July 2017 - FreeIPA-users - Fedora mailing-lists

IPA to AD trust 4625 NULL SID logon failures
by Andy Thompson 13 Jul '17

13 Jul '17

We are troubleshooting an account lockout issue and came across the error below in the windows DC event logs while investigating. They are appearing in two of our environments, the third is quiet. These are logged several times a minute and are likely unrelated to the lockout issue, but what IPA process could cause this? Running IPA (ipa-server-4.4.0-14.el7_3.7) on RHEL 7.1 An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: Account Domain: Failure Information: Failure Reason: An Error occured during Logon. Status: 0x80090302 Sub Status: 0x0 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: - Source Network Address: <IPA server address> Source Port: 35392 Detailed Authentication Information: Logon Process: Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0

2 3

Re: sssd went away, failed to restart
by Jakub Hrozek 13 Jul '17

13 Jul '17

Pavel, I think this looks a bit similar to https://bugzilla.redhat.com/show_bug.cgi?id=1466934 do you agree? Do you have some suggestion to increase the wait timeout in case the services are restarted? On Thu, Jul 13, 2017 at 08:41:58AM +0200, Harald Dunkel wrote: > Hi Jakub, > > it happened again (using sssd 1.15.0). At 18.21 sssd became unavailable. See below > > On Wed, 24 Feb 2016 09:24:47 +0100 > Jakub Hrozek <jhrozek(a)redhat.com> wrote: > > > > > > > Do you think this is OK? Did it try to terminate the unresponsive > > > sssd_be, or did it just try to start a new one and ran into a > > > conflict with the old? > > > > We should have started a new one. Again, I'm speculating, but I /think/ > > that because the system might have been under load, the sssd_be took too > > long to restart and the monitor (sssd itself) gave up on it. Of course, > > it's something we should fix, but without a better idea how to > > reproduce the error in the first place, I'm not sure how to start to be > > honest. > > > > This time nss went away, AFAICS. sssd.log: > > (Mon Jul 10 00:39:27 2017) [sssd] [monitor_hup] (0x0020): Received SIGHUP. > (Mon Jul 10 00:39:27 2017) [sssd] [te_server_hup] (0x0020): Received SIGHUP. Rotating logfiles. > (Wed Jul 12 18:21:31 2017) [sssd] [svc_child_info] (0x0040): Child [1152] exited with code [0] > (Wed Jul 12 18:21:31 2017) [sssd] [sbus_dispatch] (0x0080): Connection is not open for dispatching. > (Wed Jul 12 18:21:32 2017) [sssd] [start_service] (0x0100): Queueing service nss for startup > (Wed Jul 12 18:21:32 2017) [sssd] [sbus_server_init_new_connection] (0x0200): Entering. > (Wed Jul 12 18:21:32 2017) [sssd] [sbus_server_init_new_connection] (0x0200): Adding connection 0x10c4230. > (Wed Jul 12 18:21:32 2017) [sssd] [sbus_server_init_new_connection] (0x0200): Got a connection > (Wed Jul 12 18:21:32 2017) [sssd] [svc_child_info] (0x0040): Child [117466] exited with code [3] > (Wed Jul 12 18:21:32 2017) [sssd] [svc_child_info] (0x0040): Child [1150] exited with code [0] > (Wed Jul 12 18:21:32 2017) [sssd] [sbus_dispatch] (0x0080): Connection is not open for dispatching. > (Wed Jul 12 18:21:32 2017) [sssd] [start_service] (0x0100): Queueing service example.de for startup > (Wed Jul 12 18:21:34 2017) [sssd] [start_service] (0x0100): Queueing service nss for startup > (Wed Jul 12 18:21:34 2017) [sssd] [sbus_server_init_new_connection] (0x0200): Entering. > (Wed Jul 12 18:21:34 2017) [sssd] [sbus_server_init_new_connection] (0x0200): Adding connection 0x10c44a0. > (Wed Jul 12 18:21:34 2017) [sssd] [sbus_server_init_new_connection] (0x0200): Got a connection > (Wed Jul 12 18:21:34 2017) [sssd] [svc_child_info] (0x0040): Child [117468] exited with code [3] > (Wed Jul 12 18:21:34 2017) [sssd] [sbus_dispatch] (0x0080): Connection is not open for dispatching. > (Wed Jul 12 18:21:38 2017) [sssd] [start_service] (0x0100): Queueing service nss for startup > (Wed Jul 12 18:21:38 2017) [sssd] [sbus_server_init_new_connection] (0x0200): Entering. > (Wed Jul 12 18:21:38 2017) [sssd] [sbus_server_init_new_connection] (0x0200): Adding connection 0x10b29b0. > (Wed Jul 12 18:21:38 2017) [sssd] [sbus_server_init_new_connection] (0x0200): Got a connection > (Wed Jul 12 18:21:38 2017) [sssd] [svc_child_info] (0x0040): Child [117469] exited with code [3] > (Wed Jul 12 18:21:38 2017) [sssd] [monitor_restart_service] (0x0010): Process [nss], definitely stopped! > (Wed Jul 12 18:21:38 2017) [sssd] [monitor_quit] (0x0040): Returned with: 1 > (Wed Jul 12 18:21:38 2017) [sssd] [monitor_quit] (0x0020): Terminating [example.de][117467] > (Wed Jul 12 18:21:39 2017) [sssd] [monitor_quit] (0x0020): Child [example.de] exited