[Freeipa-users] LDAPSearch - Email Address
Hi All,

Hopefully this is quite a simple oversight and that someone might be able to steer me in the correct direction. I've set up a postfix server and I'm trying to do an ldap lookup on the relay_recipient_maps to my FreeIPA server 4.1.3 to query the attribute mail or email to find the user's email address. The problem is when I do an ldapsearch and try to search for the attribute mail or email it doesn't exist. If I add an email address to another attribute like the title, as you can see below, and do an ldap lookup from postfix on the attribute title it all works fine, and yes, the email address attribute is set in FreeIPA under the user. Any ideas?

Output from the ldapsearch:

```
# mark, users, accounts, example.com
dn: uid=mark,cn=users,cn=accounts,dc=example,dc=com
title: m...@example.com
gidNumber: 44121
uidNumber: 44121
sn: Grinceri
givenName: Mark
uid: mark
homeDirectory: /home/mark
gecos: Mark Grinceri
initials: MG
manager: uid=admin,cn=users,cn=accounts,dc=example,dc=com
loginShell: /bin/bash
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipauserauthtypeclass
objectClass: ipauser
cn: Mark Grinceri
displayName: Mark Grinceri
```

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] passwords
On 05/23/2015 10:21 PM, Janelle wrote:
> I have a question regarding passwords. It seems IPA does a very nice job of generating random passwords. Thanks! Is there a way to use that feature without actually setting it on a user? Something akin to pwgen?
>
> Thank you
> ~Janelle

There is no explicit script to do that; there was no demand or value so far. You would need to call that functionality yourself in a Python script. This works for me with FreeIPA 4.1, for example:

```
# python -c 'from ipalib import api; api.bootstrap(); api.finalize(); from ipalib.plugins.user import user_pwdchars; from ipapython.ipautil import ipa_generate_password; print ipa_generate_password(user_pwdchars)'
dIbhUAM3puoA
```

If you have a vision/idea why/how/when FreeIPA could be used as a password generator, please feel free to file an RFE (and send patches :-)

Martin
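For readers who want the pwgen-style behaviour asked about above without pulling in the FreeIPA API, here is an added example (not FreeIPA's ipa_generate_password and not code from the thread) that draws a password from the OS CSPRNG with Python's secrets module and reports its entropy. The alphabet PWD_CHARS is an assumption chosen to resemble the letters-and-digits output shown in the reply; it is not FreeIPA's user_pwdchars.

```python
# Added example: a standalone password generator in the spirit of pwgen.
# Not FreeIPA's code; PWD_CHARS is an assumed alphabet, not user_pwdchars.
import math
import secrets
import string

# Assumed alphabet: ASCII letters and digits (62 symbols).
PWD_CHARS = string.ascii_letters + string.digits


def generate_password(length: int = 12, alphabet: str = PWD_CHARS) -> str:
    """Return `length` characters chosen uniformly from `alphabet` using the
    OS CSPRNG (secrets.choice), never the seedable random module."""
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(length: int, alphabet: str = PWD_CHARS) -> float:
    """Entropy of a uniformly drawn password: length * log2(distinct symbols).
    With 62 symbols a 12-character password carries about 71.4 bits."""
    return length * math.log2(len(set(alphabet)))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({password_entropy_bits(len(pw)):.1f} bits)")
```

The entropy figure is the number to compare against a password policy: twelve characters from this alphabet are roughly 71 bits, well above what an online guessing attack against the KDC can reach, but a six-character password from the same alphabet is under 36 bits.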
Re: [Freeipa-users] Freeipa Replicate hung
On 05/25/2015 12:45 AM, Bill Graboyes wrote:
> Hi List,
>
> I have been digging around on this system that hung for the past hour or two trying to figure out why dirserv seemed to be hung. It was not using resources, nor was there any information in any of the log files (dirserv, sssd, etc.), it was just stopped. I was unable to run ipactl and get any response. The server would not even reboot cleanly (I had to power it off). Of note, there didn't seem to be any problems with systems accessing via sssd, but for systems that were accessing via direct ldap connections, the connection would just hang.
>
> OS and Version information:
> CentOS Linux release 7.1.1503 (Core)
> ipa-server-4.1.0-18.el7.centos.3.x86_64

Hello,

I would suggest starting with providing the information asked for in the 389 DS FAQ:
http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#debugging-hangs

Martin
Re: [Freeipa-users] ipa-backup and ipa-restore
On 05/23/2015 01:51 PM, Bob Hinton wrote:

Hello,

I've been trying to rebuild an ipamaster by using ipa-backup, destroying and recreating the ipamaster VM, then using ipa-restore on the rebuilt master. Most functions of the newly built master work. Logging in via ssh with keys works, but using passwords produces "Permission denied, please try again." Password attempts are logged with Authentication Failure in /var/log/secure:

```
May 23 12:17:10 ipa004 sshd[6374]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
May 23 12:17:10 ipa004 sshd[6374]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
May 23 12:17:10 ipa004 sshd[6374]: pam_sss(sshd:auth): received for user auser: 7 (Authentication failure)
May 23 12:17:17 ipa004 sshd[6374]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
May 23 12:17:17 ipa004 sshd[6374]: pam_sss(sshd:auth): received for user auser: 7 (Authentication failure)
May 23 12:17:20 ipa004 sshd[6374]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=auser
May 23 12:17:32 ipa004 sshd[6382]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=adminuser
May 23 12:17:33 ipa004 sshd[6382]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=adminuser
May 23 12:17:33 ipa004 sshd[6382]: pam_sss(sshd:auth): received for user adminuser: 7 (Authentication failure)
May 23 12:17:38 ipa004 sshd[6382]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.50.1 user=adminuser
May 23 12:17:38 ipa004 sshd[6382]: pam_sss(sshd:auth): received for user adminuser: 7 (Authentication failure)
```

I have two test users, adminuser and auser.

I've tried various things with auser involving kadmin.local to attempt to change the kerberos password, and ipa user-mod auser --principal-expiration=2012-01-01Z to try and force the user keytab to be invalid in the hope that it would be recreated, but this hasn't had any impact apart from slightly different errors in /var/log/krb5kdc.log (see below). I've also tried replacing the keytab by using ipa-getkeytab -p host/ipa004.test.jackland...@test.jackland.uk -k temp.keytab -s localhost to create a new one and then copying it over /etc/krb5.keytab, but this also didn't have any impact.

Can anyone tell me what I need to do to make ssh password authentication work on a newly created ipamaster with ipa populated via ipa-restore? The VM is RHEL7.1 with the following versions of ipa-server and ipa-client installed.

Many thanks
Bob

```
Name        : ipa-server
Arch        : x86_64
Version     : 4.1.0
Release     : 18.el7_1.3
Size        : 4.2 M
Repo        : installed
From repo   : rhel-7-server-rpms
Summary     : The IPA authentication server
URL         : http://www.freeipa.org/
Licence     : GPLv3+
Description : IPA is an integrated solution to provide centrally managed Identity (machine,
            : user, virtual machines, groups, authentication credentials), Policy
            : (configuration settings, access control information) and Audit (events,
            : logs, analysis thereof). If you are installing an IPA server you need
            : to install this package (in other words, most people should NOT install
            : this package).

Name        : ipa-client
Arch        : x86_64
Version     : 4.1.0
Release     : 18.el7_1.3
Size        : 440 k
Repo        : installed
From repo   : rhel-7-server-rpms
Summary     : IPA authentication for use on clients
URL         : http://www.freeipa.org/
Licence     : GPLv3+
Description : IPA is an integrated solution to provide centrally managed Identity (machine,
            : user, virtual machines, groups, authentication credentials), Policy
            : (configuration settings, access control information) and Audit (events,
            : logs, analysis thereof). If your network uses IPA for authentication,
            : this package should be installed on every client machine.
```

```
May 23 12:09:20 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: error decoding FAST: unknown client for unknown server, Decrypt integrity check failed while handling ap-request armor
May 23 12:09:20 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.16.128.159: NEEDED_PREAUTH: host/ipa004.test.jackland...@test.jackland.uk for krbtgt/test.jackland...@test.jackland.uk, Additional pre-authentication required
May 23 12:10:19 ipa004.test.jackland.uk krb5kdc[2724](info): closing down fd 11
May 23 12:10:19
```
[Freeipa-users] SSH GSSAPI + FreeIPA with Windows 2008 Trust
Hi All,

We have set up a FreeIPA 4.1 (CentOS 7) trust with Windows 2008R2. All (HBAC, SUDO) works pretty well except SSH SSO using GSSAPI from Windows AD clients (e.g. putty) to Linux client machines (CentOS 6). Password authentication works, just gssapi fails. Actually, there is one scenario where SSH GSSAPI authentication works: when connecting to the FreeIPA master or replica (the trust was established here), but not to FreeIPA host clients.

Important sections of configuration files (servers/clients):

/etc/ssh/sshd_config:
```
GSSAPIAuthentication yes
KerberosAuthentication yes
```

/etc/krb5.conf:
```
auth_to_local = RULE:[1:$1@$0](^.*@WINDOWS.DOMAIN$)s/@WINDOWS.DOMAIN/@windows.domain/
auth_to_local = DEFAULT
```

BTW, after I log in by password to a linux client machine I can use gssapi within the same host by ssh-ing in a loop to localhost, so locally GSSAPI works here.

Is there something I missed? Any help would be greatly appreciated.

/lm
[Freeipa-users] Web interface session timeout
Hi All,

Is there any way we can change the web interface session timeout? I am using form based auth.

/lm
Re: [Freeipa-users] ipa-backup and ipa-restore
Good, thanks for the confirmation. I filed a Bugzilla to add this information to the IPA guide:
https://bugzilla.redhat.com/show_bug.cgi?id=1224682

Please feel free to add any useful information you would like to see in the guide to the Bugzilla comment.

Thank you,
Martin

On 05/25/2015 11:00 AM, Bob Hinton wrote:
> Hi Martin,
>
> Yes. This fixes the problem on a newly recreated ipamaster - it didn't work on the one I'd been playing around with. So the complete rebuild sequence was...
>
> 1) On old ipamaster VM ipa004 (did this on 22/05/2015)
>    login as an admin user with sudo to root access
>    sudo -i
>    ipa-backup
>    tar cvfPz ipa004_backups_22052015.tgz /var/lib/ipa/backup
>    scp ipa004_backups_22052015.tgz to a backup system, destroy old ipamaster VM
>
> 2) Recreate ipamaster VM (identical configuration to original)
>    From backup system - scp ipa004_backups_22052015.tgz admin@ipa004:
>    ssh admin@ipa004
>    su (enter root password - no users with sudo access exist yet)
>    tar xvfPz ipa004_backups_22052015.tgz
>    ipa-restore ipa-full-2015-05-22-17-28-01
>    systemctl stop sssd
>    rm -f /var/lib/sss/db/*
>    systemctl start sssd
>
> Many thanks
> Bob
>
> On 25/05/2015 07:10, Martin Kosek wrote:
>> On 05/23/2015 01:51 PM, Bob Hinton wrote:
>>> Hello,
>>>
>>> I've been trying to rebuild an ipamaster by using ipa-backup, destroying and recreating the ipamaster VM then using ipa-restore on the rebuilt master. Most functions of the newly built master work. Logging in via ssh with keys works but using passwords produces "Permission denied, please try again."
Re: [Freeipa-users] SSH GSSAPI + FreeIPA with Windows 2008 Trust
On Mon, 25 May 2015, crony wrote:
> Hi All,
> we have set up FreeIPA 4.1 (Centos 7) Trust with Windows 2008R2. All (HBAC, SUDO) works pretty well except SSH SSO using GSSAPI from Windows AD clients (e.g. putty) to Linux client machines (Centos 6). Password authentication works, just gssapi fails.

Do you have anything in the SSH server logs when using a high enough debug level? SSH GSSAPI (single sign-on) should just work fine. On the contrary, delegation or forwarding of credentials (i.e. the Kerberos TGT from the AD side being available after login to the SSH server) should not work unless the ok-as-delegate flag is set on the host principal -- see 'ipa host-mod --ok-as-delegate=TRUE'.

So what exactly is not working:

1. Logging in without entering a password from an AD-joined Windows station with PuTTY?
2. Logging in without the password works but no Kerberos ticket is available in the shell?
3. Logging in always requires a password and then the Kerberos ticket is not available in the shell?
4. Something else?

> Actually, there is one scenario where SSH GSSAPI authentication works - when connecting to FreeIPA master or replica (trust were established here), but not to FreeIPA host clients.
>
> Important sections of configuration files (servers/clients):
>
> /etc/ssh/sshd_config:
> GSSAPIAuthentication yes
> KerberosAuthentication yes

Remove 'KerberosAuthentication yes', you don't want it to be used, only GSSAPI.

> /etc/krb5.conf:
> auth_to_local = RULE:[1:$1@$0](^.*@WINDOWS.DOMAIN$)s/@WINDOWS.DOMAIN/@windows.domain/
> auth_to_local = DEFAULT

You don't need to specify auth_to_local rules in krb5.conf in RHEL 7.1 because we now have this filled in by SSSD. As you are claiming FreeIPA 4.1 is in use, it means CentOS 7.1, thus SSSD automatically contributing the auth_to_local plugin.

> BTW. after I log in by password to linux client machine I can use gssapi within the same host by ssh-ing in a loop to the localhost, so locally GSSAPI works here.

This is expected and is by design.

> Is there something I missed?
> Any help would be greatly appreciated.

Answer my questions above, I suspect all you need is to mark the host principal as available for delegation.

--
/ Alexander Bokovoy
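Two of the checks a practitioner would run before following the advice above can be scripted. The added example below is not part of the thread and is neither FreeIPA's nor OpenSSH's code: it parses an sshd_config honouring sshd's rule that the first value given for an option wins (so a later "GSSAPIAuthentication yes" cannot repair an earlier "no"), reports whether KerberosAuthentication is still enabled, and checks that a klist -k listing contains the host/<fqdn>@REALM principal that the GSSAPI acceptor needs. The config text, keytab listing, host name client1.ipa.example.test and realm IPA.EXAMPLE.TEST are constructed for the example. Ticket delegation into the session is a separate step, the ipa host-mod --ok-as-delegate=TRUE the reply mentions.

```python
# Added example: lint sshd_config for the GSSAPI settings discussed in the
# reply and check a keytab listing for the host principal.  Not FreeIPA's or
# OpenSSH's code; all sample inputs below are constructed.
import re

_OPTION_RE = re.compile(r"^([A-Za-z]+)\s*(?:=|\s)\s*(.+)$")


def parse_sshd_config(text: str) -> dict:
    """Global sshd options keyed by lower-cased name.  sshd uses the FIRST
    value given for an option (sshd_config(5)); options after a Match line
    are conditional, so parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        m = _OPTION_RE.match(line)               # 'Key value' or 'Key=value'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)          # first value wins
    return settings


def gssapi_findings(sshd_config_text: str) -> list:
    """Problems relative to the advice in the reply, as readable strings."""
    s = parse_sshd_config(sshd_config_text)
    findings = []
    if s.get("gssapiauthentication", "no").lower() != "yes":
        findings.append("GSSAPIAuthentication is not 'yes' (sshd default is no)")
    if s.get("kerberosauthentication", "no").lower() == "yes":
        findings.append("KerberosAuthentication yes is set; remove it and use GSSAPI only")
    return findings


_KLIST_ROW_RE = re.compile(r"^\s*\d+\s+(\S+)\s*$")   # 'KVNO Principal' rows


def keytab_principals(klist_output: str) -> set:
    """Principal names from the text output of 'klist -k'."""
    return {m.group(1) for line in klist_output.splitlines()
            if (m := _KLIST_ROW_RE.match(line))}


def has_host_principal(klist_output: str, fqdn: str, realm: str) -> bool:
    """sshd's GSSAPI acceptor needs host/<fqdn>@<REALM> in /etc/krb5.keytab."""
    return f"host/{fqdn}@{realm}" in keytab_principals(klist_output)


# Constructed samples (assumptions, not data from the thread).
SSHD_CONFIG_BAD = """\
GSSAPIAuthentication no
KerberosAuthentication yes
GSSAPIAuthentication yes    # ignored by sshd: the first value above wins
"""
SSHD_CONFIG_GOOD = """\
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
"""
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client1.ipa.example.test@IPA.EXAMPLE.TEST
   2 host/client1.ipa.example.test@IPA.EXAMPLE.TEST
"""

if __name__ == "__main__":
    print("bad config:", gssapi_findings(SSHD_CONFIG_BAD))
    print("good config:", gssapi_findings(SSHD_CONFIG_GOOD))
    print("host principal present:",
          has_host_principal(KLIST_OUTPUT, "client1.ipa.example.test", "IPA.EXAMPLE.TEST"))
```

On a real client, feed the script the contents of /etc/ssh/sshd_config and the output of klist -k; a missing host principal for the name the Windows client actually connects to (a CNAME or short name rather than the FQDN in the keytab) is a common reason GSSAPI works on the IPA masters but not on enrolled hosts.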
Re: [Freeipa-users] ubuntu dns discovery
On 22.5.2015 22:00, Johnny Tan wrote:
> On Fri, May 22, 2015 at 3:14 PM, Martin Basti mba...@redhat.com wrote:
>> On 22/05/15 18:05, Johnny Tan wrote:
>>> Our servers run CentOS-6.6 and ipa-server-3.0.0-42.el6.centos.x86_64
>>>
>>> Our CentOS clients (also 6.6) join the domain seamlessly.
>>>
>>> Our Ubuntu 14.04 LTS clients, however, don't seem to be able to auto-discover domain, realm, or IPA servers:
>>>
>>> ```
>>> dpkg -l | grep freeipa
>>> ii  freeipa-client  3.3.4-0ubuntu3.1  amd64  FreeIPA centralized identity framework -- client
>>>
>>> /usr/sbin/ipa-client-install --mkhomedir --no-ntp --no-sudo --unattended --hostname testing-ubuntu001.pp --principal admin --password xx --debug
>>> /usr/sbin/ipa-client-install was invoked with options: {'domain': None, 'force': False, 'krb5_offline_passwords': True, 'primary': False, 'realm_name': None, 'force_ntpd': False, 'create_sshfp': True, 'conf_sshd': True, 'conf_ntp': False, 'on_master': False, 'ntp_server': None, 'ca_cert_file': None, 'principal': 'admin', 'keytab': None, 'hostname': 'testing-ubuntu001.pp', 'no_ac': False, 'unattended': True, 'sssd': True, 'trust_sshfp': False, 'dns_updates': False, 'mkhomedir': True, 'conf_ssh': True, 'force_join': False, 'server': None, 'prompt_password': False, 'permit': False, 'debug': True, 'preserve_sssd': False, 'uninstall': False}
>>> missing options might be asked for interactively later
>>> Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
>>> Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
>>> [IPA Discovery] Starting IPA discovery with domain=None, servers=None, hostname=testing-ubuntu001.pp
>>> Start searching for LDAP SRV record in pp (domain of the hostname) and its sub-domains
>>> Search DNS for SRV record of _ldap._tcp.pp
>>> DNS record not found: EmptyLabel
>>> Start searching for LDAP SRV record in .pp (search domain from /etc/resolv.conf) and its sub-domains
>>> Search DNS for SRV record of _ldap._tcp..pp
>>> DNS record not found: EmptyLabel
>>> Already searched pp; skipping
>>> No LDAP server found
>>> Unable to discover domain, not provided on command line
>>> Installation failed. Rolling back changes.
>>> IPA client is not configured on this system.
>>> ```
>>>
>>> Yet on the same client:
>>>
>>> ```
>>> root@testing-ubuntu001:~# dig srv _ldap._tcp.pp +short
>>> 0 100 389 production-ipa003.pp.
>>> 0 100 389 production-ipa001.pp.
>>> 0 100 389 production-ipa002.pp.
>>> ```
>>>
>>> Why can't ipa-client-install discover those SRV records?
>>>
>>> johnny
>>
>> Hello, this is weird. "DNS record not found: EmptyLabel" is the error python-dns returns when an empty label is used in a domain name. And here is an empty label - _ldap._tcp..pp (two dots). But that doubled dot is not on the line above and the error is the same, interesting.
>
> Aha! It seems our configuration management system is populating `search` in /etc/resolv.conf with .pp rather than pp. If I manually change that, it now works! Thank you.

Martin, do you see in the code why it did not work before? We should fix that (assuming that we are able to find the root cause :-).

--
Petr^2 Spacek
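The failure above comes down to how an SRV query name is assembled from a domain string. The added example below is not ipa-client-install's code; it rebuilds a simplified version of the search the log shows (host's parent domain first, then the resolv.conf search list) and demonstrates that a search entry written as ".pp" yields "_ldap._tcp..pp", a name with an empty label, which is the condition dnspython reports as EmptyLabel. Normalising the search entries before building the name is the fix the poster applied by hand. The resolv.conf text is constructed for the example.

```python
# Added example, not the ipa-client-install code.  Builds the SRV names that
# DNS discovery would query and shows why a '.pp' search entry produces the
# malformed '_ldap._tcp..pp'.  RESOLV_CONF below is constructed sample input.


class EmptyLabel(ValueError):
    """A DNS name with an empty label (leading dot or two adjacent dots)."""


def is_valid_dns_name(name: str) -> bool:
    """True unless the name has an empty label; one trailing dot (root) is fine."""
    labels = name.rstrip(".").split(".")
    return all(label != "" for label in labels)


def srv_name(service: str, proto: str, domain: str) -> str:
    """Build '_<service>._<proto>.<domain>' and reject it if malformed, which
    is exactly what happens when domain is '.pp' instead of 'pp'."""
    name = f"_{service}._{proto}.{domain}"
    if not is_valid_dns_name(name):
        raise EmptyLabel(name)
    return name


def search_domains(resolv_conf: str) -> list:
    """The 'search' list from resolv.conf text; as in the resolver, the last
    'search' line wins."""
    domains = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if parts and parts[0] == "search":
            domains = parts[1:]
    return domains


def normalise_domain(domain: str) -> str:
    """Strip leading and trailing dots so a misconfigured '.pp' becomes 'pp'."""
    return domain.strip(".")


def candidate_srv_names(hostname: str, resolv_conf: str) -> list:
    """Simplified discovery order from the log: the host's parent domain, then
    each resolv.conf search domain, normalised and de-duplicated, each turned
    into the _ldap._tcp SRV name to query."""
    candidates = []
    parent = hostname.split(".", 1)[1] if "." in hostname else ""
    for dom in [parent] + [normalise_domain(d) for d in search_domains(resolv_conf)]:
        if dom and dom not in candidates:
            candidates.append(dom)
    return [srv_name("ldap", "tcp", d) for d in candidates]


if __name__ == "__main__":
    # Constructed resolv.conf reproducing the poster's misconfiguration.
    RESOLV_CONF = "nameserver 10.0.0.53\nsearch .pp\n"
    for raw in search_domains(RESOLV_CONF):
        try:
            srv_name("ldap", "tcp", raw)
        except EmptyLabel as err:
            print(f"raw search entry {raw!r} -> EmptyLabel on {err}")
    print(candidate_srv_names("testing-ubuntu001.pp", RESOLV_CONF))
```

Normalising is the defensive choice for a client installer; a stricter alternative is to refuse to run and point at the offending resolv.conf line, which keeps a typo from silently changing which domain gets searched.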
[Freeipa-users] Restore deleted RBAC Rules?
Is it possible to restore deleted RBAC rules that were deleted from Permissions and Privileges?

--
Striker
[Freeipa-users] How to restore data to a fresh IPA reinstall from a CA-less replica
Hi!

How do I restore data to a freshly reinstalled IPA server from an existing CA-less replica that has had its replication agreements removed? Both servers are running RHEL 6.6 with ipa-server version 3.0.0 (for some reason the IPA servers do not upgrade beyond this version). I have been searching for information in the RHEL knowledgebase and on the FreeIPA site but I do not find information that exactly matches my situation. I am grateful for any assistance in this.

Thanks!
Re: [Freeipa-users] Freeipa Replicate hung
On 05/25/2015 12:24 AM, Martin Kosek wrote:
> On 05/25/2015 12:45 AM, Bill Graboyes wrote:
>> Hi List,
>>
>> I have been digging around on this system that hung for the past hour or two trying to figure out why dirserv seemed to be hung. It was not using resources, nor was there any information in any of the log files (dirserv, sssd, etc.), it was just stopped. I was unable to run ipactl and get any response. The server would not even reboot cleanly (I had to power it off). Of note, there didn't seem to be any problems with systems accessing via sssd, but for systems that were accessing via direct ldap connections, the connection would just hang.
>>
>> OS and Version information:
>> CentOS Linux release 7.1.1503 (Core)
>> ipa-server-4.1.0-18.el7.centos.3.x86_64
>
> Hello,
>
> I would suggest starting with providing the information asked for in the 389 DS FAQ:
> http://directory.fedoraproject.org/docs/389ds/FAQ/faq.html#debugging-hangs
>
> Martin

For IPA, you will also need to do:

```
debuginfo-install ipa-server slapi-nis
```
[Freeipa-users] Single mail deployment in a FreeIPA-WindowsAD scenario.
How can I use a single backend for an email deployment in such a scenario? Since I am using a forest trust, users are not present in one place.

Regards
[Freeipa-users] OSX login very slow
Hello,

I'm using OSX 10.10.3 (Yosemite) and I've followed the FreeIPA/OSX guide at linsec.ca. I can do the following with very fast response time:

- id ipauser on osx host
- klist/kdestroy/kinit a ticket
- ssh via SSO to ipaserver with this ticket
- ping osxhost osxhost.local from ipaserver
- lookup users in OSX directory app
- IPA server has green light in OSX network account server

The thing that fails for me is login from the OSX login window. Well, it doesn't fail, but it took 12 minutes for an IPA user to login. Any ideas what to look for?

--
john
Re: [Freeipa-users] Single mail deployment in a FreeIPA-WindowsAD scenario.
Any ideas how to overcome this? Winsync may be a better approach for us instead of cross-trust.

Regards

2015-05-25 13:06 GMT-04:00 Carlos Raúl Laguna carlosla1...@gmail.com:
> How can I use a single backend for an email deployment in such a scenario? Since I am using a forest trust, users are not present in one place.
>
> Regards
Re: [Freeipa-users] Haunted servers?
On 5/24/15 3:12 AM, Janelle wrote:
> And just like that, my haunted servers have all returned. I am going to just put a gun to my head and be done with it. :-(
>
> Why do things run perfectly and then suddenly ??? Logs show little to nothing, mostly because the servers are so busy, they have already rotated out.
>
> unable to decode {replica 16} 5535647200030010 5535647200030010
> unable to decode {replica 22} 55371e9e0016 553eec6400040016
> unable to decode {replica 23} 5545d61f00020017 555432430017
> unable to decode {replica 24} 554d53d30018 554d54a400020018
> unable to decode {replica 25} 554d78bf0019 555af30200040019
> unable to decode {replica 9} 55402c3900030009 55402c3900030009
>
> Don't know what to do anymore. At my wit's end..
> ~J

So things are getting more interesting. Still trying to find the leaking server(s). Here is what I mean by that. As you see, I continue to find these -- BUT, notice a new symptom -- replica 9 does NOT show any other data - it is blank?

```
unable to decode {replica 16} 5535647200030010 5535647200030010
unable to decode {replica 22} 55371e9e0016 553eec6400040016
unable to decode {replica 24} 554d53d300010018 554d54a400020018
unable to decode {replica 25} 554d78bf00020019 555af30200040019
unable to decode {replica 9}
```

Now, if I delete these from a server using the ldapmodify method, they go away briefly, but then if I restart the server, they come back. Let me try to explain: given a number of servers, say 8, if I use ldapmodify to delete from 1 of those, they seem to go away from maybe 4 of them -- but if I wait a few minutes, it is almost as though replication is re-adding these bad replicas from the servers that I have NOT deleted them from.

So my question is simple - is there something in the logs I can look for that would indicate the SOURCE of these bogus entries? Is the replica 9 with NO extra data any indication of something I could look for?

I am not willing to give up easily (as you might have already guessed) and I am determined to find the cause of these. I know we need more logs, but with all the traffic, the logs roll over within a few hours, and if the problem is happening at 3am for example, I am not able to track it down because the logs have rolled.

Back to my investigations.
~J
Re: [Freeipa-users] Any thoughts on sssd_sudo memory usage ?
With a higher debug level I see that sssd sudo is trying to resolve a local account (for nagios monitoring).

Vasek

On Tue, May 26, 2015 at 6:39 AM, Vaclav Adamec vaclav.ada...@suchy-zleb.cz wrote:
> ps -eo pid,cmd,size,rss | grep sssd_sudo
> 1533 /usr/libexec/sssd/sssd_sudo 4245972 4247700
>
> and a huge amount of this (trying again and again):
>
> (Tue May 26 06:35:47 2015) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0040): Could not look up the user [2]: No such file or directory
> (Tue May 26 06:35:47 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): No results for getpwnam call
>
> but other servers in the same datacenter look ok at the same time; later this error was visible also on others, it's just a question of time.
>
> On Mon, May 25, 2015 at 7:41 AM, Lukas Slebodnik lsleb...@redhat.com wrote:
>> On (25/05/15 07:30), Vaclav Adamec wrote:
>>> Hi,
>>> after the last update I see this:
>>>
>>>   PID USER  PR  NI  VIRT  RES   SHR S %CPU %MEM    TIME+ COMMAND
>>>  5918 root  20   0 4413m 4.1g 1596 S  2.8 35.4 31:12.72 sssd_sudo
>>>
>>> sssd-common-1.11.6-30.el6_6.4.x86_64 on CentOS release 6.6 final (up2date)
>>>
>>> restart, sync + swap cleanup and in less than 24h I get the same memory usage.
>>
>> Could you draw a graph of sssd_sudo memory usage? Or at least gather data (ps -eo pid,cmd,size,rss | grep sssd_sudo).
>>
>> Can you see any errors in the sssd_sudo log after enabling verbose logging?
>> https://fedorahosted.org/sssd/wiki/Troubleshooting#SSSDdebuglogs
>>
>> LS
>
> --
> May the fox be with you ...

--
May the fox be with you ...
Re: [Freeipa-users] Any thoughts on sssd_sudo memory usage ?
On (26/05/15 06:44), Vaclav Adamec wrote:
> With a higher debug level I see that sssd sudo is trying to resolve a local account (for nagios monitoring).

There was/is a bug where the sudo provider does not respect filter_users: https://fedorahosted.org/sssd/ticket/2625. (It's already fixed in fedora = 22.) It would be a workaround for you.

> On Tue, May 26, 2015 at 6:39 AM, Vaclav Adamec vaclav.ada...@suchy-zleb.cz wrote:
>> ps -eo pid,cmd,size,rss | grep sssd_sudo
>> 1533 /usr/libexec/sssd/sssd_sudo 4245972 4247700
>>
>> and a huge amount of this (trying again and again):
>>
>> (Tue May 26 06:35:47 2015) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0040): Could not look up the user [2]: No such file or directory
>> (Tue May 26 06:35:47 2015) [sssd[sudo]] [sudosrv_get_user] (0x0080): No results for getpwnam call
>>
>> but other servers in the same datacenter look ok at the same time; later this error was visible also on others, it's just a question of time.

I assume you have sssd-1.11, because such a bug was fixed in sssd-1.12:
https://git.fedorahosted.org/cgit/sssd.git/commit/?id=09579ae252c181c7884defc0612c36108f6cf509

You can test with my pre-release of sssd-1.12.5:
https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12-latest/
(It already contains the fix for #2625.)

LS