is running sssd and nscd in parallel a better option?
by Harald Dunkel
Hi folks,
I read somewhere that it is not recommended to run nscd to cache
passwd on ipa clients, but I wonder: What if?
I still have the problem that sometimes some sssd components
disappear somehow, e.g. sssd_pam. The logfile on our mail gateway
said
:
```
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 74
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_dp_process_reply] (0x0010): Reply error.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_dp_process_reply] (0x0010): Reply error.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_dp_process_reply] (0x0080): Client already disconnected
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_dp_process_reply] (0x0080): Client already disconnected
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [sbus_dispatch] (0x0020): Performing auto-reconnect
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [sbus_dispatch] (0x0400): SBUS is reconnecting. Deferring.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [sbus_dispatch] (0x0400): SBUS is reconnecting. Deferring.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [sbus_dispatch] (0x0400): SBUS is reconnecting. Deferring.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [sbus_dispatch] (0x0400): SBUS is reconnecting. Deferring.
:
:
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 11
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [pam_reply] (0x0200): blen: 26
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [sbus_dispatch] (0x0400): SBUS is reconnecting. Deferring.
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [sbus_dispatch] (0x0400): SBUS is reconnecting. Deferring.
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [sbus_dispatch] (0x0400): SBUS is reconnecting. Deferring.
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [sbus_dispatch] (0x0400): SBUS is reconnecting. Deferring.
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [sbus_dispatch] (0x0400): SBUS is reconnecting. Deferring.
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [sbus_dispatch] (0x0400): SBUS is reconnecting. Deferring.
:
:
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [sbus_reconnect] (0x0080): Making reconnection attempt 1 to [unix:path=/var/lib/sss/pipes/private/sbus-dp_aixigo.de]
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [sbus_reconnect] (0x0080): Reconnected to [unix:path=/var/lib/sss/pipes/private/sbus-dp_aixigo.de]
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [sbus_conn_register_path] (0x0400): Registering object path /org/freedesktop/sssd/responder with D-Bus connection
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [pam_dp_reconnect_init] (0x0020): Reconnected to the Data Provider.
:
```
Some e-mails were bounced with user unknown at the same time, so I would
guess there is a coincidence. Question is, could nscd be an option here,
providing an additional cache for user accounts? What side effects could
come up?
Platform is Debian 9, sssd is version 1.16.2, nscd version 2.24.
Every helpful comment is highly appreciated.
Regards
Harri
5 years, 7 months
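Added example for this thread (not code from the original post): a small Python parser for the sssd debug-log layout quoted above that counts the PAM replies returned as "System error" and measures the gap between the first failed reply and the responder's reconnection to the data provider, i.e. the window in which lookups through this responder failed. The sample lines are constructed after the excerpt (placeholder domain in the socket path), and all function names are my own.

```python
"""Added example for this thread (not code from the original post): parse
sssd responder debug-log lines in the layout quoted above and summarise the
window in which sssd_pam had lost its SBUS link to the data provider, i.e.
the period during which PAM lookups came back as "System error" and a mail
gateway would have rejected valid recipients. SAMPLE_LOG is constructed
after the post's excerpt (placeholder domain in the socket path)."""
import re
from collections import Counter
from datetime import datetime

# One sssd debug line looks like:
# (Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_reply] (0x0200): message text
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<responder>[^\]]+)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
RESULT_RE = re.compile(r"pam_reply called with result \[(\d+)\]: (.+?)\.?$")


def parse_line(line):
    """Parse one debug line; return None for anything else (the ':' elision
    markers in the quoted log, blank lines), so those are simply skipped."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    rec["level"] = int(rec["level"], 16)
    return rec


def summarize_pam_outage(lines):
    """Count PAM replies per result and measure the gap between the first
    non-zero reply and the responder's reconnection to the data provider."""
    results = Counter()                  # (pam result code, text) -> count
    first_error = recovered = None
    reconnect_attempts = 0
    for rec in filter(None, map(parse_line, lines)):
        m = RESULT_RE.match(rec["msg"])
        if m:
            code, text = int(m.group(1)), m.group(2)
            results[(code, text)] += 1
            if code != 0 and first_error is None:
                first_error = rec["ts"]
        elif rec["func"] == "sbus_reconnect" and rec["msg"].startswith("Making reconnection"):
            reconnect_attempts += 1
        elif rec["func"] == "pam_dp_reconnect_init" and rec["msg"].startswith("Reconnected"):
            recovered = rec["ts"]
    failed = sum(n for (code, _), n in results.items() if code != 0)
    gap = (recovered - first_error).total_seconds() if first_error and recovered else None
    return {"results": dict(results), "failed_replies": failed,
            "reconnect_attempts": reconnect_attempts, "first_error": first_error,
            "recovered": recovered, "outage_seconds": gap}


# Constructed sample in the same layout as the quoted log (not real data).
SAMPLE_LOG = """\
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_dp_process_reply] (0x0010): Reply error.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Tue Sep 18 22:34:28 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
:
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [sbus_dispatch] (0x0400): SBUS is reconnecting. Deferring.
(Tue Sep 18 22:34:29 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
(Tue Sep 18 22:34:30 2018) [sssd[pam]] [sbus_reconnect] (0x0080): Making reconnection attempt 1 to [unix:path=/var/lib/sss/pipes/private/sbus-dp_example.test]
(Tue Sep 18 22:34:30 2018) [sssd[pam]] [pam_dp_reconnect_init] (0x0020): Reconnected to the Data Provider.
""".splitlines()

if __name__ == "__main__":
    print(summarize_pam_outage(SAMPLE_LOG))
```

Run against a full sssd_pam.log (debug_level 6 or higher on the pam responder) the same summary tells you whether the mail bounces line up with a responder disconnect rather than with a genuinely unknown user.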
Error installing dnssec-master
by Quan Zhou
Hi,
I'm having a problem setting up a DNSSEC master with FreeIPA 4.7.0.
A validity error occurs while `ipa-dns-install --dnssec-master`
is configuring the OpenDNSSEC enforcer daemon:
```
Done configuring IPA OpenDNSSEC exporter daemon (ipa-ods-exporter).
Configuring OpenDNSSEC enforcer daemon (ods-enforcerd)
[1/8]: checking status
[2/8]: setting up configuration files
[3/8]: setting up ownership and file mode bits
[4/8]: generating master key
[5/8]: setting up OpenDNSSEC
[error] CalledProcessError: CalledProcessError(Command
['/usr/sbin/ods-enforcer-db-setup', 'setup'] returned non-zero exit
status 1: '/etc/opendnssec/conf.xml:11: element AllowExtraction:
Relax-NG validity error : Element Repository has extra content:
AllowExtraction\n/etc/opendnssec/conf.xml:7: element Repository:
Relax-NG validity error : Element RepositoryList has extra content:
Repository\n/etc/opendnssec/conf.xml:36: element Interval: Relax-NG
validity error : Element Enforcer has extra content: Interval\nError:
unable to load configuration!\n')
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: CalledProcessError(Command
['/usr/sbin/ods-enforcer-db-setup', 'setup'] returned non-zero exit
status 1: '/etc/opendnssec/conf.xml:11: element AllowExtraction:
Relax-NG validity error : Element Repository has extra content:
AllowExtraction\n/etc/opendnssec/conf.xml:7: element Repository:
Relax-NG validity error : Element RepositoryList has extra content:
Repository\n/etc/opendnssec/conf.xml:36: element Interval: Relax-NG
validity error : Element Enforcer has extra content: Interval\nError:
unable to load configuration!\n')
```
I took the liberty of removing the keys it complained about; then the setup went
through, but named-pkcs11 failed to start. Logs follow:
```
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: starting BIND
9.11.3-1ubuntu1.2-Ubuntu (Extended Support Version) <id:a375815>
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: running on Linux x86_64
4.15.0-34-generic #37-Ubuntu SMP Mon Aug 27 15:21:48 UTC 2018
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: built with
'--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules'
'--libdir=/usr/lib/x86_64-linux-gnu'
'--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode'
'--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu'
'--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/'
'--enable-threads' '--enable-largefile' '--with-libtool'
'--enable-shared' '--enable-static' '--with-gost=no'
'--with-openssl=/usr' '--with-gssapi=/usr' '--with-libjson=/usr'
'--without-lmdb' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no'
'--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa'
'--enable-native-pkcs11'
'--with-pkcs11=/usr/lib/softhsm/libsofthsm2.so'
'--with-randomdev=/dev/urandom' 'build_alias=x86_64-linux-gnu'
'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-ITBgWn/bind9-9.11.3+dfsg=.
-fstack-protector-strong -Wformat -Werror=format-security
-fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE
-DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro
-Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: running as: named-pkcs11 -f -u bind
Sep 29 02:21:10 ubuntu named-pkcs11[4796]:
----------------------------------------------------
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: BIND 9 is maintained by
Internet Systems Consortium,
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: Inc. (ISC), a non-profit
501(c)(3) public-benefit
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: corporation. Support and
training for BIND 9 are
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: available at
https://www.isc.org/support
Sep 29 02:21:10 ubuntu named-pkcs11[4796]:
----------------------------------------------------
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: adjusted limit on open
files from 4096 to 1048576
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: found 4 CPUs, using 4 worker threads
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: using 3 UDP listeners per interface
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: using up to 4096 sockets
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: loading configuration from
'/etc/bind/named.conf'
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: reading built-in trust
anchors from file '/etc/bind/bind.keys'
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: initializing GeoIP Country
(IPv4) (type 1) DB
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: GEO-106FREE 20180315 Build
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: initializing GeoIP Country
(IPv6) (type 12) DB
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: GEO-106FREE 20180315 Build
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: GeoIP City (IPv4) (type 2)
DB not available
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: GeoIP City (IPv4) (type 6)
DB not available
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: GeoIP City (IPv6) (type 30)
DB not available
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: GeoIP City (IPv6) (type 31)
DB not available
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: GeoIP Region (type 3) DB
not available
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: GeoIP Region (type 7) DB
not available
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: GeoIP ISP (type 4) DB not available
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: GeoIP Org (type 5) DB not available
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: GeoIP AS (type 9) DB not available
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: GeoIP Domain (type 11) DB
not available
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: GeoIP NetSpeed (type 10) DB
not available
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: using default UDP/IPv4 port
range: [32768, 60999]
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: using default UDP/IPv6 port
range: [32768, 60999]
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: listening on IPv6 interfaces, port 53
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: listening on IPv4 interface
lo, 127.0.0.1#53
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: listening on IPv4 interface
ens3, 136.243.101.250#53
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: generating session key for
dynamic DNS
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: sizing zone task pool based
on 5 zones
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: none:103: 'max-cache-size
90%' - setting to 7178MB (out of 7976MB)
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: set up managed keys zone
for view _default, file '/var/cache/bind/dynamic/managed-keys.bind'
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: loading DynDB instance
'ipa' driver '/usr/lib/bind/ldap.so'
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 10.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
16.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
17.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
18.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
19.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
20.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
21.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
22.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
23.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
24.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
25.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
26.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
27.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
28.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
29.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
30.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
31.172.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
168.192.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
64.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
65.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
66.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
67.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
68.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
69.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
70.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
71.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
72.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
73.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
74.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
75.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
76.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
77.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
78.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
79.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
80.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
81.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
82.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
83.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
84.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
85.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
86.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
87.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
88.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
89.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
90.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
91.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
92.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
93.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
94.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
95.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
96.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
97.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
98.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
99.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
100.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
101.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
102.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
103.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
104.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
105.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
106.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
107.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
108.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
109.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
110.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
111.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
112.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
113.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
114.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
115.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
116.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
117.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
118.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
119.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
120.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
121.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
122.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
123.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
124.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
125.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
126.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
127.100.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
254.169.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
2.0.192.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
100.51.198.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
113.0.203.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
255.255.255.255.IN-ADDR.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: D.F.IP6.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 8.E.F.IP6.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: 9.E.F.IP6.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: A.E.F.IP6.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone: B.E.F.IP6.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
8.B.D.0.1.0.0.2.IP6.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: automatic empty zone:
EMPTY.AS112.ARPA
Sep 29 02:21:10 ubuntu named-pkcs11[4796]:
../../../lib/dns-pkcs11/view.c:962: REQUIRE(view->zonetable != ((void
*)0)) failed, back trace
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: #0 0x55bdc918fcd0 in ??
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: #1 0x7f1b8b33f7fa in ??
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: #2 0x7f1b8bd512ea in ??
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: #3 0x55bdc91ada87 in ??
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: #4 0x55bdc9171793 in ??
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: #5 0x55bdc91ba319 in ??
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: #6 0x55bdc91bbf43 in ??
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: #7 0x7f1b8b366b59 in ??
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: #8 0x7f1b8a8e06db in ??
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: #9 0x7f1b8a01488f in ??
Sep 29 02:21:10 ubuntu named-pkcs11[4796]: exiting (due to assertion failure)
Sep 29 02:21:10 ubuntu systemd[1]: bind9-pkcs11.service: Main process
exited, code=killed, status=6/ABRT
Sep 29 02:21:10 ubuntu systemd[1]: bind9-pkcs11.service: Failed with
result 'signal'.
```
--
Regards,
Quan Zhou
F2999657195657205828D56F35F9E5CDBD86324B
quanzhou822(a)gmail.com
5 years, 7 months
Can't install CA from replica file - Failed to import EncryptedPrivateKeyInfo to token
by H. Frenzel
Hi,
I tried to install a CA on the 2nd master from a replica file which was
created on the 1st master (with a self-signed CA), which fails with:
```
ipa : DEBUG stderr=TokenException: Failed to import
EncryptedPrivateKeyInfo to token: (-8152) The key does not support the
requested operation.
```
What could be wrong here? - Please find the detailed debug log of
ipa-ca-install as attachment.
Thx & b/r
H.
5 years, 7 months
Migrating named from bind to flat files
by Jonathon Jenkins
Greetings,
I have a set-up that has many FreeIPA servers throughout various regions,
acting as DNS servers throughout these regions.
To set the stage, my colleagues and I are competent in FreeIPA
administration, but we're not LDAP experts. We've had a couple of scenarios
wherein changes to our IPA environment (adding/removing a host, additions
of zones, etc.) have caused momentary DNS outages.
In addition, we are concerned about LDAP issues that could cause named to
not function - we've already gone through an isolated incident where slapd
took a significant amount of time to start, during which that host was
running named, but was not serving any addresses.
For these and many more reasons we'd feel more comfortable running named
from flat files that pull DNS updates from FreeIPA.
My question to the group is whether there will be any impacts to the
FreeIPA system if we convert named to use files rather than bind as a
backend. Ideally, we'd like to avoid creating new machines to function as
DNS servers and just convert the existing FreeIPA servers to use files for
named.
Any comments or questions on the above approach would be welcome - thanks
for your time.
Best,
Jon
5 years, 7 months
Auto-mounted Home-Directory
by Ronald Wimmer
The home directories of several servers in our company are IPA
automounted. About a week ago, this mechanism stopped working properly
on one server. The directory still gets mounted automatically but the
permissions are nobody:nobody.
I thought restarting idmapd or automount could solve the problem.
Neither did. Then I rebooted the machine hoping it could fix things.
That did not help either.
What steps do I need to take in order to find out what the problem is?
Regards,
Ronald
5 years, 7 months
Catching an EmptyModlist exception in Python
by Kristian Petersen
I am working on a script that, as part of its function, modifies some user
attributes. However, this gets run a few times at the beginning of a
semester, since people add and drop classes sometimes before the deadline
prevents that. Because of this situation, some people have no modification
to be made when the API call goes out and FreeIPA throws the EmptyModlist
exception. For some reason I can't catch it with anything but a catch-all
exception handler. I need to catch it and just have the script proceed as if
nothing really happened if no modification is made.
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry
5 years, 7 months
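Added example for this thread (not Kristian's script): the pattern of catching FreeIPA's own `ipalib.errors.EmptyModlist` around `api.Command.user_mod` and treating it as "nothing to do", while letting every other error (NotFound, ACIError, a lost connection) propagate instead of hiding it behind a bare `except Exception`. `ipalib.errors.EmptyModlist` is the real FreeIPA class; the same-named fallback class, `FakeApi`/`FakeCommand`, the `title` attribute and the user names are assumptions constructed so the file runs on a machine without ipalib.

```python
"""Added example for this thread (not Kristian's script): apply attribute
changes through the FreeIPA Python API and treat EmptyModlist as "nothing
to do" instead of swallowing every exception. ipalib.errors.EmptyModlist is
FreeIPA's real class (the client RPC layer re-raises it from the server's
error code); the fallback class and FakeApi below exist only so the file
runs on a machine without ipalib, and are assumptions for the demo."""
try:
    from ipalib.errors import EmptyModlist
except ImportError:  # no FreeIPA client libraries here: same-named stand-in
    class EmptyModlist(Exception):
        pass


def set_user_attrs(api, uid, **attrs):
    """Run user_mod for one user; return 'modified' or 'unchanged'.

    Only EmptyModlist is caught. NotFound, ACIError, connection failures
    and the like still propagate, which a bare `except Exception:` would
    hide together with the harmless "no modifications" case."""
    try:
        api.Command.user_mod(uid, **attrs)
    except EmptyModlist:
        return "unchanged"
    return "modified"


def sync_enrollments(api, enrollments):
    """enrollments: {uid: {attribute: value}} -> {uid: status}."""
    return {uid: set_user_attrs(api, uid, **attrs)
            for uid, attrs in enrollments.items()}


class FakeCommand:
    """Stand-in for api.Command (demo only): keeps attribute values and
    raises EmptyModlist when user_mod would change nothing, which is what
    the FreeIPA server does for an empty LDAP modlist."""
    def __init__(self, users):
        self.users = users

    def user_mod(self, uid, **attrs):
        current = self.users[uid]
        changes = {k: v for k, v in attrs.items() if current.get(k) != v}
        if not changes:
            raise EmptyModlist()
        current.update(changes)
        return {"result": dict(current)}


class FakeApi:
    def __init__(self, users):
        self.Command = FakeCommand(users)


# Constructed sample: one student already carries the value, one does not.
SAMPLE_USERS = {"alice": {"title": "Chem 101"}, "bob": {"title": "Chem 102"}}


def demo():
    api = FakeApi({uid: dict(a) for uid, a in SAMPLE_USERS.items()})
    return sync_enrollments(api, {"alice": {"title": "Chem 101"},   # -> EmptyModlist
                                  "bob": {"title": "Chem 101"}})   # -> real change


if __name__ == "__main__":
    print(demo())  # {'alice': 'unchanged', 'bob': 'modified'}
```

On a real client, replace FakeApi with the bootstrapped `ipalib.api` (`api.bootstrap(context="cli"); api.finalize(); api.Backend.rpcclient.connect()`) and the rest of the code is unchanged.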
Handling 2fa in non-web services
by Adam Bishop
Is there a built in/supported means of bypassing 2fa for non-kerberized services?
I'm in the last stages of migrating away from Active Directory, but have a few systems that do not integrate well with 2fa because they do not cache credentials in any useful form:
* Our enterprise WiFi (would prompt for a new credential every time the device roams to a new AP)
* Our Jabber IM service (would prompt for a password every time the computer wakes from sleep)
* Our IMAP mail service (would prompt for a password every time the connection drops due to idle)
I know Google use application specific passwords to mitigate this ( https://support.google.com/mail/answer/185833?hl=en ), which would be better than bypassing 2fa but I don't believe there's a mechanism to do this built into FreeIPA.
Any suggestions on how I could handle these services?
Many thanks,
Adam Bishop
5 years, 7 months
email
by Anush Jayan
anush(a)matchpointgps.com
Regards,
Anush Jayan
Devops Engineer
TRACKPOINT GPS PVT. LTD.
5 years, 8 months
Automatic Group Membership for AD Users
by Peter Tselios
Hello,
My FreeIPA (4.5.4) has a cross-forest trust with the AD of the company.
The requirement I have is to automatically add some AD Groups in the IdM Sudoers groups.
The documentation implies that this is possible only for the synchronized AD Users. Is that true?
If not, can I just create an automember rule that will include specific AD groups in the Sudoers membership?
If yes, what is the alternative I have?
5 years, 8 months