Re: [Freeipa-users] IPA weirdness with Samba, Dovecot IMAP and SSHD
hi, Qing

On Sat, Nov 17, 2012 at 8:20 PM, Qing Chang <qch...@sri.utoronto.ca> wrote:

> 2, Dovecot + IPA: it is not an IPA issue but an sss cache timeout issue, I
> read it's 90 min? When a user changes his/her password, the cache usually is
> not updated, hence the problem checking IMAP email with the new password.
>
> Fix/workaround:
>   \rm /var/lib/sss/db/cache_sri.utoronto.ca.ldb
>   service sssd restart
>
> This is really heavy handed, but I cannot find the sss_cache utility
> anywhere for RHEL 6.3!
>
> Question: is there a way to shorten the timeout period? Where can I find
> sss_cache?

last week I asked a similar question :-). In the man page of sssd.conf look
for 'timeout'. There are quite a few settings you can change about the
sss_cache.

the sss_cache is in a package called sssd-tools now, in the next release it
will be part of the sssd main package

> I have great confidence in IPA now, big part of it is because of this list!!

Me too.

--
groet,
natxo

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA weirdness with Samba, Dovecot IMAP and SSHD
On 19/11/2012 3:33 AM, Natxo Asenjo wrote:
> hi, Qing
>
> On Sat, Nov 17, 2012 at 8:20 PM, Qing Chang <qch...@sri.utoronto.ca> wrote:
>
>> 2, Dovecot + IPA: it is not an IPA issue but an sss cache timeout issue, I
>> read it's 90 min? When a user changes his/her password, the cache usually
>> is not updated, hence the problem checking IMAP email with the new
>> password.
>>
>> Fix/workaround:
>>   \rm /var/lib/sss/db/cache_sri.utoronto.ca.ldb
>>   service sssd restart
>>
>> This is really heavy handed, but I cannot find the sss_cache utility
>> anywhere for RHEL 6.3!
>>
>> Question: is there a way to shorten the timeout period? Where can I find
>> sss_cache?
>
> last week I asked a similar question :-). In the man page of sssd.conf look
> for 'timeout'. There are quite a few settings you can change about the
> sss_cache.
>
> the sss_cache is in a package called sssd-tools now, in the next release it
> will be part of the sssd main package
>
>> I have great confidence in IPA now, big part of it is because of this
>> list!!
>
> Me too.

thanks, Natxo, I'll do some research on it.

Qing
Re: [Freeipa-users] IPA weirdness with Samba, Dovecot IMAP and SSHD
On 11/17/2012 02:20 PM, Qing Chang wrote:
> On 16/11/2012 12:11 PM, Dmitri Pal wrote:
>> On 11/16/2012 10:59 AM, Qing Chang wrote:
>>> just migrated all my users from OpenLDAP and MIT Kerberos to IPA. Out of
>>> more than 400 users, there are around 10 that have problems accessing
>>> Samba or Dovecot IMAP or ssh. They never have problems logging in to
>>> ipa/ipa/ui/login.html.
>>>
>>> For Dovecot IMAP the following error is generated:
>>> =====
>>> Nov 16 10:15:03 dovecot2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=userid rhost=IP user=userid
>>> Nov 16 10:15:03 dovecot2 auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=userid rhost=IP user=userid
>>> Nov 16 10:15:03 dovecot2 auth: pam_sss(dovecot:auth): received for user userid: 4 (System error)
>>
>> Hello Qing
>>
>> There are several things to do:
>>
>> 1) Compare entries of the users that login with no problems and users that
>> have problems. There might be some attributes different (absent/present).
>> That might give a hint of what might be wrong. We have seen some issues in
>> this area related to Samba.
>>
>> 2) Can you please enable the higher debug_level in SSSD and provide the
>> SSSD logs + sssd.conf that would help to see what is going on with the
>> user that is failing.
>>
>> 3) Also if you can describe your environment of how all the parts work
>> together and what are the workflows in which you see the problem/issue. I
>> am personally not familiar with Dovecot in detail so I assume that Dovecot
>> is configured to use PAM for the authentication and the snippet above is
>> from that authentication. Is this the correct assumption?
>>
>> Thanks
>> Dmitri
>
> Dmitri, appreciate your prompt response.
>
> I have been on this thing for the past day and a half, I think I now
> understand the issues and found fix/workaround for them.
>
> 1, Samba + IPA: when this attribute sambaPwdLastSet is set to 0, a samba
> mapping request will cause samba to CLEAR sambaLMPassword and
> sambaNTPassword attributes, yes, not set password to something, but the
> attributes are wiped out. This may only apply to my situation because I
> HAVE to use samba 3.0.23d, an ancient version!!
>
> Originally when I migrated users from OpenLDAP, sambaPwdLastSet had a
> non-zero value for every account. As users migrated their password
> properly, the value was not touched. But, if someone's password has to be
> reset (too short, forgotten) by us admin users using the UI, sambaPwdLastSet
> is set to 0. This explains why the problem is not widespread.
>
> Fix/workaround: change sambaPwdLastSet to a sensible value after a password
> reset by admin.
>
> Question: is this a designed behavior for IPA? Or does migrate-mode or not
> make a difference?

I think you see this:
https://fedorahosted.org/freeipa/ticket/3206

This is exactly the ticket I referred to when said: We have seen some issues
in this area related to Samba.

It is planned for next big release code name Pilsner barrel. We will start
working on this release early next year.

> 2, Dovecot + IPA: it is not an IPA issue but an sss cache timeout issue, I
> read it's 90 min? When a user changes his/her password, the cache usually is
> not updated, hence the problem checking IMAP email with the new password.
>
> Fix/workaround:
>   \rm /var/lib/sss/db/cache_sri.utoronto.ca.ldb
>   service sssd restart
>
> This is really heavy handed, but I cannot find the sss_cache utility
> anywhere for RHEL 6.3!
>
> Question: is there a way to shorten the timeout period? Where can I find
> sss_cache?
>
> I have great confidence in IPA now, big part of it is because of this list!!
>
> Many thanks,
> Qing
>
>>> =====
>>> For Samba, it appears that a mapping request never gets to the Samba
>>> server because nothing is logged for a problematic user ID although I
>>> have turned on excessive logging.
>>>
>>> What is really frustrating is that there is no pattern to be found, even
>>> my fellow Sysadmin's ID is also in trouble. Also, in his case, he has no
>>> problem with Dovecot. For another user ID Samba works but not Dovecot. It
>>> looks to me there might be some problem with sssd on the different
>>> servers?
>>>
>>> BTW, for at least one user, creating a brand new account for samba did
>>> not work either, while the trick worked for another user :-(.
>>>
>>> Please shed some light on this. I don't mind opening a case with RedHat
>>> support if necessary.
>>>
>>> Red Hat Enterprise Linux Server release 6.3 (Santiago)
>>> ipa-server.x86_64   2.2.0-16.el6   @rhel-x86_64-server-6
>>> sssd.x86_64         1.8.0-32.el6   @rhel-x86_64-server-6
>>> sssd-client.x86_64  1.8.0-32.el6   @rhel-x86_64-server-6
>>>
>>> TIA,
>>> Qing

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Re: [Freeipa-users] IPA weirdness with Samba, Dovecot IMAP and SSHD
On 16/11/2012 12:11 PM, Dmitri Pal wrote:
> On 11/16/2012 10:59 AM, Qing Chang wrote:
>> just migrated all my users from OpenLDAP and MIT Kerberos to IPA. Out of
>> more than 400 users, there are around 10 that have problems accessing
>> Samba or Dovecot IMAP or ssh. They never have problems logging in to
>> ipa/ipa/ui/login.html.
>>
>> For Dovecot IMAP the following error is generated:
>> =====
>> Nov 16 10:15:03 dovecot2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=userid rhost=IP user=userid
>> Nov 16 10:15:03 dovecot2 auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=userid rhost=IP user=userid
>> Nov 16 10:15:03 dovecot2 auth: pam_sss(dovecot:auth): received for user userid: 4 (System error)
>
> Hello Qing
>
> There are several things to do:
>
> 1) Compare entries of the users that login with no problems and users that
> have problems. There might be some attributes different (absent/present).
> That might give a hint of what might be wrong. We have seen some issues in
> this area related to Samba.
>
> 2) Can you please enable the higher debug_level in SSSD and provide the SSSD
> logs + sssd.conf that would help to see what is going on with the user that
> is failing.
>
> 3) Also if you can describe your environment of how all the parts work
> together and what are the workflows in which you see the problem/issue. I am
> personally not familiar with Dovecot in detail so I assume that Dovecot is
> configured to use PAM for the authentication and the snippet above is from
> that authentication. Is this the correct assumption?
>
> Thanks
> Dmitri

Dmitri, appreciate your prompt response.

I have been on this thing for the past day and a half, I think I now
understand the issues and found fix/workaround for them.

1, Samba + IPA: when this attribute sambaPwdLastSet is set to 0, a samba
mapping request will cause samba to CLEAR sambaLMPassword and sambaNTPassword
attributes, yes, not set password to something, but the attributes are wiped
out. This may only apply to my situation because I HAVE to use samba 3.0.23d,
an ancient version!!

Originally when I migrated users from OpenLDAP, sambaPwdLastSet had a non-zero
value for every account. As users migrated their password properly, the value
was not touched. But, if someone's password has to be reset (too short,
forgotten) by us admin users using the UI, sambaPwdLastSet is set to 0. This
explains why the problem is not widespread.

Fix/workaround: change sambaPwdLastSet to a sensible value after a password
reset by admin.

Question: is this a designed behavior for IPA? Or does migrate-mode or not
make a difference?

2, Dovecot + IPA: it is not an IPA issue but an sss cache timeout issue, I
read it's 90 min? When a user changes his/her password, the cache usually is
not updated, hence the problem checking IMAP email with the new password.

Fix/workaround:
  \rm /var/lib/sss/db/cache_sri.utoronto.ca.ldb
  service sssd restart

This is really heavy handed, but I cannot find the sss_cache utility anywhere
for RHEL 6.3!

Question: is there a way to shorten the timeout period? Where can I find
sss_cache?

I have great confidence in IPA now, big part of it is because of this list!!

Many thanks,
Qing

>> =====
>> For Samba, it appears that a mapping request never gets to the Samba
>> server because nothing is logged for a problematic user ID although I have
>> turned on excessive logging.
>>
>> What is really frustrating is that there is no pattern to be found, even
>> my fellow Sysadmin's ID is also in trouble. Also, in his case, he has no
>> problem with Dovecot. For another user ID Samba works but not Dovecot. It
>> looks to me there might be some problem with sssd on the different
>> servers?
>>
>> BTW, for at least one user, creating a brand new account for samba did not
>> work either, while the trick worked for another user :-(.
>>
>> Please shed some light on this. I don't mind opening a case with RedHat
>> support if necessary.
>>
>> Red Hat Enterprise Linux Server release 6.3 (Santiago)
>> ipa-server.x86_64   2.2.0-16.el6   @rhel-x86_64-server-6
>> sssd.x86_64         1.8.0-32.el6   @rhel-x86_64-server-6
>> sssd-client.x86_64  1.8.0-32.el6   @rhel-x86_64-server-6
>>
>> TIA,
>> Qing
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
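The two workarounds in the message above (give sambaPwdLastSet a sensible value after an admin reset; flush the SSSD cache after a password change) can be made targeted rather than heavy handed. The script below is an added example, not code from the thread or from FreeIPA/SSSD. It parses LDIF as produced by an ldapsearch for the Samba attributes, flags the accounts that are in the dangerous state (sambaPwdLastSet set to 0, or the NT hash already gone), emits an ldapmodify-ready LDIF to repair the timestamp, and invalidates only the affected users' SSSD cache entries with sss_cache (the sssd-tools package on RHEL 6, as Natxo notes later in the thread) instead of deleting the whole cache ldb. The base DN, the search filter and all sample values are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit IPA entries for the
# sambaPwdLastSet=0 condition, repair the timestamp, and invalidate
# only the affected users in the SSSD cache.

# Constructed sample LDIF, standing in for the output of something like
#   ldapsearch -Y GSSAPI -LLL -b cn=users,cn=accounts,dc=example,dc=com \
#     '(objectClass=sambaSamAccount)' uid sambaPwdLastSet sambaNTPassword
# The base DN and filter are assumptions; the hash values are fake.
SAMPLE_LDIF='dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
sambaPwdLastSet: 1352991600
sambaNTPassword: 0000000000000000000000000000AAAA

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
sambaPwdLastSet: 0
sambaNTPassword: 0000000000000000000000000000BBBB

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
uid: carol
sambaPwdLastSet: 1352991600
'

# Read LDIF on stdin; print one "uid reason" line per entry that either has
# sambaPwdLastSet set to 0 (admin-reset account whose hashes the old Samba
# will wipe on the next mapping request) or already lacks sambaNTPassword
# (the hashes are gone; only a new password from the user brings them back).
flag_samba_entries() {
    awk '
        function report() {
            if (uid == "") { return }
            if (lastset == "0") {
                print uid " sambaPwdLastSet=0"
            } else if (!has_nt) {
                print uid " missing sambaNTPassword"
            }
        }
        /^uid: /             { uid = $2 }
        /^sambaPwdLastSet: / { lastset = $2 }
        /^sambaNTPassword: / { has_nt = 1 }
        /^$/                 { report(); uid = ""; lastset = ""; has_nt = 0 }
        END                  { report() }
    '
}

# Emit a changetype:modify LDIF that gives sambaPwdLastSet a sensible value
# (now, as a Unix timestamp) for one user, ready to pipe into ldapmodify.
# The DN layout is an assumption; the second argument lets a caller pin the
# timestamp instead of taking the current time.
pwdlastset_ldif() {
    uid=$1
    now=${2:-$(date +%s)}
    printf 'dn: uid=%s,cn=users,cn=accounts,dc=example,dc=com\n' "$uid"
    printf 'changetype: modify\nreplace: sambaPwdLastSet\nsambaPwdLastSet: %s\n' "$now"
}

# Invalidate the SSSD cache entry for exactly the listed users instead of
# removing /var/lib/sss/db/cache_*.ldb. sss_cache is in sssd-tools on RHEL 6;
# if it is not installed, print what would be run rather than guessing.
invalidate_users() {
    for u in "$@"; do
        if command -v sss_cache >/dev/null 2>&1; then
            sss_cache -u "$u"
        else
            echo "sss_cache not found (yum install sssd-tools); would run: sss_cache -u $u" >&2
        fi
    done
}

main() {
    printf '%s' "$SAMPLE_LDIF" | flag_samba_entries | while read -r uid reason; do
        echo "# $uid: $reason"
        case $reason in
            sambaPwdLastSet=0) pwdlastset_ldif "$uid" ;;
        esac
        invalidate_users "$uid"
    done
}

main "$@"
```

Run it against the real directory by replacing SAMPLE_LDIF with the actual ldapsearch output. Setting the timestamp only helps accounts flagged as sambaPwdLastSet=0 whose hashes are still present; for an entry already reported as missing sambaNTPassword the hash is gone and the user has to set a new password. The cache lifetime Qing asks about is the entry_cache_timeout option in the [domain/...] section of sssd.conf, whose default of 5400 seconds is the 90 minutes he quotes; lowering it trades load on the IPA servers for freshness, whereas sss_cache -u expires one user immediately without a restart.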
Re: [Freeipa-users] IPA weirdness with Samba, Dovecot IMAP and SSHD
On 11/16/2012 10:59 AM, Qing Chang wrote:
> just migrated all my users from OpenLDAP and MIT Kerberos to IPA. Out of more
> than 400 users, there are around 10 that have problems accessing Samba or
> Dovecot IMAP or ssh. They never have problems logging in to
> ipa/ipa/ui/login.html.
>
> For Dovecot IMAP the following error is generated:
> =====
> Nov 16 10:15:03 dovecot2 auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=userid rhost=IP user=userid
> Nov 16 10:15:03 dovecot2 auth: pam_sss(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=userid rhost=IP user=userid
> Nov 16 10:15:03 dovecot2 auth: pam_sss(dovecot:auth): received for user userid: 4 (System error)

Hello Qing

There are several things to do:

1) Compare entries of the users that login with no problems and users that
have problems. There might be some attributes different (absent/present). That
might give a hint of what might be wrong. We have seen some issues in this
area related to Samba.

2) Can you please enable the higher debug_level in SSSD and provide the SSSD
logs + sssd.conf that would help to see what is going on with the user that is
failing.

3) Also if you can describe your environment of how all the parts work
together and what are the workflows in which you see the problem/issue. I am
personally not familiar with Dovecot in detail so I assume that Dovecot is
configured to use PAM for the authentication and the snippet above is from
that authentication. Is this the correct assumption?

Thanks
Dmitri

> =====
> For Samba, it appears that a mapping request never gets to the Samba server
> because nothing is logged for a problematic user ID although I have turned
> on excessive logging.
>
> What is really frustrating is that there is no pattern to be found, even my
> fellow Sysadmin's ID is also in trouble. Also, in his case, he has no
> problem with Dovecot. For another user ID Samba works but not Dovecot. It
> looks to me there might be some problem with sssd on the different servers?
>
> BTW, for at least one user, creating a brand new account for samba did not
> work either, while the trick worked for another user :-(.
>
> Please shed some light on this. I don't mind opening a case with RedHat
> support if necessary.
>
> Red Hat Enterprise Linux Server release 6.3 (Santiago)
> ipa-server.x86_64   2.2.0-16.el6   @rhel-x86_64-server-6
> sssd.x86_64         1.8.0-32.el6   @rhel-x86_64-server-6
> sssd-client.x86_64  1.8.0-32.el6   @rhel-x86_64-server-6
>
> TIA,
> Qing

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.