Re: [Freeipa-users] increase the number of attempts to create /etc/krb5.keytab

2016-05-24 Thread Ask Stack
Thank you.
 

On Tuesday, May 24, 2016 9:56 AM, Rob Crittenden wrote:
 

 Ask Stack wrote:
> Sorry for asking the dumb question again. Where are the 389-ds logs? I
> can't find them in /var/log/ .

/var/log/dirsrv/slapd-REALM

What you'll want to look for is the BIND from the client and all results 
for that connection. The errors log tends to just log critical problems 
so it may not have much.

rob

>
>
> On Monday, May 23, 2016 5:10 PM, Rob Crittenden  wrote:
>
>
> Ask Stack wrote:
>  > Rob
>  > Thanks for the reply.
>  > I didn't find anything obvious in /var/log/dirsrv/slapd-/access and
>  > errors  and /var/log/krb5kdc.log
>  > Do you know which service is responsible for providing
>  > "/etc/krb5.keytab" to the client?
>
> It uses an LDAP extended operation so 389-ds. Any errors would be in the
> KDC log or, more likely, in the 389-ds logs.
>
> rob
>
>
>  >
>  > On Monday, May 23, 2016 2:57 PM, Rob Crittenden wrote:
>  >
>  >
>  > Ask Stack wrote:
>  >
>  >  > My company's ipa-client-install fails very often. Debug logs show the
>  >  > process always failed at getting the /etc/krb5.keytab.
>  >  > Is there a way to modify the script to increase number of attempts to
>  >  > create /etc/krb5.keytab?
>  >  >
>  >  > I noticed "--kinit-attempts=KINIT_ATTEMPTS, number of attempts to obtain
>  >  > host TGT (defaults to 5)." But it comes after setting up the
>  >  > "/etc/krb5.keytab" file.
>  >  > Thanks.
>  >  >
>  >  > server
>  >  > ipa-server-3.0.0-47.el6_7.1.x86_64
>  >  >
>  >  > client
>  >  > ipa-client-3.0.0-47.el6_7.2.x86_64
>  >  > ipa-client-3.0.0-50.el6.1.x86_64
>  >  >
>  >  >
>  >  > #SUCCESSFUL ATTEMPT
>  >  >
>  >  > Keytab successfully retrieved and stored in: /etc/krb5.keytab
>  >  > Certificate subject base is: O=TEST.COM
>  >  >
>  >  > 2016-05-23T14:40:49Z INFO Enrolled in IPA realm TEST.COM
>  >  > 2016-05-23T14:40:49Z DEBUG args=kdestroy
>  >  > 2016-05-23T14:40:49Z DEBUG stdout=
>  >  > 2016-05-23T14:40:49Z DEBUG stderr=
>  >  >
>  >  >
>  >  >
>  >  > #FAILED ATTEMPT
>  >  >
>  >  >
>  >  > ipa-getkeytab: ../../../libraries/libldap/extended.c:177:
>  >  > ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
>  >  > Certificate subject base is: O=TEST.COM
>  >  >
>  >  > 2016-05-23T14:37:08Z INFO Enrolled in IPA realm TEST.COM
>  >  > 2016-05-23T14:37:08Z DEBUG args=kdestroy
>  >  > 2016-05-23T14:37:08Z DEBUG stdout=
>  >  > 2016-05-23T14:37:08Z DEBUG stderr=
>  >
>  >
>  > There is no retry capability and in some cases would be impossible to
>  > add (the one-time password case). Can you check /var/log/krb5kdc on the
>  > IPA master it connected to, and the 389-ds access and errors logs as
>  > well. Perhaps one of those will have more information on why things failed.
>  >
>  > rob
>  >
>  >
>  >
>  >
>
>
>



  -- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] increase the number of attempts to create /etc/krb5.keytab

2016-05-24 Thread Rob Crittenden

Ask Stack wrote:

Sorry for asking the dumb question again. Where are the 389-ds logs? I
can't find them in /var/log/ .


/var/log/dirsrv/slapd-REALM

What you'll want to look for is the BIND from the client and all results 
for that connection. The errors log tends to just log critical problems 
so it may not have much.


rob




On Monday, May 23, 2016 5:10 PM, Rob Crittenden  wrote:


Ask Stack wrote:
 > Rob
 > Thanks for the reply.
 > I didn't find anything obvious in /var/log/dirsrv/slapd-/access and
 > errors  and /var/log/krb5kdc.log
 > Do you know which service is responsible for providing
 > "/etc/krb5.keytab" to the client?

It uses an LDAP extended operation so 389-ds. Any errors would be in the
KDC log or, more likely, in the 389-ds logs.

rob


 >
 > On Monday, May 23, 2016 2:57 PM, Rob Crittenden wrote:
 >
 >
 > Ask Stack wrote:
 >
 >  >  > My company's ipa-client-install fails very often. Debug logs show the
 >  >  > process always failed at getting the /etc/krb5.keytab.
 >  >  > Is there a way to modify the script to increase number of attempts to
 >  >  > create /etc/krb5.keytab?
 >  >  >
 >  >  > I noticed "--kinit-attempts=KINIT_ATTEMPTS, number of attempts to obtain
 >  >  > host TGT (defaults to 5)." But it comes after setting up the
 >  >  > "/etc/krb5.keytab" file.
 >  >  > Thanks.
 >  >  >
 >  >  > server
 >  >  > ipa-server-3.0.0-47.el6_7.1.x86_64
 >  >  >
 >  >  > client
 >  >  > ipa-client-3.0.0-47.el6_7.2.x86_64
 >  >  > ipa-client-3.0.0-50.el6.1.x86_64
 >  >  >
 >  >  >
 >  >  > #SUCCESSFUL ATTEMPT
 >  >
 >  > Keytab successfully retrieved and stored in: /etc/krb5.keytab
 >  > Certificate subject base is: O=TEST.COM
 >  >
 >  > 2016-05-23T14:40:49Z INFO Enrolled in IPA realm TEST.COM
 >  > 2016-05-23T14:40:49Z DEBUG args=kdestroy
 >  > 2016-05-23T14:40:49Z DEBUG stdout=
 >  > 2016-05-23T14:40:49Z DEBUG stderr=
 >  >
 >  >
 >  >
 >  > #FAILED ATTEMPT
 >  >
 >  >
 >  > ipa-getkeytab: ../../../libraries/libldap/extended.c:177:
 >  > ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
 >  > Certificate subject base is: O=TEST.COM
 >  >
 >  > 2016-05-23T14:37:08Z INFO Enrolled in IPA realm TEST.COM
 >  > 2016-05-23T14:37:08Z DEBUG args=kdestroy
 >  > 2016-05-23T14:37:08Z DEBUG stdout=
 >  > 2016-05-23T14:37:08Z DEBUG stderr=
 >
 >
 > There is no retry capability and in some cases would be impossible to
 > add (the one-time password case). Can you check /var/log/krb5kdc on the
 > IPA master it connected to, and the 389-ds access and errors logs as
 > well. Perhaps one of those will have more information on why things failed.
 >
 > rob
 >
 >
 >
 >





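Added example (not part of the thread or of FreeIPA): one way to do the check described above, collecting every 389-ds access-log line for connections from one client and listing operations that never received a RESULT. The log lines are constructed in the access-log layout; the addresses, DNs and the extended-operation oid and name are placeholders.

```python
import re

# Constructed sample in the 389-ds access-log layout (not from the thread).
# Addresses, DNs and the EXT oid/name are placeholders.
SAMPLE = """\
[23/May/2016:14:37:07 +0000] conn=41 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[23/May/2016:14:37:07 +0000] conn=41 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/May/2016:14:37:07 +0000] conn=41 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[23/May/2016:14:37:07 +0000] conn=41 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[23/May/2016:14:37:07 +0000] conn=41 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=client.example.test,cn=computers,cn=accounts,dc=example,dc=test"
[23/May/2016:14:37:08 +0000] conn=41 op=2 EXT oid="0.0.0.0" name="placeholder_extop"
[23/May/2016:14:37:08 +0000] conn=41 op=-1 fd=64 closed - B1
[23/May/2016:14:37:09 +0000] conn=42 fd=65 slot=65 connection from 192.0.2.99 to 192.0.2.1
[23/May/2016:14:37:09 +0000] conn=42 op=0 BIND dn="uid=someone,dc=example,dc=test" method=128 version=3
[23/May/2016:14:37:09 +0000] conn=42 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

LINE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) (?:op=(?P<op>-?\d+) )?(?P<rest>.*)$")
REQUESTS = {"BIND", "EXT", "SRCH", "MOD", "ADD", "DEL", "MODRDN", "CMP"}
SASL_IN_PROGRESS = 14  # LDAP saslBindInProgress: a normal step of a GSSAPI bind

def trace_client(log_text, client_ip):
    """Return {conn: {"lines", "pending" (ops with no RESULT), "errors"}} for one client."""
    conns = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        conn, op, rest = m["conn"], m["op"], m["rest"]
        if f"connection from {client_ip} " in rest:
            conns[conn] = {"lines": [], "pending": [], "errors": []}
        if conn not in conns:
            continue  # connection belongs to some other client
        c = conns[conn]
        c["lines"].append(raw)
        verb = rest.split(" ", 1)[0]
        if verb in REQUESTS:
            c["pending"].append(op)
        elif verb == "RESULT":
            if op in c["pending"]:
                c["pending"].remove(op)
            err = int(re.search(r"err=(\d+)", rest).group(1))
            if err not in (0, SASL_IN_PROGRESS):
                c["errors"].append((op, err))
    return conns

if __name__ == "__main__":
    for conn, info in trace_client(SAMPLE, "192.0.2.10").items():
        print(conn, "pending:", info["pending"], "errors:", info["errors"])
```

Run it against the access file under /var/log/dirsrv/slapd-REALM on the IPA master the client connected to, passing the client's address.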


Re: [Freeipa-users] increase the number of attempts to create /etc/krb5.keytab

2016-05-24 Thread Ask Stack
Sorry for asking the dumb question again. Where are the 389-ds logs? I can't 
find them in /var/log/ .  

On Monday, May 23, 2016 5:10 PM, Rob Crittenden  wrote:
 

 Ask Stack wrote:
> Rob
> Thanks for the reply.
> I didn't find anything obvious in /var/log/dirsrv/slapd-/access and
> errors  and /var/log/krb5kdc.log
> Do you know which service is responsible for providing
> "/etc/krb5.keytab" to the client?

It uses an LDAP extended operation so 389-ds. Any errors would be in the 
KDC log or, more likely, in the 389-ds logs.

rob

>
> On Monday, May 23, 2016 2:57 PM, Rob Crittenden  wrote:
>
>
> Ask Stack wrote:
>
>  > My company's ipa-client-install fails very often. Debug logs show the
>  > process always failed at getting the /etc/krb5.keytab.
>  > Is there a way to modify the script to increase number of attempts to
>  > create /etc/krb5.keytab?
>  >
>  > I noticed "--kinit-attempts=KINIT_ATTEMPTS, number of attempts to obtain
>  > host TGT (defaults to 5)." But it comes after setting up the
>  > "/etc/krb5.keytab" file.
>  > Thanks.
>  >
>  > server
>  > ipa-server-3.0.0-47.el6_7.1.x86_64
>  >
>  > client
>  > ipa-client-3.0.0-47.el6_7.2.x86_64
>  > ipa-client-3.0.0-50.el6.1.x86_64
>  >
>  >
>  > #SUCCESSFUL ATTEMPT
>  >
>  > Keytab successfully retrieved and stored in: /etc/krb5.keytab
>  > Certificate subject base is: O=TEST.COM
>  >
>  > 2016-05-23T14:40:49Z INFO Enrolled in IPA realm TEST.COM
>  > 2016-05-23T14:40:49Z DEBUG args=kdestroy
>  > 2016-05-23T14:40:49Z DEBUG stdout=
>  > 2016-05-23T14:40:49Z DEBUG stderr=
>  >
>  >
>  >
>  > #FAILED ATTEMPT
>  >
>  >
>  > ipa-getkeytab: ../../../libraries/libldap/extended.c:177:
>  > ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
>  > Certificate subject base is: O=TEST.COM
>  >
>  > 2016-05-23T14:37:08Z INFO Enrolled in IPA realm TEST.COM
>  > 2016-05-23T14:37:08Z DEBUG args=kdestroy
>  > 2016-05-23T14:37:08Z DEBUG stdout=
>  > 2016-05-23T14:37:08Z DEBUG stderr=
>
>
> There is no retry capability and in some cases would be impossible to
> add (the one-time password case). Can you check /var/log/krb5kdc on the
> IPA master it connected to, and the 389-ds access and errors logs as
> well. Perhaps one of those will have more information on why things failed.
>
> rob
>
>
>
>




Re: [Freeipa-users] increase the number of attempts to create /etc/krb5.keytab

2016-05-23 Thread Rob Crittenden

Ask Stack wrote:

Rob
Thanks for the reply.
I didn't find anything obvious in /var/log/dirsrv/slapd-/access and
errors  and /var/log/krb5kdc.log
Do you know which service is responsible for providing
"/etc/krb5.keytab" to the client?


It uses an LDAP extended operation so 389-ds. Any errors would be in the 
KDC log or, more likely, in the 389-ds logs.


rob



On Monday, May 23, 2016 2:57 PM, Rob Crittenden  wrote:


Ask Stack wrote:

 > My company's ipa-client-install fails very often. Debug logs show the
 > process always failed at getting the /etc/krb5.keytab.
 > Is there a way to modify the script to increase number of attempts to
 > create /etc/krb5.keytab?
 >
 > I noticed "--kinit-attempts=KINIT_ATTEMPTS, number of attempts to obtain
 > host TGT (defaults to 5)." But it comes after setting up the
 > "/etc/krb5.keytab" file.
 > Thanks.
 >
 > server
 > ipa-server-3.0.0-47.el6_7.1.x86_64
 >
 > client
 > ipa-client-3.0.0-47.el6_7.2.x86_64
 > ipa-client-3.0.0-50.el6.1.x86_64
 >
 >
 > #SUCCESSFUL ATTEMPT
 >
 > Keytab successfully retrieved and stored in: /etc/krb5.keytab
 > Certificate subject base is: O=TEST.COM
 >
 > 2016-05-23T14:40:49Z INFO Enrolled in IPA realm TEST.COM
 > 2016-05-23T14:40:49Z DEBUG args=kdestroy
 > 2016-05-23T14:40:49Z DEBUG stdout=
 > 2016-05-23T14:40:49Z DEBUG stderr=
 >
 >
 >
 > #FAILED ATTEMPT
 >
 >
 > ipa-getkeytab: ../../../libraries/libldap/extended.c:177:
 > ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
 > Certificate subject base is: O=TEST.COM
 >
 > 2016-05-23T14:37:08Z INFO Enrolled in IPA realm TEST.COM
 > 2016-05-23T14:37:08Z DEBUG args=kdestroy
 > 2016-05-23T14:37:08Z DEBUG stdout=
 > 2016-05-23T14:37:08Z DEBUG stderr=


There is no retry capability and in some cases would be impossible to
add (the one-time password case). Can you check /var/log/krb5kdc on the
IPA master it connected to, and the 389-ds access and errors logs as
well. Perhaps one of those will have more information on why things failed.

rob








Re: [Freeipa-users] increase the number of attempts to create /etc/krb5.keytab

2016-05-23 Thread Ask Stack
Rob
Thanks for the reply.
I didn't find anything obvious in /var/log/dirsrv/slapd-/access and errors and
/var/log/krb5kdc.log
Do you know which service is responsible for providing
"/etc/krb5.keytab" to the client?


On Monday, May 23, 2016 2:57 PM, Rob Crittenden  wrote:
 

 Ask Stack wrote:
> My company's ipa-client-install fails very often. Debug logs show the
> process always failed at getting the /etc/krb5.keytab.
> Is there a way to modify the script to increase number of attempts to
> create /etc/krb5.keytab?
>
> I noticed "--kinit-attempts=KINIT_ATTEMPTS, number of attempts to obtain
> host TGT (defaults to 5)." But it comes after setting up the
> "/etc/krb5.keytab" file.
> Thanks.
>
> server
> ipa-server-3.0.0-47.el6_7.1.x86_64
>
> client
> ipa-client-3.0.0-47.el6_7.2.x86_64
> ipa-client-3.0.0-50.el6.1.x86_64
>
>
> #SUCCESSFUL ATTEMPT
>
> Keytab successfully retrieved and stored in: /etc/krb5.keytab
> Certificate subject base is: O=TEST.COM
>
> 2016-05-23T14:40:49Z INFO Enrolled in IPA realm TEST.COM
> 2016-05-23T14:40:49Z DEBUG args=kdestroy
> 2016-05-23T14:40:49Z DEBUG stdout=
> 2016-05-23T14:40:49Z DEBUG stderr=
>
>
>
> #FAILED ATTEMPT
>
>
> ipa-getkeytab: ../../../libraries/libldap/extended.c:177:
> ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
> Certificate subject base is: O=TEST.COM
>
> 2016-05-23T14:37:08Z INFO Enrolled in IPA realm TEST.COM
> 2016-05-23T14:37:08Z DEBUG args=kdestroy
> 2016-05-23T14:37:08Z DEBUG stdout=
> 2016-05-23T14:37:08Z DEBUG stderr=

There is no retry capability and in some cases would be impossible to 
add (the one-time password case). Can you check /var/log/krb5kdc on the 
IPA master it connected to, and the 389-ds access and errors logs as 
well. Perhaps one of those will have more information on why things failed.

rob




Re: [Freeipa-users] increase the number of attempts to create /etc/krb5.keytab

2016-05-23 Thread Rob Crittenden

Ask Stack wrote:

My company's ipa-client-install fails very often. Debug logs show the
process always failed at getting the /etc/krb5.keytab.
Is there a way to modify the script to increase number of attempts to
create /etc/krb5.keytab?

I noticed "--kinit-attempts=KINIT_ATTEMPTS, number of attempts to obtain
host TGT (defaults to 5)." But it comes after setting up the
"/etc/krb5.keytab" file.
Thanks.

server
ipa-server-3.0.0-47.el6_7.1.x86_64

client
ipa-client-3.0.0-47.el6_7.2.x86_64
ipa-client-3.0.0-50.el6.1.x86_64


#SUCCESSFUL ATTEMPT

Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=TEST.COM

2016-05-23T14:40:49Z INFO Enrolled in IPA realm TEST.COM
2016-05-23T14:40:49Z DEBUG args=kdestroy
2016-05-23T14:40:49Z DEBUG stdout=
2016-05-23T14:40:49Z DEBUG stderr=



#FAILED ATTEMPT


ipa-getkeytab: ../../../libraries/libldap/extended.c:177:
ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
Certificate subject base is: O=TEST.COM

2016-05-23T14:37:08Z INFO Enrolled in IPA realm TEST.COM
2016-05-23T14:37:08Z DEBUG args=kdestroy
2016-05-23T14:37:08Z DEBUG stdout=
2016-05-23T14:37:08Z DEBUG stderr=


There is no retry capability and in some cases would be impossible to 
add (the one-time password case). Can you check /var/log/krb5kdc on the 
IPA master it connected to, and the 389-ds access and errors logs as 
well. Perhaps one of those will have more information on why things failed.


rob



[Freeipa-users] increase the number of attempts to create /etc/krb5.keytab

2016-05-23 Thread Ask Stack
My company's ipa-client-install fails very often. Debug logs show the process
always failed at getting the /etc/krb5.keytab.
Is there a way to modify the script to increase number of attempts to create
/etc/krb5.keytab?
I noticed "--kinit-attempts=KINIT_ATTEMPTS, number of attempts to obtain host
TGT (defaults to 5)." But it comes after setting up the "/etc/krb5.keytab"
file.
Thanks.

server
ipa-server-3.0.0-47.el6_7.1.x86_64

client
ipa-client-3.0.0-47.el6_7.2.x86_64
ipa-client-3.0.0-50.el6.1.x86_64


#SUCCESSFUL ATTEMPT

Keytab successfully retrieved and stored in: /etc/krb5.keytab
Certificate subject base is: O=TEST.COM

2016-05-23T14:40:49Z INFO Enrolled in IPA realm TEST.COM
2016-05-23T14:40:49Z DEBUG args=kdestroy
2016-05-23T14:40:49Z DEBUG stdout=
2016-05-23T14:40:49Z DEBUG stderr=



#FAILED ATTEMPT


ipa-getkeytab: ../../../libraries/libldap/extended.c:177: 
ldap_parse_extended_result: Assertion `res != ((void *)0)' failed.
Certificate subject base is: O=TEST.COM

2016-05-23T14:37:08Z INFO Enrolled in IPA realm TEST.COM
2016-05-23T14:37:08Z DEBUG args=kdestroy
2016-05-23T14:37:08Z DEBUG stdout=
2016-05-23T14:37:08Z DEBUG stderr=
