Re: [Freeipa-users] Login hangs / hung task?
Hello,

The log files are empty in /var/log/sssd, and the filesystems checked clean after the hard boot.

Thanks,
Mike

On 2013-07-03, at 10:38 AM, Sumit Bose wrote:

> On Wed, Jul 03, 2013 at 10:17:19AM -0400, Michael Mercier wrote:
>> Hello,
>>
>> I tried to login (ssh) to one (of three) freeipa systems running on CentOS
>> yesterday without success.
>>
>> Running 'ssh root@service-2', the server would reply with a password prompt
>> and then hang. I went to the system console to discover many of the
>> following messages on screen:
>>
>> Jun 30 service-2 kernel: INFO: task sssd_be:22447 blocked for more than 120 seconds.
>> Jun 30 service-2 kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
>>
>> Trying to login on the console, I was able to enter a username, but the
>> login process would hang after entering the password. After rebooting the
>> system, I see the following in /var/log/messages
>>
>> Jun 30 00:29:29 service-2 kernel: INFO: task sssd_be:22447 blocked for more than 120 seconds.
>> Jun 30 00:29:29 service-2 kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
>> Jun 30 00:29:29 service-2 kernel: sssd_be D 000e 0 22447 3673 0x0084
>> Jun 30 00:29:29 service-2 kernel: 880827dffce8 0086
>> Jun 30 00:29:29 service-2 kernel:
>> Jun 30 00:29:29 service-2 kernel: 880827255058 880827dfffd8 fb88 880827255058
>> Jun 30 00:29:29 service-2 kernel: Call Trace:
>> Jun 30 00:29:29 service-2 kernel: [] ? ext4_file_open+0x0/0x130 [ext4]
>> Jun 30 00:29:29 service-2 kernel: [] schedule_timeout+0x215/0x2e0
>> Jun 30 00:29:29 service-2 kernel: [] ? nameidata_to_filp+0x54/0x70
>> Jun 30 00:29:29 service-2 kernel: [] ? cpumask_next_and+0x29/0x50
>> Jun 30 00:29:29 service-2 kernel: [] wait_for_common+0x123/0x180
>> Jun 30 00:29:29 service-2 kernel: [] ? default_wake_function+0x0/0x20
>> Jun 30 00:29:29 service-2 kernel: [] wait_for_completion+0x1d/0x20
>> Jun 30 00:29:29 service-2 kernel: [] sched_exec+0xdc/0xe0
>> Jun 30 00:29:29 service-2 kernel: [] do_execve+0xe0/0x2c0
>> Jun 30 00:29:29 service-2 kernel: [] sys_execve+0x4a/0x80
>> Jun 30 00:29:29 service-2 kernel: [] stub_execve+0x6a/0xc0
>>
>> This sequence of messages is repeated many times.
>>
>> I did not have any problems logging into the other two freeipa systems on
>> the network. The servers are currently used exclusively for freeipa.
>>
>> Any ideas what may have happened?
>
> Do you see anything in the sssd logs in /var/log/sssd? ext4_file_open
> might indicate that sssd is stuck while trying to open a file. Have you
> tried to run a filesystem check?
>
> bye,
> Sumit
>
>> rpm -qa | grep ipa
>> libipa_hbac-1.9.2-82.7.el6_4.x86_64
>> ipa-admintools-3.0.0-26.el6_4.4.x86_64
>> python-iniparse-0.3.1-2.1.el6.noarch
>> ipa-client-3.0.0-26.el6_4.4.x86_64
>> ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
>> ipa-server-3.0.0-26.el6_4.4.x86_64
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
>> ipa-python-3.0.0-26.el6_4.4.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>
>> Thanks,
>> Mike

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Login hangs / hung task?
On Wed, Jul 03, 2013 at 10:17:19AM -0400, Michael Mercier wrote:
> Hello,
>
> I tried to login (ssh) to one (of three) freeipa systems running on CentOS
> yesterday without success.
>
> Running 'ssh root@service-2', the server would reply with a password prompt
> and then hang. I went to the system console to discover many of the
> following messages on screen:
>
> Jun 30 service-2 kernel: INFO: task sssd_be:22447 blocked for more than 120 seconds.
> Jun 30 service-2 kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
>
> Trying to login on the console, I was able to enter a username, but the
> login process would hang after entering the password. After rebooting the
> system, I see the following in /var/log/messages
>
> Jun 30 00:29:29 service-2 kernel: INFO: task sssd_be:22447 blocked for more than 120 seconds.
> Jun 30 00:29:29 service-2 kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> Jun 30 00:29:29 service-2 kernel: sssd_be D 000e 0 22447 3673 0x0084
> Jun 30 00:29:29 service-2 kernel: 880827dffce8 0086
> Jun 30 00:29:29 service-2 kernel:
> Jun 30 00:29:29 service-2 kernel: 880827255058 880827dfffd8 fb88 880827255058
> Jun 30 00:29:29 service-2 kernel: Call Trace:
> Jun 30 00:29:29 service-2 kernel: [] ? ext4_file_open+0x0/0x130 [ext4]
> Jun 30 00:29:29 service-2 kernel: [] schedule_timeout+0x215/0x2e0
> Jun 30 00:29:29 service-2 kernel: [] ? nameidata_to_filp+0x54/0x70
> Jun 30 00:29:29 service-2 kernel: [] ? cpumask_next_and+0x29/0x50
> Jun 30 00:29:29 service-2 kernel: [] wait_for_common+0x123/0x180
> Jun 30 00:29:29 service-2 kernel: [] ? default_wake_function+0x0/0x20
> Jun 30 00:29:29 service-2 kernel: [] wait_for_completion+0x1d/0x20
> Jun 30 00:29:29 service-2 kernel: [] sched_exec+0xdc/0xe0
> Jun 30 00:29:29 service-2 kernel: [] do_execve+0xe0/0x2c0
> Jun 30 00:29:29 service-2 kernel: [] sys_execve+0x4a/0x80
> Jun 30 00:29:29 service-2 kernel: [] stub_execve+0x6a/0xc0
>
> This sequence of messages is repeated many times.
>
> I did not have any problems logging into the other two freeipa systems on the
> network. The servers are currently used exclusively for freeipa.
>
> Any ideas what may have happened?

Do you see anything in the sssd logs in /var/log/sssd? ext4_file_open might indicate that sssd is stuck while trying to open a file. Have you tried to run a filesystem check?

bye,
Sumit

> rpm -qa | grep ipa
> libipa_hbac-1.9.2-82.7.el6_4.x86_64
> ipa-admintools-3.0.0-26.el6_4.4.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> ipa-client-3.0.0-26.el6_4.4.x86_64
> ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
> ipa-server-3.0.0-26.el6_4.4.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
> ipa-python-3.0.0-26.el6_4.4.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>
> Thanks,
> Mike
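
Added example, not part of the original messages or of any SSSD/FreeIPA code: a small triage script for the hung-task reports quoted in this thread. It separates frames the kernel printed with a "?" (addresses seen on the stack but not confirmed as callers, which here includes ext4_file_open) from the confirmed call chain, and counts repeated reports per task; the function names and the list of wait helpers are choices made for this example.

```python
import re
from collections import Counter

# Kernel lines quoted in the thread, one record per line; "[]" is an address stripped by the archive.
SAMPLE = """\
Jun 30 00:29:29 service-2 kernel: INFO: task sssd_be:22447 blocked for more than 120 seconds.
Jun 30 00:29:29 service-2 kernel: Call Trace:
Jun 30 00:29:29 service-2 kernel: [] ? ext4_file_open+0x0/0x130 [ext4]
Jun 30 00:29:29 service-2 kernel: [] schedule_timeout+0x215/0x2e0
Jun 30 00:29:29 service-2 kernel: [] ? nameidata_to_filp+0x54/0x70
Jun 30 00:29:29 service-2 kernel: [] ? cpumask_next_and+0x29/0x50
Jun 30 00:29:29 service-2 kernel: [] wait_for_common+0x123/0x180
Jun 30 00:29:29 service-2 kernel: [] ? default_wake_function+0x0/0x20
Jun 30 00:29:29 service-2 kernel: [] wait_for_completion+0x1d/0x20
Jun 30 00:29:29 service-2 kernel: [] sched_exec+0xdc/0xe0
Jun 30 00:29:29 service-2 kernel: [] do_execve+0xe0/0x2c0
Jun 30 00:29:29 service-2 kernel: [] sys_execve+0x4a/0x80
Jun 30 00:29:29 service-2 kernel: [] stub_execve+0x6a/0xc0
"""

HUNG = re.compile(r"kernel: INFO: task (.+):(\d+) blocked for more than (\d+) seconds")
FRAME = re.compile(r"kernel:\s+\[(?:<[0-9a-f]+>)?\]\s+(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Generic sleep/wait helpers: present in almost every blocked task, so not informative.
WAIT_HELPERS = {"schedule", "schedule_timeout", "io_schedule", "wait_for_common", "wait_for_completion"}

def parse_hung_tasks(text):
    """Return one dict per hung-task report with its reliable and guessed frames."""
    reports = []
    for line in text.splitlines():
        hung, frame = HUNG.search(line), FRAME.search(line)
        if hung:
            reports.append({"comm": hung[1], "pid": int(hung[2]), "secs": int(hung[3]),
                            "reliable": [], "guessed": []})
        elif frame and reports:
            # "?" = address seen on the stack but not confirmed as part of the call chain.
            reports[-1]["guessed" if frame[1] else "reliable"].append(frame[2])
    return reports

def summarize(text):
    """Count reports per (task, first reliable frame that is not a wait helper)."""
    counts = Counter()
    for r in parse_hung_tasks(text):
        blocker = next((f for f in r["reliable"] if f not in WAIT_HELPERS), None)
        counts[(r["comm"], blocker)] += 1
    return counts

if __name__ == "__main__":
    for (comm, blocker), n in summarize(SAMPLE).items():
        print(f"{comm}: {n} report(s), blocked in {blocker}")
```
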
Re: [Freeipa-users] IPA, Samba and AD
On Wed, 03 Jul 2013, Fred van Zwieten wrote:
>> 1. Do you have the same realms for both IPA and AD?
>
> Yes.
>
>> 2. Do you have exactly same DNS domains for both IPA and AD?
>
> Also yes. Because of this we must, for now, maintain 2 separate DNS implementations: one for AD and one for IPA, because otherwise the service records would name-clash.
>
>> If I get correctly from the above description, your new RHEL 6.4 server is enrolled into IPA domain, i.e. its host keytab contains keys to the host service coming from IPA KDC. It probably also uses SSSD in both nsswitch and PAM configurations?
>
> Correct!
>
>> Are you planning to use pam_winbind/nss_winbind for the Samba/AD interoperability?
>
> I don't know yet. It depends on what works best with this setup. I am not (yet) a Samba wunderguy, so these discussions help me (thanks for that).

I'm not sure that this configuration will work flawlessly. If the host is not enrolled to IPA realm, you can easily make it working against AD domain. If you enrolled the host to IPA realm which is exactly same as AD domain, both DNS and krb5.conf collisions will be creating quite serious issues.

Basically, it is 'either - either' case.

--
/ Alexander Bokovoy
[Freeipa-users] Login hangs / hung task?
Hello,

I tried to login (ssh) to one (of three) freeipa systems running on CentOS yesterday without success.

Running 'ssh root@service-2', the server would reply with a password prompt and then hang. I went to the system console to discover many of the following messages on screen:

Jun 30 service-2 kernel: INFO: task sssd_be:22447 blocked for more than 120 seconds.
Jun 30 service-2 kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

Trying to login on the console, I was able to enter a username, but the login process would hang after entering the password. After rebooting the system, I see the following in /var/log/messages

Jun 30 00:29:29 service-2 kernel: INFO: task sssd_be:22447 blocked for more than 120 seconds.
Jun 30 00:29:29 service-2 kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
Jun 30 00:29:29 service-2 kernel: sssd_be D 000e 0 22447 3673 0x0084
Jun 30 00:29:29 service-2 kernel: 880827dffce8 0086
Jun 30 00:29:29 service-2 kernel:
Jun 30 00:29:29 service-2 kernel: 880827255058 880827dfffd8 fb88 880827255058
Jun 30 00:29:29 service-2 kernel: Call Trace:
Jun 30 00:29:29 service-2 kernel: [] ? ext4_file_open+0x0/0x130 [ext4]
Jun 30 00:29:29 service-2 kernel: [] schedule_timeout+0x215/0x2e0
Jun 30 00:29:29 service-2 kernel: [] ? nameidata_to_filp+0x54/0x70
Jun 30 00:29:29 service-2 kernel: [] ? cpumask_next_and+0x29/0x50
Jun 30 00:29:29 service-2 kernel: [] wait_for_common+0x123/0x180
Jun 30 00:29:29 service-2 kernel: [] ? default_wake_function+0x0/0x20
Jun 30 00:29:29 service-2 kernel: [] wait_for_completion+0x1d/0x20
Jun 30 00:29:29 service-2 kernel: [] sched_exec+0xdc/0xe0
Jun 30 00:29:29 service-2 kernel: [] do_execve+0xe0/0x2c0
Jun 30 00:29:29 service-2 kernel: [] sys_execve+0x4a/0x80
Jun 30 00:29:29 service-2 kernel: [] stub_execve+0x6a/0xc0

This sequence of messages is repeated many times.

I did not have any problems logging into the other two freeipa systems on the network. The servers are currently used exclusively for freeipa.

Any ideas what may have happened?

rpm -qa | grep ipa
libipa_hbac-1.9.2-82.7.el6_4.x86_64
ipa-admintools-3.0.0-26.el6_4.4.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
ipa-client-3.0.0-26.el6_4.4.x86_64
ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
ipa-server-3.0.0-26.el6_4.4.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
ipa-python-3.0.0-26.el6_4.4.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch

Thanks,
Mike
Re: [Freeipa-users] IPA, Samba and AD
> 1. Do you have the same realms for both IPA and AD?

Yes.

> 2. Do you have exactly same DNS domains for both IPA and AD?

Also yes. Because of this we must, for now, maintain 2 separate DNS implementations: one for AD and one for IPA, because otherwise the service records would name-clash.

> If I get correctly from the above description, your new RHEL 6.4 server is enrolled into IPA domain, i.e. its host keytab contains keys to the host service coming from IPA KDC. It probably also uses SSSD in both nsswitch and PAM configurations?

Correct!

> Are you planning to use pam_winbind/nss_winbind for the Samba/AD interoperability?

I don't know yet. It depends on what works best with this setup. I am not (yet) a Samba wunderguy, so these discussions help me (thanks for that).

Fred

On Wed, Jul 3, 2013 at 11:11 AM, Alexander Bokovoy wrote:

> On Wed, 03 Jul 2013, Fred van Zwieten wrote:
> >Hi there,
> >
> >We have an IPA domain and an AD domain with the exact same domain name.
> >This was set up like this because we had the idea at the time that we
> >wanted to migrate all AD to IPA. This is still the long term goal, but we
> >need to postpone that.
> >
> >All our RHEL62 and RHEL64 servers are IPA clients. Now, we want to
> >provision a new RHEL64 server who must run a Samba Server which must be
> >member of the AD domain.
> >
> >Questions:
> >
> >1. Is this possible?
> >2. Will the fact that both IPA and AD have the same name be a problem?
> >
> >I did some preliminary looking around and found the file /etc/krb5.conf as
> >a possible problem point.
> It would help to explain a bit more about your setup.
>
> 1. Do you have the same realms for both IPA and AD?
> 2. Do you have exactly same DNS domains for both IPA and AD?
>
> If I get correctly from the above description, your new RHEL 6.4 server
> is enrolled into IPA domain, i.e. its host keytab contains keys to
> the host service coming from IPA KDC. It probably also uses SSSD in both
> nsswitch and PAM configurations? Are you planning to use
> pam_winbind/nss_winbind for the Samba/AD interoperability?
>
> You can avoid hitting conflicting /etc/krb5.conf for both IPA and AD
> uses by containing Samba to use separate krb5.conf. You'll need to add
>
> KRB5_CONFIG=/path/to/specific/krb5.conf
>
> to the files that are sourced during start up of smbd/winbindd/nmbd.
>
> However, there will be certain problem with pam_winbind since it does
> not allow to redefine krb5.conf.
>
> --
> / Alexander Bokovoy
Re: [Freeipa-users] FreeIPA as Samba 4 Backend
On Wed, 03 Jul 2013, Arthur wrote:
> 28.06.2013 18:57, Simo Sorce wrote:
>> On Fri, 2013-06-28 at 14:09 +0800, Mail Robot wrote:
>>> Hi everyone,
>>>
>>> I am new to this mailing list. At the moment I would like to migrate all of my users from Microsoft Active Directory to Open Source, and what I have in mind is getting it into Samba 4. In extending the functionality of it, I decided to integrate FreeIPA as the backend to Samba 4. I saw some obsolete reference on how to use FreeIPA as Samba 4 backend, but I don't know where are the new reference. Herewith I would seek advice on how to go for my mission.
>>
>> Sorry to foil your plans but FreeIPA cannot be used as an LDAP backend to Samba4. We abandoned that path a few years ago as it became clear it was highly unlikely it would work.
>>
>> What we've done is that we change our integration strategy and introduced cross-realm trusts that would work with Active Directory. In the future this should work also with Samba4, but Samba4 code base currently lacks support for cross-forest trusts.
>>
>> Simo.
>
> Does it mean, that I can not make cross-realm trust between IPA-server & Samba4-server at this time?

No, you cannot achieve cross-realm trust with Samba AD DC right now.

--
/ Alexander Bokovoy
Re: [Freeipa-users] IPA, Samba and AD
On Wed, 03 Jul 2013, Fred van Zwieten wrote:
> Hi there,
>
> We have an IPA domain and an AD domain with the exact same domain name. This was set up like this because we had the idea at the time that we wanted to migrate all AD to IPA. This is still the long term goal, but we need to postpone that.
>
> All our RHEL62 and RHEL64 servers are IPA clients. Now, we want to provision a new RHEL64 server who must run a Samba Server which must be member of the AD domain.
>
> Questions:
>
> 1. Is this possible?
> 2. Will the fact that both IPA and AD have the same name be a problem?
>
> I did some preliminary looking around and found the file /etc/krb5.conf as a possible problem point.

It would help to explain a bit more about your setup.

1. Do you have the same realms for both IPA and AD?
2. Do you have exactly same DNS domains for both IPA and AD?

If I get correctly from the above description, your new RHEL 6.4 server is enrolled into IPA domain, i.e. its host keytab contains keys to the host service coming from IPA KDC. It probably also uses SSSD in both nsswitch and PAM configurations? Are you planning to use pam_winbind/nss_winbind for the Samba/AD interoperability?

You can avoid hitting conflicting /etc/krb5.conf for both IPA and AD uses by containing Samba to use separate krb5.conf. You'll need to add

KRB5_CONFIG=/path/to/specific/krb5.conf

to the files that are sourced during start up of smbd/winbindd/nmbd.

However, there will be certain problem with pam_winbind since it does not allow to redefine krb5.conf.

--
/ Alexander Bokovoy
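
Added example, not part of the original message or of Samba/FreeIPA: a check that the running smbd/winbindd/nmbd processes really were started with the separate KRB5_CONFIG described above, by reading each process's environment from /proc. The helper names and sample data are constructed for this example; /path/to/specific/krb5.conf is the placeholder path from the message.

```python
import os

DAEMONS = ("smbd", "winbindd", "nmbd")   # the daemons named in the reply

def parse_environ(blob):
    """Decode the NUL-separated KEY=VALUE block exposed as /proc/<pid>/environ."""
    env = {}
    for item in blob.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def audit(procs, expected):
    """procs yields (pid, name, environ_bytes); return Samba daemons not using `expected`."""
    findings = []
    for pid, name, blob in procs:
        if name in DAEMONS:
            actual = parse_environ(blob).get("KRB5_CONFIG")
            if actual != expected:
                # None: variable absent, so libkrb5 falls back to the system /etc/krb5.conf
                findings.append((pid, name, actual))
    return findings

def live_processes(proc="/proc"):
    """Yield (pid, name, environ) for each process; run as root to read every environ."""
    for entry in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{entry}/status") as s, open(f"{proc}/{entry}/environ", "rb") as e:
                yield int(entry), s.readline().split(":", 1)[1].strip(), e.read()
        except (OSError, IndexError):
            continue   # process exited meanwhile, or environ not readable

# Constructed sample: smbd started with the override, winbindd without it,
# nmbd pointing at the system file, plus an unrelated process that is ignored.
SAMPLE = [
    (2101, "smbd", b"PATH=/sbin:/usr/sbin\0KRB5_CONFIG=/path/to/specific/krb5.conf\0"),
    (2102, "winbindd", b"PATH=/sbin:/usr/sbin\0LANG=C\0"),
    (2103, "nmbd", b"KRB5_CONFIG=/etc/krb5.conf\0"),
    (3673, "sssd", b"PATH=/sbin:/usr/sbin\0"),
]

if __name__ == "__main__":
    for pid, name, actual in audit(live_processes(), "/path/to/specific/krb5.conf"):
        print(f"{name}[{pid}]: KRB5_CONFIG={actual!r}")
```

/proc/<pid>/environ shows the environment as it was when the daemon was exec'd, so run the check after restarting the services.
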
[Freeipa-users] IPA, Samba and AD
Hi there,

We have an IPA domain and an AD domain with the exact same domain name. This was set up like this because we had the idea at the time that we wanted to migrate all AD to IPA. This is still the long term goal, but we need to postpone that.

All our RHEL62 and RHEL64 servers are IPA clients. Now, we want to provision a new RHEL64 server who must run a Samba Server which must be member of the AD domain.

Questions:

1. Is this possible?
2. Will the fact that both IPA and AD have the same name be a problem?

I did some preliminary looking around and found the file /etc/krb5.conf as a possible problem point.

Thanks for thinking along!

Fred

Seeing, contrary to popular wisdom, isn’t believing. It’s where belief stops, because it isn’t needed any more.. (Terry Pratchett)