January 2018 - FreeIPA-users - Fedora mailing-lists

How to re-initialize replication
by William Muriithi 15 Jan '18

15 Jan '18

Hello, I shot myself on the foot the other day by keeping one of the IPA server down too long during redundancy testing. Now, it can't sync with the peer. Luckily, its not the cert server so I am suspecting I can get it working by reinitializing it. However, that isn't working, and I am getting the error below. [root@hydrogen ~]# ipa-replica-manage re-initialize --from lithium.eng.example.com [ldaps://lithium.eng.example.com:636] reports: Update failed! Status: [2 Replication error acquiring replica: excessive clock skew] Now, before I do further change, I am wondering if someone has faced this problem before and what would the next step. According to google, this seem to be my only solution, but looks a bit scarily. http://directory.fedoraproject.org/docs/389ds/howto/howto-fix-and-reset-tim… Would there be any other better option from your experience? [15/Jan/2018:07:27:58.296415297 -0500] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests [15/Jan/2018:07:27:58.296988661 -0500] - INFO - slapd_daemon - Listening on /var/run/slapd-ENG-EXAMPLE-COM.socket for LDAPI requests [15/Jan/2018:07:28:02.794968170 -0500] - ERR - csngen_adjust_time - Adjustment limit exceeded; value - 7568166, limit - 86400 [15/Jan/2018:07:28:02.796095907 -0500] - ERR - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=meTolithium.eng.example.com" (lithium:389): Fatal error - too much time skew between replicas! [15/Jan/2018:07:28:02.799804827 -0500] - ERR - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=meTolithium.eng.example.com" (lithium:389): Incremental update failed and requires administrator action [15/Jan/2018:07:28:03.400808361 -0500] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=eng,dc=example,dc=com [15/Jan/2018:07:28:03.401704265 -0500] - ERR - schema-compat-plugin - Finished plugin initialization. [15/Jan/2018:07:28:25.023819558 -0500] - ERR - csngen_adjust_time - Adjustment limit exceeded; value - 7568268, limit - 86400 [15/Jan/2018:07:28:25.025929954 -0500] - ERR - NSMMReplicationPlugin - multimaster_extop_StartNSDS50ReplicationRequest - conn=28 op=5 repl="dc=eng,dc=example,dc=com": Excessive clock skew from supplier RUV [15/Jan/2018:07:28:25.026528807 -0500] - ERR - NSMMReplicationPlugin - multimaster_extop_StartNSDS50ReplicationRequest - conn=28 op=5 replica="dc=eng,dc=example,dc=com": Unable to acquire replica: error: excessive clock skew [15/Jan/2018:07:28:25.107953782 -0500] - ERR - csngen_adjust_time - Adjustment limit exceeded; value - 7568269, limit - 86400 [15/Jan/2018:07:28:25.137884951 -0500] - ERR - NSMMReplicationPlugin - multimaster_extop_StartNSDS50ReplicationRequest - conn=29 op=5 repl="dc=eng,dc=example,dc=com": Excessive clock skew from supplier RUV [15/Jan/2018:07:28:25.138620189 -0500] - ERR - NSMMReplicationPlugin - multimaster_extop_StartNSDS50ReplicationRequest - conn=29 op=5 replica="dc=eng,dc=example,dc=com": Unable to acquire replica: error: excessive clock skew [15/Jan/2018:07:28:25.204301158 -0500] - ERR - csngen_adjust_time - Adjustment limit exceeded; value - 7568270, limit - 86400 [15/Jan/2018:07:28:25.205578413 -0500] - ERR - NSMMReplicationPlugin - multimaster_extop_StartNSDS50ReplicationRequest - conn=30 op=5 repl="dc=eng,dc=example,dc=com": Excessive clock skew from supplier RUV [15/Jan/2018:07:28:25.206115922 -0500] - ERR - NSMMReplicationPlugin - multimaster_extop_StartNSDS50ReplicationRequest - conn=30 op=5 replica="dc=eng,dc=example,dc=com": Unable to acquire replica: error: excessive clock skew Regards, William

1 0

setting sudo rule for root
by Kat 15 Jan '18

15 Jan '18

Trying to setup a sudo rule for a small group of users to have "sudo su -" on all hosts, and then use !authenticate, but can't seem to make it work. Any docs on doing this? thanks K

2 1

Centos7.4: users not seeing password expired notifications
by Johan Vermeulen 15 Jan '18

15 Jan '18

Hello All, We run some 200 Centos7/Mate laptops, since last year they authenticate against freeipa. Lightdm/Mate are installed using epel repo. On Centos7.3/Lightdm 1.10.6-4.el7 things were al right, when a password expired, users would get the passwd expired field, the "new password" field en warnings if the made a mistake. Since upgrading to Centos7.4/Lightdm 1.25.0-1.el7 things go terribly wrong. Users very often get no warning if a password expired, just an authentication failure. Or they get no message at all. If at that point you got to tty....and log in you do get the warnings on the command line. The log files /var/log/secure also give clear password expired messages, only the user sees nothing. This is a big problem because users cannot login and cannot work without interventions. Many thanks for any help. Greetings, J.

4 13

help : Enrolled a FreeIPA client but unable to login to it via SSH
by Aravindh Sampathkumar 15 Jan '18

15 Jan '18

Hello list. I'm a new user of FreeIPA trying to use it to manage SSH user authentication in a cluster of CentOS machines. I built a server dedicated to run FreeIPA server and have successfully set it up. I'm able to get the web UI from it, and everything seems as expected based on the docs. I tried to enroll a CentOS 7 client to the new FreeIPA server so that I can login to this client via SSH using the user accounts I created on the FreeIPA server. This is where I hit a roadblock. The freeipa-client install went as per the docs, but I'm unable to login via SSH. Note: My FreeIPA server is in a different domain than the client. and the server and client are served by different DNS servers. FreeIPA server: freeipa1.nghpc.dk served by a DNS server ns1.nghpc.dk resolves to an internal ip address 10.x.x.x reverse lookup is also successful. FreeIPA client: c10b01.ctrl.ghpc.dk served by a DNS server dns.ghpc.dk resolves to an internal ip address 10.x.x.x reverse lookup is successful. Added an additional DNS A record to the freeipa server and the client can successfully resolve freeipa1.nghpc.dk Trying to login to the newly enrolled client: localmachine > ssh admin@c10b01 Password: Password: Password: It keeps repeating the password prompts in spite of supplying the correct password. No meaningful errors thrown either. On the client, here is how the krb5.conf looks like: cat /etc/krb5.conf #File modified by ipa-client-install includedir /etc/krb5.conf.d/ includedir /var/lib/sss/pubconf/krb5.include.d/ [libdefaults] default_realm = NGHPC.DK dns_lookup_realm = false dns_lookup_kdc = false rdns = false dns_canonicalize_hostname = false ticket_lifetime = 24h forwardable = true udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid} [realms] NGHPC.DK = { kdc = freeipa1.nghpc.dk:88 master_kdc = freeipa1.nghpc.dk:88 admin_server = freeipa1.nghpc.dk:749 kpasswd_server = freeipa1.nghpc.dk:464 default_domain = nghpc.dk pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem } [domain_realm] .nghpc.dk = NGHPC.DK nghpc.dk = NGHPC.DK c10b01.ctrl.ghpc.dk = NGHPC.DK .ctrl.ghpc.dk = NGHPC.DK ctrl.ghpc.dk = NGHPC.DK I do not see any errors in any of the logs at /var/log/ and /var/log/sssd/ However, if I'm logged in as root on the client box, I can see that the users I created on FreeIPA exist and are accessible. [root@c10b01 ~]# id nasampath uid=29756(nasampath) gid=1517 groups=1517 [root@c10b01 ~]# id admin uid=1768600000(admin) gid=1768600000(admins) groups=1768600000(admins) I can su into them fine. but not login as them over SSH. I'm lost trying to troubleshoot this. Appreciate any help figuring out where to look to understand what is going on.. Thanks, -- Aravindh Sampathkumar aravindh(a)fastmail.com

