Re: [Freeipa-users] LDAP based autofs map redundancy
Hello,

To add to the previous mail, I have noticed this: I had two IPAs, hydrogen and lithium. lithium died and I will be resetting another soon, after I find why the setup isn't redundant with one IPA. But this line seems to be a lead:

Working:
ipa_server = _srv_, hydrogen.eng.example.com

Failing:
ipa_server = _srv_, lithium.eng.example.com

I have read on that format and it seems fine from the reading. To add on that, DNS records seem to be fine too.

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> SRV _ldap._tcp.eng.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;_ldap._tcp.eng.example.com.        IN      SRV

;; ANSWER SECTION:
_ldap._tcp.eng.example.com. 86400 IN SRV 0 100 389 hydrogen.eng.example.com.
_ldap._tcp.eng.example.com. 86400 IN SRV 0 100 389 lithium.eng.example.com.

;; AUTHORITY SECTION:
eng.example.com.        86400 IN NS hydrogen.eng.example.com.
eng.example.com.        86400 IN NS lithium.eng.example.com.

;; ADDITIONAL SECTION:
lithium.eng.example.com.  1200 IN A 192.168.20.3
hydrogen.eng.example.com. 1200 IN A 192.168.20.1

;; Query time: 1 msec
;; SERVER: 192.168.20.1#53(192.168.20.1)
;; WHEN: Tue Mar 14 18:32:44 2017
;; MSG SIZE  rcvd: 200

What could I be missing?

Regards,
William

On 5 March 2017 at 14:59, William Muriithi wrote:
> Jakub,
>
> >>
> >> It does look though like kerberos is not affected as all systems can
> >> authenticate fine, so looks like its autofs issue alone
> >>
> >> This is the error I am noticing on the logs.
> >>
> >> Mar 2 14:18:29 platinum automount[2887]: key "brad" not found in map
> >> source(s).
> >> Mar 2 14:19:18 platinum automount[2887]: bind_ldap_simple:
> >> lookup(ldap): Unable to bind to the LDAP server: (default), error
> >> Can't contact LDAP server
> >> Mar 2 14:19:21 platinum automount[2887]: bind_ldap_simple:
> >> lookup(ldap): Unable to bind to the LDAP server: (default), error
> >> Can't contact LDAP server
> >
> > I guess /etc/nsswitch.conf uses ldap for automount and not sssd?
>
> Actually no. We are using SSSD
>
> Just checked to confirm and looks like below:
>
> services: files sss
> netgroup: files sss
> publickey: nisplus
> automount: sss files
> aliases: files nisplus
> sudoers: files sss
>
> Regards,
> William

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] LDAP based autofs map redundancy
On Sun, Mar 05, 2017 at 02:59:39PM -0500, William Muriithi wrote:
> Jakub,
>
> >>
> >> It does look though like kerberos is not affected as all systems can
> >> authenticate fine, so looks like its autofs issue alone
> >>
> >> This is the error I am noticing on the logs.
> >>
> >> Mar 2 14:18:29 platinum automount[2887]: key "brad" not found in map
> >> source(s).
> >> Mar 2 14:19:18 platinum automount[2887]: bind_ldap_simple:
> >> lookup(ldap): Unable to bind to the LDAP server: (default), error
> >> Can't contact LDAP server
> >> Mar 2 14:19:21 platinum automount[2887]: bind_ldap_simple:
> >> lookup(ldap): Unable to bind to the LDAP server: (default), error
> >> Can't contact LDAP server
> >
> > I guess /etc/nsswitch.conf uses ldap for automount and not sssd?
>
> Actually no. We are using SSSD
>
> Just checked to confirm and looks like below:
>
> services: files sss
> netgroup: files sss
> publickey: nisplus
> automount: sss files
> aliases: files nisplus
> sudoers: files sss

Then I suspect the automounter used to use the ldap module and then was not restarted after nsswitch.conf was set to include sss, because the error messages look like they include error messages directly from libldap, and I wouldn't expect to see those with sssd.
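One way to check for the situation Jakub describes on a client, as an added example that is not part of this thread: it parses automount syslog lines (the constructed sample below reuses the lines William posted) together with the automount entry of nsswitch.conf, and flags the case where nsswitch names sss but the log shows automount's lookup(ldap) module binding to LDAP on its own, which is the signature of a daemon still running with the old lookup module loaded. The function and sample names are mine.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the automount lines from the thread, as syslog would write them.
SAMPLE_LOG = """\
Mar  2 14:18:29 platinum automount[2887]: key "brad" not found in map source(s).
Mar  2 14:19:18 platinum automount[2887]: bind_ldap_simple: lookup(ldap): Unable to bind to the LDAP server: (default), error Can't contact LDAP server
Mar  2 14:19:21 platinum automount[2887]: bind_ldap_simple: lookup(ldap): Unable to bind to the LDAP server: (default), error Can't contact LDAP server
"""

# Constructed nsswitch.conf fragment matching the one posted in the thread.
SAMPLE_NSSWITCH = """\
services:   files sss
netgroup:   files sss
automount:  sss files
sudoers:    files sss
"""

# syslog prefix, then an optional "<function>: " and optional "lookup(<module>): " from automount.
AUTOMOUNT_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) automount\[(?P<pid>\d+)\]: '
    r'(?:(?P<fn>\w+): )?(?:lookup\((?P<module>\w+)\): )?(?P<msg>.*)$'
)

def parse_automount_log(text: str) -> List[Dict[str, Optional[str]]]:
    """One dict per automount line: which lookup module spoke and what it said."""
    return [m.groupdict() for m in map(AUTOMOUNT_RE.match, text.splitlines()) if m]

def nsswitch_sources(text: str, db: str = "automount") -> List[str]:
    """Sources configured for a database in nsswitch.conf (empty if absent)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if line.startswith(db + ":"):
            return line.split(":", 1)[1].split()
    return []

def check_lookup_module_mismatch(log_text: str, nsswitch_text: str) -> Dict[str, object]:
    """Flag automount binding to LDAP directly while nsswitch.conf does not list ldap."""
    events = parse_automount_log(log_text)
    ldap_binds = [e for e in events if e["module"] == "ldap" and e["fn"] == "bind_ldap_simple"]
    sources = nsswitch_sources(nsswitch_text)
    return {
        "pids": sorted({e["pid"] for e in ldap_binds}),          # daemons to restart
        "direct_ldap_bind_failures": len(ldap_binds),
        "nsswitch_automount": sources,
        "likely_stale_automount": bool(ldap_binds) and "ldap" not in sources,
    }
```

A hit means the running automount PID predates the nsswitch.conf change and should be restarted so it picks up the sss source.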
Re: [Freeipa-users] LDAP based autofs map redundancy
Jakub,

>>
>> It does look though like kerberos is not affected as all systems can
>> authenticate fine, so looks like its autofs issue alone
>>
>> This is the error I am noticing on the logs.
>>
>> Mar 2 14:18:29 platinum automount[2887]: key "brad" not found in map
>> source(s).
>> Mar 2 14:19:18 platinum automount[2887]: bind_ldap_simple:
>> lookup(ldap): Unable to bind to the LDAP server: (default), error
>> Can't contact LDAP server
>> Mar 2 14:19:21 platinum automount[2887]: bind_ldap_simple:
>> lookup(ldap): Unable to bind to the LDAP server: (default), error
>> Can't contact LDAP server
>
> I guess /etc/nsswitch.conf uses ldap for automount and not sssd?
>
Actually no. We are using SSSD.

Just checked to confirm and it looks like below:

services: files sss
netgroup: files sss
publickey: nisplus
automount: sss files
aliases: files nisplus
sudoers: files sss

Regards,
William
Re: [Freeipa-users] LDAP based autofs map redundancy
On Thu, Mar 02, 2017 at 03:28:38PM -0500, William Muriithi wrote:
> Afternoon,
>
> I have noticed that even when a network has two IPA for redundancy,
> autofs don't seem to be able to take advantage of the remaining IPA
> should one of the IPA goes down.
>
> Is this a know issue with LDAP based maps or is it a configuration
> that need to be adjusted. By the way, only about half of the systems
> are affected and I have noticed they have this on sssd.conf
>
> ipa_server = _srv_, hydrogen.eng.example.com
>
> It does look though like kerberos is not affected as all systems can
> authenticate fine, so looks like its autofs issue alone
>
> This is the error I am noticing on the logs.
>
> Mar 2 14:18:29 platinum automount[2887]: key "brad" not found in map
> source(s).
> Mar 2 14:19:18 platinum automount[2887]: bind_ldap_simple:
> lookup(ldap): Unable to bind to the LDAP server: (default), error
> Can't contact LDAP server
> Mar 2 14:19:21 platinum automount[2887]: bind_ldap_simple:
> lookup(ldap): Unable to bind to the LDAP server: (default), error
> Can't contact LDAP server

I guess /etc/nsswitch.conf uses ldap for automount and not sssd?
[Freeipa-users] LDAP based autofs map redundancy
Afternoon,

I have noticed that even when a network has two IPAs for redundancy, autofs doesn't seem to be able to take advantage of the remaining IPA should one of the IPAs go down.

Is this a known issue with LDAP based maps, or is it a configuration that needs to be adjusted? By the way, only about half of the systems are affected, and I have noticed they have this in sssd.conf:

ipa_server = _srv_, hydrogen.eng.example.com

It does look though like kerberos is not affected, as all systems can authenticate fine, so it looks like it's an autofs issue alone.

This is the error I am noticing in the logs.

Mar 2 14:18:29 platinum automount[2887]: key "brad" not found in map source(s).
Mar 2 14:19:18 platinum automount[2887]: bind_ldap_simple: lookup(ldap): Unable to bind to the LDAP server: (default), error Can't contact LDAP server
Mar 2 14:19:21 platinum automount[2887]: bind_ldap_simple: lookup(ldap): Unable to bind to the LDAP server: (default), error Can't contact LDAP server

Regards,
William