gracefully > (Wed Jul 12 18:21:39 2017) [sssd] [monitor_quit] (0x0020): Terminating [pac][1156] > (Wed Jul 12 18:21:40 2017) [sssd] [monitor_quit] (0x0020): Child [pac] terminated with a signal > (Wed Jul 12 18:21:40 2017) [sssd] [monitor_quit] (0x0020): Terminating [ssh][1155] > (Wed Jul 12 18:21:40 2017) [sssd] [monitor_quit] (0x0020): Child [ssh] terminated with a signal > (Wed Jul 12 18:21:40 2017) [sssd] [monitor_quit] (0x0020): Terminating [pam][1154] > (Wed Jul 12 18:21:40 2017) [sssd] [monitor_quit] (0x0020): Child [pam] terminated with a signal > (Wed Jul 12 18:21:40 2017) [sssd] [monitor_quit] (0x0020): Terminating [sudo][1153] > (Wed Jul 12 18:21:40 2017) [sssd] [monitor_quit] (0x0020): Child [sudo] exited gracefully > (Wed Jul 12 19:12:37 2017) [sssd] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))]. > (Wed Jul 12 19:12:37 2017) [sssd] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. > > > sssd_nss.log: > (Wed Jul 12 18:21:29 2017) [sssd[nss]] [orderly_shutdown] (0x0010): SIGTERM: killing children > (Wed Jul 12 18:21:32 2017) [sssd[nss]] [sss_dp_init] (0x0010): Failed to connect to monitor services. > (Wed Jul 12 18:21:32 2017) [sssd[nss]] [sss_process_init] (0x0010): fatal error setting up backend connector > (Wed Jul 12 18:21:32 2017) [sssd[nss]] [nss_process_init] (0x0010): sss_process_init() failed > (Wed Jul 12 18:21:34 2017) [sssd[nss]] [sss_dp_init] (0x0010): Failed to connect to monitor services. > (Wed Jul 12 18:21:34 2017) [sssd[nss]] [sss_process_init] (0x0010): fatal error setting up backend connector > (Wed Jul 12 18:21:34 2017) [sssd[nss]] [nss_process_init] (0x0010): sss_process_init() failed > (Wed Jul 12 18:21:38 2017) [sssd[nss]] [sss_dp_init] (0x0010): Failed to connect to monitor services. > (Wed Jul 12 18:21:38 2017) [sssd[nss]] [sss_process_init] (0x0010): fatal error setting up backend connector > (Wed Jul 12 18:21:38 2017) [sssd[nss]] [nss_process_init] (0x0010): sss_process_init() failed > > > domain log: > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=juppschmitz(a)example.de] > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for name=juppschmitz(a)example.de,cn=users,cn=example.de,cn=sysdb > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [sdap_parse_deref] (0x0200): Dereferenced entry [cn=helpdesk,cn=roles,cn=accounts,dc=example,dc=de] has no attributes, skipping > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [sdap_parse_deref] (0x0200): Dereferenced entry [cn=User Administrator,cn=roles,cn=accounts,dc=example,dc=de] has no attributes, skipping > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [sdap_parse_deref] (0x0200): Dereferenced entry [cn=IT Specialist,cn=roles,cn=accounts,dc=example,dc=de] has no attributes, skipping > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [sdap_parse_deref] (0x0200): Dereferenced entry [cn=IT Security Specialist,cn=roles,cn=accounts,dc=example,dc=de] has no attributes, skipping > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [sdap_parse_deref] (0x0200): Dereferenced entry [cn=Security Architect,cn=roles,cn=accounts,dc=example,dc=de] has no attributes, skipping > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait: No such object (32)] > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [sysdb_set_entry_attr] (0x0080): Cannot set ts attrs for name=juppschmitz(a)example.de,cn=users,cn=example.de,cn=sysdb > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [dp_pam_handler] (0x0100): Got request with the following data > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): domain: example.de > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): user: juppschmitz(a)example.de > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): service: dovecot > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): tty: dovecot > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): ruser: juppschmitz > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): rhost: 172.19.97.238 > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): authtok type: 1 > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): newauthtok type: 0 > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): priv: 1 > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): cli_pid: 117180 > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [pam_print_data] (0x0100): logon name: not set > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [be_resolve_server_process] (0x0200): Found address for server ipa2.example.de: [172.19.96.4] TTL 7200 > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ipa2.example.de' as 'working' > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [set_server_common_status] (0x0100): Marking