Hi Team,
First of all, many thanks for sssd-13.3 which has finally found its way into RH-6.8. It seems to be first release I can use in my environment without having to use any obscure hacks I hated from the very beginning.
Good work!
I also noticed that this version can (seems like) finally refresh machine account in AD/IPA domain. Unfortunately this does not seem to work for me:
(Wed May 25 09:14:08 2016) [sssd[be[default]]] [be_ptask_schedule] (0x0400): Task [AD machine account password renewal]: scheduling task 86400 seconds from now [1464246848] (Wed May 25 09:15:08 2016) [sssd[be[default]]] [ad_machine_account_password_renewal_timeout] (0x0020): Timeout reached for AD renewal child. (Wed May 25 09:15:08 2016) [sssd[be[default]]] [be_ptask_done] (0x0040): Task [AD machine account password renewal]: failed with [1432158266]: AD renewal child failed
What could be wrong? Thanks,
Ondrej
-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
On Wed, May 25, 2016 at 07:20:10AM +0000, Ondrej Valousek wrote:
Hi Team,
First of all, many thanks for sssd-13.3 which has finally found its way into RH-6.8. It seems to be first release I can use in my environment without having to use any obscure hacks I hated from the very beginning.
Good work!
I also noticed that this version can (seems like) finally refresh machine account in AD/IPA domain. Unfortunately this does not seem to work for me:
(Wed May 25 09:14:08 2016) [sssd[be[default]]] [be_ptask_schedule] (0x0400): Task [AD machine account password renewal]: scheduling task 86400 seconds from now [1464246848] (Wed May 25 09:15:08 2016) [sssd[be[default]]] [ad_machine_account_password_renewal_timeout] (0x0020): Timeout reached for AD renewal child. (Wed May 25 09:15:08 2016) [sssd[be[default]]] [be_ptask_done] (0x0040): Task [AD machine account password renewal]: failed with [1432158266]: AD renewal child failed
What could be wrong?
Can you in increase the debug_level to 10? This should show some debug messages from adcli as well which might help to determine why it runs into a timeout.
bye, Sumit
Thanks,
Ondrej
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
Tried debug_level=0x1FF. Still the same error:
(Wed May 25 10:12:58 2016) [sssd[be[default]]] [be_ptask_done] (0x0040): Task [AD machine account password renewal]: failed with [2]: No such file or directory ...
(Wed May 25 10:13:58 2016) [sssd[be[default]]] [ad_machine_account_password_renewal_timeout] (0x0020): Timeout reached for AD renewal child. (Wed May 25 10:13:58 2016) [sssd[be[default]]] [be_ptask_done] (0x0040): Task [AD machine account password renewal]: failed with [1432158266]: AD renewal child failed
What does "No such file or directory" mean???? Ondrej
-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
Ok, this is probably important: (Wed May 25 10:12:58 2016) [sssd[be[default]]] [ad_machine_account_password_renewal_send] (0x0020): Could not exec renewal child: [2][No such file or directory].
Ondrej
-----Original Message----- From: Ondrej Valousek [mailto:Ondrej.Valousek@s3group.com] Sent: Wednesday, May 25, 2016 10:33 AM To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: SSSD in RHEL 6.8
Tried debug_level=0x1FF. Still the same error:
(Wed May 25 10:12:58 2016) [sssd[be[default]]] [be_ptask_done] (0x0040): Task [AD machine account password renewal]: failed with [2]: No such file or directory ...
(Wed May 25 10:13:58 2016) [sssd[be[default]]] [ad_machine_account_password_renewal_timeout] (0x0020): Timeout reached for AD renewal child. (Wed May 25 10:13:58 2016) [sssd[be[default]]] [be_ptask_done] (0x0040): Task [AD machine account password renewal]: failed with [1432158266]: AD renewal child failed
What does "No such file or directory" mean???? Ondrej
-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18. _______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
On (25/05/16 08:40), Ondrej Valousek wrote:
Ok, this is probably important: (Wed May 25 10:12:58 2016) [sssd[be[default]]] [ad_machine_account_password_renewal_send] (0x0020): Could not exec renewal child: [2][No such file or directory].
