Re: [Freeipa-users] IPA and DNS reverse subnets
On 30/01/17 19:32, Tomasz Torcz wrote: On Mon, Jan 30, 2017 at 07:12:10PM +, lejeczek wrote: On 30/01/17 18:28, Tomasz Torcz wrote: On Mon, Jan 30, 2017 at 06:01:03PM +, lejeczek wrote: hi everybody I'm having trouble trying to figure out, or in other words make this to work: I'm setting up a domain in a subnet like this: 10.5.10.48/28 but not sure it I got it right. Host reverse resoling does not seem to right. I have: Zone name: 28/48.10.5.10.in-addr.arpa. <= this here is like non-usual, I understand it's how such a reverse subnet should be defined, but not 100% sure. Here you got it wrong. IPv4 reverses are split at octet boundary, you cannot have greater granularity. And for sure you cannot mix CIDR addressing (/28) and netblock type. On top of that, “/” is not correct character in DNS. how about this - http://www.zytrax.com/books/dns/ch9/reverse.html - would this not work? Wow. This is first time in my life I see this notation. Nevertheless, I was wrong with my previous email. Having read your link, I found http://www.freeipa.org/page/Howto/DNS_classless_IN-ADDR.ARPA_delegation Is this helpful? meanwhile I had it working partially, delegation to subnets works but not everything. More tampering to do, I'll post more findings later, hopefully. thanks. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA and DNS reverse subnets
On Mon, Jan 30, 2017 at 07:12:10PM +, lejeczek wrote: > > > On 30/01/17 18:28, Tomasz Torcz wrote: > > On Mon, Jan 30, 2017 at 06:01:03PM +, lejeczek wrote: > > > hi everybody > > > > > > I'm having trouble trying to figure out, or in other words make this to > > > work: > > > > > > I'm setting up a domain in a subnet like this: 10.5.10.48/28 but not sure > > > it > > > I got it right. > > > Host reverse resoling does not seem to right. I have: > > > > > > > > >Zone name: 28/48.10.5.10.in-addr.arpa. <= this here is like > > > non-usual, I > > > understand it's how such a reverse subnet should be defined, but not 100% > > > sure. > >Here you got it wrong. IPv4 reverses are split at octet boundary, you > > cannot have greater granularity. And for sure you cannot mix CIDR > > addressing (/28) > > and netblock type. On top of that, “/” is not correct character in DNS. > > how about this - http://www.zytrax.com/books/dns/ch9/reverse.html - would > this not work? Wow. This is first time in my life I see this notation. Nevertheless, I was wrong with my previous email. Having read your link, I found http://www.freeipa.org/page/Howto/DNS_classless_IN-ADDR.ARPA_delegation Is this helpful? -- Tomasz Torcz ,,If you try to upissue this patchset I shall be seeking xmpp: zdzich...@chrome.pl an IP-routable hand grenade.'' -- Andrew Morton (LKML) -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA and DNS reverse subnets
On 30/01/17 18:28, Tomasz Torcz wrote: On Mon, Jan 30, 2017 at 06:01:03PM +, lejeczek wrote: hi everybody I'm having trouble trying to figure out, or in other words make this to work: I'm setting up a domain in a subnet like this: 10.5.10.48/28 but not sure it I got it right. Host reverse resoling does not seem to right. I have: Zone name: 28/48.10.5.10.in-addr.arpa. <= this here is like non-usual, I understand it's how such a reverse subnet should be defined, but not 100% sure. Here you got it wrong. IPv4 reverses are split at octet boundary, you cannot have greater granularity. And for sure you cannot mix CIDR addressing (/28) and netblock type. On top of that, “/” is not correct character in DNS. how about this - http://www.zytrax.com/books/dns/ch9/reverse.html - would this not work? Your reverse zone is 10.5.10.in-addr.arpa. (IPv6 reverses are split at nibble boundary, FWIW). -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA and DNS reverse subnets