server 'ipa2.example.de' as 'working' > (Wed Jul 12 18:20:48 2017) [sssd[be[example.de]]] [sysdb_set_entry_attr] (0x0200): Entry [name=juppschmitz(a)example.de,cn=users,cn=example.de,cn=sysdb] has set [ts_cache] attrs. > (Wed Jul 12 18:21:29 2017) [sssd[be[example.de]]] [sysdb_set_entry_attr] (0x0200): Entry [name=juppschmitz(a)example.de,cn=users,cn=example.de,cn=sysdb] has set [cache, ts_cache] attrs. > (Wed Jul 12 18:21:29 2017) [sssd[be[example.de]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.EXAMPLE.DE], [2][No such file or directory] > (Wed Jul 12 18:21:29 2017) [sssd[be[example.de]]] [orderly_shutdown] (0x0010): SIGTERM: killing children > (Wed Jul 12 18:21:33 2017) [sssd[be[example.de]]] [be_res_get_opts] (0x0100): Lookup order: ipv4_first > (Wed Jul 12 18:21:33 2017) [sssd[be[example.de]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel > (Wed Jul 12 18:21:33 2017) [sssd[be[example.de]]] [sysdb_domain_init_internal] (0x0200): DB File for example.de: /var/lib/sss/db/cache_example.de.ldb > (Wed Jul 12 18:21:33 2017) [sssd[be[example.de]]] [sysdb_domain_init_internal] (0x0200): Timestamp file for example.de: /var/lib/sss/db/timestamps_example.de.ldb > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_example.de,1) > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))]. > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s]. > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [dp_load_configuration] (0x0100): Using [ipa] provider for [id] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [dp_load_configuration] (0x0100): Using [ipa] provider for [auth] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [dp_load_configuration] (0x0100): Using [ipa] provider for [access] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [dp_load_configuration] (0x0100): Using [ipa] provider for [chpass] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [dp_load_configuration] (0x0100): Using [ipa] provider for [sudo] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [dp_load_configuration] (0x0100): Using [ipa] provider for [autofs] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [dp_load_configuration] (0x0100): Using [ipa] provider for [selinux] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [dp_load_configuration] (0x0100): Using [ipa] provider for [hostid] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [dp_load_configuration] (0x0100): Using [ipa] provider for [subdomains] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][cn=accounts,dc=example,dc=de][SUBTREE][] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [sdap_set_sasl_options] (0x0100): Will look for srvvm01.ac.example.de(a)EXAMPLE.DE in default keytab > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [select_principal_from_keytab] (0x0200): Selected primary: host/srvvm01.ac.example.de > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [select_principal_from_keytab] (0x0200): Selected realm: EXAMPLE.DE > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to host/srvvm01.ac.example.de > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to EXAMPLE.DE > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [common_parse_search_base] (0x0100): Search base added: [USER][cn=accounts,dc=example,dc=de][SUBTREE][] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [common_parse_search_base] (0x0100): Search base added: [GROUP][cn=accounts,dc=example,dc=de][SUBTREE][] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][cn=ng,cn=alt,dc=example,dc=de][SUBTREE][] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [ipa_get_id_options] (0x0100): Option ipa_host_search_base set to cn=accounts,dc=example,dc=de > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [common_parse_search_base] (0x0100): Search base added: [IPA_HOST][cn=accounts,dc=example,dc=de][SUBTREE][] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [common_parse_search_base] (0x0100): Search base added: [IPA_HBAC][cn=hbac,dc=example,dc=de][SUBTREE][] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [ipa_get_id_options] (0x0100): Option ipa_selinux_search_base set to cn=selinux,dc=example,dc=de > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [common_parse_search_base] (0x0100): Search base added: [IPA_SELINUX][cn=selinux,dc=example,dc=de][SUBTREE][] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][cn=accounts,dc=example,dc=de][SUBTREE][] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [ipa_get_id_options] (0x0100): Option ipa_subdomains_search_base set to cn=trusts,dc=example,dc=de > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [common_parse_search_base] (0x0100): Search base added: [IPA_SUBDOMAINS][cn=trusts,dc=example,dc=de][SUBTREE][] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [ipa_get_id_options] (0x0100): Option ipa_master_domain_search_base set to cn=ad,cn=etc,dc=example,dc=de > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [common_parse_search_base] (0x0100): Search base added: [IPA_MASTER_DOMAIN][cn=ad,cn=etc,dc=example,dc=de][SUBTREE][] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [ipa_get_id_options] (0x0100): Option ipa_ranges_search_base set to cn=ranges,cn=etc,dc=example,dc=de > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [common_parse_search_base] (0x0100): Search base added: [IPA_RANGES][cn=ranges,cn=etc,dc=example,dc=de][SUBTREE][] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [ipa_get_id_options] (0x0100): Option ipa_views_search_base set to cn=views,cn=accounts,dc=example,dc=de > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [common_parse_search_base] (0x0100): Search base added: [IPA_VIEWS][cn=views,cn=accounts,dc=example,dc=de][SUBTREE][] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [ipa_init_dyndns] (0x0100): Dynamic DNS updates are off. > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [krb5_try_kdcip] (0x0100): No KDC found in configuration, trying legacy option > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [ipa_get_auth_options] (0x0100): Option krb5_fast_principal set to host/srvvm01.ac.example.de(a)EXAMPLE.DE > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [ipa_get_auth_options] (0x0100): Option krb5_use_kdcinfo set to true > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [check_lifetime] (0x0200): No lifetime configured. > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [check_lifetime] (0x0200): No lifetime configured. > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [sss_krb5_check_options] (0x0100): No KDC explicitly configured, using defaults. > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [sss_krb5_check_options] (0x0100): No kpasswd server explicitly configured, using the KDC or defaults. > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [sss_krb5_check_options] (0x0100): ccache is of type FILE > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [parse_krb5_map_user] (0x0100): krb5_map_user is empty! > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][cn=sudo,dc=example,dc=de][SUBTREE][] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][cn=default,cn=automount,dc=example,dc=de][SUBTREE][] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [sssm_ipa_selinux_init] (0x0080): SELinux init handler called but SSSD is built without SSH support, ignoring > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [sss_write_krb5_localauth_snippet] (0x0200): File for localauth plugin configuration is [/var/lib/sss/pubconf/krb5.include.d/localauth_plugin] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [sss_write_krb5_libdefaults_snippet] (0x0200): File for KRB5 kibdefaults configuration is [/var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [example.de] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_example_de] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [become_user] (0x0200): Trying to become user [0][0]. > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [become_user] (0x0200): Already user [0]. > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kdcinfo.EXAMPLE.DE], [2][No such file or directory] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.EXAMPLE.DE], [2][No such file or directory] > (Wed Jul 12 18:21:39 2017) [sssd[be[example.de]]] [orderly_shutdown] (0x0010): SIGTERM: killing children > (Wed Jul 12 19:12:37 2017) [sssd[be[example.de]]] [be_res_get_opts] (0x0100): Lookup order: ipv4_first > (Wed Jul 12 19:12:37 2017) [sssd[be[example.de]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel > (Wed Jul 12 19:12:37 2017) [sssd[be[example.de]]] [sysdb_domain_init_internal] (0x0200): DB File for example.de: /var/lib/sss/db/cache_example.de.ldb > (Wed Jul 12 19:12:37 2017) [sssd[be[example.de]]] [sysdb_domain_init_internal] (0x0200): Timestamp file for example.de: /var/lib/sss/db/timestamps_example.de.ldb > > > > > In future we would like to make heavier use of systemd features, we need > > to socket-activate the parts as a first step. Using systemd's watchdog > > would also be nice, but we're not there yet. > > > > Sorry to say, but having "nice" features is irrelevant, if you loose > 1 hour EMail traffic. > > I highly appreciate that there are many many volunteers out there > writing open source software because they like to (I do, too), but in > the office we don't run these servers for fun. > > > Regards > Harri

