Re: [Freeipa-users] ipa trust-fetch-domains failing.
On Mon, 04 Jul 2016, pgb205 wrote:
> Selinux is disabled on the server. However, I managed to fix the problem by adding the AD.DOMAIN {} section to my krb5.conf in addition to IPA.DOMAIN {}. So it now looks like
>
> [realms]
> IPA.DOMAIN {
>   master_kdc = ipa.dc.ipadomain:port
>   auth_kdc = ipa.dc.ipadomain:port
>   ...
> }
> AD.DOMAIN {
>   master_kdc = ad.dc.addomain:port
>   auth_kdc = ad.dc.addomain:port
>   ...
> }
>
> This had the desired effect, although I am not 100% clear on why this worked. My theory is that we have multiple domain controllers and of course the addomain.com forward zone that was configured prior returns a full list. Only the ports to the one ad.dc.addomain.com server have been opened between the IPA and AD servers, and so when the trust command is executed the connection goes to some domain controller that IPA can't connect to, eventually generating an error. Just a theory for now.

It is a totally plausible theory -- when we do trust-fetch-domains, we try to use Kerberos authentication against AD DCs. Forcing the IPA master to use a specific domain controller via krb5.conf should help here. Note that you'll need to have a similar stanza on each IPA client as well, because authentication happens directly to AD DCs and SSSD on IPA clients will have to do the same job using AD user credentials in case of password logons.

> thanks
>
> From: Alexander Bokovoy
> To: pgb205
> Cc: "bentech4...@gmail.com"; Freeipa-users
> Sent: Friday, July 1, 2016 3:37 AM
> Subject: Re: [Freeipa-users] ipa trust-fetch-domains failing.
>
> On Thu, 30 Jun 2016, pgb205 wrote:
> > Ben, do you mind sharing your solution as I am affected by the exact same error when fetching AD domains.
>
> I'm currently on vacation and don't have access to my lab, but you need to check if there are any problems with SELinux. 'ipa trust-fetch-domains' calls out via DBus to another script. It is functionally equivalent to the following command run as root:
>
>   # oddjob_request -s com.redhat.idm.trust -o / -i com.redhat.idm.trust com.redhat.idm.trust.fetch_domains ad.test
>
> where ad.test is your AD root domain. If you add 'log level = 100' in /usr/share/ipa/smb.conf.empty, then this run will generate a lot of debug information.

-- 
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA (directory service) Crash several times a day
Where can I find the core file of ipa-server?

On 2016-07-01 13:29, Ludwig Krispenz wrote:
> please keep the discussion on the mailing list
>
> On 07/01/2016 01:17 PM, Omar AKHAM wrote:
> > Which package to install? ipa-debuginfo?
> yes
>
> > 2 other crashes last night, with a different user bind this time:
> >
> > rawdn = 0x7f620003a200 "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX"
> > dn = 0x7f62000238b0 "uid=XXX,cn=users,cn=accounts,dc=XXX,dc=XX"
> > saslmech = 0x0
> > cred = {bv_len = 9, bv_val = 0x7f6200034af0 "nw_PA\250\063\065\067"}
> > be = 0x7f6254941c20
> > ber_rc =
> > rc = 0
> > sdn = 0x7f62000313f0
> > bind_sdn_in_pb = 1
> > referral = 0x0
> > errorbuf = '\000' ...
> > supported =
> > pmech =
> > bind_target_entry = 0x0
> >
> > On 2016-06-30 18:16, Ludwig Krispenz wrote:
> > > On 06/30/2016 05:54 PM, d...@mdfive.dz wrote:
> > > > The crash is random: sometimes the user binds without a problem, sometimes it binds and there is the error message of the ipa plugin without a dirsrv crash. But when it crashes, this user's bind is found in the newly generated core file!
> > > ok, so the user might try or use different passwords. It could be helpful if you can install the debuginfo for the ipa-server package and get a new stack. Please post it to the list; you can X the credentials in the core, although I think they will not be proper credentials.
> > >
> > > Ludwig
> > >
> > > > On 2016-06-30 14:50, Ludwig Krispenz wrote:
> > > > > On 06/30/2016 02:45 PM, Ludwig Krispenz wrote:
> > > > > > On 06/30/2016 02:27 PM, d...@mdfive.dz wrote:
> > > > > > > Hi, please find strace on a core file: http://pastebin.com/v9cUzau4
> > > > > > the crash is in an IPA plugin, ipa_pwd_extop; to get a better stack you would have to install also the debuginfo for ipa-server. But the stack matches the error messages you have seen:
> > > > > >
> > > > > > [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file encoding.c, line 171]: generating kerberos keys failed [Invalid argument]
> > > > > > [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file encoding.c, line 225]: key encryption/encoding failed
> > > > > >
> > > > > > they are from the functions in the call stack.
> > > > > Looks like the user has a password with a \351 char:
> > > > >
> > > > > cred = {bv_len = 15, bv_val = 0x7fc7880013a0 "d\351sertification"}
> > > > >
> > > > > does the crash always happen with a bind from this user? and then someone familiar with this plugin should look into it
> > > > >
> > > > > Regards
> > > > > > > On 2016-06-30 12:13, Ludwig Krispenz wrote:
> > > > > > > > can you get a core file? http://www.port389.org/docs/389ds/FAQ/faq.html#debug_crashes
> > > > > > > >
> > > > > > > > On 06/30/2016 11:28 AM, d...@mdfive.dz wrote:
> > > > > > > > > Hi,
> > > > > > > > > The Directory Services crashes several times a day. It's installed on a CentOS 7 VM:
> > > > > > > > >
> > > > > > > > > Installed Packages
> > > > > > > > > Name: ipa-server
> > > > > > > > > Arch: x86_64
> > > > > > > > > Version: 4.2.0
> > > > > > > > >
> > > > > > > > > # ipactl status
> > > > > > > > > Directory Service: STOPPED
> > > > > > > > > krb5kdc Service: RUNNING
> > > > > > > > > kadmin Service: RUNNING
> > > > > > > > > ipa_memcached Service: RUNNING
> > > > > > > > > httpd Service: RUNNING
> > > > > > > > > pki-tomcatd Service: RUNNING
> > > > > > > > > ipa-otpd Service: RUNNING
> > > > > > > > > ipa: INFO: The ipactl command was successful
> > > > > > > > >
> > > > > > > > > Before each crash, I have these messages in /var/log/dirsrv/slapd-X/errors:
> > > > > > > > >
> > > > > > > > > [30/Jun/2016:09:35:19 +0100] ipapwd_encrypt_encode_key - [file encoding.c, line 171]: generating kerberos keys failed [Invalid argument]
> > > > > > > > > [30/Jun/2016:09:35:19 +0100] ipapwd_gen_hashes - [file encoding.c, line 225]: key encryption/encoding failed
> > > > > > > > >
> > > > > > > > > Any help?
> > > > > > > > >
> > > > > > > > > Best regards
>
> -- 
> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
> Commercial register: Amtsgericht Muenchen, HRB 153243,
> Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
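Ludwig's suspicion in the thread above is that the crashing bind carries a password with a \351 byte. As an added helper (not code from the thread or from FreeIPA), the Python below turns gdb's escaped string literals back into raw bytes and reports whether the credential is valid UTF-8 or only decodes as Latin-1, so that theory can be checked against the quoted frames without decoding octal by hand; the two cred lines are copied from those frames.

```python
import re

# Constructed copies of the two `cred` lines quoted from the gdb frames in this thread.
GDB_CREDS = {
    "first_crash": r'cred = {bv_len = 15, bv_val = 0x7fc7880013a0 "d\351sertification"}',
    "second_crash": r'cred = {bv_len = 9, bv_val = 0x7f6200034af0 "nw_PA\250\063\065\067"}',
}

_CRED_RE = re.compile(r'bv_len = (\d+), bv_val = 0x[0-9a-fA-F]+ "((?:\\.|[^"\\])*)"')
_ESC_RE = re.compile(r'\\([0-7]{1,3}|.)')
_SIMPLE_ESC = {"n": 0x0A, "t": 0x09, "r": 0x0D, "\\": 0x5C, '"': 0x22}


def unescape_gdb(literal: str) -> bytes:
    """Reverse gdb's C-style string escaping: \\NNN is an octal byte; \\n, \\t, \\" are the
    usual escapes. gdb also octal-escapes plain digits after an octal byte (\\063 is '3')."""
    out, pos = bytearray(), 0
    for m in _ESC_RE.finditer(literal):
        out += literal[pos:m.start()].encode("latin-1")
        esc = m.group(1)
        if esc[0] in "01234567":
            out.append(int(esc, 8))
        else:
            out.append(_SIMPLE_ESC.get(esc, ord(esc)))
        pos = m.end()
    out += literal[pos:].encode("latin-1")
    return bytes(out)


def triage_cred(frame_line: str) -> dict:
    """Recover the bind credential bytes from a gdb `cred = {bv_len = .., bv_val = .. "..."}`
    line and report whether they are valid UTF-8 or only decode as Latin-1."""
    m = _CRED_RE.search(frame_line)
    if m is None:
        raise ValueError("no berval-style cred in line")
    bv_len, raw = int(m.group(1)), unescape_gdb(m.group(2))
    try:
        raw.decode("utf-8")
        utf8_ok = True
    except UnicodeDecodeError:
        utf8_ok = False
    return {
        "bv_len": bv_len,
        "decoded_len": len(raw),
        "len_matches": bv_len == len(raw),  # sanity check that the unescaping was right
        "utf8_ok": utf8_ok,
        "latin1": raw.decode("latin-1"),  # any byte sequence decodes as Latin-1
        "non_ascii": [hex(b) for b in raw if b >= 0x80],
    }
```

Both quoted credentials fail UTF-8 decoding, and the first reads as Latin-1 "désertification", which is consistent with a client sending the password in Latin-1 rather than UTF-8.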
[Freeipa-users] Kerberos FreeIPA Question
Hello,

Is it possible to create a Kerberos ticket for a secondary domain?

CentOS 7.2, IPA 4.3.1

My installation: I have an IPA server for the domain test.com, LDAP & Kerberos TEST.COM. Now I would like to include another domain, new.net. Is it possible to have a Kerberos ticket for this domain also?

I found an example in a krb5.conf like this:

[domain_realm]
.test.com = TEST.COM
.new.net = TEST.COM
...

Is this possible with FreeIPA?

Thanks for an answer

-- 
with kind regards / best regards,
Günther J. Niederwimmer

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project