On Mon, Jan 30, 2017 at 06:01:03PM +, lejeczek wrote: > hi everybody > > I'm having trouble trying to figure out, or in other words make this to > work: > > I'm setting up a domain in a subnet like this: 10.5.10.48/28 but not sure it > I got it right. > Host reverse resoling does not seem to right. I have: > > > Zone name: 28/48.10.5.10.in-addr.arpa. <= this here is like non-usual, I > understand it's how such a reverse subnet should be defined, but not 100% > sure. Here you got it wrong. IPv4 reverses are split at octet boundary, you cannot have greater granularity. And for sure you cannot mix CIDR addressing (/28) and netblock type. On top of that, “/” is not correct character in DNS. Your reverse zone is 10.5.10.in-addr.arpa. (IPv6 reverses are split at nibble boundary, FWIW). -- Tomasz Torcz ,,If you try to upissue this patchset I shall be seeking xmpp: zdzich...@chrome.pl an IP-routable hand grenade.'' -- Andrew Morton (LKML) -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] IPA and DNS reverse subnets
hi everybody I'm having trouble trying to figure out, or in other words make this to work: I'm setting up a domain in a subnet like this: 10.5.10.48/28 but not sure it I got it right. Host reverse resoling does not seem to right. I have: Zone name: whale.private. Active zone: TRUE Authoritative nameserver: work1.whale.private. Administrator e-mail address: hostmaster.whale.private. SOA serial: 1485797688 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 Allow query: any; Allow transfer: none; Zone name: 28/48.10.5.10.in-addr.arpa. <= this here is like non-usual, I understand it's how such a reverse subnet should be defined, but not 100% sure. Active zone: TRUE Authoritative nameserver: work1.whale.private. Administrator e-mail address: hostmaster SOA serial: 1485790340 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 Allow query: any; Allow transfer: none; but: ~]$ host 10.5.10.55 Host 55.10.5.10.in-addr.arpa. not found: 3(NXDOMAIN) and when I try to install a replica: ~]$ ipa-replica-install --setup-dns --no-forwarders --setup-ca Password for admin@WHALE.PRIVATE: ipa : ERRORReverse DNS resolution of address 10.5.10.55 (work1.whale.private) failed. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.) I understand it's all in DNS, so.. how to tweak it, to fix it? many thank, L. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Needs help understand this timeout issue
I have had to deal with the symptoms you describe, never with 730 groups though. Based on my experience doing a lookup for a user in an AD trusted domain is a resource intensive process on the server. I’d first start by taking a look at your logs to see if the lookup is failing on the server or on the client. The logs should be able to tell you this. My suspicion is that the timeout is actually occurring on the server. If the timeout is occurring on the server, I would start by increasing one or both of these values: ldap_opt_timeout ldap_search_timeout If that doesn’t work I’d take look to see if the 389 server is under high load when you are performing this operation. The easiest way I have found to do this is to just execute an LDAP query directly against the IPA server when you are performing an id lookup, for example: ldapsearch -D "cn=Directory Manager" -w -s base -b "cn=config" "(objectclass=*)” If the LDAP server is not responsive you probably need to increase the number of worker threads for 389ds. Also, you might want to disable referrals, check out the man pages for this; ldap_referrals = false Also, FWIW, if you crank up debug logging on the sssd client, you should be able to see the amount of seconds of timeout assigned to the operation, and witness the fact that the operation is actually timing out by inspecting the logs themselves. The logs can get a little verbose but the data is there. Dan On Jan 30, 2017, at 4:00 AM, Troels Hansen> wrote: Hi there I'm trying to debug on a strange IPA timeout issue. Its SSSD 1.14, IPA 4.4, RHEL 7.3. 2 IPA servers in AD trust. Besides being a bit slow on groups membership lookups on users with a moderate number of Groups, there are some users with a HUGE amount of nested groups. A server just installed, thereby having clean cache: # time id shja id: shja: no such user real0m12.107s user0m0.000s sys 0m0.007s Hmm, lets try again: # sss_cache -E && systemctl restart sssd # time id shja id: shja: no such user real0m58.016s user0m0.001s sys 0m0.005s Hmm.. # sss_cache -E && systemctl restart sssd # time id shja ...about 30% of the users Groups are returned real5m16.840s user0m0.010s sys 0m0.019s Next lookup is pretty fast and returns all Groups (about 730). # time id shja real0m7.670s user0m0.028s sys 0m0.066s A few questions. The