3 2

ERR - attrlist_replace - attr_replace
by Harald Dunkel 15 Jan '18

15 Jan '18

Hi folks, /var/log/messages includes tons of error messages like Jan 15 07:34:56 ipa1 ns-slapd: [15/Jan/2018:07:34:56.684472891 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa3.example.de:389/dc%3Dexample%2Cdc%3Dde) failed. Jan 15 07:34:58 ipa1 ns-slapd: [15/Jan/2018:07:34:58.421020416 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa3.example.de:389/dc%3Dexample%2Cdc%3Dde) failed. Jan 15 07:34:58 ipa1 ns-slapd: [15/Jan/2018:07:34:58.431938703 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa3.example.de:389/dc%3Dexample%2Cdc%3Dde) failed. Jan 15 07:34:58 ipa1 ns-slapd: [15/Jan/2018:07:34:58.444161918 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa3.example.de:389/dc%3Dexample%2Cdc%3Dde) failed. Jan 15 07:34:59 ipa1 ns-slapd: [15/Jan/2018:07:34:59.005555395 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.example.de:389/dc%3Dexample%2Cdc%3Dde) failed. Jan 15 07:34:59 ipa1 ns-slapd: [15/Jan/2018:07:34:59.010930343 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.example.de:389/dc%3Dexample%2Cdc%3Dde) failed. Jan 15 07:34:59 ipa1 ns-slapd: [15/Jan/2018:07:34:59.014371119 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.example.de:389/dc%3Dexample%2Cdc%3Dde) failed. Jan 15 07:35:00 ipa1 ns-slapd: [15/Jan/2018:07:35:00.078732745 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.example.de:389/dc%3Dexample%2Cdc%3Dde) failed. Jan 15 07:35:00 ipa1 ns-slapd: [15/Jan/2018:07:35:00.085465505 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.example.de:389/dc%3Dexample%2Cdc%3Dde) failed. Jan 15 07:35:00 ipa1 ns-slapd: [15/Jan/2018:07:35:00.088906212 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa2.example.de:389/dc%3Dexample%2Cdc%3Dde) failed. Jan 15 07:35:00 ipa1 ns-slapd: [15/Jan/2018:07:35:00.259716279 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa4.example.de:389/dc%3Dexample%2Cdc%3Dde) failed. Jan 15 07:35:00 ipa1 ns-slapd: [15/Jan/2018:07:35:00.270409631 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa4.example.de:389/dc%3Dexample%2Cdc%3Dde) failed. Jan 15 07:35:00 ipa1 ns-slapd: [15/Jan/2018:07:35:00.273799363 +0100] - ERR - attrlist_replace - attr_replace (nsslapd-referral, ldap://ipa4.example.de:389/dc%3Dexample%2Cdc%3Dde) failed. I already found https://access.redhat.com/solutions/2741521, cleaned up the "dangling RUVs" and rebootet the servers. What is ns-slapd trying to tell me? Every helpful comment is highly appreciated Harri

2 2

Error ipa-replica-install on LXC (was The ipa-replica-install command failed, exception: ValidationError: invalid 'dnszoneidnsname': only master zones can contain records)
by Alex Corcoles 12 Jan '18