Do you have installed adcli on you machine?
LS
On Wed, May 25, 2016 at 10:47:25AM +0200, Lukas Slebodnik wrote:
On (25/05/16 08:40), Ondrej Valousek wrote:
Ok, this is probably important: (Wed May 25 10:12:58 2016) [sssd[be[default]]] [ad_machine_account_password_renewal_send] (0x0020): Could not exec renewal child: [2][No such file or directory].
Do you have installed adcli on you machine?
Please be aware of: https://fedorahosted.org/sssd/ticket/3017 and: https://fedorahosted.org/sssd/ticket/3016
These bugs have either fixes upstream or on review on the sssd-devel list and I would like them to be fixed in the next RHEL-6.8 update as well..
Did not have it installed - why isn't dependancy on it in sssd rpm package? It's only 100Kb package, no big deal :-) It is working now, thanks - will monitor FD leaks.
Ondrej
-----Original Message----- From: Jakub Hrozek [mailto:jhrozek@redhat.com] Sent: Wednesday, May 25, 2016 10:51 AM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: SSSD in RHEL 6.8
On Wed, May 25, 2016 at 10:47:25AM +0200, Lukas Slebodnik wrote:
On (25/05/16 08:40), Ondrej Valousek wrote:
Ok, this is probably important: (Wed May 25 10:12:58 2016) [sssd[be[default]]] [ad_machine_account_password_renewal_send] (0x0020): Could not exec renewal child: [2][No such file or directory].
Do you have installed adcli on you machine?
Please be aware of: https://fedorahosted.org/sssd/ticket/3017 and: https://fedorahosted.org/sssd/ticket/3016
These bugs have either fixes upstream or on review on the sssd-devel list and I would like them to be fixed in the next RHEL-6.8 update as well.. _______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
On Wed, May 25, 2016 at 09:51:35AM +0000, Ondrej Valousek wrote:
Did not have it installed - why isn't dependancy on it in sssd rpm package? It's only 100Kb package, no big deal :-) It is working now, thanks - will monitor FD leaks.
Since this is an option feature, it can be disabled in sssd.conf, it should be possible to remove the adcli package if not needed. If it is a dependency in the rpm package it would not be easy to remove it with some package managers.
The patches for the ticket below should make SSSD behave better if adcli is not available by automatically disabling the keytab renewal and a log message asking to install it with this feature is needed.
HTH
bye, Sumit
Ondrej
-----Original Message----- From: Jakub Hrozek [mailto:jhrozek@redhat.com] Sent: Wednesday, May 25, 2016 10:51 AM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: SSSD in RHEL 6.8
On Wed, May 25, 2016 at 10:47:25AM +0200, Lukas Slebodnik wrote:
On (25/05/16 08:40), Ondrej Valousek wrote:
Ok, this is probably important: (Wed May 25 10:12:58 2016) [sssd[be[default]]] [ad_machine_account_password_renewal_send] (0x0020): Could not exec renewal child: [2][No such file or directory].
Do you have installed adcli on you machine?
Please be aware of: https://fedorahosted.org/sssd/ticket/3017 and: https://fedorahosted.org/sssd/ticket/3016
These bugs have either fixes upstream or on review on the sssd-devel list and I would like them to be fixed in the next RHEL-6.8 update as well.. _______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18. _______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
Ok, got it. BTW - is there a plan to support this feature for IPA domain as well? O.
-----Original Message----- From: Sumit Bose [mailto:sbose@redhat.com] Sent: Wednesday, May 25, 2016 11:58 AM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: SSSD in RHEL 6.8
On Wed, May 25, 2016 at 09:51:35AM +0000, Ondrej Valousek wrote:
Did not have it installed - why isn't dependancy on it in sssd rpm package? It's only 100Kb package, no big deal :-) It is working now, thanks - will monitor FD leaks.