first times id seems to bail out and report no such user after whet seems to be a random amount of time. Then is actually starts fetching groups it fetches a portion of the Groups, and the last try it fetches all groups. It looks like IPA is starting a thread running in backgroups, filling the cache and this continues after the failed lookup? Shouldn't SSSD be able to use the cache from the the SSSD on the IPA server? In this example the IPA server had full cache of the user and groups but the time it took to do the lookup indicates its still traversing the AD? sssd.conf is pretty default: full_name_format = %1$s set on SSSD client. On IPA server this is added (no full_name_format): ignore_group_members = True ldap_purge_cache_timeout = 0 ldap_user_principal = nosuchattr subdomain_inherit = ldap_user_principal, ignore_group_members, ldap_purge_cache_timeout -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] caching of lookups / performance problem
Hi, I have another question about sssd performance. I’m having a difficult time doing a regularly performant ‘ls -l’ operation against /home, a mounted NFS share of all of our users home directories. There are 667 entries in this folder, and all of them have IDs that are resolvable via freeipa/sssd. We are using an AD trusted domain. It is clear to me why an initial invocation of this lookup should take some time (populating the local ldb cache). And it does. Usually around 5-10 minutes, but sometimes longer. After the initial lookups are complete, the output of ‘ls -l' renders fine, and I can inspect the local filesystem cache using ldbsearch and see that it is populated. The issue is that if I wait a while, or restart sssd, it appears that I have to go through all of these lookups again to render the directory listing. I am trying to find an optimal configuration for sssd.conf that will allow a performant ‘ls -l’ listing of a directory with a large number of different id numbers assigned to filesystem objects to always return results immediately from the local cache (after an initial invocation of this command for any given directory). I think basically what I want is to have the ldb cache always ‘up-to-date’, or at least have sssd willing to immediately dump what it has without having to do a bunch of lookups while blocking the ‘ls -l’ thread. If possible, whatever solution implemented should also survive a restart of the sssd process. In short, aside from an initial invocation, I never want ‘ls -l’ to take more than a few seconds. The issue described above is somewhat problematic because it appears to cause contention on the sssd process effectively allowing a user doing ls -l /home to inadvertently degrade system performance for another user. So far I have tried: 1) Implementing 'enumeration = true' for the [domain] section . This seems to have no impact. It might be worthwhile to note that we are using an AD trusted domain. 2) Using the refresh_expired_interval configuration for the [domain] section I have read the following two documents in a decent level of detail: https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/ https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/ It almost seems to me like the answer to this would be to keep the LDB cache valid indefinitely (step 4 on https://jhrozek.wordpress.com/2015/03/11/anatomy-of-sssd-user-lookup/). Presumably this is a problem that somebody has seen before. Would somebody be able to advise on the best way to deal with this? I appreciate your help. Thank you, Dan -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] Needs help understand this timeout issue
