Re: [Freeipa-users] Unable to set up freeIPA on a fresh ubuntu 16.04.1 install

2016-08-22 Thread Alexander Bokovoy

On Fri, 19 Aug 2016, David Kowis wrote:

On 08/16/2016 10:51 PM, Alexander Bokovoy wrote:

On Tue, 16 Aug 2016, David Kowis wrote:

On 08/15/2016 09:27 PM, David Kowis wrote:

On 08/15/2016 08:05 PM, Rob Crittenden wrote:

David Kowis wrote:

On 08/15/2016 04:33 AM, Petr Spacek wrote:

This is weird as LDAP SASL & GSSAPI is a pretty standard thing.

In any case, you can check server logs or use tcpdump/wireshark and
see if the
error comes from LDAP server or if it is client side error.

That would tell us where to focus.


I think I know what's going on, but not why it's going on:

https://bugs.launchpad.net/ubuntu/+source/389-ds-base/+bug/1088822
This bug led me to wonder where the directory server was finding its
GSSAPI modules.

For some reason dirsrv is looking in /usr/lib/sasl2 for its sasl
modules, when they're actually installed in /usr/lib/i386-linux-gnu/sasl2

A symlink:
ln -s /usr/lib/i386-linux-gnu/sasl2 /usr/lib/sasl2


and then suddenly:
ldapsearch -h localhost -p 389 -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GS2-IAKERB
supportedSASLMechanisms: GS2-KRB5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: ANONYMOUS

Should I file a new bug with Ubuntu? Did I find some weird i386-only bug
that should've been fixed?

Please file a bug against CyrusSASL in Ubuntu because it is the library's
duty to handle its own modules -- while it provides sasl_set_path() to
applications to define where to load modules from, the defaults should be
set reasonably. 389-ds does not use sasl_set_path().


--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
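A diagnostic for the symptom discussed in this thread, written here as an added example (not code from the thread, FreeIPA, 389-ds or Cyrus SASL): it parses the output of the rootDSE query used above, checks the candidate SASL plugin directories for libgssapiv2.so, and classifies the result the way the thread's reasoning does. The function names, the 64-bit directory names and the two sample LDIF strings are my assumptions; the i386 path and the symlink come from the thread.

```python
"""Diagnose why a 389-ds rootDSE advertises only EXTERNAL, as in this thread."""
import os
import re
import subprocess
from typing import Dict, List

# /usr/lib/sasl2 is where the poster found dirsrv looking for SASL plugins; the
# i386 multiarch path is where Ubuntu's libsasl2-modules-gssapi-mit installs
# libgssapiv2.so (see the dpkg -L output). The 64-bit paths are assumed.
DEFAULT_PLUGIN_DIRS = (
    "/usr/lib/sasl2",
    "/usr/lib/i386-linux-gnu/sasl2",
    "/usr/lib/x86_64-linux-gnu/sasl2",
    "/usr/lib64/sasl2",
)

# ipa-dnskeysyncd binds with sasl_interactive_bind_s("", SASL_GSSAPI); the
# thread's err=7 (LDAP_AUTH_METHOD_NOT_SUPPORTED) is what it gets when the
# server does not advertise GSSAPI.
REQUIRED_MECHS = ("GSSAPI",)

# Constructed samples modelled on the two ldapsearch outputs in the thread.
ROOTDSE_BROKEN = "dn:\nsupportedSASLMechanisms: EXTERNAL\n"
ROOTDSE_FIXED = (
    "dn:\n"
    "supportedSASLMechanisms: EXTERNAL\n"
    "supportedSASLMechanisms: GSSAPI\n"
    "supportedSASLMechanisms: GSS-SPNEGO\n"
    "supportedSASLMechanisms: PLAIN\n"
)

def parse_rootdse_mechs(ldif: str) -> List[str]:
    """Return supportedSASLMechanisms values from `ldapsearch -LLL` output.

    LDIF attribute names are case-insensitive; the thread shows both spellings.
    """
    mechs = []
    for line in ldif.splitlines():
        m = re.match(r"supportedSASLMechanisms:\s*(\S+)\s*$", line, re.IGNORECASE)
        if m:
            mechs.append(m.group(1).upper())
    return mechs

def gssapi_plugin_presence(dirs=DEFAULT_PLUGIN_DIRS) -> Dict[str, bool]:
    """Map each candidate plugin directory to whether libgssapiv2.so* is in it."""
    presence = {}
    for d in dirs:
        names = os.listdir(d) if os.path.isdir(d) else []
        presence[d] = any(n.startswith("libgssapiv2.so") for n in names)
    return presence

def diagnose(mechs: List[str], presence: Dict[str, bool], library_dir: str) -> str:
    """Classify the symptom; library_dir is the directory the SASL library
    actually searches (/usr/lib/sasl2 in the thread).

    ok: required mechanisms advertised.  plugin-in-wrong-dir: the .so exists
    only outside library_dir (the poster's case).  plugin-present-but-not-loaded:
    the .so is in library_dir yet unused, so check the SASL library's own
    configuration as advised above.  plugin-not-installed: no .so anywhere.
    """
    if all(m in mechs for m in REQUIRED_MECHS):
        return "ok"
    if presence.get(library_dir):
        return "plugin-present-but-not-loaded"
    if any(presence.values()):
        return "plugin-in-wrong-dir"
    return "plugin-not-installed"

def remediation(status: str, presence: Dict[str, bool], library_dir: str) -> str:
    """The symlink the poster used for the wrong-directory case (empty otherwise);
    a fixed package is the proper long-term fix."""
    if status != "plugin-in-wrong-dir":
        return ""
    real_dir = next(d for d, ok in presence.items() if ok)
    return f"ln -s {real_dir} {library_dir}"

def query_rootdse(host: str = "localhost", port: int = 389) -> str:
    """Run the rootDSE query from the thread and return its LDIF output."""
    cmd = ["ldapsearch", "-h", host, "-p", str(port), "-x", "-b", "", "-s",
           "base", "-LLL", "supportedSASLMechanisms"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    found = gssapi_plugin_presence()
    state = diagnose(parse_rootdse_mechs(query_rootdse()), found, "/usr/lib/sasl2")
    print(state, remediation(state, found, "/usr/lib/sasl2"))
```

Run it on the directory server host itself; the rootDSE query is anonymous, so it needs no credentials.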


Re: [Freeipa-users] Unable to set up freeIPA on a fresh ubuntu 16.04.1 install

2016-08-22 Thread David Kowis
On 08/16/2016 10:51 PM, Alexander Bokovoy wrote:
> On Tue, 16 Aug 2016, David Kowis wrote:
>> On 08/15/2016 09:27 PM, David Kowis wrote:
>>> On 08/15/2016 08:05 PM, Rob Crittenden wrote:
 David Kowis wrote:
> On 08/15/2016 04:33 AM, Petr Spacek wrote:
>> This is weird as LDAP SASL & GSSAPI is a pretty standard thing.
>>
>> In any case, you can check server logs or use tcpdump/wireshark and
>> see if the
>> error comes from LDAP server or if it is client side error.
>>
>> That would tell us where to focus.

I think I know what's going on, but not why it's going on:

https://bugs.launchpad.net/ubuntu/+source/389-ds-base/+bug/1088822
This bug led me to wonder where the directory server was finding its
GSSAPI modules.

For some reason dirsrv is looking in /usr/lib/sasl2 for its sasl
modules, when they're actually installed in /usr/lib/i386-linux-gnu/sasl2

A symlink:
ln -s /usr/lib/i386-linux-gnu/sasl2 /usr/lib/sasl2


and then suddenly:
ldapsearch -h localhost -p 389 -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GS2-IAKERB
supportedSASLMechanisms: GS2-KRB5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: ANONYMOUS

Should I file a new bug with Ubuntu? Did I find some weird i386-only bug
that should've been fixed?

Thanks,
David Kowis

PS: sorry if this is a repost, I sent it before, but it doesn't seem to
be showing up on the list...

>>
>
> Welp, I've got a pile of logs for you:
> https://gist.github.com/dkowis/a82d4ec6b1823d9e1b95ffcc94666ae0
>
> The last few lines are probably the relevant ones.
>
> [15/Aug/2016:18:12:53 -0500] conn=1307 op=0 BIND dn="" method=sasl
> version=3 mech=GSSAPI
> [15/Aug/2016:18:12:53 -0500] conn=1307 op=0 RESULT err=7 tag=97
> nentries=0 etime=0
> [15/Aug/2016:18:12:54 -0500] conn=1307 op=1 UNBIND
> [15/Aug/2016:18:12:54 -0500] conn=1307 op=1 fd=68 closed - U1
>
>
> Something tries to bind with no dn, and then fails I think?

 No this is typical logging for GSSAPI (minus the error).

 The error code is LDAP_AUTH_METHOD_NOT_SUPPORTED. Do you have the cyrus
 SASL GSSAPI package installed? In Fedora the package is
 cyrus-sasl-gssapi.

>>
>> Still trying to figure stuff out:
>>
>> root@freeipavm:/var/log/dirsrv/slapd-DARK-KOW-IS# ldapsearch -h
>> localhost -p 389 -x -b "" -s base -LLL SupportedSASLMechanisms
>> dn:
>> SupportedSASLMechanisms: EXTERNAL
>>
>>
>> Should I have more than just EXTERNAL when this happens? How do I debug
>> more about what SASL authentication stuff should be there? I'm having a
>> great deal of difficulty finding documentation for the 389 directory
>> server's SASL configuration. *If* that's even the place I should be
>> looking. How can I narrow this down more?
> 389-ds does dynamically include all supported SASL mechanisms returned
> by CyrusSASL library. If you only get EXTERNAL, it means NO mechanisms
> were returned by your system SASL library. The attribute
> SupportedSASLMechanisms you see in the rootdse query above is read-only:
> it only shows which SASL mechanisms 389-ds knows about but you cannot
> influence them via this attribute. You need to look at your CyrusSASL
> library system configuration.
>
> What does 'pluginviewer' output show? Here is what Fedora 24 reports
> when the following packages are installed:
> cyrus-sasl-2.1.26-26.2.fc24.x86_64
> cyrus-sasl-md5-2.1.26-26.2.fc24.x86_64
> cyrus-sasl-plain-2.1.26-26.2.fc24.x86_64
> cyrus-sasl-gssapi-2.1.26-26.2.fc24.x86_64
> cyrus-sasl-lib-2.1.26-26.2.fc24.x86_64
>
> # pluginviewer
> Installed and properly configured auxprop mechanisms are:
> sasldb
> List of auxprop plugins follows
> Plugin "sasldb" , API version: 8
> supports store: yes
>
> Installed and properly configured SASL (server side) mechanisms are:
>  GSS-SPNEGO GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 LOGIN PLAIN ANONYMOUS
> Available SASL (server side) mechanisms matching your criteria are:
>  GSS-SPNEGO GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN ANONYMOUS
> List of server plugins follows
> Plugin "gssapiv2" [loaded], API version: 4
> SASL mechanism: GSS-SPNEGO, best SSF: 56, supports setpass: no
> security flags:
> NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
> features:
> WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|DONTUSE_USERPASSWD|SUPPORTS_HTTP
> Plugin "gssapiv2" [loaded], API version: 4
> SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
> security flags:
> NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
> features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|DONTUSE_USERPASSWD
> Plugin "digestmd5" [loaded], API version: 4
>  

Re: [Freeipa-users] Unable to set up freeIPA on a fresh ubuntu 16.04.1 install

2016-08-17 Thread David Kowis
On 08/16/2016 10:51 PM, Alexander Bokovoy wrote:
> On Tue, 16 Aug 2016, David Kowis wrote:
>> On 08/15/2016 09:27 PM, David Kowis wrote:
>>> On 08/15/2016 08:05 PM, Rob Crittenden wrote:
 David Kowis wrote:
> On 08/15/2016 04:33 AM, Petr Spacek wrote:
>> This is weird as LDAP SASL & GSSAPI is a pretty standard thing.
>>
>> In any case, you can check server logs or use tcpdump/wireshark and
>> see if the
>> error comes from LDAP server or if it is client side error.
>>
>> That would tell us where to focus.
>>
>
> Welp, I've got a pile of logs for you:
> https://gist.github.com/dkowis/a82d4ec6b1823d9e1b95ffcc94666ae0
>
> The last few lines are probably the relevant ones.
>
> [15/Aug/2016:18:12:53 -0500] conn=1307 op=0 BIND dn="" method=sasl
> version=3 mech=GSSAPI
> [15/Aug/2016:18:12:53 -0500] conn=1307 op=0 RESULT err=7 tag=97
> nentries=0 etime=0
> [15/Aug/2016:18:12:54 -0500] conn=1307 op=1 UNBIND
> [15/Aug/2016:18:12:54 -0500] conn=1307 op=1 fd=68 closed - U1
>
>
> Something tries to bind with no dn, and then fails I think?

 No this is typical logging for GSSAPI (minus the error).

 The error code is LDAP_AUTH_METHOD_NOT_SUPPORTED. Do you have the cyrus
 SASL GSSAPI package installed? In Fedora the package is
 cyrus-sasl-gssapi.

>>
>> Still trying to figure stuff out:
>>
>> root@freeipavm:/var/log/dirsrv/slapd-DARK-KOW-IS# ldapsearch -h
>> localhost -p 389 -x -b "" -s base -LLL SupportedSASLMechanisms
>> dn:
>> SupportedSASLMechanisms: EXTERNAL
>>
>>
>> Should I have more than just EXTERNAL when this happens? How do I debug
>> more about what SASL authentication stuff should be there? I'm having a
>> great deal of difficulty finding documentation for the 389 directory
>> server's SASL configuration. *If* that's even the place I should be
>> looking. How can I narrow this down more?
> 389-ds does dynamically include all supported SASL mechanisms returned
> by CyrusSASL library. If you only get EXTERNAL, it means NO mechanisms
> were returned by your system SASL library. The attribute
> SupportedSASLMechanisms you see in the rootdse query above is read-only:
> it only shows which SASL mechanisms 389-ds knows about but you cannot
> influence them via this attribute. You need to look at your CyrusSASL
> library system configuration.
> 
> What does 'pluginviewer' output show?


root@freeipavm:/var/log# dpkg -l | grep sasl
ii  libsasl2-2:i386                   2.1.26.dfsg1-14build1  i386  Cyrus SASL - authentication abstraction library
ii  libsasl2-modules:i386             2.1.26.dfsg1-14build1  i386  Cyrus SASL - pluggable authentication modules
ii  libsasl2-modules-db:i386          2.1.26.dfsg1-14build1  i386  Cyrus SASL - pluggable authentication modules (DB)
ii  libsasl2-modules-gssapi-mit:i386  2.1.26.dfsg1-14build1  i386  Cyrus SASL - pluggable authentication modules (GSSAPI)
ii  libsasl2-modules-ldap:i386        2.1.26.dfsg1-14build1  i386  Cyrus SASL - pluggable authentication modules (LDAP)
ii  sasl2-bin                         2.1.26.dfsg1-14build1  i386  Cyrus SASL - administration programs for SASL users database


# saslpluginviewer
Installed and properly configured auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin "sasldb" ,   API version: 8
supports store: yes

Installed and properly configured SASL (server side) mechanisms are:
  SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 GSSAPI GSS-SPNEGO DIGEST-MD5 EXTERNAL
CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS
Available SASL (server side) mechanisms matching your criteria are:
  SCRAM-SHA-1 GS2-IAKERB GS2-KRB5 GSSAPI GSS-SPNEGO DIGEST-MD5 CRAM-MD5
NTLM PLAIN LOGIN ANONYMOUS
List of server plugins follows
Plugin "scram" [loaded],API version: 4
SASL mechanism: SCRAM-SHA-1, best SSF: 0, supports setpass: yes
security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|MUTUAL_AUTH
features: PROXY_AUTHENTICATION|CHANNEL_BINDING
Plugin "gs2" [loaded],  API version: 4
SASL mechanism: GS2-IAKERB, best SSF: 0, supports setpass: no
security flags:
NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
features: WANT_CLIENT_FIRST|GSS_FRAMING|CHANNEL_BINDING
Plugin "gs2" [loaded],  API version: 4
SASL mechanism: GS2-KRB5, best SSF: 0, supports setpass: no
security flags:
NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
features: WANT_CLIENT_FIRST|GSS_FRAMING|CHANNEL_BINDING
Plugin "gssapiv2" [loaded], API version: 4
SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
security flags:
NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|DONTUSE_USERPASSWD
Plugin "gssapiv2" [loaded], API version: 4
SASL mechanism: 

Re: [Freeipa-users] Unable to set up freeIPA on a fresh ubuntu 16.04.1 install

2016-08-16 Thread Alexander Bokovoy

On Tue, 16 Aug 2016, David Kowis wrote:

On 08/15/2016 09:27 PM, David Kowis wrote:

On 08/15/2016 08:05 PM, Rob Crittenden wrote:

David Kowis wrote:

On 08/15/2016 04:33 AM, Petr Spacek wrote:

This is weird as LDAP SASL & GSSAPI is a pretty standard thing.

In any case, you can check server logs or use tcpdump/wireshark and
see if the
error comes from LDAP server or if it is client side error.

That would tell us where to focus.



Welp, I've got a pile of logs for you:
https://gist.github.com/dkowis/a82d4ec6b1823d9e1b95ffcc94666ae0

The last few lines are probably the relevant ones.

[15/Aug/2016:18:12:53 -0500] conn=1307 op=0 BIND dn="" method=sasl
version=3 mech=GSSAPI
[15/Aug/2016:18:12:53 -0500] conn=1307 op=0 RESULT err=7 tag=97
nentries=0 etime=0
[15/Aug/2016:18:12:54 -0500] conn=1307 op=1 UNBIND
[15/Aug/2016:18:12:54 -0500] conn=1307 op=1 fd=68 closed - U1


Something tries to bind with no dn, and then fails I think?


No this is typical logging for GSSAPI (minus the error).

The error code is LDAP_AUTH_METHOD_NOT_SUPPORTED. Do you have the cyrus
SASL GSSAPI package installed? In Fedora the package is cyrus-sasl-gssapi.



Still trying to figure stuff out:

root@freeipavm:/var/log/dirsrv/slapd-DARK-KOW-IS# ldapsearch -h
localhost -p 389 -x -b "" -s base -LLL SupportedSASLMechanisms
dn:
SupportedSASLMechanisms: EXTERNAL


Should I have more than just EXTERNAL when this happens? How do I debug
more about what SASL authentication stuff should be there? I'm having a
great deal of difficulty finding documentation for the 389 directory
server's SASL configuration. *If* that's even the place I should be
looking. How can I narrow this down more?

389-ds does dynamically include all supported SASL mechanisms returned
by CyrusSASL library. If you only get EXTERNAL, it means NO mechanisms
were returned by your system SASL library. The attribute
SupportedSASLMechanisms you see in the rootdse query above is read-only:
it only shows which SASL mechanisms 389-ds knows about but you cannot
influence them via this attribute. You need to look at your CyrusSASL
library system configuration.

What does 'pluginviewer' output show? Here is what Fedora 24 reports
when the following packages are installed:
cyrus-sasl-2.1.26-26.2.fc24.x86_64
cyrus-sasl-md5-2.1.26-26.2.fc24.x86_64
cyrus-sasl-plain-2.1.26-26.2.fc24.x86_64
cyrus-sasl-gssapi-2.1.26-26.2.fc24.x86_64
cyrus-sasl-lib-2.1.26-26.2.fc24.x86_64

# pluginviewer 
Installed and properly configured auxprop mechanisms are:

sasldb
List of auxprop plugins follows
Plugin "sasldb" , API version: 8
supports store: yes

Installed and properly configured SASL (server side) mechanisms are:
 GSS-SPNEGO GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 LOGIN PLAIN ANONYMOUS
Available SASL (server side) mechanisms matching your criteria are:
 GSS-SPNEGO GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN ANONYMOUS
List of server plugins follows
Plugin "gssapiv2" [loaded],   API version: 4
SASL mechanism: GSS-SPNEGO, best SSF: 56, supports setpass: no
security flags: 
NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
features: 
WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|DONTUSE_USERPASSWD|SUPPORTS_HTTP
Plugin "gssapiv2" [loaded],   API version: 4
SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
security flags: 
NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|DONTUSE_USERPASSWD
Plugin "digestmd5" [loaded],  API version: 4
SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
features: PROXY_AUTHENTICATION|SUPPORTS_HTTP
Plugin "crammd5" [loaded],API version: 4
SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|NO_PLAINTEXT
features: SERVER_FIRST
Plugin "login" [loaded],  API version: 4
SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|PASS_CREDENTIALS
features:
Plugin "plain" [loaded],  API version: 4
SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
security flags: NO_ANONYMOUS|PASS_CREDENTIALS
features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "anonymous" [loaded],  API version: 4
SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
security flags: NO_PLAINTEXT
features: WANT_CLIENT_FIRST|DONTUSE_USERPASSWD
Installed and properly configured SASL (client side) mechanisms are:
 GSS-SPNEGO GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 LOGIN PLAIN ANONYMOUS
Available SASL (client side) mechanisms matching your criteria are:
 GSS-SPNEGO GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 LOGIN PLAIN ANONYMOUS
List of client plugins follows
Plugin "gssapiv2" [loaded],   API version: 4
SASL mechanism: GSS-SPNEGO, best SSF: 56
security flags: 

Re: [Freeipa-users] Unable to set up freeIPA on a fresh ubuntu 16.04.1 install

2016-08-15 Thread David Kowis
On 08/15/2016 08:05 PM, Rob Crittenden wrote:
> David Kowis wrote:
>> On 08/15/2016 04:33 AM, Petr Spacek wrote:
>>> This is weird as LDAP SASL & GSSAPI is a pretty standard thing.
>>>
>>> In any case, you can check server logs or use tcpdump/wireshark and
>>> see if the
>>> error comes from LDAP server or if it is client side error.
>>>
>>> That would tell us where to focus.
>>>
>>
>> Welp, I've got a pile of logs for you:
>> https://gist.github.com/dkowis/a82d4ec6b1823d9e1b95ffcc94666ae0
>>
>> The last few lines are probably the relevant ones.
>>
>> [15/Aug/2016:18:12:53 -0500] conn=1307 op=0 BIND dn="" method=sasl
>> version=3 mech=GSSAPI
>> [15/Aug/2016:18:12:53 -0500] conn=1307 op=0 RESULT err=7 tag=97
>> nentries=0 etime=0
>> [15/Aug/2016:18:12:54 -0500] conn=1307 op=1 UNBIND
>> [15/Aug/2016:18:12:54 -0500] conn=1307 op=1 fd=68 closed - U1
>>
>>
>> Something tries to bind with no dn, and then fails I think?
> 
> No this is typical logging for GSSAPI (minus the error).
> 
> The error code is LDAP_AUTH_METHOD_NOT_SUPPORTED. Do you have the cyrus
> SASL GSSAPI package installed? In Fedora the package is cyrus-sasl-gssapi.
> 
> rob


searched for gssapi:

libsasl2-modules-gssapi-mit/xenial,now 2.1.26.dfsg1-14build1 i386
[installed,automatic]
  Cyrus SASL - pluggable authentication modules (GSSAPI)


Pretty sure that's the equivalent package on ubuntu

# dpkg -L libsasl2-modules-gssapi-mit
/.
/usr
/usr/lib
/usr/lib/i386-linux-gnu
/usr/lib/i386-linux-gnu/sasl2
/usr/lib/i386-linux-gnu/sasl2/libscram.so.2.0.25
/usr/lib/i386-linux-gnu/sasl2/libgs2.so.2.0.25
/usr/lib/i386-linux-gnu/sasl2/libgssapiv2.so.2.0.25
/usr/share
/usr/share/lintian
/usr/share/lintian/overrides
/usr/share/lintian/overrides/libsasl2-modules-gssapi-mit
/usr/share/doc
/usr/share/doc/libsasl2-modules-gssapi-mit
/usr/share/doc/libsasl2-modules-gssapi-mit/copyright
/usr/lib/i386-linux-gnu/sasl2/libgs2.so.2
/usr/lib/i386-linux-gnu/sasl2/libscram.so
/usr/lib/i386-linux-gnu/sasl2/libgs2.so
/usr/lib/i386-linux-gnu/sasl2/libgssapiv2.so.2
/usr/lib/i386-linux-gnu/sasl2/libscram.so.2
/usr/lib/i386-linux-gnu/sasl2/libgssapiv2.so
/usr/share/doc/libsasl2-modules-gssapi-mit/changelog.Debian.gz
/usr/share/doc/libsasl2-modules-gssapi-mit/NEWS.Debian.gz

python-gssapi is also installed.


--
David Kowis


PS: Sorry Rob for sending it directly, I derped in the mail client




Re: [Freeipa-users] Unable to set up freeIPA on a fresh ubuntu 16.04.1 install

2016-08-15 Thread Rob Crittenden

David Kowis wrote:

On 08/15/2016 04:33 AM, Petr Spacek wrote:

This is weird as LDAP SASL & GSSAPI is a pretty standard thing.

In any case, you can check server logs or use tcpdump/wireshark and see if the
error comes from LDAP server or if it is client side error.

That would tell us where to focus.



Welp, I've got a pile of logs for you:
https://gist.github.com/dkowis/a82d4ec6b1823d9e1b95ffcc94666ae0

The last few lines are probably the relevant ones.

[15/Aug/2016:18:12:53 -0500] conn=1307 op=0 BIND dn="" method=sasl
version=3 mech=GSSAPI
[15/Aug/2016:18:12:53 -0500] conn=1307 op=0 RESULT err=7 tag=97
nentries=0 etime=0
[15/Aug/2016:18:12:54 -0500] conn=1307 op=1 UNBIND
[15/Aug/2016:18:12:54 -0500] conn=1307 op=1 fd=68 closed - U1


Something tries to bind with no dn, and then fails I think?


No this is typical logging for GSSAPI (minus the error).

The error code is LDAP_AUTH_METHOD_NOT_SUPPORTED. Do you have the cyrus 
SASL GSSAPI package installed? In Fedora the package is cyrus-sasl-gssapi.


rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Unable to set up freeIPA on a fresh ubuntu 16.04.1 install

2016-08-15 Thread David Kowis
On 08/15/2016 04:33 AM, Petr Spacek wrote:
> This is weird as LDAP SASL & GSSAPI is a pretty standard thing.
> 
> In any case, you can check server logs or use tcpdump/wireshark and see if the
> error comes from LDAP server or if it is client side error.
> 
> That would tell us where to focus.
> 

Welp, I've got a pile of logs for you:
https://gist.github.com/dkowis/a82d4ec6b1823d9e1b95ffcc94666ae0

The last few lines are probably the relevant ones.

[15/Aug/2016:18:12:53 -0500] conn=1307 op=0 BIND dn="" method=sasl
version=3 mech=GSSAPI
[15/Aug/2016:18:12:53 -0500] conn=1307 op=0 RESULT err=7 tag=97
nentries=0 etime=0
[15/Aug/2016:18:12:54 -0500] conn=1307 op=1 UNBIND
[15/Aug/2016:18:12:54 -0500] conn=1307 op=1 fd=68 closed - U1


Something tries to bind with no dn, and then fails I think?

--
David Kowis




Re: [Freeipa-users] Unable to set up freeIPA on a fresh ubuntu 16.04.1 install

2016-08-15 Thread Petr Spacek
On 15.8.2016 03:29, David Kowis wrote:
> On 08/14/2016 07:57 PM, David Kowis wrote:
>> On 08/14/2016 02:31 PM, David Kowis wrote:
>>> Perhaps someone else has had this error before, or maybe just knows what
>>> I need to do?
>>
>> Digging through the mailing list, I only find this guy:
>> https://www.redhat.com/archives/freeipa-devel/2014-October/msg00480.html
>>
>> Seems someone had the exact same problem I did almost two years ago, and
>> didn't post about their solution, if they got any solution.
> 
> Narrowed it down a bit further:
> 
> 
> Aug 14 20:27:24 freeipavm ipa-dnskeysyncd[31211]: ipa: WARNING: session
> memcached servers not running
> Aug 14 20:27:26 freeipavm ipa-dnskeysyncd[31211]: ipa : INFO
> LDAP bind...
> Aug 14 20:27:26 freeipavm ipa-dnskeysyncd[31211]: Traceback (most recent
> call last):
> Aug 14 20:27:26 freeipavm ipa-dnskeysyncd[31211]:   File
> "/usr/lib/ipa/ipa-dnskeysyncd", line 92, in 
> Aug 14 20:27:26 freeipavm ipa-dnskeysyncd[31211]:
> ldap_connection.sasl_interactive_bind_s("", ipaldap.SASL_GSSAPI)
> Aug 14 20:27:26 freeipavm ipa-dnskeysyncd[31211]:   File
> "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 932, in
> sasl_interactive_bind_s
> Aug 14 20:27:26 freeipavm ipa-dnskeysyncd[31211]: res =
> self._apply_method_s(SimpleLDAPObject.sasl_interactive_bind_s,*args,**kwargs)
> Aug 14 20:27:26 freeipavm ipa-dnskeysyncd[31211]:   File
> "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 900, in
> _apply_method_s
> Aug 14 20:27:26 freeipavm ipa-dnskeysyncd[31211]: return
> func(self,*args,**kwargs)
> Aug 14 20:27:26 freeipavm ipa-dnskeysyncd[31211]:   File
> "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 244, in
> sasl_interactive_bind_s
> Aug 14 20:27:26 freeipavm ipa-dnskeysyncd[31211]: return
> self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
> Aug 14 20:27:26 freeipavm ipa-dnskeysyncd[31211]:   File
> "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in
> _ldap_call
> Aug 14 20:27:26 freeipavm ipa-dnskeysyncd[31211]: result =
> func(*args,**kwargs)
> Aug 14 20:27:26 freeipavm ipa-dnskeysyncd[31211]:
> ldap.STRONG_AUTH_NOT_SUPPORTED: {'info': 'sasl mechanism not supported',
> 'desc': 'Authentication method not supported'}
> Aug 14 20:27:26 freeipavm systemd[1]: ipa-dnskeysyncd.service: Main
> process exited, code=exited, status=1/FAILURE
> Aug 14 20:27:26 freeipavm systemd[1]: ipa-dnskeysyncd.service: Unit
> entered failed state.
> Aug 14 20:27:26 freeipavm systemd[1]: ipa-dnskeysyncd.service: Failed
> with result 'exit-code'.
> 
> 
> Seems this service doesn't start with the sasl mechanism not supported.
> 
> Does anyone know what's missing, or how I can get further information?
> Is it the LDAP server, or am I missing a sasl lib for python? Maybe a
> configuration file?


This is weird as LDAP SASL & GSSAPI is a pretty standard thing.

In any case, you can check server logs or use tcpdump/wireshark and see if the
error comes from LDAP server or if it is client side error.

That would tell us where to focus.

-- 
Petr^2 Spacek



Re: [Freeipa-users] Unable to set up freeIPA on a fresh ubuntu 16.04.1 install

2016-08-14 Thread David Kowis
On 08/14/2016 07:57 PM, David Kowis wrote:
> On 08/14/2016 02:31 PM, David Kowis wrote:
>> Perhaps someone else has had this error before, or maybe just knows what
>> I need to do?
> 
> Digging through the mailing list, I only find this guy:
> https://www.redhat.com/archives/freeipa-devel/2014-October/msg00480.html
> 
> Seems someone had the exact same problem I did almost two years ago, and
> didn't post about their solution, if they got any solution.

Narrowed it down a bit further:


Aug 14 20:27:24 freeipavm ipa-dnskeysyncd[31211]: ipa: WARNING: session
memcached servers not running
Aug 14 20:27:26 freeipavm ipa-dnskeysyncd[31211]: ipa : INFO
LDAP bind...
Aug 14 20:27:26 freeipavm ipa-dnskeysyncd[31211]: Traceback (most recent
call last):
Aug 14 20:27:26 freeipavm ipa-dnskeysyncd[31211]:   File
"/usr/lib/ipa/ipa-dnskeysyncd", line 92, in 
Aug 14 20:27:26 freeipavm ipa-dnskeysyncd[31211]:
ldap_connection.sasl_interactive_bind_s("", ipaldap.SASL_GSSAPI)
Aug 14 20:27:26 freeipavm ipa-dnskeysyncd[31211]:   File
"/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 932, in
sasl_interactive_bind_s
Aug 14 20:27:26 freeipavm ipa-dnskeysyncd[31211]: res =
self._apply_method_s(SimpleLDAPObject.sasl_interactive_bind_s,*args,**kwargs)
Aug 14 20:27:26 freeipavm ipa-dnskeysyncd[31211]:   File
"/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 900, in
_apply_method_s
Aug 14 20:27:26 freeipavm ipa-dnskeysyncd[31211]: return
func(self,*args,**kwargs)
Aug 14 20:27:26 freeipavm ipa-dnskeysyncd[31211]:   File
"/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 244, in
sasl_interactive_bind_s
Aug 14 20:27:26 freeipavm ipa-dnskeysyncd[31211]: return
self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
Aug 14 20:27:26 freeipavm ipa-dnskeysyncd[31211]:   File
"/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in
_ldap_call
Aug 14 20:27:26 freeipavm ipa-dnskeysyncd[31211]: result =
func(*args,**kwargs)
Aug 14 20:27:26 freeipavm ipa-dnskeysyncd[31211]:
ldap.STRONG_AUTH_NOT_SUPPORTED: {'info': 'sasl mechanism not supported',
'desc': 'Authentication method not supported'}
Aug 14 20:27:26 freeipavm systemd[1]: ipa-dnskeysyncd.service: Main
process exited, code=exited, status=1/FAILURE
Aug 14 20:27:26 freeipavm systemd[1]: ipa-dnskeysyncd.service: Unit
entered failed state.
Aug 14 20:27:26 freeipavm systemd[1]: ipa-dnskeysyncd.service: Failed
with result 'exit-code'.


Seems this service doesn't start with the sasl mechanism not supported.

Does anyone know what's missing, or how I can get further information?
Is it the LDAP server, or am I missing a sasl lib for python? Maybe a
configuration file?


--
David Kowis




Re: [Freeipa-users] Unable to set up freeIPA on a fresh ubuntu 16.04.1 install

2016-08-14 Thread David Kowis
On 08/14/2016 02:31 PM, David Kowis wrote:
> Perhaps someone else has had this error before, or maybe just knows what
> I need to do?

Digging through the mailing list, I only find this guy:
https://www.redhat.com/archives/freeipa-devel/2014-October/msg00480.html

Seems someone had the exact same problem I did almost two years ago, and
didn't post about their solution, if they got any solution.

--
David Kowis



> 
> Thanks in advance!
> 
> --
> David Kowis