2 1

can not restart httpd service after certificate renewal
by karl.forner＠gmail.com 13 Jul '17

13 Jul '17

Hello, Today I realized that the https certificate for my freeipa web ui has expired. I tried to renew it using: #ipa-cacert-manage renew Renewing CA certificate, please wait CA certificate successfully renewed The ipa-cacert-manage command was successful So it seemed to went well. I tried to restart ipa but it failed: # ipactl start Starting Directory Service Starting krb5kdc Service Starting kadmin Service Starting named Service Starting ipa_memcached Service Starting httpd Service Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details. Failed to start httpd Service Shutting down What went wrong ? I'm running in a freeipa-server docker on a linux server... It is quite a big deal since I can not run my master freeipa anymore even from a backup ! Thanks. logs === # systemctl status httpd.service * httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service) Drop-In: /usr/lib/systemd/system/httpd.service.d `-abc.conf Active: failed (Result: exit-code) since Tue 2017-07-11 17:21:57 CEST; 3min 52s ago Process: 28719 ExecStopPost=/usr/bin/kdestroy -A (code=exited, status=0/SUCCESS) Process: 28717 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE) Process: 28716 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS) Main PID: 28717 (code=exited, status=1/FAILURE) Jul 11 17:21:56 ipa.quartzbio.com systemd[1]: Starting The Apache HTTP Server... Jul 11 17:21:56 ipa.quartzbio.com ipa-httpd-kdcproxy[28716]: ipa : INFO KDC proxy enabled Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: Failed to start The Apache HTTP Server. Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Unit entered failed state. Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Failed with result 'exit-code'. Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: Stopped The Apache HTTP Server. and (excerpt from journalctl -xe) -- The start-up result is done. Jul 11 17:29:15 ipa.quartzbio.com polkitd[28301]: Unregistered Authentication Agent for unix-process:28918:604682378 (system bus name :1.41, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C) (disconnected from bus) Jul 11 17:29:15 ipa.quartzbio.com polkitd[28301]: Registered Authentication Agent for unix-process:28932:604682393 (system bus na me :1.42 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C) Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: systemd-hwdb-update.service: Cannot add dependency job, ignoring: Unit systemd-hwdb -update.service is masked. Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: dev-hugepages.mount: Cannot add dependency job, ignoring: Unit dev-hugepages.mount is masked. Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: ldconfig.service: Cannot add dependency job, ignoring: Unit ldconfig.service is mas ked. Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: swap.target: Cannot add dependency job, ignoring: Unit swap.target is masked. Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: sys-fs-fuse-connections.mount: Cannot add dependency job, ignoring: Unit sys-fs-fus e-connections.mount is masked. Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: local-fs.target: Cannot add dependency job, ignoring: Unit local-fs.target is maske d. Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: systemd-update-done.service: Cannot add dependency job, ignoring: Unit systemd-upda te-done.service is masked. Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: slices.target: Cannot add dependency job, ignoring: Unit slices.target is masked. Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: dnf-makecache.timer: Cannot add dependency job, ignoring: Unit dnf-makecache.timer is masked. Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: fedora-autorelabel-mark.service: Cannot add dependency job, ignoring: Unit fedora-a utorelabel-mark.service is masked. Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: rpcbind.socket: Cannot add dependency job, ignoring: Unit rpcbind.socket is masked. Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: Starting The Apache HTTP Server... -- Subject: Unit httpd.service has begun start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit httpd.service has begun starting up. Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: checkhints: unable to get root NS rrset from cache: not found Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone 70.9.10.in-addr.arpa/IN: sending notifies (serial 1499786955) Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone 70.9.10.in-addr.arpa/IN: loaded serial 1499786955 Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone 0.17.172.in-addr.arpa/IN: sending notifies (serial 1499786955) Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone 0.17.172.in-addr.arpa/IN: loaded serial 1499786955 Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone quartzbio.com/IN: sending notifies (serial 1499786955) Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone quartzbio.com/IN: loaded serial 1499786955 Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: 3 master zones from LDAP instance 'ipa' loaded (3 zones defined, 0 inactive, 0 f ailed to load) Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: checkhints: unable to get root NS rrset from cache: not found Jul 11 17:29:16 ipa.quartzbio.com ns-slapd[28813]: GSSAPI client step 1 Jul 11 17:29:16 ipa.quartzbio.com ns-slapd[28813]: GSSAPI client step 1 Jul 11 17:29:16 ipa.quartzbio.com ipa-httpd-kdcproxy[28938]: ipa : INFO KDC proxy enabled Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: Failed to start The Apache HTTP Server. -- Subject: Unit httpd.service has failed -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit httpd.service has failed. -- -- The result is failed. Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: httpd.service: Unit entered failed state. Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: httpd.service: Failed with result 'exit-code'. Jul 11 17:29:16 ipa.quartzbio.com polkitd[28301]: Unregistered Authentication Agent for unix-process:28932:604682393 (system bus name :1.42, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C) (disconnected from bus) Jul 11 17:29:16 ipa.quartzbio.com polkitd[28301]: Registered Authentication Agent for unix-process:28944:604682474 (system bus na me :1.43 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C) Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: Stopping Kerberos 5 KDC... -- Subject: Unit krb5kdc.service has begun shutting down -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