12 Jan '18

Hi, I have reproduced the problem on the LXC container. The full debug log is at: https://gist.github.com/alexpdp7/b3d7fd48660a1ffb78cb64fd5dc34476 The bit failing is: [root@ctipa ~]# ipa-replica-install -v -n ipa.pdp7.net -P alex -w $pw --mkhomedir ... ipa : DEBUG [11/22]: configuring Gssproxy [11/22]: configuring Gssproxy ipa : DEBUG Starting external process ipa : DEBUG args=/usr/sbin/selinuxenabled ipa : DEBUG Process finished, return code=1 ipa : DEBUG stdout= ipa : DEBUG stderr= ipa : DEBUG Starting external process ipa : DEBUG args=/bin/systemctl restart gssproxy.service ipa : DEBUG Process finished, return code=1 ipa : DEBUG stdout= ipa : DEBUG stderr=A dependency job for gssproxy.service failed. See 'journalctl -xe' for details. ipa : DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 242, in configure_gssproxy services.knownservices.gssproxy.restart() File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 322, in restart capture_output, wait) File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 310, in _restart_base skip_output=not capture_output) File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 512, in run raise CalledProcessError(p.returncode, arg_string, str(output)) CalledProcessError: Command '/bin/systemctl restart gssproxy.service' returned non-zero exit status 1 ipa : DEBUG [error] CalledProcessError: Command '/bin/systemctl restart gssproxy.service' returned non-zero exit status 1 [error] CalledProcessError: Command '/bin/systemctl restart gssproxy.service' returned non-zero exit status 1 Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run cfgr.run() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 368, in run self.execute() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 392, in execute for _nothing in self._executor(): File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner exc_handler(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 658, in _configure next(executor) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner exc_handler(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 463, in _handle_execute_exception self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install for _nothing in self._installer(self.parent): File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 617, in main replica_install(self) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 386, in decorated func(installer) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1440, in install ca_file=cafile) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 166, in install_http subject_base=config.subject_base, master_fqdn=config.master_host_name) File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 190, in create_instance self.start_creation() File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 242, in configure_gssproxy services.knownservices.gssproxy.restart() File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 322, in restart capture_output, wait) File "/usr/lib/python2.7/site-packages/ipaplatform/base/services.py", line 310, in _restart_base skip_output=not capture_output) File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 512, in run raise CalledProcessError(p.returncode, arg_string, str(output)) ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): DEBUG The ipa-replica-install command failed, exception: CalledProcessError: Command '/bin/systemctl restart gssproxy.service' returned non-zero exit status 1 ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Command '/bin/systemctl restart gssproxy.service' returned non-zero exit status 1 ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information Cheers, Álex On Tue, Jan 9, 2018 at 7:45 PM, Martin Basti via FreeIPA-users < freeipa-users(a)lists.fedorahosted.org> wrote: > do you have a traceback in log? I'm curious where exactly this happened, > what is your FreeIPA version? > > [1] > I haven't install FreeIPA in LXC, but I'm happy user of FreeIPA running in > LXC :-) So it should work > > 2018-01-09 11:40 GMT+01:00 Alex Corcoles via FreeIPA-users < > freeipa-users(a)lists.fedorahosted.org>: > >> Hi Marti, >> >> On Tue, Jan 9, 2018 at 12:46 AM, Martin Basti via FreeIPA-users < >> freeipa-users(a)lists.fedorahosted.org> wrote: >> >>> it looks that replica is trying to add records to your forward zone. >>> What is the hostname of the replica? >>> >> >> Yeah, it's xxx.h2.int.pdp7.net, which is within the forwarded zone. >> >> I have a dnsmasq acting as DHCP/DNS server in h2.int.pdp7.net to provide >> automatic network configuration to VMs. It's a non-routable network, so I'm >> not sure what the right setup would be. >> >> 1. what is not working on lxc? >>> >> >> It was something about GSSAPI or something like that, I'll try to >> reproduce and start a new thread about that- but I guess it's more of an >> LXC problem (ideally I would like to run my replica on LXC so it consumes >> less RAM, but I can live with a full VM). >> >> Cheers, >> >> Álex >> >> 2018-01-07 12:20 GMT+01:00 Alex Corcoles via FreeIPA-users < >> freeipa-users(a)lists.fedorahosted.org>: >> >>> Hi, >>> >>> I'm labbing a FreeIPA environment for personal use, and I'm getting that >>> while bringing up a replica. >>> >>> I set up my first freeipa-server instance on a cheap VPS on a public IP, >>> intend on making it publicly accessible so I can always authenticate my >>> laptop even on wild public networks. >>> >>> I'm adding the replica as a VM(1) on a Proxmox VE, on a private network >>> with VPN connectivity to the first public freeipa-server, but I'm getting: >>> >>> 2018-01-06T20:56:04Z DEBUG The ipa-replica-install command failed, >>> exception: ValidationError: invalid 'dnszoneidnsname': only master zones >>> can contain records >>> >>> . I'm trying to create the replica with CA and DNS, and I had set up DNS >>> forwarding to the internal DNS on the Proxmox system with: >>> >>> $ ipa dnsforwardzone-add h2.int.pdp7.net --forwarder=10.42.42.1 >>> $ ipa dnsforwardzone-add --name-from-ip=10.42.42.0/24 >>> --forwarder=10.42.42.1 --forward-policy=only >>> >>> on the first server (I run dnsmasq on Proxmox VE, 10.42.42.0/24 - >>> h2.int.pdp7.net is the network it manages), and I guess that's messing >>> with the replica, but I'm not sure how to troubleshoot this. >>> >>> Thoughts? Ideas? >>> >>> Thanks, >>> >>> Álex >>> >>> (1) I can't seem to create a freeipa-replica on an LXC container. Is >>> this something that can be discussed here or should I take it to LXC? >>> >>> -- >>> ___ >>> {~._.~} >>> ( Y ) >>> ()~*~() mail: alex at corcoles dot net >>> (_)-(_) http://alex.corcoles.net/ >>> >>> >>> _______________________________________________ >>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org >>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedo >>> rahosted.org >>> >>> >> >> >> -- >> S pozdravom Martin Bašti. >> >>> >>> _______________________________________________ >>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org >>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedo >>> rahosted.org >>> >>> >> >> >> -- >> ___ >> {~._.~} >> ( Y ) >> ()~*~() mail: alex at corcoles dot net >> (_)-(_) http://alex.corcoles.net/ >> >> >> _______________________________________________ >> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org >> To unsubscribe send an email to freeipa-users-leave(a)lists.fedo >> rahosted.org >> >> > > > -- > S pozdravom Martin Bašti. > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > > -- ___ {~._.~} ( Y ) ()~*~() mail: alex at corcoles dot net (_)-(_) http://alex.corcoles.net/

4 9

Help please - Need to install Freeipa client on Fedora 14 talking to FreeIPA server 4.5.0
by Aravindh Sampathkumar 12 Jan '18

12 Jan '18

Hello list, I'm trying to move from NIS to FreeIPA for authentication in a cluster.I already setup FreeIPA server running version 4.5.0 on CentOS 7 and it works good. I've got a few Centos 7 and Fedora 23 clients talking to it all good. We have a few legacy nodes that *fedora 14* and *fedora 20* and I'm not allowed to replace the nodes just yet. I would like for them to be able to talk to the same FreeIPA server as well. I tried to install freeIPA client, but with no success. Appreciate any help/tips with getting the latest freeipa-client installed and running on fedora 14. I tried to install "ipa-client" available in Fedora 11 updates repository.. root@c04b13 ~]# yum install ipa-client ... ---> Package ipa-client.x86_64 0:1.2.2-6.fc14 set to be installed --> Finished Dependency Resolution Dependencies Resolved ... Processing delta metadata Package(s) data still to download: 48 k ipa-client-1.2.2-6.fc14.x86_64.rpm | 48... Running Transaction Installing : ipa-client-1.2.2-6.fc14.x86_64Installed: ipa-client.x86_64 0:1.2.2-6.fc14 Complete! [root@c04b13 ~]# ipa-client-install DNS discovery failed to determine your DNS domain Please provide the domain name of your IPA server (ex: example.com): freeipa1.nghpc.dkDNS discovery failed to find the IPA Server Please provide your IPA server name (ex: ipa.example.com): freeipa1.nghpc.dkFailed to verify that freeipa1.nghpc.dk is an IPA Server. This may mean that the remote server is not up or is not reachable due to network or firewall settings. The same ipa-client-install works just fine on a Fedora 23 box on the same network.My question: Is there a way to get the latest FreeIPA-client package installed on this old fedora 14 box? I tried to download the rpm file from (http://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything…) and install it using yum --nogpgcheck localinstall freeipa-client-4.6.1-4.fc28.x86_64.rpm But, it only throws dependancy errors as in the attached console log. Any ideas about how I can get the freeipa-client package on f14? Thanks, -- Aravindh Sampathkumar aravindh(a)fastmail.com

2 1

FreeIPA NFS Automount with Kerberos troubleshooting help needed
by jcccb 12 Jan '18

12 Jan '18

> jcccb via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> writes: > > > Well this is the source of the problem, isn't it? I don't think NFS > brought up GSSAPI support. > > Thanks, > --Robbie then its an APPARMOR related problem i guess thought i fixed this error with systemctl restart rpc-gssd and why is the auto.home working correctly?

