Re: [Freeipa-users] ipa trust-fetch-domains failing.

2016-07-03 Thread Alexander Bokovoy

On Mon, 04 Jul 2016, pgb205 wrote:

Selinux is disabled on the server. However, I managed to fix the problem by
adding the AD.DOMAIN {} section to my krb5.conf in addition to IPA.DOMAIN {}.
So it now looks like

[realms]
IPA.DOMAIN {
  master_kdc = ipa.dc.ipadomain:port
  auth_kdc = ipa.dc.ipadomain:port
  ...
}
AD.DOMAIN {
  master_kdc = ad.dc.addomain:port
  auth_kdc = ad.dc.addomain:port
  ...
}

This had the desired effect, although I am not 100% clear on why this worked.
My theory is that we have multiple domain controllers and of course the
addomain.com forward zone that was configured prior returns a full
list. Only the ports to the one ad.dc.addomain.com server have been
opened between the ipa and ad servers and so when the trust command is
executed the connection goes to some domain controller that IPA can't
connect to, eventually generating an error.  Just a theory for now.

It is a totally plausible theory -- when we do trust-fetch-domains, we
try to use Kerberos authentication against AD DCs. Forcing IPA master to
use specific domain controller via krb5.conf should help here.

Note that you'll need to have a similar stanza on each IPA client as
well because authentication happens directly to AD DCs and SSSD on IPA
clients will have to do the same job using AD user credentials in case
of password logons.




thanks

 From: Alexander Bokovoy 
To: pgb205 
Cc: "bentech4...@gmail.com" ; Freeipa-users 

Sent: Friday, July 1, 2016 3:37 AM
Subject: Re: [Freeipa-users] ipa trust-fetch-domains failing.

On Thu, 30 Jun 2016, pgb205 wrote:

Ben, do you mind sharing your solution as I am affected by the exact same error 
when fetching AD domains.

I'm currently on vacation and don't have access to my lab, but you need
to check if there are any problems with SELinux. 'ipa
trust-fetch-domains' calls out via DBus to another script. It is
functionally equivalent to the following command run as root:

# oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust 
com.redhat.idm.trust.fetch_domains ad.test

where ad.test is your AD root domain.

If you add 'log level = 100' in /usr/share/ipa/smb.conf.empty, then this
run will generate a lot of debug information.


--
/ Alexander Bokovoy






--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project



--
/ Alexander Bokovoy



Re: [Freeipa-users] ipa trust-fetch-domains failing.

2016-07-03 Thread pgb205
Selinux is disabled on the server. However, I managed to fix the problem by
adding the AD.DOMAIN {} section to my krb5.conf in addition to IPA.DOMAIN {}.
So it now looks like

[realms]
IPA.DOMAIN {
  master_kdc = ipa.dc.ipadomain:port
  auth_kdc = ipa.dc.ipadomain:port
  ...
}
AD.DOMAIN {
  master_kdc = ad.dc.addomain:port
  auth_kdc = ad.dc.addomain:port
  ...
}

This had the desired effect, although I am not 100% clear on why this worked.
My theory is that we have multiple domain controllers and of course the
addomain.com forward zone that was configured prior returns a full list. Only
the ports to the one ad.dc.addomain.com server have been opened between the ipa
and ad servers and so when the trust command is executed the connection goes to some
domain controller that IPA can't connect to, eventually generating an error.
Just a theory for now.
thanks

From: Alexander Bokovoy
To: pgb205
Cc: "bentech4...@gmail.com" ; Freeipa-users

Sent: Friday, July 1, 2016 3:37 AM
Subject: Re: [Freeipa-users] ipa trust-fetch-domains failing.

On Thu, 30 Jun 2016, pgb205 wrote:
>Ben, do you mind sharing your solution as I am affected by the exact same 
>error when fetching AD domains.
I'm currently on vacation and don't have access to my lab, but you need
to check if there are any problems with SELinux. 'ipa
trust-fetch-domains' calls out via DBus to another script. It is
functionally equivalent to the following command run as root:

# oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust 
com.redhat.idm.trust.fetch_domains ad.test

where ad.test is your AD root domain.

If you add 'log level = 100' in /usr/share/ipa/smb.conf.empty, then this
run will generate a lot of debug information.


-- 
/ Alexander Bokovoy



Re: [Freeipa-users] FreeIPA (directory service) Crash several times a day

2016-07-03 Thread Omar AKHAM

Where can I find the core file of ipa-server?

On 2016-07-01 13:29, Ludwig Krispenz wrote:

please keep the discussion on the mailing list
On 07/01/2016 01:17 PM, Omar AKHAM wrote:

Which package to install ? ipa-debuginfo?

yes


2 other crashes last night, with a different user bind this time:

rawdn = 0x7f620003a200 "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX"
dn = 0x7f62000238b0 "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX"
saslmech = 0x0
cred = {bv_len = 9, bv_val = 0x7f6200034af0 "nw_PA\250\063\065\067"}
be = 0x7f6254941c20
ber_rc = 
rc = 0
sdn = 0x7f62000313f0
bind_sdn_in_pb = 1
referral = 0x0
errorbuf = '\000' ...
supported = 
pmech = 
authtypebuf = 

bind_target_entry = 0x0



On 2016-06-30 18:16, Ludwig Krispenz wrote:

On 06/30/2016 05:54 PM, d...@mdfive.dz wrote:
The crash is random, sometimes the user binds without problem,
sometimes it binds and there is the error message of the ipa plugin
without a dirsrv crash. But when it crashes, this user's bind is found
in the newly generated core file!

ok, so the user might try or use different passwords. It could be
helpful if you can install the debuginfo for the ipa-server package
and get a new stack. Please post it to the list; you can X the
credentials in the core, although I think they will not be proper
credentials.

Ludwig


On 2016-06-30 14:50, Ludwig Krispenz wrote:

On 06/30/2016 02:45 PM, Ludwig Krispenz wrote:


On 06/30/2016 02:27 PM, d...@mdfive.dz wrote:

Hi,

Please find strace on a core file : http://pastebin.com/v9cUzau4

the crash is in an IPA plugin, ipa_pwd_extop,
to get a better stack you would have to install also the debuginfo 
for ipa-server.

but the stack matches the error messages you have seen
[30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file encoding.c, line 171]: generating kerberos keys failed [Invalid argument]
[30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file encoding.c, line 225]: key encryption/encoding failed
they are from the functions in the call stack.

Looks like the user has a password with a \351 char:
cred = {bv_len = 15, bv_val = 0x7fc7880013a0 "d\351sertification"}

does the crash always happen with a bind from this user ?


and then someone familiar with this plugin should look into it


Regards


On 2016-06-30 12:13, Ludwig Krispenz wrote:

can you get a core file ?
http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes


On 06/30/2016 11:28 AM, d...@mdfive.dz wrote:

Hi,

The Directory Service crashes several times a day. It's
installed on a CentOS 7 VM:


Installed Packages
Name: ipa-server
Arch: x86_64
Version : 4.2.0

# ipactl status
Directory Service: STOPPED
krb5kdc Service: RUNNING
kadmin Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful


Before each crash, I have these messages in 
/var/log/dirsrv/slapd-X/errors :


[30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - 
[file encoding.c, line 171]: generating kerberos keys failed 
[Invalid argument]
[30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file 
encoding.c, line 225]: key encryption/encoding failed



Any help?
Best regards



-- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: 
Grasbrunn,

Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael
O'Neill, Eric Shander






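An added example (my code, not from the thread, 389-ds or FreeIPA) built around the two bind credentials quoted above in gdb's octal-escaped form: it turns that rendering back into raw bytes and reports whether the password is valid UTF-8, which is what Kerberos string-to-key routines expect. Both credentials from the core files fail the check (0xE9 in one, 0xA8 in the other), and this is the kind of input validation a password plugin would want before attempting key generation, so a bad encoding produces a clean rejection rather than an error path in the server. The byte values are computed from the page's own output; nothing else is assumed.

```python
import re

# The two bind credentials as gdb printed them in the thread's core dumps
# (octal escapes are gdb's rendering of non-ASCII bytes).
GDB_CREDS = [r'd\351sertification', r'nw_PA\250\063\065\067']

_OCTAL = re.compile(r'\\([0-7]{1,3})')

def gdb_string_to_bytes(s):
    """Turn a gdb-rendered C string (\\ooo octal escapes) back into raw bytes."""
    out, pos = bytearray(), 0
    for m in _OCTAL.finditer(s):
        out += s[pos:m.start()].encode("ascii")
        out.append(int(m.group(1), 8))
        pos = m.end()
    out += s[pos:].encode("ascii")
    return bytes(out)

def check_password_encoding(raw):
    """Return (ok, detail). ok is True only when raw is valid UTF-8, which is
    what Kerberos string-to-key expects; otherwise name the offending byte."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as e:
        bad = raw[e.start]
        return False, "byte 0x%02x at offset %d is not UTF-8 (as Latin-1: %r)" % (
            bad, e.start, chr(bad))
    return True, "%d bytes, %d code points" % (len(raw), len(text))

def triage(creds=GDB_CREDS):
    """Map each gdb-printed credential to its encoding verdict."""
    return {c: check_password_encoding(gdb_string_to_bytes(c)) for c in creds}
```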


[Freeipa-users] Kerberos FreeIPA Question

2016-07-03 Thread Günther J. Niederwimmer
Hello,

Is it possible to create a Kerberos ticket for a secondary domain?

CentOS 7.2, IPA 4.3.1
My installation:
I have an IPA server for

Domain
test.com

LDAP & Kerberos
TEST.COM

Now I would like to include another domain
new.net

Is it possible to have a Kerberos ticket for this domain as well?

I found an example in a krb5.conf like this
[domain_realm]
.test.com = TEST.COM
.new.net = TEST.COM
...

Is this possible with FreeIPA?

Thanks for an answer
-- 
with kind regards / best regards,

  Günther J. Niederwimmer

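An added example (my code, not from the list, MIT krb5 or FreeIPA) that serves two threads on this page: the krb5.conf realm stanza used to pin an IPA master to one reachable AD domain controller in the trust-fetch-domains thread, and the [domain_realm] mapping asked about in this thread. It parses both sections, lists the KDCs a realm is forced to use, and resolves a host name to a realm the way MIT krb5 walks [domain_realm] (exact host first, then each parent domain with a leading dot). The sample krb5.conf, its realm and host names and the :88 ports are constructed assumptions.

```python
# Constructed sample (not from any real deployment); realm and host names
# follow the thread's placeholders, the :88 ports are assumed.
SAMPLE_KRB5_CONF = """[realms]
 AD.DOMAIN = {
  kdc = ad.dc.addomain:88
  master_kdc = ad.dc.addomain:88
 }
[domain_realm]
 .test.com = TEST.COM
 .new.net = TEST.COM
"""

def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; 'REALM = { ... }' blocks nest."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith("{"):               # start of a realm block
            realm = line[:-1].split("=")[0].strip()
            conf[section][realm] = {}
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            target = conf[section][realm] if realm else conf[section]
            target.setdefault(key, []).append(value)
    return conf

def pinned_kdcs(conf, realm):
    """KDCs the realm is forced to use; [] means DNS SRV fallback to any DC."""
    block = conf.get("realms", {}).get(realm, {})
    return sorted(set(block.get("kdc", []) + block.get("master_kdc", [])))

def realm_for_host(conf, host):
    """[domain_realm] lookup as MIT krb5 does it: exact host, then parents."""
    mapping = conf.get("domain_realm", {})
    labels = host.lower().split(".")
    for i in range(len(labels)):               # longest match wins
        key = ("" if i == 0 else ".") + ".".join(labels[i:])
        if key in mapping:
            return mapping[key][0]
    return None
```

A realm that comes back from pinned_kdcs with an empty list is one the client will resolve through DNS, which is exactly the situation where it may pick a domain controller the firewall does not allow.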