karlmdavis / justdavis-ansible Goto Github PK

The LDAP server is configured to require authentication. I've gone back and forth on this, but I think it's probably for the best. However, that means that ldapsearch, nss_updatedb ldap, etc. won't work without a Kerberos ticket:

$ sudo /usr/sbin/nss_updatedb ldap
Failed to enumerate nameservice: Connection reset by peer
passwd... nameservice unavailable.
$ ldapsearch
SASL/GSS-SPNEGO authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (SPNEGO cannot find mechanisms to negotiate)

The right way to fix this is:

1. Create a Kerberos principal that Ansible can use when not running against eddings, e.g. ansible.
2. Use that principal to create a host keytab via kadmin on all workstations.
   • Probably not strictly necessary, but still a good idea.
3. Use that principal to create an nss_updatedb service keytab on all workstations.
4. Fix my cron job and other nss_updatedb usage to use that service keytab.

https://help.sonatype.com/display/NXRM3/System+Requirements#SystemRequirements-AdequateFileHandleLimits

This is resolved in https://github.com/savoirfairelinux/ansible-nexus3-oss, but that fix hasn't been released. Whatever release comes out after 1.7.1 (from 2017-05) should have it. Here's the fix: savoirfairelinux/ansible-nexus3-oss#17

Was just running into this:

$ /usr/bin/ldapsearch -H ldaps://justdavis.com -x -b dc=justdavis,dc=com -d 1
ldap_url_parse_ext(ldaps://justdavis.com)
ldap_create
ldap_url_parse_ext(ldaps://justdavis.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP justdavis.com:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 96.86.32.137:636
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect: 
connect success
TLS: peer cert untrusted or revoked (0x402)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Went away as soon as I restarted slapd. I'm pretty sure that it's just that when the LE certs are renewed, slapd needs to reload them.

I find myself getting prompted to authenticate as the non-LDAP local user account whenever I try to run admin actions in Gnome, e.g. connect to a wireless network.

I think this is a polkit thing: https://wiki.archlinux.org/index.php/Polkit. I suspect that adding my user to the sudo group may work around the problem.

Seems that Samba is coming up before the private ethernet interface, and so isn't listening to it after a reboot. Restarting smbd after each reboot works around the problem.

Just saw this in the RPS zone: the serial number had an extra character due to a typo, the zone didn't load, but the role thought everything was peachy.