While installing my third client, SELinux popped up a warning that it was blocking 
access to krb5... so I'm wondering if the reason the install of the client is 
failing is due to SELinux?


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Stephen Gallagher [sgall...@redhat.com]
Sent: Friday, 11 March 2011 4:31 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA

On 03/10/2011 10:10 AM, Simo Sorce wrote:
> ----- Original Message -----
>> Steven Jones wrote:
>>> Ok,
>>> However I can't LDAP/IPA authenticate still... on either
>>> client...
>>> So what next?
>> sssd handles logins, you can try turning up the log level on that
>> (though I suspect it wasn't the reboot that fixed this but
>> restarting sssd).
> If sssd was never used before then what was needed was a restart of
> the services using it (sshd, gdm), as nsswitch.conf is never re-read
> by glibc, you can't use the new users until those services are
> restarted after nsswitch.conf is modified.
> I think we also offer to restart the client after ipa-client-install
> exactly as a way to restart all services that may depend on picking
> up this change. That reboot is not necessary if you manually restart
> all services after that, but if you don't then you better do a reboot
> as we suggest.
>> As part of ipa-client-install sssd is restarted and tested via
>> 'getent passwd admin'. This should be visible in
>> /var/log/ipaclient-install.log. Did this command succeed?
> Even if this succeeds, authentication via gdm or ssh can still fail
> until the services are restarted.
> Just pointing out this fact as a help point for other users testing
> ipa-client-install in future.

FYI, while this might be an issue for sshd, GDM actually has a
workaround for this and doesn't need a restart. GDM just forks and
exec's the 'id' command instead of calling getpwent directly.

--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
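
The point made in this thread, that services started before nsswitch.conf was modified keep the old lookup configuration until they are restarted, can be checked on a client. The following is an added example, not part of the original messages or of FreeIPA: it lists processes whose start time predates a file's last modification. It assumes Linux /proc and a `stat` that supports `-c %Y`; the function names are illustrative.

```bash
#!/bin/bash
# Added example: list processes that started before a file was last modified.
# Assumes Linux /proc; proc_start_epoch and stale_pids are illustrative names.

# Print the start time of PID in seconds since the epoch; fail if it has exited.
proc_start_epoch() {
    local pid=$1 line rest btime hz
    { read -r line < "/proc/$pid/stat"; } 2>/dev/null || return 1
    # The command name (field 2) may contain spaces or ')': cut at the last ") ".
    rest=${line##*) }
    # $rest now begins at field 3 (state), so starttime (field 22) is word 20.
    set -- $rest
    [ "$#" -ge 20 ] || return 1
    # starttime is in clock ticks since boot; btime is the boot time in seconds.
    btime=$(awk '/^btime /{print $2}' /proc/stat)
    hz=$(getconf CLK_TCK 2>/dev/null || echo 100)
    echo $(( btime + ${20} / hz ))
}

# Print "PID COMMAND" for every process started before FILE was last modified.
stale_pids() {
    local file=$1 mtime dir pid start comm
    mtime=$(stat -c %Y -- "$file") || return 1
    for dir in /proc/[0-9]*; do
        pid=${dir#/proc/}
        start=$(proc_start_epoch "$pid") || continue   # process exited meanwhile
        if [ "$start" -lt "$mtime" ]; then
            { read -r comm < "$dir/comm"; } 2>/dev/null || comm='?'
            echo "$pid $comm"
        fi
    done
}

# Usage: bash stale_pids.sh /etc/nsswitch.conf
if [ "$#" -gt 0 ]; then
    stale_pids "$1"
fi
```

The output also includes kernel threads and daemons that never look up users, so the entries of interest are login-facing services such as sshd.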