Re: [Freeipa-users] In webgui, ID Views slow, to crashingly slow

2016-09-19 Thread Martin Babinsky

On 09/20/2016 12:17 AM, Simpson Lachlan wrote:

-Original Message-

On 09/19/2016 03:12 AM, Lachlan Musicman wrote:

Hi

Sometimes when I visit the ID Views page in the webgui, it is
crushingly slow, and often it times out.

Centos 7, ipa --version
VERSION: 4.2.0, API_VERSION: 2.156

Is there a reason, can I do something to fix this?



What kind of ID Views do you use? Do you use them to  override AD users?
Is there any useful info in '/var/log/httpd/error_log'?


There is the single ID View Name, Default Trust View, and in that we have a 
number of users overriding the AD usernames and home dirs.

The httpd error log is relatively large, tbh, but there's nothing in there that looks 
like an obvious reason. In fact, for an error log, there is a hell of a lot of 
"SUCCESS" messages? The most obvious culprit in the error log is 
jsonserver_session...

Next time I see it (I only see it intermittently), I'll grab the logs and have 
a look.

Cheers
L.






One thing that crossed my mind is to check the connectivity to the AD 
domain controllers. To resolve AD user overrides, FreeIPA uses SSSD to 
contact AD DCs to do the username -> SID translation. If there is some 
problem contacting them, then there may be hangs/timeouts when resolving 
override anchors.


Thus you may also want to check the SSSD logs (see
https://fedorahosted.org/sssd/wiki/Troubleshooting) to see whether this 
is the case.


--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] sssd.conf - the server and host-client relationship

2016-09-19 Thread Lachlan Musicman
Hola,

What is the relationship between the IPA server, host-clients and the
sssd.conf?

From what I can tell, sssd.conf is edited/changed by the ipa-client-install
process on the host-client.

What level of similarity does there need to be between the two sssd.confs?

My server's sssd.conf has a significant number of extra parameters set that
are not getting put onto the clients.

Debug levels are the most obvious, and understandable, omissions - but some
others are frustrating.

The (non debug_level) parameters missing are:
--
[domain/unixdev.etc]
ignore_group_members = True
ldap_purge_cache_timeout = 0
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
selinux_provider = none
ipa_server_mode = True
sudo_provider = ldap
ldap_uri = ldap://vmdv-linuxidm1.unixdev.petermac.org.au
ldap_sudo_search_base = or=sudoers,dc=unixdev,dc=petermac,dc=org,dc=au
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/vmdv-linuxidm1.unixdev.petermac.org.au
ldap_sasl_realm = UNIXDEV.PETERMAC.ORG.AU
krb5_server = vmdv-linuxidm1.unixdev.petermac.org.au

[sssd]
config_file_version = 2
domains = unixdev.etc

[nss]
memcache_timeout = 600
--

The other diff is that the

host has: ipa_server = vmdv-linuxidm1.unixdev.petermac.org.au
client has: ipa_server = _srv_, vmdv-linuxidm1.unixdev.petermac.org.au

Which I presume is expected/desired.

And the reason I ask is because we have selinux disabled, and without the
"selinux_provider = none" line, we would get kicked out as soon as freeipa
had logged us in with message:

Connection to test_client.unixdev.petermac.org.au closed by remote host.

and on that host-client there was a brand new selinux_child.log that I'd
never seen before.


cheers
L.


--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

Re: [Freeipa-users] HBAC doesn't work issues

2016-09-19 Thread Lachlan Musicman
(redface)

It seems to be working.

Thanks


--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

On 20 September 2016 at 09:57, Lachlan Musicman  wrote:

> We have one "allow all" sudo rule (anyone, any host, any command).
>
> Matching Defaults entries for root on this host:
> requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
> DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
> PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
> LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
> LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
> LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
> secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>
> User root may run the following commands on this host:
> (ALL) ALL
>
>
> My sssd.conf has:
>
> [domain/unixdev.etc]
> ...
> sudo_provider = ldap
> ldap_uri = ldap://vmdv-linuxidm1.unixdev.petermac.org.au
> ldap_sudo_search_base = or=sudoers,dc=unixdev,dc=petermac,dc=org,dc=au
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/vmdv-linuxidm1.unixdev.petermac.org.au
> ldap_sasl_realm = UNIXDEV.PETERMAC.ORG.AU
> krb5_server = vmdv-linuxidm1.unixdev.petermac.org.au
>
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
> domains = unixdev.petermac.org.au
> debug_level = 6
>
> [sudo]
> debug_level = 6
>
> but only on the server - does that need to filter down to each client? The
> client side sssd.confs seem to be auto created when ipa-client-install is
> run, and are stripped down...
>
> cheers
> L.
>
> --
> The most dangerous phrase in the language is, "We've always done it this
> way."
>
> - Grace Hopper
>
> On 19 September 2016 at 18:21, Lukas Slebodnik 
> wrote:
>
>> On (19/09/16 16:43), Lachlan Musicman wrote:
>> >I must have made an error again:
>> >
>> >- ipa hbactest gives seemingly correct answer on both server and client
>> >- user can't actually use sudo on client?
>> >
>> >Centos 7, freeipa 4.2.0/2.156; sssd 1.14.1 from COPR
>> >
>> >From the server:
>> >
>> >[root@vmdv-linuxidm1 ~]# ipa hbactest --user=lsimp...@petermac.org.au
>> >--host=vmts-linuxclient1.unixdev.petermac.org.au --service=sudo
>> >
>> >Access granted: True
>> >
>> >  Matched rules: Cluster Admin Users (sudo)
>> >  Not matched rules: Cluster Users
>> >[root@vmdv-linuxidm1 ~]#
>> >
>> >
>> >From the host in question:
>> >
>> >[root@vmts-linuxclient1 ~]# ipa hbactest --user lsimp...@petermac.org.au
>> >--host `hostname` --service sudo
>> >
>> >Access granted: True
>> >
>> >  Matched rules: Cluster Admin Users (sudo)
>> >  Not matched rules: Cluster Users
>> >[root@vmts-linuxclient1 ~]#
>> >
>> >
>> >[lsimp...@petermac.org.au@vmts-linuxclient1 ~]$ sudo reboot
>> >[sudo] password for lsimp...@petermac.org.au:
>> >lsimp...@petermac.org.au is not allowed to run sudo on
>> vmts-linuxclient1.
>> >This incident will be reported.
>> >
>> Did you configure sudo rules for such user?
>> What is an output of "sudo -l"
>>
>> LS
>>
>
>

Re: [Freeipa-users] HBAC doesn't work issues

2016-09-19 Thread Lachlan Musicman
We have one "allow all" sudo rule (anyone, any host, any command).

Matching Defaults entries for root on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User root may run the following commands on this host:
(ALL) ALL


My sssd.conf has:

[domain/unixdev.etc]
...
sudo_provider = ldap
ldap_uri = ldap://vmdv-linuxidm1.unixdev.petermac.org.au
ldap_sudo_search_base = or=sudoers,dc=unixdev,dc=petermac,dc=org,dc=au
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/vmdv-linuxidm1.unixdev.petermac.org.au
ldap_sasl_realm = UNIXDEV.PETERMAC.ORG.AU
krb5_server = vmdv-linuxidm1.unixdev.petermac.org.au

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = unixdev.petermac.org.au
debug_level = 6

[sudo]
debug_level = 6

but only on the server - does that need to filter down to each client? The
client side sssd.confs seem to be auto created when ipa-client-install is
run, and are stripped down...

cheers
L.

--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

On 19 September 2016 at 18:21, Lukas Slebodnik  wrote:

> On (19/09/16 16:43), Lachlan Musicman wrote:
> >I must have made an error again:
> >
> >- ipa hbactest gives seemingly correct answer on both server and client
> >- user can't actually use sudo on client?
> >
> >Centos 7, freeipa 4.2.0/2.156; sssd 1.14.1 from COPR
> >
> >From the server:
> >
> >[root@vmdv-linuxidm1 ~]# ipa hbactest --user=lsimp...@petermac.org.au
> >--host=vmts-linuxclient1.unixdev.petermac.org.au --service=sudo
> >
> >Access granted: True
> >
> >  Matched rules: Cluster Admin Users (sudo)
> >  Not matched rules: Cluster Users
> >[root@vmdv-linuxidm1 ~]#
> >
> >
> >From the host in question:
> >
> >[root@vmts-linuxclient1 ~]# ipa hbactest --user lsimp...@petermac.org.au
> >--host `hostname` --service sudo
> >
> >Access granted: True
> >
> >  Matched rules: Cluster Admin Users (sudo)
> >  Not matched rules: Cluster Users
> >[root@vmts-linuxclient1 ~]#
> >
> >
> >[lsimp...@petermac.org.au@vmts-linuxclient1 ~]$ sudo reboot
> >[sudo] password for lsimp...@petermac.org.au:
> >lsimp...@petermac.org.au is not allowed to run sudo on vmts-linuxclient1.
> >This incident will be reported.
> >
> Did you configure sudo rules for such user?
> What is an output of "sudo -l"
>
> LS
>

Re: [Freeipa-users] bind crashes on rndc reload

2016-09-19 Thread Anthony Joseph Messina
On Monday, September 19, 2016 2:16:55 PM CDT Petr Spacek wrote:
> On 12.9.2016 11:55, Anthony Joseph Messina wrote:
> > On Monday, September 12, 2016 10:31:10 AM CDT Jochen Demmer wrote:
> >> Hi,
> >> 
> >> I have a major issue with my setup:
> >> Fedora 24
> >> freeipa-common-4.3.2-2.fc24.noarch
> >> freeipa-admintools-4.3.2-2.fc24.noarch
> >> freeipa-server-dns-4.3.2-2.fc24.noarch
> >> freeipa-client-common-4.3.2-2.fc24.noarch
> >> freeipa-server-4.3.2-2.fc24.x86_64
> >> freeipa-server-common-4.3.2-2.fc24.noarch
> >> freeipa-client-4.3.2-2.fc24.x86_64
> >> bind-dyndb-ldap-9.0-3.fc24.x86_64
> >> bind-libs-lite-9.10.4-1.P2.fc24.x86_64
> >> bind-pkcs11-libs-9.10.4-1.P2.fc24.x86_64
> >> bind99-libs-9.9.9-1.P2.fc24.x86_64
> >> bind-utils-9.10.4-1.P2.fc24.x86_64
> >> rpcbind-0.2.3-11.rc1.fc24.x86_64
> >> bind-license-9.10.4-1.P2.fc24.noarch
> >> bind-pkcs11-9.10.4-1.P2.fc24.x86_64
> >> bind-9.10.4-1.P2.fc24.x86_64
> >> bind-libs-9.10.4-1.P2.fc24.x86_64
> >> bind99-license-9.9.9-1.P2.fc24.noarch
> >> bind-pkcs11-utils-9.10.4-1.P2.fc24.x86_64
> >> 
> >> It seems that there is a regular but not daily "rndc reload" sent to the
> >> nameserver that leads to a crash of it. I sent a SIGHUP to the named
> >> process, but that didn't lead to a crash. Only "rndc reload" does. It
> >> does not crash EVERY time, but most of the times. I need to do an
> >> "ipactl restart" in order to get the nameserver up and running again.
> >> 
> >> I found this thread, but this doesn't give me any clues:
> >> https://www.redhat.com/archives/freeipa-users/2012-May/msg00340.html
> >> 
> >> This is what the log says:
> >> http://paste.debian.net/818354/
> >> Please understand that I obfuscated my IP addresses and domain names
> >> 
> >> This is the strace:
> >> http://paste.debian.net/818365/
> >> 
> >> This is my named.conf:
> >> http://paste.debian.net/818368/
> >> 
> >> Hope someone can help.
> >> Jochen
> > 
> > I wish I could, as I have the same issue, usually early Sunday morning
> > after some cron/timer job that reloads:
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=1362162
> 
> Could you please try bind-dyndb-ldap-10.1-1.fc24 from updates-testing?
> 
> Alternatively the package can be downloaded from
> http://koji.fedoraproject.org/koji/buildinfo?buildID=792505
> 
> Please let me know if it fixes your problem or not.

bind-dyndb-ldap-10.1-1.fc24 from updates-testing seems to work, or at least it 
does not crash on rndc reload. I'll give it some time and see what happens, 
since it didn't crash every time before either.  Thank you Petr.  -A

-- 
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
F9B6 560E 68EA 037D 8C3D  D1C9 FF31 3BDB D9D8 99B6



Re: [Freeipa-users] In webgui, ID Views slow, to crashingly slow

2016-09-19 Thread Simpson Lachlan
> -Original Message-
> 
> On 09/19/2016 03:12 AM, Lachlan Musicman wrote:
> > Hi
> >
> > Sometimes when I visit the ID Views page in the webgui, it is
> > crushingly slow, and often it times out.
> >
> > Centos 7, ipa --version
> > VERSION: 4.2.0, API_VERSION: 2.156
> >
> > Is there a reason, can I do something to fix this?
> >
> 
> What kind of ID Views do you use? Do you use them to  override AD users?
> Is there any useful info in '/var/log/httpd/error_log'?

There is the single ID View Name, Default Trust View, and in that we have a 
number of users overriding the AD usernames and home dirs.

The httpd error log is relatively large, tbh, but there's nothing in there that 
looks like an obvious reason. In fact, for an error log, there is a hell of a 
lot of "SUCCESS" messages? The most obvious culprit in the error log is 
jsonserver_session...

Next time I see it (I only see it intermittently), I'll grab the logs and have 
a look.

Cheers
L.







Re: [Freeipa-users] Fwd: Re: Increase ListenBacklog for httpd

2016-09-19 Thread Robbie Harwood
Rakesh Rajasekharan  writes:

> On Mon, Sep 12, 2016 at 10:13 AM, Rakesh Rajasekharan wrote:
>
> sorry I guess I did not put the question correctly
>
> I wanted to know .. like we have the ListenBacklog for apache to
> basically define the number of connections it can handle.. do we
> have something similar for our krb5kdc service.. as the SYN flooding
> at 88 looks like krb5kdc service is not able to handle sudden spurt
> in connections or the number of connections are more than it could
> handle..
>
> So, would be great if I could know how many connection it can
> support at any given time ..most of the times I see this error while
> I add clients to IPA master.. so if there's a known limit, I could
> first check netstat to see how many connections I have at any point
> and if it's below the limit only then set up ipa-client-install

We intentionally do not have such a parameter in krb5.  We call
listen(5) internally, but please note this is probably not the parameter
you want to be able to tune.

The listen() backlog is the number of connections that are waiting to be
accept()ed by the process.  They sit in the kernel, not receiving
SYNACK.  This number does not count connections that the process - here
krb5kdc - has accept()ed and is currently processing.

If you're truly seeing connections faster than they can be accept()ed,
you have a load problem that tuning this parameter likely won't fix.
You should probably configure replicas: krb5 will fall back if the
connection is refused from one kdc to the next configured one.  This
will result in faster operation for your users than waiting on an
enormous listen() backlog will as well.

A tunable for the listen value may be added in the future, but is not
available at the present time.

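Two checks for the situation Robbie describes, as an added example that is not code from the thread or from krb5: a parser for `ss -ltn` (for a LISTEN socket Recv-Q is the current accept-queue length and Send-Q is the backlog given to listen(), so krb5kdc's queue fills at 5) and a parser for the TcpExt ListenOverflows/ListenDrops counters in /proc/net/netstat, which grow each time a SYN is dropped for a full queue. Both inputs are constructed samples, not output captured from the poster's master.

```python
"""Two checks for a saturated krb5kdc accept queue.

Added example, not code from the thread or from krb5:
(1) parse `ss -ltn`: for a LISTEN socket Recv-Q is the current accept-queue
    length and Send-Q is the backlog passed to listen(); krb5kdc calls
    listen(5), so its queue is full at 5.
(2) parse the TcpExt counters in /proc/net/netstat: ListenOverflows and
    ListenDrops grow every time a SYN is dropped because the accept queue
    is full (the condition behind the "SYN flooding on port 88" message).
Both inputs are constructed samples, not captured from the poster's master.
"""

# Constructed `ss -ltn` output: the IPv4 KDC listener has 6 queued against a
# backlog of 5, the others are idle.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN  6      5      0.0.0.0:88         0.0.0.0:*
LISTEN  0      5      [::]:88            [::]:*
LISTEN  0      128    0.0.0.0:389        0.0.0.0:*
LISTEN  0      511    *:443              *:*
"""

# Constructed /proc/net/netstat excerpt (a names line, then a values line).
SAMPLE_PROC_NETSTAT = """\
TcpExt: SyncookiesSent SyncookiesRecv ListenOverflows ListenDrops
TcpExt: 0 0 37 37
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
"""


def parse_ss_listen(text):
    """Return one dict per LISTEN row: addr, port, queued (Recv-Q), backlog (Send-Q)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue                      # header line or non-listening socket
        addr, _, port = parts[3].rpartition(":")   # keeps "[::]" and "*" intact
        rows.append({"addr": addr, "port": int(port),
                     "queued": int(parts[1]), "backlog": int(parts[2])})
    return rows


def saturated_listeners(rows, port=88):
    """Listeners on `port` whose accept queue has reached the listen() backlog."""
    return [r for r in rows if r["port"] == port and r["queued"] >= r["backlog"]]


def listen_drop_counters(netstat_text):
    """Return ListenOverflows and ListenDrops from /proc/net/netstat text."""
    lines = netstat_text.splitlines()
    counters = {}
    for names, values in zip(lines[::2], lines[1::2]):   # name line, value line
        if names.startswith("TcpExt:"):
            counters.update(zip(names.split()[1:], map(int, values.split()[1:])))
    return {k: counters.get(k, 0) for k in ("ListenOverflows", "ListenDrops")}
```

A growing ListenDrops on the master confirms the diagnosis above; the remedy is capacity (replicas, which clients fail over to), not a larger backlog.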


Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-19 Thread Rob Crittenden

Natxo Asenjo wrote:

hi,


On Fri, Sep 16, 2016 at 4:22 PM, Rob Crittenden wrote:

The 3 certs you list are the ones that are renewed via the IPA API
(as opposed to the subsystem certs renewed directly by dogtag). I
think the failures are all related. I had someone else report the
CSR decoding failure and he just restarted IPA and that fixes things
for him though it was a rather unsatisfying fix.

What I'd do is this. Assuming each step works, move onto the next.

1. ipa cert-show 1

The serial # picked more or less at random, we're testing
connectivity and that the CA is up and operational.

2. I assume that getcert list | grep expire shows all certs
currently valid? The IPA service certs expire in a month, how about
the CA subsystem certs?

3. Is this the same server having problems talking to the CA due to
the other NSS errors? If so what I'd do is restart httpd then
immediately use ipa-getcert to resubmit the requests to try to get
into that few minute window.

If this is the same box you already have debugging enabled so seeing
what that shows might be helpful.

rob



yes, all certs are valid (see attachment getcert.txt).

So I restarted httpd, I could execute ipa cert-show 1 and get an answer,
immediately after I ran

$ sudo ipa-getcert resubmit -i 20121107212513
Resubmitting "20121107212513" to "IPA".

and now the status is the one you see in the attached getcert.txt file.
The server failed request, will retry.

I do not know if it's important, but I saw that the usercertificate
attribute of the pki user admin was expired.

I attach the error_log of httpd as well.


Ok, how about we work around the problem.

Since it is failing on the revocation what you might try is removing the 
userCertificate value from the ldap/kdc01.unix.iriszorg.nl service entry.


I think this will work:

$ ipa service-show ldap/kdc01.unix.iriszorg.nl |grep Serial


$ ipa service-mod --certificate= ldap/kdc01.unix.iriszorg.nl

If this doesn't work you can use ldapmodify to delete the 
usercertificate value.


This will remove the certificate value so there is nothing to revoke and 
a new cert will be saved (hopefully).


Now try to resubmit the request via certmonger.

If it works then you can run ipa cert-revoke

It isn't a great answer long-term because it is really just working 
around the problem but it should get the certs renewed.


rob



Re: [Freeipa-users] CA: Cannot add Centos7.2 replica to Centos6.8 ipa server

2016-09-19 Thread Giorgos Kafataridis



On 09/16/2016 06:39 PM, Petr Vobornik wrote:

On 09/14/2016 07:26 PM, Giorgos Kafataridis wrote:


On 09/13/2016 10:36 PM, Endi Sukma Dewata wrote:

On 9/12/2016 9:35 PM, Endi Sukma Dewata wrote:

On 9/9/2016 2:46 PM, Georgios Kafataridis wrote:

I've tried that but still the same result.

[root@ipa-server /]# ldapsearch -D "cn=directory manager" -W -p 389 -h
localhost -b "uid=admin,ou=people,o=ipaca"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] bind crashes on rndc reload

2016-09-19 Thread Petr Spacek
On 12.9.2016 11:55, Anthony Joseph Messina wrote:
> On Monday, September 12, 2016 10:31:10 AM CDT Jochen Demmer wrote:
>> Hi,
>>
>> I have a major issue with my setup:
>> Fedora 24
>> freeipa-common-4.3.2-2.fc24.noarch
>> freeipa-admintools-4.3.2-2.fc24.noarch
>> freeipa-server-dns-4.3.2-2.fc24.noarch
>> freeipa-client-common-4.3.2-2.fc24.noarch
>> freeipa-server-4.3.2-2.fc24.x86_64
>> freeipa-server-common-4.3.2-2.fc24.noarch
>> freeipa-client-4.3.2-2.fc24.x86_64
>> bind-dyndb-ldap-9.0-3.fc24.x86_64
>> bind-libs-lite-9.10.4-1.P2.fc24.x86_64
>> bind-pkcs11-libs-9.10.4-1.P2.fc24.x86_64
>> bind99-libs-9.9.9-1.P2.fc24.x86_64
>> bind-utils-9.10.4-1.P2.fc24.x86_64
>> rpcbind-0.2.3-11.rc1.fc24.x86_64
>> bind-license-9.10.4-1.P2.fc24.noarch
>> bind-pkcs11-9.10.4-1.P2.fc24.x86_64
>> bind-9.10.4-1.P2.fc24.x86_64
>> bind-libs-9.10.4-1.P2.fc24.x86_64
>> bind99-license-9.9.9-1.P2.fc24.noarch
>> bind-pkcs11-utils-9.10.4-1.P2.fc24.x86_64
>>
>> It seems that there is a regular but not daily "rndc reload" sent to the
>> nameserver that leads to a crash of it. I sent a SIGHUP to the named
>> process, but that didn't lead to a crash. Only "rndc reload" does. It
>> does not crash EVERY time, but most of the times. I need to do an
>> "ipactl restart" in order to get the nameserver up and running again.
>>
>> I found this thread, but this doesn't give me any clues:
>> https://www.redhat.com/archives/freeipa-users/2012-May/msg00340.html
>>
>> This is what the log says:
>> http://paste.debian.net/818354/
>> Please understand that I obfuscated my IP addresses and domain names
>>
>> This is the strace:
>> http://paste.debian.net/818365/
>>
>> This is my named.conf:
>> http://paste.debian.net/818368/
>>
>> Hope someone can help.
>> Jochen
> 
> I wish I could, as I have the same issue, usually early Sunday morning after 
> some cron/timer job that reloads:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1362162

Could you please try bind-dyndb-ldap-10.1-1.fc24 from updates-testing?

Alternatively the package can be downloaded from
http://koji.fedoraproject.org/koji/buildinfo?buildID=792505

Please let me know if it fixes your problem or not.

-- 
Petr^2 Spacek



Re: [Freeipa-users] Want to extend schema for ipahost

2016-09-19 Thread Deepak Dimri
Thank You Flo
This helped!!!
Best regards,
Deepak

> Subject: Re: [Freeipa-users] Want to extend schema for ipahost
> To: deepak_di...@hotmail.com; freeipa-users@redhat.com
> From: f...@redhat.com
> Date: Mon, 19 Sep 2016 13:41:00 +0200
> 
> On 09/19/2016 01:31 PM, Deepak Dimri wrote:
> > Hi All,
> >
> > I want to add a couple of custom attributes to IPA Host. I have already
> > added custom attributes and objectclass "AWSInstanceDetails" to my
> > schema successfully but when I am trying to modify an existing host to
> > include the new objectclass I am getting the below error
> >
> > ldap_modify: Object class violation (65)
> >
> > additional info: missing attribute "sn" required by object class
> > "AWSInstanceDetails"
> >
> >
> > my ldif file to add the newly created objectclass.
> >
> >
> > dn: fqdn=testhost,dc=ddiam,dd=online
> >
> > changetype: modify
> >
> > add: objectclass
> >
> > objectclass: AWSInstanceDetails
> >
> >
> > How can i extend my ipahost objectclass to include additional
> > attributes? i followed this document to extend ipa
> > userobjectclass 
> > https://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf but
> > now i need help with ipahost
> >
> >
> > As always any help would be much appreciated!
> >
> >
> > Thanks,
> >
> > Deepak
> >
> >
> >
> 
> Hi Deepak,
> 
> What is your schema definition for AWSInstanceDetails? If it requires 
> the "sn" attribute as a mandatory attribute (i.e in the MUST section), 
> then you need to define a value for sn in your ldif file. Otherwise the 
> schema would not be respected by your object.
> 
> For instance:
> dn: fqdn=testhost,dc=ddiam,dd=online
> changetype: modify
> add: objectclass
> objectclass: AWSInstanceDetails
> -
> add: sn
> sn: myValue
> 
> If, on the contrary, you do not want the attribute to be mandatory, you 
> can define the AWSInstanceDetails objectclass with an optional "sn" 
> attribute, by putting sn in the MAY section.
> 
> Hope this helps,
> Flo.
> 

Re: [Freeipa-users] Want to extend schema for ipahost

2016-09-19 Thread Martin Basti



On 19.09.2016 13:41, Florence Blanc-Renaud wrote:

On 09/19/2016 01:31 PM, Deepak Dimri wrote:

Hi All,

I want to add a couple of custom attributes to IPA Host. I have already
added custom attributes and objectclass "AWSInstanceDetails" to my
schema successfully but when I am trying to modify an existing host to
include the new objectclass I am getting the below error

ldap_modify: Object class violation (65)

additional info: missing attribute "sn" required by object class
"AWSInstanceDetails"


my ldif file to add the newly created objectclass.


dn: fqdn=testhost,dc=ddiam,dd=online

changetype: modify

add: objectclass

objectclass: AWSInstanceDetails


How can i extend my ipahost objectclass to include additional
attributes? i followed this document to extend ipa
userobjectclass 
https://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf but

now i need help with ipahost


As always any help would be much appreciated!


Thanks,

Deepak





Hi Deepak,

What is your schema definition for AWSInstanceDetails? If it requires 
the "sn" attribute as a mandatory attribute (i.e in the MUST section), 
then you need to define a value for sn in your ldif file. Otherwise 
the schema would not be respected by your object.


For instance:
dn: fqdn=testhost,dc=ddiam,dd=online
changetype: modify
add: objectclass
objectclass: AWSInstanceDetails
-
add: sn
sn: myValue

If, on the contrary, you do not want the attribute to be mandatory, 
you can define the AWSInstanceDetails objectclass with an optional 
"sn" attribute, by putting sn in the MAY section.


Hope this helps,
Flo.



Yes please use only MAY attributes otherwise you will not be able to 
create new entries using IPA CLI/webUI


Martin^2



Re: [Freeipa-users] User gecos in IPA-AD trust

2016-09-19 Thread Jakub Hrozek
On Mon, Sep 19, 2016 at 01:47:22PM +0200, Troels Hansen wrote:
> Hi, I'm having some problems setting user's gecos in an AD trust environment. 
> 
> No matter what I change ldap_user_gecos to, it doesn't change on AD users. 
> 
> I guess it's because I can only set it on the IPA domain, in SSSD config, and 
> it can't be added to the subdomain_inherit? 

Currently it's not possible.



[Freeipa-users] User gecos in IPA-AD trust

2016-09-19 Thread Troels Hansen
Hi, I'm having some problems setting user's gecos in an AD trust environment. 

No matter what I change ldap_user_gecos to, it doesn't change on AD users. 

I guess it's because I can only set it on the IPA domain, in SSSD config, and it 
can't be added to the subdomain_inherit? 


-- 

Kind regards 

Troels Hansen 

System consultant 

Casalogic A/S 

T (+45) 70 20 10 63 

M (+45) 22 43 71 57 

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and 
much more. 

Re: [Freeipa-users] Want to extend schema for ipahost

2016-09-19 Thread Florence Blanc-Renaud

On 09/19/2016 01:31 PM, Deepak Dimri wrote:

Hi All,

I want to add a couple of custom attributes to IPA Host. I have already
added custom attributes and objectclass "AWSInstanceDetails" to my
schema successfully but when I am trying to modify an existing host to
include the new objectclass I am getting the below error

ldap_modify: Object class violation (65)

additional info: missing attribute "sn" required by object class
"AWSInstanceDetails"


my ldif file to add the newly created objectclass.


dn: fqdn=testhost,dc=ddiam,dd=online

changetype: modify

add: objectclass

objectclass: AWSInstanceDetails


How can i extend my ipahost objectclass to include additional
attributes? i followed this document to extend ipa
userobjectclass 
https://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf but
now i need help with ipahost


As always any help would be much appreciated!


Thanks,

Deepak





Hi Deepak,

What is your schema definition for AWSInstanceDetails? If it requires 
the "sn" attribute as a mandatory attribute (i.e in the MUST section), 
then you need to define a value for sn in your ldif file. Otherwise the 
schema would not be respected by your object.


For instance:
dn: fqdn=testhost,dc=ddiam,dd=online
changetype: modify
add: objectclass
objectclass: AWSInstanceDetails
-
add: sn
sn: myValue

If, on the contrary, you do not want the attribute to be mandatory, you 
can define the AWSInstanceDetails objectclass with an optional "sn" 
attribute, by putting sn in the MAY section.


Hope this helps,
Flo.

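The MUST/MAY point Flo makes above, and Martin Basti's note in his reply that only MAY attributes keep IPA CLI/webUI able to create hosts, as an added example that is not code from the thread or from FreeIPA: a minimal RFC 4512 objectClass-description parser plus a MUST check that reproduces the "missing attribute sn" violation and both fixes (supply sn, or put sn in MAY). The OID, the awsInstanceId attribute and the DN are placeholders.

```python
"""Check an LDAP modify against objectClass MUST/MAY lists before sending it.

Added example, not code from the thread or from FreeIPA: a minimal RFC 4512
objectClass-description parser plus a MUST check. It reproduces the
"missing attribute sn required by object class AWSInstanceDetails" violation
Deepak hit and both fixes Flo describes (supply sn, or put sn in MAY).
The OID, the awsInstanceId attribute and the DN below are placeholders.
"""
import re

# Constructed schema definitions (placeholder OID): 'sn' in MUST vs in MAY.
SCHEMA_MUST_SN = ("( 1.3.6.1.4.1.99999.1.2.1 NAME 'AWSInstanceDetails' "
                  "SUP top AUXILIARY MUST ( sn ) MAY ( awsInstanceId ) )")
SCHEMA_MAY_SN = ("( 1.3.6.1.4.1.99999.1.2.1 NAME 'AWSInstanceDetails' "
                 "SUP top AUXILIARY MAY ( sn $ awsInstanceId ) )")

# Constructed host entry (only the attributes relevant to the check).
HOST_ENTRY = {"fqdn": ["testhost"], "objectclass": ["top", "ipahost"]}

# The shape of Deepak's LDIF (placeholder DN), and Flo's version that adds sn.
LDIF_NO_SN = """\
dn: fqdn=testhost,dc=example,dc=test
changetype: modify
add: objectclass
objectclass: AWSInstanceDetails
"""
LDIF_WITH_SN = LDIF_NO_SN + "-\nadd: sn\nsn: myValue\n"


def parse_objectclass(desc):
    """Return (name, must, may) from an RFC 4512 objectClass description."""
    name = re.search(r"NAME\s+'([^']+)'", desc).group(1)

    def attr_set(keyword):
        # Either a parenthesised '$'-separated list or a single bare name.
        m = re.search(r"\b" + keyword + r"\s+(?:\(\s*([^)]*)\)|(\S+))", desc)
        if not m:
            return set()
        body = m.group(1) if m.group(1) is not None else m.group(2)
        return {a.strip().lower() for a in body.split("$") if a.strip()}

    return name, attr_set("MUST"), attr_set("MAY")


def apply_ldif_modify(entry, ldif):
    """Apply the 'add:' operations of an LDIF 'changetype: modify' record."""
    entry = {k.lower(): list(v) for k, v in entry.items()}   # never mutate input
    current = None
    for line in ldif.splitlines():
        line = line.strip()
        if not line or line == "-" or line.startswith(("dn:", "changetype:")):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "add":
            current = value.lower()          # attribute the next lines add to
        elif attr == current:
            entry.setdefault(attr, []).append(value)
    return entry


def missing_required(entry, schema_descs):
    """Map objectClass -> sorted MUST attributes the entry lacks (empty = OK)."""
    classes = {}
    for desc in schema_descs:
        name, must, _may = parse_objectclass(desc)
        classes[name.lower()] = (name, must)
    present = {attr for attr, values in entry.items() if values}
    missing = {}
    for oc in entry.get("objectclass", []):
        if oc.lower() not in classes:
            continue   # classes outside this toy schema (top, ipahost) are skipped
        name, must = classes[oc.lower()]
        lacking = must - present
        if lacking:
            missing[name] = sorted(lacking)
    return missing
```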


Re: [Freeipa-users] 3rd party Cert install now IPA total broken

2016-09-19 Thread Florence Blanc-Renaud

On 09/16/2016 03:06 PM, Günther J. Niederwimmer wrote:

Hello,
Freeipa 4.3.1

I have now installed a 3rd party certificate from Startcom, and now my IPA is totally
broken?
I make this

ipa-cacert-manage -p '' -n STARTCOM-ROOT -t C,, install root.crt

ipa-certupdate

ipa-server-certinstall -w -d ipa_3rd_ca.p12

I create this p12 with key.pem, cert.pem root.crt

I insert also in the cert.pem the intermediate.crt


Hi,

there were some issues with ipa-server-certinstall (see tickets #4785, 
#4786 and #6263).
In order to check your configuration, you must make sure that the NSS 
DBs for Apache and the LDAP server (/etc/httpd/alias, 
/var/lib/pki/pki-tomcat/alias, /etc/dirsrv/slapd-DOMxx) contain:
- the server certificate with flags u,u,u (= the one contained in 
ipa_3rd_ca.p12)
- the certificate of the CA which signed the server certificate, with 
flags C,, (= the one contained in root.crt)


Then you can also check if the nickname for the server cert is properly 
set in /etc/httpd/conf.d/nss.conf (in the directive NSSNickname), and in 
the LDAP entry cn=RSA,cn=encryption,cn=config (in the attribute 
nsSSLPersonalitySSL).


If this doesn't fix the issue, the logs of pki-tomcat/ca/debug may 
provide more information.


Also note that it is important to run ipa-certupdate on all the clients 
and replicas in order to install the new certificates in the NSS DBs 
*before* you run ipa-server-certinstall.


Hope this helps,
Flo.


Kerberos doesn't start anymore?
The error is
 Unspecified GSS failure.Minor (2529639068): Cannot contact any KDC for realm
'4GJN.COM'

after inserting in nss.conf
"NSSEnforceValidCerts off"

ipactl restart starts (?) but

ipactl status tells me
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-ods-exporter Service: STOPPED
ods-enforcerd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

with certutil -d /etc/httpd/alias -L I have now this
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
4GJN_CA_FILE                                                 u,u,u
ipaCert                                                      u,u,u
4GJN.COM IPA CA                                              CT,C,C
STARTCOM-ROOT                                                C,,

I can insert in nss.conf either the original
#NSSNickname "Signing-Cert"
or
NSSNickname 4GJN_CA_FILE, but all is now broken?

I also added this, found in Bugzilla
 certutil -d /var/lib/pki/pki-tomcat/alias -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
STARTCOM-ROOT                                                CT,,

this is created in the

certutil -d /etc/dirsrv/slapd-4GJN.COM -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

4GJN_CA_FILE                                                 u,u,u
4GJN.COM IPA CA                                              CT,C,C
STARTCOM-ROOT                                                C,,

Can anyone help a little, please ;-)

The bad problem: I tested this on my master server with DNS / DNSSEC, and I can't
do a new install (DNSSEC keys)
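An added example (not from the thread, not FreeIPA code) that turns the two conditions in the reply above into a check a practitioner can run over `certutil -d <db> -L` output: the server certificate must carry u,u,u and the CA that signed it must carry C in the SSL column. The listing is constructed from the /etc/httpd/alias output posted in the thread; the helper names and the choice of 4GJN_CA_FILE as the server-certificate nickname (the one the poster put in NSSNickname) are mine.

```python
"""Verify NSS trust flags from 'certutil -L' output against the reply's two conditions."""
import re

# Constructed listing, modelled on the /etc/httpd/alias output in the thread.
CERTUTIL_HTTPD = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
4GJN_CA_FILE                                                 u,u,u
ipaCert                                                      u,u,u
4GJN.COM IPA CA                                              CT,C,C
STARTCOM-ROOT                                                C,,
"""

# A trust column is three comma-separated groups of NSS flag letters
# (SSL, S/MIME, JAR/XPI); each group may be empty, as in "C,,".
_ROW = re.compile(r"^(?P<nick>\S.*?)\s+(?P<flags>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")


def parse_certutil_list(text):
    """Map nickname -> (ssl_flags, smime_flags, jar_flags) from certutil -L output."""
    certs = {}
    for line in text.splitlines():
        m = _ROW.match(line.rstrip())
        if m:  # header lines carry no comma-separated flag triple and are skipped
            certs[m.group("nick").strip()] = tuple(m.group("flags").split(","))
    return certs


def check_nss_db(certs, server_nick, ca_nick):
    """Return the problems found against the reply's two conditions.

    - the server certificate (the one in the PKCS#12 file) must be u,u,u
    - the CA that signed it must carry C in the SSL column (C,, or CT,C,C)
    """
    problems = []
    srv = certs.get(server_nick)
    if srv is None:
        problems.append("server certificate %r is not in the database" % server_nick)
    elif srv != ("u", "u", "u"):
        problems.append("server certificate %r has trust %s, expected u,u,u"
                        % (server_nick, ",".join(srv)))
    ca = certs.get(ca_nick)
    if ca is None:
        problems.append("CA certificate %r is not in the database" % ca_nick)
    elif "C" not in ca[0]:
        problems.append("CA certificate %r lacks the C flag in the SSL column (%s)"
                        % (ca_nick, ",".join(ca)))
    return problems


if __name__ == "__main__":
    certs = parse_certutil_list(CERTUTIL_HTTPD)
    for nick, flags in certs.items():
        print("%-20s %s" % (nick, ",".join(flags)))
    # On a live host: certutil -d /etc/httpd/alias -L | python3 this_script.py
    print(check_nss_db(certs, "4GJN_CA_FILE", "STARTCOM-ROOT") or "httpd DB: OK")
```

On the listing as posted both conditions already hold, which is consistent with the reply pointing next at the NSSNickname directive, the nsSSLPersonalitySSL attribute and the pki-tomcat debug log rather than at the trust flags. Note that the reply asks for the CA that directly signed the server certificate; the poster concatenated an intermediate into cert.pem, and no intermediate appears under its own nickname in the listings.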





Re: [Freeipa-users] how to revert ipa-adtrust-install...

2016-09-19 Thread lejeczek

thanks a lot!

On 19/09/16 08:49, Martin Babinsky wrote:

ipaConfigString: enabledService




Re: [Freeipa-users] HBAC doesn't work issues

2016-09-19 Thread Lukas Slebodnik
On (19/09/16 16:43), Lachlan Musicman wrote:
>I must have made an error again:
>
>- ipa hbactest gives seemingly correct answer on both server and client
>- user can't actually use sudo on client?
>
>Centos 7, freeipa 4.2.0/2.156; sssd 1.14.1 from COPR
>
>From the server:
>
>[root@vmdv-linuxidm1 ~]# ipa hbactest --user=lsimp...@petermac.org.au
>--host=vmts-linuxclient1.unixdev.petermac.org.au --service=sudo
>
>Access granted: True
>
>  Matched rules: Cluster Admin Users (sudo)
>  Not matched rules: Cluster Users
>[root@vmdv-linuxidm1 ~]#
>
>
>From the host in question:
>
>[root@vmts-linuxclient1 ~]# ipa hbactest --user lsimp...@petermac.org.au
>--host `hostname` --service sudo
>
>Access granted: True
>
>  Matched rules: Cluster Admin Users (sudo)
>  Not matched rules: Cluster Users
>[root@vmts-linuxclient1 ~]#
>
>
>[lsimp...@petermac.org.au@vmts-linuxclient1 ~]$ sudo reboot
>[sudo] password for lsimp...@petermac.org.au:
>lsimp...@petermac.org.au is not allowed to run sudo on vmts-linuxclient1.
>This incident will be reported.
>
Did you configure sudo rules for such user?
What is an output of "sudo -l"

LS



Re: [Freeipa-users] In webgui, ID Views slow, to crashingly slow

2016-09-19 Thread Martin Babinsky

On 09/19/2016 03:12 AM, Lachlan Musicman wrote:

Hi

Sometimes when I visit the ID Views page in the webgui, it is crushingly
slow, and often it times out.

Centos 7, ipa --version
VERSION: 4.2.0, API_VERSION: 2.156

Is there a reason, can I do something to fix this?

cheers
L.
--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper




What kind of ID Views do you use? Do you use them to  override AD users? 
Is there any useful info in '/var/log/httpd/error_log'?


--
Martin^3 Babinsky



Re: [Freeipa-users] how to revert ipa-adtrust-install...

2016-09-19 Thread Martin Babinsky

On 09/19/2016 09:49 AM, Martin Babinsky wrote:

On 09/17/2016 12:43 PM, lejeczek wrote:



On 15/09/16 22:37, Rob Crittenden wrote:

What do you mean control? If you don't want ipactl to manage the smb
service, look for an entry in
cn=masters,cn=ipa,cn=etc,dc=example,dc=com and delete it if you find it.

rob

all I find there is:

objectClass: nsContainer
objectClass: top
cn: masters



You must perform subtree search and search for the entry named
'cn=ADTRUST', like so:

"""
ldapsearch -Y GSSAPI -b 'cn=masters,cn=ipa,cn=etc,dc=ipa,dc=test'
'(cn=ADTRUST)'
SASL/GSSAPI authentication started
SASL username: ad...@ipa.test
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base 

Re: [Freeipa-users] ipa trust-add using password

2016-09-19 Thread Troels Hansen

> If you add 'log level = 50' to /usr/share/ipa/smb.conf.empty, then
> /var/log/httpd/error_log will contain detailed debug information from
> IPA attempts to talk to AD DCs.
> 
> --
> / Alexander Bokovoy


Hi Alexander

I added the log level, and had the domain admin try to create the trust, and 
today it just worked, soo...   not any further on finding out what went wrong 
last week, but the trust got created so not going to spent more time on this.

Anyway, thanks for the help. I have made a mental note on debugging IPA-AD 
trust creation.



[Freeipa-users] HBAC doesn't work issues

2016-09-19 Thread Lachlan Musicman
I must have made an error again:

- ipa hbactest gives seemingly correct answer on both server and client
- user can't actually use sudo on client?

Centos 7, freeipa 4.2.0/2.156; sssd 1.14.1 from COPR

From the server:

[root@vmdv-linuxidm1 ~]# ipa hbactest --user=lsimp...@petermac.org.au
--host=vmts-linuxclient1.unixdev.petermac.org.au --service=sudo

Access granted: True

  Matched rules: Cluster Admin Users (sudo)
  Not matched rules: Cluster Users
[root@vmdv-linuxidm1 ~]#


From the host in question:

[root@vmts-linuxclient1 ~]# ipa hbactest --user lsimp...@petermac.org.au
--host `hostname` --service sudo

Access granted: True

  Matched rules: Cluster Admin Users (sudo)
  Not matched rules: Cluster Users
[root@vmts-linuxclient1 ~]#


[lsimp...@petermac.org.au@vmts-linuxclient1 ~]$ sudo reboot
[sudo] password for lsimp...@petermac.org.au:
lsimp...@petermac.org.au is not allowed to run sudo on vmts-linuxclient1.
This incident will be reported.


On the client, in the sssd_sudo.log I can see (debug_level=6) a number of
lines, most notably three that start "Searching sysdb with" and then follow
with all my ipa and AD groups - both groups that would give me HBAC sudo
are listed in those log entries.

What should I try next?

cheers
L.



--
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper
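An added example (not from the thread and not SSSD's code) for this post and for Lukas's reply asking about sudo rules and `sudo -l`: it models the two separate decisions that both have to pass. `ipa hbactest` only evaluates HBAC rules, i.e. whether the user may reach the PAM service `sudo` on the host; whether a command is then permitted comes from IPA sudo rules, which `sudo -l` reports. Users, hosts, groups and rules below are constructed; the HBAC rule names mirror the hbactest output above, and the sudo rule evaluator leaves out runas, options and deny commands.

```python
"""Two separate checks: HBAC (may the user use service 'sudo' here?) and sudo rules."""

USER = "alice@example.test"                      # constructed AD user
HOST = "client1.unixdev.example.test"            # constructed enrolled client

# Constructed group membership, as SSSD would resolve it (IPA and AD groups alike).
GROUPS = {USER: {"cluster-admins", "cluster-users"}}
HOSTGROUPS = {HOST: {"cluster-clients"}}

# Constructed HBAC rules shaped like the hbactest output: admins get sudo, all users get ssh.
HBAC_RULES = [
    {"name": "Cluster Admin Users (sudo)", "groups": {"cluster-admins"},
     "hostgroups": {"cluster-clients"}, "services": {"sudo", "sudo-i"}},
    {"name": "Cluster Users", "groups": {"cluster-users"},
     "hostgroups": {"cluster-clients"}, "services": {"sshd"}},
]

# Constructed sudo rule of the kind the reply asks about: cluster admins may run
# any command (cmdcategory=all) on cluster client hosts.
SUDO_RULES = [
    {"name": "cluster-admins-any-command", "groups": {"cluster-admins"},
     "hostgroups": {"cluster-clients"}, "cmdcategory": "all"},
]


def _user_match(rule, user, groups):
    """usercategory=all, a direct member user, or a member group the user belongs to."""
    return (rule.get("usercategory") == "all"
            or user in rule.get("users", set())
            or bool(groups.get(user, set()) & rule.get("groups", set())))


def _host_match(rule, host, hostgroups):
    """hostcategory=all, a direct member host, or a member hostgroup."""
    return (rule.get("hostcategory") == "all"
            or host in rule.get("hosts", set())
            or bool(hostgroups.get(host, set()) & rule.get("hostgroups", set())))


def hbac_allows(user, host, service, rules, groups=GROUPS, hostgroups=HOSTGROUPS):
    """The question 'ipa hbactest' answers: (granted, names of matched rules)."""
    matched = [
        r["name"] for r in rules
        if r.get("enabled", True)
        and _user_match(r, user, groups)
        and _host_match(r, host, hostgroups)
        and (r.get("servicecategory") == "all" or service in r.get("services", set()))
    ]
    return bool(matched), matched


def sudo_allows(user, host, command, rules, groups=GROUPS, hostgroups=HOSTGROUPS):
    """The question sudo answers from IPA sudo rules: may this command run?

    Simplified: runas, sudo options and deny commands are not modelled.
    """
    for r in rules:
        if not r.get("enabled", True):
            continue
        if not (_user_match(r, user, groups) and _host_match(r, host, hostgroups)):
            continue
        if r.get("cmdcategory") == "all" or command in r.get("allow_cmds", set()):
            return True
    return False


if __name__ == "__main__":
    granted, matched = hbac_allows(USER, HOST, "sudo", HBAC_RULES)
    print("HBAC access granted:", granted, "matched:", matched)
    # HBAC passing says nothing about sudo rules: with none defined, sudo still refuses.
    print("sudo with no sudo rules:", sudo_allows(USER, HOST, "/sbin/reboot", []))
    print("sudo with a sudo rule:  ", sudo_allows(USER, HOST, "/sbin/reboot", SUDO_RULES))
```

The first print reproduces the "Access granted: True" seen on both server and client; the second shows why that alone does not make `sudo reboot` work when no sudo rule covers the user and host, which is exactly what `sudo -l` on the client would reveal.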