Re: [Freeipa-users] GSSAPI for second hop (SSH)
"Jason B. Nance" writes:
> I have a FreeIPA 4.4.0 setup with Active Directory trusts. Users
> connecting to Linux servers from their domain-joined workstations are
> not required to enter a password for the first connection. However,
> if they attempt to ssh to a second Linux machine from the first they
> are being prompted for a password.

What is the output if they klist on the first machine they SSH to?

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Kerberos Clock Skew too great
Rakesh Rajasekharan writes:
> one more question I was curious is.. when does the krb5kdc.log get entries
> . .. I mean is it only when someone makes an attempt to login to a server
> that the log file krb5kdc.log on the IPA master gets updated or there are
> other scenarios as well

It's controlled by /etc/kdc.conf; take a look at the "[logging]" section
in `man 5 kdc.conf` for more information.
Re: [Freeipa-users] Kerberos Clock Skew too great
Rakesh Rajasekharan writes:
>> Great, glad it's fixed! Are these VMs? If not, you may wish to
>> (re?)configure automatic syncing.
>
> yes these are AWS instances. How do I reconfigure auto syncing. Is
> there a documentation I can follow.

During install of the IPA server, it will set up an NTP server (unless
you ask it not to). During enrollment of each IPA client, it will
configure NTP against that server (unless you ask it not to). Disabling
it is the -N flag in both cases.
Re: [Freeipa-users] Kerberos Clock Skew too great
Rakesh Rajasekharan writes:
> There were about 1500 hosts that were alerting for "clock skew" and the
> issue went away only after I did a resync using ntpdate on all those hosts

Great, glad it's fixed! Are these VMs? If not, you may wish to
(re?)configure automatic syncing.

> Is it possible that so many higher number of minor offsets adds up and
> causes it. Coz from the individual offset it looks much below the 5min limit

Not as such, if I understand you correctly? This should only be a
problem between any two machines that need to communicate (including
the freeipa KDC).

> Or, is there a way to tell whats the offset limit its actually looking for.

5 minutes almost certainly. The parameter to configure it is
"clockskew" in the config files, but I don't think IPA touches that.

Hope that helps,

--Robbie
Re: [Freeipa-users] Would fixing hosts file break kerberos
William Muriithi writes:
> I just noticed that I used inappropriate way of setting up my hosts
> files and I am planning to make a fix. I am however worried this may
> break Kerberos. Should this change be of concern and have anyone made
> the changes before?

It will depend on what you named the host in the KDC and what your
DNS/canonicalization options are. Any breakage will not be permanent;
try it, see if it works, and if not, revert it.
Re: [Freeipa-users] Fwd: Re: Increase ListenBacklog for httpd
Rakesh Rajasekharan writes:
> Thanks Robbie for the inputs.. the load should not have been high as I
> have around 4000 clients with 160 users which should be manageable
>
> However, I saw a lot of clock skew too great errors in my
> krb5kdc.log... however I haven't been able to verify if those were
> genuine...
>
> Can too many clock skew errors take down the kerberos service..

Too much load of any kind will take down the service, but clock skew
problems shouldn't be particularly resource intensive. Depending on
your client behavior, they may cause retries, which will mean about
twice as much traffic as normal, if memory serves.

You'll want to fix the clock skew problem regardless.
Re: [Freeipa-users] Fwd: Re: Increase ListenBacklog for httpd
Rakesh Rajasekharan writes:
> On Mon, Sep 12, 2016 at 10:13 AM, Rakesh Rajasekharan wrote:
>
> sorry I guess I did not put the question correctly
>
> I wanted to know .. like we have the ListenBacklog for apache to
> basically define the number of connections it can handle.. do we
> have some thing similar for our krb5kdc service.. as the SYN flooding
> at 88 looks like krb5kdc service is not able to handle sudden spurt
> in connections or the number of connections are more than it could
> handle..
>
> So, would be great if I could know how many connection it can
> support at any given time ..most of the times I see this error while
> I add clients to IPA master.. so if there's a known limit, I could
> first check netstat to see how many connections I have at any point
> and if its below the limit only then setup ipa-client-install

We intentionally do not have such a parameter in krb5. We call
listen(5) internally, but please note this is probably not the
parameter you want to be able to tune.

The listen() backlog is the number of connections that are waiting to
be accept()ed by the process. They sit in the kernel, not receiving
SYNACK. This number does not count connections that the process - here
krb5kdc - has accept()ed and is currently processing.

If you're truly seeing connections faster than they can be accept()ed,
you have a load problem that tuning this parameter likely won't fix.
You should probably configure replicas: krb5 will fall back if the
connection is refused from one kdc to the next configured one. This
will result in faster operation for your users than waiting on an
enormous listen() backlog will as well.

A tunable for the listen value may be added in the future, but is not
available at the present time.
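As an added illustration of the distinction drawn above (this is not code from the thread or from the krb5 project), the following POSIX shell check reads `ss -ltn` output and reports, for the KDC port, how many completed connections are waiting to be accept()ed against the backlog the process asked for; it assumes the Linux `ss` column layout, where Recv-Q on a LISTEN socket is the current accept-queue depth and Send-Q is the listen() backlog, and runs against a constructed sample.

```shell
# Constructed sample in the layout `ss -ltn` prints on Linux for
# listening sockets: Recv-Q = completed connections not yet accept()ed,
# Send-Q = backlog passed to listen(). The 0.0.0.0:88 listener below
# is deliberately shown with a full queue (5 of 5).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 5      5      0.0.0.0:88          0.0.0.0:*
LISTEN 0      5      [::]:88             [::]:*
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*'

# accept_queue_check PORT
# Reads `ss -ltn` output on stdin, prints "addr queued=N backlog=M" for
# every listener on PORT, and exits 1 if any of them has queued >= backlog
# (the kernel will then start dropping SYNs to that socket), else 0.
accept_queue_check() {
    port="$1"
    awk -v port="$port" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); p = a[n]      # port is last ":"-field
            if (p == port) {
                printf "%s queued=%s backlog=%s\n", $4, $2, $3
                if ($2 + 0 >= $3 + 0) full = 1
            }
        }
        END { exit full ? 1 : 0 }'
}

# Live wrapper for a real KDC (Linux only; not exercised by the sample).
# Cumulative drop counters worth sampling alongside it:
#   nstat -az TcpExtListenOverflows TcpExtListenDrops
live_check() { ss -ltn | accept_queue_check "${1:-88}"; }
```

A full queue on port 88 together with rising ListenOverflows confirms the KDC really is accepting slower than clients arrive; the remedy in the reply above is more replicas, not a larger backlog.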