1 0

FreeIPA NFS Automount with Kerberos troubleshooting help needed
by jcccb 12 Jan '18

12 Jan '18

"getent passwd" gave me on all maschines the same results some logs from the NFS Server= journalctl: Jan 12 14:37:14 nfs_server sssd_be[216]: GSSAPI client step 1 Jan 12 14:37:14 nfs_server sssd_be[216]: GSSAPI client step 1 Jan 12 14:37:14 nfs_server sssd_be[216]: GSSAPI client step 1 Jan 12 14:37:14 nfs_server sssd_be[216]: GSSAPI client step 2 Jan 12 14:52:14 nfs_server sssd_be[216]: GSSAPI client step 1 Jan 12 14:52:14 nfs_server sssd_be[216]: GSSAPI client step 1 Jan 12 14:52:14 nfs_server sssd_be[216]: GSSAPI client step 1 Jan 12 14:52:14 nfs_server sssd_be[216]: GSSAPI client step 2 Jan 12 14:52:38 nfs_server systemd[1]: Stopping RPC security service for NFS client and server... Jan 12 14:52:38 nfs_server systemd[1]: Starting Preprocess NFS configuration... Jan 12 14:52:38 nfs_server systemd[1]: Started Preprocess NFS configuration. Jan 12 14:52:38 nfs_server systemd[1]: Starting RPC security service for NFS client and server... Jan 12 14:52:38 nfs_server systemd[1]: Started RPC security service for NFS client and server. Jan 12 14:54:29 nfs_server systemd[1]: Starting RPC bind service... Jan 12 14:54:29 nfs_server systemd[1]: Started RPC bind service. Jan 12 15:07:14 nfs_server sssd_be[216]: GSSAPI client step 1 Jan 12 15:07:14 nfs_server sssd_be[216]: GSSAPI client step 1 Jan 12 15:07:14 nfs_server sssd_be[216]: GSSAPI client step 1 Jan 12 15:07:14 nfs_server sssd_be[216]: GSSAPI client step 2 Jan 12 15:22:14 nfs_server sssd_be[216]: GSSAPI client step 1 Jan 12 15:22:14 nfs_server sssd_be[216]: GSSAPI client step 1 Jan 12 15:22:14 nfs_server sssd_be[216]: GSSAPI client step 1 Jan 12 15:22:14 nfs_server sssd_be[216]: GSSAPI client step 2 Jan 12 15:25:12 nfs_server systemd[1]: Reached target Host and Network Name Lookups. Jan 12 15:25:12 nfs_server systemd[1]: Starting Host and Network Name Lookups. Jan 12 15:25:12 nfs_server systemd[1]: Starting Kernel Module supporting RPCSEC_GSS... Jan 12 15:25:12 nfs_server systemd[1]: Starting Preprocess NFS configuration... Jan 12 15:25:12 nfs_server systemd[1]: auth-rpcgss-module.service: main process exited, code=exited, status=1/FAILURE Jan 12 15:25:12 nfs_server systemd[1]: Failed to start Kernel Module supporting RPCSEC_GSS. Jan 12 15:25:12 nfs_server systemd[1]: Unit auth-rpcgss-module.service entered failed state. Jan 12 15:25:12 nfs_server systemd[1]: auth-rpcgss-module.service failed. Jan 12 15:25:12 nfs_server systemd[1]: Started Preprocess NFS configuration. Jan 12 15:25:12 nfs_server systemd[1]: Starting NFSv4 ID-name mapping service... Jan 12 15:25:12 nfs_server systemd[1]: Starting NFS Mount Daemon... Jan 12 15:25:12 nfs_server systemd[1]: Starting NFS status monitor for NFSv2/3 locking.... Jan 12 15:25:12 nfs_server rpc.statd[505]: Version 1.3.0 starting Jan 12 15:25:12 nfs_server rpc.statd[505]: Flags: TI-RPC Jan 12 15:25:12 nfs_server systemd[1]: Started NFSv4 ID-name mapping service. Jan 12 15:25:12 nfs_server rpc.mountd[507]: Version 1.3.0 starting Jan 12 15:25:12 nfs_server systemd[1]: Started NFS Mount Daemon. Jan 12 15:25:12 nfs_server systemd[1]: Started NFS status monitor for NFSv2/3 locking.. Jan 12 15:25:12 nfs_server systemd[1]: Starting NFS server and services... Jan 12 15:25:12 nfs_server systemd[1]: Started NFS server and services. Jan 12 15:25:12 nfs_server systemd[1]: Starting Notify NFS peers of a restart... Jan 12 15:25:12 nfs_server sm-notify[513]: Version 1.3.0 starting Jan 12 15:25:12 nfs_server sm-notify[513]: Already notifying clients; Exiting! Jan 12 15:25:12 nfs_server systemd[1]: Started Notify NFS peers of a restart. Jan 12 15:26:11 nfs_server systemd[1]: Stopping RPC security service for NFS client and server... Jan 12 15:26:11 nfs_server systemd[1]: Starting Preprocess NFS configuration... Jan 12 15:26:11 nfs_server systemd[1]: Started Preprocess NFS configuration. Jan 12 15:26:11 nfs_server systemd[1]: Starting RPC security service for NFS client and server... Jan 12 15:26:11 nfs_server systemd[1]: Started RPC security service for NFS client and server. i have to do an systemctl restart rpc-gssd in the nfs_server after a reboot otherwise its not even working with my home automount folders like mentioned in my first post. after the restart i can access the "public" and my personal "home" folder mounted from nfs_server:/home/& on the client at /home/ipa/username so everythings fine with the auto.home map as far as i can tell would be nice to fix this little anyoance anyways so i dont need to restart this servbice everytime manually after a reboot on the ubuntu_client= Jan 12 14:47:11 ubuntu_client apparmor[89]: /etc/init.d/apparmor: 256: /etc/init.d/apparmor: cannot open /sys/kernel/security/apparmor/.ns_stacked: Permission denied Jan 12 14:47:11 ubuntu_client apparmor[89]: * Not starting AppArmor in container Jan 12 14:47:11 ubuntu_client apparmor[89]: ...done. Jan 12 14:47:11 ubuntu_client systemd[1]: Started AppArmor initialization. Jan 12 14:47:11 ubuntu_client systemd[1]: networking.service: Failed to reset devices.list: Operation not permitted ...skipping... Jan 12 16:45:43 ubuntu_client automount[615]: expire_cleanup: sigchld: exp 140530876737280 finished, switching from 5 to 7 Jan 12 16:45:43 ubuntu_client automount[615]: st_shutdown: state 5 path /- Jan 12 16:45:43 ubuntu_client automount[615]: expire_cleanup: got thid 140530981533440 path /home/ipa stat 0 Jan 12 16:45:43 ubuntu_client automount[615]: expire_cleanup: sigchld: exp 140530981533440 finished, switching from 5 to 7 Jan 12 16:45:43 ubuntu_client automount[615]: st_shutdown: state 5 path /home/ipa Jan 12 16:45:43 ubuntu_client automount[615]: expire_cleanup: got thid 140530865141504 path /storage stat 0 Jan 12 16:45:43 ubuntu_client automount[615]: expire_cleanup: sigchld: exp 140530865141504 finished, switching from 5 to 7 Jan 12 16:45:43 ubuntu_client automount[615]: st_shutdown: state 5 path /storage Jan 12 16:45:43 ubuntu_client automount[615]: automount_path_to_fifo: fifo name /var/run/autofs.fifo-- Jan 12 16:45:43 ubuntu_client automount[615]: shut down path /- Jan 12 16:45:44 ubuntu_client automount[615]: umount_multi: path /home/ipa incl 0 Jan 12 16:45:44 ubuntu_client automount[615]: rm_unwanted_fn: removing directory /home/ipa/public Jan 12 16:45:44 ubuntu_client automount[615]: rm_unwanted_fn: removing directory /home/ipa/username Jan 12 16:45:44 ubuntu_client automount[615]: umounted indirect mount /home/ipa Jan 12 16:45:44 ubuntu_client automount[615]: automount_path_to_fifo: fifo name /var/run/autofs.fifo-home-ipa Jan 12 16:45:44 ubuntu_client automount[615]: