Re: [Freeipa-users] LDAP based autofs map redundancy

2017-03-14 Thread William Muriithi
Hello,

To add to previous mail, I have noticed this:

I had two IPA, hydrogen and lithium. lithium died and I will be resetting
another soon after I find why the setup isn't redundant with one IPA. But
this line seems to be a lead:

Working:
ipa_server = _srv_, hydrogen.eng.example.com

Failing:
ipa_server = _srv_, lithium.eng.example.com

I have read up on that format and it seems fine from the reading. To add to that,
DNS records seem to be fine too.


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> SRV _ldap._tcp.eng.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;_ldap._tcp.eng.example.com.    IN  SRV

;; ANSWER SECTION:
_ldap._tcp.eng.example.com. 86400 IN  SRV 0 100 389 hydrogen.eng.example.com.
_ldap._tcp.eng.example.com. 86400 IN  SRV 0 100 389 lithium.eng.example.com.

;; AUTHORITY SECTION:
eng.example.com.            86400 IN  NS  hydrogen.eng.example.com.
eng.example.com.            86400 IN  NS  lithium.eng.example.com.

;; ADDITIONAL SECTION:
lithium.eng.example.com.    1200  IN  A   192.168.20.3
hydrogen.eng.example.com.   1200  IN  A   192.168.20.1

;; Query time: 1 msec
;; SERVER: 192.168.20.1#53(192.168.20.1)
;; WHEN: Tue Mar 14 18:32:44 2017
;; MSG SIZE  rcvd: 200


What could I be missing?

Regards,
William


On 5 March 2017 at 14:59, William Muriithi wrote:

> Jakub,
>
> >>
> >> It does look though like kerberos is not affected as all systems can
> >> authenticate fine, so it looks like it's an autofs issue alone
> >>
> >> This is the error I am noticing on the logs.
> >>
> >> Mar  2 14:18:29 platinum automount[2887]: key "brad" not found in map
> >> source(s).
> >> Mar  2 14:19:18 platinum automount[2887]: bind_ldap_simple:
> >> lookup(ldap): Unable to bind to the LDAP server: (default), error
> >> Can't contact LDAP server
> >> Mar  2 14:19:21 platinum automount[2887]: bind_ldap_simple:
> >> lookup(ldap): Unable to bind to the LDAP server: (default), error
> >> Can't contact LDAP server
> >
> > I guess /etc/nsswitch.conf uses ldap for automount and not sssd?
> >
> Actually no.  We are using SSSD
>
> Just checked to confirm and looks like below:
>
> services:   files sss
> netgroup:   files sss
> publickey:  nisplus
> automount: sss files
> aliases:    files nisplus
> sudoers: files sss
>
> Regards,
> William
> ***
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] LDAP based autofs map redundancy

2017-03-05 Thread Jakub Hrozek
On Sun, Mar 05, 2017 at 02:59:39PM -0500, William Muriithi wrote:
> Jakub,
> 
> >>
> >> It does look though like kerberos is not affected as all systems can
> >> authenticate fine, so it looks like it's an autofs issue alone
> >>
> >> This is the error I am noticing on the logs.
> >>
> >> Mar  2 14:18:29 platinum automount[2887]: key "brad" not found in map 
> >> source(s).
> >> Mar  2 14:19:18 platinum automount[2887]: bind_ldap_simple:
> >> lookup(ldap): Unable to bind to the LDAP server: (default), error
> >> Can't contact LDAP server
> >> Mar  2 14:19:21 platinum automount[2887]: bind_ldap_simple:
> >> lookup(ldap): Unable to bind to the LDAP server: (default), error
> >> Can't contact LDAP server
> >
> > I guess /etc/nsswitch.conf uses ldap for automount and not sssd?
> >
> Actually no.  We are using SSSD
> 
> Just checked to confirm and looks like below:
> 
> services:   files sss
> netgroup:   files sss
> publickey:  nisplus
> automount: sss files
> aliases:    files nisplus
> sudoers: files sss

Then I suspect automounter used to use the ldap module and then was
not restarted after nsswitch.conf was set to include sss. Because the
error messages like include error messages directly from libldap and I
wouldn't expect to see those with sssd.
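
The check suggested in this reply, as an added example that is not part of the original thread: a Python sketch that compares the automount sources in nsswitch.conf with the lookup modules named in automount log lines. The function names are made up for this example; the sample input is taken from the messages in this thread (abridged, with wrapped log lines re-joined).

```python
import re

# Sample input taken from the thread (nsswitch.conf abridged, log lines re-joined).
NSSWITCH = """\
services:   files sss
netgroup:   files sss
automount: sss files
sudoers: files sss
"""

LOG = """\
Mar  2 14:18:29 platinum automount[2887]: key "brad" not found in map source(s).
Mar  2 14:19:18 platinum automount[2887]: bind_ldap_simple: lookup(ldap): Unable to bind to the LDAP server: (default), error Can't contact LDAP server
Mar  2 14:19:21 platinum automount[2887]: bind_ldap_simple: lookup(ldap): Unable to bind to the LDAP server: (default), error Can't contact LDAP server
"""

# automount prefixes module messages with "lookup(<module>):", as in the log above.
LOOKUP_RE = re.compile(r"automount\[(\d+)\]: .*?lookup\((\w+)\):")

def automount_sources(nsswitch_text):
    """Return the ordered source list of the 'automount' database."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if line.lower().startswith("automount:"):
            # Ignore action items such as [NOTFOUND=return].
            return [t for t in line.split(":", 1)[1].split() if not t.startswith("[")]
    return []

def modules_in_log(log_text):
    """Map each lookup module seen in automount log lines to the PIDs that logged it."""
    seen = {}
    for line in log_text.splitlines():
        m = LOOKUP_RE.search(line)
        if m:
            seen.setdefault(m.group(2), set()).add(int(m.group(1)))
    return seen

def stale_modules(nsswitch_text, log_text):
    """Modules the running daemon logs from that nsswitch.conf does not list."""
    configured = set(automount_sources(nsswitch_text))
    return {mod: pids for mod, pids in modules_in_log(log_text).items()
            if mod not in configured}

if __name__ == "__main__":
    for mod, pids in stale_modules(NSSWITCH, LOG).items():
        print(f"automount pid(s) {sorted(pids)} log lookup({mod}), but nsswitch.conf "
              f"lists {automount_sources(NSSWITCH)}: restart autofs and re-check")
```

A map whose type is named explicitly in the master map (for example with an ldap: prefix) also logs lookup(ldap) regardless of nsswitch.conf, so rule that out before concluding the daemon is running with stale configuration.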



Re: [Freeipa-users] LDAP based autofs map redundancy

2017-03-05 Thread William Muriithi
Jakub,

>>
>> It does look though like kerberos is not affected as all systems can
>> authenticate fine, so it looks like it's an autofs issue alone
>>
>> This is the error I am noticing on the logs.
>>
>> Mar  2 14:18:29 platinum automount[2887]: key "brad" not found in map 
>> source(s).
>> Mar  2 14:19:18 platinum automount[2887]: bind_ldap_simple:
>> lookup(ldap): Unable to bind to the LDAP server: (default), error
>> Can't contact LDAP server
>> Mar  2 14:19:21 platinum automount[2887]: bind_ldap_simple:
>> lookup(ldap): Unable to bind to the LDAP server: (default), error
>> Can't contact LDAP server
>
> I guess /etc/nsswitch.conf uses ldap for automount and not sssd?
>
Actually no.  We are using SSSD

Just checked to confirm and looks like below:

services:   files sss
netgroup:   files sss
publickey:  nisplus
automount: sss files
aliases:    files nisplus
sudoers: files sss

Regards,
William
***



Re: [Freeipa-users] LDAP based autofs map redundancy

2017-03-02 Thread Jakub Hrozek
On Thu, Mar 02, 2017 at 03:28:38PM -0500, William Muriithi wrote:
> Afternoon,
> 
> 
> I have noticed that even when a network has two IPA for redundancy,
> autofs doesn't seem to be able to take advantage of the remaining IPA
> should one of the IPA go down.
> 
> Is this a known issue with LDAP based maps or is it a configuration
> that needs to be adjusted? By the way, only about half of the systems
> are affected and I have noticed they have this on sssd.conf
> 
> 
> ipa_server = _srv_, hydrogen.eng.example.com
> 
> It does look though like kerberos is not affected as all systems can
> authenticate fine, so it looks like it's an autofs issue alone
> 
> This is the error I am noticing on the logs.
> 
> Mar  2 14:18:29 platinum automount[2887]: key "brad" not found in map 
> source(s).
> Mar  2 14:19:18 platinum automount[2887]: bind_ldap_simple:
> lookup(ldap): Unable to bind to the LDAP server: (default), error
> Can't contact LDAP server
> Mar  2 14:19:21 platinum automount[2887]: bind_ldap_simple:
> lookup(ldap): Unable to bind to the LDAP server: (default), error
> Can't contact LDAP server

I guess /etc/nsswitch.conf uses ldap for automount and not sssd?



[Freeipa-users] LDAP based autofs map redundancy

2017-03-02 Thread William Muriithi
Afternoon,


I have noticed that even when a network has two IPA for redundancy,
autofs doesn't seem to be able to take advantage of the remaining IPA
should one of the IPA go down.

Is this a known issue with LDAP based maps or is it a configuration
that needs to be adjusted? By the way, only about half of the systems
are affected and I have noticed they have this on sssd.conf


ipa_server = _srv_, hydrogen.eng.example.com

It does look though like kerberos is not affected as all systems can
authenticate fine, so it looks like it's an autofs issue alone

This is the error I am noticing on the logs.

Mar  2 14:18:29 platinum automount[2887]: key "brad" not found in map source(s).
Mar  2 14:19:18 platinum automount[2887]: bind_ldap_simple:
lookup(ldap): Unable to bind to the LDAP server: (default), error
Can't contact LDAP server
Mar  2 14:19:21 platinum automount[2887]: bind_ldap_simple:
lookup(ldap): Unable to bind to the LDAP server: (default), error
Can't contact LDAP server

Regards,
William
