Re: [Freeipa-users] GSSAPI for second hop (SSH)

2017-03-03 Thread Robbie Harwood
"Jason B. Nance" writes:

> I have a FreeIPA 4.4.0 setup with Active Directory trusts.  Users
> connecting to Linux servers from their domain-joined workstations are
> not required to enter a password for the first connection.  However,
> if they attempt to ssh to a second Linux machine from the first they
> are being prompted for a password.

What is the output if they klist on the first machine they SSH to?


signature.asc
Description: PGP signature
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Kerberos Clock Skew too great

2017-01-23 Thread Robbie Harwood
Rakesh Rajasekharan writes:

> One more question I was curious about: when does the krb5kdc.log get
> entries? I mean, is it only when someone makes an attempt to log in to a
> server that the log file krb5kdc.log on the IPA master gets updated, or
> are there other scenarios as well?

It's controlled by /etc/kdc.conf; take a look at the "[logging]" section in
`man 5 kdc.conf` for more information.



Re: [Freeipa-users] Kerberos Clock Skew too great

2017-01-19 Thread Robbie Harwood
Rakesh Rajasekharan writes:

>> Great, glad it's fixed!  Are these VMs?  If not, you may wish to
>> (re?)configure automatic syncing.
>
> Yes, these are AWS instances. How do I reconfigure auto syncing? Is
> there documentation I can follow?

During install of the IPA server, it will set up an NTP server (unless
you ask it not to).  During enrollment of each IPA client, it will
configure NTP against that server (unless you ask it not to).  Disabling
it is the -N flag in both cases.



Re: [Freeipa-users] Kerberos Clock Skew too great

2017-01-09 Thread Robbie Harwood
Rakesh Rajasekharan writes:

> There were about 1500 hosts that were alerting for "clock skew" and the
> issue went away only after I did a resync using ntpdate on all those hosts.

Great, glad it's fixed!  Are these VMs?  If not, you may wish to
(re?)configure automatic syncing.

> Is it possible that such a high number of minor offsets adds up and
> causes it? Because from the individual offsets it looks much below the 5 min limit.

Not as such, if I understand you correctly?  This should only be a
problem between any two machines that need to communicate (including the
freeipa KDC).

> Or, is there a way to tell what's the offset limit it's actually looking for?

5 minutes almost certainly.  The parameter to configure it is
"clockskew" in the config files, but I don't think IPA touches that.

Hope that helps,
--Robbie


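The thread above makes two points a FreeIPA admin will want to check for themselves: the KDC logs which client it rejected, and the skew that matters is the pairwise difference between one host and the KDC (limited by `clockskew`, 300 seconds by default), never a sum over many hosts. The following script is an added example, not code from the thread or from the krb5 or FreeIPA projects. The krb5kdc.log lines, host addresses, realm, status tokens and per-host NTP offsets are constructed placeholders; the parser keys only on the trailing "Clock skew too great" text that the thread quotes.

```python
"""Triage "Clock skew too great" errors from a KDC log (added example).

Two checks after the thread above:
  1. which client addresses the KDC is rejecting for skew, from krb5kdc.log;
  2. which hosts' measured clock offsets exceed the limit when compared
     pairwise against the KDC's own offset.
"""
import re
from collections import Counter

# krb5 [libdefaults] clockskew defaults to 300 seconds (5 minutes).
DEFAULT_CLOCKSKEW = 300

# Constructed sample krb5kdc.log lines. Hostnames, realm, addresses and the
# status tokens are placeholders; the parser keys on the trailing error text.
SAMPLE_KDC_LOG = """\
Jan 09 10:15:01 ipa.example.test krb5kdc[2201](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Jan 09 10:15:02 ipa.example.test krb5kdc[2201](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: PREAUTH_FAILED: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Clock skew too great
Jan 09 10:15:03 ipa.example.test krb5kdc[2201](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.12: PROCESS_TGS: host/web1.example.test@EXAMPLE.TEST for ldap/ipa.example.test@EXAMPLE.TEST, Clock skew too great
Jan 09 10:15:04 ipa.example.test krb5kdc[2201](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: ISSUE: authtime 1483956904, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Jan 09 10:15:05 ipa.example.test krb5kdc[2201](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: PREAUTH_FAILED: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Clock skew too great
"""

# Request type, the "(N etypes {...})" group, then the client address.
LOG_LINE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) \([^)]*\) "
    r"(?P<addr>[0-9A-Fa-f.:]+): (?P<rest>.*)$"
)
SKEW_TEXT = "Clock skew too great"


def skew_failures_by_client(log_text, skew_text=SKEW_TEXT):
    """Count skew rejections per client address (AS and TGS requests)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if m and m.group("rest").endswith(skew_text):
            counts[m.group("addr")] += 1
    return dict(counts)


def hosts_out_of_skew(offsets, kdc_offset=0.0, limit=DEFAULT_CLOCKSKEW):
    """Return hosts whose clock differs from the KDC's by more than `limit`.

    offsets: {host: offset in seconds from a common reference, e.g. what
    `ntpdate -q` or `chronyc tracking` reports}. The KDC compares its own
    clock with the requesting host's, so each host is judged by
    |offset - kdc_offset|; offsets of unrelated hosts never add up.
    """
    return sorted(h for h, off in offsets.items() if abs(off - kdc_offset) > limit)


# Constructed per-host offsets (seconds); positive means the host is ahead.
SAMPLE_OFFSETS = {"192.0.2.10": 320.0, "192.0.2.11": 30.0, "192.0.2.12": -290.0}


def triage(log_text=SAMPLE_KDC_LOG, offsets=SAMPLE_OFFSETS, kdc_offset=0.0):
    """Join both views: hosts the KDC rejected, annotated with measured offset."""
    rejected = skew_failures_by_client(log_text)
    bad = set(hosts_out_of_skew(offsets, kdc_offset))
    return {
        addr: {"rejections": n, "offset": offsets.get(addr), "over_limit": addr in bad}
        for addr, n in rejected.items()
    }


if __name__ == "__main__":
    # With the KDC itself 40 s off, a host at -290 s is rejected (330 s apart)
    # while a host at +320 s is not (280 s apart): measure the KDC too.
    for addr, info in sorted(triage(kdc_offset=40.0).items()):
        print(addr, info)
```

Run it against a real log by reading `/var/log/krb5kdc.log` into `skew_failures_by_client`, and fill `offsets` from whatever NTP query you use; the `kdc_offset` parameter exists because a drifting KDC rejects every client that is correct, which looks like "1500 hosts with small offsets" from the client side.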

Re: [Freeipa-users] Would fixing hosts file break kerberos

2016-11-17 Thread Robbie Harwood
William Muriithi writes:

> I just noticed that I used inappropriate way of setting up my hosts
> files and I am planning to make a fix.  I am however worried this may
> break Kerberos.  Should this change be of concern and have anyone made
> the changes before?

It will depend on what you named the host in the KDC and what your
DNS/canonicalization options are.

Any breakage will not be permanent; try it, see if it works, and if not,
revert it.



Re: [Freeipa-users] Fwd: Re: Increase ListenBacklog for httpd

2016-09-22 Thread Robbie Harwood
Rakesh Rajasekharan writes:

> Thanks Robbie for the inputs.. the load should not have been high as I
> have around 4000 clients with 160 users which should be manageable
>
> However, I saw a lot of clock skew too great errors in my
> krb5kdc.log...  however I haven't been able to verify if those were
> genuine...
>
> Can too many clock skew errors take down the Kerberos service?

Too much load of any kind will take down the service, but clock skew
problems shouldn't be particularly resource intensive.  Depending on
your client behavior, they may cause retries, which will mean about
twice as much traffic as normal, if memory serves.

You'll want to fix the clock skew problem regardless.



Re: [Freeipa-users] Fwd: Re: Increase ListenBacklog for httpd

2016-09-19 Thread Robbie Harwood
Rakesh Rajasekharan writes:

> On Mon, Sep 12, 2016 at 10:13 AM, Rakesh Rajasekharan wrote:
>
> Sorry, I guess I did not put the question correctly.
>
> I wanted to know: like we have the ListenBacklog for Apache to
> basically define the number of connections it can handle, do we
> have something similar for our krb5kdc service? As the SYN flooding
> at 88 looks like the krb5kdc service is not able to handle a sudden spurt
> in connections, or the number of connections is more than it could
> handle.
>
> So, it would be great if I could know how many connections it can
> support at any given time. Most of the time I see this error while
> I add clients to the IPA master, so if there's a known limit, I could
> first check netstat to see how many connections I have at any point
> and, if it's below the limit, only then set up ipa-client-install.

We intentionally do not have such a parameter in krb5.  We call
listen(5) internally, but please note this is probably not the parameter
you want to be able to tune.

The listen() backlog is the number of connections that are waiting to be
accept()ed by the process.  They sit in the kernel, not receiving
SYNACK.  This number does not count connections that the process - here
krb5kdc - has accept()ed and is currently processing.

If you're truly seeing connections faster than they can be accept()ed,
you have a load problem that tuning this parameter likely won't fix.
You should probably configure replicas: krb5 will fall back if the
connection is refused from one kdc to the next configured one.  This
will result in faster operation for your users than waiting on an
enormous listen() backlog will as well.

A tunable for the listen value may be added in the future, but is not
available at the present time.


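The reply above says the listen() backlog only counts completed connections waiting to be accept()ed, and that if clients arrive faster than the KDC accepts them the answer is replicas, not a bigger backlog. Before adding replicas it is worth confirming the backlog is actually the constraint. The script below is an added example, not code from the thread or from the krb5 project. It relies on two standard Linux facts: for a LISTEN socket `ss -ltn` shows the current accept-queue length in Recv-Q and the listen() backlog in Send-Q, and `nstat` exposes the kernel counters for connections dropped because that queue was full. The sample tool output and the "bottleneck" rule of thumb are constructed for the example.

```python
"""Check whether a krb5kdc listener is saturating its accept queue
(added example, not from the thread or the krb5 project).

For a LISTEN socket, `ss -ltn` reports completed connections waiting to be
accept()ed (Recv-Q) and the listen() backlog (Send-Q). `nstat` reports how
often the kernel dropped a connection because that queue was full. Together
they show whether the backlog is the bottleneck the reply above describes.
"""
import subprocess

KDC_PORT = 88

# Constructed sample output of `ss -ltn`; addresses and queue values are
# placeholders chosen to show one full and one partly used KDC listener.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  5       5       0.0.0.0:88          0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  2       5       [::]:88             [::]:*
LISTEN  0       511     *:443               *:*
"""

# Constructed sample output of `nstat -az TcpExtListenOverflows TcpExtListenDrops`.
SAMPLE_NSTAT = """\
#kernel
TcpExtListenOverflows           12                 0.0
TcpExtListenDrops               12                 0.0
"""


def parse_listeners(ss_output):
    """Return one dict per LISTEN line: local address, port, queued, backlog."""
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # header line or a non-listening socket
        local = parts[3]
        listeners.append({
            "local": local,
            "port": int(local.rsplit(":", 1)[1]),  # works for [::]:88 and *:443
            "queued": int(parts[1]),
            "backlog": int(parts[2]),
        })
    return listeners


def saturated_listeners(ss_output, port=KDC_PORT, threshold=1.0):
    """Listeners on `port` whose accept queue is at or above threshold*backlog."""
    return [
        l for l in parse_listeners(ss_output)
        if l["port"] == port and l["backlog"] > 0
        and l["queued"] / l["backlog"] >= threshold
    ]


def parse_nstat(nstat_output):
    """Map counter name -> value from `nstat` output (comment lines skipped)."""
    counters = {}
    for line in nstat_output.splitlines():
        if line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 2:
            counters[parts[0]] = int(parts[1])
    return counters


def listen_queue_report(ss_output, nstat_output, port=KDC_PORT):
    """Summarise whether the KDC's listen backlog is the bottleneck.

    Rule of thumb (constructed for this example): a full accept queue plus a
    non-zero overflow counter means clients are being refused at the kernel,
    i.e. the KDC process is not keeping up; that is a load problem, not a
    backlog-tuning problem.
    """
    full = saturated_listeners(ss_output, port)
    counters = parse_nstat(nstat_output)
    overflows = counters.get("TcpExtListenOverflows", 0)
    return {
        "saturated": [l["local"] for l in full],
        "listen_overflows": overflows,
        "backlog_is_bottleneck": bool(full) and overflows > 0,
    }


def live_report(port=KDC_PORT):
    """Run the real tools (Linux only) and feed their output to the parsers."""
    ss_out = subprocess.run(["ss", "-ltn"], capture_output=True,
                            text=True, check=True).stdout
    nstat_out = subprocess.run(
        ["nstat", "-az", "TcpExtListenOverflows", "TcpExtListenDrops"],
        capture_output=True, text=True, check=True).stdout
    return listen_queue_report(ss_out, nstat_out, port)


if __name__ == "__main__":
    print(listen_queue_report(SAMPLE_SS, SAMPLE_NSTAT))
```

`live_report()` is what you would run on the IPA master while enrolling clients; if `backlog_is_bottleneck` stays false, the SYN-flood messages on port 88 have another cause and a larger backlog would not have helped either way. Note that `nstat` counters are cumulative since boot unless you reset them, so compare two readings across the enrollment window.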