shut down path /home/ipa Jan 12 16:45:44 ubuntu_client automount[615]: umount_multi: path /storage incl 0 Jan 12 16:45:44 ubuntu_client automount[615]: rm_unwanted_fn: removing directory /storage/software Jan 12 16:45:44 ubuntu_client automount[615]: rm_unwanted_fn: removing directory /storage/media Jan 12 16:45:44 ubuntu_client automount[615]: rm_unwanted_fn: removing directory /storage/downloads Jan 12 16:45:44 ubuntu_client automount[615]: rm_unwanted_fn: removing directory /storage/data Jan 12 16:45:44 ubuntu_client automount[615]: umounted indirect mount /storage Jan 12 16:45:44 ubuntu_client automount[615]: automount_path_to_fifo: fifo name /var/run/autofs.fifo-storage Jan 12 16:45:44 ubuntu_client automount[615]: shut down path /storage Jan 12 16:45:44 ubuntu_client automount[615]: autofs stopped Jan 12 16:45:44 ubuntu_client systemd[1]: Stopped Automounts filesystems on demand. Jan 12 16:45:44 ubuntu_client systemd[1]: autofs.service: Failed to reset devices.list: Operation not permitted Jan 12 16:45:44 ubuntu_client systemd[1]: Starting Automounts filesystems on demand... Jan 12 16:45:44 ubuntu_client automount[825]: Starting automounter version 5.1.2, master map /etc/auto.master Jan 12 16:45:44 ubuntu_client automount[825]: using kernel protocol version 5.02 Jan 12 16:45:44 ubuntu_client automount[825]: lookup_nss_read_master: reading master file /etc/auto.master Jan 12 16:45:44 ubuntu_client automount[825]: do_init: parse(sun): init gathered global options: (null) Jan 12 16:45:44 ubuntu_client automount[825]: lookup_read_master: lookup(file): read entry +dir:/etc/auto.master.d Jan 12 16:45:44 ubuntu_client automount[825]: lookup_nss_read_master: reading master dir /etc/auto.master.d Jan 12 16:45:44 ubuntu_client automount[825]: lookup(dir): dir map /etc/auto.master.d missing or not readable Jan 12 16:45:44 ubuntu_client automount[825]: lookup(file): failed to read included master map dir:/etc/auto.master.d Jan 12 16:45:44 ubuntu_client automount[825]: lookup_read_master: lookup(file): read entry +auto.master Jan 12 16:45:44 ubuntu_client automount[825]: lookup_nss_read_master: reading master sss auto.master Jan 12 16:45:44 ubuntu_client automount[825]: do_init: parse(sun): init gathered global options: (null) Jan 12 16:45:44 ubuntu_client automount[825]: master_do_mount: mounting /- Jan 12 16:45:44 ubuntu_client automount[825]: automount_path_to_fifo: fifo name /var/run/autofs.fifo-- Jan 12 16:45:44 ubuntu_client automount[825]: lookup_nss_read_map: reading map sss auto.direct Jan 12 16:45:44 ubuntu_client automount[825]: do_init: parse(sun): init gathered global options: (null) Jan 12 16:45:44 ubuntu_client automount[825]: lookup_read_map: lookup(sss): getautomntent_r: No such file or directory Jan 12 16:45:44 ubuntu_client automount[825]: st_ready: st_ready(): state = 0 path /- Jan 12 16:45:44 ubuntu_client automount[825]: master_do_mount: mounting /storage Jan 12 16:45:44 ubuntu_client automount[825]: automount_path_to_fifo: fifo name /var/run/autofs.fifo-storage Jan 12 16:45:44 ubuntu_client automount[825]: lookup_nss_read_map: reading map sss auto.storage Jan 12 16:45:44 ubuntu_client automount[825]: do_init: parse(sun): init gathered global options: (null) Jan 12 16:45:44 ubuntu_client automount[825]: mounted indirect on /storage with timeout 300, freq 75 seconds Jan 12 16:45:44 ubuntu_client automount[825]: st_ready: st_ready(): state = 0 path /storage Jan 12 16:45:44 ubuntu_client automount[825]: ghosting enabled Jan 12 16:45:44 ubuntu_client automount[825]: master_do_mount: mounting /home/ipa Jan 12 16:45:44 ubuntu_client automount[825]: automount_path_to_fifo: fifo name /var/run/autofs.fifo-home-ipa Jan 12 16:45:44 ubuntu_client automount[825]: lookup_nss_read_map: reading map sss auto.home Jan 12 16:45:44 ubuntu_client automount[825]: do_init: parse(sun): init gathered global options: (null) Jan 12 16:45:44 ubuntu_client automount[825]: mounted indirect on /home/ipa with timeout 300, freq 75 seconds Jan 12 16:45:44 ubuntu_client automount[825]: st_ready: st_ready(): state = 0 path /home/ipa Jan 12 16:45:44 ubuntu_client automount[825]: ghosting enabled Jan 12 16:45:44 ubuntu_client systemd[1]: Started Automounts filesystems on demand. after an systemctl restart autofs the sssd_autfs.log looks like I think also i have the automount setup like u suggested @Tony Brian Albers ? root@ubuntu_client:~# automount -m lookup_nss_read_master: reading master file /etc/auto.master do_init: parse(sun): init gathered global options: (null) lookup_read_master: lookup(file): read entry +dir:/etc/auto.master.d lookup_nss_read_master: reading master dir /etc/auto.master.d lookup(dir): dir map /etc/auto.master.d missing or not readable lookup(file): failed to read included master map dir:/etc/auto.master.d lookup_read_master: lookup(file): read entry +auto.master lookup_nss_read_master: reading master sss auto.master do_init: parse(sun): init gathered global options: (null) autofs dump map information =========================== global options: none configured Mount point: /- source(s): lookup_nss_read_map: reading map sss auto.direct do_init: parse(sun): init gathered global options: (null) lookup_read_map: lookup(sss): getautomntent_r: No such file or directory instance type(s): sss map: auto.direct no keys found in map Mount point: /storage source(s): lookup_nss_read_map: reading map sss auto.storage do_init: parse(sun): init gathered global options: (null) instance type(s): sss map: auto.storage software | -fstype=nfs4,rw,no_root_squash,sec=krb5,soft,rsize=8192,wsize=8192 nfs_server.ipa.mydomain.example:/storage/software data | -fstype=nfs4,rw,no_root_squash,sec=krb5,soft,rsize=8192,wsize=8192 nfs_server.ipa.mydomain.example:/storage/data downloads | nfs_server.ipa.mydomain.example:/storage/downloads media | nfs_server.ipa.mydomain.example:/storage/media Mount point: /home/ipa source(s): lookup_nss_read_map: reading map sss auto.home do_init: parse(sun): init gathered global options: (null) instance type(s): sss map: auto.home * | nfs_server.ipa.mydomain.example:/home/& public | nfs_server.ipa.mydomain.example:/home/public i played a bit with the storage mount options, wich options would be recommended whole kerberos is working fine with no errors at the ipa server no selinux active at the ubuntu client or at the nfs server freeipa client since both are proxmox lxc containers and apparmor is watching them instead a problem here? but why are some mounts then work like they should and some not? freeipa-server is an fedora27 with selinux active but i cant see any errors in the logs while restarting autofs service so far