4 7

still unable to renew certificates - deep trouble
by Karl Forner 12 Jul '17

12 Jul '17

Hello, I'm getting desperate, I'm still unable to fix my expired certificates on my freeIPA master. Summary: - I discovered that my web ui SSL certificate had expired. - the certificate lives in /etc/httpd/alias, is named Server-Cert - for some reason, it is not tracked by ipa-getcert list - from the web-ui, Authentication --> certificates fail: - IPA Error 4301: CertificateOperationError - Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error) - I tried to set the system time back in time -> was unable to get kinit credentials (revoked) - I tried to set certmonger to track the expired certificate: - ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert -p /etc/httpd/alias/pwdfile.txt - status from ipa-getcert list: - ca-error: Unable to determine principal name for signing request. - I followed some instructions to manually renew the certificates. - at one point I need ipa cert-request to sign the request. - but the ipa cert commands do not work, e.g. - ipa cert-find ipa: ERROR: cert validation failed for "CN=ipa.quartzbio.com,O= QUARTZBIO.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.) ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found) What could/should I do !?!? Is is possible to manually renew the certificate using only certutil ? Thanks for any help. Karl P.S this runs in a freeipa-server docker container.

2 2

FreeIPA-users mailing list archive broken?
by John Morris 12 Jul '17

12 Jul '17

Seems the mailing list archives stopped working in mid-May: https://www.redhat.com/archives/freeipa-users/ John

2 1

Re: Newbie - Cannot get FreeIPA client authentication working.
by Patrick McHale 12 Jul '17

12 Jul '17

Thanks Callum for your advice so far, I am now able to login to the client via the FreeIPA server authentication. I am having trouble getting sudo access working properly. I have followed the guide you mentioned but I still cannot sudo into the client. I have opened up everything under the created “sudo rule” but I am still not able to log in with sudo priviledges. So, as a test I have selected these commands within the “sudo rules” but no success here. Who – Anyone Access this host – Anyhost Run Commands – Any Command *From the command line* [root@ipa ~]# ipa sudorule-show sudo Rule name: sudo Enabled: TRUE User category: all Host category: all Command category: all RunAs User category: all RunAs Group category: all Sudo Option: !authenticate Would be grateful for some advice, I am missing something here. Regards *Patrick McHale* *Network and Systems Administrator* *Infrastructure team* *NZX REGULATED INFRASTRUCTURE & OPERATIONS* *NZX Limited* Level 1, NZX Centre, 11 Cable Street PO Box 2959 Wellington 6140 New Zealand DDI: +64 4 495 2884 Mobile: +64 27 405 8340 www.nzx.com [image: https://nzx.com/files/static/email_signatures/nzx-logo-email.png]

2 1

Understanding an AD Trust
by erricg＠gmail.com 12 Jul '17

12 Jul '17

We're planning an IdM implementation where we have several data centers over a large geographic location. We're following the Red Hat guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/ht… and are interested in having the "tight cell" replication strategy with indirect authentication based on a one-way trust from AD. What I do not yet understand is multiple servers in different data centers with a single trust (realm). That is, do we need to run ipa trust-add on multiple servers? Further, would this be on each server in the cell, or would it be only for the trust controller?