Since this is an option feature, it can be disabled in sssd.conf, it should be possible to remove the adcli package if not needed. If it is a dependency in the rpm package it would not be easy to remove it with some package managers.
The patches for the ticket below should make SSSD behave better if adcli is not available by automatically disabling the keytab renewal and a log message asking to install it with this feature is needed.
HTH
bye, Sumit
Ondrej
-----Original Message----- From: Jakub Hrozek [mailto:jhrozek@redhat.com] Sent: Wednesday, May 25, 2016 10:51 AM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: SSSD in RHEL 6.8
On Wed, May 25, 2016 at 10:47:25AM +0200, Lukas Slebodnik wrote:
On (25/05/16 08:40), Ondrej Valousek wrote:
Ok, this is probably important: (Wed May 25 10:12:58 2016) [sssd[be[default]]] [ad_machine_account_password_renewal_send] (0x0020): Could not exec renewal child: [2][No such file or directory].
Do you have installed adcli on you machine?
Please be aware of: https://fedorahosted.org/sssd/ticket/3017 and: https://fedorahosted.org/sssd/ticket/3016
These bugs have either fixes upstream or on review on the sssd-devel list and I would like them to be fixed in the next RHEL-6.8 update as well.. _______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahost ed.org
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18. _______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahost ed.org
_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
On 05/25/2016 12:00 PM, Ondrej Valousek wrote:
Ok, got it. BTW - is there a plan to support this feature for IPA domain as well? O.
I am not aware of a specific plan, I do not think we even have a SSSD ticket. Please file a bug/ticket if you need this feature.
In general, we did not see that part as pressing as the AD keytab one, as there are no functional implications on IPA side when the keytab is not rotated. With AD, things may break under certain settings, so that was the first priority.
With SSSD&FreeIPA, you can also rotate the keytab with cron+ipa-getkeytab combo until we have such feature.
HTH, Martin
-----Original Message----- From: Sumit Bose [mailto:sbose@redhat.com] Sent: Wednesday, May 25, 2016 11:58 AM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: SSSD in RHEL 6.8
On Wed, May 25, 2016 at 09:51:35AM +0000, Ondrej Valousek wrote:
Did not have it installed - why isn't dependancy on it in sssd rpm package? It's only 100Kb package, no big deal :-) It is working now, thanks - will monitor FD leaks.
Since this is an option feature, it can be disabled in sssd.conf, it should be possible to remove the adcli package if not needed. If it is a dependency in the rpm package it would not be easy to remove it with some package managers.
The patches for the ticket below should make SSSD behave better if adcli is not available by automatically disabling the keytab renewal and a log message asking to install it with this feature is needed.
HTH
bye, Sumit
Ondrej
-----Original Message----- From: Jakub Hrozek [mailto:jhrozek@redhat.com] Sent: Wednesday, May 25, 2016 10:51 AM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: SSSD in RHEL 6.8
On Wed, May 25, 2016 at 10:47:25AM +0200, Lukas Slebodnik wrote:
On (25/05/16 08:40), Ondrej Valousek wrote:
Ok, this is probably important: (Wed May 25 10:12:58 2016) [sssd[be[default]]] [ad_machine_account_password_renewal_send] (0x0020): Could not exec renewal child: [2][No such file or directory].
Do you have installed adcli on you machine?
Please be aware of: https://fedorahosted.org/sssd/ticket/3017 and: https://fedorahosted.org/sssd/ticket/3016
These bugs have either fixes upstream or on review on the sssd-devel list and I would like them to be fixed in the next RHEL-6.8 update as well.. _______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahost ed.org
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18. _______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahost ed.org
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18. _______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
sssd-users@lists.fedorahosted.org