Re: [Freeipa-users] Ipa add-user non interactively specifying a password.

2015-09-01 Thread Craig White
-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Chris Mohler
Sent: Tuesday, September 01, 2015 12:17 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Ipa add-user non interactively specifying a password.

Hi List,
I'm trying to make a script to add users non interactively with ipa add-user 
and specify a password of testpw

I tried:

ipa user-add username --first=firstname --last=lastname 
--homedir=/home/username --password testpw --gidnumber= --noprivate 
--shell=/bin/bash
#ipa: ERROR: command 'user_add' takes at most 1 argument

and this:

ipa user-add username --first=firstname --last=lastname 
--homedir=/home/username --password=testpw --gidnumber= --noprivate 
--shell=/bin/bash
#ipa: error: --password option does not take a value

No Luck.

Any suggestions?
-
I will take it a lot further - salt to taste (and watch the line wraps)...

#!/bin/bash
#
# Script to automate adding users
#
# Updated 12/16/2014
# Craig White
#
CMD1='/usr/bin/ipa user-add'
CMD2='/usr/bin/ipa group-add-member'
TEE='/usr/bin/tee -a'
MAIL='/bin/mailx'
[[ -n "$4" ]] || { echo "Usage: ipa_user_add.sh LOGIN FIRST_NAME LAST_NAME EMAIL GROUPS"; echo "   REQUIRED > ^   ^  ^   ^"; echo "You can have many groups separated with just a space"; exit 1 ; }
klist -s || { echo "Your kerberos ticket has expired - Please create a valid kerberos ticket by typing 'kinit'"; exit 1 ; }
if [ -z "$EMAIL" ]; then
  echo "You need to add EMAIL to your environment variables - type 'export EMAIL=YOUR_EMAIL_ADDRESS' before running this command or better yet, add it to your .bash_profile"
  exit 1
fi
# The log ends up holding the user's initial password, so create it with a
# unique name and mode 0600 rather than a fixed, world-readable file in /tmp.
umask 077
LOG=$(mktemp /tmp/ipa_users_add.XXXXXX) || exit 1
LOGIN=$1; FIRST=$2; LAST=$3; TO=$4
shift 4   # whatever is left are the extra groups

$CMD1 "$LOGIN" --first="$FIRST" --last="$LAST" --random --email="$TO" | $TEE "$LOG"
echo " - - - -" | $TEE "$LOG"
echo "You must login and change your password" | $TEE "$LOG"
echo "SSH to some server you have access to" | $TEE "$LOG"
echo "or" | $TEE "$LOG"
echo "https://_IPA_SERVER_1_/ipa/ui  OR  https://_IPA_SERVER_2_/ipa/ui" | $TEE "$LOG"
echo " - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -" | $TEE "$LOG"
# Every new user goes into ipausers; any further arguments are extra groups.
$CMD2 ipausers --users="$LOGIN" | $TEE "$LOG"
for GROUP in "$@"; do
  $CMD2 "$GROUP" --users="$LOGIN" | $TEE "$LOG"
done
echo "See attachment for login information" | $MAIL -s 'New Account Information' -r "$EMAIL" -a "$LOG" "$TO"
/bin/rm -f "$LOG"

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Ipa add-user non interactively specifying a password.

2015-09-01 Thread Chris Mohler

Thanks Craig!
That's quite a handy reply. It's actually a lot nicer than what I was 
planning to do. I appreciate this a lot.


-Chris


On 09/01/2015 03:33 PM, Craig White wrote:



Re: [Freeipa-users] Ipa add-user non interactively specifying a password.

2015-09-01 Thread Alexander Bokovoy

On Tue, 01 Sep 2015, Chris Mohler wrote:

Hi List,
I'm trying to make a script to add users non interactively with ipa 
add-user and specify a password of testpw


I tried:

ipa user-add username --first=firstname --last=lastname 
--homedir=/home/username --password testpw --gidnumber= 
--noprivate --shell=/bin/bash

#ipa: ERROR: command 'user_add' takes at most 1 argument

and this:

ipa user-add username --first=firstname --last=lastname 
--homedir=/home/username --password=testpw --gidnumber= 
--noprivate --shell=/bin/bash

#ipa: error: --password option does not take a value

No Luck.

Any suggestions?

Read the help :)
$ ipa help user-add | grep -- --password
  --password    Prompt to set the user password

E.g. --password option does not take *any* parameter, it *prompts* to
enter the password and expects standard input to provide the password. 


In the first example you added a parameter after --password and since
--password does not consume anything, it was considered as another
argument but 'ipa user-add' indeed takes a single argument, thus an
error.

In the second example you are explicitly forcing --password to take some
parameter and are told that it does not accept anything, just like the help
is saying.

What you want can be achieved like this:

$ cat /my/password/file | ipa user-add username --first=firstname 
--last=lastname --password

--
/ Alexander Bokovoy



[Freeipa-users] Ipa add-user non interactively specifying a password.

2015-09-01 Thread Chris Mohler

Hi List,
I'm trying to make a script to add users non interactively with ipa 
add-user and specify a password of testpw


I tried:

ipa user-add username --first=firstname --last=lastname 
--homedir=/home/username --password testpw --gidnumber= --noprivate 
--shell=/bin/bash

#ipa: ERROR: command 'user_add' takes at most 1 argument

and this:

ipa user-add username --first=firstname --last=lastname 
--homedir=/home/username --password=testpw --gidnumber= --noprivate 
--shell=/bin/bash

#ipa: error: --password option does not take a value

No Luck.

Any suggestions?

Thanks








Re: [Freeipa-users] Ipa add-user non interactively specifying a password.

2015-09-01 Thread Chris Mohler

Thanks Alexander,

I tried the help but there were only two choices: specify a password 
interactively with --password, or randomly generate one with --random. I 
agree with you that the errors in the output are expected; I was just hoping 
for some undocumented magic.


Piping the output from cat into the password prompt is a great idea and 
does fix the issue I was having. It's not really intuitive but still 
makes me wonder why I didn't think of that.


Anyhow I changed it up a bit with
echo testpw | ipa user-add username --first=firstname --last=lastname 
--password --gidnumber= --noprivate --shell=/bin/bash


And it totally works.

Thank you again.

-Chris



On 09/01/2015 03:39 PM, Alexander Bokovoy wrote:

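Alexander's point above, that `--password` takes no value and reads the password from standard input, is what makes Chris's `echo testpw | ipa user-add ... --password` work. The script below is an added example, not code from the thread or from FreeIPA: it feeds the password from a file instead of from `echo` on the command line (an interactive `echo testpw | ...` is recorded in the shell history) and refuses a password file that other local users can read. `IPA_CMD`, `IPA_PASSWORD_FILE`, `password_file_is_private` and `ipa_user_add` are names chosen for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): add a FreeIPA user non-interactively by
# piping the password into `ipa user-add --password`, which reads it from stdin,
# while keeping the password out of argv and shell history.
# Assumptions: `ipa` is on PATH and a Kerberos ticket exists (kinit); IPA_CMD and
# IPA_PASSWORD_FILE are variable names chosen for this example.
set -eu

# Command to run; overridable so the function can be exercised without a server.
IPA_CMD="${IPA_CMD:-ipa}"

# password_file_is_private FILE: true only if FILE is a regular file with mode
# 0600 (owner read/write, nothing for group or others), judged from `ls -l`.
password_file_is_private() {
  [ -f "$1" ] || return 1
  case "$(ls -l "$1")" in
    -rw-------*) return 0 ;;
    *) return 1 ;;
  esac
}

# ipa_user_add LOGIN FIRST LAST: reads the password from $IPA_PASSWORD_FILE and
# pipes it to `ipa user-add ... --password`. Refuses a file readable by others
# so the password is never left on disk for other local users to collect.
ipa_user_add() {
  local login=$1 first=$2 last=$3
  local pwfile=${IPA_PASSWORD_FILE:?set IPA_PASSWORD_FILE to a 0600 file holding the password}
  if ! password_file_is_private "$pwfile"; then
    echo "refusing to use $pwfile: must be a regular file with mode 0600" >&2
    return 1
  fi
  # Only the first line is consumed, exactly as the interactive prompt would read it.
  head -n 1 "$pwfile" | "$IPA_CMD" user-add "$login" --first="$first" --last="$last" --password
}

# Usage (after kinit):
#   IPA_PASSWORD_FILE=/root/newuser.pw ipa_user_add jdoe John Doe
```

The permission check is a local safeguard only: the password file should be created with `umask 077` and removed once the account exists, and on a shared host the `--random` option avoids having a chosen password on disk at all.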


Re: [Freeipa-users] Ipa add-user non interactively specifying a password.

2015-09-01 Thread Janelle
You could use --random instead of --password, which will force a nice 10 
char random PW that can be captured and sent to your user.


~J

On 9/1/15 12:54 PM, Chris Mohler wrote:

Thanks Craig!
That's quite a handy reply. It's actually a lot nicer than what I was 
planning to do. I appreciate this a lot.


-Chris


On 09/01/2015 03:33 PM, Craig White wrote:

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Chris Mohler

Sent: Tuesday, September 01, 2015 12:17 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Ipa add-user non interactively specifying a 
password.


Hi List,
I'm trying to make a script to add users non interactively with ipa 
add-user and specify a password of testpw


I tried:

ipa user-add username --first=firstname --last=lastname 
--homedir=/home/username --password testpw --gidnumber= 
--noprivate --shell=/bin/bash

#ipa: ERROR: command 'user_add' takes at most 1 argument

and this:

ipa user-add username --first=firstname --last=lastname 
--homedir=/home/username --password=testpw --gidnumber= 
--noprivate --shell=/bin/bash

#ipa: error: --password option does not take a value

No Luck.

Any suggestions?
-
I will take it a lot further - salt to taste (and watch the line 
wraps)...


#!/bin/sh
#
# Script to automate adding users
#
# Updated 12/16/2014
# Craig White
#
CMD1='/usr/bin/ipa user-add'
CMD2='/usr/bin/ipa group-add-member'
TEE='/usr/bin/tee -a'
LOG='/tmp/ipa_users_add.txt'
MAIL='/bin/mailx'
KERB=`klist -s; echo $?`

$LOG
[[ -n "$4" ]] || { echo "Usage: ipa_user_add.sh LOGIN FIRST_NAME 
LAST_NAME EMAIL GROUPS " && echo "   REQUIRED > ^   
^  ^   ^" && echo "You can have many groups separated 
with just a space"; exit 0 ; }
[[ $KERB == "0" ]] || { echo "Your kerberos ticket has expired - 
Please create a valid kerberos ticket by typing 'kinit'"; exit 0 ; }

if [ -z "$EMAIL" ]; then
   echo "You need to add EMAIL to your environment variables - type 
'export EMAIL=YOUR_EMAIL_ADDRESS' before running this command or 
better yet, add it to your .bash_profile"

   exit 0
fi

$CMD1 $1 --first=$2 --last=$3 --random --email=$4 | $TEE $LOG
echo " - - - -" | $TEE $LOG
echo "You must login and change your password" | $TEE $LOG
echo "SSH to some server you have access to" | $TEE $LOG
echo "or" | $TEE $LOG
echo "https://_IPA_SERVER_1_/ipa/ui  OR 
https://_IPA_SERVER_2_/ipa/ui; | $TEE $LOG
echo " - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - -" | $TEE $LOG

$CMD2 ipausers --users=$1 | $TEE $LOG
if [ -n "$5" ]; then
   $CMD2 $5 --users=$1 | $TEE $LOG
fi
if [ -n "$6" ]; then
   $CMD2 $6 --users=$1 | $TEE $LOG
fi
if [ -n "$7" ]; then
   $CMD2 $7 --users=$1 | $TEE $LOG
fi
if [ -n "$8" ]; then
   $CMD2 $8 --users=$1 | $TEE $LOG
fi
if [ -n "$9" ]; then
   $CMD2 $9 --users=$1 | $TEE $LOG
fi
echo "See attachment for login information" | $MAIL -s 'New Account 
Information' -r $EMAIL -a $LOG $4

/bin/rm -f $LOG




--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] ipa-client on aws (amazon linux)

2015-09-01 Thread Gustavo Mateus
Hi,

Does anyone have an updated list of packages or installation steps to get
the ipa-client properly installed on Amazon Linux (2015.03.1, to be more
precise)?

I plan to use Red Hat as my ipa-server but the clients need to be Amazon
Linux.

Thanks,

Gustavo

Re: [Freeipa-users] FreeIPA Sudo Error: Resource temporarily unavailable

2015-09-01 Thread Yogesh Sharma
Even the users details are not coming:

[root@btservice-mysql-prd-ng2-01 sssd]# id vg4381
id: vg4381: No such user
[root@btservice-mysql-prd-ng2-01 sssd]# getent passwd vg4381
[root@btservice-mysql-prd-ng2-01 sssd]#


Best Regards,

Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in
RHCE, VCE-CIA, RACKSPACE CLOUD U Certified



On Tue, Sep 1, 2015 at 5:05 PM, Yogesh Sharma  wrote:

> Hi,
>
> We are getting below error while user try to do sudo, while it work for
> old users.
>
>
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [client_recv] (0x0200): Client disconnected!
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [accept_fd_handler] (0x0400): Client connected!
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Received client version [1].
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200): Offered version [1].
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'vg4381' matched without domain, user is vg4381
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'vg4381' matched without domain, user is vg4381
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting default options for [vg4381] from []
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [vg4...@klikpay.int]
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40bc10:3:vg4...@klikpay.int]
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): Creating request for [klikpay.int][3][1][name=vg4381]
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40bc10:3:vg4...@klikpay.int]
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0020): Unable to get information from Data Provider
> Error: 1, 11, Offline
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [vg4...@klikpay.int]
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [vg4...@klikpay.int]
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400): Retrieving default options for [vg4381] from [klikpay.int]
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=vg4381)(sudoUser=#465600011)(sudoUser=%dbausers)(sudoUser=%vg4381)(sudoUser=+*))(&(dataExpireTimestamp<=1441107001)))]
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x407380:0:1:vg4...@klikpay.int]
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_get_sudoers_msg] (0x0400): Creating SUDOers request for [klikpay.int][7][vg4381][1]
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x407380:0:1:vg4...@klikpay.int]
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x40bc10:3:vg4...@klikpay.int]
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_dp_callback] (0x0020): Unable to get information from Data Provider
> Error: 1, 11, Resource temporarily unavailable
> Will try to return what we have in cache
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@klikpay.int]
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x407380:0:1:vg4...@klikpay.int]
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'vg4381' matched without domain, user is vg4381
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'vg4381' matched without domain, user is vg4381
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done] (0x0200): Requesting rules for [vg4381] from []
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [vg4...@klikpay.int]
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40bc10:3:vg4...@klikpay.int]
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400): Creating request for [klikpay.int][3][1][name=vg4381]
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40bc10:3:vg4...@klikpay.int]
> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] 
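The log above shows the sudo responder failing to reach the SSSD data provider (`Error: 1, 11, Offline`, then `Resource temporarily unavailable`) and falling back to its cache, which returns 0 rules, so `sudo` and `id` both come up empty for the new user. As an added example that is not part of the thread, the script below summarises an sssd sudo-responder debug log of that shape: how often each error occurred, how often the cache fallback was taken, and which users were affected. The sample lines are constructed to match the format in the message (a made-up `example.test` domain); `sssd_sudo_triage` and `write_sample_log` are names chosen here.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): triage an sssd sudo-responder debug log
# for data-provider failures. Assumes the message layout seen in sssd_sudo.log
# with debug_level high enough to include the 0x0020/0x0200/0x0400 lines.
set -eu

# sssd_sudo_triage [LOGFILE]: prints "offline=N eagain=N cached=N" followed by
# one "affected=USER" line per distinct user whose lookup hit a data-provider
# error. Reads stdin when no file is given.
sssd_sudo_triage() {
  awk '
    # Remember the user named in the most recent lookup request.
    /Requesting info about \[/ {
      user = $0
      sub(/.*Requesting info about \[/, "", user)
      sub(/\].*/, "", user)
    }
    # The error cause is printed on the line *after* the failure notice.
    /Unable to get information from Data Provider/ {
      pending = 1
      if (user != "") affected[user] = 1
    }
    pending && /^Error: 1, 11, Offline/ { offline++; pending = 0 }
    pending && /^Error: 1, 11, Resource temporarily unavailable/ { eagain++; pending = 0 }
    /Will try to return what we have in cache/ { cached++ }
    END {
      printf "offline=%d eagain=%d cached=%d\n", offline, eagain, cached
      for (u in affected) printf "affected=%s\n", u
    }
  ' "${1:--}"
}

# write_sample_log FILE: constructed sample lines in the format of the message.
write_sample_log() {
  cat >"$1" <<'EOF'
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [jdoe@example.test]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0020): Unable to get information from Data Provider
Error: 1, 11, Offline
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [jdoe@example.test]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_dp_callback] (0x0020): Unable to get information from Data Provider
Error: 1, 11, Resource temporarily unavailable
Will try to return what we have in cache
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@example.test]
(Tue Sep  1 17:00:02 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [asmith@example.test]
(Tue Sep  1 17:00:02 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [asmith@example.test]
EOF
}

# Usage on a real host: sssd_sudo_triage /var/log/sssd/sssd_sudo.log
```

A non-zero `offline` or `eagain` count with `cached` fallbacks is the signature to look for before chasing the sudo rules themselves: the responder never got an answer from the backend, so the next place to look is the domain log and the connectivity or Kerberos state of the host, not the sudoRule entries.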

Re: [Freeipa-users] Troubles with extending FreeIPA Web UI to fit my environment

2015-09-01 Thread Petr Vobornik

On 08/27/2015 05:17 AM, Mateusz Małek wrote:

Hi everyone,

We're trying to adjust FreeIPA to our environment... quite a bit. Here
are some bullet points:

1. User home directory location is dependent on user primary group and
its value should be autogenerated on user creation.
2. User administrator should be able to select user account type (its
primary group) in some user-friendly way from pre-determined list of
possible choices - without the need to remember GID number associated
with each account type.
3. Passwords need to be generated automatically, so user administrator
won't be required to invent them for every single user. It should appear
on-screen after user account creation.
4. If username was not provided, it should also be generated using some
pre-determined method. It also should be shown after creating new user.
5. Some user accounts have an expiration date and need to be renewed
every year. User administrator should be able to extend user account
validity with single mouse-click in Web UI (with additional click for
confirmation prompt, probably).
6. Many user account attributes are not in use in our environment - they
should be hidden in Web UI to avoid confusion (for example job title in
search view).

And probably the most important thing: *all these things have to been
done without modifying files installed from RPM package* - we are using
ipa-server from CentOS 7 repositories and we don't want things to break
on update.

Point 1 was easy one - we used additional script in ipalib/plugins and
user_add.register_pre_callback to hook into user account creation
process. We also use this hook to assign gidNumber based on "User class"
specified in account creation form in Web UI (point 2).
Unfortunately, I have trouble with point 4 - uid attribute is specified
in takes_params with default_from=lambda givenname, sn: givenname[0] +
sn and when hook gets called, entry is already filled with this default
value. How can I override this behavior? Is it at least possible to
distinguish (in hook code) between value generated using default_from
and value manually typed into account creation form? (It seems that
default value is also checked for duplicates before calling hook - this
still needs to be overridden, as it will prevent our usernames generator
from even getting called.)

For points 3, 5, 6 and to limit available choices in 2, we need to plug
into Web UI. Samples at https://pvoborni.fedorapeople.org/plugins/
provided us with some basic info how to write plugins.


Glad to read that the plugin support is used. Especially in this scale.

I'd like to ask you for a feedback. What are the main things that would 
make extending IPA easier for you?


 I've copied

pre-minified freeipa/user.js file and turned it into a plugin.
However, I face some issues when I register my module under different
entity name instead of overriding user (I want to keep original user
module available)


Just curious, why do you want to keep the original user entity object?

 - reg.entity.register({type: 'new-user', spec:

exp.entity_spec}); - I get "IPA Error 3004: MaxArgumentError: command
'user_find' takes at most 1 argument".



It seems that check if (that.entity !== that.managed_entity) in
freeipa/search.js fails (condition is true), which causes
managed_entity_pkey_prefix function to return [""] instead of [] -
object inspection shows both entity and managed_entity refer to user
entity, but probably these are two different JS objects (and that's why
they are considered different). Am I doing something wrong or is it some
bug?


There is no claim that it should  work so I would say that it is a 
limitation of original design and unfinished refactoring than a bug. The 
code can be improved to support multiple entity objects for the same IPA 
object but I'm worried that it can break something else.


Maybe simple comparison by an entity name would help.



Best regards
Mateusz Małek

Intelligent Information Systems Group
Department of Computer Science
AGH University of Science and Technology, Kraków, Poland


--
Petr Vobornik


Re: [Freeipa-users] stubborn old replicas

2015-09-01 Thread Janelle

On 8/28/15 8:17 AM, Vaclav Adamec wrote:
You could try this (RH recommended way). It works for me better than 
cleanallruv.pl, as this sometimes leads to an ldap freeze.


unable to decode: {replica 30} 5548fa20001e 5548fa20001e
unable to decode: {replica 26} 5548a9a8001a 5548a9a8001a


for all of them, one-by-one:

ldapmodify -x -D "cn=directory manager" -w XXX
dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: modify
replace: nsds5task
nsds5task: CLEANRUV30



On Fri, Aug 28, 2015 at 4:55 PM, Guillermo Fuentes wrote:


Hi Janelle,

Using the cleanallruv.pl tool was the only
way I was able to get rid of the "unable to decode: {replica x}"
entries.

This is how I used it, cleaning a replica ID at a time:
# For replica id: 40
cleanallruv.pl -v -D "cn=directory manager" -w - -b 'dc=example,dc=com' -r 40

Note that the "-w -" will make the tool prompt you for the
directory manager password.

Hope this helps,
Guillermo


On Thu, Aug 27, 2015 at 10:27 AM, Janelle wrote:

On 8/27/15 1:05 AM, thierry bordaz wrote:

On 08/27/2015 09:41 AM, Ludwig Krispenz wrote:


On 08/27/2015 09:08 AM, Martin Kosek wrote:

On 08/26/2015 05:31 PM, Simo Sorce wrote:

On Wed, 2015-08-26 at 06:36 -0700, Janelle wrote:

Hello all,

My biggest problem is losing replicas and then trying to
delete the
entries and rebuild them. Here is a perfect example, I
simply can't get
rid of these  (see below). I have tried (of course after
the ORIGINAL
"ipa-replica-manage del hostname --force --clean":

ipa-replica-manage clean-ruv 25

ldapmodify... with:
dn: cn=clean 25, cn=cleanallruv, cn=tasks, cn=config
objectclass: extensibleObject
replica-base-dn: dc=example,dc=com
replica-id: 25
cn: clean 25

And yet nothing works. Any suggestions? This is perhaps
the most
frustrating part about maintaining IPA.

~J

unable to decode: {replica 12} 5588dc2e000c
559f3de60004000c
unable to decode: {replica 14} 5587aa8d000e
5587aa8d0003000e
unable to decode: {replica 16} 5588f58f0010
55bb7b0800050010
unable to decode: {replica 25} 55a4887b0019
55a4924200040019
unable to decode: {replica 29} 55d199a50001001d
55d199a50001001d
unable to decode: {replica 3} 5587c5c30003
55b8a04900010003
unable to decode: {replica 5} 55cc82ab041d0005
55cc82ab041d0005

Have you tried restarting DS before trying to clean the ruv ?

I run in a similar problem in a test install recently, and
I got better
results that way. The bug is known to the DS people and
they are working
to get out patches that fix the root issue.

Simo.

CCing DS folks. Wasn't there a recent DS fix that was
supposed to improve the
RUV situation?

Looking at 389 DS Trac, I see some interesting RUV fixes in
1.3.4.x releases:


https://fedorahosted.org/389/query?summary=~RUV=closed=milestone=id=summary=status=owner=type=priority=milestone




I see that 389-ds-base-1.3.4.3 is already in Fedora 22+,
does the RUV issue
happen there?

it should not, and I think Thierry verified the fix.
The problem we resolved and which we think is the core of
the corrupted RUV was that the cleanallruv task did only
purge the RUV, but did not purge the changelog. If
cleanallruv was run and the server had a disorderly shutdown
(crash or abort when shutdown was hanging) then at restart
the changelog RUV was rebuilt from the data in the changelog
and if it contained a csn from cleaned RIDs this was added
to the RUV (but the reference to the server was lost and so
the url part is missing from this RUV).
The fix now does remove all references to the cleaned RID
from the changelog and the problem should not reoccur with
RIDs cleaned with the fix; of course the changelog can still
contain references to RIDs cleaned before the fix - and
if no changelog trimming is configured this is what will
happen. So, even after the fix old RUVs could pop up and
have to be (finally) cleaned.

The other source is that 

[Freeipa-users] CA replicas different views???

2015-09-01 Thread Janelle

Hello,

I am very confused. I have a couple of data centers and as expected, I 
have setup CA replicas in each DC. However, this is what makes me 
nervous/afraid of my configs. In one data center, while sitting on a 
master and issuing:


(as seen from ipa006.example.com)
ipa-csreplica-manage list

I see

ipa002.example.com: master

BUT as seen from ipa010.example.com

ipa002.example.com: CA not configured

How is this possible???

~Janelle



Re: [Freeipa-users] CA replicas different views???

2015-09-01 Thread Rob Crittenden

Janelle wrote:


It may be an indication of a replication problem. This data is stored in 
cn=masters,cn=ipa,cn=etc,$SUFFIX


It looks for cn=CA for a given host to see if it has the service 
configured. I would start by looking in that subtree on both hosts.


rob



Re: [Freeipa-users] replicas unresponsive with increasing file descriptors

2015-09-01 Thread Ludwig Krispenz


On 09/01/2015 04:39 PM, Andrew E. Bruno wrote:

A few months ago we had a replica failure where the system ran out of file
descriptors and the slapd database was corrupted:

https://www.redhat.com/archives/freeipa-users/2015-June/msg00389.html

We now monitor file descriptor counts on our replicas and last night we
had 2 of our 3 replicas fail and become completely unresponsive. Trying
to kinit on the replica resulted in:

[user@ipa-master]$ kinit
kinit: Generic error (see e-text) while getting initial credentials


Snippet from the /var/log/dirsrv/slapd-[domain]/errors:

[31/Aug/2015:17:14:39 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Warning: Attempting to release replica, but unable to receive endReplication extended operation response from the replica. Error -5 (Timed out)
[31/Aug/2015:17:16:39 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
[31/Aug/2015:17:18:42 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
[31/Aug/2015:17:20:42 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
[31/Aug/2015:17:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
[31/Aug/2015:17:24:47 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
[31/Aug/2015:17:24:47 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Incremental protocol: event backoff_timer_expired should not occur in state start_backoff
[31/Aug/2015:17:26:50 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.
[31/Aug/2015:17:28:50 -0400] NSMMReplicationPlugin - agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to receive the response for a startReplication extended operation to consumer (Timed out). Will retry later.

The access logs were filling up with:

[31/Aug/2015:17:13:17 -0400] conn=1385990 fd=449 slot=449 connection from 
10.106.14.29 to 10.113.14.30
[31/Aug/2015:17:13:18 -0400] conn=1385991 fd=450 slot=450 connection from 
10.104.9.137 to 10.113.14.30
[31/Aug/2015:17:13:18 -0400] conn=1385992 fd=451 slot=451 connection from 
10.104.16.19 to 10.113.14.30
[31/Aug/2015:17:13:21 -0400] conn=1385993 fd=452 slot=452 connection from 
10.111.11.30 to 10.113.14.30
[31/Aug/2015:17:13:24 -0400] conn=1385994 fd=453 slot=453 connection from 
10.113.27.115 to 10.113.14.30
[31/Aug/2015:17:13:27 -0400] conn=1385995 fd=454 slot=454 connection from 
10.111.8.116 to 10.113.14.30
[31/Aug/2015:17:13:27 -0400] conn=1385996 fd=514 slot=514 connection from 
10.113.25.40 to 10.113.14.30
[31/Aug/2015:17:13:29 -0400] conn=1385997 fd=515 slot=515 connection from 
10.106.14.27 to 10.113.14.30
[31/Aug/2015:17:13:29 -0400] conn=1385998 fd=516 slot=516 connection from 
10.111.10.141 to 10.113.14.30
[31/Aug/2015:17:13:30 -0400] conn=1385999 fd=528 slot=528 connection from 
10.104.14.27 to 10.113.14.30
[31/Aug/2015:17:13:31 -0400] conn=1386000 fd=529 slot=529 connection from 
10.106.13.132 to 10.113.14.30
[31/Aug/2015:17:13:31 -0400] conn=1386001 fd=530 slot=530 connection from 
10.113.25.11 to 10.113.14.30
[31/Aug/2015:17:13:31 -0400] conn=1386002 fd=531 slot=531 connection from 
10.104.15.11 to 10.113.14.30
[31/Aug/2015:17:13:32 -0400] conn=1386003 fd=533 slot=533 connection from 
10.104.7.136 to 10.113.14.30
[31/Aug/2015:17:13:33 -0400] conn=1386004 fd=534 slot=534 connection from 
10.113.24.23 to 10.113.14.30
[31/Aug/2015:17:13:33 -0400] conn=1386005 fd=535 slot=535 connection from 
10.106.12.105 to 10.113.14.30
[31/Aug/2015:17:13:33 -0400] conn=1386006 fd=536 slot=536 connection from 
10.104.16.41 to 10.113.14.30
[31/Aug/2015:17:13:34 -0400] conn=1386007 fd=537 slot=537 connection from 
10.104.16.4 to 10.113.14.30
[31/Aug/2015:17:13:35 -0400] conn=1386008 fd=538 slot=538 connection from 
10.111.8.12 to 10.113.14.30
[31/Aug/2015:17:13:36 -0400] conn=1386009 fd=539 slot=539 connection from 
10.111.8.17 to 10.113.14.30



Seems like clients were connecting to the replicas but file descriptors were
not getting released. Our monitoring showed increasing file descriptor counts
on both 

[Freeipa-users] replicas unresponsive with increasing file descriptors

2015-09-01 Thread Andrew E. Bruno
A few months ago we had a replica failure where the system ran out of file
descriptors and the slapd database was corrupted:

https://www.redhat.com/archives/freeipa-users/2015-June/msg00389.html

We now monitor file descriptor counts on our replicas and last night we
had 2 of our 3 replicas fail and become completely unresponsive. Trying
to kinit on the replica resulted in:

[user@ipa-master]$ kinit
kinit: Generic error (see e-text) while getting initial credentials


Snippet from the /var/log/dirsrv/slapd-[domain]/errors:

[31/Aug/2015:17:14:39 -0400] NSMMReplicationPlugin - 
agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Warning: 
Attempting to release replica, but unable to receive endReplication extended 
operation response from the replica. Error -5 (Timed out)
[31/Aug/2015:17:16:39 -0400] NSMMReplicationPlugin - 
agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to 
receive the response for a startReplication extended operation to consumer 
(Timed out). Will retry later.
[31/Aug/2015:17:18:42 -0400] NSMMReplicationPlugin - 
agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to 
receive the response for a startReplication extended operation to consumer 
(Timed out). Will retry later.
[31/Aug/2015:17:20:42 -0400] NSMMReplicationPlugin - 
agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to 
receive the response for a startReplication extended operation to consumer 
(Timed out). Will retry later.
[31/Aug/2015:17:22:47 -0400] NSMMReplicationPlugin - 
agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to 
receive the response for a startReplication extended operation to consumer 
(Timed out). Will retry later.
[31/Aug/2015:17:24:47 -0400] NSMMReplicationPlugin - 
agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to 
receive the response for a startReplication extended operation to consumer 
(Timed out). Will retry later.
[31/Aug/2015:17:24:47 -0400] NSMMReplicationPlugin - 
agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Incremental 
protocol: event backoff_timer_expired should not occur in state start_backoff
[31/Aug/2015:17:26:50 -0400] NSMMReplicationPlugin - 
agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to 
receive the response for a startReplication extended operation to consumer 
(Timed out). Will retry later.
[31/Aug/2015:17:28:50 -0400] NSMMReplicationPlugin - 
agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to 
receive the response for a startReplication extended operation to consumer 
(Timed out). Will retry later.

The access logs were filling up with:

[31/Aug/2015:17:13:17 -0400] conn=1385990 fd=449 slot=449 connection from 
10.106.14.29 to 10.113.14.30
[31/Aug/2015:17:13:18 -0400] conn=1385991 fd=450 slot=450 connection from 
10.104.9.137 to 10.113.14.30
[31/Aug/2015:17:13:18 -0400] conn=1385992 fd=451 slot=451 connection from 
10.104.16.19 to 10.113.14.30
[31/Aug/2015:17:13:21 -0400] conn=1385993 fd=452 slot=452 connection from 
10.111.11.30 to 10.113.14.30
[31/Aug/2015:17:13:24 -0400] conn=1385994 fd=453 slot=453 connection from 
10.113.27.115 to 10.113.14.30
[31/Aug/2015:17:13:27 -0400] conn=1385995 fd=454 slot=454 connection from 
10.111.8.116 to 10.113.14.30
[31/Aug/2015:17:13:27 -0400] conn=1385996 fd=514 slot=514 connection from 
10.113.25.40 to 10.113.14.30
[31/Aug/2015:17:13:29 -0400] conn=1385997 fd=515 slot=515 connection from 
10.106.14.27 to 10.113.14.30
[31/Aug/2015:17:13:29 -0400] conn=1385998 fd=516 slot=516 connection from 
10.111.10.141 to 10.113.14.30
[31/Aug/2015:17:13:30 -0400] conn=1385999 fd=528 slot=528 connection from 
10.104.14.27 to 10.113.14.30
[31/Aug/2015:17:13:31 -0400] conn=1386000 fd=529 slot=529 connection from 
10.106.13.132 to 10.113.14.30
[31/Aug/2015:17:13:31 -0400] conn=1386001 fd=530 slot=530 connection from 
10.113.25.11 to 10.113.14.30
[31/Aug/2015:17:13:31 -0400] conn=1386002 fd=531 slot=531 connection from 
10.104.15.11 to 10.113.14.30
[31/Aug/2015:17:13:32 -0400] conn=1386003 fd=533 slot=533 connection from 
10.104.7.136 to 10.113.14.30
[31/Aug/2015:17:13:33 -0400] conn=1386004 fd=534 slot=534 connection from 
10.113.24.23 to 10.113.14.30
[31/Aug/2015:17:13:33 -0400] conn=1386005 fd=535 slot=535 connection from 
10.106.12.105 to 10.113.14.30
[31/Aug/2015:17:13:33 -0400] conn=1386006 fd=536 slot=536 connection from 
10.104.16.41 to 10.113.14.30
[31/Aug/2015:17:13:34 -0400] conn=1386007 fd=537 slot=537 connection from 
10.104.16.4 to 10.113.14.30
[31/Aug/2015:17:13:35 -0400] conn=1386008 fd=538 slot=538 connection from 
10.111.8.12 to 10.113.14.30
[31/Aug/2015:17:13:36 -0400] conn=1386009 fd=539 slot=539 connection from 
10.111.8.17 to 10.113.14.30



Seems like clients were connecting to the replicas but file descriptors were
not getting released. Our monitoring showed increasing file descriptor counts
on both replicas (the FD counts are normally ~600):
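
A way to see from the access log which clients are holding connections open, added here as an example to go with the thread; it is not code Andrew posted and not part of 389 Directory Server. It pairs each "connection from" line with the later "op=-1 fd=N closed" line for the same conn id; whatever is left unpaired is a descriptor ns-slapd is still holding. The sample lines are constructed in the access log format (one entry per line; the excerpt above is wrapped by the mail client), and the log path is an assumption:

```python
"""Find 389-ds client connections that were accepted but never closed.

Added example for this thread; it is not code from the thread or from
389 Directory Server. The access log writes one line when ns-slapd accepts
a connection ("conn=N fd=M slot=M connection from SRC to DST") and one
when it is torn down ("conn=N op=-1 fd=M closed ..."). Every accepted
connection without a matching close still holds a file descriptor, which
is what a steadily rising FD count on a replica means. SAMPLE_ACCESS_LOG
is constructed in that format.
"""
import re
import sys
from collections import Counter

ACCEPT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) fd=(?P<fd>\d+) slot=\d+ "
    r"connection from (?P<src>\S+) to (?P<dst>\S+)"
)
CLOSE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=-1 fd=(?P<fd>\d+) closed"
)

# Constructed sample: 10.106.14.29 opens three connections and closes none,
# 10.104.9.137 opens one and closes it, 10.111.8.116 opens one.
SAMPLE_ACCESS_LOG = """\
[31/Aug/2015:17:13:17 -0400] conn=1385990 fd=449 slot=449 connection from 10.106.14.29 to 10.113.14.30
[31/Aug/2015:17:13:18 -0400] conn=1385991 fd=450 slot=450 connection from 10.104.9.137 to 10.113.14.30
[31/Aug/2015:17:13:18 -0400] conn=1385991 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[31/Aug/2015:17:13:18 -0400] conn=1385991 op=-1 fd=450 closed - U1
[31/Aug/2015:17:13:21 -0400] conn=1385993 fd=452 slot=452 connection from 10.106.14.29 to 10.113.14.30
[31/Aug/2015:17:13:24 -0400] conn=1385994 fd=453 slot=453 connection from 10.106.14.29 to 10.113.14.30
[31/Aug/2015:17:13:27 -0400] conn=1385995 fd=454 slot=454 connection from 10.111.8.116 to 10.113.14.30
""".splitlines()


def open_connections(lines):
    """Map conn id -> (fd, source address, accept timestamp) for every
    connection that was accepted and has not been closed by the last line."""
    live = {}
    for line in lines:
        m = ACCEPT_RE.match(line)
        if m:
            live[int(m["conn"])] = (int(m["fd"]), m["src"], m["ts"])
            continue
        m = CLOSE_RE.match(line)
        if m:
            live.pop(int(m["conn"]), None)
    return live


def clients_over_threshold(live, threshold):
    """Source addresses holding more than `threshold` unclosed connections;
    the first places to look when the FD graph climbs."""
    counts = Counter(src for _fd, src, _ts in live.values())
    return {src: n for src, n in sorted(counts.items()) if n > threshold}


if __name__ == "__main__":
    # Usage: python fd_leaks.py /var/log/dirsrv/slapd-DOMAIN/access [threshold]
    # (path is an assumption; without arguments the constructed sample is used)
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_ACCESS_LOG
    threshold = int(sys.argv[2]) if len(sys.argv) > 2 else 0
    live = open_connections(lines)
    print(f"{len(live)} connections still open")
    for src, n in clients_over_threshold(live, threshold).items():
        print(f"  {src}: {n}")
```

Run it against a log that was rotated while the server was wedged and the unpaired count will include connections whose close landed in the previous file, so feed it the full window; a per-client count that keeps growing across runs is the signal, not the absolute number.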


Re: [Freeipa-users] FreeIPA Sudo Error: Resource temporarily unavailable

2015-09-01 Thread Yogesh Sharma
Hi,

This is fixed. On digging more, I found that my resolv.conf had been updated and it
was not able to find the domain. Fixing resolv.conf with the right
nameserver fixed the issue.



Best Regards,

Yogesh Sharma
Email: yks0...@gmail.com | Web: www.initd.in

RHCE, VCE-CIA, RACKSPACE CLOUD U Certified



On Tue, Sep 1, 2015 at 5:54 PM, Yogesh Sharma  wrote:

> Even the users details are not coming:
>
> [root@btservice-mysql-prd-ng2-01 sssd]# id vg4381
> id: vg4381: No such user
> [root@btservice-mysql-prd-ng2-01 sssd]# getent passwd vg4381
> [root@btservice-mysql-prd-ng2-01 sssd]#
>
>
> Best Regards,
>
> Yogesh Sharma
> Email: yks0...@gmail.com | Web: www.initd.in
>
> RHCE, VCE-CIA, RACKSPACE CLOUD U Certified
>
>
> On Tue, Sep 1, 2015 at 5:05 PM, Yogesh Sharma  wrote:
>
>> Hi,
>>
>> We are getting the below error when a user tries to do sudo, while it works for
>> old users.
>>
>>
>> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [client_recv] (0x0200): Client
>> disconnected!
>> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [accept_fd_handler] (0x0400):
>> Client connected!
>> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
>> Received client version [1].
>> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
>> Offered version [1].
>> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains]
>> (0x0200): name 'vg4381' matched without domain, user is vg4381
>> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains]
>> (0x0200): name 'vg4381' matched without domain, user is vg4381
>> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
>> (0x0200): Requesting default options for [vg4381] from []
>> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
>> Requesting info about [vg4...@klikpay.int]
>> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400):
>> Issuing request for [0x40bc10:3:vg4...@klikpay.int]
>> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_get_account_msg]
>> (0x0400): Creating request for [klikpay.int][3][1][name=vg4381]
>> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_internal_get_send]
>> (0x0400): Entering request [0x40bc10:3:vg4...@klikpay.int]
>> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_check_user_dp_callback]
>> (0x0020): Unable to get information from Data Provider
>> Error: 1, 11, Offline
>> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
>> Requesting info about [vg4...@klikpay.int]
>> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400):
>> Returning info for user [vg4...@klikpay.int]
>> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
>> Retrieving default options for [vg4381] from [klikpay.int]
>> (Tue Sep  1 17:00:01 2015) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> [(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=vg4381)(sudoUser=#465600011)(sudoUser=%dbausers)(sudoUser=%vg4381)(sudoUser=+*))(&(dataExpireTimestamp<=1441107001)))]
>> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400):
>> Issuing request for [0x407380:0:1:vg4...@klikpay.int]
>> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_get_sudoers_msg]
>> (0x0400): Creating SUDOers request for [klikpay.int][7][vg4381][1]
>> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_internal_get_send]
>> (0x0400): Entering request [0x407380:0:1:vg4...@klikpay.int]
>> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400):
>> Deleting request: [0x40bc10:3:vg4...@klikpay.int]
>> (Tue Sep  1 17:00:01 2015) [sssd[sudo]]
>> [sudosrv_get_sudorules_dp_callback] (0x0020): Unable to get information
>> from Data Provider
>> Error: 1, 11, Resource temporarily unavailable
>> Will try to return what we have in cache
>> (Tue Sep  1 17:00:01 2015) [sssd[sudo]]
>> [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with
>> [(&(objectClass=sudoRule)(|(name=defaults)))]
>> (Tue Sep  1 17:00:01 2015) [sssd[sudo]]
>> [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for
>> [@klikpay.int]
>> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400):
>> Deleting request: [0x407380:0:1:vg4...@klikpay.int]
>> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains]
>> (0x0200): name 'vg4381' matched without domain, user is vg4381
>> (Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains]
>> (0x0200): 

[Freeipa-users] FreeIPA Sudo Error: Resource temporarily unavailable

2015-09-01 Thread Yogesh Sharma
Hi,

We are getting the below error when a user tries to do sudo, while it works for old
users.


(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [client_recv] (0x0200): Client
disconnected!
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [accept_fd_handler] (0x0400):
Client connected!
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Received client version [1].
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_cmd_get_version] (0x0200):
Offered version [1].
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'vg4381' matched without domain, user is vg4381
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'vg4381' matched without domain, user is vg4381
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting default options for [vg4381] from []
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [vg4...@klikpay.int]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400):
Issuing request for [0x40bc10:3:vg4...@klikpay.int]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400):
Creating request for [klikpay.int][3][1][name=vg4381]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_internal_get_send]
(0x0400): Entering request [0x40bc10:3:vg4...@klikpay.int]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_check_user_dp_callback]
(0x0020): Unable to get information from Data Provider
Error: 1, 11, Offline
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [vg4...@klikpay.int]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [vg4...@klikpay.int]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving default options for [vg4381] from [klikpay.int]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=vg4381)(sudoUser=#465600011)(sudoUser=%dbausers)(sudoUser=%vg4381)(sudoUser=+*))(&(dataExpireTimestamp<=1441107001)))]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400):
Issuing request for [0x407380:0:1:vg4...@klikpay.int]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_get_sudoers_msg] (0x0400):
Creating SUDOers request for [klikpay.int][7][vg4381][1]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_internal_get_send]
(0x0400): Entering request [0x407380:0:1:vg4...@klikpay.int]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400):
Deleting request: [0x40bc10:3:vg4...@klikpay.int]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_dp_callback]
(0x0020): Unable to get information from Data Provider
Error: 1, 11, Resource temporarily unavailable
Will try to return what we have in cache
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache]
(0x0400): Returning 0 rules for [@klikpay.int]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_req_destructor] (0x0400):
Deleting request: [0x407380:0:1:vg4...@klikpay.int]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'vg4381' matched without domain, user is vg4381
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains]
(0x0200): name 'vg4381' matched without domain, user is vg4381
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_cmd_parse_query_done]
(0x0200): Requesting rules for [vg4381] from []
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [vg4...@klikpay.int]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_issue_request] (0x0400):
Issuing request for [0x40bc10:3:vg4...@klikpay.int]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_get_account_msg] (0x0400):
Creating request for [klikpay.int][3][1][name=vg4381]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_internal_get_send]
(0x0400): Entering request [0x40bc10:3:vg4...@klikpay.int]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_check_user_dp_callback]
(0x0020): Unable to get information from Data Provider
Error: 1, 11, Offline
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200):
Requesting info about [vg4...@klikpay.int]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400):
Returning info for user [vg4...@klikpay.int]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_rules] (0x0400):
Retrieving rules for [vg4381] from [klikpay.int]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache]
(0x0200): Searching sysdb with
[(&(objectClass=sudoRule)(|(sudoUser=ALL)(name=defaults)(sudoUser=vg4381)(sudoUser=#465600011)(sudoUser=%dbausers)(sudoUser=%vg4381)(sudoUser=+*))(&(dataExpireTimestamp<=1441107001)))]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_dp_issue_request] 
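
The log above shows the pattern worth recognising: the data provider is unreachable (Yogesh later traced it to a bad resolv.conf), sssd falls back to its cache, and a user never seen while the provider was online has no cached rules, so sudo is denied. The following is an added example, not code from the thread or from sssd, that reads a sudo-responder debug log and produces that verdict per lookup. The two logs embedded in it are constructed in the format shown above (user and domain taken from the thread), and the log path in the usage comment is an assumption:

```python
"""Turn an sssd sudo-responder debug log into a per-lookup verdict.

Added example for this thread; it is not code from the thread or from
sssd. Each timestamped line carries the responder, the function and a
debug level. When the data provider (DP) cannot be reached the responder
logs "Unable to get information from Data Provider", then an untimestamped
"Error: <dp_status>, <errno>, <text>" line, and falls back to its cache.
A user who has never been resolved while the DP was reachable has nothing
cached, so the cache answers with 0 rules and sudo denies (fail closed).
OFFLINE_LOG and HEALTHY_LOG below are constructed in the thread's format.
"""
import errno
import re
import sys

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<responder>\w+)\]\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
ERROR_RE = re.compile(r"^Error: (?P<dp>\d+), (?P<err>\d+), (?P<text>.+)$")
USER_RE = re.compile(r"Requesting info about \[(?P<user>[^\]]+)\]")
RULES_RE = re.compile(r"Returning (?P<n>\d+) rules for \[(?P<dom>[^\]]*)\]")
DP_FAILURE = "Unable to get information from Data Provider"

OFFLINE_LOG = """\
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sss_parse_name_for_domains] (0x0200): name 'vg4381' matched without domain, user is vg4381
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [vg4381@klikpay.int]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_check_user_dp_callback] (0x0020): Unable to get information from Data Provider
Error: 1, 11, Offline
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [vg4381@klikpay.int]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_dp_callback] (0x0020): Unable to get information from Data Provider
Error: 1, 11, Resource temporarily unavailable
Will try to return what we have in cache
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache] (0x0200): Searching sysdb with [(&(objectClass=sudoRule)(|(name=defaults)))]
(Tue Sep  1 17:00:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 0 rules for [@klikpay.int]
""".splitlines()

HEALTHY_LOG = """\
(Tue Sep  1 17:05:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0200): Requesting info about [vg4381@klikpay.int]
(Tue Sep  1 17:05:01 2015) [sssd[sudo]] [sudosrv_get_user] (0x0400): Returning info for user [vg4381@klikpay.int]
(Tue Sep  1 17:05:01 2015) [sssd[sudo]] [sudosrv_get_sudorules_from_cache] (0x0400): Returning 2 rules for [vg4381@klikpay.int]
""".splitlines()


def parse_sssd_line(line):
    """One timestamped responder line -> dict; None for continuation lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize_sudo_lookup(lines):
    """Report the user looked up, every DP failure (function, status, errno),
    how many rules the cache returned, and whether the denial came from an
    offline DP combined with an empty cache."""
    summary = {"user": None, "dp_errors": [], "cached_rules": None}
    failing_func = None  # set when a DP failure line awaits its "Error:" line
    for line in lines:
        rec = parse_sssd_line(line)
        if rec is None:
            m = ERROR_RE.match(line.strip())
            if m and failing_func:
                code = int(m["err"])
                summary["dp_errors"].append({
                    "func": failing_func,
                    "dp_status": int(m["dp"]),
                    "errno": code,
                    "errno_name": errno.errorcode.get(code, str(code)),
                    "text": m["text"],
                })
                failing_func = None
            continue
        if DP_FAILURE in rec["msg"]:
            failing_func = rec["func"]
        m = USER_RE.search(rec["msg"])
        if m and summary["user"] is None:
            summary["user"] = m["user"]
        m = RULES_RE.search(rec["msg"])
        if m:
            summary["cached_rules"] = int(m["n"])
    # sssd reports an unreachable provider as EAGAIN (11), the errno behind
    # "Resource temporarily unavailable" in the thread's subject line.
    summary["dp_offline"] = any(e["errno"] == errno.EAGAIN for e in summary["dp_errors"])
    summary["denied_from_empty_cache"] = summary["dp_offline"] and summary["cached_rules"] == 0
    return summary


if __name__ == "__main__":
    # Usage: python sudo_offline.py /var/log/sssd/sssd_sudo.log (path assumed)
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = OFFLINE_LOG
    s = summarize_sudo_lookup(lines)
    print(f"user={s['user']} offline={s['dp_offline']} cached_rules={s['cached_rules']}")
    for e in s["dp_errors"]:
        print(f"  {e['func']}: dp_status={e['dp_status']} {e['errno_name']} ({e['text']})")
```

When "denied_from_empty_cache" comes out true, the fix is on the lookup path (DNS, SRV records, the server being reachable), not in sudo or the HBAC rules; the denial itself is sssd behaving correctly by refusing to grant from data it does not have.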

Re: [Freeipa-users] GSSAPI authentication for libvirt VNC

2015-09-01 Thread Brendan Kearney

On 08/30/2015 12:49 PM, Marin Bernard wrote:

Hi,

I followed the instructions from freeipa.org (
https://www.freeipa.org/page/Libvirt_with_VNC_Consoles) to make libvirt
and VNC use GSSAPI authentication with FreeIPA. The libvirt part works
fine: I'm able to SSO the KVM host using TCP + SASL. However, I'm
unable to get a VNC connection to any guest: both virt-manager and virt
-viewer fail. The former speaks about a "closed or refused connection",
and the latter just closes.


On the KVM host, each VNC login attempt adds the following record to
the systemd journal:

qemu-kvm[3202]: GSSAPI server step 1


On the host, libvirt starts qemu-kvm with a SASL VNC, which seems
correct to me:

# ps -aux | grep qemu-kvm

 -vnc 0.0.0.0:0,sasl 


QEMU may read the VNC keytab

$ ls -l /etc/qemu/
total 4
-rw---. 1 qemu root 458 30 Aug  15:48 krb5.tab


Contents of /etc/sasl2/qemu-kvm.conf (comments removed)

mech_list: gssapi
keytab: /etc/qemu/krb5.tab


The client seems to grab correct tickets:

$ klist
Ticket cache: KEYRING:persistent:121541:krb_ccache_jjD9A46
Default principal: ma...@cloud.olivarim.com

Valid starting   Expires  Service principal
30/08/2015 16:11:22  31/08/2015 15:34:53  vnc/nice-hkvm-ctrl-01
.core.nice.cloud.olivarim@cloud.olivarim.com
30/08/2015 16:08:12  31/08/2015 15:34:53  libvirt/nice-hkvm-ctr
l-01.core.nice.cloud.olivarim@cloud.olivarim.com

KVM Host is Centos 7.2, up to date.

FreeIPA server is Centos 7.2, up to date, with FreeIPA 4.1.0 rev.
18.el7.centos.4

Client is Fedora 22, up to date.

I tried to disable both the firewall and SELinux but it did not change
anything.

Do you have any clues?

Thanks!

Marin.


my /etc/sasl2/qemu.conf (note the different file name, may be relevant*):

mech_list: gssapi
keytab: /etc/qemu/qemu.keytab
sasldb_path: /etc/qemu/passwd.db
auxprop_plugin: sasldb

my /etc/sasl2/libvirt.conf:

mech_list: gssapi
keytab: /etc/libvirt/libvirt.keytab

my /etc/qemu/qemu.keytab file has the principal used/needed for VNC 
(vnc/host.domain.tld@REALM). You can check yours with "klist -Kket 
/path/to/qemu.keytab"


my /etc/libvirt/libvirt.keytab file has the principal used/needed for 
virt-manager or virsh console (libvirt/host.domain.tld@REALM). You can 
check yours with "klist -Kket /path/to/libvirt.keytab"


* the name of the file in /etc/sasl2/ is tied to the name of the 
application. Find the sysadmin.html page for Cyrus-SASL-libs, which states:


By default, the Cyrus SASL library reads its options from 
/usr/lib/sasl2/App.conf (where "App" is the application defined name of 
the application). For instance, Sendmail reads its configuration from 
"/usr/lib/sasl2/Sendmail.conf" and the sample server application 
included with the library looks in "/usr/lib/sasl2/sample.conf".


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
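
The two things Brendan points at (the config file must carry the name the program registers with libsasl2, and the keytab it names must be readable by the service and hold the right service principal) can be checked mechanically. The following is an added example, not code from the thread, libvirt or Cyrus SASL. App name, expected principal, service user and the sasl2 directory are parameters; the fixture in run_demo() is constructed (temporary directory, empty keytab files, a hypothetical vnc/kvm01.example.test@EXAMPLE.TEST principal) and the principal listing is injectable so the demo runs without a real keytab or klist:

```python
"""Check the Cyrus SASL config a service will really load, and its keytab.

Added example for this thread; it is not code from the thread, libvirt or
Cyrus SASL. libsasl2 reads /etc/sasl2/<App>.conf where <App> is the name
the program registers (the thread contrasts qemu.conf with qemu-kvm.conf);
a file under any other name is silently ignored. For GSSAPI the keytab
named there must be readable only by the service account and must hold the
principal the client asks for (vnc/<fqdn>@REALM for the VNC console).
"""
import os
import pwd
import shutil
import stat
import subprocess
import tempfile


def parse_sasl_conf(path):
    """'key: value' lines of a Cyrus SASL application config, comments dropped."""
    opts = {}
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            if ":" in line:
                key, value = line.split(":", 1)
                opts[key.strip()] = value.strip()
    return opts


def keytab_principals(keytab):
    """Principals in a keytab via `klist -ket` (no -K: that prints key bytes).
    Returns None when klist is not installed."""
    if shutil.which("klist") is None:
        return None
    proc = subprocess.run(["klist", "-ket", keytab], capture_output=True, text=True)
    if proc.returncode != 0:
        return set()
    return {tok for line in proc.stdout.splitlines() for tok in line.split() if "@" in tok}


def check_sasl_app(app, expected_principal, service_user, sasl_dir="/etc/sasl2",
                   list_principals=keytab_principals):
    """Return a list of problems; an empty list means the app can do GSSAPI as intended."""
    problems = []
    conf = os.path.join(sasl_dir, app + ".conf")
    if not os.path.isfile(conf):
        return [f"{conf} missing: libsasl2 loads no options for app '{app}'"]
    opts = parse_sasl_conf(conf)
    if "gssapi" not in opts.get("mech_list", "").lower().split():
        problems.append(f"{conf}: mech_list does not offer gssapi")
    keytab = opts.get("keytab")
    if not keytab:
        return problems + [f"{conf}: no keytab set; GSSAPI falls back to the default "
                           "keytab (KRB5_KTNAME or /etc/krb5.keytab), which an "
                           "unprivileged service normally cannot read"]
    try:
        st = os.stat(keytab)
    except FileNotFoundError:
        return problems + [f"{keytab}: keytab not found"]
    owner = pwd.getpwuid(st.st_uid).pw_name
    if owner != service_user:
        problems.append(f"{keytab}: owned by {owner}, expected {service_user}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{keytab}: mode {stat.S_IMODE(st.st_mode):04o} is readable by group/others")
    princs = list_principals(keytab)
    if princs is None:
        problems.append("klist not installed; principal check skipped")
    elif expected_principal not in princs:
        problems.append(f"{keytab}: principal {expected_principal} not present")
    return problems


def run_demo():
    """Constructed fixture: one correct layout and one with the thread's two
    pitfalls (config under the wrong app name, keytab readable by others)."""
    root = tempfile.mkdtemp(prefix="sasl-demo-")
    me = pwd.getpwuid(os.getuid()).pw_name        # stands in for the qemu user
    princ = "vnc/kvm01.example.test@EXAMPLE.TEST"  # hypothetical host and realm

    def layout(name, conf_name, mode):
        d = os.path.join(root, name)
        os.mkdir(d)
        kt = os.path.join(d, "qemu.keytab")
        open(kt, "wb").close()
        os.chmod(kt, mode)
        with open(os.path.join(d, conf_name), "w") as fh:
            fh.write(f"mech_list: gssapi\nkeytab: {kt}\n")
        return d

    good_dir = layout("good", "qemu.conf", 0o600)
    bad_dir = layout("bad", "qemu-kvm.conf", 0o644)
    results = {
        "good": check_sasl_app("qemu", princ, me, good_dir, lambda kt: {princ}),
        "misnamed": check_sasl_app("qemu", princ, me, bad_dir, lambda kt: {princ}),
        "weak_keytab": check_sasl_app("qemu-kvm", princ, me, bad_dir, lambda kt: set()),
    }
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for case, problems in run_demo().items():
        print(f"{case}: {'ok' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

On a real host call check_sasl_app("qemu", "vnc/<fqdn>@REALM", "qemu") and check_sasl_app("libvirt", "libvirt/<fqdn>@REALM", "root") with the defaults, once for whichever app name the binary actually registers; the principal listing then comes from klist -ket, which shows principals and enctypes without dumping key material the way -K does.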

Re: [Freeipa-users] replicas unresponsive with increasing file descriptors

2015-09-01 Thread Andrew E. Bruno
On Tue, Sep 01, 2015 at 05:03:10PM +0200, Ludwig Krispenz wrote:
> 
> On 09/01/2015 04:39 PM, Andrew E. Bruno wrote:
> >A few months ago we had a replica failure where the system ran out of file
> >descriptors and the slapd database was corrupted:
> >
> >https://www.redhat.com/archives/freeipa-users/2015-June/msg00389.html
> >
> >We now monitor file descriptor counts on our replicas and last night we
> >had 2 of our 3 replicas fail and become completely unresponsive. Trying
> >to kinit on the replica resulted in:
> >
> >[user@ipa-master]$ kinit
> >kinit: Generic error (see e-text) while getting initial credentials
> >
> >
> >Snippet from the /var/log/dirsrv/slapd-[domain]/errors:
> >
> >[31/Aug/2015:17:14:39 -0400] NSMMReplicationPlugin - 
> >agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Warning: 
> >Attempting to release replica, but unable to receive endReplication extended 
> >operation response from the replica. Error -5 (Timed out)
> >[31/Aug/2015:17:16:39 -0400] NSMMReplicationPlugin - 
> >agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to 
> >receive the response for a startReplication extended operation to consumer 
> >(Timed out). Will retry later.
> >[31/Aug/2015:17:18:42 -0400] NSMMReplicationPlugin - 
> >agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to 
> >receive the response for a startReplication extended operation to consumer 
> >(Timed out). Will retry later.
> >[31/Aug/2015:17:20:42 -0400] NSMMReplicationPlugin - 
> >agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to 
> >receive the response for a startReplication extended operation to consumer 
> >(Timed out). Will retry later.
> >[31/Aug/2015:17:22:47 -0400] NSMMReplicationPlugin - 
> >agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to 
> >receive the response for a startReplication extended operation to consumer 
> >(Timed out). Will retry later.
> >[31/Aug/2015:17:24:47 -0400] NSMMReplicationPlugin - 
> >agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to 
> >receive the response for a startReplication extended operation to consumer 
> >(Timed out). Will retry later.
> >[31/Aug/2015:17:24:47 -0400] NSMMReplicationPlugin - 
> >agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Incremental 
> >protocol: event backoff_timer_expired should not occur in state start_backoff
> >[31/Aug/2015:17:26:50 -0400] NSMMReplicationPlugin - 
> >agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to 
> >receive the response for a startReplication extended operation to consumer 
> >(Timed out). Will retry later.
> >[31/Aug/2015:17:28:50 -0400] NSMMReplicationPlugin - 
> >agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to 
> >receive the response for a startReplication extended operation to consumer 
> >(Timed out). Will retry later.
> >
> >The access logs were filling up with:
> >
> >[31/Aug/2015:17:13:17 -0400] conn=1385990 fd=449 slot=449 connection from 
> >10.106.14.29 to 10.113.14.30
> >[31/Aug/2015:17:13:18 -0400] conn=1385991 fd=450 slot=450 connection from 
> >10.104.9.137 to 10.113.14.30
> >[31/Aug/2015:17:13:18 -0400] conn=1385992 fd=451 slot=451 connection from 
> >10.104.16.19 to 10.113.14.30
> >[31/Aug/2015:17:13:21 -0400] conn=1385993 fd=452 slot=452 connection from 
> >10.111.11.30 to 10.113.14.30
> >[31/Aug/2015:17:13:24 -0400] conn=1385994 fd=453 slot=453 connection from 
> >10.113.27.115 to 10.113.14.30
> >[31/Aug/2015:17:13:27 -0400] conn=1385995 fd=454 slot=454 connection from 
> >10.111.8.116 to 10.113.14.30
> >[31/Aug/2015:17:13:27 -0400] conn=1385996 fd=514 slot=514 connection from 
> >10.113.25.40 to 10.113.14.30
> >[31/Aug/2015:17:13:29 -0400] conn=1385997 fd=515 slot=515 connection from 
> >10.106.14.27 to 10.113.14.30
> >[31/Aug/2015:17:13:29 -0400] conn=1385998 fd=516 slot=516 connection from 
> >10.111.10.141 to 10.113.14.30
> >[31/Aug/2015:17:13:30 -0400] conn=1385999 fd=528 slot=528 connection from 
> >10.104.14.27 to 10.113.14.30
> >[31/Aug/2015:17:13:31 -0400] conn=1386000 fd=529 slot=529 connection from 
> >10.106.13.132 to 10.113.14.30
> >[31/Aug/2015:17:13:31 -0400] conn=1386001 fd=530 slot=530 connection from 
> >10.113.25.11 to 10.113.14.30
> >[31/Aug/2015:17:13:31 -0400] conn=1386002 fd=531 slot=531 connection from 
> >10.104.15.11 to 10.113.14.30
> >[31/Aug/2015:17:13:32 -0400] conn=1386003 fd=533 slot=533 connection from 
> >10.104.7.136 to 10.113.14.30
> >[31/Aug/2015:17:13:33 -0400] conn=1386004 fd=534 slot=534 connection from 
> >10.113.24.23 to 10.113.14.30
> >[31/Aug/2015:17:13:33 -0400] conn=1386005 fd=535 slot=535 connection from 
> >10.106.12.105 to 10.113.14.30
> >[31/Aug/2015:17:13:33 -0400] conn=1386006 fd=536 slot=536 connection from 
> >10.104.16.41 to 10.113.14.30
> >[31/Aug/2015:17:13:34 -0400] conn=1386007 fd=537 slot=537 connection from 
> >10.104.16.4 to 10.113.14.30
> >[31/Aug/2015:17:13:35 -0400] 

Re: [Freeipa-users] replicas unresponsive with increasing file descriptors

2015-09-01 Thread Rich Megginson

On 09/01/2015 09:20 AM, Andrew E. Bruno wrote:

On Tue, Sep 01, 2015 at 05:03:10PM +0200, Ludwig Krispenz wrote:

On 09/01/2015 04:39 PM, Andrew E. Bruno wrote:

A few months ago we had a replica failure where the system ran out of file
descriptors and the slapd database was corrupted:

https://www.redhat.com/archives/freeipa-users/2015-June/msg00389.html

We now monitor file descriptor counts on our replicas and last night we
had 2 of our 3 replicas fail and become completely unresponsive. Trying
to kinit on the replica resulted in:

[user@ipa-master]$ kinit
kinit: Generic error (see e-text) while getting initial credentials


Snippet from the /var/log/dirsrv/slapd-[domain]/errors:

[31/Aug/2015:17:14:39 -0400] NSMMReplicationPlugin - 
agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Warning: 
Attempting to release replica, but unable to receive endReplication extended operation 
response from the replica. Error -5 (Timed out)
[31/Aug/2015:17:16:39 -0400] NSMMReplicationPlugin - 
agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to 
receive the response for a startReplication extended operation to consumer (Timed out). 
Will retry later.
[31/Aug/2015:17:18:42 -0400] NSMMReplicationPlugin - 
agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to 
receive the response for a startReplication extended operation to consumer (Timed out). 
Will retry later.
[31/Aug/2015:17:20:42 -0400] NSMMReplicationPlugin - 
agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to 
receive the response for a startReplication extended operation to consumer (Timed out). 
Will retry later.
[31/Aug/2015:17:22:47 -0400] NSMMReplicationPlugin - 
agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to 
receive the response for a startReplication extended operation to consumer (Timed out). 
Will retry later.
[31/Aug/2015:17:24:47 -0400] NSMMReplicationPlugin - 
agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to 
receive the response for a startReplication extended operation to consumer (Timed out). 
Will retry later.
[31/Aug/2015:17:24:47 -0400] NSMMReplicationPlugin - 
agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Incremental 
protocol: event backoff_timer_expired should not occur in state start_backoff
[31/Aug/2015:17:26:50 -0400] NSMMReplicationPlugin - 
agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to 
receive the response for a startReplication extended operation to consumer (Timed out). 
Will retry later.
[31/Aug/2015:17:28:50 -0400] NSMMReplicationPlugin - 
agmt="cn=meTosrv-m14-30.cbls.ccr.buffalo.edu" (srv-m14-30:389): Unable to 
receive the response for a startReplication extended operation to consumer (Timed out). 
Will retry later.

The access logs were filling up with:

[31/Aug/2015:17:13:17 -0400] conn=1385990 fd=449 slot=449 connection from 
10.106.14.29 to 10.113.14.30
[31/Aug/2015:17:13:18 -0400] conn=1385991 fd=450 slot=450 connection from 
10.104.9.137 to 10.113.14.30
[31/Aug/2015:17:13:18 -0400] conn=1385992 fd=451 slot=451 connection from 
10.104.16.19 to 10.113.14.30
[31/Aug/2015:17:13:21 -0400] conn=1385993 fd=452 slot=452 connection from 
10.111.11.30 to 10.113.14.30
[31/Aug/2015:17:13:24 -0400] conn=1385994 fd=453 slot=453 connection from 
10.113.27.115 to 10.113.14.30
[31/Aug/2015:17:13:27 -0400] conn=1385995 fd=454 slot=454 connection from 
10.111.8.116 to 10.113.14.30
[31/Aug/2015:17:13:27 -0400] conn=1385996 fd=514 slot=514 connection from 
10.113.25.40 to 10.113.14.30
[31/Aug/2015:17:13:29 -0400] conn=1385997 fd=515 slot=515 connection from 
10.106.14.27 to 10.113.14.30
[31/Aug/2015:17:13:29 -0400] conn=1385998 fd=516 slot=516 connection from 
10.111.10.141 to 10.113.14.30
[31/Aug/2015:17:13:30 -0400] conn=1385999 fd=528 slot=528 connection from 
10.104.14.27 to 10.113.14.30
[31/Aug/2015:17:13:31 -0400] conn=1386000 fd=529 slot=529 connection from 
10.106.13.132 to 10.113.14.30
[31/Aug/2015:17:13:31 -0400] conn=1386001 fd=530 slot=530 connection from 
10.113.25.11 to 10.113.14.30
[31/Aug/2015:17:13:31 -0400] conn=1386002 fd=531 slot=531 connection from 
10.104.15.11 to 10.113.14.30
[31/Aug/2015:17:13:32 -0400] conn=1386003 fd=533 slot=533 connection from 
10.104.7.136 to 10.113.14.30
[31/Aug/2015:17:13:33 -0400] conn=1386004 fd=534 slot=534 connection from 
10.113.24.23 to 10.113.14.30
[31/Aug/2015:17:13:33 -0400] conn=1386005 fd=535 slot=535 connection from 
10.106.12.105 to 10.113.14.30
[31/Aug/2015:17:13:33 -0400] conn=1386006 fd=536 slot=536 connection from 
10.104.16.41 to 10.113.14.30
[31/Aug/2015:17:13:34 -0400] conn=1386007 fd=537 slot=537 connection from 
10.104.16.4 to 10.113.14.30
[31/Aug/2015:17:13:35 -0400] conn=1386008 fd=538 slot=538 connection from 
10.111.8.12 to 10.113.14.30
[31/Aug/2015:17:13:36 -0400] conn=1386009 fd=539 slot=539 connection from 
10.111.8.17 to 10.113.14.30



Seems like clients were connecting to the replicas