Re: [Freeipa-users] IPA hostnames. Why not use `hostname -fqdn` instead of forcing `hostname` to be fully qualified?

2012-03-02 Thread Stephen Gallagher
On Fri, 2012-03-02 at 05:16 +0300, Craig T wrote:
 Hi,
 
 Server Side:
 RHEL6.2
 ipa-admintools-2.1.3-9.el6.x86_64
 ipa-client-2.1.3-9.el6.x86_64
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 ipa-python-2.1.3-9.el6.x86_64
 ipa-server-2.1.3-9.el6.x86_64
 ipa-server-selinux-2.1.3-9.el6.x86_64
 
 
 Client Side Config:
 Centos 6.2
 ipa-client-2.1.3-9.el6.x86_64
 ipa-python-2.1.3-9.el6.x86_64
 
 
 Issue:
 IPA (via sssd) requires that a hostname (as returned by the `hostname`
 command) be fully qualified.
 
 This requirement has caused us no end of grief due to ripple effects not
 related to IPA, it breaks other software we use which expects hostname
 to be not fully qualified.
 
 We don't understand why IPA & sssd require that a machine's hostname be
 fully qualified when `hostname --fqdn` can be used instead?
 
 In our case we had hostname setup to be the machine name as in:
 
 # hostname
 foo
 # dnsdomainname
 bar.com.au
 # hostname --fqdn
 foo.bar.com.au
 
 Why doesn't IPA & SSSD use the value returned by `hostname --fqdn`?
 
 Why must `hostname` itself be fully qualified when `hostname --fqdn` is
 available?

I think this requirement is only in place during ipa-client-install.
sssd.conf has an option 'ipa_hostname=foo.bar.com.au' which it will use
regardless of the value that 'hostname' returns.

Is there some other place I'm missing? If so, that's probably a bug and
should be reported as such.


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] SSSD (sssd_be) crashing on RHEL 6.2

2012-03-02 Thread Sigbjorn Lie
Hi,

I'm experiencing that SSSD is now crashing at random times on _ALL_ RHEL 6.2
machines where we have installed SSSD connected to an IPA domain. SSSD can
reach up to a month of uptime before sssd_be crashes. This happens on both
physical and virtual machines. It happens at different machines at different
times, sometimes during working hours, other times during the middle of the
night. It's never happened on several machines at the same time.

These machines do not have a GUI and the issue is similar but not directly
related to the KDE screensaver lock as per my earlier posts. Also, the KDE
screensaver issue was at RHEL 5.

What happens is a line in the syslog about sssd_be crashing.

sssd_be[1418] general protection ip:41d527 sp:7fff9e82ead0 error:0 in 
sssd_be[40+4a000]

sssd_be is then being restarted by the parent process, but is no longer usable.
Any login via ssh to these machines will just hang.

Has anyone else seen this issue?


Regards,
Siggi




Re: [Freeipa-users] SSSD (sssd_be) crashing on RHEL 6.2

2012-03-02 Thread Stephen Gallagher
On Fri, 2012-03-02 at 14:52 +0100, Sigbjorn Lie wrote:
 Hi,
 
 I'm experiencing that SSSD is now crashing at random times on _ALL_ RHEL 6.2 
 machines where we
 have installed SSSD connected to an IPA domain. SSSD can reach up to a month 
 of uptime before
 sssd_be crashes. This happens on both physical and virtual machines. It 
 happens at different
 machines at different times, sometimes during working hours, other times 
 during the middle of the
 night. It's never happened on several machines at the same time.
 
 These machines do not have a GUI and the issue is similar but not directly 
 related to the KDE
 screensaver lock as per my earlier posts. Also, the KDE screensaver issue was 
 at RHEL 5.
 
 What happens is a line in the syslog about sssd_be crashing.
 
 sssd_be[1418] general protection ip:41d527 sp:7fff9e82ead0 error:0 in 
 sssd_be[40+4a000]
 
 sssd_be is then being restarted by the parent process, but is no longer 
 usable. Any login via ssh
 to these machines will just hang.
 
 Has anyone else seen this issue?


Can you try to get us a backtrace, please? general protection isn't
enough information. Though it's interesting that it's general
protection and not segfault... That's certainly new.

Do you have abrtd running on these systems? If so, it should be able to
capture a core dump when this happens again, which you can use to
generate a backtrace for us.



Re: [Freeipa-users] SSSD (sssd_be) crashing on RHEL 6.2

2012-03-02 Thread Sigbjorn Lie

On Fri, March 2, 2012 15:04, Stephen Gallagher wrote:
 On Fri, 2012-03-02 at 14:52 +0100, Sigbjorn Lie wrote:

 Hi,


 I'm experiencing that SSSD is now crashing at random times on _ALL_ RHEL 6.2 
 machines where we
 have installed SSSD connected to an IPA domain. SSSD can reach up to a month 
 of uptime before
 sssd_be crashes. This happens on both physical and virtual machines. It 
 happens at different
 machines at different times, sometimes during working hours, other times 
 during the middle of
 the night. It's never happened on several machines at the same time.

 These machines do not have a GUI and the issue is similar but not directly 
 related to the KDE
  screensaver lock as per my earlier posts. Also, the KDE screensaver issue 
 was at RHEL 5.

 What happens is a line in the syslog about sssd_be crashing.


 sssd_be[1418] general protection ip:41d527 sp:7fff9e82ead0 error:0 in 
 sssd_be[40+4a000]

 sssd_be is then being restarted by the parent process, but is no longer 
 usable. Any login via
 ssh to these machines will just hang.

 Has anyone else seen this issue?



 Can you try to get us a backtrace, please? general protection isn't
 enough information. Though it's interesting that it's general protection 
 and not segfault...
 That's certainly new.


 Do you have abrtd running on these systems? If so, it should be able to
 capture a core dump when this happens again, which you can use to generate a 
 backtrace for us.

I certainly do have abrt, some of the dumps are quite large. I will send you
these in a private email.


Regards,
Siggi



Re: [Freeipa-users] IPA hostnames. Why not use `hostname -fqdn` instead of forcing `hostname` to be fully qualified?

2012-03-02 Thread Simo Sorce
On Fri, 2012-03-02 at 08:10 -0500, Stephen Gallagher wrote:
 On Fri, 2012-03-02 at 05:16 +0300, Craig T wrote:
  Hi,
  
  Server Side:
  RHEL6.2
  ipa-admintools-2.1.3-9.el6.x86_64
  ipa-client-2.1.3-9.el6.x86_64
  ipa-pki-ca-theme-9.0.3-7.el6.noarch
  ipa-pki-common-theme-9.0.3-7.el6.noarch
  ipa-python-2.1.3-9.el6.x86_64
  ipa-server-2.1.3-9.el6.x86_64
  ipa-server-selinux-2.1.3-9.el6.x86_64
  
  
  Client Side Config:
  Centos 6.2
  ipa-client-2.1.3-9.el6.x86_64
  ipa-python-2.1.3-9.el6.x86_64
  
  
  Issue:
  IPA (via sssd) requires that a hostname (as returned by the `hostname`
  command) be fully qualified.
  
  This requirement has caused us no end of grief due to ripple effects not
  related to IPA, it breaks other software we use which expects hostname
  to be not fully qualified.
  
  We don't understand why IPA & sssd require that a machine's hostname be
  fully qualified when `hostname --fqdn` can be used instead?
  
  In our case we had hostname setup to be the machine name as in:
  
  # hostname
  foo
  # dnsdomainname
  bar.com.au
  # hostname --fqdn
  foo.bar.com.au
  
  Why doesn't IPA & SSSD use the value returned by `hostname --fqdn`?
  
  Why must `hostname` itself be fully qualified when `hostname --fqdn` is
  available?
 
 I think this requirement is only in place during ipa-client-install.
 sssd.conf has an option 'ipa_hostname=foo.bar.com.au' which it will use
 regardless of the value that 'hostname' returns.
 
 Is there some other place I'm missing? If so, that's probably a bug and
 should be reported as such.

There are kerberized programs that expect to use gethostname() and use
that name to compose principals. If that name is not fully qualified
they will break.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] SSSD (sssd_be) crashing on RHEL 6.2

2012-03-02 Thread Stephen Gallagher
On Fri, 2012-03-02 at 15:08 +0100, Sigbjorn Lie wrote:
 On Fri, March 2, 2012 15:04, Stephen Gallagher wrote:
  On Fri, 2012-03-02 at 14:52 +0100, Sigbjorn Lie wrote:
 
  Hi,
 
 
  I'm experiencing that SSSD is now crashing at random times on _ALL_ RHEL 
  6.2 machines where we
  have installed SSSD connected to an IPA domain. SSSD can reach up to a 
  month of uptime before
  sssd_be crashes. This happens on both physical and virtual machines. It 
  happens at different
  machines at different times, sometimes during working hours, other times 
  during the middle of
  the night. It's never happened on several machines at the same time.
 
  These machines do not have a GUI and the issue is similar but not 
  directly related to the KDE
   screensaver lock as per my earlier posts. Also, the KDE screensaver issue 
  was at RHEL 5.
 
  What happens is a line in the syslog about sssd_be crashing.
 
 
  sssd_be[1418] general protection ip:41d527 sp:7fff9e82ead0 error:0 in 
  sssd_be[40+4a000]
 
  sssd_be is then being restarted by the parent process, but is no longer 
  usable. Any login via
  ssh to these machines will just hang.
 
  Has anyone else seen this issue?
 
 
 
  Can you try to get us a backtrace, please? general protection isn't
  enough information. Though it's interesting that it's general protection 
  and not segfault...
  That's certainly new.
 
 
  Do you have abrtd running on these systems? If so, it should be able to
  capture a core dump when this happens again, which you can use to generate 
  a backtrace for us.
 
 I certainly do have abrt, some of the dumps are quite large. I will send you 
 these in a private
 email.
 


Thanks, can you also let me know the exact version of SSSD that you're
running?



Re: [Freeipa-users] IPA hostnames. Why not use `hostname -fqdn` instead of forcing `hostname` to be fully qualified?

2012-03-02 Thread Ondrej Valousek



There are kerberized programs that expect to use gethostname() and use
that name to compose principals. If that name is not fully qualified
they will break.

Simo.


Normally, you should have both:

[root@ara tmp]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
 --
  19 host/ara.prague.s3group@dublin.ad.s3group.com
  19 host/a...@dublin.ad.s3group.com

right?

Ondrej



Re: [Freeipa-users] IPA hostnames. Why not use `hostname -fqdn` instead of forcing `hostname` to be fully qualified?

2012-03-02 Thread Simo Sorce
On Fri, 2012-03-02 at 15:21 +0100, Ondrej Valousek wrote:
 
  There are kerberized programs that expect to use gethostname() and use
  that name to compose principals. If that name is not fully qualified
  they will break.
  
  Simo.
  
 Normally, you should have both:
 
 [root@ara tmp]# klist -k
 Keytab name: FILE:/etc/krb5.keytab
 KVNO Principal
 
 --
   19 host/ara.prague.s3group@dublin.ad.s3group.com
   19 host/a...@dublin.ad.s3group.com
 
 right?

No, unless you can alias them in the KDC.
Our KDC can technically support aliases now, but we haven't added these
kinds of aliases yet to it. And it is a bit controversial on whether we
want to.

In a Windows domain you simply cannot have a client residing in a DNS
domain that is not the same as the domain controller. This is a pretty
hard limitation and we do not want to add it to FreeIPA.

Now why does it matter in this case?
It matters because, by forcing a single DNS domain, Windows can univocally
say a -> a.b.c given the b.c part is forced on all clients joined to
that domain.
This does not hold true for FreeIPA. You could have foo.bar.example.com
and foo.rab.example.com, i.e. 2 hosts with the same short name but in
different subdomains. If we alias both foo's and then we try to obtain a
ticket for host/foo@REALM then the KDC does not know which foo you refer
to. And if we alias only one then the second foo will simply fail to use
the shortname.

So the solution is to always use fully qualified names, which seems a
pretty decent compromise that shouldn't really cause issues in the vast
majority of cases.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] IPA hostnames. Why not use `hostname -fqdn` instead of forcing `hostname` to be fully qualified?

2012-03-02 Thread Ondrej Valousek



No, unless you can alias them in the KDC.
Our KDC can technically support aliases now, but we haven't added these
kinds of aliases yet to it. And it is a bit controversial on whether we
want to.

In a Windows domain you simply cannot have a client residing in a DNS
domain that is not the same as the domain controller. This is a pretty
hard limitation and we do not want to add it to FreeIPA.

Now why does it matter in this case?
It matters because, by forcing a single DNS domain, Windows can univocally
say a -> a.b.c given the b.c part is forced on all clients joined to
that domain.
This does not hold true for FreeIPA. You could have foo.bar.example.com
and foo.rab.example.com, i.e. 2 hosts with the same short name but in
different subdomains. If we alias both foo's and then we try to obtain a
ticket for host/foo@REALM then the KDC does not know which foo you refer
to. And if we alias only one then the second foo will simply fail to use
the shortname.

So the solution is to always use fully qualified names, which seems a
pretty decent compromise that shouldn't really cause issues in the vast
majority of cases.

Simo.


I understand now, thanks. But still I see 2 limitations in this:
1. I dare to say most people do not care that they CAN join a
foo.rab.example.com machine to the bar.example.com domain - to me, it is only
confusing. In fact, this is completely new information to me. I still believe
we should produce at least a small warning if we find that DNS domain != IPA
domain.

2. You see problems like this - nowhere is it said that your `hostname` must
be FQDN as the OS itself happily accepts both.

In either case, the ipa-client-install script should be able to detect such a
case and offer some solution at least (I have a faint feeling there is even a
BZ already opened against this).


Ondrej



Re: [Freeipa-users] IPA hostnames. Why not use `hostname -fqdn` instead of forcing `hostname` to be fully qualified?

2012-03-02 Thread Simo Sorce
On Fri, 2012-03-02 at 16:10 +0100, Ondrej Valousek wrote:
 
  No, unless you can alias them in the KDC.
  Our KDC can technically support aliases now, but we haven't added these
  kinds of aliases yet to it. And it is a bit controversial on whether we
  want to.
  
  In a Windows domain you simply cannot have a client residing in a DNS
  domain that is not the same as the domain controller. This is a pretty
  hard limitation and we do not want to add it to FreeIPA.
  
  Now why does it matter in this case?
  It matters because, by forcing a single DNS domain, Windows can univocally
  say a -> a.b.c given the b.c part is forced on all clients joined to
  that domain.
  This does not hold true for FreeIPA. You could have foo.bar.example.com
  and foo.rab.example.com, i.e. 2 hosts with the same short name but in
  different subdomains. If we alias both foo's and then we try to obtain a
  ticket for host/foo@REALM then the KDC does not know which foo you refer
  to. And if we alias only one then the second foo will simply fail to use
  the shortname.
  
  So the solution is to always use fully qualified names, which seems a
  pretty decent compromise that shouldn't really cause issues in the vast
  majority of cases.
  
  Simo.
  
 I understand now, thanks. But still I see 2 limitations in this:
 1. I dare to say most people do not care that they CAN join a
 foo.rab.example.com machine to the bar.example.com domain - to me, it
 is only confusing. In fact, this is completely new information to me.
 I still believe we should produce at least a small warning if we find
 that DNS domain != IPA domain.

Well, if it were a bet you'd have lost it :-)
We already have multiple users doing exactly that and for good reasons
as far as I can tell.

 2. You see problems like this - nowhere is it said that your
 `hostname` must be FQDN as the OS itself happily accepts both.

 In either case, the ipa-client-install script should be able to detect
 such a case and offer some solution at least (I have a faint feeling
 there is even a BZ already opened against this).

If ipa-client-install is not detecting this situation I think it is a
bug.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

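The thread makes three technical points that are easier to see side by side in code: Stephen's note that sssd.conf's `ipa_hostname` overrides whatever `hostname` returns for SSSD itself, Simo's point that kerberized programs compose `host/<gethostname()>@REALM` and therefore break on a short name, and his explanation of why short-name aliases in the KDC are ambiguous when `foo.bar.example.com` and `foo.rab.example.com` both exist. The script below is an added example written for this archive, not FreeIPA, SSSD or `ipa-client-install` code; the sssd.conf excerpt, the list of enrolled hosts, the realm `BAR.COM.AU` and the "toy KDC" alias table are all constructed for the demo, and the `preflight()` report is the kind of check Ondrej asks `ipa-client-install` to perform.

```python
"""Preflight check for the FQDN-hostname requirement discussed in this thread.

Added example; this is not FreeIPA, SSSD or ipa-client-install code. It models
three points from the thread:
  * kerberized programs compose host principals from gethostname();
  * sssd.conf's ipa_hostname overrides what `hostname` returns for SSSD,
    but not for other programs on the box;
  * a short-name alias in the KDC is ambiguous when two hosts share a short
    name in different subdomains (the foo.bar / foo.rab case).
Every hostname, realm and config value below is constructed for the demo.
"""
import configparser
import socket
from typing import Dict, List, Optional

# Constructed sssd.conf excerpt: ipa_hostname set, system hostname left short.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = bar.com.au
services = nss, pam

[domain/bar.com.au]
id_provider = ipa
ipa_hostname = foo.bar.com.au
"""

# Constructed set of enrolled hosts: two of them share the short name "foo".
ENROLLED = ["foo.bar.example.com", "foo.rab.example.com", "db1.bar.example.com"]


def compose_host_principal(hostname: str, realm: str) -> str:
    """Build host/<name>@REALM the way a gethostname()-based program does."""
    return f"host/{hostname.lower()}@{realm}"


def is_fqdn(name: str) -> bool:
    """True if the name has at least two non-empty labels (foo.bar.com.au)."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)


def sssd_ipa_hostname(sssd_conf_text: str) -> Optional[str]:
    """Return ipa_hostname from the first [domain/...] section that sets it."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    for section in cp.sections():
        if section.startswith("domain/") and cp.has_option(section, "ipa_hostname"):
            return cp.get(section, "ipa_hostname").strip()
    return None


def alias_candidates(short: str, enrolled_fqdns: List[str]) -> List[str]:
    """All enrolled FQDNs whose first label equals the short name."""
    return sorted(f for f in enrolled_fqdns
                  if f.split(".", 1)[0].lower() == short.lower())


def resolve_short_name(short: str, enrolled_fqdns: List[str]) -> str:
    """Toy KDC alias lookup: a short name must map to exactly one FQDN."""
    matches = alias_candidates(short, enrolled_fqdns)
    if not matches:
        raise LookupError(f"no enrolled host with short name {short!r}")
    if len(matches) > 1:
        raise LookupError(f"short name {short!r} is ambiguous: {matches}")
    return matches[0]


def preflight(system_hostname: str, system_fqdn: str, realm: str,
              sssd_conf_text: str = "") -> Dict[str, object]:
    """Report which principal each component would use, plus any findings."""
    override = sssd_ipa_hostname(sssd_conf_text) if sssd_conf_text else None
    sssd_name = override or system_hostname
    findings: List[str] = []
    if not is_fqdn(system_hostname):
        findings.append(
            "system hostname is short: gethostname()-based programs will ask for "
            + compose_host_principal(system_hostname, realm))
    if not is_fqdn(sssd_name):
        findings.append(
            "SSSD has no FQDN either: set ipa_hostname in sssd.conf or "
            "make the system hostname fully qualified")
    return {
        "gethostname_principal": compose_host_principal(system_hostname, realm),
        "fqdn_principal": compose_host_principal(system_fqdn, realm),
        "sssd_principal": compose_host_principal(sssd_name, realm),
        "findings": findings,
    }


if __name__ == "__main__":
    # The thread's scenario: `hostname` says foo, `hostname --fqdn` says foo.bar.com.au.
    for key, value in preflight("foo", "foo.bar.com.au", "BAR.COM.AU",
                                SAMPLE_SSSD_CONF).items():
        print(f"{key}: {value}")
    print(resolve_short_name("db1", ENROLLED))
    try:
        resolve_short_name("foo", ENROLLED)
    except LookupError as err:
        print("alias lookup failed:", err)
    # Live values for the machine this runs on.
    print("this host:", socket.gethostname(), "->", socket.getfqdn())
```

Run as a script it prints the report for the thread's `foo` / `foo.bar.com.au` case: SSSD ends up with `host/foo.bar.com.au@BAR.COM.AU` because of the override, while any program that builds its principal from `gethostname()` asks for `host/foo@BAR.COM.AU`, which is exactly the mismatch Simo describes. The `resolve_short_name("foo", ...)` call fails with the ambiguity error because two enrolled hosts share that short name, which is why the KDC cannot safely alias it.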