Hi there I'm trying to debug on a strange IPA timeout issue. Its SSSD 1.14, IPA 4.4, RHEL 7.3. 2 IPA servers in AD trust. Besides being a bit slow on groups membership lookups on users with a moderate number of Groups, there are some users with a HUGE amount of nested groups. A server just installed, thereby having clean cache: # time id shja id: shja: no such user real 0m12.107s user 0m0.000s sys 0m0.007s Hmm, lets try again: # sss_cache -E && systemctl restart sssd # time id shja id: shja: no such user real 0m58.016s user 0m0.001s sys 0m0.005s Hmm.. # sss_cache -E && systemctl restart sssd # time id shja ...about 30% of the users Groups are returned real 5m16.840s user 0m0.010s sys 0m0.019s Next lookup is pretty fast and returns all Groups (about 730). # time id shja real 0m7.670s user 0m0.028s sys 0m0.066s A few questions. The first times id seems to bail out and report no such user after whet seems to be a random amount of time. Then is actually starts fetching groups it fetches a portion of the Groups, and the last try it fetches all groups. It looks like IPA is starting a thread running in backgroups, filling the cache and this continues after the failed lookup? Shouldn't SSSD be able to use the cache from the the SSSD on the IPA server? In this example the IPA server had full cache of the user and groups but the time it took to do the lookup indicates its still traversing the AD? sssd.conf is pretty default: full_name_format = %1$s set on SSSD client. On IPA server this is added (no full_name_format): ignore_group_members = True ldap_purge_cache_timeout = 0 ldap_user_principal = nosuchattr subdomain_inherit = ldap_user_principal, ignore_group_members, ldap_purge_cache_timeout -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] sudo sometimes doesn't work
On Fri, Jan 27, 2017 at 02:15:16PM -0700, Orion Poplawski wrote: > EL7.3 > Users are in active directory via AD trust with IPA server > > sudo is configured via files - users in our default "nwra" group can run > certain sudo commands, e.g.: > > Cmnd_Alias WAKEUP = /sbin/ether-wake * > %nwra,%visitor,%ivm ALL=NOPASSWD: WAKEUP > > However, sometimes when I run sudo /sbin/ether-wake I get prompted for my > password. Other times it works fine. I've attached some logs from failed > attempt. So the sudo command is successfull in the end, it 'just' prompts for a password? I think the sudo logs would be the most important part here, see: https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO there is a section called ' a) How do I get sudo logs?' that explains how to generate them.. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] be_pam_handler_callback Backend returned: (3, 4, ) [Internal Error (System error)]
On 01/27/2017 12:51 PM, Harald Dunkel wrote: Hi Thierry, On 01/26/17 16:55, thierry bordaz wrote: Those entries are managed entries and it is not possible to delete them from direct ldap command. A solution proposed by Ludwig is not first make them unmanaged: cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de changetype: modify modify: objectclass delete: mepManagedEntry cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de changetype: modify modify: objectclass delete: mepManagedEntry Then retry to delete them. It should work for the first one but unsure it will succeed for the second one. I am not sure about this "managed" thing. This sounds like some kind of external influence. How can I make sure that removing these entries doesn't break something? Is the original entry managed in the same way as the duplicate? Regards Harri Hello Harri, sorry for this late answer. I understand your concern and in fact it is difficult to anticipate a potential bad impact of this cleanup. However,I think it is safe to get rid of the following entry. Before doing so you may check it exists cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de that is managedBy the ipaservers_hostgoups. dn: cn=ipaservers+nsuniqueid=109be304-ccd911e6-a5b3d0c8-d8da17db,cn=ng,cn=alt,dc=example,dc=de mepManagedBy: cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=de objectClass: mepManagedEntry If you are willing to remove that entry you need to remove the mepmanagedEntry oc. So you need to remove the mepManagedBy and oc in the same operation Regarding the following entry dn: cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de objectClass: mepOriginEntry mepManagedEntry: cn=ipaservers,cn=ng,cn=alt,dc=example,dc=de You may want to check if it exists an entry it manages, looking for "(mepManagedBy= cn=ipaservers+nsuniqueid=109be302-ccd911e6-a5b3d0c8-d8da17db,cn=hostgroups,cn=accounts,dc=example,dc=de )". If it exists none, you should be able to remove it. Also I think working on ipabak, you should be able to do some tests on the cleanup instance to validate everything is working fine. regards thierry -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project