On Tue, Apr 08, 2014 at 08:27:01AM +0300, Alexander Bokovoy wrote:
> On Fri, 04 Apr 2014, Alexander Bokovoy wrote:
> >>tevent: Destroying timer event 0x7facb82e9d30
> >>"dcerpc_connect_timeout_handler"
> >^^ stopped just short of authenticating to smbd prior to ask it for
> >informational policy about the domain.
> >
> >This means there is some problem in what smbd thinks about your
> >admin@UNIX account.
> >
> >Can you do following:
> >
> ># for i in /var/log/samba/log.* ; do echo > $i ; done
> ># smbcontrol all debug 100
> ># kinit admin@UNIX
> ># ipa trust-add sbx.local ....
> ># smbcontrol all debug 1
> >
> >now archive logs in /var/log/samba/log.* and send them to me privately.
>
> After several rounds of capturing logs, we've solved the issue by
> finding out that IPv6 stack was completely disabled on the machine.
>
> Even though certain security guides may suggest disabling IPv6 stack
> when it is not in use, this suggestion is not very usable. IPv4 and IPv6
> share the same port range on the local side, so it is a recommended
> programming practice for networking applications to only open IPv6
> sockets. Standard C library (glibc, for example) handles transparently
> both IPv4 and IPv6 cases for the applications.
>
> Samba and some of other FreeIPA components open their networking sockets
> as IPv6 ones. Completely disabling IPv6 stack on the machine causes
> these requests to open a socket to fail as kernel will be responding "do
> not know this socket address family".
>
> If your security guidelines require disabling IPv6 address space, please
> don't add ipv6.disable=1 to the kernel commandline to disable the whole
> IPv6 stack. Instead, use ipv6.disable_ipv6=1. The latter option will
> keep the IPv6 stack functional but will not assign IPv6 addresses to any
> of your network devices. This is recommended approach for cases when
> you don't use IPv6 networking.
>
> Creating and adding to, for example, /etc/sysctl.d/ipv6.conf will avoid
> assigning IPv6 addresses to a specific network interface:
>
> # Disable IPv6
> net.ipv6.conf.all.disable_ipv6 = 1
> net.ipv6.conf.<interface0>.disable_ipv6 = 1
>
> where interface0 is your specialized interface. Note that all we are
> requiring is that IPv6 stack is enabled at the kernel level and this
> is recommended way to develop networking applications for a long time
> already.
>
> I've updated http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
> and http://www.freeipa.org/page/Deployment_Recommendations with this
> information.

Thank you for getting to the bottom of this. Do you think we should
check this setting during ipa-adtrust-install or even during
ipa-server-install?

bye,
Sumit

> --
> / Alexander Bokovoy

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
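
A preflight check of the kind asked about in the reply above, as an added example that is not part of the original thread and is not FreeIPA's own installer code. The function names are hypothetical; the check tells ipv6.disable=1 (AF_INET6 sockets fail) apart from ipv6.disable_ipv6=1 (stack loaded, no addresses assigned).

```python
import errno
import socket


def cmdline_disables_stack(cmdline):
    """True only for ipv6.disable=1; ipv6.disable_ipv6=1 keeps the stack loaded."""
    return "ipv6.disable=1" in cmdline.split()


def probe_ipv6_socket(socket_factory=socket.socket):
    """Open and close an AF_INET6 socket, as an IPv6-only listener would."""
    try:
        sock = socket_factory(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError as exc:
        if exc.errno == errno.EAFNOSUPPORT:
            return False  # kernel does not know this address family
        raise
    sock.close()
    return True


def preflight(cmdline, socket_factory=socket.socket):
    """Return (ok, message) for an installer to report before continuing."""
    if probe_ipv6_socket(socket_factory):
        return True, "IPv6 stack available"
    if cmdline_disables_stack(cmdline):
        return False, ("IPv6 stack disabled by ipv6.disable=1; "
                       "use ipv6.disable_ipv6=1 instead")
    return False, "AF_INET6 sockets unsupported; IPv6 stack is not available"


if __name__ == "__main__":
    # On a real host the kernel command line is read from /proc/cmdline.
    with open("/proc/cmdline") as fh:
        ok, message = preflight(fh.read())
    print(message)
    raise SystemExit(0 if ok else 1)
```

The socket_factory parameter exists only so the failure path can be exercised on a machine where IPv6 is enabled.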
