[Freeipa-users] named's LDAP connection hangs

2014-06-16 Thread Thomas Raehalme
Hi,

We have a problem with IPA going out of service every now and then. There
seems to be two kinds of situations:

1) The connection between named and dirsrv fails. Named can resolve
external names but the domain managed by IPA does not resolve any names.
named cannot be stopped. After killing the process and restarting the issue
is resolved.

2) Sometimes the situation is more severe and also dirsrv is unresponsive.
The solution then seems to be restarting both named and dirsrv
(individually or through the 'ipa' service).

Regarding #1 the file /var/log/messages contains the following:

Jun 16 03:22:23 ipa named[7295]: received control channel command 'reload'
Jun 16 03:22:23 ipa named[7295]: loading configuration from '/etc/named.conf'
Jun 16 03:22:23 ipa named[7295]: using default UDP/IPv4 port range: [1024, 65535]
Jun 16 03:22:23 ipa named[7295]: using default UDP/IPv6 port range: [1024, 65535]
Jun 16 03:22:23 ipa named[7295]: sizing zone task pool based on 6 zones
Jun 16 03:22:23 ipa named[7295]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 16 03:22:23 ipa named[7295]: bind to LDAP server failed: Local error

The reload is triggered by logrotate. For some reason authentication fails,
and the IPA domain is no longer resolvable.

I haven't discovered a pattern in how often these problems occur. Maybe once a
week or two.

FreeIPA master running on CentOS 6.5 has been configured with the default
settings. In addition a single replica has been added.

Any ideas where I should look for the source of the problem?

Thank you in advance!

Best regards,
Thomas
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
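The excerpt above is the signature of the first failure mode: a logrotate-driven 'reload' makes named re-bind to LDAP, the Kerberos ticket it holds has already expired, and the IPA zone silently stops resolving. As an added example (not part of this thread and not bind-dyndb-ldap's own tooling), the following shell scanner detects that sequence in syslog-style lines so it can be run from cron and alerted on, instead of waiting for users to notice. The sample log lines are constructed after the thread's excerpt; the log path /var/log/messages is the one the thread names; treating BIND's "all zones loaded" / "running" messages as the end of a reload window is an assumption of this script, as is the placeholder zone name in the usage comment.

```bash
#!/bin/bash
# Added example: detect "reload followed by GSSAPI ticket-expired LDAP bind
# failure" in named's syslog output. Not code from the thread or from FreeIPA.

# Constructed sample modelled on the thread's excerpt: one healthy reload on
# Jun 15, then the failing reload on Jun 16.
sample_log() {
    cat <<'EOF'
Jun 15 03:22:10 ipa named[7295]: received control channel command 'reload'
Jun 15 03:22:10 ipa named[7295]: loading configuration from '/etc/named.conf'
Jun 15 03:22:11 ipa named[7295]: all zones loaded
Jun 16 03:22:23 ipa named[7295]: received control channel command 'reload'
Jun 16 03:22:23 ipa named[7295]: loading configuration from '/etc/named.conf'
Jun 16 03:22:23 ipa named[7295]: sizing zone task pool based on 6 zones
Jun 16 03:22:23 ipa named[7295]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)
Jun 16 03:22:23 ipa named[7295]: bind to LDAP server failed: Local error
EOF
}

# Reads log lines on stdin; prints one line per incident:
#   "<timestamp> reload-then-bind-failure <GSSAPI minor-code text>"
# A reload window opens on 'reload' and closes on the first of: a bind
# failure (reported), or BIND's "all zones loaded" / "running" messages
# (assumed here to mean the reload completed normally).
scan_named_log() {
    awk '
        /named\[[0-9]+\]: received control channel command .reload./ {
            reload_ts = $1 " " $2 " " $3; in_reload = 1; reason = ""; next
        }
        in_reload && /GSSAPI Error/ {
            # keep the parenthesised minor-code text, e.g. "Ticket expired"
            if (match($0, /\([^)]*\)$/)) reason = substr($0, RSTART + 1, RLENGTH - 2)
            next
        }
        in_reload && /bind to LDAP server failed/ {
            printf "%s reload-then-bind-failure %s\n", reload_ts,
                   (reason == "" ? "unknown" : reason)
            in_reload = 0; next
        }
        in_reload && /named\[[0-9]+\]: (all zones loaded|running)/ { in_reload = 0 }
    '
}

# Operator entry point: scan a log file (default: the path named in the
# thread) and print an OK/ALERT summary. Always returns 0 so it composes
# under "set -e"; a cron wrapper can "grep -q ^ALERT" on the output.
check_named() {
    logfile=${1:-/var/log/messages}
    incidents=$(scan_named_log < "$logfile")
    if [ -n "$incidents" ]; then
        printf 'ALERT: named failed to bind to LDAP after reload:\n%s\n' "$incidents"
    else
        printf 'OK: no reload-then-bind-failure found in %s\n' "$logfile"
    fi
    return 0
}

# Usage on a real server (not executed here):
#   check_named /var/log/messages
# If it reports ALERT, confirm the symptom from the DNS side before restarting:
#   dig +short @127.0.0.1 SOA ipa.example.test   # placeholder zone name
```

Running `sample_log | scan_named_log` reports only the Jun 16 reload, because the Jun 15 one was closed by "all zones loaded" before any bind error appeared. The scanner reads the minor-code text out of the GSSAPI line rather than hard-coding "Ticket expired", so other credential-cache problems that surface on reload are reported with their own reason.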

Re: [Freeipa-users] convert krbExtraData password to plain text

2014-06-16 Thread Sumit Bose
On Mon, Jun 16, 2014 at 12:28:09AM -0400, Dmitri Pal wrote:
 On 06/16/2014 12:20 AM, barry...@gmail.com wrote:
 dear all:
 
 Is it possible to query freeipa's account password and display it in plain
 text?
 
 or convert krbExtraData to plain text, rather than reset it.
 
 Regards
 
 barry
 
 
 
 
 
 No. IPA passwords are not reversible by design.
 In general it is a very bad security practice to make password reversible.
 Password reset is the way to go.

Additionally, krbExtraData does not contain the password, only data needed
by the KDC that does not have a specific LDAP attribute. IIRC the data
in krbExtraData is mostly ASN.1 coded.

bye,
Sumit

 
 -- 
 Thank you,
 Dmitri Pal
 
 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.
 




Re: [Freeipa-users] named's LDAP connection hangs

2014-06-16 Thread Petr Spacek

On 16.6.2014 09:41, Thomas Raehalme wrote:

Hi,

We have a problem with IPA going out of service every now and then. There
seems to be two kinds of situations:

1) The connection between named and dirsrv fails. Named can resolve
external names but the domain managed by IPA does not resolve any names.
named cannot be stopped. After killing the process and restarting the issue
is resolved.

2) Sometimes the situation is more severe and also dirsrv is unresponsive.
The solution then seems to be restarting both named and dirsrv
(individually or through the 'ipa' service).

Regarding #1 the file /var/log/messages contains the following:

Jun 16 03:22:23 ipa named[7295]: received control channel command 'reload'
Jun 16 03:22:23 ipa named[7295]: loading configuration from '/etc/named.conf'
Jun 16 03:22:23 ipa named[7295]: using default UDP/IPv4 port range: [1024, 65535]
Jun 16 03:22:23 ipa named[7295]: using default UDP/IPv6 port range: [1024, 65535]
Jun 16 03:22:23 ipa named[7295]: sizing zone task pool based on 6 zones
Jun 16 03:22:23 ipa named[7295]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Jun 16 03:22:23 ipa named[7295]: bind to LDAP server failed: Local error

The reload is triggered by logrotate. For some reason authentication fails,
and the IPA domain is no longer resolvable.

I haven't discovered a pattern in how often these problems occur. Maybe once a
week or two.

FreeIPA master running on CentOS 6.5 has been configured with the default
settings. In addition a single replica has been added.

Any ideas where I should look for the source of the problem?


I have heard about this problem but nobody managed to reproduce the problem.

Please:
- configure the KRB5_TRACE variable as described on
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a1.Gathersymptoms
- restart named
- send me logs when it happens again.

Thank you!

--
Petr^2 Spacek



Re: [Freeipa-users] convert krbExtraData password to plain text

2014-06-16 Thread Simo Sorce
On Mon, 2014-06-16 at 12:20 +0800, barry...@gmail.com wrote:
 dear all:
 
 Is it possible to query freeipa's account password and display it in plain
 text?
 
 or convert krbExtraData to plain text, rather than reset it.

FWIW, krbExtraData does not contain passwords.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] External collaboration edits

2014-06-16 Thread Nordgren, Bryce L -FS
[...talking about views...]

 It's not only about AD, but the use-case and examples in the design page
 currently all refer to AD. The key is to find a unique reference to the
 upstream object, which in the AD case is obviously the SID. In a previous
 version of the page there were a bit more details on how the original/upstream
 objects can be referenced, e.g. it can be a fully qualified name or Kerberos
 principal.

Can views handle the case when there is no upstream object? Or when the 
upstream attribute store is not published as a searchable database (which is 
almost no upstream object)? I'd very much like to see these as explicit use 
cases for views.

Case one would represent vanilla Kerberos trusts, or the quite likely scenario 
where an external collaboration domain is separated from corporate AD by a 
firewall. (e.g., institutional AD can provide authentication via trust for 
users on the corporate network, but not attributes).

Case two would represent authentication sources such as SAML. Views would need 
to be the mechanism by which the gateway caches attributes in FreeIPA (after 
inspecting SAML assertions).

Finally, one functional requirement for views may be that the view needs to 
support a many-to-one authentication method to identity attributes mapping. 
For instance, an employee sitting at their desk may log into their server in 
the collaboration network via SSO (hence, their AD account). Soon this same 
user may also walk over to the console on the collaboration network and need to 
use some other Ipsilon-gateway-enabled credentials. These two credentials may 
need to be mapped to a single user identity. This may not be functionality 
which needs to be implemented first, but it does perhaps suggest that 
krbPrincipal may not always be single valued. This may be something which 
deserves an honorable mention on the RFE page as it impacts the assumptions 
coders can make.

Thanks,
Bryce







[Freeipa-users] Problem finding new users via command line

2014-06-16 Thread John Moyer
Hello All,

I'm having a problem querying new users.   

I can create the user from the webpage no problem, and I can see
them afterwards via the webpage.  I can then see those users via ipa
user-find, as well as a LOCAL ldapsearch, even remotely from Apache
Directory Studio.  However, if I go to another Linux box and do an
ldapsearch, the new user (only the new user) is not seen in the search.
Users created before today work great.   Now I did change stuff: I did a
yum upgrade last weekend, and this was not a problem before I did this.
Any help or guidance to make a remote ldapsearch work on new users would
be greatly appreciated!


Thanks,

John Moyer


Re: [Freeipa-users] named's LDAP connection hangs

2014-06-16 Thread Thomas Raehalme
Hi!

Thanks for the instructions. I have configured KRB5_TRACE as described. I
will send logs as soon as we encounter the problem again. Could take a week
or two though.

Thank you for your help!

Best regards,
Thomas


On Mon, Jun 16, 2014 at 1:54 PM, Petr Spacek pspa...@redhat.com wrote:

 On 16.6.2014 09:41, Thomas Raehalme wrote:

 Hi,

 We have a problem with IPA going out of service every now and then. There
 seems to be two kinds of situations:

 1) The connection between named and dirsrv fails. Named can resolve
 external names but the domain managed by IPA does not resolve any names.
 named cannot be stopped. After killing the process and restarting the
 issue
 is resolved.

 2) Sometimes the situation is more severe and also dirsrv is unresponsive.
 The solution then seems to be restarting both named and dirsrv
 (individually or through the 'ipa' service).

 Regarding #1 the file /var/log/messages contains the following:

 Jun 16 03:22:23 ipa named[7295]: received control channel command 'reload'
 Jun 16 03:22:23 ipa named[7295]: loading configuration from '/etc/named.conf'
 Jun 16 03:22:23 ipa named[7295]: using default UDP/IPv4 port range: [1024, 65535]
 Jun 16 03:22:23 ipa named[7295]: using default UDP/IPv6 port range: [1024, 65535]
 Jun 16 03:22:23 ipa named[7295]: sizing zone task pool based on 6 zones
 Jun 16 03:22:23 ipa named[7295]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
 Jun 16 03:22:23 ipa named[7295]: bind to LDAP server failed: Local error

 The reload is triggered by logrotate. For some reason authentication
 fails,
 and the IPA domain is no longer resolvable.

 I haven't discovered a pattern in how often these problems occur. Maybe once
 a week or two.

 FreeIPA master running on CentOS 6.5 has been configured with the default
 settings. In addition a single replica has been added.

 Any ideas where I should look for the source of the problem?


 I have heard about this problem but nobody managed to reproduce the
 problem.

 Please:
 - configure the KRB5_TRACE variable as described on
 https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/NamedCannotStart#a1.Gathersymptoms
 - restart named
 - send me logs when it happens again.

 Thank you!

 --
 Petr^2 Spacek





-- 
*Thomas Raehalme*
*CTO, Technology Director*
Mobile +358 40 545 0605

*Codecenter Oy*
Väinönkatu 26 A, 4th Floor
40100 JYVÄSKYLÄ, Finland
Tel. +358 10 322 0040
www.codecenter.fi

*Codecenter - Information systems, understandably*

Re: [Freeipa-users] Problem finding new users via command line

2014-06-16 Thread Dmitri Pal

On 06/16/2014 04:20 PM, John Moyer wrote:

Hello All,

I'm having a problem querying new users.

I can create the user from the webpage no problem, and I can see 
them afterwards via the webpage.  I can then see those users via ipa 
user-find, as well as a LOCAL ldapsearch, even remotely from Apache 
Directory Studio.  However, if I go to another Linux box and do an 
ldapsearch, the new user (only the new user) is not seen in the 
search.   Users created before today work great. Now I did change 
stuff: I did a yum upgrade last weekend, and this was not a problem 
before I did this.   Any help or guidance to make a remote ldapsearch 
work on new users would be greatly appreciated!


We really need more than that to help.
Please give more details about the client and versions you use.

Maybe you have different replicas, the communication between them is 
broken, and the client accesses the other replica?





Thanks,

John Moyer






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] Problem finding new users via command line

2014-06-16 Thread Rob Crittenden
John Moyer wrote:
 Hello All,
 
 I'm having a problem querying new users.   
 
 I can create the user from the webpage no problem, and I can see
 them afterwards via the webpage.  I can then see those users via ipa
 user-find, as well as a LOCAL ldapsearch, even remotely from Apache
 Directory Studio.  However, if I go to another Linux box and do an
 ldapsearch, the new user (only the new user) is not seen in the search.
 Users created before today work great.   Now I did change stuff: I did a
 yum upgrade last weekend, and this was not a problem before I did this.
 Any help or guidance to make a remote ldapsearch work on new users would
 be greatly appreciated!

What command-line are you using? What rpm version is [free]ipa-python?
Do you have multiple masters or is this a single IPA server?

rob