2 1

Re: ns-slapd hangs for 2-3 minutes, then resumes.
by Guillermo Fuentes 12 Jan '18

12 Jan '18

Hi list, Just closing the loop on this one. This issue finally got resolved for us after installing the latest FreeIPA update available for CentOS 7: OS version: CentOS Linux release 7.4.1708 (Core) ipa-server-trust-ad-4.5.0-22.el7.centos.x86_64 ipa-common-4.5.0-22.el7.centos.noarch sssd-ipa-1.15.2-50.el7_4.8.x86_64 ipa-client-4.5.0-22.el7.centos.x86_64 ipa-server-4.5.0-22.el7.centos.x86_64 ipa-client-common-4.5.0-22.el7.centos.noarch ipa-server-dns-4.5.0-22.el7.centos.noarch ipa-python-compat-4.5.0-22.el7.centos.noarch ipa-server-common-4.5.0-22.el7.centos.noarch 389-ds-base-libs-1.3.6.1-24.el7_4.x86_64 389-ds-base-snmp-1.3.6.1-24.el7_4.x86_64 389-ds-base-1.3.6.1-24.el7_4.x86_64 pki-ca-10.4.1-17.el7_4.noarch pki-tools-10.4.1-17.el7_4.x86_64 pki-server-10.4.1-17.el7_4.noarch pki-kra-10.4.1-17.el7_4.noarch pki-base-10.4.1-17.el7_4.noarch pki-base-java-10.4.1-17.el7_4.noarch pki-symkey-10.4.1-17.el7_4.x86_64 Many thanks for such a great product! Guillermo On Mon, Jul 18, 2016 at 2:37 PM, Guillermo Fuentes <guillermo.fuentes@ modernizingmedicine.com> wrote: > Hi all, > > Did any ipa/sssd developer had a chance to take a look at this issue? > > Updating to the latest version available for CentOS 7 didn't fix it: > ipa-debuginfo-4.2.0-15.0.1.el7_2.6.1.x86_64 > ipa-python-4.2.0-15.0.1.el7.centos.17.x86_64 > ipa-server-dns-4.2.0-15.0.1.el7.centos.17.x86_64 > sssd-ipa-1.13.0-40.el7_2.9.x86_64 > python-libipa_hbac-1.13.0-40.el7_2.9.x86_64 > ipa-admintools-4.2.0-15.0.1.el7.centos.17.x86_64 > ipa-server-4.2.0-15.0.1.el7.centos.17.x86_64 > libipa_hbac-1.13.0-40.el7_2.9.x86_64 > ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.17.x86_64 > ipa-client-4.2.0-15.0.1.el7.centos.17.x86_64 > > 389-ds-base-libs-1.3.4.0-32.el7_2.x86_64 > 389-ds-base-1.3.4.0-32.el7_2.x86_64 > 389-ds-base-debuginfo-1.3.4.0-30.el7_2.x86_64 > > > Please let me know if you need more information or how I can help to get > it fixed. > > Thanks so much, > Guillermo > > > On Mon, Jun 13, 2016 at 6:30 PM, Rich Megginson <rmeggins(a)redhat.com> > wrote: > >> On 06/13/2016 01:13 PM, Guillermo Fuentes wrote: >> >>> Hi Rich, >>> >>> After I started running the stack traces, the problem hasn't happen as >>> frequently as it use to but today I was able to get the stack traces. >>> As they aren't similar I'll send them over to you in a separate email. >>> >>> This is what I did to start the stack traces (CentOS 7): >>> # yum install -y --enablerepo=base-debuginfo 389-ds-base-debuginfo >>> ipa-debuginfo slapi-nis-debuginfo nspr-debuginfo >>> # yum install -y gdb >>> # systemctl stop ipa.service ; sleep 10; systemctl start ipa.service >>> # mkdir -p /var/log/stacktraces >>> >>> Setup crontab to run the following every minute: >>> gdb -ex 'set confirm off' -ex 'set pagination off' -ex 'thread apply >>> all bt full' -ex 'quit' /usr/sbin/ns-slapd `pidof ns-slapd` > >>> /var/log/stacktraces/stacktrace.`date +%s`.txt 2>&1 >>> >> >> It looks similar to https://fedorahosted.org/389/ticket/48341 but you >> already have that fix. >> >> One of the problems is that ids_sasl_check_bind acquires the connection >> lock and holds it for a very long time, which causes the main loop to block >> on that connection, which is similar to the above problem, and also similar >> to https://fedorahosted.org/389/ticket/48882. Basically, anything which >> holds the connection c_mutex lock too long can hang the server. In your >> case, this stack trace: >> >> poll sss_cli_make_request_nochecks sss_cli_check_socket >> sss_pac_make_request sssdpac_verify krb5int_authdata_verify >> rd_req_decoded_opt krb5_rd_req_decoded kg_accept_krb5 >> krb5_gss_accept_sec_context_ext krb5_gss_accept_sec_context >> gss_accept_sec_context gssapi_server_mech_step sasl_server_step >> sasl_server_start ids_sasl_check_bind do_bind connection_dispatch_operation >> _pt_root start_thread clone >> >> I'm not sure if this particular situation is known/fixed. Perhaps there >> is a way to make the poll() called by sss_cli_make_request_nochecks() >> have a smaller timeout? >> >> Does this look familiar to any ipa/sssd developer? >> >> >> >>> Thank you so much for your help, >>> >>> Guillermo >>> >>> >>> >>> >>> >>> >>> On Wed, Jun 1, 2016 at 6:52 PM, Guillermo Fuentes >>> <guillermo.fuentes(a)modernizingmedicine.com> wrote: >>> >>>> I'm now taking stack traces every minute and waiting for it to hang >>>> again to check it. It happens usually under load but it's >>>> unpredictable. Must likely tomorrow. >>>> GUILLERMO FUENTES >>>> SR. SYSTEMS ADMINISTRATOR >>>> >>>> 561-880-2998 x1337 >>>> >>>> guillermo.fuentes(a)modmed.com >>>> >>>> >>>> >>>> >>>> >>>> >>>> On Wed, Jun 1, 2016 at 2:03 PM, Rich Megginson <rmeggins(a)redhat.com> >>>> wrote: >>>> >>>>> On 06/01/2016 10:37 AM, Guillermo Fuentes wrote: >>>>> >>>>>> Hi all, >>>>>> >>>>>> We are experiencing a similar issue like the one discussed in the >>>>>> following thread but we are running FreeIPA 4.2 on CentOS 7.2: >>>>>> https://www.redhat.com/archives/freeipa-users/2015-February/ >>>>>> msg00205.html >>>>>> >>>>> >>>>> Are your stack traces similar? >>>>> >>>>> >>>>> LDAP service stops responding to queries (hangs). LDAP connections on >>>>>> the server climb sometimes up to 10 times the normal amount and load >>>>>> goes to 0. Then, the connections start to drop until they get to a >>>>>> normal level and the LDAP service starts to respond to queries again. >>>>>> This happens in between 3-5 minutes: >>>>>> >>>>>> Time,LDAP conn, Opened files(ns-slapd), File >>>>>> Desc(ns-slapd),Threads(ns-slapd),Load1,Load5,Load15 >>>>>> 8:54:03,101,353,216,142,0.43,0.20,0.16 >>>>>> 8:55:02,108,359,221,142,0.19,0.18,0.15 >>>>>> 8:56:03,110,361,224,142,0.07,0.15,0.14 >>>>>> 8:57:14,117,383,246,142,0.15,0.16,0.15 >>>>>> 8:58:04,276,371,234,142,0.05,0.13,0.14 >>>>>> 8:59:05,469,371,234,142,0.02,0.11,0.13 >>>>>> 9:00:08,719,371,234,142,0.01,0.09,0.12 >>>>>> 9:01:18,1060,371,234,142,0.00,0.07,0.12 >>>>>> 9:02:10,742,371,233,142,0.10,0.09,0.12 >>>>>> 9:03:06,365,372,235,142,0.13,0.10,0.13 >>>>>> 9:04:04,262,379,242,142,0.87,0.29,0.19 >>>>>> 9:05:02,129,371,233,142,0.51,0.31,0.20 >>>>>> 9:06:03,126,377,240,142,0.42,0.33,0.22 >>>>>> 9:07:03,125,377,238,142,0.17,0.27,0.21 >>>>>> >>>>>> Nothing is logged in the errors log file of the server having the >>>>>> problem (ipa1 as an example). >>>>>> In the replicas this is logged: >>>>>> 8:59:05 -0400] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com" >>>>>> (ipa1:389): Unable to receive the response for a startReplication >>>>>> extended operation to consumer (Timed out). Will retry later. >>>>>> 9:01:05 -0400] NSMMReplicationPlugin - agmt="cn=meToipa1.example.com" >>>>>> (ipa1:389): Unable to receive the response for a startReplication >>>>>> extended operation to consumer (Timed out). Will retry later. >>>>>> >>>>>> Nothing is logged in the access log file until after ns-slapd starts >>>>>> responding again: >>>>>> ... >>>>>> 8:57:00 -0400] conn=12384 fd=234 slot=234 connection from 172.20.0.1 >>>>>> to 172.20.2.45 >>>>>> 8:57:00 -0400] conn=12385 fd=235 slot=235 connection from 172.20.0.1 >>>>>> to 172.20.2.45 >>>>>> 8:57:00 -0400] conn=12386 fd=236 slot=236 connection from 172.20.0.1 >>>>>> to 172.20.2.45 >>>>>> 8:57:00 -0400] conn=12387 fd=237 slot=237 connection from 172.20.0.1 >>>>>> to 172.20.2.45 >>>>>> 8:57:00 -0400] conn=10384 op=1227 EXT oid="2.16.840.1.113730.3.5.12" >>>>>> name="replication-multimaster-extop" >>>>>> 8:57:00 -0400] conn=12324 op=8 RESULT err=0 tag=101 nentries=1 etime=0 >>>>>> 8:57:00 -0400] conn=8838 op=2545 EXT oid="2.16.840.1.113730.3.5.12" >>>>>> name="replication-multimaster-extop" >>>>>> 8:57:00 -0400] conn=8838 op=2545 RESULT err=0 tag=120 nentries=0 >>>>>> etime=0 >>>>>> 8:57:00 -0400] conn=10384 op=1227 RESULT err=0 tag=120 nentries=0 >>>>>> etime=0 >>>>>> 8:57:00 -0400] conn=12382 op=-1 fd=170 closed - B1 >>>>>> 8:57:00 -0400] conn=12383 op=0 SRCH base="" scope=0 >>>>>> filter="(objectClass=*)" attrs="supportedSASLMechanisms >>>>>> defaultnamingcontext namingContexts schemanamingcontext saslrealm" >>>>>> 8:57:00 -0400] conn=12384 op=-1 fd=234 closed - B1 >>>>>> 8:57:00 -0400] conn=12385 op=0 SRCH base="" scope=0 >>>>>> filter="(objectClass=*)" attrs="supportedSASLMechanisms >>>>>> defaultnamingcontext namingContexts schemanamingcontext saslrealm" >>>>>> 8:57:00 -0400] conn=12383 op=0 RESULT err=0 tag=101 nentries=1 etime=0 >>>>>> 8:57:00 -0400] conn=12386 op=-1 fd=236 closed - B1 >>>>>> 8:57:00 -0400] conn=12385 op=0 RESULT err=0 tag=101 nentries=1 etime=0 >>>>>> 8:57:00 -0400] conn=12387 op=0 SRCH base="" scope=0 >>>>>> filter="(objectClass=*)" attrs="supportedSASLMechanisms >>>>>> defaultnamingcontext namingContexts schemanamingcontext saslrealm" >>>>>> 8:57:00 -0400] conn=12387 op=0 RESULT err=0 tag=101 nentries=1 etime=0 >>>>>> 8:57:00 -0400] conn=12385 op=1 BIND dn="" method=sasl version=3 >>>>>> mech=GSSAPI >>>>>> 8:57:00 -0400] conn=12387 op=1 BIND dn="" method=sasl version=3 >>>>>> mech=GSSAPI >>>>>> 8:57:00 -0400] conn=12385 op=1 RESULT err=14 tag=97 nentries=0 >>>>>> etime=0, SASL bind in progress >>>>>> 8:57:00 -0400] conn=12383 op=1 BIND dn="" method=sasl version=3 >>>>>> mech=GSSAPI >>>>>> 8:57:00 -0400] conn=10384 op=1228 EXT oid="2.16.840.1.113730.3.5.5" >>>>>> name="Netscape Replication