Re: [Freeipa-users] Recommendations on multi-domain environments
On 20.9.2013 17:36, Dmitri Pal wrote:
> On 09/18/2013 07:55 AM, Andrew Lau wrote:
>> On Wed, Sep 18, 2013 at 9:40 PM, Arturo Borrero <aborr...@cica.es> wrote:
>>> Hi there!
>>>
>>> This is my situation. I have some users of my main domain cica.es. But I also maintain a database of users of other domains, i.e. example.es. I can apply most of the FreeIPA configuration to cica.es users: access to hosts, groups, policies, roles, etc. But users of example.es are dummy users, who just have an LDAP account in order to use virtual mailboxes in Postfix/Dovecot.
>>>
>>> Does anyone have any advice on how to handle this situation?
>>>
>>> I see some options:
>>> * create a second FreeIPA server, each to handle its own domain.
>>> * get the main FreeIPA server to handle two completely different LDAP trees (with different root DNs, don't know if possible).
>>> * integrate example.es users into specific groups, prefix or something each group and user.
>>>
>>> We are talking of about 2k users in total (main domain + secondary domain). In addition, there is the possibility to have more than two domains.
>>>
>>> How does FreeIPA handle this multi-domain environment?
>>>
>>> Best regards.
>>
>> If your second domain is just for LDAP (this is a little similar to what I did). It's not as fluid as you end up limited to the two domains... Keep the FreeIPA for hosting cica.es to do your host policies etc. Then on your virtual mailboxes the two options we did were either:
>> - Change the default mail attribute in FreeIPA settings so a user would have user.n...@example.es rather than user.dom...@cica.es in their mail attribute, then have the LDAP config look up that rather than the username
>> - The other simple alternative is simply have LDAP search the username and append @example.es or not at all.
>>
>> HTH
>
> I am not sure that the answer above is 100% relevant to what has been asked. The question was: should I merge two domains or keep them separate, and if I merge the users into IPA how should I do it to be able to differentiate users from two different original sources. At least this is how I interpreted the question.
>
> I would say it depends.
> 1) Are the users in the two domains the same users? If yes then you should follow the advice above and merge.
> 2) If the users are actually different users then I would keep the two namespaces separate and not merge. If you merge you would be able to use groups and prefixes and maybe special attributes but would not be able to put users into different sub-trees. Well... you can... but the rest of IPA would not see them if you do it right or might be confused if you do it wrong.

I would add one other point: Try to be 'future-proof'. Are you 100% sure that you will never merge both sets of users? 'Never' is a long time ... (Remember that you will have to solve UID/GID/naming conflicts during the merge. It will be painful.)

What is the added value of two domains?

-- 
Petr^2 Spacek

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Elliptic curves with the CA
Hello,

by the way, this article contains very interesting thoughts about world-wide ECC deployment in the context of DNSSEC:
https://www.myicann.org/news/articles/31935/related/29167

Most of the article is focused on DNSSEC, but I would recommend you to read the second part beginning with the sentence 'It has been suggested that algorithm rollover towards elliptic curve cryptography (ECC)'.

Petr^2 Spacek

On 20.9.2013 18:09, Ade Lee wrote:
> As a partial answer to this, work has been ongoing to fully support ECC in Dogtag. Attached is a most likely out-of-date wiki page detailing ECC support in Dogtag.
> https://pki.fedoraproject.org/wiki/ECC_in_Dogtag
> If I recall correctly, we are somewhere around phase 3.
>
> Ade
>
> On Fri, 2013-09-20 at 11:48 -0400, Dmitri Pal wrote:
>> On 09/18/2013 01:53 PM, mees virk wrote:
>>> I do not have a valid support contract, or other contracts with RedHat. Doesn't that stop me from opening a proper RFE ticket? In any case, my interest was this time solely for evaluation purposes. If I were actively choosing an integrated identity management product, I might not choose FreeIPA because it takes the longevity of the product and the development stance (lack of roadmap?) into question.
>>
>> I wonder where the lack of roadmap came from?
>> http://www.freeipa.org/page/Roadmap
>>
>> So the trac system we use gives a good view of the dynamics of the project
>> https://fedorahosted.org/freeipa/roadmap
>>
>> However IMO the disconnect in expectations is that support of ECC is not exactly FreeIPA's problem (yet). It needs to be implemented by the lower levels of the stack first: NSS, Dogtag etc. We have plans for support of certs for users and we understand that RSA is becoming outdated. Your RFE would allow us to track your specific requirements and interest (and make it our problem). Right now the position is: let the underlying components grow ECC support and consume this functionality in FreeIPA when it matures.
>>
>> Filing an RFE would change these dynamics and would signal to us that there is interest in the community in the actual end-point solution, i.e. FreeIPA supporting ECC.
>>
>> Thanks!
>>
>>> RSA is slowly getting onto a slippery slope, because it really isn't about what it's worth today. When you protect something with a cryptographic algorithm you have to take into account how long certain types of data will be stored, and factor that time frame in. Increasing the key sizes will not be a solution, because several embedded devices such as VPN products, smartcards and RFID devices will start failing pretty fast after 1024-2048 bit keys. ECC was designed to solve some of these issues; it's an important development not mostly because of security today but because it will scale up better (it was designed to be better implementable in hardware), and the key sizes start from a nicer point of security vs size. So it's the feature that would future-proof the CA. At this moment there is ECC support available in some products in all the areas such as smart cards, so the products not having that option out of the box will basically start losing in the competition.
>>>
>>> I'm not trying to make a technical point here (if I made some minor error there, sorry) but a managerial one, from a product management viewpoint. ECC must be on the feature set, or the CA features will be discarded in the future by potential users. That means FreeIPA as a whole might not be selected for some projects. Plus, it doesn't really hurt having ECC in. :)
>>>
>>>> IPA uses NSS, NSS support of ECC algorithms is very fresh, we have not looked at this area yet. I suspect it would require changes in Dogtag first. Would be best if you can file an RFE ticket, then we would be able to follow up.
Re: [Freeipa-users] Odd dereference processing failed : Input/output error
On Mon, Sep 23, 2013 at 10:19:13AM +1000, craig.free...@noboost.org wrote:
> Hi,
>
> Spec: Fedora release 19
> * freeipa-client-3.3.0-2.fc19.x86_64
> * sssd-ipa-1.11.0-0.2.beta2.fc19.x86_64
>
> I've got a PC that keeps crashing

The symptoms below don't indicate a crash, do you actually see a segfault?

> Anyone see this error before?

So far I've seen this error with some old Novell eDir servers that claimed to support the dereference control in the rootDSE but didn't. I've never seen this error with IPA.

> Note: the dbus messages may be unrelated.
>
> File: /var/log/messages
> Sep 20 16:40:03 craigpc sssd[be[teratext.saic.com.au]]: dereference processing failed : Input/output error

Can you reproduce this? Can you put debug_level=6 into the domain section of your sssd.conf, restart the sssd and attach logs?

> Sep 20 17:08:06 craigpc dbus-daemon[408]: dbus[408]: [system] Rejected send message, 2 matched rules; type=method_return, sender=:1.2 (uid=70 pid=407 comm=avahi-daemon: starting up ) interface=(unset) member=(unset) error name=(unset) requested_reply=0 destination=:1.2700 (uid=365 pid=21991 comm=evince /data/download/DOC200913-20092013104309.pdf)
> Sep 20 17:08:06 craigpc dbus[408]: [system] Rejected send message, 2 matched rules; type=method_return, sender=:1.2 (uid=70 pid=407 comm=avahi-daemon: starting up ) interface=(unset) member=(unset) error name=(unset) requested_reply=0 destination=:1.2700 (uid=365 pid=21991 comm=evince /data/download/DOC200913-20092013104309.pdf)
> Sep 20 17:08:06 craigpc dbus[408]: [system] Rejected send message, 2 matched rules; type=method_return, sender=:1.2 (uid=70 pid=407 comm=avahi-daemon: starting up ) interface=(unset) member=(unset) error name=(unset) requested_reply=0 destination=:1.2700 (uid=365 pid=21991 comm=evince /data/download/DOC200913-20092013104309.pdf)
> Sep 20 17:08:06 craigpc dbus-daemon[408]: dbus[408]: [system] Rejected send message, 2 matched rules; type=method_return, sender=:1.2 (uid=70 pid=407 comm=avahi-daemon: starting up ) interface=(unset) member=(unset) error name=(unset) requested_reply=0 destination=:1.2700 (uid=365 pid=21991 comm=evince /data/download/DOC200913-20092013104309.pdf)
>
> Any chance these four above could be SELinux related?
>
> Sep 20 17:50:01 craigpc sssd[be[teratext.saic.com.au]]: dereference processing failed : Input/output error
>
> cya
> Craig
Re: [Freeipa-users] IPA, Samba and AD
Suppose we would bite the bullet and *move* IPA to another domain. This would be a subdomain (IPA.MYCOMP.EDU). I have to install 2 new IPA servers. No problems there. However, I have to migrate the data. That is a real problem, I think. For HBAC rules, SUDO rules, etc we can do this manually. However Users and DNS is quite a lot *and* we want to migrate the user passwords. For DNS we could use zone transfers. But for user passwords? Is there IPA export/import type of functionality (in RHEL64) that can provide this?

Kind regards,

Fred van Zwieten
Enterprise Open Source Services
Consultant (absent on Wednesdays)

VX Company IT Services B.V.
T (035) 539 09 50, mobile (06) 41 68 28 48
F (035) 539 09 08
E fvzwie...@vxcompany.com
I www.vxcompany.com

Seeing, contrary to popular wisdom, isn't believing. It's where belief stops, because it isn't needed any more. (Terry Pratchett)

On Sun, Sep 22, 2013 at 10:37 PM, Simo Sorce <s...@redhat.com> wrote:
> On Sun, 2013-09-22 at 18:09 +0200, Fred van Zwieten wrote:
>> Well, as explained in this thread, the problem here is that we have an IPA domain named MYCOMP.EDU _and_ an AD domain named MYCOMP.EDU as well. Both have their own DNS servers. It's beyond the scope of this mail to explain why we have named them exactly the same, and we do wish we didn't, but this is the current situation. Migrating any of these to another domain name would be the best solution but would involve quite a lot of work.
>>
>> So now we have a bunch of SAMBA services running on RHEL6.4 boxes that are IPA-clients and we would like to give the AD users access to them. How to proceed? We cannot use an IPA - AD trust, because both domains have the same name. We also cannot make the SAMBA services a member of the AD domain, because the server itself is an IPA-member and krb5.conf already points to the IPA servers for domain MYCOMP.EDU. Also /etc/resolv points to the DNS services of IPA.
>>
>> See my problem? If not, read the whole mail thread..
>
> I haven't read all the thread way back, but what you *could* do is to configure Samba in a completely independent way from the rest of the machine. Join just the samba file server to the AD domain but use net rpc join and configure samba with security = domain not security = ads, basically treat the AD domain as a legacy NT4 domain. It will allow you to use only NTLM, no kerberos.
>
> The main issue will be how to provide users to the system. If you can map the AD domain SIDs in a different ID range you could run both the normal sssd and add on top winbindd configured with idmap rid to map the AD domain SIDs in a range that does not conflict and use fully qualified names for users so you have no chance of conflict with the native IPA users.
>
> It *might* work, but you'd have to try to know and you need to fully understand the nsswitch interactions as well as winbindd configuration nuisances to pull it off. It will be a fragile setup, in any case.
>
>> It gets even more complicated. The AD MYCOMP.EDU domain has a trust with an AD OTHERCOMP.EDU and users in OTHERCOMP.EDU must access resources in MYCOMP.EDU. There is a trust between the AD domain MYCOMP.EDU and the AD domain OTHERCOMP.EDU. This works. We have some shares on a NetApp filer which is a member of the AD domain MYCOMP.EDU and people from OTHERCOMP.EDU can successfully access those shares (given correct group membership of course). Now, we would like to have people in the AD domains OTHERCOMP.EDU and MYCOMP.EDU access shares served by SAMBA services on RHEL64 machines that are IPA clients in the IPA domain MYCOMP.EDU. As all our RHEL servers are IPA clients by default we also want the servers running SAMBA to stay IPA-clients for system level central administration of users, groups, sudo policies, hbac, etc.
>>
>> Now, how to proceed: I see 2 possible solutions (besides biting the bullet and a name change of one of the MYCOMP domains):
>
> Biting the bullet will be by far the easiest I think, although *changing* here really means installing a new domain and slowly phasing off the old one.
>
>> Solution 1: Create an intermediary domain. This gives the following trust relationships: AD(OTHERCOMP.EDU) --trusts-- AD(MYCOMP.EDU) --trusts-- AD(MYCOMP-INTERMEDIARY.EDU) --trusts-- IPA(MYCOMP.EDU). I don't like this one and I am not even sure it solves my problem. Another problem involves adding two (virtual) Windows boxes to maintain this domain.
>
> We do not yet have full support for transitive trusts, so it will not work with any released bits, although we *are* getting close.
>
>> Solution 2: Make a SAMBA only domain. Make one of the SAMBA servers a PDC and one BDC. Make an NT-4 style trust to the AD domain MYCOMP.EDU. NT-4 style to have no Kerberos involvement as that is used for IPA. Also no DNS clashes as NT-4 style doesn't use DNS SRV records.
>
> I do not recall how good the old NT
Re: [Freeipa-users] migrating FreeIPA to another domain name (was: Re: IPA, Samba and AD)
On 23.9.2013 09:54, Fred van Zwieten wrote:
> Suppose we would bite the bullet and *move* IPA to another domain. This would be a subdomain (IPA.MYCOMP.EDU). I have to install 2 new IPA servers. No problems there. However, I have to migrate the data. That is a real problem, I think. For HBAC rules, SUDO rules, etc we can do this manually. However Users and DNS is quite a lot *and* we want to migrate the user passwords. For DNS we could use zone transfers

FreeIPA stores all the data in LDAP, it would be better to do this:
1) export the whole DNS sub-tree to LDIF (via ldapsearch)
2) change the LDAP DNs (add dc=ipa to the DN components)
3) import all the data back (via ldapadd)

SRV FreeIPA host records will need some manual work, but basically you just need to add the '.ipa.' component to all host names and references to them.

Don't forget to add/change delegation NS+A records in the parent DNS zone (MYCOMP.EDU).

Let us know if you need any assistance.

> But for user passwords?

Guys, could the migrate-ds script help?

> Is there IPA export/import type of functionality (in RHEL64) that can provide this?

-- 
Petr^2 Spacek
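Step 2 of Petr's export / rewrite / re-import procedure (changing the DNs, plus the '.ipa.' rename of host names that SRV and NS records refer to) is the part that is easy to get subtly wrong by hand, for example by rewriting a name twice or touching a domain that merely ends in the same labels. The script below is an added example, not a FreeIPA tool and not code from anyone in this thread. It assumes the old domain is mycomp.edu and the new one ipa.mycomp.edu (the subdomain from the thread), so the base DN changes from dc=mycomp,dc=edu to dc=ipa,dc=mycomp,dc=edu; the sample LDIF is constructed. Base64-encoded (`::`) values are copied unchanged and reported for manual review rather than decoded blindly; delegation records in the parent zone and the user/password migration are outside its scope.

```python
"""Rewrite a FreeIPA DNS sub-tree LDIF for a move from mycomp.edu to ipa.mycomp.edu.

Added example, not a FreeIPA tool: step 2 of the export / rewrite / re-import
procedure as a plain-text LDIF transform. Domain names and SAMPLE_LDIF are
constructed for the demonstration.
"""
import re
import sys

OLD_DOMAIN = "mycomp.edu"       # assumption: domain the DNS sub-tree was exported from
NEW_DOMAIN = "ipa.mycomp.edu"   # assumption: subdomain the new IPA servers will own


def domain_to_dn(domain):
    """'ipa.mycomp.edu' -> 'dc=ipa,dc=mycomp,dc=edu' (IPA derives its base DN this way)."""
    return ",".join("dc=" + label for label in domain.split("."))


OLD_BASE_DN = domain_to_dn(OLD_DOMAIN)
NEW_BASE_DN = domain_to_dn(NEW_DOMAIN)

# A DNS name ending in the old domain, leading labels captured in group 1.
# The lookbehind stops a match from starting mid-label; the lookahead accepts
# only a terminal dot, a DN separator, whitespace or end of string, so neither
# 'mycomp,dc=edu' (part of a DN) nor 'mycomp.edu.org' (another domain) matches.
_NAME_RE = re.compile(
    r"(?<![A-Za-z0-9_.-])((?:[A-Za-z0-9_-]+\.)*)"
    + re.escape(OLD_DOMAIN)
    + r"(?=\.(?![A-Za-z0-9_-])|[,\s]|$)",
    re.IGNORECASE,
)


def rewrite_names(text):
    """Insert the new sub-domain labels into every name under OLD_DOMAIN (idempotent)."""
    def repl(m):
        name = m.group(0)
        if name.lower().endswith(NEW_DOMAIN):   # already moved, leave it alone
            return name
        return m.group(1) + NEW_DOMAIN
    return _NAME_RE.sub(repl, text)


def rewrite_dn(dn):
    """Swap the base-DN suffix, then fix the idnsName RDNs that carry the zone name."""
    low = dn.lower()
    if low.endswith(OLD_BASE_DN) and not low.endswith(NEW_BASE_DN):
        dn = dn[: -len(OLD_BASE_DN)] + NEW_BASE_DN
    return rewrite_names(dn)


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def rewrite_ldif(text):
    """Return (rewritten LDIF, lines left untouched because their value is base64)."""
    out, skipped = [], []
    for line in unfold_ldif(text):
        attr, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            out.append(line)                 # blank line, comment, or not 'attr: value'
            continue
        if value.startswith(":"):            # 'attr:: base64' - report, do not guess
            skipped.append(line)
            out.append(line)
            continue
        value = value.strip()
        new_value = rewrite_dn(value) if attr.lower() == "dn" else rewrite_names(value)
        out.append(f"{attr}: {new_value}" if new_value else f"{attr}:")
    return "\n".join(out) + "\n", skipped


# Constructed sample: the zone entry, an A record and the LDAP SRV record, in the
# shape the old IPA server exports them (objectClass names are bind-dyndb-ldap's).
SAMPLE_LDIF = """\
dn: idnsname=mycomp.edu,cn=dns,dc=mycomp,dc=edu
objectClass: idnsZone
idnsName: mycomp.edu
idnsSOAmName: ipa1.mycomp.edu.
nSRecord: ipa1.mycomp.edu.

dn: idnsname=ipa1,idnsname=mycomp.edu,cn=dns,dc=mycomp,dc=edu
objectClass: idnsRecord
idnsName: ipa1
aRecord: 192.0.2.10

dn: idnsname=_ldap._tcp,idnsname=mycomp.edu,cn=dns,dc=mycomp,dc=edu
objectClass: idnsRecord
idnsName: _ldap._tcp
sRVRecord: 0 100 389 ipa1.mycomp.edu.
"""

if __name__ == "__main__":
    # Usage: rewrite.py export.ldif > new.ldif   (no argument: run on the sample)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    ldif, skipped = rewrite_ldif(source)
    sys.stdout.write(ldif)
    for line in skipped:
        sys.stderr.write("review manually (base64 value): %s\n" % line)
```

Export the sub-tree with `ldapsearch -LLL` against the old server, run the script over the file, check anything it reports on stderr, and only then feed the result to `ldapadd` on the new server. Rewriting every name that ends in the old domain is deliberately broad: SOA and NS targets, SRV targets and CNAME targets all need the '.ipa.' insertion, which is exactly the manual work Petr refers to.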
Re: [Freeipa-users] Incorrect user information
On Sat, Sep 14, 2013 at 01:11:36PM -0400, Brian Lindblom wrote:
> Of course, I would imagine that since the GECOS field is set upon account creation based on the values provided for first and last name, and since GECOS is not a provided field in the UI for user attributes, that GECOS should be updated automatically to reflect those changes. Bug perhaps?

The ticket https://fedorahosted.org/freeipa/ticket/3569 tracks addition of the WebUI GECOS field. It's been added in upstream FreeIPA and it should find its way to the next RHEL releases as well.

-- 
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat
[Freeipa-users] Changing the WebUI idiom
Hi there!

The FreeIPA WebUI in Spanish has some annoyances in how the text is shown.
http://img545.imageshack.us/img545/9016/9eur.png

We would like to switch from Spanish to standard English in the WebUI.
Could anyone please point me in the right direction about changing that?

Best regards.

-- 
Arturo Borrero González
Departamento de Seguridad Informática (n...@cica.es)
Centro Informático Científico de Andalucía (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tel.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía
Re: [Freeipa-users] Changing the WebUI idiom
On 09/23/2013 07:19 AM, Arturo Borrero wrote:
> Hi there!
>
> The FreeIPA WebUI in Spanish has some annoyances in how the text is shown.
> http://img545.imageshack.us/img545/9016/9eur.png
>
> We would like to switch from Spanish to standard English in the WebUI.
> Could anyone please point me in the right direction about changing that?

Changing the language preference in your browser should accomplish that. In Firefox open the preferences dialog and select languages under Content.

-- 
John
Re: [Freeipa-users] Recommendations on multi-domain environments
On 23/09/13 09:04, Petr Spacek wrote:
> I would add one other point: Try to be 'future-proof'. Are you 100% sure that you will never merge both sets of users? 'Never' is a long time ... (Remember that you will have to solve UID/GID/naming conflicts during the merge. It will be painful.)
>
> What is the added value of two domains?

One of the added values of two domains (two servers) is the situation when the owners of second-domain.com want to take their users db away. In that case, they just take the second-domain.com server.

Anyway, both situations (merge of users, and users take-away) are unlikely to happen.

-- 
Arturo Borrero González
Departamento de Seguridad Informática (n...@cica.es)
Centro Informático Científico de Andalucía (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tel.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía
Re: [Freeipa-users] Changing the WebUI idiom
On 09/23/2013 07:55 AM, John Dennis wrote:
> On 09/23/2013 07:19 AM, Arturo Borrero wrote:
>> Hi there!
>>
>> The FreeIPA WebUI in Spanish has some annoyances in how the text is shown.
>> http://img545.imageshack.us/img545/9016/9eur.png
>>
>> We would like to switch from Spanish to standard English in the WebUI.
>> Could anyone please point me in the right direction about changing that?
>
> Changing the language preference in your browser should accomplish that. In Firefox open the preferences dialog and select languages under Content.

Oh by the way, you could help us and file a bug on the Spanish translation so we can get the translation fixed.

-- 
John
Re: [Freeipa-users] Wildcard SSL
On 16.9.2013 01:20, Andrew Lau wrote:
> On Mon, Sep 16, 2013 at 4:23 AM, Dmitri Pal <d...@redhat.com> wrote:
>> On 09/14/2013 04:00 AM, Andrew Lau wrote:
>>> Hi,
>>>
>>> I have a reverse proxy in front of many of my hosts, each of the virtual hosts has its own SSL cert, currently with FreeIPA I'm adding hosts for each virtual host and then creating a cert. From what I've found, it doesn't seem to be possible to do a wildcard ssl through FreeIPA, I tried exporting the ca root private key to manually sign a wildcard cert with no success. I may have done that wrong.
>>>
>>> Any suggestions?
>>
>> Is this what you are looking for?
>> https://fedorahosted.org/freeipa/ticket/3475
>> It is currently on a distant roadmap but help is always welcome.
>>
>>> Thanks,
>>> Andrew
>>
>> -- 
>> Thank you,
>> Dmitri Pal
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>> ---
>> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>
> Yeah. Is there any way of manually doing that now by pulling the root ca and key out to sign a cert?

You can do it manually via Dogtag. First, import the client cert from /root/ca-agent.p12 found on your IPA server to your web browser. Then, navigate your web browser to https://ipaserver:8443/ca/ee/ca/profileSelect?profileId=caServerCert, paste the wildcard CSR in the form and submit it. Then, navigate your web browser to https://ipaserver:8443/ca/agent/ca/listRequests.html, find your request and approve it. This should give you the signed certificate.

Honza

-- 
Jan Cholasta
Re: [Freeipa-users] ipa-client auth with windomain account
On 09/20/2013 03:21 PM, Михаил А wrote:
> hi!
> TRUST OK!
> dig SRV _ldap._tcp.wiindomain --- ok win serv SRV
> dig SRV _ldap._tcp.ipadomain.wiindomain -- ok serv SRV
> dns1: ipaserver1
> dns2: winserv1
> sorry for my english

Please do not reply to me directly, reply to the list. This way people would be able to see and continue the conversation.

When I asked about DNS, I was asking about the relation between Windows DNS and IPA. AFAIU in the setup you delegate a DNS zone from AD DNS to IPA. Is that the case?

Also on the client please change the debug_level in sssd.conf to 9 or use a bitmask (see `man sssd.conf` on the client and search for debug_level), restart sssd and provide sssd logs to the list. Do not forget to sanitize them. We will be able to see what is going on in SSSD and why it does not get the user.

BTW, have you restarted SSSD after adding the trust? If so sssd might not yet know that the trust was added. We have a ticket about it. Please try restarting SSSD.

Thanks
Dmitri

> 2013/9/20 Dmitri Pal <d...@redhat.com>
>> On 09/18/2013 11:42 AM, Михаил А wrote:
>>> Hi,
>>> Do I need network access to ports from the ipa-client to the windows server for authentication with windomain accounts?
>>> ipa-server fedora19
>>> ipa-client fedora19
>>> winserver win2012
>>> the ipa-client is located in another network within the network ipa-server, ipa-client and windows-server authentication works
>>> to the ipa-client:
>>> #id windomainuser@windomain
>>> id: windomainuser@windomain: No such user
>>> please tell me what I'm doing wrong
>>
>> We need to understand more about your setup. Are you using trusts? What is your DNS configuration? Generally if you are using trusts then clients should be able to resolve the AD server and connect to it.
>>
>> -- 
>> Thank you,
>> Dmitri Pal
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>> ---
>> Looking to carve out IT costs? www.redhat.com/carveoutcosts/

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
---
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Re: [Freeipa-users] slapi-nis bypass Password Policies
Hi JR,

Thanks and I'm sorry for the delay. Your idea is good and I used something like that for another OpenLDAP implementation but in this case I need all my users to continue using their userid and password in order to log in. We use NoMachine for Remote Access and this application has problems with password expiration or password change; that is the reason why I was thinking of bypassing the password policies.

Please let me know if you need any additional information about it.

Thanks!

On 09/20/2013 04:10 PM, JR Aquino wrote:
> Is your client simply using LDAP to bind and authenticate your service?
>
> If so, you may be able to create a special dedicated sysaccount in: cn=sysaccounts,cn=etc,dc=domain,dc=com
>
> This account could be used to bind your service without having it be a member of the standard users database subjected to Password Policy expirations etc.
>
> You cannot hope to secure that which you do not first understand
> ~
> Jr Aquino | Sr. Information Security Specialist
> GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
> GCIH | GIAC Certified Incident Handler
> GWAPT | GIAC WebApp Penetration Tester
> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
> T: +1 805.690.3478
> C: +1 805.717.0365
> jr.aqu...@citrix.com
> http://www.citrixonline.com
>
> On Sep 18, 2013, at 10:00 AM, cbul...@gmail.com wrote:
>> Hi,
>>
>> We have a client server connected to the IPA server using NIS. It's working well but we have a service running at the client server that doesn't handle the password expiration properly. Is it possible to bypass the Password Policies from this client server?
>>
>> Thanks!
Re: [Freeipa-users] Timeout (?) issues
I'm pretty sure this is the root of my problem (not confirmed yet, but it's AIX -- that's always the problem):

http://www-01.ibm.com/support/docview.wss?uid=swg21212940

The takeaway is this:

The first query (184) is a normal IPV4 lookup for ldap.austin.texas.com, which returns 192.168.1.255. But then an IPV6 lookup is done for the same name. Because there is no IPV6 address for ldap.austin.texas.com, it continues searching every search domain in the resolv.conf file (example.austin.texas.com austin.texas.com texas.com) trying to find one.

On Fri, Sep 20, 2013 at 3:07 AM, Petr Spacek <pspa...@redhat.com> wrote:
> On 20.9.2013 01:24, KodaK wrote:
>> This is ridiculous, right?
>>
>> IPA server 1:
>> # for i in $(ls access*); do echo -n $i:\ ;grep err=32 $i | wc -l; done
>> access: 248478
>> access.20130916-043207: 302774
>> access.20130916-123642: 272572
>> access.20130916-201516: 294308
>> access.20130917-081053: 295060
>> access.20130917-144559: 284498
>> access.20130917-231435: 281035
>> access.20130918-091611: 291165
>> access.20130918-154945: 275792
>> access.20130919-014322: 296113
>>
>> IPA server 2:
>> access: 4313
>> access.20130909-200216: 4023
>> access.20130910-200229: 4161
>> access.20130911-200239: 4182
>> access.20130912-200249: 5069
>> access.20130913-200258: 3833
>> access.20130914-200313: 4208
>> access.20130915-200323: 4702
>> access.20130916-200332: 4532
>>
>> IPA server 3:
>> access: 802
>> access.20130910-080737: 3876
>> access.20130911-080748: 3902
>> access.20130912-080802: 3678
>> access.20130913-080810: 3765
>> access.20130914-080826: 3524
>> access.20130915-080907: 4142
>> access.20130916-080916: 4930
>> access.20130917-080926: 4769
>> access.20130918-081005: 2879
>>
>> IPA server 4:
>> access: 2812
>> access.20130910-003051: 4095
>> access.20130911-003105: 3623
>> access.20130912-003113: 3606
>> access.20130913-003125: 3581
>> access.20130914-003135: 3758
>> access.20130915-003150: 3935
>> access.20130916-003159: 4184
>> access.20130917-003210: 3859
>> access.20130918-003221: 5110
>>
>> The vast majority of the err=32 messages are DNS entries.
>
> It depends on your setup.
>
> Bind-dyndb-ldap does an LDAP search for each non-existent name to verify that the name wasn't added to LDAP in the meanwhile. If you have clients doing 1M queries for non-existing names per day, then you will see 1M LDAP queries with err=32 per day.
>
> The next major version of bind-dyndb-ldap will have a reworked internal database and it will support negative caching, so the number of err=32 should drop significantly.
>
>> Here are some samples:
>> [19/Sep/2013:18:19:51 -0500] conn=9 op=169764 SRCH base=idnsName=xxx.com,idnsname=unix.xxx.com,cn=dns,dc=unix,dc=xxx,dc=com scope=0 filter=(objectClass=idnsRecord) attrs=ALL
>> [19/Sep/2013:18:19:51 -0500] conn=9 op=169764 RESULT err=32 tag=101 nentries=0 etime=0
>
> This is interesting, because this LDAP query is equal to a DNS query for xxx.com.unix.xxx.com. Are your clients that crazy? :-)
>
>> [19/Sep/2013:18:19:51 -0500] conn=9 op=169774 SRCH base=idnsName=slpoxacl01.unix.xxx.com,idnsname=unix.xxx.com,cn=dns,dc=unix,dc=xxx,dc=com scope=0 filter=(objectClass=idnsRecord) attrs=ALL
>> [19/Sep/2013:18:19:51 -0500] conn=9 op=169774 RESULT err=32 tag=101 nentries=0 etime=0
>
> This is equivalent to a DNS query for slpoxacl01.unix.xxx.com.unix.xxx.com.
>
>> [19/Sep/2013:18:19:51 -0500] conn=9 op=169770 SRCH base=idnsName=sla400q1.unix.xxx.com,idnsname=unix.xxx.com,cn=dns,dc=unix,dc=xxx,dc=com scope=0 filter=(objectClass=idnsRecord) attrs=ALL
>> [19/Sep/2013:18:19:51 -0500] conn=9 op=169770 RESULT err=32 tag=101 nentries=0 etime=0
>
> And this is sla400q1.unix.xxx.com.unix.xxx.com.
>
>> [19/Sep/2013:18:19:51 -0500] conn=9 op=169772 SRCH base=idnsName=magellanhealth.com,idnsname=unix.magellanhealth.com,cn=dns,dc=unix,dc=magellanhealth,dc=com scope=0 filter=(objectClass=idnsRecord) attrs=ALL
>> [19/Sep/2013:18:19:51 -0500] conn=9 op=169772 RESULT err=32 tag=101 nentries=0 etime=0
>>
>> So far today there are over half a million of these.
>
> That can't be right. I would recommend you to use a network sniffer and check which clients send these crazy queries. My guess is that your resolver library (libc?) causes this.
>
> On my Linux system with glibc-2.17-14.fc19.x86_64 it behaves in this way:
> client query = nonexistent.example.com. (I used $ ping nonexistent.example.com.)
> search domain in /etc/resolv.conf = brq.redhat.com.
> DNS query #1: nonexistent.example.com. = NXDOMAIN
> DNS query #2: nonexistent.example.com.brq.redhat.com. = NXDOMAIN
> DNS query #3: nonexistent.example.com.redhat.com. = NXDOMAIN
>
>> On Thu, Sep 19, 2013 at 3:05 PM, KodaK <sako...@gmail.com> wrote:
>>> I didn't realize that DNS created one connection. I thought it was one connection spanning several days. In theory, there should be 2-4 LDAP connections
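Petr's reading of the access log can be automated before reaching for the sniffer: the idnsName RDNs of each err=32 search, read leaf-first, spell out the DNS name bind-dyndb-ldap looked up, and names like sla400q1.unix.xxx.com.unix.xxx.com are an already-qualified name with the resolver's search list appended. The script below is an added example, not part of the thread and not a FreeIPA or bind-dyndb-ldap tool. It pairs SRCH and RESULT lines by conn/op, rebuilds the DNS name from the base DN, counts noSuchObject (err=32) results per name, and flags the search-list pattern with a heuristic of my own (the owner part already ends in the zone or one of its parent domains). The log lines are constructed after the samples in the thread, with the `base="..."` quoting 389-ds actually writes, plus one non-DNS search to show it is ignored.

```python
"""Triage bind-dyndb-ldap err=32 noise in a 389-ds access log.

Added example (not from the thread, not a FreeIPA tool). It reconstructs the
DNS name behind each DNS-tree search, counts noSuchObject (err=32) results per
name and flags names that look like a resolver search list glued onto an FQDN.
"""
import re
from collections import Counter

# 389-ds writes base="..." ; the optional quotes also accept the unquoted form
# as it appears pasted in the thread.
_SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="?(.*?)"? scope=')
_RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")

# Constructed sample in the access-log format quoted in the thread.
SAMPLE_ACCESS_LOG = """\
[19/Sep/2013:18:19:51 -0500] conn=9 op=169764 SRCH base="idnsName=xxx.com,idnsname=unix.xxx.com,cn=dns,dc=unix,dc=xxx,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[19/Sep/2013:18:19:51 -0500] conn=9 op=169764 RESULT err=32 tag=101 nentries=0 etime=0
[19/Sep/2013:18:19:51 -0500] conn=9 op=169770 SRCH base="idnsName=sla400q1.unix.xxx.com,idnsname=unix.xxx.com,cn=dns,dc=unix,dc=xxx,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[19/Sep/2013:18:19:51 -0500] conn=9 op=169770 RESULT err=32 tag=101 nentries=0 etime=0
[19/Sep/2013:18:19:51 -0500] conn=9 op=169771 SRCH base="idnsName=sla400q1,idnsname=unix.xxx.com,cn=dns,dc=unix,dc=xxx,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[19/Sep/2013:18:19:51 -0500] conn=9 op=169771 RESULT err=0 tag=101 nentries=1 etime=0
[19/Sep/2013:18:19:51 -0500] conn=9 op=169774 SRCH base="idnsName=slpoxacl01.unix.xxx.com,idnsname=unix.xxx.com,cn=dns,dc=unix,dc=xxx,dc=com" scope=0 filter="(objectClass=idnsRecord)" attrs=ALL
[19/Sep/2013:18:19:51 -0500] conn=9 op=169774 RESULT err=32 tag=101 nentries=0 etime=0
[19/Sep/2013:18:19:52 -0500] conn=12 op=5 SRCH base="uid=kodak,cn=users,cn=accounts,dc=unix,dc=xxx,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[19/Sep/2013:18:19:52 -0500] conn=12 op=5 RESULT err=0 tag=101 nentries=1 etime=0
"""


def _idns_labels(base_dn):
    """idnsName RDN values, leaf first: ['xxx.com', 'unix.xxx.com']. Last one is the zone."""
    return [rdn.split("=", 1)[1] for rdn in base_dn.split(",")
            if rdn.lower().startswith("idnsname=")]


def base_dn_to_dns_name(base_dn):
    """'idnsName=xxx.com,idnsname=unix.xxx.com,cn=dns,...' -> 'xxx.com.unix.xxx.com.'"""
    return ".".join(_idns_labels(base_dn)) + "."


def parse_access_log(text):
    """Pair SRCH with RESULT by (conn, op); return (dns_name, zone, err) per DNS-tree search."""
    pending, rows = {}, []
    for line in text.splitlines():
        m = _SRCH.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = _RESULT.search(line)
        if m:
            base = pending.pop((m.group(1), m.group(2)), None)
            labels = _idns_labels(base) if base and ",cn=dns," in base.lower() else []
            if labels:
                rows.append((".".join(labels) + ".", labels[-1], int(m.group(3))))
    return rows


def nxdomain_counts(text):
    """err=32 (noSuchObject) per looked-up name: the LDAP-side view of NXDOMAIN answers."""
    return Counter(name for name, _zone, err in parse_access_log(text) if err == 32)


def is_search_list_artifact(name, zone):
    """Heuristic: the owner part already ends in the zone or in one of its parent
    domains, i.e. a resolver search-list suffix was appended to an FQDN."""
    suffix = "." + zone + "."
    if not name.endswith(suffix):
        return False
    owner = name[: -len(suffix)]
    labels = zone.split(".")
    for k in range(2, len(labels) + 1):
        parent = ".".join(labels[-k:])
        if owner == parent or owner.endswith("." + parent):
            return True
    return False


def search_list_suspects(text):
    """Names with err=32 that match the search-list pattern, most frequent first."""
    counts = Counter()
    for name, zone, err in parse_access_log(text):
        if err == 32 and is_search_list_artifact(name, zone):
            counts[name] += 1
    return [name for name, _ in counts.most_common()]


if __name__ == "__main__":
    suspects = set(search_list_suspects(SAMPLE_ACCESS_LOG))
    for name, n in nxdomain_counts(SAMPLE_ACCESS_LOG).most_common():
        flag = "  <- search-list junk?" if name in suspects else ""
        print(f"{n:8d} err=32  {name}{flag}")
```

Run over a real access log the counts point at the handful of names that dominate the half-million figure, and the flagged ones identify which resolvers (by the appended suffix) are misconfigured, which is the client population to capture with the sniffer. The heuristic only knows the zone from the DN, so a search list pointing at an unrelated domain will not be flagged; the per-name counts still surface it.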