Re: [Freeipa-users] IPA Service Restart causes clients to stop working

2014-07-08 Thread John Moyer
Jakub,

So far I have no logs, unfortunately since this is quite the
disruptive activity I am not willing to reproduce.   If I get some time
I can try to built a replica environment and try it there, but I don't
see me having that time.

John

On 7/7/14, 4:28 PM, Jakub Hrozek wrote:
 On Mon, Jul 07, 2014 at 04:09:24PM -0300, Bruno Henrique Barbosa wrote:
 I can confirm this, I usually run through this after a power outage on my 
 datacenter... Suddenly my /var/log/secure starts saying invalid user (7) to 
 SSH attempts, SSSD logs empty, and I have to logon and restart sssd on every 
 VM manually. 
 Hello Bruno, see my reply to John, if you can capture the sssd logs,
 that would be very welcome in tracking down the problem.

 - Original message -

 From: John Moyer john.mo...@digitalreasoning.com 
 To: Jakub Hrozek jhro...@redhat.com, freeipa-users@redhat.com 
 Sent: Monday, 7 July 2014 15:56:18 
 Subject: Re: [Freeipa-users] IPA Service Restart causes clients to stop 
 working 


 The /var/log/secure is saying invalid user. When I do a getent passwd $USER 
 I can't get any user from IPA until sssd is restarted. The SSSD logs are 
 completely empty. Below is the sssd.conf if that helps. 


 Also I just had a server that I fixed (by restarting sssd) break again, 
 restarting sssd fixed it again though. 




 sssd.conf 
 [domain/digitalreasoning.com] 

 cache_credentials = True 
 krb5_store_password_if_offline = True 
 ipa_domain = digitalreasoning.com 
 id_provider = ipa 
 auth_provider = ipa 
 access_provider = ipa 
 ldap_tls_cacert = /etc/ipa/ca.crt 
 ipa_hostname = client.digitalreasoning.com 
 chpass_provider = ipa 
 ipa_server = _srv_, server1.digitalreasoning.com 
 dns_discovery_domain = digitalreasoning.com 
 [sssd] 
 services = nss, pam, ssh 
 config_file_version = 2 

 domains = digitalreasoning.com 
 [nss] 

 [pam] 

 [sudo] 

 [autofs] 

 [ssh] 

 [pac] 


 On 7/7/14, 2:19 PM, Jakub Hrozek wrote: 


 On Mon, Jul 07, 2014 at 11:36:26AM -0400, John Moyer wrote: 
 Hello All,

 Some of the services in IPA stopped responding and I restarted the
 service (as I couldn't login to the website or via ssh to any registered
 hosts).   After the restart I could login to the web app, but still no
 clients.   I currently can login to one client that I restarted sssd on.
   Any suggestions how to fix the rest without having to go to all of
 them to restart sssd? 

 Can you log in as root to the clients and check out /var/log/secure
 and/or the sssd logs?

 Do your clients cache credentials?

 I suspect that when IPA went down, the clients went offline and still
 haven't re-checked the online status..how long since the IPA server went
 offline? 





 Thanks, 

 John Moyer 
 Director, IT Operations 


 -- 
 Manage your subscription for the Freeipa-users mailing list: 
 https://www.redhat.com/mailman/listinfo/freeipa-users 
 Go To http://freeipa.org for more info on the project 




Thanks,

John Moyer
Director, IT Operations

[Freeipa-users] IPA Service Restart causes clients to stop working

2014-07-07 Thread John Moyer
Hello All,

Some of the services in IPA stopped responding and I restarted the
service (as I couldn't login to the website or via ssh to any registered
hosts).   After the restart I could login to the web app, but still no
clients.   I currently can login to one client that I restarted sssd on.
  Any suggestions how to fix the rest without having to go to all of
them to restart sssd?  

Thanks,

John Moyer
Director, IT Operations


Re: [Freeipa-users] IPA Service Restart causes clients to stop working

2014-07-07 Thread John Moyer
The /var/log/secure is saying invalid user.   When I do a getent passwd
$USER I can't get any user from IPA until sssd is restarted.  The SSSD
logs are completely empty.   Below is the sssd.conf if that helps. 


Also I just had a server that I fixed (by restarting sssd) break again,
restarting sssd fixed it again though. 




sssd.conf
[domain/digitalreasoning.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = digitalreasoning.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = client.digitalreasoning.com
chpass_provider = ipa
ipa_server = _srv_, server1.digitalreasoning.com
dns_discovery_domain = digitalreasoning.com
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = digitalreasoning.com
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]


On 7/7/14, 2:19 PM, Jakub Hrozek wrote:
 On Mon, Jul 07, 2014 at 11:36:26AM -0400, John Moyer wrote:
 Hello All,

 Some of the services in IPA stopped responding and I restarted the
 service (as I couldn't login to the website or via ssh to any registered
 hosts).   After the restart I could login to the web app, but still no
 clients.   I currently can login to one client that I restarted sssd on.
   Any suggestions how to fix the rest without having to go to all of
 them to restart sssd?  
 Can you log in as root to the clients and check out /var/log/secure
 and/or the sssd logs?

 Do your clients cache credentials?

 I suspect that when IPA went down, the clients went offline and still
 haven't re-checked the online status..how long since the IPA server went
 offline?





Thanks,

John Moyer
Director, IT Operations

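The two manual checks in this thread (sshd logging "Invalid user" for accounts that do exist in IPA, and `getent passwd` returning nothing until sssd is restarted) can be combined into one client-side health check. The script below is an added example, not code from the thread or from the FreeIPA/SSSD projects. The /var/log/secure lines are constructed; KNOWN_IPA_USERS stands in for accounts you expect this host to resolve, and the `run` parameter exists so the probe can be faked for testing. The restart command is the EL6 init-script form used in the thread.

```python
"""Check whether an IPA client is stuck with dead identity lookups.

Added example, not code from the thread.  Automates the thread's two manual
checks: 'Invalid user' lines in /var/log/secure and `getent passwd <user>`.
"""
import re
import subprocess
from collections import Counter
from typing import Callable, Dict, List, Tuple

# sshd writes this line when the name service (here: SSSD) cannot resolve the login name.
INVALID_USER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample of /var/log/secure: two real IPA accounts rejected after the
# IPA restart, plus an unrelated scan for 'admin' that must not be counted.
SAMPLE_SECURE = [
    "Jul  7 10:15:02 client sshd[2231]: Invalid user john.moyer from 10.0.0.5",
    "Jul  7 10:15:02 client sshd[2231]: input_userauth_request: invalid user john.moyer",
    "Jul  7 10:16:40 client sshd[2250]: Invalid user bruno from 10.0.0.9",
    "Jul  7 10:17:11 client sshd[2260]: Accepted publickey for root from 10.0.0.5 port 51122 ssh2",
    "Jul  7 10:18:03 client sshd[2271]: Invalid user admin from 203.0.113.7",
]
KNOWN_IPA_USERS = ["john.moyer", "bruno"]  # assumption: accounts that must resolve on this host


def parse_invalid_users(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, user, source) for every sshd 'Invalid user' event."""
    events = []
    for line in lines:
        m = INVALID_USER_RE.match(line)
        if m:
            events.append((m.group("ts"), m.group("user"), m.group("src")))
    return events


def rejected_known_users(events, known_users) -> Counter:
    """Count rejections of accounts IPA should know; random scans are ignored."""
    known = set(known_users)
    return Counter(user for _, user, _ in events if user in known)


def getent_passwd(user: str, run: Callable = subprocess.run) -> bool:
    """True if `getent passwd <user>` returns an entry (the thread's manual test)."""
    proc = run(["getent", "passwd", user], capture_output=True, text=True)
    return proc.returncode == 0 and bool(proc.stdout.strip())


def diagnose(lines, known_users, run: Callable = subprocess.run) -> Dict:
    """Combine both signals: sshd rejected known users AND lookups still fail now."""
    hits = rejected_known_users(parse_invalid_users(lines), known_users)
    unresolved = [u for u in known_users if not getent_passwd(u, run)]
    return {
        "rejections": dict(hits),
        "unresolved": unresolved,
        # rejections in the log but lookups work now: SSSD recovered (or was restarted);
        # rejections plus lookups that still fail: SSSD is stuck, restart it.
        "sssd_stuck": bool(hits) and bool(unresolved),
    }


def restart_sssd(run: Callable = subprocess.run) -> bool:
    """The remedy used in the thread (EL6 init script); True on success."""
    return run(["service", "sssd", "restart"]).returncode == 0


if __name__ == "__main__":
    try:
        with open("/var/log/secure") as fh:
            lines = fh.readlines()
    except OSError:
        lines = SAMPLE_SECURE  # fall back to the constructed sample elsewhere
    report = diagnose(lines, KNOWN_IPA_USERS)
    print(report)
    if report["sssd_stuck"]:
        print("SSSD looks stuck offline; restarting:", restart_sssd())
```

Counting only rejections of known accounts matters: "Invalid user" on its own is also what every password-guessing scan produces, so the log signal is only meaningful when intersected with accounts that should resolve, and only actionable when a live `getent` probe still fails.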

Re: [Freeipa-users] Problem finding new users via command line

2014-06-18 Thread John Moyer
Rob,

That is correct, I just put my ssh key in for that new user and was
unable to ssh to one of the nodes registered with IPA.  I also logged in
as myself (which did work) and then ran getent password new.user and
that yielded nothing, but getent password john.moyer yielded all of my
information.  



On 6/17/14, 11:26 AM, Rob Crittenden wrote:
 John Moyer wrote:
 Sorry forgot the second part of your question:

 rpm -qa | grep ipa
 libipa_hbac-1.9.2-129.el6_5.4.x86_64
 ipa-server-3.0.0-37.el6.x86_64
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 python-iniparse-0.3.1-2.1.el6.noarch
 libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
 ipa-python-3.0.0-37.el6.x86_64
 ipa-client-3.0.0-37.el6.x86_64
 ipa-admintools-3.0.0-37.el6.x86_64
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 ipa-server-selinux-3.0.0-37.el6.x86_64
 It's important that we're comparing apples to apples. Is this a search
 against the same IPA server or do you have multiple masters?

 I assume that SSSD isn't seeing these new users either which is what
 led you to ldapsearch?

 You might want to do the same search on a working and non-working box
 and compare the 389-ds access logs to see if there is anything noticeable.

 rob


 John

 On 6/17/14, 8:30 AM, John Moyer wrote:
 I'm using ldapsearch.  The command I was using was like the one below
 (edited to protect creds/users).

 ldapsearch -x -h ipa.digitalreasoning.com -ZZ -b
 dc=digitalreasoning,dc=com -D
 uid=adminuser,cn=users,cn=accounts,dc=digitalreasoning,dc=com -w
 'password' uid=first.last


 # extended LDIF
 #
 # LDAPv3
 # base dc=digitalreasoning,dc=com with scope subtree
 # filter: uid=first.last
 # requesting: ALL
 #

 # search result
 search: 3
 result: 0 Success

 # numResponses: 1


 Any help is much appreciated! 

 Thanks,

 John



 On 6/16/14, 6:22 PM, Rob Crittenden wrote:
 John Moyer wrote:
 Hello All,

 I'm having a problem querying new users.   

 I can create the user from the webpage no problem, and I can see
 them afterwards via the webpage.  I can then see those users via ipa
 user-find, as well as a LOCAL ldapsearch, even remotely from apache
 directory studio.  However, if I go to another linux box and do an
 ldapsearch the new user (only the new user) is not seen in the search.  
 Users created before today work great.   Now I did change stuff, I did a
 yum upgrade last weekend and this was not a problem before I did this.  
 Any help or guidance to make a remote ldapsearch work on new users would
 be greatly appreciated!  
 What command-line are you using? What rpm version is [free]ipa-python?
 Do you have multiple masters or is this a single IPA server?

 rob




 Thanks,
 
 John Moyer




 Thanks,
 
 John Moyer
 Director, IT Operations
 901 N. Stuart St. STE 904A
 Arlington,VA 22203
 703.678.2311 Office
 240.460.0023 Cell
 703.678.2312 Fax




Thanks,

John Moyer
Director, IT Operations
901 N. Stuart St. STE 904A
Arlington,VA 22203
703.678.2311 Office
240.460.0023 Cell
703.678.2312 Fax
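Rob's suggestion is to run the same search on a working and a non-working box and compare. The script below is an added example, not code from the thread or from FreeIPA: it parses the LDIF that ldapsearch prints (comments, folded continuation lines, base64 `::` values and the search/result trailer) and reports which entries are missing on which master, plus attribute drift on entries all masters return. Save the identical ldapsearch output from each master (for instance `ldapsearch ... '(uid=first.last)' > server1.ldif`) and hand the texts to `compare_masters`. The two LDIF texts and the host names are constructed samples.

```python
"""Run the same ldapsearch against several IPA masters and diff the results.

Added example, not code from the thread or the FreeIPA project.  The two LDIF
texts below are constructed samples.
"""
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> Dict[str, Entry]:
    """ldapsearch LDIF -> {dn: {attr: [values]}}; handles '#' comments, folded
    continuation lines, base64 ('attr::') values and the search/result trailer."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # continuation of the previous line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries: Dict[str, Entry] = {}
    dn, attrs = None, {}
    for line in logical:
        if not line.strip():                     # blank line closes an entry
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        name = name.strip().lower()
        if rest.startswith(":"):                 # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name == "dn":
            dn, attrs = value, {}
        elif dn is not None:                     # 'search:'/'result:' trailer lines are skipped
            attrs.setdefault(name, []).append(value)
    if dn is not None:
        entries[dn] = attrs
    return entries


def compare_masters(outputs: Dict[str, str]) -> Dict[str, Dict]:
    """Entries missing on some masters, and attribute drift on the shared ones."""
    parsed = {host: parse_ldif(text) for host, text in outputs.items()}
    hosts = sorted(parsed)
    report: Dict[str, Dict] = {}
    for dn in sorted(set().union(*(e.keys() for e in parsed.values()))):
        present = [h for h in hosts if dn in parsed[h]]
        missing = [h for h in hosts if dn not in parsed[h]]
        if missing:
            report[dn] = {"present_on": present, "missing_on": missing}
        else:
            drift = [h for h in present[1:] if parsed[h][dn] != parsed[present[0]][dn]]
            if drift:
                report[dn] = {"attribute_drift_on": drift}
    return report


# Constructed samples: server1 returns both users, server2 lacks the new one.
# One value is base64-encoded and one is folded, as real ldapsearch output can be.
SERVER1_LDIF = """# extended LDIF
# filter: (objectclass=inetorgperson)
#

dn: uid=john.moyer,cn=users,cn=accounts,dc=example,dc=com
uid: john.moyer
displayName:: Sm9obiBNb3llcg==
description: a long description that is fol
 ded across two lines

dn: uid=first.last,cn=users,cn=accounts,dc=example,dc=com
uid: first.last
displayName: First Last

# search result
search: 2
result: 0 Success

# numResponses: 3
"""

SERVER2_LDIF = """dn: uid=john.moyer,cn=users,cn=accounts,dc=example,dc=com
uid: john.moyer
displayName:: Sm9obiBNb3llcg==
description: a long description that is fol
 ded across two lines

# search result
search: 2
result: 0 Success
"""


def demo() -> Dict[str, Dict]:
    return compare_masters({"server1": SERVER1_LDIF, "server2": SERVER2_LDIF})


if __name__ == "__main__":
    for dn, info in demo().items():
        print(dn, info)
```

An entry that is present on one master and missing on another, with the search otherwise identical, points at replication rather than at the client; an entry present everywhere but with differing attributes points at a partially applied update.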

Re: [Freeipa-users] Problem finding new users via command line

2014-06-17 Thread John Moyer
Sorry forgot the second part of your question:

rpm -qa | grep ipa
libipa_hbac-1.9.2-129.el6_5.4.x86_64
ipa-server-3.0.0-37.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
ipa-python-3.0.0-37.el6.x86_64
ipa-client-3.0.0-37.el6.x86_64
ipa-admintools-3.0.0-37.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-server-selinux-3.0.0-37.el6.x86_64


John

On 6/17/14, 8:30 AM, John Moyer wrote:
 I'm using ldapsearch.  The command I was using was like the one below
 (edited to protect creds/users).

 ldapsearch -x -h ipa.digitalreasoning.com -ZZ -b
 dc=digitalreasoning,dc=com -D
 uid=adminuser,cn=users,cn=accounts,dc=digitalreasoning,dc=com -w
 'password' uid=first.last


 # extended LDIF
 #
 # LDAPv3
 # base dc=digitalreasoning,dc=com with scope subtree
 # filter: uid=first.last
 # requesting: ALL
 #

 # search result
 search: 3
 result: 0 Success

 # numResponses: 1


 Any help is much appreciated! 

 Thanks,

 John



 On 6/16/14, 6:22 PM, Rob Crittenden wrote:
 John Moyer wrote:
 Hello All,

 I'm having a problem querying new users.   

 I can create the user from the webpage no problem, and I can see
 them afterwards via the webpage.  I can then see those users via ipa
 user-find, as well as a LOCAL ldapsearch, even remotely from apache
 directory studio.  However, if I go to another linux box and do an
 ldapsearch the new user (only the new user) is not seen in the search.  
 Users created before today work great.   Now I did change stuff, I did a
 yum upgrade last weekend and this was not a problem before I did this.  
 Any help or guidance to make a remote ldapsearch work on new users would
 be greatly appreciated!  
 What command-line are you using? What rpm version is [free]ipa-python?
 Do you have multiple masters or is this a single IPA server?

 rob





 Thanks,
 
 John Moyer





Thanks,

John Moyer
Director, IT Operations
901 N. Stuart St. STE 904A
Arlington,VA 22203
703.678.2311 Office
240.460.0023 Cell
703.678.2312 Fax
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] Problem finding new users via command line

2014-06-16 Thread John Moyer
Hello All,

I'm having a problem querying new users.   

I can create the user from the webpage no problem, and I can see
them afterwards via the webpage.  I can then see those users via ipa
user-find, as well as a LOCAL ldapsearch, even remotely from apache
directory studio.  However, if I go to another linux box and do an
ldapsearch the new user (only the new user) is not seen in the search.  
Users created before today work great.   Now I did change stuff, I did a
yum upgrade last weekend and this was not a problem before I did this.  
Any help or guidance to make a remote ldapsearch work on new users would
be greatly appreciated!  


Thanks,

John Moyer


[Freeipa-users] IPA not Starting after crash

2014-02-13 Thread John Moyer
Hello All, 

We’ve been running IPA now nicely for a while, and I wrote a script to 
run something every minute and that filled the logs and crashed the server.   I 
cleared the logs and started IPA again.  


[root@ log]# ipactl start
Starting Directory Service
Starting dirsrv:
DIGITALREASONING-COM... already running[  OK  ]
PKI-IPA... already running [  OK  ]
Failed to read data from Directory Service: Failed to get list of services to 
probe status!
Configured hostname ‘blah.digitalreasoning.com' does not match any master 
server in LDAP:
No master found because of error: {'matched': 'dc=digitalreasoning,dc=com', 
'desc': 'No such object'}


Thanks, 
_
John Moyer
Director, IT Operations




Re: [Freeipa-users] IPA not Starting after crash

2014-02-13 Thread John Moyer
I think I know my problem, back in August I was having performance issues so I 
hooked part of my IPA server to RAM disk.  I’m assuming looking at the symlink 
below that since I’ve rebooted the server that I’m completely out of luck. 

This is in this directory : /var/lib/dirsrv/slapd-DIGITALREASONING-COM/

lrwxrwxrwx 1 root   root 12 Aug 27 03:21 db -> /dev/shm/db/

At this point I just want confirmation that my data is gone.   I was doing 
backups, but of the disks not the RAM.  

Thanks, 
_
John Moyer
Director, IT Operations

On Feb 13, 2014, at 2:20 PM, Dmitri Pal d...@redhat.com wrote:

 On 02/13/2014 02:12 PM, John Moyer wrote:
 
 This is the error log when I try to start it: 
 
 [13/Feb/2014:19:08:28 +] - 389-Directory/1.2.11.15 B2013.357.177 
 starting up
 [13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no entries set 
 up under cn=computers, cn=compat,dc=digitalreasoning,dc=com
 [13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no entries set 
 up under cn=groups, cn=compat,dc=digitalreasoning,dc=com
 [13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no entries set 
 up under cn=ng, cn=compat,dc=digitalreasoning,dc=com
 [13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no entries set 
 up under ou=sudoers,dc=digitalreasoning,dc=com
 [13/Feb/2014:19:08:28 +] schema-compat-plugin - warning: no entries set 
 up under cn=users, cn=compat,dc=digitalreasoning,dc=com
 [13/Feb/2014:19:08:28 +] dna-plugin - dna_parse_config_entry: Unable to 
 locate shared configuration entry 
 (cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=digitalreasoning,dc=com)
 [13/Feb/2014:19:08:28 +] dna-plugin - dna_parse_config_entry: Invalid 
 config entry [cn=posix ids,cn=distributed numeric assignment 
 plugin,cn=plugins,cn=config] skipped
 [13/Feb/2014:19:08:28 +] - slapd started.  Listening on All Interfaces 
 port 389 for LDAP requests
 [13/Feb/2014:19:08:28 +] - Listening on All Interfaces port 636 for 
 LDAPS requests
 [13/Feb/2014:19:08:28 +] - Listening on 
 /var/run/slapd-DIGITALREASONING-COM.socket for LDAPI requests
 [13/Feb/2014:19:08:30 +] - slapd shutting down - signaling operation 
 threads
 [13/Feb/2014:19:08:30 +] - slapd shutting down - closing down internal 
 subsystems and plugins
 [13/Feb/2014:19:08:30 +] - Waiting for 4 database threads to stop
 [13/Feb/2014:19:08:30 +] - All database threads now stopped
 [13/Feb/2014:19:08:30 +] - slapd stopped.
 
 Seems like your dna-plugin configuration is corrupted or missing.
 The easiest way would be probably to reinit or reinstall replica.
 If we want to try to repair we need help from DS team.
 
 
 
 
 Thanks, 
 _
 John Moyer
 Director, IT Operations
 
 On Feb 13, 2014, at 2:10 PM, Rob Crittenden rcrit...@redhat.com wrote:
 
 John Moyer wrote:
 Hello All,
 
 We’ve been running IPA now nicely for a while, and I wrote a script to
 run something every minute and that filled the logs and crashed the
 server.   I cleared the logs and started IPA again.
 
 
 [root@ log]# ipactl start
 Starting Directory Service
 Starting dirsrv:
 DIGITALREASONING-COM... already running[  OK  ]
 PKI-IPA... already running [  OK  ]
 Failed to read data from Directory Service: Failed to get list of
 services to probe status!
 Configured hostname ‘blah.digitalreasoning.com
 http://blah.digitalreasoning.com' does not match any master server in
 LDAP:
 No master found because of error: {'matched':
 'dc=digitalreasoning,dc=com', 'desc': 'No such object'}
 
 I'd check /var/log/dirsrv/slapd-DIGITALREASONING-COM/errors to see if there 
 are any database consistency problems.
 
 rob
 
 
 
 
 
 
 -- 
 Thank you,
 Dmitri Pal
 
 Sr. Engineering Manager for IdM portfolio
 Red Hat Inc.
 
 
 ---
 Looking to carve out IT costs?
 www.redhat.com/carveoutcosts/
 
 



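The failure here is that the instance's `db` directory was a symlink into /dev/shm, so the directory database lived on tmpfs and vanished at reboot while the disk backups never contained it. The check below is an added example, not code from the thread or from 389-ds/FreeIPA: it resolves the db path of every slapd-* instance, looks up which mount the real path lives on, and flags volatile filesystem types. The /proc/mounts text is a constructed sample, and `resolve` is injectable so the symlink case can be tested without a real instance.

```python
"""Detect a 389-ds database directory that lives on volatile storage.

Added example, not code from the thread.  The thread's db symlink pointed into
/dev/shm (tmpfs); the /proc/mounts sample below is constructed.
"""
import os
from typing import Callable, Dict, List, Tuple

VOLATILE_FS = {"tmpfs", "ramfs", "devtmpfs"}
DIRSRV_BASE = "/var/lib/dirsrv"   # default instance location; instances are slapd-<NAME>


def parse_mounts(text: str) -> List[Tuple[str, str]]:
    """Turn /proc/mounts text into (mountpoint, fstype) pairs, in mount order."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            mounts.append((parts[1], parts[2]))
    return mounts


def fstype_for(path: str, mounts: List[Tuple[str, str]]) -> str:
    """Filesystem type of `path`: the longest mountpoint prefix wins; on a tie
    the later mount wins, because a later mount shadows an earlier one."""
    best_mp, best_fs = "", "unknown"
    for mp, fs in mounts:
        prefix = mp.rstrip("/") + "/"
        if (path == mp or path.startswith(prefix)) and len(mp) >= len(best_mp):
            best_mp, best_fs = mp, fs
    return best_fs


def check_db_dir(db_path: str, mounts: List[Tuple[str, str]],
                 resolve: Callable[[str], str] = os.path.realpath) -> Dict:
    """Follow symlinks (the thread's db -> /dev/shm/db case), then classify the target."""
    real = resolve(db_path)
    fs = fstype_for(real, mounts)
    return {"path": db_path, "resolved": real, "fstype": fs, "volatile": fs in VOLATILE_FS}


def check_all_instances(base: str = DIRSRV_BASE) -> List[Dict]:
    """Check the db directory of every slapd-* instance on this host."""
    with open("/proc/mounts") as fh:
        mounts = parse_mounts(fh.read())
    names = sorted(os.listdir(base)) if os.path.isdir(base) else []
    return [check_db_dir(os.path.join(base, n, "db"), mounts)
            for n in names if n.startswith("slapd-")]


# Constructed /proc/mounts: root on ext4, /dev/shm on tmpfs.
SAMPLE_MOUNTS = """rootfs / rootfs rw 0 0
/dev/mapper/vg-root / ext4 rw,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
"""

if __name__ == "__main__":
    for r in check_all_instances():
        flag = "VOLATILE: data will not survive a reboot" if r["volatile"] else "ok"
        print(f'{r["path"]} -> {r["resolved"]} [{r["fstype"]}] {flag}')
```

The same check belongs in whatever verifies backups: a backup of the disks is only a backup of the directory if the resolved db path is on one of those disks.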

Re: [Freeipa-users] IPA Load Problems?

2013-09-04 Thread John Moyer
That summary is correct.   The only thing I would add is that other 
applications could easily bring the IPA server to its knees as well.   Our 
artifact server also did many connections per sec when used, and one person 
doing a build could bring IPA to its knees as well.  Also, not only would IPA 
be maxed at 100%, but users would complain that their builds were taking longer 
than normal (with or without the JIRA sync going, however, it was obviously 
worse when JIRA was running).   

Also, my IPA server was a larger/faster server than my LDAP server.   
So my LDAP server would run circles around IPA even though it was on a smaller 
machine. LDAP would run at about 10% maybe 15% CPU when the JIRA sync ran. 

IF you need any other information let me know.

Thanks, 
_
John Moyer
Director, IT Operations


On Sep 4, 2013, at 8:32 AM, Dmitri Pal d...@redhat.com wrote:

 On 09/04/2013 08:01 AM, John Moyer wrote:
 
 Martin, 
 
  I apologize there was a large offline conversation between Rich and myself. 
   Rich was kind enough to help me through some of my issues.  We did a lot 
 more tests and poking and prodding.   We discovered that IPA is not as 
 efficient when dealing with large number of connections.  Most of my load 
 inefficiently reconnect to IPA over and over and over and though LDAP can 
 deal with this fairly efficiently, IPA apparently drops to its knees.   
 
  A ticket was opened to address this issue.
  
  https://fedorahosted.org/freeipa/ticket/3892
 
 
 
 Thank you for reporting this ticket.
 Martin is investigating it and trying to see what is the cause. The 
 information mentioned above is missing from the ticket, thus the question.
 
 So to summarize: you identified that the cause of the performance issue is 
 that JIRA makes a lot of parallel connections to LDAP server and IPA is slow 
 processing bind operations thus clients that do a lot of connections can 
 experience a low performance.
 
 Martin, I wonder if we can have a test that would just do a lot of binds.
 There are a lot of plugins and one of the recent ones is the OTP one. I 
 wonder if we do too much during bind when OTP is not enabled (by default).
 
 Thanks, 
 _
 John Moyer
 Director, IT Operations
 Digital Reasoning Systems, Inc.
 john.mo...@digitalreasoning.com
 Office: 703.678.2311
 Mobile: 240.460.0023
 Fax: 703.678.2312
 www.digitalreasoning.com
 
 On Sep 4, 2013, at 3:44 AM, Martin Kosek mko...@redhat.com wrote:
 
 On 08/30/2013 11:08 PM, John Moyer wrote:
 Well IPA has machine entries on some test clusters that I'm rolling IPA
 out on (20 machines maybe) but the user base is the same (about 80 ~ 100)
 accounts with maybe 40 to 50 groups?
 
 I've stood up a clone of the jira server along with IPA.   I cleared my
 logs and then did the sync and ran the log analyzer on it.   These stats
 are pretty much ONLY for that jira sync I don't have any other connections
 pointed to it.
 
 
 Start of Log:                 30/Aug/2013:15:57:13
 End of Log:                   30/Aug/2013:16:01:14
 
 Processed Log Time:           Hours, 4 Minutes, 1 Seconds
 
 Restarts:                     1
 Total Connections:            824
 SSL Connections:              824
 Peak Concurrent Connections:  6
 Total Operations:             1806
 Total Results:                1805
 Overall Performance:          99.9%
 
 Searches:                     968    (4.02/sec)  (241.00/min)
 Modifications:                5      (0.02/sec)  (1.24/min)
 Adds:                         0      (0.00/sec)  (0.00/min)
 Deletes:                      0      (0.00/sec)  (0.00/min)
 Mod RDNs:                     0      (0.00/sec)  (0.00/min)
 Compares:                     0      (0.00/sec)  (0.00/min)
 Binds:                        833    (3.46/sec)  (207.39/min)
 
 Proxied Auth Operations:      0
 Persistent Searches:          1
 Internal Operations:          0
 Entry Operations:             0
 Extended Operations:          0
 Abandoned Requests:           0
 Smart Referrals Received:     0
 
 VLV Operations:               0
 VLV Unindexed Searches:       0
 SORT Operations:              0
 
 Entire Search Base Queries:   0
 Unindexed Searches:           1
 
 This looks like a promising way to find out the reason, thanks John. However,
 I see just one unindexed search. Is the access log complete? Previously I see
 that the sync takes 900 seconds/15 minutes, but there is only 4 minutes in the
 access log. Note that it may take some time until the log is dumped.
 
 I think it would be also useful to run the analyzer with -ula flags as Rob
 suggested earlier to find out the unindexed searches (if any).
 
 What I find interesting is that JIRA does a lot of LDAP BINDs. Can the
 problem be in longer BINDs than expected (compared to for example
 plain LDAP servers)? Performance-wise, it would be I think better if JIRA
 does just one BIND and run all the LDAP searches the established

Re: [Freeipa-users] IPA Load Problems?

2013-09-04 Thread John Moyer
Sure, just let me know what needs to be run/applied.  I've already rolled back 
to LDAP, so if the fix looks like it works I can then roll it out again.

Thanks, 
_
John Moyer
Director, IT Operations

On Sep 4, 2013, at 9:12 AM, Dmitri Pal d...@redhat.com wrote:

 On 09/04/2013 08:53 AM, John Moyer wrote:
 
 That summary is correct.   The only thing I would add is that other 
 applications could easily bring the IPA server to its knees as well.  
 
 Yes this is what I meant. It is not only JIRA. Any client that creates a lot 
 of connections can cause problems.
 
 Our artifact server also did many connections per sec when used, and one 
 person doing a build could bring IPA to its knees as well.  Also, not only 
 would IPA be maxed at 100%, but users would complain that their builds were 
 taking longer than normal (with or without the JIRA sync going, however, it 
 was obviously worse when JIRA was running).   
 
  Also, my IPA server was a larger/faster server than my LDAP server.   So my 
 LDAP server would run circles around IPA even though it was on a smaller 
 machine. LDAP would run at about 10% maybe 15% CPU when the JIRA sync ran. 
 
  IF you need any other information let me know.
 
 No this seems to be enough.
 Thank you.
 
 Would you be willing to test a fix if one is provided?
 
 Thanks
 Dmitri
 
 
 Thanks, 
 _
 John Moyer
 Director, IT Operations
 
 
 On Sep 4, 2013, at 8:32 AM, Dmitri Pal d...@redhat.com wrote:
 
 On 09/04/2013 08:01 AM, John Moyer wrote:
 
 Martin, 
 
  I apologize there was a large offline conversation between Rich and 
 myself.   Rich was kind enough to help me through some of my issues.  We 
 did a lot more tests and poking and prodding.   We discovered that IPA is 
 not as efficient when dealing with large number of connections.  Most of 
 my load inefficiently reconnect to IPA over and over and over and though 
 LDAP can deal with this fairly efficiently, IPA apparently drops to its 
 knees.   
 
  A ticket was opened to address this issue.
  
  https://fedorahosted.org/freeipa/ticket/3892
 
 
 
 Thank you for reporting this ticket.
 Martin is investigating it and trying to see what is the cause. The 
 information mentioned above is missing from the ticket, thus the 
 question.
 
 So to summarize: you identified that the cause of the performance issue is 
 that JIRA makes a lot of parallel connections to LDAP server and IPA is 
 slow processing bind operations thus clients that do a lot of connections 
 can experience a low performance.
 
 Martin, I wonder if we can have a test that would just do a lot of binds.
 There are a lot of plugins and one of the recent ones is the OTP one. I 
 wonder if we do too much during bind when OTP is not enabled (by default).
 
 Thanks, 
 _
 John Moyer
 Director, IT Operations
 Digital Reasoning Systems, Inc.
 john.mo...@digitalreasoning.com
 Office: 703.678.2311
 Mobile: 240.460.0023
 Fax: 703.678.2312
 www.digitalreasoning.com
 
 On Sep 4, 2013, at 3:44 AM, Martin Kosek mko...@redhat.com wrote:
 
 On 08/30/2013 11:08 PM, John Moyer wrote:
 Well IPA has machine entries on some test clusters that I'm rolling IPA
 out on (20 machines maybe) but the user base is the same (about 80 ~ 100)
 accounts with maybe 40 to 50 groups?
 
 I've stood up a clone of the jira server along with IPA.   I cleared my
 logs and then did the sync and ran the log analyzer on it.   These stats
 are pretty much ONLY for that jira sync I don't have any other 
 connections
 pointed to it.
 
 
 Start of Log:                 30/Aug/2013:15:57:13
 End of Log:                   30/Aug/2013:16:01:14
 
 Processed Log Time:           Hours, 4 Minutes, 1 Seconds
 
 Restarts:                     1
 Total Connections:            824
 SSL Connections:              824
 Peak Concurrent Connections:  6
 Total Operations:             1806
 Total Results:                1805
 Overall Performance:          99.9%
 
 Searches:                     968    (4.02/sec)  (241.00/min)
 Modifications:                5      (0.02/sec)  (1.24/min)
 Adds:                         0      (0.00/sec)  (0.00/min)
 Deletes:                      0      (0.00/sec)  (0.00/min)
 Mod RDNs:                     0      (0.00/sec)  (0.00/min)
 Compares:                     0      (0.00/sec)  (0.00/min)
 Binds:                        833    (3.46/sec)  (207.39/min)
 
 Proxied Auth Operations:      0
 Persistent Searches:          1
 Internal Operations:          0
 Entry Operations:             0
 Extended Operations:          0
 Abandoned Requests:           0
 Smart Referrals Received:     0
 
 VLV Operations:               0
 VLV Unindexed Searches:       0
 SORT Operations:              0
 
 Entire Search Base Queries:   0
 Unindexed Searches:           1
 
 This looks like a promising way to find out the reason, thanks John. However,
 I see just one unindexed search. Is the access log

Re: [Freeipa-users] IPA Load Problems?

2013-09-04 Thread John Moyer
It was our opinion that it wasn't an index issue.  I cleared the logs from the 
IPA server, and then just ran a JIRA sync with the server.  I gave Rich the log 
file from my IPA for that sync.  I can't find the exact conversation, but we 
determined that JIRA was connecting to LDAP some 1000 times or so to do the 
sync.   The logs didn't show but one search done that didn't have an index 
which is why we concluded it wasn't an index issue. 

Thanks, 
_
John Moyer
Director, IT Operations

On Sep 4, 2013, at 9:51 AM, Martin Kosek mko...@redhat.com wrote:

 Ah, ok. One of the reasons why I was poking to this thread is exactly this
 ticket. It does not contain much information _what exactly_ is making IPA
 performance poor - whether it is missing indices (which ones?) or some issue
 in IPA plugins during binds, etc.
 
 Without more information, we do not know what to fix, what to improve.
 
 Martin
 
 On 09/04/2013 02:01 PM, John Moyer wrote:
 Martin,
 
 I apologize there was a large offline conversation between Rich and
 myself.   Rich was kind enough to help me through some of my issues.  We
 did a lot more tests and poking and prodding.   We discovered that IPA is
 not as efficient when dealing with large number of connections.  Most of
 my load inefficiently reconnect to IPA over and over and over and though
 LDAP can deal with this fairly efficiently, IPA apparently drops to its
 knees.
 
 A ticket was opened to address this issue.
 
 https://fedorahosted.org/freeipa/ticket/3892
 
 
 Thanks, 
 _
 John Moyer 
 Director, IT Operations 
 Digital Reasoning Systems, Inc. 
 john.mo...@digitalreasoning.com 
 Office: 703.678.2311 
 Mobile: 240.460.0023 
 Fax: 703.678.2312 
 www.digitalreasoning.com
 
 On Sep 4, 2013, at 3:44 AM, Martin Kosek mko...@redhat.com wrote:
 
 On 08/30/2013 11:08 PM, John Moyer wrote:
 Well IPA has machine entries on some test clusters that I'm rolling
 IPA out on (20 machines maybe) but the user base is the same (about 80
 ~ 100) accounts with maybe 40 to 50 groups?
 
 I've stood up a clone of the jira server along with IPA.   I cleared
 my logs and then did the sync and ran the log analyzer on it.   These
 stats are pretty much ONLY for that jira sync I don't have any other
 connections pointed to it.
 
 
 Start of Log:                 30/Aug/2013:15:57:13
 End of Log:                   30/Aug/2013:16:01:14
 
 Processed Log Time:           Hours, 4 Minutes, 1 Seconds
 
 Restarts:                     1
 Total Connections:            824
 SSL Connections:              824
 Peak Concurrent Connections:  6
 Total Operations:             1806
 Total Results:                1805
 Overall Performance:          99.9%
 
 Searches:                     968    (4.02/sec)  (241.00/min)
 Modifications:                5      (0.02/sec)  (1.24/min)
 Adds:                         0      (0.00/sec)  (0.00/min)
 Deletes:                      0      (0.00/sec)  (0.00/min)
 Mod RDNs:                     0      (0.00/sec)  (0.00/min)
 Compares:                     0      (0.00/sec)  (0.00/min)
 Binds:                        833    (3.46/sec)  (207.39/min)
 
 Proxied Auth Operations:      0
 Persistent Searches:          1
 Internal Operations:          0
 Entry Operations:             0
 Extended Operations:          0
 Abandoned Requests:           0
 Smart Referrals Received:     0
 
 VLV Operations:               0
 VLV Unindexed Searches:       0
 SORT Operations:              0
 
 Entire Search Base Queries:   0
 Unindexed Searches:           1
 
 
 This looks like a promising way to find out the reason, thanks John.
 However, I see just one unindexed search. Is the access log complete?
 Previously I see that the sync takes 900 seconds/15 minutes, but there
 is only 4 minutes in the access log. Note that it may take some time
 until the log is dumped.
 
 I think it would be also useful to run the analyzer with -ula flags as
 Rob suggested earlier to find out the unindexed searches (if any).
 
 What I find interesting is that JIRA does a lot of LDAP BINDs. Can the 
 problem be in longer BINDs than expected (compared to for
 example plain LDAP servers)? Performance-wise, it would be I think
 better if JIRA does just one BIND and runs all the LDAP searches over the
 established connection. But I do not know if it can be configured this
 way.
 
 Rich, Rob, I am wondering if the slow up is not really caused by the
 binds, we have several DS plugins tied to the BIND operation, it may be
 useful to analyze if they do not take too long.
 
 Martin
 
 
 




Re: [Freeipa-users] IPA Load Problems?

2013-08-30 Thread John Moyer
Rob or anyone else,  

So while struggling along on this server I just grabbed the logs off it and ran 
that log program with the options you suggested.   There are a lot of unindexed 
requests.   These are the top issues; I've removed the one username that showed 
up.   

So just to double check what I'm thinking.   I need to create three indexes
1. objectclass pres
2. objectclass eq
3. uid pres 

Please let me know if I'm reading this correctly or if I'm way off?   


7337(objectclass=inetorgperson)
4597(objectclass=*)
4560((objectclass=inetorgperson)(uid=senior.developer.login))
307 (objectclass=krbticketpolicyaux)
292 (uid=*)



Thanks, 
_
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc.
john.mo...@digitalreasoning.com
Office: 703.678.2311
Mobile: 240.460.0023
Fax:703.678.2312
www.digitalreasoning.com

On Aug 28, 2013, at 11:40 AM, Rob Crittenden rcrit...@redhat.com wrote:

 John Moyer wrote:
 So this method of search logs is great, and it shows some indexes that would 
 likely highly increase efficiency with my usage.   So, are there 
 instructions on how to do that, or do you know offhand how to do that?
 
 I'd start with 
 https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Administration_Guide/index.html#Managing_Indexes-About_Indexes
 
 Note that you'll want to create the same index on all hosts. This 
 configuration is not replicated.
 
 You can see the ones we create in /usr/share/ipa/indices.ldif and 
 /usr/share/ipa/updates/20-indices.update
 
 rob
 
 
 
 Thanks,
 _
 John Moyer
 Director, IT Operations
 
 On Aug 27, 2013, at 4:45 PM, Rob Crittenden rcrit...@redhat.com wrote:
 
 John Moyer wrote:
 Wow, this is quite insightful, this is the output from that, it looks like 
 there aren't many unindexed searches (319 doesn't seem like a lot to me at 
 least).  Do you have any suggestions from this output?
 
 There are a slew of options you can provide to logconv.pl. I typically use 
 logconv.pl -ula /var/log/dirsrv/slapd-EXAMPLE-COM/access when doing search 
 analysis.
 
 rob
 
 
 
 
 
 
 
 
 
 Thanks,
 _
 John Moyer
 Director, IT Operations
 On Aug 27, 2013, at 1:13 PM, Rob Crittenden rcrit...@redhat.com wrote:
 
 John Moyer wrote:
 Is there any way to see what fields are indexed?
 
 $ ldapsearch -LLL -D 'cn=directory manager' -W -x -b 
 'cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config'
 
 Your best bet is to use the logconv.pl tool to examine your logs.
 
 rob
 
 
 Thanks,
 _
 John Moyer
 Director, IT Operations

Re: [Freeipa-users] IPA Load Problems?

2013-08-30 Thread John Moyer
If objectclass eq is already indexed, how are these on my top unindexed list?   
Wouldn't objectclass eq cover this (objectclass=inetorgperson), and the third 
and fourth entries?   I apologize if I'm way off as I am new to the intricacies 
of LDAP indexing. 



Thanks, 
_
John Moyer
Director, IT Operations

On Aug 30, 2013, at 3:41 PM, Rich Megginson rmegg...@redhat.com wrote:

 On 08/30/2013 01:31 PM, John Moyer wrote:
 Rob or anyone else,  
 
 So while struggling along on this server I just grabbed the logs off it and 
 ran that log program with the options you suggested.   There are a lot of 
 unindexed requests.   These are the top issues I've removed the one username 
 that showed up.   
 
 So just to double check what I'm thinking.   I need to create three indexes
  1. objectclass pres
 No, do not create this one
  2. objectclass eq
 This should already be indexed
  3. uid pres 
 I suppose the UI might be doing this search?
 
 Please let me know if I'm reading this correctly or if I'm way off?   
 
 
 7337(objectclass=inetorgperson)
 4597(objectclass=*)
 4560((objectclass=inetorgperson)(uid=senior.developer.login))
 307 (objectclass=krbticketpolicyaux)
 292 (uid=*)
 
 
 
 Thanks, 
 _
 John Moyer
 Director, IT Operations
 
 On Aug 28, 2013, at 11:40 AM, Rob Crittenden rcrit...@redhat.com wrote:
 
 John Moyer wrote:
 So this method of search logs is great, and it shows some indexes that 
 would likely highly increase efficiency with my usage.   So, are there 
 instructions on how to do that, or do you know offhand how to do that?
 
 I'd start with 
 https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Administration_Guide/index.html#Managing_Indexes-About_Indexes
 
 Note that you'll want to create the same index on all hosts. This 
 configuration is not replicated.
 
 You can see the ones we create in /usr/share/ipa/indices.ldif and 
 /usr/share/ipa/updates/20-indices.update
 
 rob
 
 
 
 Thanks,
 _
 John Moyer
 Director, IT Operations
 
 On Aug 27, 2013, at 4:45 PM, Rob Crittenden rcrit...@redhat.com wrote:
 
 John Moyer wrote:
 Wow, this is quite insightful, this is the output from that, it looks 
 like there aren't many unindexed searches (319 doesn't seem like a lot 
 to me at least).  Do you have any suggestions from this output?
 
 There are a slew of options you can provide to logconv.pl. I typically 
 use logconv.pl -ula /var/log/dirsrv/slapd-EXAMPLE-COM/access when doing 
 search analysis.
 
 rob
 
 
 
 
 
 
 
 
 
 Thanks,
 _
 John Moyer

Re: [Freeipa-users] IPA Load Problems?

2013-08-30 Thread John Moyer
I'm sorry, that was my top unique filter list, not my unindexed list.  Please 
disregard my last email. 


Thanks, 
_
John Moyer
Director, IT Operations

On Aug 30, 2013, at 3:47 PM, John Moyer john.mo...@digitalreasoning.com wrote:

 If objectclass eq is already indexed, how are these on my top unindexed list?  
 Wouldn't objectclass eq cover this (objectclass=inetorgperson), and the 
 third and fourth entries?   I apologize if I'm way off as I am new to the 
 intricacies of LDAP indexing. 
 
 
 
 Thanks, 
 _
 John Moyer
 Director, IT Operations
 
 On Aug 30, 2013, at 3:41 PM, Rich Megginson rmegg...@redhat.com wrote:
 
 On 08/30/2013 01:31 PM, John Moyer wrote:
 Rob or anyone else,  
 
 So while struggling along on this server I just grabbed the logs off it and 
 ran that log program with the options you suggested.   There are a lot of 
 unindexed requests.   These are the top issues I've removed the one 
 username that showed up.   
 
 So just to double check what I'm thinking.   I need to create three indexes
  1. objectclass pres
 No, do not create this one
  2. objectclass eq
 This should already be indexed
  3. uid pres 
 I suppose the UI might be doing this search?
 
 Please let me know if I'm reading this correctly or if I'm way off?   
 
 
 7337(objectclass=inetorgperson)
 4597(objectclass=*)
 4560((objectclass=inetorgperson)(uid=senior.developer.login))
 307 (objectclass=krbticketpolicyaux)
 292 (uid=*)
 
 
 
 Thanks, 
 _
 John Moyer
 Director, IT Operations
 
 On Aug 28, 2013, at 11:40 AM, Rob Crittenden rcrit...@redhat.com wrote:
 
 John Moyer wrote:
 So this method of search logs is great, and it shows some indexes that 
 would likely highly increase efficiency with my usage.   So, are there 
 instructions on how to do that, or do you know offhand how to do that?
 
 I'd start with 
 https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Administration_Guide/index.html#Managing_Indexes-About_Indexes
 
 Note that you'll want to create the same index on all hosts. This 
 configuration is not replicated.
 
 You can see the ones we create in /usr/share/ipa/indices.ldif and 
 /usr/share/ipa/updates/20-indices.update
 
 rob
 
 
 
 Thanks,
 _
 John Moyer
 Director, IT Operations
 
 On Aug 27, 2013, at 4:45 PM, Rob Crittenden rcrit...@redhat.com wrote:
 
 John Moyer wrote:
 Wow, this is quite insightful, this is the output from that, it looks 
 like there aren't many unindexed searches (319 doesn't seem like a lot 
 to me at least).  Do you have any suggestions from this output?
 
 There are a slew of options you can provide to logconv.pl. I typically 
 use logconv.pl -ula /var/log/dirsrv/slapd-EXAMPLE-COM/access when doing 
 search analysis.
 
 rob
 
 
 
 

Re: [Freeipa-users] IPA Load Problems?

2013-08-28 Thread John Moyer
So this method of search logs is great, and it shows some indexes that would 
likely highly increase efficiency with my usage.   So, are there instructions 
on how to do that, or do you know offhand how to do that?  


Thanks, 
_
John Moyer
Director, IT Operations

On Aug 27, 2013, at 4:45 PM, Rob Crittenden rcrit...@redhat.com wrote:

 John Moyer wrote:
 Wow, this is quite insightful, this is the output from that, it looks like 
 there aren't many unindexed searches (319 doesn't seem like a lot to me at 
 least).  Do you have any suggestions from this output?
 
 There are a slew of options you can provide to logconv.pl. I typically use 
 logconv.pl -ula /var/log/dirsrv/slapd-EXAMPLE-COM/access when doing search 
 analysis.
 
 rob
 
 
 
 
 
 
 
 
 
 Thanks,
 _
 John Moyer
 Director, IT Operations
 On Aug 27, 2013, at 1:13 PM, Rob Crittenden rcrit...@redhat.com wrote:
 
 John Moyer wrote:
 Is there any way to see what fields are indexed?
 
 $ ldapsearch -LLL -D 'cn=directory manager' -W -x -b 
 'cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config'
 
 Your best bet is to use the logconv.pl tool to examine your logs.
 
 rob
 
 
 Thanks,
 _
 John Moyer
 Director, IT Operations
 
 On Aug 27, 2013, at 10:36 AM, John Moyer john.mo...@digitalreasoning.com 
 wrote:
 
 That looks like the output I just got shown below:
 
 
 dn: cn=mapping tree,cn=config
 
 dn: cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
 
 dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
 
 dn: cn=meToipa2.example.com,cn=replica,cn=dc\3Dexample\
 2Cdc\3Dcom,cn=mapping tree,cn=config
 nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof 
 idnssoaserial
  entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
 nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn 
 krblasts
 uccessfulauth krblastfailedauth krbloginfailedcount
 
 
 Thanks,
 _
 John Moyer
 Director, IT Operations
 
 
 On Aug 27, 2013, at 10:14 AM, Rob Crittenden rcrit...@redhat.com wrote:
 
 John Moyer wrote:
 Ok, so we tried to implement this again, and as soon as we put on a
 server that authenticates heavily the IPA came to it's knees again.
 This time I was able to watch it closely and try to troubleshoot a lot
 more, and also know exactly what server caused it (Mercurial with help
 of bamboo).   This runs fine on a normal old openldap servers.   The
 user is logging in very quickly and each time it logs in I can see in
 the logs that the krbLastsuccessfullogin parameter (or whatever it is
 called) is updated over and over and over

Re: [Freeipa-users] IPA Load Problems?

2013-08-27 Thread John Moyer
Ok, so we tried to implement this again, and as soon as we put on a server that 
authenticates heavily the IPA came to its knees again.   This time I was able 
to watch it closely and try to troubleshoot a lot more, and also know exactly 
what server caused it (Mercurial with help of bamboo).   This runs fine on a 
normal old openldap server.   The user is logging in very quickly and each 
time it logs in I can see in the logs that the krbLastsuccessfullogin parameter 
(or whatever it is called) is updated over and over and over in the changelog 
(/var/lib/dirsrv/slapd-$instanceid/db); those logs are filling VERY quickly and 
then disappear fairly quickly as well.  

Issue 1: This is causing severe disk latency which obviously slows 
everything down wait times were around 25%+   
Issue 2: These changes need to be replicated to my slave server thus 
adding to the mess


My question is, why does the IPA server fail to keep up with the load 
when the openLDAP server didn't have an issue?   Indexes?  


I'm running the following: 

CentOS release 6.4 (Final)
389-ds-base-1.2.11.15-20.el6_4.x86_64
389-ds-base-libs-1.2.11.15-20.el6_4.x86_64
ipa-python-3.0.0-26.el6_4.4.x86_64
ipa-admintools-3.0.0-26.el6_4.4.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
ipa-server-3.0.0-26.el6_4.4.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
libipa_hbac-1.9.2-82.7.el6_4.x86_64
ipa-client-3.0.0-26.el6_4.4.x86_64
libipa_hbac-python-1.9.2-82.7.el6_4.x86_64


So I've implemented this server anyway (against my better judgement 
with these issues and just made the user that logs into mercurial a local user 
instead of IPA).   

Also note that before I did that, for fun, I implemented a RAM disk to put the 
change logs on, and that dropped the wait time to 0 (except for bursts where it 
would rise to 30 to write the access log), but the CPU drove to 100% trying to 
keep up with the load.  I have also killed the replication as well.   

Any help would be appreciated. 



Thanks, 
_
John Moyer
Director, IT Operations

On Aug 7, 2013, at 4:08 PM, John Moyer john.mo...@digitalreasoning.com wrote:

 
 Thanks, 
 _
 John Moyer
 Director, IT Operations
 
 On Aug 6, 2013, at 10:57 AM, Rich Megginson rmegg...@redhat.com wrote:
 
 On 08/05/2013 09:17 PM, John Moyer wrote:
 Hello, 
 
  So I've been preparing my infrastructure for a big change from an older 
 openldap system to a nice new IPA server.  I have a redundant secondary 
 server and snapshots taken daily.   I populated all my user data into IPA, 
 and gave the users a week to set a password.  They all did this and the big 
 switch was this past weekend.   We had done previous tests on each server 
 and it all worked.   We switched this past weekend and it worked great.   
 
  This morning a light load hit it (since I've only put a small fraction of 
 our servers on it, about 15) and the primary came to its knees.
 
 What platform?  What version of ipa?  What version of 389-ds-base?
 
 What was the nature of the load?  Search requests?  Update requests?  
 Updates from replication?
 
 The logconv.pl tool can be used to analyze the 389-ds-base access logs.
 
 During this time of the load, are there any errors in the errors log?
 
 Processor spiked, and logs started to fill (didn't fill at this point).
 
 I'm not sure what you mean by logs started to fill (didn't fill at this 
 point).
 
   I then decided it's probably a glitch (I'm an optimist) so I restarted 
 IPA services.   They all restarted except for named which crashed (which 
 then caused everything to stop).  I looked and now the disk was full.
 
 Which directory contained the files that caused the disk to become full?  
 /var/log?  /var/lib?  Somewhere else?
 
 So I trash the logs (had no easy place to put them at the time which I 
 regret now) and I restart the services again.
 
 What do you mean by trash the logs?
 
 IPA fully crashes now (didn't even start the DIRSRV for my domain).
 
 Which component of IPA is crashing?  If it is dirsrv that is refusing to 
 start, is it crashing?  What's in /var/log/dirsrv/slapd-*/errors?
 
 If it is crashing, we will need a core file and/or stack trace - see 
 http://port389.org/wiki/FAQ#Debugging_Crashes
 
 
  So here are my questions:
 
  1. Any idea what caused this?  Any performance issues that have been seen? 
 
 It could be almost anything given the above information.
 
 
  2. Are the connection settings for IPA good out of the box?   I ask 
 because in RHDS (in the first versions I used) the default connection 
 timeouts were a MAJOR issue,
 
 How so?  Details?
 
 I used to run a network of 400

Re: [Freeipa-users] IPA Load Problems?

2013-08-27 Thread John Moyer
That looks like the output I just got shown below: 


dn: cn=mapping tree,cn=config

dn: cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config

dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config

dn: cn=meToipa2.example.com,cn=replica,cn=dc\3Dexample\
 2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
  entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
 uccessfulauth krblastfailedauth krbloginfailedcount


Thanks, 
_
John Moyer
Director, IT Operations


On Aug 27, 2013, at 10:14 AM, Rob Crittenden rcrit...@redhat.com wrote:

 John Moyer wrote:
 Ok, so we tried to implement this again, and as soon as we put on a
 server that authenticates heavily the IPA came to its knees again.
 This time I was able to watch it closely and try to troubleshoot a lot
 more, and also know exactly what server caused it (Mercurial with help
 of bamboo).   This runs fine on a normal old openldap server.   The
 user is logging in very quickly and each time it logs in I can see in
 the logs that the krbLastsuccessfullogin parameter (or whatever it is
 called) is updated over and over and over in the changelog
 (/var/lib/dirsrv/slapd-$instanceid/db); those logs are filling VERY
 quickly and then disappear fairly quickly as well.
 
 Issue 1: This is causing severe disk latency which obviously slows
 everything down wait times were around 25%+
 Issue 2: These changes need to be replicated to my slave server thus
 adding to the mess
 
 
 My question is, why does the IPA server fail to keep up with the load
 when the openLDAP server didn't have an issue.   Indexes?
 
 
 I'm running the following:
 
 CentOS release 6.4 (Final)
 389-ds-base-1.2.11.15-20.el6_4.x86_64
 389-ds-base-libs-1.2.11.15-20.el6_4.x86_64
 ipa-python-3.0.0-26.el6_4.4.x86_64
 ipa-admintools-3.0.0-26.el6_4.4.x86_64
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-server-3.0.0-26.el6_4.4.x86_64
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
 libipa_hbac-1.9.2-82.7.el6_4.x86_64
 ipa-client-3.0.0-26.el6_4.4.x86_64
 libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
 
 
 So I've implemented this server anyway (against my better judgement with
 these issues and just made the user that logs into mercurial a local
 user instead of IPA).
 
 Also note that before I did that, for fun, I implemented a RAM disk to put the
 change logs on, and that dropped the wait time to 0 (except for bursts where
 it would rise to 30 to write the access log), but the CPU drove to 100%
 trying to keep up with the load.  I have also killed the replication as
 well.
 
 Any help would be appreciated.
 
 
 krblastsuccessfulauth should be excluded from replication, though I guess 
 that doesn't prevent it from ending up in the changelog.
 
 You can confirm that they are excluded by searching the agreements:
 
 $ ldapsearch -LLL -x -b 'cn=mapping tree,cn=config' -D 'cn=directory manager' 
 -W nsDS5ReplicatedAttributeList nsDS5ReplicatedAttributeListTotal
 
 They should look like:
 
 nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof 
 idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth 
 krbloginfailedcount
 
 nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn 
 krblastsuccessfulauth krblastfailedauth krbloginfailedcount
 
 rob
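The check Rob describes above, as an added example that is not code from the thread or from FreeIPA: it parses ldapsearch -LLL output, including the folded continuation lines visible in John's paste, and reports every replication agreement whose EXCLUDE lists lack an attribute from Rob's expected output. The LDIF sample is constructed from the thread's anonymized DNs; the meToipa3 agreement is made up to show a failing case.

```python
import re

# Constructed sample modelled on the ldapsearch output in the thread; the
# meToipa3 agreement is invented to show a failing case. LDIF folds long
# values: a continuation line starts with one space, which is dropped when
# the value is reassembled, so "krblasts" + " uccessfulauth" is one word.
SAMPLE_LDIF = r"""dn: cn=mapping tree,cn=config

dn: cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config

dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config

dn: cn=meToipa2.example.com,cn=replica,cn=dc\3Dexample\
 2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
  entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
 uccessfulauth krblastfailedauth krbloginfailedcount

dn: cn=meToipa3.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # drop exactly the one fold space
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse ldapsearch -LLL output into a list of {attr: [values]} records.
    Attribute names are lower-cased because LDAP compares them
    case-insensitively. Base64 (::) and URL (:<) values are not handled."""
    records, current = [], {}
    for line in unfold_ldif(text):
        if not line.strip():
            if current:  # blank line ends a record
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        records.append(current)
    return records


EXCLUDE_RE = re.compile(r"\$\s*EXCLUDE\s+(.*)$")


def excluded_attrs(value):
    """'(objectclass=*) $ EXCLUDE a b c' -> {'a', 'b', 'c'}; no EXCLUDE -> empty set."""
    m = EXCLUDE_RE.search(value)
    return {a.lower() for a in m.group(1).split()} if m else set()


# The exclusions Rob says a FreeIPA agreement should carry.
REQUIRED_EXCLUDES = {
    "nsds5replicatedattributelist": {
        "memberof", "idnssoaserial", "entryusn",
        "krblastsuccessfulauth", "krblastfailedauth", "krbloginfailedcount"},
    "nsds5replicatedattributelisttotal": {
        "entryusn", "krblastsuccessfulauth", "krblastfailedauth",
        "krbloginfailedcount"},
}


def check_agreements(ldif_text):
    """Return {agreement DN: {attribute: [missing exclusions]}} for every
    replication agreement that is missing something; {} means all agreements
    match the expected lists."""
    problems = {}
    for rec in parse_ldif(ldif_text):
        dn = rec.get("dn", [""])[0]
        # Agreements live under cn=replica,...; the mapping tree and the
        # replica entry itself carry no attribute lists and are skipped.
        if ",cn=replica," not in dn.lower():
            continue
        missing = {}
        for attr, required in REQUIRED_EXCLUDES.items():
            present = excluded_attrs(rec.get(attr, [""])[0])
            gap = sorted(required - present)
            if gap:
                missing[attr] = gap
        if missing:
            problems[dn] = missing
    return problems


if __name__ == "__main__":
    for dn, missing in check_agreements(SAMPLE_LDIF).items():
        for attr, gap in missing.items():
            print(f"{dn}: {attr} does not exclude {' '.join(gap)}")
```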




Re: [Freeipa-users] IPA Load Problems?

2013-08-27 Thread John Moyer
Is there any way to see what fields are indexed?  

Thanks, 
_
John Moyer
Director, IT Operations

On Aug 27, 2013, at 10:36 AM, John Moyer john.mo...@digitalreasoning.com 
wrote:

 That looks like the output I just got shown below: 
 
 
 dn: cn=mapping tree,cn=config
 
 dn: cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
 
 dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
 
 dn: cn=meToipa2.example.com,cn=replica,cn=dc\3Dexample\
 2Cdc\3Dcom,cn=mapping tree,cn=config
 nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
  entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
 nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
 uccessfulauth krblastfailedauth krbloginfailedcount
 
 
 Thanks, 
 _
 John Moyer
 Director, IT Operations
 
 
 On Aug 27, 2013, at 10:14 AM, Rob Crittenden rcrit...@redhat.com wrote:
 
 John Moyer wrote:
 Ok, so we tried to implement this again, and as soon as we put on a
 server that authenticates heavily the IPA came to its knees again.
 This time I was able to watch it closely and try to troubleshoot a lot
 more, and also know exactly what server caused it (Mercurial with help
 of bamboo).   This runs fine on a normal old openldap server.   The
 user is logging in very quickly and each time it logs in I can see in
 the logs that the krbLastsuccessfullogin parameter (or whatever it is
 called) is updated over and over and over in the changelog
 (/var/lib/dirsrv/slapd-$instanceid/db); those logs are filling VERY
 quickly and then disappear fairly quickly as well.
 
 Issue 1: This is causing severe disk latency which obviously slows
 everything down wait times were around 25%+
 Issue 2: These changes need to be replicated to my slave server thus
 adding to the mess
 
 
 My question is, why does the IPA server fail to keep up with the load
 when the openLDAP server didn't have an issue.   Indexes?
 
 
 I'm running the following:
 
 CentOS release 6.4 (Final)
 389-ds-base-1.2.11.15-20.el6_4.x86_64
 389-ds-base-libs-1.2.11.15-20.el6_4.x86_64
 ipa-python-3.0.0-26.el6_4.4.x86_64
 ipa-admintools-3.0.0-26.el6_4.4.x86_64
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-server-3.0.0-26.el6_4.4.x86_64
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
 libipa_hbac-1.9.2-82.7.el6_4.x86_64
 ipa-client-3.0.0-26.el6_4.4.x86_64
 libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
 
 
 So I've implemented this server anyway (against my better judgement with
 these issues and just made the user that logs into mercurial a local
 user instead of IPA).
 
 Also note that before I did that, for fun, I implemented a RAM disk to put the
 change logs on, and that dropped the wait time to 0 (except for bursts where
 it would rise to 30 to write the access log), but the CPU drove to 100%
 trying to keep up with the load.  I have also killed the replication as
 well.
 
 Any help would be appreciated.
 
 
 krblastsuccessfulauth should be excluded from replication, though I guess 
 that doesn't prevent it from ending up in the changelog.
 
 You can confirm that they are excluded by searching the agreements:
 
 $ ldapsearch -LLL -x -b 'cn=mapping tree,cn=config' -D 'cn=directory 
 manager' -W nsDS5ReplicatedAttributeList nsDS5ReplicatedAttributeListTotal
 
 They should look like:
 
 nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof 
 idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth 
 krbloginfailedcount
 
 nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn 
 krblastsuccessfulauth krblastfailedauth krbloginfailedcount
 
 rob
 




Re: [Freeipa-users] IPA Load Problems?

2013-08-27 Thread John Moyer
Wow, this is quite insightful, this is the output from that, it looks like 
there aren't many unindexed searches (319 doesn't seem like a lot to me at 
least).  Do you have any suggestions from this output? 


Start of Log:27/Aug/2013:02:36:08
End of Log:  27/Aug/2013:12:17:15

Processed Log Time:  9 Hours, 41 Minutes, 7 Seconds

Restarts: 2
Total Connections:45224
SSL Connections:  44735
Peak Concurrent Connections:  76
Total Operations: 132568
Total Results:132737
Overall Performance:  100.0%

Searches: 61318  (1.76/sec)  (105.52/min)
Modifications:277(0.01/sec)  (0.48/min)
Adds: 10 (0.00/sec)  (0.02/min)
Deletes:  12 (0.00/sec)  (0.02/min)
Mod RDNs: 0  (0.00/sec)  (0.00/min)
Compares: 0  (0.00/sec)  (0.00/min)
Binds:62143  (1.78/sec)  (106.94/min)

Proxied Auth Operations:  0
Persistent Searches:  3
Internal Operations:  0
Entry Operations: 0
Extended Operations:  8808
Abandoned Requests:   0
Smart Referrals Received: 0

VLV Operations:   0
VLV Unindexed Searches:   0
SORT Operations:  353

Entire Search Base Queries:   106
Unindexed Searches:   319

FDs Taken:45262
FDs Returned: 45210
Highest FD Taken: 139

Broken Pipes: 0
Connections Reset By Peer:0
Resource Unavailable: 0

Binds:62143
Unbinds:  44539

 LDAP v2 Binds:   2
 LDAP v3 Binds:   62141
 SSL Client Binds:0
 Failed SSL Client Binds: 0
 SASL Binds:  1466
  1458  GSSAPI
  8 EXTERNAL

 Directory Manager Binds: 10
 Anonymous Binds: 1476
 Other Binds: 60657





Thanks, 
_
John Moyer
Director, IT Operations
On Aug 27, 2013, at 1:13 PM, Rob Crittenden rcrit...@redhat.com wrote:

 John Moyer wrote:
 Is there any way to see what fields are indexed?
 
 $ ldapsearch -LLL -D 'cn=directory manager' -W -x -b 
 'cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config'
 
 Your best bet is to use the logconv.pl tool to examine your logs.
 
 rob
 
 
 Thanks,
 _
 John Moyer
 Director, IT Operations
 
 On Aug 27, 2013, at 10:36 AM, John Moyer john.mo...@digitalreasoning.com 
 wrote:
 
 That looks like the output I just got shown below:
 
 
 dn: cn=mapping tree,cn=config
 
 dn: cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
 
 dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
 
 dn: cn=meToipa2.example.com,cn=replica,cn=dc\3Dexample\
 2Cdc\3Dcom,cn=mapping tree,cn=config
 nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof 
 idnssoaserial
  entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
 nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn 
 krblasts
 uccessfulauth krblastfailedauth krbloginfailedcount
 
 
 Thanks,
 _
 John Moyer
 Director, IT Operations
 
 
 On Aug 27, 2013, at 10:14 AM, Rob Crittenden rcrit...@redhat.com wrote:
 
 John Moyer wrote:
 Ok, so we tried to implement this again, and as soon as we put on a
 server that authenticates heavily the IPA came to its knees again.
 This time I was able to watch it closely and try to troubleshoot a lot
 more, and also know exactly what server caused it (Mercurial with help
 of bamboo).   This runs fine on a normal old openldap server.   The
 user is logging in very quickly and each time it logs in I can see in
 the logs that the krbLastsuccessfullogin parameter (or whatever it is
 called) is updated over and over and over in the changelog
 (/var/lib/dirsrv/slapd-$instanceid/db); those logs are filling VERY
 quickly and then disappear fairly quickly as well.
 
 Issue 1: This is causing severe disk latency which obviously slows
 everything down wait times were around 25%+
 Issue 2: These changes need to be replicated to my slave server thus
 adding to the mess
 
 
 My question is, why does the IPA server fail to keep up with the load
 when the openLDAP server didn't have an issue.   Indexes?
 
 
 I'm running the following:
 
 CentOS release 6.4 (Final)
 389-ds-base-1.2.11.15-20.el6_4.x86_64
 389-ds-base-libs-1.2.11.15-20.el6_4.x86_64
 ipa-python-3.0.0-26.el6_4.4.x86_64
 ipa-admintools-3.0.0-26.el6_4.4.x86_64
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 python-iniparse-0.3.1-2.1.el6.noarch
 ipa-server-3.0.0-26.el6_4.4.x86_64
 ipa-pki-ca-theme
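
Rob's suggestion above is to run logconv.pl over the access log. As an added example (mine, not code from the thread, from FreeIPA or from 389-ds), the Python below produces the same Directory Manager / Anonymous / Other bind totals from a 389-ds access log and also ranks bind DNs and client addresses, which is the quickest way to spot the one host that re-authenticates in a loop and churns krbLastSuccessfulAuth. The lines in SAMPLE_LOG are constructed for the example: the format is the 389-ds access log, the hosts and DNs are invented.

```python
"""Bind breakdown for a 389-ds access log: the logconv.pl-style bind
totals plus a ranking of bind DNs and client addresses."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the 389-ds access log format; hosts and DNs are invented.
SAMPLE_LOG = """\
[27/Aug/2013:10:00:01 -0400] conn=101 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[27/Aug/2013:10:00:01 -0400] conn=101 op=0 BIND dn="uid=bamboo,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[27/Aug/2013:10:00:01 -0400] conn=101 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[27/Aug/2013:10:00:01 -0400] conn=101 op=1 UNBIND
[27/Aug/2013:10:00:02 -0400] conn=102 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[27/Aug/2013:10:00:02 -0400] conn=102 op=0 BIND dn="uid=bamboo,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[27/Aug/2013:10:00:02 -0400] conn=102 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[27/Aug/2013:10:00:03 -0400] conn=103 fd=65 slot=65 connection from 10.0.0.9 to 10.0.0.1
[27/Aug/2013:10:00:03 -0400] conn=103 op=0 BIND dn="" method=128 version=3
[27/Aug/2013:10:00:03 -0400] conn=103 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[27/Aug/2013:10:00:04 -0400] conn=104 fd=66 slot=66 connection from 10.0.0.7 to 10.0.0.1
[27/Aug/2013:10:00:04 -0400] conn=104 op=0 BIND dn="cn=directory manager" method=128 version=3
[27/Aug/2013:10:00:04 -0400] conn=104 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[27/Aug/2013:10:00:05 -0400] conn=105 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[27/Aug/2013:10:00:05 -0400] conn=105 op=0 BIND dn="uid=bamboo,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[27/Aug/2013:10:00:05 -0400] conn=105 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

# Connection line: ties a conn id to the client address.
CONN_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ "
                     r"(?:SSL )?connection from (?P<ip>\S+) to ")
# BIND request; dn="" is an anonymous bind.
BIND_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) '
                     r'BIND dn="(?P<dn>[^"]*)"')
# RESULT for any op; err != 0 on a BIND op is a failed authentication.
RESULT_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def classify(dn):
    """Bucket a bind DN the way logconv.pl reports it."""
    if dn == "":
        return "Anonymous Binds"
    if dn.lower() == "cn=directory manager":
        return "Directory Manager Binds"
    return "Other Binds"


def summarize(log_text):
    conn_ip, pending = {}, {}          # conn -> client ip; (conn, op) -> bind label
    categories, by_dn, by_ip, failed = Counter(), Counter(), Counter(), Counter()
    first = last = None
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conn_ip[m.group("conn")] = m.group("ip")
            continue
        m = BIND_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), TS_FORMAT)
            first = ts if first is None or ts < first else first
            last = ts if last is None or ts > last else last
            label = m.group("dn") or "<anonymous>"
            categories[classify(m.group("dn"))] += 1
            by_dn[label] += 1
            by_ip[conn_ip.get(m.group("conn"), "<unknown>")] += 1
            pending[(m.group("conn"), m.group("op"))] = label
            continue
        m = RESULT_RE.match(line)
        if m:
            label = pending.pop((m.group("conn"), m.group("op")), None)
            if label is not None and m.group("err") != "0":
                failed[label] += 1
    total = sum(categories.values())
    span = (last - first).total_seconds() if first and last else 0.0
    return {"total_binds": total, "categories": categories, "by_dn": by_dn,
            "by_ip": by_ip, "failed": failed,
            "binds_per_second": total / span if span > 0 else float(total)}


def report(summary, top=5):
    lines = [f"Total binds: {summary['total_binds']} "
             f"({summary['binds_per_second']:.2f}/s over the sampled window)"]
    for name in ("Directory Manager Binds", "Anonymous Binds", "Other Binds"):
        lines.append(f"  {name}: {summary['categories'][name]}")
    lines.append("Top bind DNs (failed binds in parentheses):")
    lines += [f"  {n:6d}  {dn} ({summary['failed'][dn]})"
              for dn, n in summary["by_dn"].most_common(top)]
    lines.append("Top client addresses:")
    lines += [f"  {n:6d}  {ip}" for ip, n in summary["by_ip"].most_common(top)]
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    print(report(summarize(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG)))
```

Point it at the instance's access log (/var/log/dirsrv/slapd-INSTANCE/access on a stock 389-ds install); the binds-per-second figure only covers the window present in that file, so rotate-and-compare if you want a rate over a longer period.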

[Freeipa-users] IPA Load Problems?

2013-08-05 Thread John Moyer
Hello, 

So I've been preparing my infrastructure for a big change from an older 
openldap system to a nice new IPA server.  I have a redundant secondary server 
and snapshots taken daily.   I populated all my user data into IPA, and gave 
the users a week to set a password.  They all did this and the big switch was 
this past weekend.   We had done previous tests on each server and it all 
worked.   We switched this past weekend and it worked great.   

This morning a light load hit it (since I've only put a small fraction 
of our servers on it about 15) and the primary came to its knees.  Processor 
spiked, and logs started to fill (didn't fill at this point).   I then decided 
it's probably a glitch (I'm an optimist) so I restarted IPA services.   They 
all restarted except for named which crashed (which then caused everything to 
stop).  I looked and now the disk was full.   So I trash the logs (had no easy 
place to put them at the time which I regret now) and I restart the services 
again.   IPA fully crashes now (didn't even start the DIRSRV for my domain).

So here are my questions:

1. Any idea what caused this?  Any performance issues that have been 
seen? 

2. Are the connection settings for IPA good out of the box?   I ask 
because in RHDS (in the first versions I used) the default connection timeouts 
were a MAJOR issue, I used to run a network of 400 servers and I had to set the 
time-outs to 30sec which made my servers run really really well, but if I used 
the 60 min defaults they also would come to their knees.  Is there a buried 
setting like this?  (However, I must admit there didn't seem like there were a 
lot of connections like when I had the issue with the 400 servers years ago).  

Also is there an easy place to set log rotation settings?  (If it's log 
rotate just let me know, I just don't want to step on an internal app rotate). 
 


Thanks, 
_
John Moyer
Director, IT Operations


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] exporting ldap certificate

2013-07-23 Thread John Moyer
Peter, 

Did you get this to work, I know this is an old thread, but where did you put 
those java parameters?  I am trying to get GADS to work for my IPA server and 
think this is my problem.

Thanks, 
_
John Moyer

On May 7, 2013, at 4:37 AM, Peter Brown rendhal...@gmail.com wrote:

 On 7 May 2013 16:50, Martin Kosek mko...@redhat.com wrote:
 On 05/07/2013 04:51 AM, Peter Brown wrote:
  On 6 May 2013 17:07, Martin Kosek mko...@redhat.com
  mailto:mko...@redhat.com wrote:
 
  I am glad you made it working. Just for the record, CRL and OCSP 
  revocation
  URIs in FreeIPA v3.1 were flawed, there are relevant fixes in FreeIPA 
  3.2 that
  will make it working again.
 
 
  Thanks for the heads up Martin.
  I will likely upgrade to 3.2 once Fedora 19 is released.
 
  I am going to assume my 3.1 clients will be compatible?
 
 Yes, this is a correct assumption. BTW we are just in a process of testing and
 releasing FreeIPA 3.1.4 bugfixing release for Fedora 18 which will also 
 contain
 the CRL/OCSP URI fixes (will happen this week). Any help with testing 3.1.4
 when it is released is appreciated.
 
 Awesome.
 I shall install them and let you know how I go.
 
  
 
 Martin
 
 
 
 
  More information can be found out in FreeIPA.org wiki:
  http://www.freeipa.org/page/V3/Single_OCSP_and_CRL_in_certs
 
  Relevant upstream ticket:
  https://fedorahosted.org/freeipa/ticket/3552
 
  Martin
 
  On 04/29/2013 06:59 AM, Peter Brown wrote:
   I finally got this to work.
  
   I managed to get an error message that told me it couldn't check the
  revocation
   of the certificates against a crl.
   I tried to find out how to tell java where to find that crl but I 
  these
   discovered these options instead to tell java to not check a crl.
   -Dcom.sun.net.ssl.checkRevocation=false
   -Dcom.sun.security.enableCRLDP=false
  
  
   On 26 April 2013 18:30, Petr Viktorin pvikt...@redhat.com
  mailto:pvikt...@redhat.com
   mailto:pvikt...@redhat.com mailto:pvikt...@redhat.com wrote:
  
   Hello,
  
  
   On 04/26/2013 07:22 AM, Peter Brown wrote:
  
   Hi everyone.
  
   I am attempting to get Google Apps to sync with FreeIPA and I 
  am
  having
   problems getting the sync utility to talk to freeipa.
   It complains about the ssl cert.
   I have it setup so it only accepts ssl or tls encrypted
  connections and
   I don't want to turn that off.
   I have imported the ca cert using the jre's keytool but it 
  still
  refuses
   to connect.
   I am getting the impression I need to import the ssl cert for 
  the
  ldap
   server into it as well.
  
  
   The CA cert (/etc/ipa/ca.crt) should be enough, it signs all the 
  other
   certs. Make sure you import it with the right trust level (SSL
  certificate
   signing). Unfortunately I don't know about jre's keytool so I 
  can't
  be more
   specific.
  
  
  
   I have no idea which certificate that is and I have no idea 
  how to
   export it.
  
  
   Do not do this. You should only explicitly trust the CA cert.
   For example, if you trust the certs explicitly you'd have to
  re-import them
   one by one when they are renewed.
  
  
   Can someone please tell me how to do this?
  
  
   If you really want to:
   There are two certs, one for httpd (Web UI, XMLRPC  JSON APIs), 
  and one
   for the LDAP server.
   To export the httpd server certificate (to PEM):
   $ certutil -L -d /etc/httpd/alias -n Server-Cert -a
   To export the directory server certificate (to PEM):
   $ certutil -L -d /etc/dirsrv/slapd-$INSTANCE___NAME/ -n 
  Server-Cert -a
   But again, you don't need this for what you're trying to do.
  
   --
    Petr³
  
  
  
  
  
 
 
 
 


Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-06-10 Thread John Moyer
Rob, 

Sorry for the late response I tried the following

[root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n 'Go Daddy Class 2 Certification Authority - ValiCert, Inc.' -t CT,,
[root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n 'Go Daddy Secure Certification Authority - The Go Daddy Group, Inc.' -t CT,,
[root@etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
certutil: certificate is valid
 
After this I tried to add a machine and got the same error: 

[root@~]# ipa-client-install --domain=example.com --server=server.example.com 
--realm=EXAMPLE.COM -p builduser -w BLAH -U
Hostname: server.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.

Any additional suggestions?


Thanks, 
_
John Moyer
Director, IT Operations
On May 29, 2013, at 2:09 PM, Rob Crittenden rcrit...@redhat.com wrote:

 John Moyer wrote:
 Rob,
 
  MyIPA I believe was installed by IPA.  I did everything you suggested, 
 the below is what it looks like now.
 
 
 
 certutil -d /etc/httpd/alias -L -h internal
 
 Certificate Nickname                                               Trust Attributes
                                                                    SSL,S/MIME,JAR/XPI
 
 MyIPA                                                              u,u,u
 Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
 Go Daddy Class 2 Certification Authority - ValiCert, Inc.          CT,,
 
 --
 
 I'm still getting the following when I try to restart the dirsrv:
 
 /etc/init.d/dirsrv restart
 Shutting down dirsrv:
 EXAMPLE-COM...[  OK  ]
 PKI-IPA... [  OK  ]
 Starting dirsrv:
 EXAMPLE-COM...[29/May/2013:16:46:47 +] - SSL alert: 
 CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of 
 family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 
 - Peer's certificate issuer has been marked as not trusted by the user.)
[  OK  ]
 PKI-IPA... [  OK  ]
 
 You need to apply these trust changes to /etc/dirsrv/slap-EXAMPLE-COM as well.
 
 
 I'm also getting the following when I  try to add a server to IPA:
 
 ipa-client-install --domain=example.com --server=server.example.com 
 --realm=EXAMPLE.COM -p builduser -w BLAH -U
 Hostname: ip-10-133-38-119.ec2.internal
 Realm: EXAMPLE.COM
 DNS Domain: example.com
 IPA Server: server.example.com
 BaseDN: dc=example,dc=com
 
 Synchronizing time with KDC...
 Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
 Peer certificate cannot be authenticated with known CA certificates
 
 Installation failed. Rolling back changes.
 IPA client is not configured on this system.
 
 The client installer downloads the CA cert from LDAP, so make sure you have 
 the GoDaddy CA in LDAP.
 
 rob
 




Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-06-10 Thread John Moyer
Rob, 

I think you had me look at that already.   This is the output from 
certutil on that: 

[root@ ~]# certutil -d /etc/httpd/alias -L

Certificate Nickname                                               Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI

MyIPA                                                              u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.          CT,,



Dmitri, 

This is the same issue I've been having for a while, other things were 
wrong before all of them stemmed from putting in the Godaddy signed cert. 

Thanks, 
_
John Moyer
Director, IT Operations

On Jun 10, 2013, at 2:30 PM, Dmitri Pal d...@redhat.com wrote:

 On 06/10/2013 02:17 PM, John Moyer wrote:
 I don't know if this helps, but this is the log I'm getting from the IPA 
 server's apache error log.
 
 [Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not 
 recognize and trust the CA that issued your certificate
 
 Is this the same issue we are discussing on the devel list?
 The intermediate CA case?
 
 
 
 Thanks, 
 _
 John Moyer
 Director, IT Operations
 On Jun 10, 2013, at 9:52 AM, John Moyer john.mo...@digitalreasoning.com 
 wrote:
 
 Rob, 
 
 Sorry for the late response I tried the following
 
 [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n 'Go Daddy Class 2 Certification Authority - ValiCert, Inc.' -t CT,,
 [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n 'Go Daddy Secure Certification Authority - The Go Daddy Group, Inc.' -t CT,,
 [root@etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
 certutil: certificate is valid
 
 After this I tried to add a machine and got the same error: 
 
 [root@~]# ipa-client-install --domain=example.com 
 --server=server.example.com --realm=EXAMPLE.COM -p builduser -w BLAH -U
 Hostname: server.example.com
 Realm: EXAMPLE.COM
 DNS Domain: example.com
 IPA Server: server.example.com
 BaseDN: dc=example,dc=com
 
 Synchronizing time with KDC...
 Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
 Peer certificate cannot be authenticated with known CA certificates
 
 Installation failed. Rolling back changes.
 IPA client is not configured on this system.
 
 Any additional suggestions?
 
 
 Thanks, 
 _
 John Moyer
 Director, IT Operations
 On May 29, 2013, at 2:09 PM, Rob Crittenden rcrit...@redhat.com wrote:
 
 John Moyer wrote:
 Rob,
 
   MyIPA I believe was installed by IPA.  I did everything you suggested, 
 the below is what it looks like now.
 
 
 
 certutil -d /etc/httpd/alias -L -h internal
 
 Certificate Nickname                                               Trust Attributes
                                                                    SSL,S/MIME,JAR/XPI
 
 MyIPA                                                              u,u,u
 Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
 Go Daddy Class 2 Certification Authority - ValiCert, Inc.          CT,,
 
 --
 
 I'm still getting the following when I try to restart the dirsrv:
 
 /etc/init.d/dirsrv restart
 Shutting down dirsrv:
   EXAMPLE-COM...[  OK  ]
   PKI-IPA... [  OK  ]
 Starting dirsrv:
   EXAMPLE-COM...[29/May/2013:16:46:47 +] - SSL alert: 
 CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of 
 family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error 
 -8172 - Peer's certificate issuer has been marked as not trusted by the 
 user.)
  [  OK  ]
   PKI-IPA... [  OK  ]
 You need to apply these trust changes to /etc/dirsrv/slap-EXAMPLE-COM as 
 well.
 
 I'm also getting the following when I  try to add a server to IPA:
 
 ipa-client-install --domain=example.com --server=server.example.com 
 --realm=EXAMPLE.COM -p builduser -w BLAH -U
 Hostname: ip-10-133-38-119.ec2.internal
 Realm: EXAMPLE.COM
 DNS Domain: example.com
 IPA Server: server.example.com
 BaseDN: dc=example,dc=com
 
 Synchronizing time with KDC...
 Joining realm failed: libcurl failed to execute the HTTP POST 
 transaction.  Peer certificate cannot be authenticated with known CA 
 certificates
 
 Installation failed. Rolling back changes.
 IPA client is not configured on this system.
 The client installer downloads the CA cert from LDAP, so make sure you 
 have the GoDaddy CA in LDAP.
 
 rob
 
 
 
 
 -- 
 Thank you,
 Dmitri Pal
 
 Sr. Engineering Manager for IdM portfolio
 Red Hat Inc

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-06-10 Thread John Moyer
Rob, 

Do you mean doing this?  If not let me know. 

[root@pki]# ls -la
total 32
drwxr-xr-x  8 root root 4096 Jun 10 20:23 .
drwxr-xr-x 90 root root 4096 Jun 10 18:05 ..
drwxr-xr-x  6 root root 4096 Mar  4 22:22 CA
drwxr-xr-x  2 root root 4096 Jul 11  2012 java
lrwxrwxrwx  1 root root   24 Jun 10 20:23 nssdb -> /usr/lib64/libnssckbi.so
drwxr-xr-x  2 root root 4096 Jun 10 18:05 nssdb.orig
drwxr-xr-x  2 root root 4096 Mar 21 15:19 rpm-gpg
drwx--  2 root root 4096 Feb 22 05:07 rsyslog
drwxr-xr-x  5 root root 4096 Mar 21 15:18 tls

After I did that I tried to enroll this system and got the same error.

The cert that is in the /etc/ipa/ca.crt is the same as the one that is on the 
server which is the CA Cert gotten from godaddy.   You also had me change this 
into a der version of the Cert (using openssl) and jam that into the Directory 
server.


Thanks, 
_
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc.
john.mo...@digitalreasoning.com
Office: 703.678.2311
Mobile: 240.460.0023
Fax:703.678.2312
www.digitalreasoning.com

On Jun 10, 2013, at 4:19 PM, Rob Crittenden rcrit...@redhat.com wrote:

 John Moyer wrote:
 Rob,
 
  I think you had me look at that already.   This is the output from 
 certutil on that:
 
 [root@ ~]# certutil -d /etc/httpd/alias -L
 
 Certificate Nickname                                               Trust Attributes
                                                                    SSL,S/MIME,JAR/XPI
 
 MyIPA                                                              u,u,u
 Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
 Go Daddy Class 2 Certification Authority - ValiCert, Inc.          CT,,
 
 What certificate does the client have in /etc/ipa/ca.crt? Is it either one of 
 these?
 
 Can you try linking libnssckbi.so to /etc/pki/nssdb on the client prior to 
 enrollment?
 
 rob
 
 
 
 
 Dmitri,
 
  This is the same issue I've been having for a while, other things were 
 wrong before all of them stemmed from putting in the Godaddy signed cert.
 
 Thanks,
 _
 John Moyer
 Director, IT Operations
 
 On Jun 10, 2013, at 2:30 PM, Dmitri Pal d...@redhat.com wrote:
 
 On 06/10/2013 02:17 PM, John Moyer wrote:
 I don't know if this helps, but this is the log I'm getting from the IPA 
 server's apache error log.
 
 [Mon Jun 10 17:14:52 2013] [error] SSL Library Error: -12195 Peer does not 
 recognize and trust the CA that issued your certificate
 
 Is this the same issue we are discussing on the devel list?
 The intermediate CA case?
 
 
 
 Thanks,
 _
 John Moyer
 Director, IT Operations
 On Jun 10, 2013, at 9:52 AM, John Moyer john.mo...@digitalreasoning.com 
 wrote:
 
 Rob,
 
   Sorry for the late response I tried the following
 
 [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n 'Go Daddy Class 2 Certification Authority - ValiCert, Inc.' -t CT,,
 [root@etc]# certutil -M -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n 'Go Daddy Secure Certification Authority - The Go Daddy Group, Inc.' -t CT,,
 [root@etc]# certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n MyIPA
 certutil: certificate is valid
 
 After this I tried to add a machine and got the same error:
 
 [root@~]# ipa-client-install --domain=example.com 
 --server=server.example.com --realm=EXAMPLE.COM -p builduser -w BLAH -U
 Hostname: server.example.com
 Realm: EXAMPLE.COM
 DNS Domain: example.com
 IPA Server: server.example.com
 BaseDN: dc=example,dc=com
 
 Synchronizing time with KDC...
 Joining realm failed: libcurl failed to execute the HTTP POST 
 transaction.  Peer certificate cannot be authenticated with known CA 
 certificates
 
 Installation failed. Rolling back changes.
 IPA client is not configured on this system.
 
 Any additional suggestions?
 
 
 Thanks,
 _
 John Moyer
 Director, IT Operations
 On May 29, 2013, at 2:09 PM, Rob Crittenden rcrit...@redhat.com wrote:
 
 John Moyer wrote:
 Rob,
 
 MyIPA I believe was installed by IPA.  I did everything you 
 suggested, the below is what it looks like now.
 
 
 
 certutil -d /etc/httpd/alias -L -h internal
 
 Certificate Nickname                                               Trust Attributes
                                                                    SSL,S/MIME,JAR/XPI
 
 MyIPA                                                              u,u,u
 Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
 Go Daddy Class 2 Certification Authority - ValiCert, Inc.          CT,,
 
 --
 
 I'm still getting the following when I try to restart the dirsrv:
 
 /etc/init.d/dirsrv restart
 Shutting down dirsrv:
   EXAMPLE-COM...[  OK  ]
   PKI-IPA... [  OK  ]
 Starting dirsrv:
   EXAMPLE-COM...[29/May/2013:16:46:47 +] - SSL alert

Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-29 Thread John Moyer
Petr, 

I changed both the host file (actually did that before emailing) and 
now I have changed the DNS manually in LDAP.  I restart ipa and it still fails 
on DNS startup.   It says the following (after I manually start everything 
else) 

May 29 13:16:15 ip- named[9076]: set up managed keys zone for view _default, 
file 'dynamic/managed-keys.bind'
May 29 13:16:15 ip- named[9076]: GSSAPI Error: Unspecified GSS failure.  Minor 
code may provide more information (Server krbtgt/ec2.inter...@example.com not 
found in Kerberos database)
May 29 13:16:15 ip- named[9076]: bind to LDAP server failed: Local error
May 29 13:16:15 ip- named[9076]: loading configuration: failure
May 29 13:16:15 ip- named[9076]: exiting (due to fatal error)  


Thanks, 
_
John Moyer
Director, IT Operations


On May 29, 2013, at 4:11 AM, Petr Spacek pspa...@redhat.com wrote:

 On 29.5.2013 07:42, John Moyer wrote:
 Yea I replaced both certs, however, in my troubleshooting I've found more 
 I'll say symptoms or potential problems, which may stem from this or be 
 independent from it.
 
 1. Showing this error message on restarting the service:
 EXAMPLE-COM...[29/May/2013:05:30:58 +] - SSL alert: 
 CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of 
 family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 
 - Peer's certificate issuer has been marked as not trusted by the user.)
 
 2. This is on an AWS machine, and when I rebooted the internal IP of the 
 machine changed.  I'm not sure if there are values in the Directory Server 
 that would have that internal IP in there which would cause a problem.  The 
 external IP and DNS have stayed the same and I've tried to have all install 
 values match the external IP or external name for this exact reason.
 
 3. The named service will no longer start, here are the errors getting put 
 in the /var/log/messages
 May 29 05:31:01 ip-10-1-3-5 named[5592]: sizing zone task pool based on 6 
 zones
 May 29 05:31:01 ip-10-1-3-5 named[5592]: /etc/named.conf:12: no forwarders 
 seen; disabling forwarding
 May 29 05:31:01 ip-10-1-3-5 named[5592]: set up managed keys zone for view 
 _default, file 'dynamic/managed-keys.bind'
  May 29 05:31:19 ip-10-1-3-5 named[5592]: Failed to init credentials (Cannot 
 contact any KDC for realm 'EXAMPLE.COM')
 May 29 05:31:19 ip-10-1-3-5 named[5592]: loading configuration: failure
 May 29 05:31:19 ip-10-1-3-5 named[5592]: exiting (due to fatal error)
 
 Any help in a right direction or theory to a right direction would be much 
 appreciated!
 Problems 2 and 3 might be caused by incorrect IP address in /etc/hosts and 
 IPA DNS. Please correct content of /etc/hosts, start IPA and then correct IP 
 addresses in IPA DNS.
 
 -- 
 Petr^2 Spacek
 




Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-29 Thread John Moyer
John, 

I see the following when I ran that first command.

sudo certutil -d /etc/httpd/alias -L -h internal

Certificate Nickname                                               Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI

Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.          ,,
MyIPA                                                              CTu,Cu,u


So being that I have no fear (or am just real dumb, I really feel it's just 
both) I used that command and got this error after hitting enter to continue: 

sudo modutil -add ca_certs -libfile libnssckbi.so -dbdir /etc/httpd/alias

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

ERROR: Failed to add module ca_certs. Probable cause : Unknown PKCS #11 
error..

I then did the first command again (to see what I messed up) and it looks 
identical as shown below: 

sudo certutil -d /etc/httpd/alias -L -h internal

Certificate Nickname                                               Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI

Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.          ,,
MyIPA                                                              CTu,Cu,u


Thanks, 
_
John Moyer
Director, IT Operations
On May 29, 2013, at 8:36 AM, John Dennis jden...@redhat.com wrote:

 On 05/29/2013 01:42 AM, John Moyer wrote:
 Yea I replaced both certs, however, in my troubleshooting I've found
 more I'll say symptoms or potential problems, which may stem from
 this or be independent from it.
 
 1. Showing this error message on restarting the service:
 EXAMPLE-COM...[29/May/2013:05:30:58 +] - SSL alert:
 CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA
 of family cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime
 error -8172 - Peer's certificate issuer has been marked as not
 trusted by the user.)
 
 The error is saying the CA which signed your new cert is either unknown or 
 untrusted. Trusted CA's must be in the NSS database which is being 
 referenced, which in this case I believe is /etc/httpd/alias.
 
 By default we don't add other root CA's to this database so you'll have to 
 add it. To see what is in the database do this:
 
 sudo certutil -d /etc/httpd/alias -L -h internal
 
 FWIW the -h internal means to also examine any preloaded CA's that may have 
 been added with modutil.
 
 If CA the signed your cert is one of the standard trusted ones you can add 
 the entire set of trusted CA's with modutil
 
 % sudo modutil -add ca_certs -libfile libnssckbi.so -dbdir /etc/httpd/alias
 
 But that's a big hammer, you might be better off just manually just adding 
 the CA that signed your cert and adding trust for it. Examples can be found 
 here:
 
 http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html
 
 
 -- 
 John Dennis jden...@redhat.com
 
 Looking to carve out IT costs?
 www.redhat.com/carveoutcosts/




Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-29 Thread John Moyer
Rob, 

MyIPA I believe was installed by IPA.  I did everything you suggested, 
the below is what it looks like now.   



certutil -d /etc/httpd/alias -L -h internal

Certificate Nickname                                               Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI

MyIPA                                                              u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.          CT,,

--

I'm still getting the following when I try to restart the dirsrv:  

/etc/init.d/dirsrv restart
Shutting down dirsrv:
EXAMPLE-COM...[  OK  ]
PKI-IPA... [  OK  ]
Starting dirsrv:
EXAMPLE-COM...[29/May/2013:16:46:47 +] - SSL alert: 
CERT_VerifyCertificateNow: verify certificate failed for cert MyIPA of family 
cn=RSA,cn=encryption,cn=config (Netscape Portable Runtime error -8172 - Peer's 
certificate issuer has been marked as not trusted by the user.)
   [  OK  ]
PKI-IPA... [  OK  ]


I'm also getting the following when I  try to add a server to IPA: 

ipa-client-install --domain=example.com --server=server.example.com 
--realm=EXAMPLE.COM -p builduser -w BLAH -U
Hostname: ip-10-133-38-119.ec2.internal
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.


Thanks, 
_
John Moyer
Director, IT Operations





On May 29, 2013, at 12:20 PM, Rob Crittenden rcrit...@redhat.com wrote:

 John Moyer wrote:
 John,
 
  I see the following when I ran that first command.
 
 sudo certutil -d /etc/httpd/alias -L -h internal
 
 Certificate Nickname                                               Trust Attributes
                                                                    SSL,S/MIME,JAR/XPI
 
 Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
 Go Daddy Class 2 Certification Authority - ValiCert, Inc.          ,,
 MyIPA                                                              CTu,Cu,u
 
 
 So being that I have no fear (or am just real dumb, I really feel it's just 
 both) I used that command and got this error after hitting enter to continue:
 
 sudo modutil -add ca_certs -libfile libnssckbi.so -dbdir /etc/httpd/alias
 
 WARNING: Performing this operation while the browser is running could cause
 corruption of your security databases. If the browser is currently running,
 you should exit browser before continuing this operation. Type
 'q <enter>' to abort, or <enter> to continue:
 
 ERROR: Failed to add module ca_certs. Probable cause : Unknown PKCS #11 
 error..
 
 I then did the first command again (to see what I messed up) and it looks 
 identical as shown below:
 
 sudo certutil -d /etc/httpd/alias -L -h internal
 
 Certificate Nickname                                               Trust Attributes
                                                                    SSL,S/MIME,JAR/XPI
 
 Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
 Go Daddy Class 2 Certification Authority - ValiCert, Inc.          ,,
 MyIPA                                                              CTu,Cu,u
 
 These trust flags look really strange.
 
 What is MyIPA, is that your server certificate? It should have a trust of 
 u,u,u if it is: certutil -M -d /etc/httpd/alias -n MyIPA -t u,u,u
 
 The other two are clearly CAs and should be trusted as so. For each one I'd 
 do:
 
 certutil -M -d /etc/httpd/alias -n 'nickname' -t CT,,
 
 You can test the trust with:
 
 certutil -V -u V -d /etc/httpd/alias -n MyIPA
 
 I'm guessing that you'll need to do something similar in 
 /etc/dirsrv/slapd-YOUR-INSTANCE.
 
 rob


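
To check an NSS database for the trust-flag mix-up Rob diagnoses in the message above, here is an added example (mine, not code from the thread or from FreeIPA). It parses the output of `certutil -d <dbdir> -L` and applies Rob's rule: an entry that has a private key (the `u` flag) is the server's own certificate and belongs at `u,u,u`; an issuer needs `C` in the SSL column (the thread uses `CT,,`), otherwise NSS rejects the certificates it signed. For each violation it emits the `certutil -M ... -t` command that fixes it. The two listings embedded in the code are constructed to mirror the before and after states quoted in this message; /etc/httpd/alias is the database from the thread, and the same run against /etc/dirsrv/slapd-YOUR-INSTANCE covers the directory server database Rob mentions.

```python
"""Audit trust flags in a `certutil -L` listing of an NSS database and
print the certutil -M commands that bring them to the expected values."""
import re
import shlex
from collections import namedtuple

# Trust string has three comma-separated columns: SSL, S/MIME, JAR/XPI.
LISTING_RE = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[pPcCTu]*,[pPcCTu]*,[pPcCTu]*)\s*$")

# Constructed listings mirroring the two states shown in the thread.
BROKEN_LISTING = """\
Certificate Nickname                                               Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI

Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. ,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.          ,,
MyIPA                                                              CTu,Cu,u
"""
FIXED_LISTING = """\
Certificate Nickname                                               Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI

MyIPA                                                              u,u,u
Go Daddy Secure Certification Authority - The Go Daddy Group, Inc. CT,,
Go Daddy Class 2 Certification Authority - ValiCert, Inc.          CT,,
"""

Finding = namedtuple("Finding", "nickname trust expected reason fix")


def parse_listing(text):
    """Return {nickname: trust string} from certutil -L output."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or "Trust Attributes" in line or "SSL,S/MIME,JAR/XPI" in line:
            continue
        m = LISTING_RE.match(line)
        if m:
            entries[m.group("nick")] = m.group("trust")
    return entries


def fix_command(dbdir, nick, flags):
    """The certutil -M invocation that sets the expected flags."""
    return f"certutil -M -d {shlex.quote(dbdir)} -n {shlex.quote(nick)} -t {flags}"


def audit(entries, dbdir):
    findings = []
    for nick, trust in entries.items():
        ssl_col = trust.split(",")[0]
        if "u" in trust:
            # Private key present: our own server/user cert, never an issuer.
            if trust != "u,u,u":
                findings.append(Finding(nick, trust, "u,u,u",
                                        "certificate with a private key carries CA trust flags",
                                        fix_command(dbdir, nick, "u,u,u")))
        elif "p" in trust.lower():
            continue  # explicitly trusted peer, not an issuer
        elif "C" not in ssl_col:
            # No C in the SSL column: NSS will not accept certs this CA signed.
            findings.append(Finding(nick, trust, "CT,,",
                                    "issuer is not trusted to sign SSL server certificates",
                                    fix_command(dbdir, nick, "CT,,")))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_LISTING
    for f in audit(parse_listing(text), "/etc/httpd/alias"):
        print(f"{f.nickname}: {f.trust} -> {f.expected} ({f.reason})\n  {f.fix}")
```

After applying the printed commands, `certutil -V -u V -d <dbdir> -n <server-nick>` (Rob's check above) should report the certificate as valid; if it still does not, the issuer chain is incomplete rather than mistrusted.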


Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-24 Thread John Moyer
So unfortunately a rebuild would be less than optimal for me, lots of servers 
and users.  So I've tried Dmitri's idea of ldapi and I got the access to LDAP 
now, however I may be going about this entire thing wrong.   I created an LDIF 
file that looks like this: 

dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com
changetype: modify
replace: cacert
cacert:  NEWKEY_ksljdfkljadfkljalksdjfaBLAHBLAH

Then I ran the following: 

ldapmodify -x -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -D "cn=Directory Manager" -W -f /root/change-settings.ldif

and I get the following error: 

Enter LDAP Password:
modifying entry cn=cacert,cn=ipa,cn=etc,dc=digitalreasoning,dc=com
ldap_modify: Object class violation (65)
additional info: attribute cacert not allowed


Anyone have any ideas? 




Thanks, 
_
John Moyer
Director, IT Operations


On May 24, 2013, at 3:53 AM, Martin Kosek mko...@redhat.com wrote:

 On 05/23/2013 07:37 PM, John Moyer wrote:
 So I found this page and followed it.  The http daemon works great (no longer
 complains about not being the cert for my URL.  However, now I can't bind
 anymore servers to my IPA server.   The current servers enrolled before I did
 this work great (and I can login using my IPA credentials).   However, I just
 can't add anymore.   Does anyone have any ideas?  I tried removing the certs
 and that made it so I can't start httpd (so I put the cert back). 
 
 
 http://freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
 
 Thanks, 
 _
 John Moyer
 
 
 Hi John,
 
 I see that Dmitri and Rob already try to help you with this configuration. I
 would just like to note that the page you refer to may not be fully up to date
 (was not touched since 2010). I added instructions to revisit the page in the
 ticket that Rob created:
 
 https://fedorahosted.org/freeipa/ticket/3641
 
 As for your issue, I do not know if you are still installing a new server or
 updating a running one. If installing a new one, you may be interested in
 FreeIPA version 3.2.0 which is being introduced in Fedora 19 and which
 revisited the way we install without CA (i.e. with custom ldap/http certs).
 This is a design page with more information:
 
 http://www.freeipa.org/page/V3/CA-less_install
 
 Martin


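
The LDIF in the message above fails with an object class violation because `cacert` is not an attribute the entry's object classes allow; in addition, a certificate is binary (DER) data, which LDIF must carry base64-encoded behind `::` and fold at 76 columns with a leading space on each continuation line (RFC 2849). As an added example (mine, not code from the thread or from FreeIPA), the Python below builds such a change record from a PEM file and parses it back to prove the value survived folding. Two things in it are my assumptions rather than facts from the thread: CA_ATTRIBUTE, the attribute name `cACertificate;binary` that FreeIPA uses on the cn=cacert entry, which you should confirm with an ldapsearch of that entry before running ldapmodify; and make_fake_pem, which produces a constructed stand-in, not a real certificate.

```python
"""Build an RFC 2849 change record that replaces a binary attribute,
with base64 encoding and 76-column folding, and read it back."""
import base64

LINE_WIDTH = 76  # RFC 2849: fold logical lines longer than this

CA_ENTRY_DN = "cn=cacert,cn=ipa,cn=etc,dc=example,dc=com"
CA_ATTRIBUTE = "cACertificate;binary"  # assumption: FreeIPA's attribute on that entry


def make_fake_pem(der):
    """Constructed stand-in for a PEM file; the payload is not a certificate."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem):
    """Strip PEM armour and return the DER bytes."""
    body = [l.strip() for l in pem.splitlines()
            if l.strip() and not l.strip().startswith("-----")]
    return base64.b64decode("".join(body))


def needs_base64(value):
    """RFC 2849 SAFE-STRING rules for a text value."""
    if not value:
        return False
    if value[0] in " :<":
        return True
    return any(ord(ch) > 126 or ord(ch) < 32 for ch in value)


def fold(line):
    """Fold a logical line; continuation lines start with one space."""
    out, rest = [line[:LINE_WIDTH]], line[LINE_WIDTH:]
    while rest:
        out.append(" " + rest[:LINE_WIDTH - 1])
        rest = rest[LINE_WIDTH - 1:]
    return out


def attr_lines(name, value):
    """Encode one attribute value, using '::' base64 when required."""
    if isinstance(value, bytes):
        return fold(f"{name}:: {base64.b64encode(value).decode('ascii')}")
    if needs_base64(value):
        return fold(f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}")
    return fold(f"{name}: {value}")


def modify_replace(dn, attr, value):
    """Change record replacing every value of attr on dn."""
    lines = attr_lines("dn", dn) + ["changetype: modify", f"replace: {attr}"]
    lines += attr_lines(attr, value) + ["-"]
    return "\n".join(lines) + "\n"


def unfold(text):
    """Undo folding: join lines that begin with a single space."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    return logical


def parse_record(text):
    """Return {attr: value} from one record, decoding '::' values to bytes."""
    record = {}
    for line in unfold(text):
        if line in ("", "-") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            record[name] = base64.b64decode(value[1:].strip())
        else:
            record[name] = value.strip()
    return record


if __name__ == "__main__":
    import sys
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else make_fake_pem(bytes(range(256)) * 2)
    sys.stdout.write(modify_replace(CA_ENTRY_DN, CA_ATTRIBUTE, pem_to_der(pem)))
```

Redirect the output to a file and feed it to the ldapmodify command from the message (`ldapmodify -x -H ldapi://... -D "cn=Directory Manager" -W -f change.ldif`); if the server still answers with an object class violation, the attribute name is wrong for that entry, and the entry's objectClass values tell you which attributes it will take.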


Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-24 Thread John Moyer
So I did that, and it executed perfectly (went back and checked that it did 
indeed replace the value as expected).  I got on the machine I was trying to 
add and got this: 

root@ ~]# ipa-client-install --domain=example.com --server=server.example.com 
--realm=EXAMPLE.COM -p builduser -w BLAH -U
Hostname: blah.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
The CA cert available from the IPA server does not match the
local certificate available at /etc/ipa/ca.crt
Existing CA cert:
Subject: CN=Certificate Authority,O=EXAMPLE.COM
Issuer:  CN=Certificate Authority,O=EXAMPLE.COM
Valid From:  Wed Mar 02 18:52:05 2013 UTC
Valid Until: Sun Mar 02 18:52:05 2033 UTC

Retrieved CA cert:
Subject: CN=*.example.com,OU=Domain Control Validated,O=*.example.com
Issuer:  serialNumber=07969287,CN=Go Daddy Secure Certification 
Authority,OU=http://certificates.godaddy.com/repository,O=GoDaddy.com, 
Inc.,L=Scottsdale,ST=Arizona,C=US
Valid From:  Thu Dec 01 14:57:49 2011 UTC
Valid Until: Sun Dec 01 14:57:49 2013 UTC

Cannot obtain CA certificate
'ldap://server.example.com' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.


Then I tried to change the local machine's /etc/ipa/ca.crt to match the server. 
I then got this: 

[root@]# ipa-client-install --domain=example.com --server=server.example.com 
--realm=EXAMPLE.COM -p builduser -w BLAH -U
Hostname: blah.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.


Thanks, 
_
John Moyer
Director, IT Operations


On May 24, 2013, at 3:11 PM, Rob Crittenden rcrit...@redhat.com wrote:

 John Moyer wrote:
 So unfortunately a rebuild would be less than optimal for me, lots of 
 servers and users.  So I've tried Dmitri's idea of ldapi and I have 
 access to LDAP now; however, I may be going about this entire thing wrong.   
 I created an LDIF file that looks like this:
 
 dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com
 changetype: modify
 replace: cacert
 cacert: NEWKEY_ksljdfkljadfkljalksdjfaBLAHBLAH
 
 Then I ran the following:
 
 ldapmodify -x -H ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket -D 
 "cn=Directory Manager" -W -f /root/change-settings.ldif
 
 and I get the following error:
 
 Enter LDAP Password:
 modifying entry cn=cacert,cn=ipa,cn=etc,dc=digitalreasoning,dc=com
 ldap_modify: Object class violation (65)
  additional info: attribute cacert not allowed
 
 
 The attribute you want is caCertificate. What you need to do is convert your 
 CA cert from PEM format to DER:
 
 openssl x509 -in /etc/ipa/ca.crt -out /tmp/ca.der -outform DER
 
 Then use this ldif:
 
 dn: cn=cacert,cn=ipa,cn=etc,dc=example,dc=com
 changetype: modify
 replace: cacertificate;binary
 cacertificate;binary:< file:///tmp/ca.der
 
 That should do it.
 
 rob


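An added Python example (not FreeIPA's own code) of the two things this exchange turns on: the comparison ipa-client-install makes between /etc/ipa/ca.crt and the certificate published under cn=cacert,cn=ipa,cn=etc,<basedn>, and the PEM-to-DER conversion plus caCertificate;binary replace that Rob describes. The two DER blobs are constructed placeholders rather than real certificates, and the function names are mine:

```python
"""Added example, not FreeIPA's own code: the CA-certificate comparison that
ipa-client-install reports, plus the PEM->DER conversion and the LDIF that
replaces the published copy under cn=cacert.  The two DER blobs are constructed
placeholders, not real certificates."""
import hashlib
import ssl
import textwrap

# Constructed stand-ins for DER-encoded certificates.  PEM <-> DER is only
# base64 framing, so any bytes exercise the comparison logic; on a real client
# the PEM side is /etc/ipa/ca.crt and the DER side is the value of
# caCertificate;binary that the installer fetched over LDAP.
LOCAL_CA_DER = b"\x30\x82" + b"local-ca-placeholder".ljust(64, b"\x00")
RETRIEVED_DER = b"\x30\x82" + b"retrieved-cert-placeholder".ljust(64, b"\x00")


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in the PEM framing used by /etc/ipa/ca.crt."""
    return ssl.DER_cert_to_PEM_cert(der)


def pem_to_der(pem: str) -> bytes:
    """Same result as `openssl x509 -in ca.crt -outform DER`."""
    return ssl.PEM_cert_to_DER_cert(pem)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, colon separated, as certificate tools print it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def ca_matches(local_pem: str, retrieved_der: bytes) -> bool:
    """The installer's check: does the local file equal the directory copy?"""
    return fingerprint(pem_to_der(local_pem)) == fingerprint(retrieved_der)


def replace_cacert_ldif(base_dn: str, der_path: str) -> str:
    """LDIF in the form Rob gave: replace caCertificate;binary from a DER file.
    The ':<' tells ldapmodify to read the value from the URL."""
    return textwrap.dedent(f"""\
        dn: cn=cacert,cn=ipa,cn=etc,{base_dn}
        changetype: modify
        replace: cacertificate;binary
        cacertificate;binary:< file://{der_path}
    """)


if __name__ == "__main__":
    local_pem = der_to_pem(LOCAL_CA_DER)
    print("local    ", fingerprint(pem_to_der(local_pem)))
    print("retrieved", fingerprint(RETRIEVED_DER))
    print("match:", ca_matches(local_pem, RETRIEVED_DER))
    print(replace_cacert_ldif("dc=example,dc=com", "/tmp/ca.der"))
```

Run as-is, the two fingerprints differ, which is the "Existing CA cert / Retrieved CA cert" mismatch in the installer output above. One check worth making before publishing the DER file: in that same output the retrieved certificate's Subject (CN=*.example.com) is not its Issuer (the Go Daddy CA), so what was published is the server's own wildcard certificate. Clients use the cn=cacert value as their trust anchor for the HTTPS join, so it needs to be the issuing CA chain, not the server's leaf certificate.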


Re: [Freeipa-users] Installing a Godaddy Cert with ipa-server-certinstall

2013-05-23 Thread John Moyer
Dmitri, 

Here are the corresponding answers, thanks for the quick response. 


1. ipa-client-3.0.0-26.el6_4.2.x86_64
2. 
[root@ ~]# ipa-client-install --domain=digitalreasoning.com 
--server=ipa1.corp.digitalreasoning.com --realm=EXAMPLE.COM -p builduser -w 
BLAH -U
Hostname: client.example.com
Realm: EXAMPLE.COM
DNS Domain: example.com
IPA Server: server.example.com
BaseDN: dc=example,dc=com

Synchronizing time with KDC...
Joining realm failed: libcurl failed to execute the HTTP POST transaction.  
Peer certificate cannot be authenticated with known CA certificates

Installation failed. Rolling back changes.
IPA client is not configured on this system.

3. 
2013-05-23T17:45:16Z DEBUG args=kinit buildu...@example.com
2013-05-23T17:45:16Z DEBUG stdout=Password for buildu...@example.com:

2013-05-23T17:45:16Z DEBUG stderr=
2013-05-23T17:45:16Z DEBUG trying to retrieve CA cert via LDAP from 
ldap://server.example.com
2013-05-23T17:45:16Z DEBUG Existing CA cert and Retrieved CA cert are identical
2013-05-23T17:45:16Z DEBUG args=/usr/sbin/ipa-join -s server.example.com -b 
dc=example,dc=com
2013-05-23T17:45:16Z DEBUG stdout=
2013-05-23T17:45:16Z DEBUG stderr=libcurl failed to execute the HTTP POST 
transaction.  Peer certificate cannot be authenticated with known CA 
certificates

2013-05-23T17:45:16Z ERROR Joining realm failed: libcurl failed to execute the 
HTTP POST transaction.  Peer certificate cannot be authenticated with known CA 
certificates

2013-05-23T17:45:16Z ERROR Installation failed. Rolling back changes.
2013-05-23T17:45:16Z ERROR IPA client is not configured on this system.

Thanks, 
_
John Moyer
Director, IT Operations
Digital Reasoning Systems, Inc.
john.mo...@digitalreasoning.com
Office: 703.678.2311
Mobile: 240.460.0023
Fax:703.678.2312
www.digitalreasoning.com

On May 23, 2013, at 2:50 PM, Dmitri Pal d...@redhat.com wrote:

 On 05/23/2013 01:37 PM, John Moyer wrote:
 
 So I found this page and followed it.  The http daemon works great (no 
 longer complains about not being the cert for my URL).  However, now I can't 
 bind any more servers to my IPA server.   The current servers enrolled before 
 I did this work great (and I can login using my IPA credentials).   However, 
 I just can't add any more.   Does anyone have any ideas?  I tried removing 
 the certs and that made it so I can't start httpd (so I put the cert back). 
 
 
 http://freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
 
 Thanks, 
 _
 John Moyer
 
 
 
 We need more info:
 
 1) What version of the client?
 2) What is the output of the ipa-client-install?
 3) What the client install log contains?
 
 -- 
 Thank you,
 Dmitri Pal
 
 Sr. Engineering Manager for IdM portfolio
 Red Hat Inc.
 
 

[Freeipa-users] automember issues

2013-04-30 Thread John Moyer
Anyone have any suggestions on using the automember function in IPA?  I've 
tried to set it up so if a server is enrolled by a user called 'build' then it 
should add it to a specific server group.   I put in an inclusive rule and the 
expression is just 'build', but it doesn't work.  Do I need to specify more 
than just 'build' in the expression area? 


Thanks, 
_
John Moyer



Re: [Freeipa-users] automember issues

2013-04-30 Thread John Moyer
Yep, enrolledby is what I'm using, but I have been adding them manually since 
it hasn't been working. 


Thanks, 
_
John Moyer
On Apr 30, 2013, at 1:21 PM, JR Aquino jr.aqu...@citrix.com wrote:

 
 On Apr 30, 2013, at 9:30 AM, John Moyer john.mo...@digitalreasoning.com 
 wrote:
 
 Anyone have any suggestions on using the automember function in IPA?  I've 
 tried to set it up so if a server is enrolled by a user called 'build' then 
 it should add it to a specific server group.   I put in an inclusive rule and 
 the expression is just 'build', but it doesn't work.  Do I need to specify 
 more than just 'build' in the expression area?
 
 
 That -should- be enough to catch new hosts that are built by the 'build' user.
 
 Can you verify that the Attribute you are matching on is: enrolledby ?
 
 
 Keeping your head in the cloud
 ~
 Jr Aquino | Sr. Information Security Specialist
 GXPN | GIAC Exploit Researcher and Advanced Penetration Tester
 GCIH | GIAC Certified Incident Handler
 GWAPT | GIAC WebApp Penetration Tester
 
 Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
 T: +1 805.690.3478
 C: +1 805.717.0365
 jr.aqu...@citrix.com
 http://www.citrixonline.com/
 
 




Re: [Freeipa-users] automember issues

2013-04-30 Thread John Moyer
One thing to add is that this build user only has the following access: 

Host Administrators
Host enrollment 

Would he need more access to do the membership?  My original thought was that 
technically the user is not doing the addition to the group; it's the system 
technically doing it, so there shouldn't be a permissions issue. 

Thanks, 
_
John Moyer


Re: [Freeipa-users] automember issues

2013-04-30 Thread John Moyer
Not a problem, here is the output:

ipa automember-find --type=hostgroup
---
1 rules matched
---
  Automember Rule: test-group
  Inclusive Regex: enrolledby=build

Number of entries returned 1




Thanks, 
_
John Moyer


On Apr 30, 2013, at 1:48 PM, JR Aquino jr.aqu...@citrix.com wrote:

 On Apr 30, 2013, at 10:43 AM, John Moyer john.mo...@digitalreasoning.com
 wrote:
 
 One thing to add is that this build user only has the following access: 
 
 Host Administrators
 Host enrollment 
 
 Would he need more access to do the membership?  My original thought was 
 that technically the user is not doing the addition to the group; it's the 
 system technically doing it, so there shouldn't be a permissions issue. 
 
 
 The user's roles shouldn't really matter to the best of my knowledge (Nathan 
 Kinder may need to refresh my memory), but the 389 plugin should be catching 
 the insertion of the new object, then match the watched attribute, and 
 execute the hostgroup assignment based upon the rights of the plugin rather 
 than that of the user.
 
 Would it be possible to ask you to do an automember-find --type=hostgroup on 
 the CLI and send it back to the thread?
 
 If we are missing something or if we have any bugs in there, we need to get 
 them identified and fixed.
 
 


Re: [Freeipa-users] automember issues

2013-04-30 Thread John Moyer
It comes back with a ton of stuff; the row you are probably interested in is 
this one: 

enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com

Thanks, 
_
John Moyer


On Apr 30, 2013, at 1:57 PM, JR Aquino jr.aqu...@citrix.com wrote:

 On Apr 30, 2013, at 10:52 AM, John Moyer john.mo...@digitalreasoning.com
 wrote:
 
 Not a problem, here is the output:
 
 ipa automember-find --type=hostgroup
 ---
 1 rules matched
 ---
 Automember Rule: test-group
 Inclusive Regex: enrolledby=build
 
 Number of entries returned 1
 
 
 
 interesting.
 
 When you do an: ipa host-show test-hostname.example.com --all --raw
 
 Does it clearly show that enrolledby=build?
 
 
 


Re: [Freeipa-users] automember issues

2013-04-30 Thread John Moyer
I tried adding it in addition to the current rule and that didn't work.  I then 
deleted the old rule to only leave the rule with the full name 
(uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work either.

This is the new output of that command you had me run earlier: 

ipa automember-find --type=hostgroup
---
1 rules matched
---
  Automember Rule: test-group
  Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com

Number of entries returned 1




Thanks, 
_
John Moyer


On Apr 30, 2013, at 2:07 PM, JR Aquino jr.aqu...@citrix.com wrote:

 On Apr 30, 2013, at 11:02 AM, John Moyer john.mo...@digitalreasoning.com
 wrote:
 
 It comes back with a ton of stuff; the row you are probably interested in is 
 this one: 
 
 enrolledby: uid=build,cn=users,cn=accounts,dc=example,dc=com
 
 Bingo!
 
 Ok, try to adjust your automember rule.
 
 Delete your previous inclusive regex, and replace it with 
 uid=build,cn=users,cn=accounts,dc=example,dc=com
 
 See if that does the trick
 

Re: [Freeipa-users] automember issues

2013-04-30 Thread John Moyer
So I must have looked at the wrong server name; I just tried to add 4 more 
servers and none of them worked.   Any more ideas?   The target is specified by 
the rule name: test-group is the target.  

Thanks, 
_
John Moyer


On Apr 30, 2013, at 2:25 PM, Dmitri Pal d...@redhat.com wrote:

 On 04/30/2013 02:17 PM, JR Aquino wrote:
 On Apr 30, 2013, at 11:12 AM, John Moyer john.mo...@digitalreasoning.com
 wrote:
 
 I tried adding it in addition to the current rule and that didn't work.  I 
 then deleted the old rule to only leave the rule with the full name 
 (uid=build,cn=users,cn=accounts,dc=example,dc=com) and that didn't work 
 either.
 
 This is the new output of that command you had me run earlier: 
 
 ipa automember-find --type=hostgroup
 ---
 1 rules matched
 ---
 Automember Rule: test-group
 Inclusive Regex: enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com
 
 Number of entries returned 1
 
 
 Interesting.
 
 What about if you just do something silly like: .*build.*
 
 Nathan... I believe the plugin is set to expect string values... how does it 
 handle a DN such as the enrolled by above?
 
 
 Don't you need to specify target group?
 It might be that the filter is working but it is not placing it anywhere
 because nothing is specifying where to place it.
 
 
 
 
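Since the thread leaves open why the rule never fires, here is a small added Python evaluator (not the 389-ds automember plugin's own code) that applies inclusive/exclusive `attr=regex` conditions to a host entry the way the thread is probing them: once with the regex anchored to the whole attribute value and once as a substring search, because the real plugin's anchoring is an assumption here. The host entry and the rules are constructed to mirror the `ipa host-show --all --raw` and `ipa automember-find --type=hostgroup` output above (the rule name doubling as the target host group, as John notes). It also models one caveat worth verifying against the plugin documentation, an assumption rather than something the thread states: the rule is evaluated against the attributes present when it runs, so if enrolledby is only filled in after the host entry was added, a rule keyed on it has nothing to match at that moment.

```python
"""Added illustration: evaluate automember-style 'attr=regex' rules against a
host entry.  Not the 389-ds automember plugin's own code; the entries, the
rules and the two matching modes are constructed assumptions used to show the
effect of each rule form seen in the thread."""
import re
from typing import Dict, List

# Constructed host entry, in the shape `ipa host-show --all --raw` prints it.
HOST_AFTER_JOIN: Dict[str, List[str]] = {
    "fqdn": ["host1.example.com"],
    "enrolledby": ["uid=build,cn=users,cn=accounts,dc=example,dc=com"],
}

# Same host as it would look if enrolledby had not been set yet (assumption:
# the attribute is filled in by the join, after the entry already exists).
HOST_AT_ADD_TIME: Dict[str, List[str]] = {"fqdn": ["host1.example.com"]}

# Constructed rules in the form `ipa automember-find --type=hostgroup` shows;
# in IPA the rule name is also the target host group.  The last rule adds an
# exclusive condition so both halves of the evaluation are exercised.
RULES = [
    {"name": "test-group",
     "inclusive": ["enrolledby=build"], "exclusive": []},
    {"name": "wildcard-group",
     "inclusive": ["enrolledby=.*build.*"], "exclusive": []},
    {"name": "dn-group",
     "inclusive": ["enrolledby=uid=build,cn=users,cn=accounts,dc=example,dc=com"],
     "exclusive": []},
    {"name": "no-lab-hosts",
     "inclusive": ["fqdn=.*\\.example\\.com"],
     "exclusive": ["fqdn=.*\\.lab\\.example\\.com"]},
]


def parse_condition(cond: str):
    """Split 'attr=regex' at the first '=' only, so a DN-valued regex keeps
    the '=' signs that are part of the DN."""
    attr, sep, regex = cond.partition("=")
    if not sep or not attr or not regex:
        raise ValueError(f"malformed automember condition: {cond!r}")
    return attr.lower(), re.compile(regex)


def condition_hits(cond: str, entry: Dict[str, List[str]], anchored: bool) -> bool:
    """True if any value of the condition's attribute matches its regex.
    anchored=True requires the regex to cover the whole value; False accepts a
    substring match.  Which one the real plugin uses is the open question."""
    attr, pattern = parse_condition(cond)
    match = pattern.fullmatch if anchored else pattern.search
    return any(match(value) is not None for value in entry.get(attr, []))


def target_groups(entry: Dict[str, List[str]], rules, anchored: bool = True) -> List[str]:
    """Names of the rules (= host groups) that fire for the entry: at least one
    inclusive condition hits and no exclusive condition does."""
    fired = []
    for rule in rules:
        if any(condition_hits(c, entry, anchored) for c in rule["exclusive"]):
            continue
        if any(condition_hits(c, entry, anchored) for c in rule["inclusive"]):
            fired.append(rule["name"])
    return fired


if __name__ == "__main__":
    for mode in (True, False):
        print("anchored" if mode else "substring",
              target_groups(HOST_AFTER_JOIN, RULES, anchored=mode))
    print("at add time", target_groups(HOST_AT_ADD_TIME, RULES))
```

Under whole-value matching the bare `build` regex never fires against the DN, while JR's `.*build.*` and the full-DN regex both do; under substring matching all three fire. Either way, if enrolledby is absent at evaluation time, only rules keyed on attributes already present (fqdn here) can place the host anywhere.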

Re: [Freeipa-users] sudo / sssd integration problems

2013-03-21 Thread John Moyer
I had sudo issues similar to this; I can't remember the exact fix.  I have the 
following two things in my notes.  The second command would obviously need you 
to add the people you want to be able to sudo to the admins group after you add 
this.  

yum install ipa-client fprintd-pam -y
echo "%admins ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers


Thanks, 
_
John Moyer


On Mar 21, 2013, at 11:27 PM, Brian Cook bc...@redhat.com wrote:

 Running F18 and following the instructions here:
 http://jhrozek.fedorapeople.org/sssd/1.9.1/man/sssd-sudo.5.html
 
 When I try to run sudo -l as any user I get the following error:
 
 bash-4.2$ sudo -l
 sudo: Unable to dlopen /usr/lib64/libsss_sudo.so: (null)
 sudo: Unable to initialize SSS source. Is SSSD installed on your machine?
 
 
 Nothing particularly interesting in the log with debug at 5.
 
 Can someone point me in the right direction?
 
 Thanks,
 Brian
 
 
 sssd.conf:
 
 [domain/example.com]
 debug_level = 5
 cache_credentials = True
 krb5_store_password_if_offline = True
 ipa_domain = example.com
 id_provider = ipa
 auth_provider = ipa
 access_provider = ipa
 ipa_hostname = ipadevel.example.com
 chpass_provider = ipa
 ipa_server = ipadevel.example.com
 ldap_tls_cacert = /etc/ipa/ca.crt
 
 sudo_provider = ldap
 ldap_uri = ldap://ipadevel.example.com
 ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
 ldap_sasl_mech = GSSAPI
 ldap_sasl_authid = host/ipadevel.example.com
 ldap_sasl_realm = EXAMPLE.COM
 krb5_server = ipadevel.example.com
 
 
 [sssd]
 services = nss, pam, ssh, sudo
 config_file_version = 2
 domains = example.com
 
 [nss]
 
 [pam]
 
 [sudo]
 debug_level=5
 
 [autofs]
 
 [ssh]
 
 [pac]
 
 

Re: [Freeipa-users] sudo / sssd integration problems

2013-03-21 Thread John Moyer
Sorry that's all I have in my notes.  I'm sure others will have ideas.   Sorry 
I couldn't be more help. 

Thanks, 
_
John Moyer

On Mar 21, 2013, at 11:50 PM, Brian Cook bc...@redhat.com wrote:

 Those packages are installed.  The second part is against what I am trying to 
 accomplish.  My sudo rule is already created in IPA.  I just need SSSD to 
 fetch it.
 
 Thanks,
 Brian
 
 
 On Mar 21, 2013, at 8:37 PM, John Moyer john.mo...@digitalreasoning.com 
 wrote:
 
 I had sudo issues similar to this, I can't remember the exact fix.  I have 
 the following two things in my notes.  The second command would obviously 
 need you to add the people you want to be able to sudo to the admins group 
 after you add this.  
 
 yum install ipa-client fprintd-pam -y
 echo %admins ALL=(ALL) NOPASSWD: ALL  /etc/sudoers
 
 
 Thanks, 
 _
 John Moyer
 
 
 On Mar 21, 2013, at 11:27 PM, Brian Cook bc...@redhat.com wrote:
 
 Running F18 and following the instructions here:
 http://jhrozek.fedorapeople.org/sssd/1.9.1/man/sssd-sudo.5.html
 
 When I try to run sudo -l as any user I get the following error:
 
 bash-4.2$ sudo -l
 sudo: Unable to dlopen /usr/lib64/libsss_sudo.so: (null)
 sudo: Unable to initialize SSS source. Is SSSD installed on your machine?
 
 
 Nothing particularly interesting in the log with debug at 5.
 
 Can someone point me in the right direction?
 
 Thanks,
 Brian
 
 
 sssd.conf:
 
 [domain/example.com]
 debug_level = 5
 cache_credentials = True
 krb5_store_password_if_offline = True
 ipa_domain = example.com
 id_provider = ipa
 auth_provider = ipa
 access_provider = ipa
 ipa_hostname = ipadevel.example.com
 chpass_provider = ipa
 ipa_server = ipadevel.example.com
 ldap_tls_cacert = /etc/ipa/ca.crt
 
 sudo_provider = ldap
 ldap_uri = ldap://ipadevel.example.com
 ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
 ldap_sasl_mech = GSSAPI
 ldap_sasl_authid = host/ipadevel.example.com
 ldap_sasl_realm = EXAMPLE.COM
 krb5_server = ipadevel.example.com
 
 
 [sssd]
 services = nss, pam, ssh, sudo
 config_file_version = 2
 domains = example.com
 
 [nss]
 
 [pam]
 
 [sudo]
 debug_level=5
 
 [autofs]
 
 [ssh]
 
 [pac]
 
 
 ___
 Freeipa-users mailing list
 Freeipa-users@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-users
 
 

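The prerequisites that the sssd-sudo man page linked above spells out (the `sudo` responder in `[sssd] services`, a `sudo_provider` in the domain, and `sudoers: files sss` in nsswitch.conf) can be checked mechanically before chasing library errors. The following lint is an added example, not code from the thread or from SSSD; the sssd.conf sample is constructed from Brian's posted config (trimmed to the keys the check reads) and the nsswitch.conf fragments are constructed. It does not diagnose the `dlopen` failure Brian reports; it only confirms the documented configuration is in place, and an optional list of library paths lets a host check that `libsss_sudo.so` exists where sudo expects it.

```python
"""Lint SSSD sudo-integration prerequisites (added example; not from the thread)."""
import configparser
import os
from typing import Iterable, List

# Constructed sample based on the sssd.conf posted in the thread, trimmed to
# the keys this check looks at.
SAMPLE_SSSD_CONF = """\
[domain/example.com]
debug_level = 5
id_provider = ipa
auth_provider = ipa
access_provider = ipa
sudo_provider = ldap
ldap_uri = ldap://ipadevel.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_sasl_mech = GSSAPI

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = example.com

[sudo]
debug_level=5
"""

# Constructed nsswitch.conf fragments: one without the sudoers line, one with it.
NSSWITCH_NO_SUDOERS = "passwd:  files sss\nshadow:  files sss\ngroup:   files sss\n"
NSSWITCH_WITH_SUDOERS = NSSWITCH_NO_SUDOERS + "sudoers: files sss\n"


def _csv(value: str) -> List[str]:
    """Split an sssd.conf comma-separated value into its items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def lint_sudo_integration(sssd_conf: str, nsswitch: str,
                          lib_paths: Iterable[str] = ()) -> List[str]:
    """Return a list of findings; an empty list means every prerequisite is met."""
    findings: List[str] = []
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf)

    # 1. The sudo responder must be listed in [sssd] services.
    if "sudo" not in _csv(cp.get("sssd", "services", fallback="")):
        findings.append("[sssd] services lacks 'sudo': the sudo responder is not started")

    # 2. Every configured domain needs a sudo_provider; the ldap provider
    #    additionally needs ldap_sudo_search_base to know where the rules live.
    for domain in _csv(cp.get("sssd", "domains", fallback="")):
        section = f"domain/{domain}"
        if not cp.has_section(section):
            findings.append(f"[{section}] is missing although listed in [sssd] domains")
            continue
        provider = cp.get(section, "sudo_provider", fallback=None)
        if provider is None:
            findings.append(f"[{section}] has no sudo_provider: no rules are fetched")
        elif provider == "ldap" and not cp.has_option(section, "ldap_sudo_search_base"):
            findings.append(f"[{section}] sudo_provider=ldap but ldap_sudo_search_base is unset")

    # 3. sudo only consults SSSD when nsswitch.conf routes 'sudoers' to sss.
    sources: List[str] = []
    for line in nsswitch.splitlines():
        key, _, rest = line.partition(":")
        if key.strip() == "sudoers":
            sources = rest.split()
    if "sss" not in sources:
        findings.append("nsswitch.conf has no 'sudoers: ... sss' entry: sudo never asks SSSD")

    # 4. Optional: the plugin that sudo dlopen()s must exist at one of the given paths.
    lib_paths = list(lib_paths)
    if lib_paths and not any(os.path.exists(p) for p in lib_paths):
        findings.append("libsss_sudo.so not found at any of: " + ", ".join(lib_paths))
    return findings


if __name__ == "__main__":
    # Run against the constructed samples; on a real host pass the file contents
    # of /etc/sssd/sssd.conf and /etc/nsswitch.conf instead.
    for finding in lint_sudo_integration(SAMPLE_SSSD_CONF, NSSWITCH_NO_SUDOERS):
        print("FINDING:", finding)
```

One caveat on the local workaround quoted above: a `%admins ALL=(ALL) NOPASSWD: ALL` line in `/etc/sudoers` is evaluated before SSSD is consulted and grants passwordless root to every member of the local or IPA `admins` group on that host, regardless of the sudo rules defined centrally, so it is worth removing once the SSSD-backed rules are confirmed to work.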

[Freeipa-users] Mail Challenge Password Reset

2013-03-19 Thread John Moyer
Is there a mail challenge 3rd party tool that allows for users to change their 
own passwords if they don't know their password?  Something like PWM for LDAP? 

https://code.google.com/p/pwm/

I've been looking around and no one seems to have done this yet, but wanted to 
yield to this group before giving up hope. 

Thanks, 
_
John Moyer


[Freeipa-users] Allow IPA Join and remove only

2013-03-14 Thread John Moyer
Question: 

I am trying to reduce the rights to an account so that it can only add 
and remove machines from the IPA server.  It will be used for scripts to run as 
this user to bind machines that are stood up ad hoc to the IPA server, and then 
clean them up after they are ready for shutdown.   However, I don't want users 
that are allowed this access to be able to do much else (like remove my account 
or any of my engineers' accounts).  I was wondering if anyone had any words of 
wisdom on how to do this before I started doing guess-and-check research (since 
a few Google searches have yielded nothing).  



Thanks, 
_
John Moyer
Digital Reasoning Systems, Inc.



Re: [Freeipa-users] Cannot obtain CA Certificate

2013-02-26 Thread John Moyer
Sorry for the late response, so I tried this, and it changed the error to the 
following: 

Synchronizing time with KDC...

Joining realm failed: HTTP response code is 401, not 200
Installation failed. Rolling back changes.



Looking at debug this is what I see: 

< HTTP/1.1 401 Authorization Required
< Date: Tue, 26 Feb 2013 16:54:21 GMT
< Server: Apache/2.2.15 (CentOS)
* gss_init_sec_context() failed: : Server krbtgt/c...@example.com not found in Kerberos database
< WWW-Authenticate: Negotiate
< Last-Modified: Wed, 23 Jan 2013 22:16:50 GMT
< ETag: 4627-740-4d3fc0cfd7880
< Accept-Ranges: bytes
< Content-Length: 1856
< Connection: close
< Content-Type: text/html; charset=UTF-8





Thanks, 
_
John Moyer




On Feb 19, 2013, at 6:35 AM, Jan-Frode Myklebust janfr...@tanso.net wrote:

 ipa : ERROR    Cannot obtain CA certificate
 'ldap://ipa1.example.com' doesn't have a certificate.
 Installation failed. Rolling back changes.
 IPA client is not configured on this system.
 
 FYI, I have this same issue when enrolling RHEL5 clients. Have been
 doing this as a workaround:
 
   wget -O /etc/ipa/ca.crt http://ipa1.example.com/ipa/config/ca.crt
   ipa-client-install --no-ntp --mkhomedir --ca-cert-file=/etc/ipa/ca.crt
 
 
 
  -jf


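Jan-Frode's workaround fetches the CA certificate over plain HTTP before handing it to `ipa-client-install --ca-cert-file`, so nothing authenticates the file the client is about to trust as its realm's root of trust. The check below is an added example, not code from the thread or from FreeIPA: it compares the SHA-256 fingerprint of the downloaded PEM against a value obtained out-of-band (for instance from `openssl x509 -in /etc/ipa/ca.crt -noout -fingerprint -sha256` run on the IPA server itself) and refuses to proceed on a mismatch. `EXPECTED_CA_SHA256` is a placeholder, `der_to_pem` exists only to build test input, and the fingerprint is computed over the DER encoding, which is what `openssl -fingerprint` hashes.

```python
"""Pin the IPA CA certificate's fingerprint before using it for enrollment
(added example; not from the thread)."""
import base64
import hashlib
import hmac
import ssl
import sys

# Placeholder: the real value is read off the IPA server out-of-band and
# pasted here; it is not on the mailing-list page.
EXPECTED_CA_SHA256 = "<PLACEHOLDER: sha256 fingerprint of the real CA cert>"


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor (used here only to build constructed test input)."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


def pem_sha256_fingerprint(pem_text: str) -> str:
    """SHA-256 over the DER encoding, matching 'openssl x509 -fingerprint -sha256'."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)
    return hashlib.sha256(der).hexdigest()


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...' forms, optionally prefixed by 'SHA256 Fingerprint='."""
    fp = fp.split("=", 1)[-1]
    return fp.replace(":", "").strip().lower()


def ca_cert_matches(pem_text: str, expected_fingerprint: str) -> bool:
    """Constant-time comparison of the actual fingerprint with the pinned one."""
    actual = pem_sha256_fingerprint(pem_text)
    return hmac.compare_digest(actual, normalize_fingerprint(expected_fingerprint))


if __name__ == "__main__":
    # Usage: python3 pin_ca.py /etc/ipa/ca.crt   (after the wget shown in the thread)
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ipa/ca.crt"
    with open(path, "r", encoding="ascii") as fh:
        pem = fh.read()
    if ca_cert_matches(pem, EXPECTED_CA_SHA256):
        print("CA fingerprint matches; safe to pass --ca-cert-file=" + path)
        sys.exit(0)
    print("CA fingerprint MISMATCH for", path, "- do not enroll", file=sys.stderr)
    sys.exit(1)
```

Only after the script exits 0 should the `ipa-client-install --ca-cert-file=/etc/ipa/ca.crt` step from the workaround run; a mismatch means the file was altered in transit or the wrong CA was served, and enrolling with it would let whoever controls that CA impersonate the IPA server to this client.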


[Freeipa-users] Cannot obtain CA Certificate

2013-02-18 Thread John Moyer
Hello all, 

I am having an issue using IPA 2.2.0.   I am trying to put together a 
proof-of-concept set of systems.  I've stood up 2 servers on AWS.   One is the 
server, one is the client.   I am using CentOS 6 to do all this testing on, with 
the default IPA packages provided by CentOS.   I had a fully operational 
proof of concept finished, fully scripted to be built without issues.   I 
shut down and started these as needed to show to people to get approval for the 
project.   The other day the client stopped enrolling to the IPA server; I have 
no idea why. I assume a patch that was pushed out broke something, since it is a fully 
scripted install. It does get the most recent patches each time I stand it up, 
so it definitely would pull any new patches that came out. 

After investigating I am getting this error when I try to manually 
enroll the client.  I haven't been able to find any reference to this error 
anywhere on the net.  Any help would be greatly appreciated!  Let me know if 
any additional details are needed. 


PLEASE NOTE:  Everything below has been sanitized 


[root@client ~]# ipa-client-install --domain=example.com 
--server=ipa1.example.com --realm=EXAMPLE.COM --configure-ssh --configure-sshd 
-p ipa-bind -w blah -U
DNS domain 'example.com' is not configured for automatic KDC address lookup.
KDC address will be set to fixed value.

Discovery was successful!
Hostname: client.ec2.internal
Realm: EXAMPLE.COM
DNS Domain: digitalreasoning.com
IPA Server: ipa1.example.com
BaseDN: dc=example,dc=com


Synchronizing time with KDC...

ipa : ERROR    Cannot obtain CA certificate
'ldap://ipa1.example.com' doesn't have a certificate.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

 
Thanks, 
_
John Moyer

