Re: [Freeipa-users] [SOLVED] Unable to establish trust with FreeIPA and Active Directory
On 04/08/2014 03:32 AM, Alexander Bokovoy wrote:
> On Tue, 08 Apr 2014, Sumit Bose wrote:
>> On Tue, Apr 08, 2014 at 08:27:01AM +0300, Alexander Bokovoy wrote:
>>> On Fri, 04 Apr 2014, Alexander Bokovoy wrote:
>>>>> tevent: Destroying timer event 0x7facb82e9d30
>>>>> "dcerpc_connect_timeout_handler"
>>>> ^^ stopped just short of authenticating to smbd prior to asking it for
>>>> informational policy about the domain.
>>>>
>>>> This means there is some problem in what smbd thinks about your
>>>> admin@UNIX account.
>>>>
>>>> Can you do the following:
>>>>
>>>> # for i in /var/log/samba/log.* ; do echo > $i ; done
>>>> # smbcontrol all debug 100
>>>> # kinit admin@UNIX
>>>> # ipa trust-add sbx.local
>>>> # smbcontrol all debug 1
>>>>
>>>> now archive logs in /var/log/samba/log.* and send them to me privately.
>>>
>>> After several rounds of capturing logs, we've solved the issue by
>>> finding out that the IPv6 stack was completely disabled on the machine.
>>>
>>> Even though certain security guides may suggest disabling the IPv6 stack
>>> when it is not in use, this suggestion is not very usable. IPv4 and IPv6
>>> share the same port range on the local side, so it is a recommended
>>> programming practice for networking applications to only open IPv6
>>> sockets. The standard C library (glibc, for example) handles both the
>>> IPv4 and IPv6 cases transparently for the applications.
>>>
>>> Samba and some other FreeIPA components open their networking sockets
>>> as IPv6 ones. Completely disabling the IPv6 stack on the machine causes
>>> these requests to open a socket to fail, as the kernel will respond "do
>>> not know this socket address family".
>>>
>>> If your security guidelines require disabling IPv6 address space, please
>>> don't add ipv6.disable=1 to the kernel commandline to disable the whole
>>> IPv6 stack. Instead, use ipv6.disable_ipv6=1. The latter option will
>>> keep the IPv6 stack functional but will not assign IPv6 addresses to any
>>> of your network devices. This is the recommended approach for cases when
>>> you don't use IPv6 networking.
>>>
>>> Creating and adding to, for example, /etc/sysctl.d/ipv6.conf will avoid
>>> assigning IPv6 addresses to a specific network interface:
>>>
>>> # Disable IPv6
>>> net.ipv6.conf.all.disable_ipv6 = 1
>>> net.ipv6.conf.<interface0>.disable_ipv6 = 1
>>>
>>> where interface0 is your specialized interface. Note that all we are
>>> requiring is that the IPv6 stack is enabled at the kernel level, and this
>>> has been the recommended way to develop networking applications for a
>>> long time already.
>>>
>>> I've updated http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>> and http://www.freeipa.org/page/Deployment_Recommendations with this
>>> information.
>>
>> Thank you for getting to the bottom of this. Do you think we should
>> check these settings during ipa-adtrust-install or even during
>> ipa-server-install?
>
> I think we should do both.

Should we file a ticket?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] [SOLVED] Unable to establish trust with FreeIPA and Active Directory
On Tue, 08 Apr 2014, Sumit Bose wrote:
> On Tue, Apr 08, 2014 at 08:27:01AM +0300, Alexander Bokovoy wrote:
>> On Fri, 04 Apr 2014, Alexander Bokovoy wrote:
>>>> tevent: Destroying timer event 0x7facb82e9d30
>>>> "dcerpc_connect_timeout_handler"
>>> ^^ stopped just short of authenticating to smbd prior to asking it for
>>> informational policy about the domain.
>>>
>>> This means there is some problem in what smbd thinks about your
>>> admin@UNIX account.
>>>
>>> Can you do the following:
>>>
>>> # for i in /var/log/samba/log.* ; do echo > $i ; done
>>> # smbcontrol all debug 100
>>> # kinit admin@UNIX
>>> # ipa trust-add sbx.local
>>> # smbcontrol all debug 1
>>>
>>> now archive logs in /var/log/samba/log.* and send them to me privately.
>>
>> After several rounds of capturing logs, we've solved the issue by
>> finding out that the IPv6 stack was completely disabled on the machine.
>>
>> Even though certain security guides may suggest disabling the IPv6 stack
>> when it is not in use, this suggestion is not very usable. IPv4 and IPv6
>> share the same port range on the local side, so it is a recommended
>> programming practice for networking applications to only open IPv6
>> sockets. The standard C library (glibc, for example) handles both the
>> IPv4 and IPv6 cases transparently for the applications.
>>
>> Samba and some other FreeIPA components open their networking sockets
>> as IPv6 ones. Completely disabling the IPv6 stack on the machine causes
>> these requests to open a socket to fail, as the kernel will respond "do
>> not know this socket address family".
>>
>> If your security guidelines require disabling IPv6 address space, please
>> don't add ipv6.disable=1 to the kernel commandline to disable the whole
>> IPv6 stack. Instead, use ipv6.disable_ipv6=1. The latter option will
>> keep the IPv6 stack functional but will not assign IPv6 addresses to any
>> of your network devices. This is the recommended approach for cases when
>> you don't use IPv6 networking.
>>
>> Creating and adding to, for example, /etc/sysctl.d/ipv6.conf will avoid
>> assigning IPv6 addresses to a specific network interface:
>>
>> # Disable IPv6
>> net.ipv6.conf.all.disable_ipv6 = 1
>> net.ipv6.conf.<interface0>.disable_ipv6 = 1
>>
>> where interface0 is your specialized interface. Note that all we are
>> requiring is that the IPv6 stack is enabled at the kernel level, and this
>> has been the recommended way to develop networking applications for a
>> long time already.
>>
>> I've updated http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>> and http://www.freeipa.org/page/Deployment_Recommendations with this
>> information.
>
> Thank you for getting to the bottom of this. Do you think we should
> check these settings during ipa-adtrust-install or even during
> ipa-server-install?

I think we should do both.

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] [SOLVED] Unable to establish trust with FreeIPA and Active Directory
On Tue, Apr 08, 2014 at 08:27:01AM +0300, Alexander Bokovoy wrote:
> On Fri, 04 Apr 2014, Alexander Bokovoy wrote:
>>> tevent: Destroying timer event 0x7facb82e9d30
>>> "dcerpc_connect_timeout_handler"
>> ^^ stopped just short of authenticating to smbd prior to asking it for
>> informational policy about the domain.
>>
>> This means there is some problem in what smbd thinks about your
>> admin@UNIX account.
>>
>> Can you do the following:
>>
>> # for i in /var/log/samba/log.* ; do echo > $i ; done
>> # smbcontrol all debug 100
>> # kinit admin@UNIX
>> # ipa trust-add sbx.local
>> # smbcontrol all debug 1
>>
>> now archive logs in /var/log/samba/log.* and send them to me privately.
>
> After several rounds of capturing logs, we've solved the issue by
> finding out that the IPv6 stack was completely disabled on the machine.
>
> Even though certain security guides may suggest disabling the IPv6 stack
> when it is not in use, this suggestion is not very usable. IPv4 and IPv6
> share the same port range on the local side, so it is a recommended
> programming practice for networking applications to only open IPv6
> sockets. The standard C library (glibc, for example) handles both the
> IPv4 and IPv6 cases transparently for the applications.
>
> Samba and some other FreeIPA components open their networking sockets
> as IPv6 ones. Completely disabling the IPv6 stack on the machine causes
> these requests to open a socket to fail, as the kernel will respond "do
> not know this socket address family".
>
> If your security guidelines require disabling IPv6 address space, please
> don't add ipv6.disable=1 to the kernel commandline to disable the whole
> IPv6 stack. Instead, use ipv6.disable_ipv6=1. The latter option will
> keep the IPv6 stack functional but will not assign IPv6 addresses to any
> of your network devices. This is the recommended approach for cases when
> you don't use IPv6 networking.
>
> Creating and adding to, for example, /etc/sysctl.d/ipv6.conf will avoid
> assigning IPv6 addresses to a specific network interface:
>
> # Disable IPv6
> net.ipv6.conf.all.disable_ipv6 = 1
> net.ipv6.conf.<interface0>.disable_ipv6 = 1
>
> where interface0 is your specialized interface. Note that all we are
> requiring is that the IPv6 stack is enabled at the kernel level, and this
> has been the recommended way to develop networking applications for a
> long time already.
>
> I've updated http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
> and http://www.freeipa.org/page/Deployment_Recommendations with this
> information.

Thank you for getting to the bottom of this. Do you think we should
check these settings during ipa-adtrust-install or even during
ipa-server-install?

bye,
Sumit

> -- 
> / Alexander Bokovoy
Re: [Freeipa-users] [SOLVED] Unable to establish trust with FreeIPA and Active Directory
On Fri, 04 Apr 2014, Alexander Bokovoy wrote:
>> tevent: Destroying timer event 0x7facb82e9d30
>> "dcerpc_connect_timeout_handler"
> ^^ stopped just short of authenticating to smbd prior to asking it for
> informational policy about the domain.
>
> This means there is some problem in what smbd thinks about your
> admin@UNIX account.
>
> Can you do the following:
>
> # for i in /var/log/samba/log.* ; do echo > $i ; done
> # smbcontrol all debug 100
> # kinit admin@UNIX
> # ipa trust-add sbx.local
> # smbcontrol all debug 1
>
> now archive logs in /var/log/samba/log.* and send them to me privately.

After several rounds of capturing logs, we've solved the issue by
finding out that the IPv6 stack was completely disabled on the machine.

Even though certain security guides may suggest disabling the IPv6 stack
when it is not in use, this suggestion is not very usable. IPv4 and IPv6
share the same port range on the local side, so it is a recommended
programming practice for networking applications to only open IPv6
sockets. The standard C library (glibc, for example) handles both the
IPv4 and IPv6 cases transparently for the applications.

Samba and some other FreeIPA components open their networking sockets
as IPv6 ones. Completely disabling the IPv6 stack on the machine causes
these requests to open a socket to fail, as the kernel will respond "do
not know this socket address family".

If your security guidelines require disabling IPv6 address space, please
don't add ipv6.disable=1 to the kernel commandline to disable the whole
IPv6 stack. Instead, use ipv6.disable_ipv6=1. The latter option will
keep the IPv6 stack functional but will not assign IPv6 addresses to any
of your network devices. This is the recommended approach for cases when
you don't use IPv6 networking.

Creating and adding to, for example, /etc/sysctl.d/ipv6.conf will avoid
assigning IPv6 addresses to a specific network interface:

# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.<interface0>.disable_ipv6 = 1

where interface0 is your specialized interface. Note that all we are
requiring is that the IPv6 stack is enabled at the kernel level, and this
has been the recommended way to develop networking applications for a
long time already.

I've updated http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
and http://www.freeipa.org/page/Deployment_Recommendations with this
information.

-- 
/ Alexander Bokovoy
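The following is an added illustration, not code from the thread, from Samba or from FreeIPA: a small Python probe that distinguishes the three kernel states Alexander describes (stack fully on, stack on but `disable_ipv6=1`, stack removed with `ipv6.disable=1`) and then shows why only the last one breaks dual-stack services by binding an AF_INET6 listener to `::` and connecting to it over plain IPv4. The sysctl path it reads and the state names it returns are this example's own choices.

```python
import errno
import socket

DISABLE_IPV6_SYSCTL = "/proc/sys/net/ipv6/conf/all/disable_ipv6"  # example's choice

def classify_ipv6_state(socket_errno, disable_ipv6_value):
    """Pure classifier. socket_errno: errno raised by socket(AF_INET6), or
    None if it succeeded. disable_ipv6_value: text of the sysctl above."""
    if socket_errno == errno.EAFNOSUPPORT:
        return "stack-disabled"      # ipv6.disable=1: kernel has no AF_INET6
    if socket_errno is not None:
        raise OSError(socket_errno, "unexpected error creating AF_INET6 socket")
    if disable_ipv6_value.strip() == "1":
        return "addresses-disabled"  # disable_ipv6=1: stack up, no addresses
    return "enabled"

def probe_ipv6_state():
    """Gather the two inputs on the running host and classify them."""
    sock_errno = None
    try:
        socket.socket(socket.AF_INET6, socket.SOCK_STREAM).close()
    except OSError as e:
        sock_errno = e.errno
    try:
        with open(DISABLE_IPV6_SYSCTL) as f:
            value = f.read()
    except OSError:
        value = "0"                  # sysctl tree absent: treat as not disabled
    return classify_ipv6_state(sock_errno, value)

def dual_stack_roundtrip():
    """Bind an AF_INET6 listener to :: and connect to it over plain IPv4.
    Returns the peer address seen, or None if AF_INET6 sockets cannot exist."""
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError as e:
        if e.errno == errno.EAFNOSUPPORT:
            return None              # the failure mode discussed in the thread
        raise
    with srv:
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)  # dual-stack
        srv.bind(("::", 0))          # port 0: kernel picks a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
            cli.connect(("127.0.0.1", port))
            conn, peer = srv.accept()
            conn.close()
    return peer[0]                   # IPv4 peer appears as ::ffff:127.0.0.1
```

On a host with `disable_ipv6=1` the round trip still succeeds, which is exactly the state the thread recommends; only a host booted with `ipv6.disable=1` returns None.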