How to change nsslapd-cachememsize
by Kees Bakker
Hi,
This is about the infamous log message
WARNING: changelog: entry cache size 2097152B is less than db size 19701760B; We recommend to increase the entry cache size nsslapd-cachememsize.
I've searched the Internet, including this mailing list, but I haven't found
a sensible FreeIPA solution yet. There was a hint to look at [1], that suggested that
I should use ldapmodify. Well OK, but before I do that I want to first see,
using ldapsearch, that I can query the current value. I tried this (with proper
kinit of course):
ldapsearch -Y GSSAPI -b cn=config
That didn't show anything useful, nothing with nsslapd-cachememsize. That makes
me wonder whether the suggested ldapmodify command is correct for me.
My question is basically: what is the recommended FreeIPA way to modify nsslapd-cachememsize?
And will the modification automatically replicate from the master to the replica?
BTW. My FreeIPA servers (one master and one replica) are running Ubuntu 16.04
[1] https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8....
--
Kees
2 years, 7 months
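Added example (not part of the original post, and not FreeIPA's own tooling): a shell helper that turns the warning quoted above into the LDIF an ldapmodify run would need. It assumes the name after "WARNING:" is the backend whose entry sits under cn=ldbm database,cn=plugins,cn=config, and that rounding the db size up to a whole MiB is an acceptable target; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: build the ldapmodify LDIF from the 389-ds cache warning.

# Warning line as quoted in the post above.
SAMPLE_WARNING='WARNING: changelog: entry cache size 2097152B is less than db size 19701760B; We recommend to increase the entry cache size nsslapd-cachememsize.'

# Print "<backend> <cache_bytes> <db_bytes>"; fail if the line is not this warning.
parse_cache_warning() {
    printf '%s\n' "$1" | sed -n \
        's/^.*WARNING: \([^:]*\): entry cache size \([0-9][0-9]*\)B is less than db size \([0-9][0-9]*\)B.*$/\1 \2 \3/p' |
        grep .
}

# Round a byte count up to a whole number of MiB (sizing policy is an assumption).
target_cachememsize() {
    mib=1048576
    echo $(( ($1 + mib - 1) / mib * mib ))
}

# Emit the LDIF that raises nsslapd-cachememsize for the backend named in the warning.
cachememsize_ldif() {
    parsed=$(parse_cache_warning "$1") || return 1
    set -- $parsed
    backend=$1 current=$2 dbsize=$3
    # Only propose a change when the cache really is smaller than the db.
    [ "$current" -lt "$dbsize" ] || return 1
    cat <<EOF
dn: cn=$backend,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-cachememsize
nsslapd-cachememsize: $(target_cachememsize "$dbsize")
EOF
}

# Against a live server (run by hand; binds as Directory Manager over StartTLS,
# because backend settings under cn=config are not readable by ordinary IPA users).
# cn=config is not replicated, so repeat on every master and replica:
#   ldapsearch -ZZ -x -D "cn=Directory Manager" -W -s base \
#       -b "cn=changelog,cn=ldbm database,cn=plugins,cn=config" nsslapd-cachememsize
#   cachememsize_ldif "$line_from_errors_log" | ldapmodify -ZZ -x -D "cn=Directory Manager" -W

# Stand-alone demo on the sample line: prints the LDIF only.
cachememsize_ldif "$SAMPLE_WARNING"
```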
AD group membership information not enumerated in the cn=compat tree?
by Robert Sturrock
Hello.
We are using FreeIPA primarily to connect our Linux fleet efficiently to our organisational AD and it’s working well in that capacity.
However, we are investigating a number of different enterprise NAS solutions to provide (kerberized) NFSv4 file services to this fleet. We were hoping to integrate these NAS appliances with IPA by way of the compat tree, since they don’t offer native IPA providers.
This works to a point, but I’ve noticed that the compat tree does not seem to enumerate *group membership* for the AD trust users.
For example, when I look up one of my groups with an ldapsearch against one of the IPA masters I see:
dn: cn=lcm-managedlinux@localdomain,cn=groups,cn=compat,dc=ipa,dc=localdomain
objectClass: ipaOverrideTarget
objectClass: posixGroup
objectClass: ipaexternalgroup
objectClass: top
cn: lcm-managedlinux@localdomain
gidNumber: 1388937688
ipaAnchorUUID:: OlNJRDpTLTEtNS0yMS0yMDc4Nzk1NTYxLTQyMzMwMDU2NTctMzI2MTkwNjQ2Mi0xMzc2ODg=
I don’t see any ‘memberUid’ attributes, but would expect to see about 8 members.
Is this expected behaviour, or is there some additional configuration needed to obtain this functionality?
Some searching online brought up these references (‘Enable compat tree to provide information about AD users and groups on trust agents’):
- https://bugzilla.redhat.com/show_bug.cgi?id=1585020
- https://pagure.io/freeipa/issue/7600
These read very similarly to the behaviour we’re seeing.
Regards,
Robert.
2 years, 7 months
AD Integration
by paul mitchell
We currently have a single AD (2016) domain, company.co.uk. The DNS zone file is managed by Active Directory, so all machines (Windows and Linux) are listed in the zone file. Windows users authenticate against AD and Linux users authenticate against a separate NIS server. We are considering replacing NIS with a FreeIPA server.
The most important consideration is to maintain the *ix users GUID and UID data that is currently stored on the NIS server. If this data could be stored in AD, then we probably would not be considering FreeIPA. A typical *ix user workflow is for the user to ssh from their local machine to one of 20 development servers. The user GUID and UID must be the same regardless of which machine they access. We don’t currently have any username/password synchronisation between AD and NIS so this is not a requirement. It’s clear that to enable a trust between FreeIPA and AD, we would need to create a separate IPA domain.
I assume all 20 development servers would need to be added to the IPA domain?
2 years, 7 months
Issues with ipa-replica-install
by Peter Tselios
Hello,
I had set up a FreeIPA Master and a Replica on 2 CentOS 7.5 boxes.
Currently the master has all services (DNS, CA, KRA) and it's prepared for one-way trust with AD.
Unfortunately, I have a lot of issues with the replica!
The replica setup was:
ipa-replica-install --setup-ca --setup-dns --setup-kra --no-forwarder
Although the installation was successful, when I tried to create a Trust with our AD, the AD administrator told me that the replica did not respond to DNS and truly, the DNS was down. Actually, the named-pkcs11 service was not even enabled on the replica. So, the ipactl restart told me to run the ipa-server-upgrade which I did.
The upgrade failed in the KRA section because it could not connect to the MASTER server on port 8443.
I didn't have time to investigate further, so, I just removed the replica and re-installed it (with another issue, that will be posted in another thread later), this time without the KRA.
My question:
If I run the ipa-kra-install, will it REPLICATE the master, or will it create a new KRA server?
Unfortunately, I cannot take a backup and test it and I cannot install a second replica (don't ask plz).
2 years, 7 months
Can I automatically add a new host in a location?
by Peter Tselios
Hello,
I want to use Foreman and/or AWS to provision hosts that will be registered to my FreeIPA.
I have created all the locations that I will use and I have one FreeIPA replica on each location. From the documentation it seems that I need to use the ipa-client-install and then use the ipa host-mod to modify the host's location, meaning that I need to modify the permissions the Foreman script created for my user.
Is there any other way to automatically add a host in a location?
2 years, 7 months
Re: Freeipa-client-install - enrolls client/host then crashes
by Rob Crittenden
Miller, Jim via FreeIPA-users wrote:
> Hello everyone,
>
> I’m trying to add a CentOS 7 64bit host to our FreeIPA domain.
>
> Client FreeIPA is 4.5.4-10
> Server FreeIPA is 4.4.0
>
> Client FreeIPA rpms:
> ipa-common-4.5.4-10.el7.centos.3.noarch
> python-ipaddress-1.0.16-2.el7.noarch
> python2-ipalib-4.5.4-10.el7.centos.3.noarch
> ipa-client-4.5.4-10.el7.centos.3.x86_64
> ipa-client-common-4.5.4-10.el7.centos.3.noarch
> libipa_hbac-1.16.0-19.el7_5.5.x86_64
> python-iniparse-0.4-9.el7.noarch
> sssd-ipa-1.16.0-19.el7_5.5.x86_64
> python2-ipaclient-4.5.4-10.el7.centos.3.noarch
> python-libipa_hbac-1.16.0-19.el7_5.5.x86_64
>
> The basic steps to reproduce are:
> 1. Populate /etc/krb5.conf for IPA.GENERIC.ZONE realm
> 2. kinit admin # for IPA.GENERIC.ZONE
> 3. ipa-client-install --mkhomedir --no-ntp --ssh-trust-dns --enable-dns-updates
What is the use-case for doing it this way?
What does the KDC log show? /var/log/krb5kdc.log
rob
> Here’s where the errors start:
>
> Enrolled in IPA realm IPA.GENERIC.ZONE
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured sudoers in /etc/nsswitch.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm IPA.GENERIC.ZONE
> trying https://sl1mmgplidm0001.ipa.generic.zone/ipa/json
> Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638972): KDC returned error string: PROCESS_TGS
> The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
>
> [root@sl1aosplsecweb2 ~]# less /var/log/ipaclient-install.log
>   File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 3628, in main
>     install(self)
>   File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 2348, in install
>     _install(options)
>   File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 2694, in _install
>     api.finalize()
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 714, in finalize
>     self.__do_if_not_done('load_plugins')
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 421, in __do_if_not_done
>     getattr(self, name)()
>   File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 592, in load_plugins
>     for package in self.packages:
>   File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 948, in packages
>     ipaclient.remote_plugins.get_package(self),
>   File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 126, in get_package
>     plugins = schema.get_package(server_info, client)
>   File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 537, in get_package
>     schema = Schema(client)
>   File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 385, in __init__
>     fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
>   File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 397, in _fetch
>     client.connect(verbose=False)
>   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
>     conn = self.create_connection(*args, **kw)
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1034, in create_connection
>     command([], {})
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1246, in _call
>     return self.__request(name, args)
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1213, in __request
>     verbose=self.__verbose >= 3,
>   File "/usr/lib64/python2.7/xmlrpclib.py", line 1273, in request
>     return self.single_request(host, handler, request_body, verbose)
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 677, in single_request
>     self.get_auth_info()
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 629, in get_auth_info
>     self._handle_exception(e, service=service)
>   File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 588, in _handle_exception
>     raise errors.KerberosError(message=unicode(e))
>
> 2018-07-11T21:39:19Z DEBUG The ipa-client-install command failed, exception: KerberosError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638972): KDC returned error string: PROCESS_TGS
> 2018-07-11T21:39:19Z ERROR Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638972): KDC returned error string: PROCESS_TGS
> 2018-07-11T21:39:19Z ERROR The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
>
> If it would help I can attach the entire ipaclient-install.log file
>
> Thank you for your help
>
> --Jim
2 years, 7 months
Maximum number of sessions reached?
by Greg Gilbert
Hi all,
I'm getting a maximum number of sessions message from FreeIPA:
Failed to create session: Maximum number of sessions (8192) reached,
refusing further sessions.
I think it's causing this error when any server tries to enroll itself:
Cannot connect to the server due to generic error: error marshalling
data for XML-RPC transport: message: need a <type 'unicode'>; got
'No valid Negotiate header in server response' (a <type 'str'>)
Installation failed. Rolling back changes.
Unenrolling client from IPA server
Any ideas? Do I need to just restart FreeIPA every so often to reset
sessions or something?
Thanks,
Greg
2 years, 7 months
Add SAN attributes to certificate at sign time
by vitenbergd@gmail.com
Hello, everyone
I've got a problem similar to:
https://serverfault.com/questions/253960/adding-subject-alternate-names-s...
So, there is an HP crypto device for which I should issue a certificate (via FreeIPA CA). It allows you to generate a CSR, and there is no access to the private key or some kind of cmdline interface.
But the device's internal CSR generation mechanism allows you to add only CommonName and there is no support for SAN. And I want to ask if there is a way to add SAN attributes during the certificate issue process on FreeIPA. Several thoughts from serverfault answers:
1) Edit existing CSR, add SAN hostnames (cause CSR was signed by private key, it will be now invalid), force FreeIPA not to check signature.
2) Extract FreeIPA private key and maybe use some 3rd party tools to issue certificate with edited CSR (p. #1)
3) Edit FreeIPA CA/PKI subsystem options to add SAN attributes (somehow?) at sign time
Have a good day!
D. Vitenberg
2 years, 7 months
Client authentication against trusted AD broken
by Mike Conner
I've seen similar situations in other threads, but searching for a solution hasn't proven fruitful so far; please point me in the right direction! I've configured an ipa server with a trusted AD domain and both lookups and authentication are working on the server (I can getent and id AD users, and can ssh to the server as an AD user.) On the client side, however, only lookups are working. I can getent and id AD users, but can't authenticate as one.
Here's a section of the sssd_cs.domain.dom.log from an authentication attempt. The obvious red flag is:
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [sss_domain_get_state] (0x1000): Domain cs.domain.dom is Active
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [sss_domain_get_state] (0x1000): Domain domain.dom is Inactive
But I'm unsure how to troubleshoot.
LOG:
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [sbus_dispatch] (0x4000): dbus conn: 0x55911dd26920
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [sbus_dispatch] (0x4000): Dispatching.
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.pamHandler on path /org/freedesktop/sssd/dataprovider
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [dp_pam_handler] (0x0100): Got request with the following data
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [pam_print_data] (0x0100): domain: domain.dom
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [pam_print_data] (0x0100): user: username(a)domain.dom
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [pam_print_data] (0x0100): service: sshd
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [pam_print_data] (0x0100): tty: ssh
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [pam_print_data] (0x0100): ruser:
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [pam_print_data] (0x0100): rhost: IP.ADDR
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [pam_print_data] (0x0100): authtok type: 1
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [pam_print_data] (0x0100): priv: 1
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [pam_print_data] (0x0100): cli_pid: 1096
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [pam_print_data] (0x0100): logon name: not set
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [dp_attach_req] (0x0400): DP Request [PAM Authenticate #4]: New request. Flags [0000].
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [sss_domain_get_state] (0x1000): Domain cs.domain.dom is Active
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [sss_domain_get_state] (0x1000): Domain domain.dom is Inactive
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [krb5_auth_queue_send] (0x1000): Wait queue of user [username(a)domain.dom] is empty, running request [0x55911dd133f0] immediately.
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [sss_domain_get_state] (0x1000): Domain cs.domain.dom is Active
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [sss_domain_get_state] (0x1000): Domain domain.dom is Inactive
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [krb5_setup] (0x4000): No mapping for: username(a)domain.dom
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55911dd31600
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55911dd316c0
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Running timer event 0x55911dd31600 "ltdb_callback"
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Destroying timer event 0x55911dd316c0 "ltdb_timeout"
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Ending timer event 0x55911dd31600 "ltdb_callback"
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55911dd2da90
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55911dd2db50
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Running timer event 0x55911dd2da90 "ltdb_callback"
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Destroying timer event 0x55911dd2db50 "ltdb_timeout"
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Ending timer event 0x55911dd2da90 "ltdb_callback"
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [get_server_status] (0x1000): Status of server 'ipa.cs.domain.dom' is 'working'
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [get_port_status] (0x1000): Port status of port 0 for server 'ipa.cs.domain.dom' is 'working'
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [get_server_status] (0x1000): Status of server 'ipa.cs.domain.dom' is 'working'
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [be_resolve_server_process] (0x0200): Found address for server ipa.cs.domain.dom: [IP.ADDR] TTL 86400
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ipa_resolve_callback] (0x0400): Constructed uri 'ldap://ipa.cs.domain.dom'
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/pubconf/.krb5info_dummy_g504pM]
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/pubconf/.krb5info_dummy_g504pM]
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [sss_domain_get_state] (0x1000): Domain domain.dom is Inactive
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [krb5_auth_resolve_done] (0x2000): Subdomain domain.dom is inactive, will proceed offline
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [1097]
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [child_handler_setup] (0x2000): Signal handler set up for pid [1097]
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [write_pipe_handler] (0x0400): All data has been sent!
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [parse_krb5_child_response] (0x1000): child response [0][3][46].
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_WORKING. Called from: ../src/providers/krb5/krb5_auth.c: krb5_auth_done: 1093
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'ipa.cs.domain.dom' as 'working'
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [set_server_common_status] (0x0100): Marking server 'ipa.cs.domain.dom' as 'working'
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'ipa.cs.domain.dom' as 'working'
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [krb5_mod_ccname] (0x4000): Save ccname [FILE:/tmp/krb5cc_1326822197_QIfZhR] for user [username(a)domain.dom].
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55911dd60a00
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55911dd12a30
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Running timer event 0x55911dd60a00 "ltdb_callback"
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Destroying timer event 0x55911dd12a30 "ltdb_timeout"
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Ending timer event 0x55911dd60a00 "ltdb_callback"
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [sysdb_set_entry_attr] (0x0200): Entry [name=username(a)domain.dom,cn=users,cn=domain.dom,cn=sysdb] has set [ts_cache] attrs.
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55911dd12af0
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55911dd12bb0
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Running timer event 0x55911dd12af0 "ltdb_callback"
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Destroying timer event 0x55911dd12bb0 "ltdb_timeout"
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Ending timer event 0x55911dd12af0 "ltdb_callback"
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55911dd29c80
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55911dd29d40
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Running timer event 0x55911dd29c80 "ltdb_callback"
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Destroying timer event 0x55911dd29d40 "ltdb_timeout"
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Ending timer event 0x55911dd29c80 "ltdb_callback"
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x55911dd57ee0
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x55911dd29ea0
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Running timer event 0x55911dd57ee0 "ltdb_callback"
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Destroying timer event 0x55911dd29ea0 "ltdb_timeout"
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): Ending timer event 0x55911dd57ee0 "ltdb_callback"
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [sysdb_cache_auth] (0x4000): Offline credentials expiration is [0] days.
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [check_failed_login_attempts] (0x4000): Failed login attempts [0], allowed failed login attempts [0], failed login delay [5].
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [sysdb_cache_auth] (0x0100): Cached credentials not available.
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [ldb] (0x4000): cancel ldb transaction (nesting: 0)
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [krb5_auth_cache_creds] (0x0020): Offline authentication failed
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [check_wait_queue] (0x1000): Wait queue for user [username(a)domain.dom] is empty.
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x55911dd133f0] done.
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [dp_req_done] (0x0400): DP Request [PAM Authenticate #4]: Request handler finished [0]: Success
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [_dp_req_recv] (0x0400): DP Request [PAM Authenticate #4]: Receiving request data.
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [dp_req_destructor] (0x0400): DP Request [PAM Authenticate #4]: Request removed.
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [dp_pam_reply] (0x1000): DP Request [PAM Authenticate #4]: Sending result [6][domain.dom]
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [child_sig_handler] (0x1000): Waiting for child [1097].
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [child_sig_handler] (0x0100): child [1097] finished successfully.
Thanks for any help!
2 years, 7 months
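Added example (not part of the original post, and not an SSSD tool): a shell/awk filter that reduces a backend log like the one above to one line per PAM reply, showing the recorded state of the target domain and whether the request fell back to offline authentication. The sample lines are copied from the post; the function names and the output format are hypothetical.

```shell
#!/bin/sh
# Added example: summarise each PAM reply in an SSSD backend (sssd_<domain>.log) debug log.

# Lines excerpted verbatim from the log in the post above.
sample_log() {
cat <<'EOF'
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [pam_print_data] (0x0100): domain: domain.dom
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [sss_domain_get_state] (0x1000): Domain cs.domain.dom is Active
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [sss_domain_get_state] (0x1000): Domain domain.dom is Inactive
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [krb5_auth_resolve_done] (0x2000): Subdomain domain.dom is inactive, will proceed offline
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [sysdb_cache_auth] (0x0100): Cached credentials not available.
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [krb5_auth_cache_creds] (0x0020): Offline authentication failed
(Thu Jul 5 11:31:44 2018) [sssd[be[cs.domain.dom]]] [dp_pam_reply] (0x1000): DP Request [PAM Authenticate #4]: Sending result [6][domain.dom]
EOF
}

# Read log lines on stdin; print one summary line for every dp_pam_reply seen.
triage_sssd_log() {
    awk '
    # Remember the most recent Active/Inactive state reported for each domain.
    /\[sss_domain_get_state\]/ && match($0, /Domain [^ ]+ is (Active|Inactive)/) {
        split(substr($0, RSTART, RLENGTH), f, " ")
        state[f[2]] = f[4]
    }
    # Domain the PAM request is addressed to.
    /\[pam_print_data\].*: domain: / { sub(/^.*: domain: /, ""); target = $0 }
    # Markers of the offline fallback path.
    /will proceed offline/             { offline = 1 }
    /Cached credentials not available/ { nocache = 1 }
    /Offline authentication failed/    { failed = 1 }
    # The reply closes the request: report it and reset the per-request flags.
    /\[dp_pam_reply\]/ && match($0, /Sending result \[[0-9]+\]/) {
        r = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", r)
        s = (target in state) ? state[target] : "unknown"
        printf "domain=%s state=%s offline=%d cached_creds=%s auth_failed=%d pam_result=%s\n",
            target, s, offline, (nocache ? "no" : "unknown"), failed, r
        offline = nocache = failed = 0
    }'
}

# Stand-alone demo on the excerpt.
sample_log | triage_sssd_log
```

A reply with state=Inactive and offline=1 means the password was never checked against a KDC: the attempt went straight to the credential cache, which is empty for a user who has not logged in on that client before.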