the sender immediately and destroy the material in its entirety, 
whether electronic or hard copy. ***




Re: [Freeipa-users] Error setting krbpasswordexpiration using ipa user-mod

2016-02-23 Thread Karl Forner
I forgot to say that I did a "kinit admin" before the  ipa user-mod.

On Tue, Feb 23, 2016 at 2:31 PM, Karl Forner  wrote:

> Hello,
>
> I tried to postpone a password expiration date, as indicated here:
>
> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/pwd-expiration.html
>
> % ipa user-mod myuser --setattr=krbpasswordexpiration=20170301121443Z
>
> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
> 'krbPasswordExpiration' attribute of entry
> 'uid=myuser,cn=users,cn=accounts,dc=quartzbio,dc=com'.
>
> Is this expected ? What is the canonical way of doing this ?
>
>
> Thanks,
> Karl
>

Re: [Freeipa-users] lock table errors

2016-02-23 Thread Ludwig Krispenz


On 02/23/2016 03:02 PM, Andy Thompson wrote:
> Came across one of my replicas this morning with the following in the error log
>
> [20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of available
> lock entries
> [20/Feb/2016:17:23:38 -0500] entryrdn-index - _entryrdn_delete_key: Deleting C1
> failed; Cannot allocate memory(12)
> [20/Feb/2016:17:23:38 -0500] - database index operation failed BAD 1031, err=12
> Cannot allocate memory
> [20/Feb/2016:17:23:38 -0500] -
> index_del_entry(changenumber=1328662,cn=changelog, 0x26) failed (12)
> [20/Feb/2016:17:23:38 -0500] DSRetroclPlugin - delete_changerecord: could not
> delete change record 1328662 (rc: 1)
> [20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of available
> lock entries
> [20/Feb/2016:17:23:38 -0500] entryrdn-index - _entryrdn_get_elem: Failed to
> position cursor at the key: 1328666: Cannot allocate memory(12)
> [20/Feb/2016:17:23:38 -0500] entryrdn-index - _entryrdn_delete_key: Failed to
> position cursor at the key: 1328666: Cannot allocate memory(12)
> [20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of available
> lock entries
> [20/Feb/2016:17:23:38 -0500] - database index operation failed BAD 1031, err=12
> Cannot allocate memory
> [20/Feb/2016:17:23:38 -0500] -
> index_del_entry(changenumber=1328663,cn=changelog, 0x26) failed (12)
> [20/Feb/2016:17:23:38 -0500] NSMMReplicationPlugin - changelog program -
> _cl5CompactDBs: failed to compact 5f1d2b12-cf1411e4-b055ba8a-f4b484f7; db error
> - 12 Cannot allocate memory
> [20/Feb/2016:17:23:38 -0500] DSRetroclPlugin - delete_changerecord: could not
> delete change record 1328663 (rc: 1)
> [20/Feb/2016:17:23:41 -0500] ldbm_back_delete - conn=0 op=0 [retry: 1] No
> original_tombstone for changenumber=1330335,cn=changelog!!
>
> And then nothing.  Was troubleshooting some clients that were having issues
> resolving some trusted domain users.
>
> I restarted IPA and it rolled through a few thousand missing change records
>
> 23/Feb/2016:08:39:34 -0500] DSRetroclPlugin - delete_changerecord: could not
> delete change record 1328696 (rc: 32)
>
> Any thoughts as to what might have caused the lock table errors?

In BerkeleyDB this means that the number of pages which would have to be
locked in one transaction exceeds the configured number of locks. This
could happen if e.g. a large group is deleted and for each member of the
group inside the same transaction the memberof attribute has to be modified.

> Thanks
>
> -andy
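Ludwig's explanation tells you what the BDB2055 line means; the more useful operational question is spotting it early and knowing which changelog records it took down with it. The script below is an added example, not code from the thread or from 389-ds: it walks errors-log lines, counts lock-table exhaustion events with their time window, and collects the retro changelog records whose deletion failed, splitting off rc 32 (LDAP result code 32 is noSuchObject, which matches Andy's "missing change records" after the restart). SAMPLE_ERRORS_LOG is constructed after the lines Andy posted; the function and key names are this example's own.

```python
"""Scan a 389-ds errors log for BerkeleyDB lock-table exhaustion (BDB2055).

Added example, not code from the thread or from 389-ds. The sample log is
constructed after the lines quoted in this thread.
"""
import re

SAMPLE_ERRORS_LOG = """\
[20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of available lock entries
[20/Feb/2016:17:23:38 -0500] entryrdn-index - _entryrdn_delete_key: Deleting C1 failed; Cannot allocate memory(12)
[20/Feb/2016:17:23:38 -0500] - database index operation failed BAD 1031, err=12 Cannot allocate memory
[20/Feb/2016:17:23:38 -0500] - index_del_entry(changenumber=1328662,cn=changelog, 0x26) failed (12)
[20/Feb/2016:17:23:38 -0500] DSRetroclPlugin - delete_changerecord: could not delete change record 1328662 (rc: 1)
[20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of available lock entries
[20/Feb/2016:17:23:38 -0500] - index_del_entry(changenumber=1328663,cn=changelog, 0x26) failed (12)
[20/Feb/2016:17:23:38 -0500] DSRetroclPlugin - delete_changerecord: could not delete change record 1328663 (rc: 1)
[23/Feb/2016:08:39:34 -0500] DSRetroclPlugin - delete_changerecord: could not delete change record 1328696 (rc: 32)
[23/Feb/2016:08:39:34 -0500] DSRetroclPlugin - delete_changerecord: could not delete change record 1328697 (rc: 32)
"""

# "[timestamp] rest of message"
LINE_RE = re.compile(r"^\[([^\]]+)\]\s*(.*)$")
CHANGEREC_RE = re.compile(r"could not delete change record (\d+) \(rc: (\d+)\)")
LDAP_NO_SUCH_OBJECT = 32


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": m.group(1), "msg": m.group(2)}


def summarize(log_text):
    """Count lock-table events and collect the changelog records that failed to delete."""
    summary = {
        "lock_table_events": 0,
        "first_lock_event": None,
        "last_lock_event": None,
        "enomem_lines": 0,           # ENOMEM(12) lines, the symptom that follows BDB2055
        "records_failed": [],        # delete_changerecord failures other than noSuchObject
        "records_already_gone": [],  # rc 32: the record no longer existed
    }
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if "BDB2055" in msg:
            summary["lock_table_events"] += 1
            summary["first_lock_event"] = summary["first_lock_event"] or rec["ts"]
            summary["last_lock_event"] = rec["ts"]
        if "Cannot allocate memory" in msg:
            summary["enomem_lines"] += 1
        m = CHANGEREC_RE.search(msg)
        if m:
            number, rc = int(m.group(1)), int(m.group(2))
            key = "records_already_gone" if rc == LDAP_NO_SUCH_OBJECT else "records_failed"
            summary[key].append(number)
    return summary


def needs_attention(summary):
    """True when lock exhaustion was seen: the replica may have stopped applying changes."""
    return summary["lock_table_events"] > 0


if __name__ == "__main__":
    print(summarize(SAMPLE_ERRORS_LOG))
```

Pointed at a real errors log, the time window of the BDB2055 events is what you correlate with the operation that ran at that moment (Ludwig's example of a large group deletion), and the records_failed list tells you which changelog entries the retro changelog plugin never managed to clean up.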









Re: [Freeipa-users] lock table errors

2016-02-23 Thread Andy Thompson
> -Original Message-
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> boun...@redhat.com] On Behalf Of Ludwig Krispenz
> Sent: Tuesday, February 23, 2016 9:31 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] lock table errors
> 
> 
> On 02/23/2016 03:02 PM, Andy Thompson wrote:
> > Came across one of my replicas this morning with the following in the
> > error log
> >
> > [20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of
> > available lock entries
> > [20/Feb/2016:17:23:38 -0500] entryrdn-index - _entryrdn_delete_key:
> > Deleting C1 failed; Cannot allocate memory(12)
> > [20/Feb/2016:17:23:38 -0500] - database index operation failed BAD
> > 1031, err=12 Cannot allocate memory
> > [20/Feb/2016:17:23:38 -0500] -
> > index_del_entry(changenumber=1328662,cn=changelog, 0x26) failed (12)
> > [20/Feb/2016:17:23:38 -0500] DSRetroclPlugin - delete_changerecord:
> > could not delete change record 1328662 (rc: 1)
> > [20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of
> > available lock entries
> > [20/Feb/2016:17:23:38 -0500] entryrdn-index - _entryrdn_get_elem:
> > Failed to position cursor at the key: 1328666: Cannot allocate
> > memory(12)
> > [20/Feb/2016:17:23:38 -0500] entryrdn-index - _entryrdn_delete_key:
> > Failed to position cursor at the key: 1328666: Cannot allocate
> > memory(12)
> > [20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of
> > available lock entries
> > [20/Feb/2016:17:23:38 -0500] - database index operation failed BAD
> > 1031, err=12 Cannot allocate memory
> > [20/Feb/2016:17:23:38 -0500] -
> > index_del_entry(changenumber=1328663,cn=changelog, 0x26) failed (12)
> > [20/Feb/2016:17:23:38 -0500] NSMMReplicationPlugin - changelog program
> > - _cl5CompactDBs: failed to compact
> > 5f1d2b12-cf1411e4-b055ba8a-f4b484f7; db error - 12 Cannot allocate
> > memory
> > [20/Feb/2016:17:23:38 -0500] DSRetroclPlugin - delete_changerecord:
> > could not delete change record 1328663 (rc: 1)
> > [20/Feb/2016:17:23:41 -0500] ldbm_back_delete - conn=0 op=0 [retry: 1]
> No original_tombstone for changenumber=1330335,cn=changelog!!
> >
> > And then nothing.  Was troubleshooting some clients that were having
> issues resolving some trusted domain users.
> >
> > I restarted IPA and it rolled through a few thousand missing change
> > records
> >
> > 23/Feb/2016:08:39:34 -0500] DSRetroclPlugin - delete_changerecord:
> > could not delete change record 1328696 (rc: 32)
> >
> > Any thoughts as to what might have caused the lock table errors?
> in BerkeleyDB this means that the number of pages which would have to be
> locked in one transaction exceeds the configured number of locks. This could
> happen if eg a large group is deleted and for each member of the group
> inside the same transaction the memberof attribute has to be modified
> >


Are there any configuration options to increase that setting?  And would it 
have caused the replica to become unresponsive?



Re: [Freeipa-users] Upgrading from 3.0.0 CentOS6 to 4.2.3 CentOS7

2016-02-23 Thread Endi Sukma Dewata

On 1/28/2016 2:45 PM, Endi Sukma Dewata wrote:
> Hi,
>
> If you're cloning from an IPA running on RHEL/CentOS 6 with CA signed by
> another CA you are likely hitting this issue:
> https://bugzilla.redhat.com/show_bug.cgi?id=1291747
>
> The bug has been fixed in this package: pki-ca-9.0.3-45. You'll need to install
> it on the master, then restart the server, then try cloning again.
>
> The latest PKI available on RHEL/CentOS 7 is version 10.2.5, but it's patched
> with relevant bug fixes from newer versions.
>
> If you're still having a problem, try enabling the debug log on the master and
> clone by setting the following property in CS.cfg:
> debug.level=1
>
> See also: http://pki.fedoraproject.org/wiki/PKI_Server_Logs
>
> --
> Endi S. Dewata


Just a note, I believe the fix is already available on CentOS 6:
http://mirror.centos.org/centos/6.7/updates/x86_64/Packages/

--
Endi S. Dewata



[Freeipa-users] server installation but client part fails

2016-02-23 Thread lejeczek

hi everybody

I'm trying server installation but it fails, I think very 
last leg, and I was hoping you could suggest places which I 
should start looking at.


  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service 
(ipa-dnskeysyncd).

Restarting ipa-dnskeysyncd
Restarting named
Restarting the web server
ipa.ipapython.install.cli.install_tool(Server): ERROR 
Configuration of client side components failed!
ipa-client-install returned: Command 
''/usr/sbin/ipa-client-install' '--on-master' '--unattended' 
'--domain' '.private.my.private' '--server' 
'.private.my.private' '--realm' 'PRIVATE.MY.PRIVATE' 
'--hostname' '.private.my.private'' returned non-zero exit 
status 1


many thanks



Re: [Freeipa-users] could not get zone keys for secure dynamic update

2016-02-23 Thread Winfried de Heiden

Hi all,

ipa-dns-install --dnssec-master --force did the trick, this is
looking much better. I'll do some more tests later. For now, thanks
a lot!

Winny

On 23-02-16 at 14:52, Petr Spacek wrote:


On 23.2.2016 14:18, Winfried de Heiden wrote:

Hi all,

And so did I, following 
http://www.freeipa.org/page/Troubleshooting#DNSSEC_master_is_not_configured:

ipa-dns-install --dnssec-master

The log file for this installation can be found in /var/log/ipaserver-install.log
==
This program will setup DNS for the FreeIPA Server.

This includes:
   * Configure DNS (bind)
   * Configure SoftHSM (required by DNSSEC)
   * Configure ipa-dnskeysyncd (required by DNSSEC)
   * Configure ipa-ods-exporter (required by DNSSEC key master)
   * Configure OpenDNSSEC (required by DNSSEC key master)
   * Generate DNSSEC master key (required by DNSSEC key master)

NOTE: DNSSEC zone signing is not enabled by default

Plan carefully, replacing DNSSEC key master is not recommended


To accept the default shown in brackets, press the Enter key.

Do you want to setup this IPA server as DNSSEC key master? [no]: yes
DNSSEC signing is already enabled for following zone(s): example.com.
Installation cannot continue without the OpenDNSSEC database file from the 
original DNSSEC master server.
Please use option --kasp-db to specify location of the kasp.db file copied from 
the original DNSSEC master server.
WARNING: Zones will become unavailable if you do not provide the original 
kasp.db file.

However, it seems like I don't have a key, that was the problem in the first
place

Right. This is a special case so you need to provide --force option to
override the check and continue with installation.

When you do that, please go through the Troubleshooting page again, hopefully
it will help.

Petr^2 Spacek


Anyway, trying to continue:

bash-4.3$ ods-ksmutil zone list
zonelist filename set to /etc/opendnssec/zonelist.xml.
Cannot open destination file, will not make backup.
No zones in DB or zonelist.

Indeed, the file /etc/opendnssec/zonelist.xml is the one installed by default, only 
having the unused example zones.

Also, python2 /usr/lib/python2.*/site-packages/ipapython/dnssec/localhsm.py does 
not show any zone private keys.

It still looks like these are not created.

So, it still looks like DNSSEC signing is enabled, but the key is not there.

Winny

On 22-02-16 at 16:31, Petr Spacek wrote:


On 22.2.2016 14:02, Winfried de Heiden wrote:

Hi all,

Following
http://www.freeipa.org/page/Troubleshooting#DNSSEC_signing_does_not_work was
most useful. It turned out the package "freeipa-server-dns" was missing.
Strange, I am running DNS, but...:

   * I upgraded from Fedora 22 to 23 including upgrading from IPA 4.1 to 4.2.
   * Also: I'm running this on a Bananapi "server".
   * There's no slave.


Anyway, ipa dnszone-show tells DNSSEC was enabled:


 Allow in-line DNSSEC signing: TRUE

but most likely due to the missing freeipa-server-dns it was missing
dependencies as well, for example the package opendnssec was missing.

After installing freeipa-server-dns all packages seem to be in place, but the
kasp.db file is empty:

[root@ipa ~]# ls -l /var/opendnssec/kasp.db
-rw-rw. 1 ods ods 0 Feb 22 11:29 /var/opendnssec/kasp.db

No wonder I still get messages like "could not get zone keys".

Shouldn't a key be added? How? (without blowing the current DNS)

DNSSEC key master should do that automatically.

Please continue with next steps as described on
http://www.freeipa.org/page/Troubleshooting#DNSSEC_master_is_not_configured
and we will see.

Petr^2 Spacek


Winny


On 22-02-16 at 11:10, Petr Spacek wrote:


On 22.2.2016 09:36, Winfried de Heiden wrote:

Hi all,

I get lots of messages in my log (journalctl -u named-pkcs11.service -p err)
like these:

Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN
(signed): could not get zone keys for secure dynamic update
Feb 22 09:17:32 ipa.example.com named-pkcs11[8982]: zone example.com/IN
(signed): receive_secure_serial: not found
Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
(signed): could not get zone keys for secure dynamic update
Feb 22 09:19:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
(signed): receive_secure_serial: not found
Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
(signed): could not get zone keys for secure dynamic update
Feb 22 09:20:06 ipa.example.com named-pkcs11[8982]: zone example.com/IN
(signed): receive_secure_serial: not found

What's going wrong here, how to fix it?

Hello,

this might have multip
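The thread above turns on three observable facts: an empty /var/opendnssec/kasp.db, a zonelist.xml with no real zones, and "could not get zone keys" errors from named-pkcs11. The following read-only health check, added here and not part of the thread or of FreeIPA, turns those into a script a key master can be checked against. The file paths and the named-pkcs11.service unit are the ones quoted in the thread; the zonelist layout (one `<Zone name="...">` element per zone) is OpenDNSSEC's and is assumed, as is `journalctl --since today`.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): health check for a FreeIPA DNSSEC key master.
# Paths and the journal unit come from the thread; the zonelist.xml element layout
# is assumed from OpenDNSSEC's format.

# zones_in_zonelist FILE: number of <Zone name="..."> elements in a zonelist.xml
# (prints 0 for a missing file or the stock example-only file once those are removed).
zones_in_zonelist() {
  grep -Ec '<Zone[[:space:]]+name=' "$1" 2>/dev/null || true
}

# kasp_db_populated FILE: succeed only if the OpenDNSSEC database is non-empty.
# A zero-byte file is exactly the state shown in the thread ("-rw-rw. 1 ods ods 0 ...").
kasp_db_populated() {
  [ -s "$1" ]
}

# zone_key_errors: count "could not get zone keys" lines in journal output read from stdin.
zone_key_errors() {
  grep -c 'could not get zone keys for secure dynamic update' || true
}

# dnssec_master_check [KASP_DB] [ZONELIST]: one status line per check, exit 1 on any failure.
dnssec_master_check() {
  local kasp="${1:-/var/opendnssec/kasp.db}" zl="${2:-/etc/opendnssec/zonelist.xml}" rc=0
  local n errs

  if kasp_db_populated "$kasp"; then
    echo "ok: $kasp is non-empty"
  else
    echo "FAIL: $kasp is empty or missing (no DNSSEC master key present)"; rc=1
  fi

  n=$(zones_in_zonelist "$zl"); n=${n:-0}
  if [ "$n" -gt 0 ]; then
    echo "ok: $zl lists $n zone(s)"
  else
    echo "FAIL: $zl lists no zones (ods-ksmutil zone list reports 'No zones in DB or zonelist.')"; rc=1
  fi

  # journalctl is absent on the test host; an empty pipe simply yields a count of 0.
  errs=$(journalctl -u named-pkcs11.service -p err --since today 2>/dev/null | zone_key_errors)
  if [ "${errs:-0}" -gt 0 ]; then
    echo "FAIL: $errs 'could not get zone keys' errors in today's journal"; rc=1
  else
    echo "ok: no 'could not get zone keys' errors today"
  fi
  return $rc
}

# Usage on the key master:  dnssec_master_check
```

Run it before and after `ipa-dns-install --dnssec-master --force`: all three lines should flip from FAIL to ok once the key has been generated and named-pkcs11 has been restarted.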

Re: [Freeipa-users] server installation but client part fails

2016-02-23 Thread Rob Crittenden
lejeczek wrote:
> hi everybody
> 
> I'm trying server installation but it fails, I think very last leg, and
> I was hoping you could suggest places which I should start looking at.
> 
>   [7/7]: configuring ipa-dnskeysyncd to start on boot
> Done configuring DNS key synchronization service (ipa-dnskeysyncd).
> Restarting ipa-dnskeysyncd
> Restarting named
> Restarting the web server
> ipa.ipapython.install.cli.install_tool(Server): ERROR Configuration of
> client side components failed!
> ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
> '--on-master' '--unattended' '--domain' '.private.my.private' '--server'
> '.private.my.private' '--realm' 'PRIVATE.MY.PRIVATE' '--hostname'
> '.private.my.private'' returned non-zero exit status 1
> 
> many thanks
> 

Look in /var/log/ipaserver-install.log and
/var/log/ipaclient-install.log for a more detailed reason.

rob



Re: [Freeipa-users] Error setting krbpasswordexpiration using ipa user-mod

2016-02-23 Thread Rob Crittenden
Karl Forner wrote:
> I forgot to say that I did a "kinit admin" before the  ipa user-mod.
> 
> On Tue, Feb 23, 2016 at 2:31 PM, Karl Forner wrote:
> 
> Hello,
> 
> I tried to postpone a password expiration date, as indicated here:
> 
> https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/pwd-expiration.html
> 
> % ipa user-mod myuser --setattr=krbpasswordexpiration=20170301121443Z
> 
> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to
> the 'krbPasswordExpiration' attribute of entry
> 'uid=myuser,cn=users,cn=accounts,dc=quartzbio,dc=com'.
> 
> Is this expected? What is the canonical way of doing this?

The docs you are referring to are quite old: 5 full Fedora releases,
several IPA releases.

To fix you'd need to add a new ACI that grants write access to this
attribute in the user container.

You can either do this via the permission/privilege/role route and add
the admins group to the new role, or you can directly add an ACI (more
direct but also less supportable and error-prone).

rob

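Rob's recommended route, the permission/privilege/role chain, written out as an added example (this is not code from the thread or from FreeIPA). The `ipa` subcommands and their options are the real CLI; the names given to the permission, privilege and role are made up for the example, and `valid_gentime` is a small shape check on the GeneralizedTime value so that a typo is rejected before `ipa user-mod` is called.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): delegate write access to krbPasswordExpiration
# through a permission, a privilege and a role, then use it to postpone an expiration.
# The three names below are assumed for the example.

PERM="Write User Password Expiration"
PRIV="Password Expiration Administrators"
ROLE="Password Expiration Administrator"

# valid_gentime VALUE: shape check for an LDAP GeneralizedTime in the form YYYYMMDDhhmmssZ,
# e.g. 20170301121443Z (the form used in the thread).  Only the digit ranges are checked.
valid_gentime() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-1][0-9][0-3][0-9][0-2][0-9][0-5][0-9][0-5][0-9]Z) return 0 ;;
    *) return 1 ;;
  esac
}

# create_delegation: run once with an admin ticket (kinit admin).  Grants the admins
# group, via the new role, write access to krbpasswordexpiration on user entries only.
create_delegation() {
  ipa permission-add "$PERM" --type=user --right=write --attrs=krbpasswordexpiration
  ipa privilege-add "$PRIV" --desc="Can postpone user password expiration"
  ipa privilege-add-permission "$PRIV" --permissions="$PERM"
  ipa role-add "$ROLE"
  ipa role-add-privilege "$ROLE" --privileges="$PRIV"
  ipa role-add-member "$ROLE" --groups=admins
}

# set_expiration USER GENTIME: the user-mod call from the thread, guarded by the shape check.
set_expiration() {
  local user="$1" when="$2"
  if ! valid_gentime "$when"; then
    echo "refusing to set krbpasswordexpiration=$when: expected YYYYMMDDhhmmssZ" >&2
    return 2
  fi
  ipa user-mod "$user" --setattr="krbpasswordexpiration=$when"
}

# Usage (with a valid admin ticket):
#   create_delegation
#   set_expiration myuser 20170301121443Z
```

Scoping the permission with `--type=user` keeps the grant inside the user container Rob mentions rather than the whole tree, and going through a role means the grant shows up in `ipa role-show` and can be revoked in one step instead of hunting for a hand-written ACI.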


Re: [Freeipa-users] lock table errors

2016-02-23 Thread Ludwig Krispenz


On 02/23/2016 03:43 PM, Andy Thompson wrote:

-Original Message-
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
boun...@redhat.com] On Behalf Of Ludwig Krispenz
Sent: Tuesday, February 23, 2016 9:31 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] lock table errors


On 02/23/2016 03:02 PM, Andy Thompson wrote:

Came across one of my replicas this morning with the following in the
error log

[20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of
available lock entries
[20/Feb/2016:17:23:38 -0500] entryrdn-index - _entryrdn_delete_key:
Deleting C1 failed; Cannot allocate memory(12)
[20/Feb/2016:17:23:38 -0500] - database index operation failed BAD
1031, err=12 Cannot allocate memory
[20/Feb/2016:17:23:38 -0500] -
index_del_entry(changenumber=1328662,cn=changelog, 0x26) failed (12)
[20/Feb/2016:17:23:38 -0500] DSRetroclPlugin - delete_changerecord:
could not delete change record 1328662 (rc: 1)
[20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of
available lock entries
[20/Feb/2016:17:23:38 -0500] entryrdn-index - _entryrdn_get_elem:
Failed to position cursor at the key: 1328666: Cannot allocate
memory(12)
[20/Feb/2016:17:23:38 -0500] entryrdn-index - _entryrdn_delete_key:
Failed to position cursor at the key: 1328666: Cannot allocate
memory(12)
[20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of
available lock entries
[20/Feb/2016:17:23:38 -0500] - database index operation failed BAD
1031, err=12 Cannot allocate memory
[20/Feb/2016:17:23:38 -0500] -
index_del_entry(changenumber=1328663,cn=changelog, 0x26) failed (12)
[20/Feb/2016:17:23:38 -0500] NSMMReplicationPlugin - changelog program
- _cl5CompactDBs: failed to compact
5f1d2b12-cf1411e4-b055ba8a-f4b484f7; db error - 12 Cannot allocate
memory
[20/Feb/2016:17:23:38 -0500] DSRetroclPlugin - delete_changerecord:
could not delete change record 1328663 (rc: 1)
[20/Feb/2016:17:23:41 -0500] ldbm_back_delete - conn=0 op=0 [retry: 1]

No original_tombstone for changenumber=1330335,cn=changelog!!

And then nothing.  Was troubleshooting some clients that were having

issues resolving some trusted domain users.

I restarted IPA and it rolled through a few thousand missing change
records

23/Feb/2016:08:39:34 -0500] DSRetroclPlugin - delete_changerecord:
could not delete change record 1328696 (rc: 32)

Any thoughts as to what might have caused the lock table errors?

in BerkeleyDB this means that the number of pages which would have to be
locked in one transaction exceeds the configured number of locks. This could
happen if eg a large group is deleted and for each member of the group
inside the same transaction the memberof attribute has to be modified


Are there any configuration options to increase that setting?  And would it 
have caused the replica to become unresponsive?

you can change

nsslapd-db-locks

in the entry:

dn: cn=config,cn=ldbm database,cn=plugins,cn=config

Yes. In that state it would not process updates; the txn should be 
finally aborted and the system should recover, but ..




Re: [Freeipa-users] IPA 4.2: pki-tomcatd in terrible shape

2016-02-23 Thread Rob Crittenden
Ludwig Krispenz wrote:
> The crash is an abort because of a failed assertion in  the kerberos code
> 
> Thread 1 (Thread 0x7fa7d4c88700 (LWP 3125)):
> #0  0x7fa7e6ace5f7 in raise () from /lib64/libc.so.6
> No symbol table info available.
> #1  0x7fa7e6acfce8 in abort () from /lib64/libc.so.6
> No symbol table info available.
> #2  0x7fa7e6ac7566 in __assert_fail_base () from /lib64/libc.so.6
> No symbol table info available.
> #3  0x7fa7e6ac7612 in __assert_fail () from /lib64/libc.so.6
> No symbol table info available.
> #4  0x7fa7e8d71b83 in k5_mutex_lock.part.1 () from /lib64/libkrb5.so.3
> No symbol table info available.
> #5  0x7fa7e8d7bda1 in k5_cc_mutex_lock () from /lib64/libkrb5.so.3
> No symbol table info available.
> #6  0x7fa7e8d851bf in krb5_mcc_store () from /lib64/libkrb5.so.3
> No symbol table info available.
> #7  0x7fa7e8d88070 in krb5_cc_store_cred () from /lib64/libkrb5.so.3
> No symbol table info available.
> #8  0x7fa7e8d98be3 in complete () from /lib64/libkrb5.so.3
> No symbol table info available.
> #9  0x7fa7e8d99ba1 in krb5_tkt_creds_step () from /lib64/libkrb5.so.3
> No symbol table info available.
> #10 0x7fa7e8d9a637 in krb5_tkt_creds_get () from /lib64/libkrb5.so.3
> No symbol table info available.
> #11 0x7fa7e8d9a75c in krb5_get_credentials () from /lib64/libkrb5.so.3
> No symbol table info available.
> #12 0x7fa7e0f6736a in krb5_gss_init_sec_context_ext () from
> /lib64/libgssapi_krb5.so.2
> No symbol table info available.
> #13 0x7fa7e0f67c97 in krb5_gss_init_sec_context () from
> /lib64/libgssapi_krb5.so.2
> No symbol table info available.
> #14 0x7fa7e0f516ab in gss_init_sec_context () from
> /lib64/libgssapi_krb5.so.2
> No symbol table info available.
> #15 0x7fa7e118ac44 in gssapi_client_mech_step () from
> /usr/lib64/sasl2/libgssapiv2.so
> No symbol table info available.
> #16 0x7fa7e72847f5 in sasl_client_step () from /lib64/libsasl2.so.3
> No symbol table info available.
> #17 0x7fa7e7284b76 in sasl_client_start () from /lib64/libsasl2.so.3
> No symbol table info available.
> #18 0x7fa7e8475e73 in ldap_int_sasl_bind () from
> /lib64/libldap_r-2.4.so.2
> No symbol table info available.
> #19 0x7fa7e8479492 in ldap_sasl_interactive_bind () from
> /lib64/libldap_r-2.4.so.2
> No symbol table info available.
> #20 0x7fa7e84796bd in ldap_sasl_interactive_bind_s () from
> /lib64/libldap_r-2.4.so.2
> 
> Directory server tries to open a replication connection using GSSAPI. I
> don't know which assertion fails in krb, but
> - could you try with the replication agreement disabled ?
> - Rob, you have been discussing renewals of keytabs, would we have to
> renew the ds.keytab ?

This is in the context of renewing certificates, not keytabs.

I guess installing the krb5 debuginfo might give more details on where
it is crashing.

rob



Re: [Freeipa-users] lock table errors

2016-02-23 Thread Andy Thompson
> >> On 02/23/2016 03:02 PM, Andy Thompson wrote:
> >>> Came across one of my replicas this morning with the following in
> >>> the error log
> >>>
> >>> [20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of
> >>> available lock entries
> >>> [20/Feb/2016:17:23:38 -0500] entryrdn-index - _entryrdn_delete_key:
> >>> Deleting C1 failed; Cannot allocate memory(12)
> >>> [20/Feb/2016:17:23:38 -0500] - database index operation failed BAD
> >>> 1031, err=12 Cannot allocate memory
> >>> [20/Feb/2016:17:23:38 -0500] -
> >>> index_del_entry(changenumber=1328662,cn=changelog, 0x26) failed
> (12)
> >>> [20/Feb/2016:17:23:38 -0500] DSRetroclPlugin - delete_changerecord:
> >>> could not delete change record 1328662 (rc: 1)
> >>> [20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of
> >>> available lock entries
> >>> [20/Feb/2016:17:23:38 -0500] entryrdn-index - _entryrdn_get_elem:
> >>> Failed to position cursor at the key: 1328666: Cannot allocate
> >>> memory(12)
> >>> [20/Feb/2016:17:23:38 -0500] entryrdn-index - _entryrdn_delete_key:
> >>> Failed to position cursor at the key: 1328666: Cannot allocate
> >>> memory(12)
> >>> [20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of
> >>> available lock entries
> >>> [20/Feb/2016:17:23:38 -0500] - database index operation failed BAD
> >>> 1031, err=12 Cannot allocate memory
> >>> [20/Feb/2016:17:23:38 -0500] -
> >>> index_del_entry(changenumber=1328663,cn=changelog, 0x26) failed
> (12)
> >>> [20/Feb/2016:17:23:38 -0500] NSMMReplicationPlugin - changelog
> >>> program
> >>> - _cl5CompactDBs: failed to compact
> >>> 5f1d2b12-cf1411e4-b055ba8a-f4b484f7; db error - 12 Cannot allocate
> >>> memory
> >>> [20/Feb/2016:17:23:38 -0500] DSRetroclPlugin - delete_changerecord:
> >>> could not delete change record 1328663 (rc: 1)
> >>> [20/Feb/2016:17:23:41 -0500] ldbm_back_delete - conn=0 op=0 [retry:
> >>> 1]
> >> No original_tombstone for changenumber=1330335,cn=changelog!!
> >>> And then nothing.  Was troubleshooting some clients that were having
> >> issues resolving some trusted domain users.
> >>> I restarted IPA and it rolled through a few thousand missing change
> >>> records
> >>>
> >>> 23/Feb/2016:08:39:34 -0500] DSRetroclPlugin - delete_changerecord:
> >>> could not delete change record 1328696 (rc: 32)
> >>>
> >>> Any thoughts as to what might have caused the lock table errors?
> >> in BerkeleyDB this means that the number of pages which would have to
> >> be locked in one transaction exceeds the configured number of locks.
> >> This could happen if eg a large group is deleted and for each member
> >> of the group inside the same transaction the memberof attribute has
> >> to be modified
> >
> > Are there any configuration options to increase that setting?  And would it
> have caused the replica to become unresponsive?
> you can change
> 
> nsslapd-db-locks
> 
> in the entry:
> 
> dn: cn=config,cn=ldbm database,cn=plugins,cn=config
> 
> yes. in that state it would not process updates, the txn should be finally
> aborted and the system should recover,but ..

Is there any rule of thumb or anything I can look at to get an idea of what I 
should increase that to or should it even be necessary?

The current setting has a default of 1

cn=database,cn=monitor,cn=ldbm database,cn=plugins,cn=config

currently shows 

nsslapd-db-current-locks: 82

What might cause that to spike up that significantly to deplete the locks?  
That's a pretty huge jump.

Running 389-ds-base-1.3.4.0-26.el7_2.x86_64

-andy




Re: [Freeipa-users] lock table errors

2016-02-23 Thread Ludwig Krispenz


On 02/23/2016 05:10 PM, Andy Thompson wrote:

On 02/23/2016 03:02 PM, Andy Thompson wrote:

Came across one of my replicas this morning with the following in
the error log

[20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of
available lock entries
[20/Feb/2016:17:23:38 -0500] entryrdn-index - _entryrdn_delete_key:
Deleting C1 failed; Cannot allocate memory(12)
[20/Feb/2016:17:23:38 -0500] - database index operation failed BAD
1031, err=12 Cannot allocate memory
[20/Feb/2016:17:23:38 -0500] -
index_del_entry(changenumber=1328662,cn=changelog, 0x26) failed

(12)

[20/Feb/2016:17:23:38 -0500] DSRetroclPlugin - delete_changerecord:
could not delete change record 1328662 (rc: 1)
[20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of
available lock entries
[20/Feb/2016:17:23:38 -0500] entryrdn-index - _entryrdn_get_elem:
Failed to position cursor at the key: 1328666: Cannot allocate
memory(12)
[20/Feb/2016:17:23:38 -0500] entryrdn-index - _entryrdn_delete_key:
Failed to position cursor at the key: 1328666: Cannot allocate
memory(12)
[20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of
available lock entries
[20/Feb/2016:17:23:38 -0500] - database index operation failed BAD
1031, err=12 Cannot allocate memory
[20/Feb/2016:17:23:38 -0500] -
index_del_entry(changenumber=1328663,cn=changelog, 0x26) failed

(12)

[20/Feb/2016:17:23:38 -0500] NSMMReplicationPlugin - changelog
program
- _cl5CompactDBs: failed to compact
5f1d2b12-cf1411e4-b055ba8a-f4b484f7; db error - 12 Cannot allocate
memory
[20/Feb/2016:17:23:38 -0500] DSRetroclPlugin - delete_changerecord:
could not delete change record 1328663 (rc: 1)
[20/Feb/2016:17:23:41 -0500] ldbm_back_delete - conn=0 op=0 [retry:
1]

No original_tombstone for changenumber=1330335,cn=changelog!!

And then nothing.  Was troubleshooting some clients that were having

issues resolving some trusted domain users.

I restarted IPA and it rolled through a few thousand missing change
records

23/Feb/2016:08:39:34 -0500] DSRetroclPlugin - delete_changerecord:
could not delete change record 1328696 (rc: 32)

Any thoughts as to what might have caused the lock table errors?

in BerkeleyDB this means that the number of pages which would have to
be locked in one transaction exceeds the configured number of locks.
This could happen if eg a large group is deleted and for each member
of the group inside the same transaction the memberof attribute has
to be modified

Are there any configuration options to increase that setting?  And would it

have caused the replica to become unresponsive?
you can change

nsslapd-db-locks

in the entry:

dn: cn=config,cn=ldbm database,cn=plugins,cn=config

yes. in that state it would not process updates, the txn should be finally
aborted and the system should recover,but ..

Is there any rule of thumb or anything I can look at to get an idea of what I 
should increase that to or should it even be necessary?

The current setting has a default of 1

cn=database,cn=monitor,cn=ldbm database,cn=plugins,cn=config

currently shows

nsslapd-db-current-locks: 82

What might cause that to spike up that significantly to deplete the locks?  
That's a pretty huge jump.

I have given you an example of what operation could use a high number of 
page locks; to find out what was going on in your case would require 
investigating which operations were active when the problem started and what 
the entries that were modified or added looked like ..


Running 389-ds-base-1.3.4.0-26.el7_2.x86_64

-andy



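Ludwig's earlier reply names the knob (nsslapd-db-locks under cn=config,cn=ldbm database,cn=plugins,cn=config) and Andy's follow-up asks how to tell whether raising it is needed and what was running when the table filled. The script below is an added example, not code from the thread or from 389-ds: it reads the ldbm monitor entry Andy quotes, scans the errors log for the BDB2055 line, and applies the change with ldapmodify. nsslapd-db-current-locks and the two DNs are from the thread; nsslapd-db-configured-locks and nsslapd-db-max-locks are 389-ds monitor attributes assumed from its documentation, and the bind as cn=Directory Manager over ldap://localhost is an assumption about the deployment.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): BDB lock-table usage on a 389-ds instance.
# Monitor attributes other than nsslapd-db-current-locks are assumed from 389-ds docs.

MONITOR_DN="cn=database,cn=monitor,cn=ldbm database,cn=plugins,cn=config"
CONFIG_DN="cn=config,cn=ldbm database,cn=plugins,cn=config"
LDAP_URI="${LDAP_URI:-ldap://localhost}"

# lock_report: read the monitor entry as LDIF on stdin and print
# "current configured max percent", where percent = max/configured.  The high-water
# mark (max) against the configured limit is what tells you whether the table ran out.
lock_report() {
  awk -F': ' '
    $1 == "nsslapd-db-current-locks"    { cur = $2 }
    $1 == "nsslapd-db-configured-locks" { cfg = $2 }
    $1 == "nsslapd-db-max-locks"        { max = $2 }
    END {
      if (cfg == "" || cfg == 0) { print "no nsslapd-db-configured-locks value" > "/dev/stderr"; exit 1 }
      printf "%d %d %d %d\n", cur, cfg, max, (max * 100) / cfg
    }'
}

# lock_exhausted ERRORS_LOG: count BDB2055 lines and print the first timestamp,
# which is where to start correlating against the access log for active operations.
lock_exhausted() {
  awk '/BDB2055 Lock table is out of available lock entries/ {
         n++; if (n == 1) first = substr($1, 2)
       }
       END { printf "%d %s\n", n, first }' "$1"
}

# raise_db_locks NEW_VALUE: replace nsslapd-db-locks; the directory server must be
# restarted for the new lock table size to take effect.
raise_db_locks() {
  ldapmodify -H "$LDAP_URI" -D "cn=Directory Manager" -W <<EOF
dn: $CONFIG_DN
changetype: modify
replace: nsslapd-db-locks
nsslapd-db-locks: $1
EOF
}

# Usage:
#   ldapsearch -LLL -H "$LDAP_URI" -D "cn=Directory Manager" -W -b "$MONITOR_DN" | lock_report
#   lock_exhausted /var/log/dirsrv/slapd-INSTANCE/errors   # INSTANCE is a placeholder
#   raise_db_locks 20000
```

A max-locks value equal to the configured value is the signature of the event in the thread: the table was filled at least once since the last restart even though the current count (82 in Andy's case) is tiny afterwards. The timestamp from `lock_exhausted` is the one to match against the access log, which is the investigation Ludwig describes.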


Re: [Freeipa-users] server installation but client part fails

2016-02-23 Thread lejeczek

On 23/02/16 15:04, Rob Crittenden wrote:

lejeczek wrote:

hi everybody

I'm trying server installation but it fails, I think very last leg, and
I was hoping you could suggest places which I should start looking at.

   [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Restarting the web server
ipa.ipapython.install.cli.install_tool(Server): ERROR Configuration of
client side components failed!
ipa-client-install returned: Command ''/usr/sbin/ipa-client-install'
'--on-master' '--unattended' '--domain' '.private.my.private' '--server'
'.private.my.private' '--realm' 'PRIVATE.MY.PRIVATE' '--hostname'
'.private.my.private'' returned non-zero exit status 1

many thanks


Look in /var/log/ipaserver-install.log and
/var/log/ipaclient-install.log for a more detailed reason.

rob


thanks Rob, I was missing the client part of the logs.
I just have to be careful with my finely grained 
configuration & config files.
If anybody stumbles upon similar errors - first thing to do 
is to make sure your already existing httpd config(s) do 
not exclude *.conf from Apache's main dir, which is where 
IPA renders its files.


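The pitfall lejeczek describes (a pre-existing httpd configuration that no longer pulls in the `*.conf` drop-ins IPA writes) can be checked for before running the installer. The check below is an added example, not from the thread or from FreeIPA; it assumes the Fedora/RHEL layout in which /etc/httpd/conf/httpd.conf includes `conf.d/*.conf` via an `Include` or `IncludeOptional` directive.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): confirm Apache's main config still includes
# the conf.d/*.conf drop-ins.  Path and include pattern are the Fedora/RHEL defaults (assumed).

# confd_included CONF: succeed if CONF contains an active (uncommented) Include or
# IncludeOptional of conf.d/*.conf, with or without quotes or the /etc/httpd/ prefix.
confd_included() {
  grep -Eq '^[[:space:]]*Include(Optional)?[[:space:]]+"?(/etc/httpd/)?conf\.d/\*\.conf"?[[:space:]]*$' "$1"
}

# check_httpd_conf [CONF]: human-readable verdict; exit 1 when the drop-ins would be ignored.
check_httpd_conf() {
  local conf="${1:-/etc/httpd/conf/httpd.conf}"
  if [ ! -r "$conf" ]; then
    echo "cannot read $conf" >&2
    return 1
  fi
  if confd_included "$conf"; then
    echo "ok: $conf includes conf.d/*.conf"
  else
    echo "missing: $conf does not include conf.d/*.conf; IPA's Apache drop-ins would be ignored" >&2
    return 1
  fi
}

# Usage:  check_httpd_conf            # or check_httpd_conf /path/to/httpd.conf
```

A commented-out `#IncludeOptional conf.d/*.conf`, or a narrowed pattern such as `conf.d/*.load`, both count as missing, which is the situation the installer's "Configuration of client side components failed!" error hid in this thread.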


Re: [Freeipa-users] Error setting krbpasswordexpiration using ipa user-mod

2016-02-23 Thread Karl Forner
>
> The docs you are referring to are quite old: 5 full Fedora releases,
> several IPA releases.
>

You're right, sorry. I found this documentation
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/pwd-expiration.html
which has updated instructions based on ldapmodify which worked for me.

Thanks.

Re: [Freeipa-users] lock table errors

2016-02-23 Thread Andy Thompson
> On 02/23/2016 05:10 PM, Andy Thompson wrote:
>  On 02/23/2016 03:02 PM, Andy Thompson wrote:
> > Came across one of my replicas this morning with the following in
> > the error log
> >
> > [20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of
> > available lock entries
> > [20/Feb/2016:17:23:38 -0500] entryrdn-index -
> _entryrdn_delete_key:
> > Deleting C1 failed; Cannot allocate memory(12)
> > [20/Feb/2016:17:23:38 -0500] - database index operation failed BAD
> > 1031, err=12 Cannot allocate memory
> > [20/Feb/2016:17:23:38 -0500] -
> > index_del_entry(changenumber=1328662,cn=changelog, 0x26) failed
> >> (12)
> > [20/Feb/2016:17:23:38 -0500] DSRetroclPlugin - delete_changerecord:
> > could not delete change record 1328662 (rc: 1)
> > [20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of
> > available lock entries
> > [20/Feb/2016:17:23:38 -0500] entryrdn-index - _entryrdn_get_elem:
> > Failed to position cursor at the key: 1328666: Cannot allocate
> > memory(12)
> > [20/Feb/2016:17:23:38 -0500] entryrdn-index -
> _entryrdn_delete_key:
> > Failed to position cursor at the key: 1328666: Cannot allocate
> > memory(12)
> > [20/Feb/2016:17:23:38 -0500] - libdb: BDB2055 Lock table is out of
> > available lock entries
> > [20/Feb/2016:17:23:38 -0500] - database index operation failed BAD
> > 1031, err=12 Cannot allocate memory
> > [20/Feb/2016:17:23:38 -0500] -
> > index_del_entry(changenumber=1328663,cn=changelog, 0x26) failed
> >> (12)
> > [20/Feb/2016:17:23:38 -0500] NSMMReplicationPlugin - changelog
> > program
> > - _cl5CompactDBs: failed to compact
> > 5f1d2b12-cf1411e4-b055ba8a-f4b484f7; db error - 12 Cannot allocate
> > memory
> > [20/Feb/2016:17:23:38 -0500] DSRetroclPlugin - delete_changerecord:
> > could not delete change record 1328663 (rc: 1)
> > [20/Feb/2016:17:23:41 -0500] ldbm_back_delete - conn=0 op=0 [retry:
> > 1]
>  No original_tombstone for changenumber=1330335,cn=changelog!!
> > And then nothing.  Was troubleshooting some clients that were
> > having
>  issues resolving some trusted domain users.
> > I restarted IPA and it rolled through a few thousand missing
> > change records
> >
> > 23/Feb/2016:08:39:34 -0500] DSRetroclPlugin - delete_changerecord:
> > could not delete change record 1328696 (rc: 32)
> >
> > Any thoughts as to what might have caused the lock table errors?
>  in BerkeleyDB this means that the number of pages which would have
>  to be locked in one transaction exceeds the configured number of
> locks.
>  This could happen if eg a large group is deleted and for each
>  member of the group inside the same transaction the memberof
>  attribute has to be modified
> >>> Are there any configuration options to increase that setting?  And
> >>> would it
> >> have caused the replica to become unresponsive?
> >> you can change
> >>
> >> nsslapd-db-locks
> >>
> >> in the entry:
> >>
> >> dn: cn=config,cn=ldbm database,cn=plugins,cn=config
> >>
> >> yes. in that state it would not process updates, the txn should be
> >> finally aborted and the system should recover,but ..
> > Is there any rule of thumb or anything I can look at to get an idea of what 
> > I
> should increase that to or should it even be necessary?
> >
> > The current setting has a default of 1
> >
> > cn=database,cn=monitor,cn=ldbm database,cn=plugins,cn=config
> >
> > currently shows
> >
> > nsslapd-db-current-locks: 82
> >
> > What might cause that to spike up that significantly to deplete the locks?
> That's a pretty huge jump.
> I have given you an example of what operation could use a high number of
> page locks, to find out what was going on in your case would require to
> investigate which operations were active when the problem started, what
> the entries modified added looked like ..
> >

Right, is there anything I can look at now that might give me any useful 
information?  Access log looks pretty normal around that time.  At the time the 
error occurred there would have been very little going on in the system other 
than internal processing and normal user access.  My environment is almost 
entirely an AD trust setup with HBAC and sudo.  There are very few users and 
groups in the local database for a large transaction to even be in the scope of 
possible that I can think of.

I'm checking with the windows group to see if there was anything out of the 
ordinary going on in AD at the time but there were no changes scheduled.  Is it 
possible that AD changes could be suspect?

-andy



[Freeipa-users] Client Auth Failing - Ubuntu 15.10

2016-02-23 Thread Jester
New IPA install of Fedora 23 with FreeIPA 4.2.3.  Client is Ubuntu
Desktop 15.10 (nuc) with IPA client 4.1.4.

ipa-client-install was successful.  Host object created, DNS updated, etc.

I am not able to log into the Ubuntu client with any user aside from
Admin.  I get inconsistent password prompting behavior.  It doesn't
always prompt.  Most of the time, it just gives the client not found
message.   kinit works with all users on the IPA server directly.

root@nuc0:/var/lib/sss# kinit admin
Password for ad...@mrjester.net:
root@nuc0:/var/lib/sss# kinit jon
kinit: Client 'j...@mrjester.net' not found in Kerberos database while
getting initial credentials
root@nuc0:/var/lib/sss# kinit jon-test
Password for jon-t...@mrjester.net:
Password expired.  You must change it now.
Enter new password:
Enter it again:
kinit: Password change failed while getting initial credentials
root@nuc0:/var/lib/sss# kinit jon-test
kinit: Client 'jon-t...@mrjester.net' not found in Kerberos database
while getting initial credentials
root@nuc0:/var/lib/sss#

I am able to do GSSAPI auth from the client.

/usr/bin/ldapsearch -LLL -H ldap://dir0.mrjester.net/ -Y GSSAPI -N -b
"dc=mrjester,dc=net" cn

Some various messages I see that stand out as possibly related. SSSD
debug level 8

[parse_krb5_map_user] (0x0200): Warning: krb5_map_user is empty!


[sssd[be[mrjester.net]]] [sdap_get_tgt_recv] (0x0400): Child
responded: 14 [Decrypt integrity check failed], expired on [0]


[sssd[be[mrjester.net]]] [sdap_kinit_done] (0x0100): Could not get
TGT: 14 [Bad address]
[sssd[be[mrjester.net]]] [sdap_cli_kinit_done] (0x0400): Cannot get a
TGT: ret [1432158219](Authentication Failed)
[sssd[be[mrjester.net]]] [fo_set_port_status] (0x0100): Marking port
389 of server 'dir0.mrjester.net' as 'not working'
[sssd[be[mrjester.net]]] [fo_set_port_status] (0x0400): Marking port
389 of duplicate server 'dir0.mrjester.net' as 'not working'


[sssd[be[mrjester.net]]] [sbus_get_sender_id_send] (0x2000): Not a
sysbus message, quit
[sssd[be[mrjester.net]]] [be_get_account_info] (0x0200): Got request
for [0x1001][1][name=*]
[sssd[be[mrjester.net]]] [be_req_set_domain] (0x0400): Changing
request domain from [mrjester.net] to [mrjester.net]
[sssd[be[mrjester.net]]] [sdap_idmap_domain_has_algorithmic_mapping]
(0x0080): Could not parse domain SID from [(null)]
[sssd[be[mrjester.net]]] [sdap_search_user_next_base] (0x0400):
Searching for users with base [cn=accounts,dc=mrjester,dc=net]
[sssd[be[mrjester.net]]] [sdap_print_server] (0x2000): Searching 10.8.10.40
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x0400): calling
ldap_search_ext with
[(&(uid=\2a)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0][cn=accounts,dc=mrjester,dc=net].
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [objectClass]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [uid]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [userPassword]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [uidNumber]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [gidNumber]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [gecos]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [homeDirectory]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [loginShell]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [krbPrincipalName]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [cn]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [memberOf]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [ipaUniqueID]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [ipaNTSecurityIdentifier]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [modifyTimestamp]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [entryUSN]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [shadowLastChange]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [shadowMin]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [shadowMax]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [shadowWarning]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [shadowInactive]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [shadowExpire]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [shadowFlag]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [krbLastPwdChange]
[sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
Req

[Freeipa-users] Recovering from data-only backup doesn't recover Kerberos keys properly

2016-02-23 Thread Marat Vyshegorodtsev
Hi!

I've been doing backups using the tool like this:
ipa-backup --data --online

I didn't want any configuration to be backed up, since it is managed
from a chef recipe.

However, when I tried to recover the backup to a fresh FreeIPA
install, Kerberos (GSSAPI) broke — I can't authenticate myself
anywhere using Kerberos: CLI, HTTP, etc.

LDAP password-based authentication works alright.

After some googling and reading through the mailing list, I followed
this manual and updated all keytabs for all services — dirsrv, httpd,
kadmin: 
http://www.freeipa.org/page/V3/Backup_and_Restore#Backup.2C_uninstall.2C_reinstall.2C_restore_JUST_the_LDAP_server

Then it broke in a different way: for a correct session it says that
my session is expired or just does nothing, for an incorrect password
it responds with "password incorrect" (see screenshot).
https://yadi.sk/i/WVe8u1_ZpNh3w

For CLI it just says that the credentials are incorrect regardless of
what credentials I provide.

I suppose that all krbPrincipalKey fields are tied to some other
encryption key that is not included in data-only backup.

Could you please let me know how to regenerate krbPrincipalKey for all
users or how to work around this issue?

Best regards,
Marat

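Marat's suspicion matches how a Kerberos KDC database is laid out: each principal's long-term key (the krbPrincipalKey value) is stored encrypted and integrity-protected under the realm master key K/M, and the KDC reads that master key from its stash file on the server, which is configuration on the KDC host rather than part of the directory data a `--data` backup captures. A fresh install generates its own K/M, so data restored from another install cannot be opened with it. The Python model below is an added example, not code from the thread or from FreeIPA or MIT krb5; it uses a toy SHA-256/HMAC wrapping (not krb5's real key encryption) and the made-up realm EXAMPLE.TEST, purely to show the dependency and the two restore outcomes.

```python
"""Model of why restoring a data-only backup onto a fresh KDC breaks Kerberos.

Added example, not code from the thread or from FreeIPA/MIT krb5. Each
principal's long-term key is stored encrypted and integrity-protected under
the realm master key (K/M), which lives in the KDC's stash file rather than
in the directory data. The wrapping used here (SHA-256 keystream + HMAC) is
a toy stand-in for krb5's key encryption; the dependency is the point.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


class IntegrityError(Exception):
    """Stand-in for krb5's 'Decrypt integrity check failed'."""


def _keystream(master_key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream derived from master key and nonce (toy, not krb5)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(master_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap_principal_key(master_key: bytes, principal: str, key: bytes) -> bytes:
    """Encrypt a principal's key under K/M: nonce || ciphertext || HMAC tag.

    The tag binds the principal name, so an entry cannot be moved between
    principals or opened with a different master key.
    """
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(key, _keystream(master_key, nonce, len(key))))
    tag = hmac.new(master_key, principal.encode() + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_principal_key(master_key: bytes, principal: str, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; a wrong master key fails the check."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(master_key, principal.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise IntegrityError(f"Decrypt integrity check failed: {principal}")
    return bytes(a ^ b for a, b in zip(ct, _keystream(master_key, nonce, len(ct))))


def build_kdb(master_key: bytes, principal_keys: dict) -> dict:
    """The part that lives in LDAP (what `ipa-backup --data` captures)."""
    return {p: wrap_principal_key(master_key, p, k) for p, k in principal_keys.items()}


def principals_usable(master_key: bytes, kdb: dict) -> dict:
    """Which entries a KDC booted with this master key can actually open."""
    usable = {}
    for princ, blob in kdb.items():
        try:
            unwrap_principal_key(master_key, princ, blob)
            usable[princ] = True
        except IntegrityError:
            usable[princ] = False
    return usable


def simulate_restore(restore_stash_too: bool) -> dict:
    """Restore the directory data onto a fresh install, with or without the old K/M."""
    old_master = os.urandom(32)                       # K/M of the original server
    principal_keys = {                                # made-up realm and principals
        "admin@EXAMPLE.TEST": os.urandom(32),
        "alice@EXAMPLE.TEST": os.urandom(32),
        "host/ipa.example.test@EXAMPLE.TEST": os.urandom(32),
    }
    data_backup = build_kdb(old_master, principal_keys)
    # A fresh server install generates its own master key; only restoring the
    # original stash file puts the old K/M back in front of the old data.
    booted_master = old_master if restore_stash_too else os.urandom(32)
    return principals_usable(booted_master, data_backup)


if __name__ == "__main__":
    for label, flag in (("data-only restore", False), ("data + stash restore", True)):
        print(label, simulate_restore(flag))
```

Running it shows every principal, users and host/service principals alike, failing the integrity check after a data-only restore and all of them opening again once the original master key is in place, which is the symptom pattern Marat describes (LDAP simple binds still work because they never touch krbPrincipalKey).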

[Freeipa-users] Delete DNS record along with hostname

2016-02-23 Thread Olivier Cervello
Hello,


I am trying to delete a DNS record with the --updatedns option of the ipa host-del 
command.

The steps I followed were:


root@server$ kinit admin

root@server$ ipa host-del  --updatedns

'ipa: ERROR: : host not found'.


The following:


ipa host-del  (without --updatedns flag) doesn't return this error.

ipa dnsrecord-del   works fine as well, meaning I have 
permission to view and delete DNS records.


I think it might be related to the following issue:

https://fedorahosted.org/freeipa/ticket/4329


Please advise.


Best,



Olivier Cervello | DevOps Engineer
CCC Information Services Inc.
222 Merchandise Mart Plaza, Suite 900 Chicago, IL 60654
Cell : 312-918-6018
ocerve...@cccis.com


Re: [Freeipa-users] Client Auth Failing - Ubuntu 15.10

2016-02-23 Thread Jakub Hrozek
On Tue, Feb 23, 2016 at 01:32:11PM -0500, Jester wrote:
> New IPA install of Fedora 23 with FreeIPA 4.2.3.  Client is Ubuntu
> Desktop 15.10 (nuc) with IPA client 4.1.4.
> 
> ipa-client-install was successful.  Host object created, DNS updated, etc.
> 
> I am not able to log into the Ubuntu client with any user aside from
> Admin.  I get inconsistent password prompting behavior.  It doesn't
> always prompt.  Most of the time, it just gives the client not found
> message.   kinit works with all users on the IPA server directly.
> 
> root@nuc0:/var/lib/sss# kinit admin
> Password for ad...@mrjester.net:
> root@nuc0:/var/lib/sss# kinit jon
> kinit: Client 'j...@mrjester.net' not found in Kerberos database while
> getting initial credentials
> root@nuc0:/var/lib/sss# kinit jon-test
> Password for jon-t...@mrjester.net:
> Password expired.  You must change it now.
> Enter new password:
> Enter it again:
> kinit: Password change failed while getting initial credentials
> root@nuc0:/var/lib/sss# kinit jon-test
> kinit: Client 'jon-t...@mrjester.net' not found in Kerberos database
> while getting initial credentials
> root@nuc0:/var/lib/sss#
> 
> I am able to do GSSAPI auth from the client.
> 
> /usr/bin/ldapsearch -LLL -H ldap://dir0.mrjester.net/ -Y GSSAPI -N -b
> "dc=mrjester,dc=net" cn
> 
> Some various messages I see that stand out as possibly related. SSSD
> debug level 8
> 
> [parse_krb5_map_user] (0x0200): Warning: krb5_map_user is empty!
> 
> 
> [sssd[be[mrjester.net]]] [sdap_get_tgt_recv] (0x0400): Child
> responded: 14 [Decrypt integrity check failed], expired on [0]

Please look into ldap_child with high debug level, it looks like sssd
has some issues authenticating to the directory.

> 
> 
> [sssd[be[mrjester.net]]] [sdap_kinit_done] (0x0100): Could not get
> TGT: 14 [Bad address]
> [sssd[be[mrjester.net]]] [sdap_cli_kinit_done] (0x0400): Cannot get a
> TGT: ret [1432158219](Authentication Failed)
> [sssd[be[mrjester.net]]] [fo_set_port_status] (0x0100): Marking port
> 389 of server 'dir0.mrjester.net' as 'not working'
> [sssd[be[mrjester.net]]] [fo_set_port_status] (0x0400): Marking port
> 389 of duplicate server 'dir0.mrjester.net' as 'not working'
> 
> 
> [sssd[be[mrjester.net]]] [sbus_get_sender_id_send] (0x2000): Not a
> sysbus message, quit
> [sssd[be[mrjester.net]]] [be_get_account_info] (0x0200): Got request
> for [0x1001][1][name=*]
> [sssd[be[mrjester.net]]] [be_req_set_domain] (0x0400): Changing
> request domain from [mrjester.net] to [mrjester.net]
> [sssd[be[mrjester.net]]] [sdap_idmap_domain_has_algorithmic_mapping]
> (0x0080): Could not parse domain SID from [(null)]
> [sssd[be[mrjester.net]]] [sdap_search_user_next_base] (0x0400):
> Searching for users with base [cn=accounts,dc=mrjester,dc=net]
> [sssd[be[mrjester.net]]] [sdap_print_server] (0x2000): Searching 10.8.10.40
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x0400): calling
> ldap_search_ext with
> [(&(uid=\2a)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0][cn=accounts,dc=mrjester,dc=net].

Do you use enumerate=true?

> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [objectClass]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [uid]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [userPassword]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [uidNumber]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [gidNumber]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [gecos]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [homeDirectory]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [loginShell]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [krbPrincipalName]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [cn]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [memberOf]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [ipaUniqueID]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [ipaNTSecurityIdentifier]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [modifyTimestamp]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [entryUSN]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [shadowLastChange]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [shadowMin]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [shadowMax]
> [sssd[be[mrjester.net]]] [sdap_get_generic_ext_step] (0x1000):
> Requesting attrs: [shadowWarning]
> [sssd[be[mrjester.net]]] [sdap_get_gener

Re: [Freeipa-users] Client Auth Failing - Ubuntu 15.10

2016-02-23 Thread Jester
Recent events from ldap_child.


(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [main] (0x0400):
ldap_child started.
(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [main] (0x2000):
context initialized
(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [unpack_buffer]
(0x1000): total buffer size: 52
(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [unpack_buffer]
(0x1000): realm_str size: 9
(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [unpack_buffer]
(0x1000): got realm_str: MRJESTER.NET
(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [unpack_buffer]
(0x1000): princ_str size: 19
(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [unpack_buffer]
(0x1000): got princ_str: host/nuc0.mrjester.net
(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [unpack_buffer]
(0x1000): keytab_name size: 0
(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [unpack_buffer]
(0x1000): lifetime: 86400
(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [unpack_buffer]
(0x0200): Will run as [0][0].
(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646
[privileged_krb5_setup] (0x2000): Kerberos context initialized
(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [main] (0x2000):
Kerberos context initialized
(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [become_user]
(0x0200): Trying to become user [0][0].
(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [become_user]
(0x0200): Already user [0].
(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [main] (0x2000):
Running as [0][0].
(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [main] (0x2000):
getting TGT sync
(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646
[ldap_child_get_tgt_sync] (0x2000): got realm_name: [MRJESTER.NET]
(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646
[ldap_child_get_tgt_sync] (0x0100): Principal name is:
[host/nuc0.mrjester@mrjester.net]
(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646
[ldap_child_get_tgt_sync] (0x0100): Using keytab
[MEMORY:/etc/krb5.keytab]
(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646
[ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials:
Decrypt integrity check failed
(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646
[ldap_child_get_tgt_sync] (0x2000): Unlinking
[/var/lib/sss/db/ccache_MRJESTER.NET_GsnnAd]
(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [main] (0x0020):
ldap_child_get_tgt_sync failed.
(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646
[prepare_response] (0x0400): Building response for result
[-1765328353]
(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [pack_buffer]
(0x2000): response size: 50
(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [pack_buffer]
(0x1000): result [14] krberr [-1765328353] msgsize [30] msg [Decrypt
integrity check failed]
(Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [main] (0x0400):
ldap_child completed successfully
(Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [main] (0x0400):
ldap_child started.
(Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [main] (0x2000):
context initialized
(Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [unpack_buffer]
(0x1000): total buffer size: 52
(Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [unpack_buffer]
(0x1000): realm_str size: 9
(Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [unpack_buffer]
(0x1000): got realm_str: MRJESTER.NET
(Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [unpack_buffer]
(0x1000): princ_str size: 19
(Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [unpack_buffer]
(0x1000): got princ_str: host/nuc0.mrjester.net
(Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [unpack_buffer]
(0x1000): keytab_name size: 0
(Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [unpack_buffer]
(0x1000): lifetime: 86400
(Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [unpack_buffer]
(0x0200): Will run as [0][0].
(Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647
[privileged_krb5_setup] (0x2000): Kerberos context initialized
(Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [main] (0x2000):
Kerberos context initialized
(Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [become_user]
(0x0200): Trying to become user [0][0].
(Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [become_user]
(0x0200): Already user [0].
(Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [main] (0x2000):
Running as [0][0].
(Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [main] (0x2000):
getting TGT sync
(Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647
[ldap_child_get_tgt_sync] (0x2000): got realm_name: [MRJESTER.NET]
(Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647
[ldap_child_get_tgt_sync] (0x0100): Principal name is:
[host/nuc0.mrjester@mrjester.net]
(Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647
[ldap_child_get_tgt_sync] (0x0100): Usi

Re: [Freeipa-users] Client Auth Failing - Ubuntu 15.10

2016-02-23 Thread Jakub Hrozek
On Tue, Feb 23, 2016 at 03:14:20PM -0500, Jester wrote:
> Recent events from ldap_child.
> 
> 
> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [main] (0x0400):
> ldap_child started.
> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [main] (0x2000):
> context initialized
> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [unpack_buffer]
> (0x1000): total buffer size: 52
> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [unpack_buffer]
> (0x1000): realm_str size: 9
> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [unpack_buffer]
> (0x1000): got realm_str: MRJESTER.NET
> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [unpack_buffer]
> (0x1000): princ_str size: 19
> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [unpack_buffer]
> (0x1000): got princ_str: host/nuc0.mrjester.net
> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [unpack_buffer]
> (0x1000): keytab_name size: 0
> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [unpack_buffer]
> (0x1000): lifetime: 86400
> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [unpack_buffer]
> (0x0200): Will run as [0][0].
> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646
> [privileged_krb5_setup] (0x2000): Kerberos context initialized
> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [main] (0x2000):
> Kerberos context initialized
> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [become_user]
> (0x0200): Trying to become user [0][0].
> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [become_user]
> (0x0200): Already user [0].
> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [main] (0x2000):
> Running as [0][0].
> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [main] (0x2000):
> getting TGT sync
> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646
> [ldap_child_get_tgt_sync] (0x2000): got realm_name: [MRJESTER.NET]
> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646
> [ldap_child_get_tgt_sync] (0x0100): Principal name is:
> [host/nuc0.mrjester@mrjester.net]
> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646
> [ldap_child_get_tgt_sync] (0x0100): Using keytab
> [MEMORY:/etc/krb5.keytab]
> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646
> [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646
> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials:
> Decrypt integrity check failed
> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646
> [ldap_child_get_tgt_sync] (0x2000): Unlinking
> [/var/lib/sss/db/ccache_MRJESTER.NET_GsnnAd]
> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [main] (0x0020):
> ldap_child_get_tgt_sync failed.
> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646
> [prepare_response] (0x0400): Building response for result
> [-1765328353]
> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [pack_buffer]
> (0x2000): response size: 50
> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [pack_buffer]
> (0x1000): result [14] krberr [-1765328353] msgsize [30] msg [Decrypt
> integrity check failed]

Here authenticating with the keytab failed..

> (Tue Feb 23 14:52:37 2016) [[sssd[ldap_child[5646 [main] (0x0400):
> ldap_child completed successfully
> (Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [main] (0x0400):
> ldap_child started.
> (Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [main] (0x2000):
> context initialized
> (Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [unpack_buffer]
> (0x1000): total buffer size: 52
> (Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [unpack_buffer]
> (0x1000): realm_str size: 9
> (Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [unpack_buffer]
> (0x1000): got realm_str: MRJESTER.NET
> (Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [unpack_buffer]
> (0x1000): princ_str size: 19
> (Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [unpack_buffer]
> (0x1000): got princ_str: host/nuc0.mrjester.net
> (Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [unpack_buffer]
> (0x1000): keytab_name size: 0
> (Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [unpack_buffer]
> (0x1000): lifetime: 86400
> (Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [unpack_buffer]
> (0x0200): Will run as [0][0].
> (Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647
> [privileged_krb5_setup] (0x2000): Kerberos context initialized
> (Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [main] (0x2000):
> Kerberos context initialized
> (Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [become_user]
> (0x0200): Trying to become user [0][0].
> (Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [become_user]
> (0x0200): Already user [0].
> (Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [main] (0x2000):
> Running as [0][0].
> (Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647 [main] (0x2000):
> getting TGT sync
> (Tue Feb 23 14:52:38 2016) [[sssd[ldap_child[5647
> [ldap_chil

Re: [Freeipa-users] Client Auth Failing - Ubuntu 15.10

2016-02-23 Thread Jakub Hrozek
On Tue, Feb 23, 2016 at 03:33:31PM -0500, Jester wrote:
> Made no changes to the system between posting.  Only tried a couple of
> kinits to generate some logs.
> 
> Set sssd debug to 9, restarted, did a few kinits.

kinit doesn't hit sssd, but goes directly to the KDC.

> 
> root@nuc0:/var/log/sssd# service sssd start
> root@nuc0:/var/log/sssd# kinit admin
> Password for ad...@mrjester.net:
> root@nuc0:/var/log/sssd# kinit jon
> kinit: Client 'j...@mrjester.net' not found in Kerberos database while

Again, if you're sure the principal 'jon' exists on the server, then I
would suggest to try:
KRB5_TRACE=/dev/stderr kinit jon
and see if you talk to the KDC you expect.



Re: [Freeipa-users] Client Auth Failing - Ubuntu 15.10

2016-02-23 Thread Jester
It looks like I have a replication issue.  What process manages replication?

root@nuc0:/var/log/sssd# KRB5_TRACE=/dev/stderr kinit jon
[6175] 1456260239.45010: Resolving unique ccache of type KEYRING
[6175] 1456260239.45131: Getting initial credentials for j...@mrjester.net
[6175] 1456260239.45497: Sending request (157 bytes) to MRJESTER.NET
[6175] 1456260239.47271: Resolving hostname dir1.mrjester.net.
[6175] 1456260239.48927: Sending initial UDP request to dgram 10.8.10.41:88
[6175] 1456260239.330215: Received answer (162 bytes) from dgram 10.8.10.41:88
[6175] 1456260239.330749: Response was from master KDC
[6175] 1456260239.330781: Received error from KDC: -1765328378/Client
not found in Kerberos database
kinit: Client 'j...@mrjester.net' not found in Kerberos database while
getting initial credentials
root@nuc0:/var/log/sssd# KRB5_TRACE=/dev/stderr kinit jon
[6176] 1456260254.528974: Resolving unique ccache of type KEYRING
[6176] 1456260254.529030: Getting initial credentials for j...@mrjester.net
[6176] 1456260254.529189: Sending request (157 bytes) to MRJESTER.NET
[6176] 1456260254.530384: Resolving hostname dir1.mrjester.net.
[6176] 1456260254.531265: Sending initial UDP request to dgram 10.8.10.41:88
[6176] 1456260254.533058: Received answer (162 bytes) from dgram 10.8.10.41:88
[6176] 1456260254.533548: Response was from master KDC
[6176] 1456260254.533598: Received error from KDC: -1765328378/Client
not found in Kerberos database
kinit: Client 'j...@mrjester.net' not found in Kerberos database while
getting initial credentials
root@nuc0:/var/log/sssd# KRB5_TRACE=/dev/stderr kinit jon
[6177] 1456260255.920994: Resolving unique ccache of type KEYRING
[6177] 1456260255.921053: Getting initial credentials for j...@mrjester.net
[6177] 1456260255.921216: Sending request (157 bytes) to MRJESTER.NET
[6177] 1456260255.922335: Resolving hostname dir0.mrjester.net.
[6177] 1456260255.923163: Sending initial UDP request to dgram 10.8.10.40:88
[6177] 1456260255.924918: Received answer (164 bytes) from dgram 10.8.10.40:88
[6177] 1456260255.925408: Response was from master KDC
[6177] 1456260255.925452: Received error from KDC:
-1765328361/Password has expired
[6177] 1456260255.925471: Principal expired; getting changepw ticket
[6177] 1456260255.925481: Getting initial credentials for j...@mrjester.net
[6177] 1456260255.925502: Setting initial creds service to kadmin/changepw
[6177] 1456260255.925531: Sending request (156 bytes) to MRJESTER.NET (master)
[6177] 1456260255.926385: Resolving hostname dir0.mrjester.net.
[6177] 1456260255.926895: Sending initial UDP request to dgram 10.8.10.40:88
[6177] 1456260256.927253: Received answer (243 bytes) from dgram 10.8.10.40:88
[6177] 1456260256.927330: Received error from KDC:
-1765328359/Additional pre-authentication required
[6177] 1456260256.927382: Processing preauth types: 136, 19, 2, 133
[6177] 1456260256.927410: Selected etype info: etype aes256-cts, salt
"v7Avt65hL

On Tue, Feb 23, 2016 at 3:42 PM, Jakub Hrozek wrote:
> On Tue, Feb 23, 2016 at 03:33:31PM -0500, Jester wrote:
>> Made no changes to the system between posting.  Only tried a couple of
>> kinits to generate some logs.
>>
>> Set sssd debug to 9, restarted, did a few kinits.
>
> kinit doesn't hit sssd, but goes directly to the KDC.
>
>>
>> root@nuc0:/var/log/sssd# service sssd start
>> root@nuc0:/var/log/sssd# kinit admin
>> Password for ad...@mrjester.net:
>> root@nuc0:/var/log/sssd# kinit jon
>> kinit: Client 'j...@mrjester.net' not found in Kerberos database while
>
> Again, if you're sure the principal 'jon' exists on the server, then I
> would suggest to try:
> KRB5_TRACE=/dev/stderr kinit jon
> and see if you talk to the KDC you expect.



Re: [Freeipa-users] Client Auth Failing - Ubuntu 15.10

2016-02-23 Thread Jester 2.0
The "KRB5_TRACE=/dev/stderr kinit jon" command helped out immensely by
pointing out that it was failing on dir1, but not dir0.

Turns out a DNS issue on my second directory server was breaking
replication.

Thank you for the assistance.


On Tue, Feb 23, 2016 at 3:42 PM, Jakub Hrozek  wrote:

> On Tue, Feb 23, 2016 at 03:33:31PM -0500, Jester wrote:
> > Made no changes to the system between posting.  Only tried a couple of
> > kinits to generate some logs.
> >
> > Set sssd debug to 9, restarted, did a few kinits.
>
> kinit doesn't hit sssd, but goes directly to the KDC.
>
> >
> > root@nuc0:/var/log/sssd# service sssd start
> > root@nuc0:/var/log/sssd# kinit admin
> > Password for ad...@mrjester.net:
> > root@nuc0:/var/log/sssd# kinit jon
> > kinit: Client 'j...@mrjester.net' not found in Kerberos database while
>
> Again, if you're sure the principal 'jon' exists on the server, then I
> would suggest to try:
> KRB5_TRACE=/dev/stderr kinit jon
> and see if you talk to the KDC you expect.
>
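The decisive clue in the KRB5_TRACE output above is not the error text but which KDC produced it: the attempts routed to dir1 (10.8.10.41) answer "Client not found in Kerberos database" while the attempt routed to dir0 (10.8.10.40) answers "Password has expired" for the same principal, so the two KDCs disagree about the directory contents, which is exactly what a broken replica looks like. The script below is an added example, not code from the thread; it parses MIT krb5 trace lines in the format shown in the post and reports principals for which different KDCs gave different answers. SAMPLE_TRACE is constructed from the trace in the thread, with the obfuscated principal written as jon@MRJESTER.NET.

```python
"""Group kinit attempts in a KRB5_TRACE dump by the KDC that answered them.

Added example, not code from the thread. It reads the trace lines MIT krb5
writes with KRB5_TRACE=/dev/stderr (format as shown in the post) and reports
principals for which different KDCs gave different answers, the symptom of a
replica that has fallen out of sync. SAMPLE_TRACE is constructed from the
post's trace, with the obfuscated principal written as jon@MRJESTER.NET.
"""
import re
import sys
from collections import defaultdict

SAMPLE_TRACE = """\
[6175] 1456260239.45131: Getting initial credentials for jon@MRJESTER.NET
[6175] 1456260239.47271: Resolving hostname dir1.mrjester.net.
[6175] 1456260239.48927: Sending initial UDP request to dgram 10.8.10.41:88
[6175] 1456260239.330215: Received answer (162 bytes) from dgram 10.8.10.41:88
[6175] 1456260239.330781: Received error from KDC: -1765328378/Client not found in Kerberos database
[6176] 1456260254.529030: Getting initial credentials for jon@MRJESTER.NET
[6176] 1456260254.530384: Resolving hostname dir1.mrjester.net.
[6176] 1456260254.531265: Sending initial UDP request to dgram 10.8.10.41:88
[6176] 1456260254.533598: Received error from KDC: -1765328378/Client not found in Kerberos database
[6177] 1456260255.921053: Getting initial credentials for jon@MRJESTER.NET
[6177] 1456260255.922335: Resolving hostname dir0.mrjester.net.
[6177] 1456260255.923163: Sending initial UDP request to dgram 10.8.10.40:88
[6177] 1456260255.925452: Received error from KDC: -1765328361/Password has expired
[6177] 1456260255.925471: Principal expired; getting changepw ticket
[6177] 1456260255.925481: Getting initial credentials for jon@MRJESTER.NET
[6177] 1456260255.925502: Setting initial creds service to kadmin/changepw
[6177] 1456260255.926385: Resolving hostname dir0.mrjester.net.
[6177] 1456260256.927330: Received error from KDC: -1765328359/Additional pre-authentication required
"""

LINE_RE = re.compile(r"^\[(?P<pid>\d+)\]\s+[\d.]+:\s+(?P<msg>.*)$")
START_RE = re.compile(r"^Getting initial credentials for (?P<princ>\S+)$")
HOST_RE = re.compile(r"^Resolving hostname (?P<host>\S+)$")
SEND_RE = re.compile(r"^Sending initial (?:UDP|TCP) request to (?:dgram|stream) (?P<addr>\S+)$")
ERR_RE = re.compile(r"^Received error from KDC: (?P<code>-?\d+)/(?P<text>.+)$")


def parse_trace(text: str) -> list:
    """One record per kinit process (pid): principal, first KDC contacted, KDC errors."""
    records, order = {}, []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # wrapped continuation or non-trace line
        pid, msg = m.group("pid"), m.group("msg")
        rec = records.get(pid)
        if rec is None:
            rec = records[pid] = {"pid": pid, "principal": None,
                                  "kdc_host": None, "kdc_addr": None, "errors": []}
            order.append(pid)
        start, host, send, err = (r.match(msg) for r in (START_RE, HOST_RE, SEND_RE, ERR_RE))
        if start and rec["principal"] is None:
            rec["principal"] = start.group("princ")
        elif host and rec["kdc_host"] is None:   # the KDC the AS-REQ went to
            rec["kdc_host"] = host.group("host").rstrip(".")
        elif send and rec["kdc_addr"] is None:
            rec["kdc_addr"] = send.group("addr")
        elif err:
            rec["errors"].append((int(err.group("code")), err.group("text")))
    return [records[p] for p in order]


def as_req_answer(rec: dict) -> str:
    """The KDC's reply to the initial AS-REQ (later errors belong to changepw etc.)."""
    return rec["errors"][0][1] if rec["errors"] else "no error logged"


def answers_by_kdc(attempts: list) -> dict:
    """principal -> {kdc_host: set of AS-REQ answers seen from that KDC}."""
    table = defaultdict(lambda: defaultdict(set))
    for rec in attempts:
        if rec["principal"] and rec["kdc_host"]:
            table[rec["principal"]][rec["kdc_host"]].add(as_req_answer(rec))
    return table


def divergent_principals(attempts: list) -> dict:
    """Principals for which two or more KDCs disagree; 'Client not found' from one
    KDC while another knows the principal points at broken replication."""
    out = {}
    for princ, per_kdc in answers_by_kdc(attempts).items():
        distinct = {a for answers in per_kdc.values() for a in answers}
        if len(per_kdc) > 1 and len(distinct) > 1:
            out[princ] = {kdc: sorted(a) for kdc, a in per_kdc.items()}
    return out


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    report = divergent_principals(parse_trace(text))
    for princ, per_kdc in report.items():
        print(f"{princ}: KDCs disagree")
        for kdc, answers in per_kdc.items():
            print(f"  {kdc}: {', '.join(answers)}")
    if not report:
        print("all KDCs answered consistently")
```

Feed it a file captured with `KRB5_TRACE=/path/to/trace kinit user` run several times, so that the client's KDC selection rotates through the servers; a principal that only one KDC reports as unknown tells you which replica to look at, and the same divergence explains the ldap_child "Decrypt integrity check failed" earlier in the thread if the host keytab's key has not reached that replica either.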

Re: [Freeipa-users] sssd went away, failed to restart

2016-02-23 Thread Harald Dunkel
Hi Lukas,

On 02/23/16 13:46, Lukas Slebodnik wrote:
> On (23/02/16 13:01), Harald Dunkel wrote:
>> On 02/23/2016 11:58 AM, Lukas Slebodnik wrote:
>>> I would rather focus on different thing. Why is the sssd_be process blocked for 
>>> a long time?
>>> 
>> 
>> I have no idea. Was it really blocked?
>> 
> It needn't be blocked itself. But it was busy with some non-blocking 
> operation which the main process considered a bad state.
> 

Do you think this is OK? Did it try to terminate the unresponsive
sssd_be, or did it just try to start a new one and run into a
conflict with the old?

> Would you mind to share sssd log files with high debug level?
> 

Surely I can increase the log level for sssd. I wonder why
sssd_be doesn't write its own log file?

>> 
>> Does it really have to be watched? Wouldn't it be the job of systemd to 
>> restart the service when it dies?
>> 
> sssd also works on non-systemd distributions. We plan to rely on systemd. If 
> you want to speed up the process then patches are always welcome.
> 

I highly appreciate your effort on providing compatibility with
sysv init and others, but do you know that ipa-client-install (4.0.5)
dies without systemd? I cannot tell for more recent ipa versions,
since they are not available for Debian 8.

> And moreover systemd would not solve the main issue. We should try to find 
> out why sssd_be did not respond for a long time.
> 

Maybe it would help to improve the way the monitor checks for
unresponsive threads instead? We have no indication that sssd_be had
any problem, except for sssd trying to start a new one. Since sssd
couldn't, I would assume that the old sssd_be was still up and running
and that sssd was the buggy part.

Would you agree to that?


Regards
Harri



Re: [Freeipa-users] Traceback starting pki-cad - ca.subsystem.certreq missing?

2016-02-23 Thread Ian Pilcher

> This looks like something PKI-specific (given it is in /usr/sbin/pki-server),
> CCing Endi from the Dogtag team.


From doing some additional Googling, it seems like the request should be
in the PKI-CA dirsrv instance.  Thus far, I haven't been able to figure
out the incantation necessary to get ldapsearch to connect, though.

--

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 