End Session" >>>>>> 8:57:00 -0400] conn=10384 op=1228 RESULT err=0 tag=120 nentries=0 >>>>>> etime=0 >>>>>> 8:57:00 -0400] conn=12383 op=1 RESULT err=14 tag=97 nentries=0 >>>>>> etime=0, SASL bind in progress >>>>>> 9:02:00 -0400] conn=12388 fd=170 slot=170 connection from 172.20.0.1 >>>>>> to 172.20.2.45 >>>>>> 9:02:00 -0400] conn=12389 fd=234 slot=234 SSL connection from >>>>>> 172.20.0.24 to 172.20.2.45 >>>>>> 9:02:00 -0400] conn=12390 fd=236 slot=236 connection from local to >>>>>> /var/run/slapd-EXAMPLE-COM.socket >>>>>> 9:02:00 -0400] conn=12391 fd=238 slot=238 connection from 172.20.0.1 >>>>>> to 172.20.2.45 >>>>>> 9:02:00 -0400] conn=12392 fd=239 slot=239 SSL connection from >>>>>> 172.20.0.24 to 172.20.2.45 >>>>>> 9:02:00 -0400] conn=12393 fd=240 slot=240 connection from local to >>>>>> /var/run/slapd-EXAMPLE-COM.socket >>>>>> 9:02:00 -0400] conn=12394 fd=241 slot=241 connection from 172.20.0.1 >>>>>> to 172.20.2.45 >>>>>> 9:02:00 -0400] conn=12395 fd=242 slot=242 SSL connection from >>>>>> 172.20.0.24 to 172.20.2.45 >>>>>> 9:02:00 -0400] conn=12396 fd=243 slot=243 connection from 172.20.0.1 >>>>>> to 172.20.2.45 >>>>>> 9:02:00 -0400] conn=12397 fd=244 slot=244 SSL connection from >>>>>> 172.20.0.24 to 172.20.2.45 >>>>>> 9:02:00 -0400] conn=12398 fd=245 slot=245 connection from 172.20.0.1 >>>>>> to 172.20.2.45 >>>>>> 9:02:00 -0400] conn=12400 fd=247 slot=247 connection from 172.20.0.1 >>>>>> to 172.20.2.45 >>>>>> 9:02:00 -0400] conn=12401 fd=248 slot=248 connection from 172.20.0.1 >>>>>> to 172.20.2.45 >>>>>> ... >>>>>> 9:02:00 -0400] conn=12390 op=0 BIND dn="" method=sasl version=3 >>>>>> mech=GSSAPI >>>>>> 9:02:00 -0400] conn=12388 op=-1 fd=170 closed - B1 >>>>>> 9:02:00 -0400] conn=12393 op=0 BIND dn="" method=sasl version=3 >>>>>> mech=GSSAPI >>>>>> 9:02:00 -0400] conn=12391 op=0 SRCH base="" scope=0 >>>>>> filter="(objectClass=*)" attrs="supportedSASLMechanisms >>>>>> defaultnamingcontext namingContexts schemanamingcontext saslrealm" >>>>>> 9:02:00 -0400] conn=12394 op=-1 fd=241 closed - B1 >>>>>> 9:02:00 -0400] conn=12391 op=0 RESULT err=0 tag=101 nentries=1 etime=0 >>>>>> 9:02:00 -0400] conn=12396 op=0 SRCH base="" scope=0 >>>>>> filter="(objectClass=*)" attrs="supportedSASLMechanisms >>>>>> defaultnamingcontext namingContexts schemanamingcontext saslrealm" >>>>>> 9:02:00 -0400] conn=12396 op=0 RESULT err=0 tag=101 nentries=1 etime=0 >>>>>> 9:02:00 -0400] conn=12398 op=-1 fd=245 closed - B1 >>>>>> 9:02:00 -0400] conn=12400 op=0 SRCH base="" scope=0 >>>>>> filter="(objectClass=*)" attrs="supportedSASLMechanisms >>>>>> defaultnamingcontext namingContexts schemanamingcontext saslrealm" >>>>>> 9:02:00 -0400] conn=12400 op=0 RESULT err=0 tag=101 nentries=1 etime=0 >>>>>> 9:02:00 -0400] conn=12401 op=-1 fd=248 closed - B1 >>>>>> 9:02:00 -0400] conn=12391 op=1 ABANDON targetop=NOTFOUND msgid=1 >>>>>> 9:02:00 -0400] conn=12396 op=1 ABANDON targetop=NOTFOUND msgid=1 >>>>>> 9:02:00 -0400] conn=12400 op=1 ABANDON targetop=NOTFOUND msgid=1 >>>>>> 9:02:00 -0400] conn=12391 op=2 UNBIND >>>>>> 9:02:00 -0400] conn=12396 op=2 UNBIND >>>>>> 9:02:00 -0400] conn=12391 op=2 fd=238 closed - U1 >>>>>> 9:02:00 -0400] conn=12396 op=2 fd=243 closed - U1 >>>>>> 9:02:00 -0400] conn=12400 op=2 UNBIND >>>>>> 9:02:00 -0400] conn=12400 op=2 fd=247 closed - U1 >>>>>> ... >>>>>> >>>>>> >>>>>> Environment: >>>>>> # cat /etc/redhat-release >>>>>> CentOS Linux release 7.2.1511 (Core) >>>>>> >>>>>> # rpm -qa ipa* >>>>>> ipa-server-4.2.0-15.0.1.el7.centos.6.1.x86_64 >>>>>> ipa-python-4.2.0-15.0.1.el7.centos.6.1.x86_64 >>>>>> ipa-admintools-4.2.0-15.0.1.el7.centos.6.1.x86_64 >>>>>> ipa-server-trust-ad-4.2.0-15.0.1.el7.centos.6.1.x86_64 >>>>>> ipa-client-4.2.0-15.0.1.el7.centos.6.1.x86_64 >>>>>> ipa-server-dns-4.2.0-15.0.1.el7.centos.6.1.x86_64 >>>>>> >>>>>> # rpm -qa 389* >>>>>> 389-ds-base-libs-1.3.4.0-30.el7_2.x86_64 >>>>>> 389-ds-base-1.3.4.0-30.el7_2.x86_64 >>>>>> >>>>>> We have 4 FreeIPA servers with replication working fine between them. >>>>>> ipa1 is handling LDAP authentication for +400 clients and has been >>>>>> tunned as recommended per >>>>>> >>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Direct >>>>>> ory_Server/8.2/html/Performance_Tuning_Guide/system-tuning.html >>>>>> >>>>>> Is this a known issue? >>>>>> Any idea what can be causing ns-slapd to hang? >>>>>> >>>>>> Thanks in advance! >>>>>> >>>>>> Guillermo >>>>>> >>>>>> -- >>>>> Manage your subscription for the Freeipa-users mailing list: >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users >>>>> Go to http://freeipa.org for more info on the project >>>>> >>>> >> >> >

1 0

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users January 2018