2 1

Modify default dirsrv/LDAP certificate (add SAN)
by David Goudet 11 Jul '17

11 Jul '17

Hi, I am using FreeIPAv4, some of clients products does not support LDAP failover so i am configuring LDAP loadbalancer based on KeepAlived to do LDAP stream fail-over. I have two FreeIPA server (ds01.xxx & ds02.xxx) and i added one new FreeIPA service LDAP/ldapha.xxx which have two IPs (ds01 & ds02) in DNS Alias entry. Everything works as excepted except TLS certificate verification on client side: required Hostname from client is ldapha.xxx, stream is load balanced by KeepAlive on ds01 or ds02 and certificate provided by ds01 or ds02 does not include ldapha.xxx => TLS handshake failed. nssdb certificate request: Request ID 'yyy': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-xxxx/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-xxx',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: xxxx subject: CN=ds02.xxxx expires: 2019-03-24 13:33:31 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv xxxx track: yes auto-renew: yes ipa-getcert resubmit -i yyy -D ds02.xxxx -D ldapha.xxx Add new SAN in default LDAP certificate in nssdb is possible with command above but is it recommended/supported? When FreeIPA software will be updated is this SAN configuration will be persistent? What is the best/recommended solution to cover this need? Thank you for your help -- David GOUDET LYRA NETWORK IT Operations service Tel : +33 (0)5 32 09 09 74 | Poste : 574

2 4

Setting up "Trust" without AD Admin credentials?
by joerg.georgi＠bt.com 11 Jul '17

11 Jul '17

Hi everyone, first post, hope the question is not too dumb and this is the right list. I’m trying to use IPA in the way the RHEL Windows Integration Guide describes it in the one-way-trust setup (indirect integration, using AD for auth, IPA for policies). However, I’m hitting a wall since at one point you have to provide AD Admin credentials (setting up the agreement) which I don’t have/won’t have. Question: Are there other ways to get the (almost) same result w/o having admin access to AD? * Some 2 years back Dmitri Dal made a comment here which seems to point into that direction https://pagure.io/freeipa/issue/4546 but I wasn’t able to find anything in the official documentation or elsewhere and that issue has been closed as fixed. As of now I only see recreating all the users/groups from AD in IPA w/o any connectivity in between as one option, which would be ok but not very elegant and users have to deal with another password. Is it possible to use SSSD with AD as auth/idprovider and IPA for policies (something like shown in the modern integration option image here but with policies fetched from IPA: http://rhelblog.redhat.com/2015/02/04/overview-of-direct-integration-option… thanks, jgeo

3 2

ipa-domainlevel set 1 failed
by Jan Karásek 11 Jul '17

11 Jul '17

Hello, I'm having trouble to set the IPA domain level to 1. When I run the command: ipa domainlevel-set 1 ipa: ERROR: Domain Level cannot be raised to 1, existing replication conflicts have to be resolved. At the moment we have just two IPA server. I have tried to uninstall all replicas, keeping only first ipa master, but the same error occurred. While running only one IPA server without any replica, I used ipa-replica-manage list-ruv and clean-ruv to delete all RUVs, but was still unable to raise the domain level. OS: RHEL 7.3, updated to last IPA version ipa-server-4.4.0-14. First version of IPA server installed was on RHEL 7.2, then updated to RHEL 7.3. This is described in RHBA-2017:0089-1 Previously, if an Identity Management (IdM) upgrade ran simultaneously on multiple servers, replication conflict entries were sometimes generated in the "cn=topology" subtree. So if I understand it right, there is a new check implemented which prevents raising domain level when this happens. So my question is what can I do to get rid of "conflict entries" and raise domain level ? Thanks, Jan Karásek

3 3

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users July 2017