Re: [Freeipa-users] ipactl services running, but auth not working

2017-02-04 Thread Sullivan, Daniel [CRI]
I understand that there are reports from the client being unable to 
authenticate but what do the actual sssd logs say from the client, and from the 
server?  When the problem occurs just point a client to the DC directly 
(instead of using _srv_ for example).  Have you looked in /var/log/messages or 
run dmesg on the server?  Maybe something is dying because the system is 
running out of memory.  Is it swapping?  High CPU load?  Is it responding to 
LDAP queries (see my previous email)?

I still don’t know what you are actually trying to do really (i.e. is it just 
password authentication with sssd, are you using smart cards, kerberized 
sessions, is there an AD domain involved, etc?).  IPA is a suite of different 
components that work together; having an understanding of what you are doing and 
what your environment looks like is really important if you need help.

Dan

On Feb 3, 2017, at 4:11 PM, pgb205 wrote:

There are reports from multiple clients being unable to authenticate.
ipactl status shows all services as running.
The problem is fixed when I 'ipactl restart'.


From: "Sullivan, Daniel [CRI]"
To: pgb205
Cc: Freeipa-users
Sent: Friday, February 3, 2017 2:47 PM
Subject: Re: [Freeipa-users] ipactl services running, but auth not working

What exactly are you seeing to determine that the server is actually failing?  
Is it not possible that sssd (the client) is timing out?  Will 389ds service an 
LDAP request, i.e. can you run

ldapsearch -D "cn=Directory Manager" -w <password> -s base -b "cn=config" "(objectclass=*)"

What exactly are you trying to do?  Just password authentication to an sssd 
client?  Are you operating in a trusted AD environment?

Dan

On Feb 3, 2017, at 11:26 AM, pgb205 wrote:

My problem is with the server itself seemingly not providing services even 
though it claims to do so. Would be curious to know what to look at on freeipa 
server or how to increase logging


From: "Sullivan, Daniel [CRI]"
To: pgb205
Cc: Freeipa-users
Sent: Thursday, February 2, 2017 5:16 PM
Subject: Re: [Freeipa-users] ipactl services running, but auth not working

Have you looked at the sssd logs yet?

Dan

On Feb 2, 2017, at 4:13 PM, pgb205 wrote:

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
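
Added example, not part of the thread or of FreeIPA: a shell script for the server-side checks suggested above (OOM kills, swap pressure, whether 389-ds answers an LDAP read) when `ipactl status` reports everything running. The daemon list, the function names and the sample inputs are assumptions constructed for illustration, and the probe uses an anonymous root-DSE read instead of a Directory Manager bind.

```shell
#!/bin/sh
# Added triage example (not from the thread): checks beyond `ipactl status`.
# Daemon names below are an assumed list of typical FreeIPA server processes.
IPA_DAEMONS='ns-slapd|krb5kdc|kadmind|httpd|named|java'

# Print OOM-killer lines that name an IPA daemon. Reads kernel log text on
# stdin (dmesg or /var/log/messages); exit status 1 means no hits.
oom_hits() {
    grep -E "Kill(ed)? process [0-9]+ \(($IPA_DAEMONS)\)"
}

# Integer percentage of swap in use, from /proc/meminfo-format text on stdin.
swap_used_pct() {
    awk '/^SwapTotal:/ {t = $2} /^SwapFree:/ {f = $2}
         END { if (t > 0) printf "%d\n", (t - f) * 100 / t; else print 0 }'
}

# Anonymous root-DSE read against 389-ds, bounded by a timeout so a hung
# server shows up as FAIL instead of blocking. Prints OK, FAIL or SKIP.
ldap_probe() {
    command -v ldapsearch >/dev/null 2>&1 || { echo SKIP; return 0; }
    if timeout 10 ldapsearch -x -H "ldap://$1" -s base -b "" \
        "(objectclass=*)" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

# Run all three checks on the IPA server itself; $1 is its hostname.
triage() {
    echo "ldap: $(ldap_probe "$1")"
    echo "swap used: $(swap_used_pct < /proc/meminfo)%"
    dmesg 2>/dev/null | oom_hits || echo "oom: no IPA daemon kills in dmesg"
}

# Constructed sample inputs (not real logs) for trying the parsers offline.
SAMPLE_DMESG='[1234.5] Out of memory: Kill process 2211 (ns-slapd) score 611 or sacrifice child
[1234.6] Killed process 2211 (ns-slapd) total-vm:4194304kB, anon-rss:2097152kB, file-rss:0kB
[1300.1] Out of memory: Kill process 3001 (rsyslogd) score 12 or sacrifice child'
SAMPLE_MEMINFO='SwapTotal:       2000000 kB
SwapFree:         500000 kB'

if [ "$#" -gt 0 ]; then triage "$1"; fi
```

Run it on the server with the server's hostname as the only argument while the failure is occurring, before `ipactl restart` clears the state.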

[Freeipa-users] VERSION: 4.4.0, IPA Replica DOES NOT Work

2017-02-04 Thread deepak dimri
I am wondering: does IPA Replica as standalone, without IPA Master being up,
work for you guys? Mine and my colleague's IPA setup in our own Dev
environment with VERSION: 4.2 works perfectly fine, but now when we are
moving to staging env we are getting IPA version VERSION: 4.4.0,
API_VERSION: 2.213 installed through yum in centos 7 and replica now DOES
NOT WORK as standalone unit.

We either keep getting GATEWAY_TIMEOUT Error on the browser or it's taking
hell lot of time to fetch user and host objects from Replica DS. The moment
we bring our IPA Server up, replica also starts working fine.

I am not sure but unfortunately there is no helpful reply I am getting on
this issue and wondering if anyone else is having TIMEOUT issue with
replica with version 4.4?


Thanks,
Deepak

Re: [Freeipa-users] Can too many group memberships for an AD user cause SSSD or IPA problems?

2017-02-04 Thread Jakub Hrozek
On Fri, Feb 03, 2017 at 09:54:01AM -0500, Chris Dagdigian wrote:
> 
> I've got a case where "id @AD-DOMAIN" hangs forever after partially
> resolving and I think it may be because they are in way too many AD groups?

I don't think id should hang totally (at the very least, there is a NSS
timeout that should eventually kick in).

> 
> The 'id' command resolves the user but hangs before completing. There is a
> large amount of group data returned from the AD forest for this user and the
> 'id' command seems to pause/hang right at the 3024th character returned.
> 
> Looking for pointers / tips. I'm thinking the AD user is in way too many
> groups but I don't know if this is a real limit or what the limit may be.
> Any other reason why an 'id' command may start to work but hang before
> completion for an AD-defined user?

I would tail the sssd logs on the client and server to see if the
command really hangs or 'just' processes some super-large group.

Also, see:

https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/



[Freeipa-users] IPA replica setup for version 4.4

2017-02-04 Thread deepak dimri
I am trying to install ipa replica but getting below error when
running ipa-replica-install

I am following the link below for ipa 4.4:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/creating-the-replica.html


Run connection check to master
ipa.ipapython.install.cli.install_tool(Replica): ERROR Connection check failed!
Please fix your network settings according to error messages above


What could be the reason for this error?

Thanks,
Deepak