Re: [Freeipa-users] cannot add posix group or user

2017-04-20 Thread thierry bordaz



On 04/20/2017 03:05 PM, Cox, Jason wrote:



-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Wednesday, April 19, 2017 4:27 PM
To: Cox, Jason (U.S. Person) ; freeipa-
us...@redhat.com
Subject: Re: [Freeipa-users] cannot add posix group or user

Cox, Jason wrote:

Hi all,



I had to reinstall my IPA setup, so I’m using 4.4 and am learning the
newer domain levels and topology features.

I’ve installed 3 servers.

I promoted one of the replicas to master and demoted the original
master to replica according to the documentation.

According to what documentation?

Note that they are all masters, some may just run different services and only
one has a few duties (like CRL generation).


Here: https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
And here: 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/server-roles.html#server-roles-promote-to-ca

Yes, I was referring to CRL master

And yes, I failed to continue reading 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/
 to find what I needed to know concerning the id ranges. Sorry about that.



I ran into an issue with the original master no longer replicating, so
I performed an ipa-server-install --uninstall and removed the
host/server from IPA.

This is where the problem started.


I re-setup the replica using ipa-client-install and then
ipa-replica-install, and had no errors reported in the output.

I then went into Web UI and setup replication agreements using the
topology graph page between the new replica and the previous replica
(the master/new replica agreements being setup by the replica install
script).



I then attempted to add a posix group account and got an operational
error message. This caused ldap to crash on the server I was
interfacing with.

If you are getting a core it would be very enlightening to get a stack trace
from that (you'll need to install the debuginfo package to get any really
useful data out of it).


I haven't had to get a core file from a systemd service before, so I did it the 
wrong way, but this is what I managed to get:

From journalctl:
*** Error in `/usr/sbin/ns-slapd': free(): invalid pointer: 0x7fbcd82f5fb0 
***
Apr 19 17:13:56 server1 ns-slapd[1892]: === Backtrace: =
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/lib64/libc.so.6(+0x7c503)[0x7fbd4522c503]
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/lib64/libldap_r-2.4.so.2(ldap_mods_free+0x81)[0x7fbd46ba1a11]
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/usr/lib64/dirsrv/libslapd.so.0(do_modify+0x7e0)[0x7fbd479f96a0]
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/usr/sbin/ns-slapd(+0x1b9e0)[0x7fbd47ee29e0]
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/lib64/libnspr4.so(+0x289bb)[0x7fbd45bd89bb]
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/lib64/libpthread.so.0(+0x7dc5)[0x7fbd45578dc5]
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/lib64/libc.so.6(clone+0x6d)[0x7fbd452a773d]


From an eventual core and gdb (and not from the same crash as the journalctl
output):
(gdb) bt
#0  __GI___libc_free (mem=0x41) at malloc.c:2929
#1  0x7f87f6fca24c in ber_memvfree_x (vec=0x7f876c00a900, ctx=0x0) at 
memory.c:180
#2  0x7f87f71f2a11 in ldap_mods_free (mods=0x7f876c001fb0, freemods=1) at 
free.c:94
#3  0x7f87f804a6a0 in do_modify (pb=pb@entry=0x7f87b4ff0a90) at 
ldap/servers/slapd/modify.c:390
#4  0x7f87f85339e0 in connection_dispatch_operation (pb=0x7f87b4ff0a90, 
op=0x7f87f931bf80, conn=0x7f87d82d0768) at ldap/servers/slapd/connection.c:627
#5  connection_threadmain () at ldap/servers/slapd/connection.c:1759
#6  0x7f87f62299bb in _pt_root () from /lib64/libnspr4.so
#7  0x7f87f5bc9dc5 in start_thread (arg=0x7f87b4ff1700) at 
pthread_create.c:308
#8  0x7f87f58f873d in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:113


Hi,

This looks like heap corruption, and this backtrace is
unfortunately not enough to identify whether it is a known/fixed one or not.
This part of the code (do_modify) was not recently changed regarding heap
corruption, and I would rather expect this thread to be the victim than
responsible for it.

What 389-ds version are you running?
We recently fixed a bug that could be the root cause (of course not 100%
sure). Did you update 389-ds to the most recent one?


Are you able to reproduce this crash?
For heap corruption, you may use valgrind, but it could have too much impact
on production performance.


regards
thierry


(gdb) bt full
#0  __GI___libc_free (mem=0x41) at malloc.c:2929
 ar_ptr = 
 p = 
 hook = 0x0
#1  0x7f87f6fca24c in ber_memvfree_x (vec=0x7f876c00a900, ctx=0x0) at 
memory.c:180
 i = 
#2  0x7f87f71f2a11 in ldap_mods_free (mods=0x7f876c001fb0, freemods=1) at 
free.c:94
 i = 
#3  0x7f87f804a6a0 in do_modify (pb=pb@entry=0x7

Re: [Freeipa-users] cannot add posix group or user

2017-04-20 Thread Rob Crittenden
Cox, Jason wrote:
> 
>> Thank you. 
> Setting the id ranges manually fixed my problem.

Great, glad you're up and running again.

I forwarded the stack trace to the 389-ds developers, thanks for that.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] cannot add posix group or user

2017-04-20 Thread Cox, Jason


> -Original Message-
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Wednesday, April 19, 2017 4:27 PM
> To: Cox, Jason (U.S. Person) ; freeipa-
> us...@redhat.com
> Subject: Re: [Freeipa-users] cannot add posix group or user
> 
> Cox, Jason wrote:
> > Hi all,
> >
> >
> >
> > I had to reinstall my IPA setup, so I’m using 4.4 and am learning the
> > newer domain levels and topology features.
> >
> > I’ve installed 3 servers.
> >
> > I promoted one of the replicas to master and demoted the original
> > master to replica according to the documentation.
> 
> According to what documentation?
> 
> Note that they are all masters, some may just run different services and only
> one has a few duties (like CRL generation).
> 

Here: https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master 
And here: 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/server-roles.html#server-roles-promote-to-ca
 

Yes, I was referring to CRL master

And yes, I failed to continue reading 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/
 to find what I needed to know concerning the id ranges. Sorry about that.


> > I ran into an issue with the original master no longer replicating, so
> > I performed an ipa-server-install --uninstall and removed the
> > host/server from IPA.
> 
> This is where the problem started.
> 
> >
> > I re-setup the replica using ipa-client-install and then
> > ipa-replica-install, and had no errors reported in the output.
> >
> > I then went into Web UI and setup replication agreements using the
> > topology graph page between the new replica and the previous replica
> > (the master/new replica agreements being setup by the replica install
> > script).
> >
> >
> >
> > I then attempted to add a posix group account and got an operational
> > error message. This caused ldap to crash on the server I was
> > interfacing with.
> 
> If you are getting a core it would be very enlightening to get a stack trace
> from that (you'll need to install the debuginfo package to get any really
> useful data out of it).
> 

I haven't had to get a core file from a systemd service before, so I did it the 
wrong way, but this is what I managed to get:

From journalctl:
*** Error in `/usr/sbin/ns-slapd': free(): invalid pointer: 0x7fbcd82f5fb0 
***
Apr 19 17:13:56 server1 ns-slapd[1892]: === Backtrace: =
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/lib64/libc.so.6(+0x7c503)[0x7fbd4522c503]
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/lib64/libldap_r-2.4.so.2(ldap_mods_free+0x81)[0x7fbd46ba1a11]
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/usr/lib64/dirsrv/libslapd.so.0(do_modify+0x7e0)[0x7fbd479f96a0]
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/usr/sbin/ns-slapd(+0x1b9e0)[0x7fbd47ee29e0]
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/lib64/libnspr4.so(+0x289bb)[0x7fbd45bd89bb]
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/lib64/libpthread.so.0(+0x7dc5)[0x7fbd45578dc5]
Apr 19 17:13:56 server1 ns-slapd[1892]: 
/lib64/libc.so.6(clone+0x6d)[0x7fbd452a773d]


From an eventual core and gdb (and not from the same crash as the journalctl
output):
(gdb) bt
#0  __GI___libc_free (mem=0x41) at malloc.c:2929
#1  0x7f87f6fca24c in ber_memvfree_x (vec=0x7f876c00a900, ctx=0x0) at 
memory.c:180
#2  0x7f87f71f2a11 in ldap_mods_free (mods=0x7f876c001fb0, freemods=1) at 
free.c:94
#3  0x7f87f804a6a0 in do_modify (pb=pb@entry=0x7f87b4ff0a90) at 
ldap/servers/slapd/modify.c:390
#4  0x7f87f85339e0 in connection_dispatch_operation (pb=0x7f87b4ff0a90, 
op=0x7f87f931bf80, conn=0x7f87d82d0768) at ldap/servers/slapd/connection.c:627
#5  connection_threadmain () at ldap/servers/slapd/connection.c:1759
#6  0x7f87f62299bb in _pt_root () from /lib64/libnspr4.so
#7  0x7f87f5bc9dc5 in start_thread (arg=0x7f87b4ff1700) at 
pthread_create.c:308
#8  0x7f87f58f873d in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:113


(gdb) bt full
#0  __GI___libc_free (mem=0x41) at malloc.c:2929
ar_ptr = 
p = 
hook = 0x0
#1  0x7f87f6fca24c in ber_memvfree_x (vec=0x7f876c00a900, ctx=0x0) at 
memory.c:180
i = 
#2  0x7f87f71f2a11 in ldap_mods_free (mods=0x7f876c001fb0, freemods=1) at 
free.c:94
i = 
#3  0x7f87f804a6a0 in do_modify (pb=pb@entry=0x7f87b4ff0a90) at 
ldap/servers/slapd/modify.c:390
operation = 0x7f87f931bf80
smods = {mods = 0x0, num_elements = 0, num_mods = 0, iterator = 0, 
free_mods = 0}
ber = 
tag = 
len = 18446744073709551615
normalized_mods = 0x7f876c001fb0
   

Re: [Freeipa-users] cannot add posix group or user

2017-04-19 Thread Rob Crittenden
Cox, Jason wrote:
> Hi all,
> 
>  
> 
> I had to reinstall my IPA setup, so I’m using 4.4 and am learning the
> newer domain levels and topology features.
> 
> I’ve installed 3 servers.
> 
> I promoted one of the replicas to master and demoted the original master
> to replica according to the documentation.

According to what documentation?

Note that they are all masters, some may just run different services and
only one has a few duties (like CRL generation).

> I ran into an issue with the original master no longer replicating, so I
> performed an ipa-server-install --uninstall and removed the host/server
> from IPA.

This is where the problem started.

> 
> I re-setup the replica using ipa-client-install and then
> ipa-replica-install, and had no errors reported in the output.
> 
> I then went into Web UI and setup replication agreements using the
> topology graph page between the new replica and the previous replica
> (the master/new replica agreements being setup by the replica install
> script).
> 
>  
> 
> I then attempted to add a posix group account and got an operational
> error message. This caused ldap to crash on the server I was interfacing
> with.

If you are getting a core it would be very enlightening to get a stack
trace from that (you'll need to install the debuginfo package to get any
really useful data out of it).

> 
> I performed an ‘ipactl restart’ on the affected server and attempted
> again with the same issue.
> 
> I tried adding a non-posix group and it was successful.
> 
>  
> 
> I found the dirsrv logs and see the error ‘dna-plugin - dna_pre_op: no
> more values available!!’ which led me to
> https://www.redhat.com/archives/freeipa-users/2014-February/msg00247.html
> 
>  
> 
> Performing the ldapsearch I see:
> 
>   dnaMaxValue is 1100
> 
>   dnaNextValue is 1101
> 
>   dnaThreshold is 500

Right. A master only gets a range when it needs one. In this case it
needed one after the master holding the entire range went away.

> I also did ‘ipa idrange-find’, which shows:
> 
>  
> 
> ---
> 
> 1 range matched
> 
> ---
> 
>   Range name: MYDOMAIN.COM_id_range
> 
>   First Posix ID of the range: 194600
> 
>   Number of IDs in the range: 20
> 
>   Range type: local domain range
> 
> 
> 
> Number of entries returned 1
> 
> 
> 
>  
> 
>  
> 
> So now my question is what do I need to change to fix the issue?
> 
> I can do the ldapmodify to adjust the dnaMaxValue, but I don’t know what
> I should be adjusting the idrange to?
> 
> I’d like to keep the idrange the same and just adjust the dnaMaxValue,
> so would I need to change dnaMaxValue to 20?

See https://blog-rcritten.rhcloud.com/?p=50

rob
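
An added example, not part of any message in this thread: a check for the exhausted DNA range behind the 'no more values available' error, plus a sanity check of a replacement range before it is written with ldapmodify. The function names are hypothetical, the DN in the sample is an assumption (FreeIPA's usual DNA plugin entry), and the ranges held by other masters are supplied by the caller.

```python
import re

# Constructed sample: the DNA plugin attributes quoted in the thread, in the
# LDIF form ldapsearch prints. The DN is an assumption (FreeIPA's usual entry).
SAMPLE_LDIF = """\
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
dnaMaxValue: 1100
dnaNextValue: 1101
dnaThreshold: 500
"""

def parse_dna(ldif):
    """Return the integer dna* attributes of one LDIF entry, keys lower-cased."""
    attrs = {}
    for m in re.finditer(r"^(dna\w+):[ \t]*(-?\d+)[ \t]*$", ldif, re.M | re.I):
        attrs[m.group(1).lower()] = int(m.group(2))
    return attrs

def dna_status(attrs):
    """Report how many IDs this server can still hand out on its own."""
    remaining = max(0, attrs["dnamaxvalue"] - attrs["dnanextvalue"] + 1)
    return {
        "remaining": remaining,
        "exhausted": remaining == 0,  # the 'no more values available' case
        "below_threshold": remaining < attrs.get("dnathreshold", 0),
    }

def check_new_range(start, end, idrange_first, idrange_size, held=()):
    """List reasons a proposed dnaNextValue..dnaMaxValue range is unsafe.

    idrange_first/idrange_size describe the local IPA ID range; held is the
    (start, end) ranges other masters already own, supplied by the caller.
    """
    problems = []
    idrange_last = idrange_first + idrange_size - 1
    if start > end:
        problems.append("start is greater than end")
    if start < idrange_first or end > idrange_last:
        problems.append(f"outside local ID range {idrange_first}-{idrange_last}")
    for h_start, h_end in held:
        if start <= h_end and h_start <= end:  # inclusive interval overlap
            problems.append(f"overlaps range {h_start}-{h_end} held elsewhere")
    return problems
```

An empty list from check_new_range means the proposed range sits inside the local ID range and collides with nothing the caller listed; it does not prove that no other master holds it.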
