third client wont authenticate either.... So I guess its a problem around the install script if not selinux
regards ________________________________________ From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Steven Jones [steven.jo...@vuw.ac.nz] Sent: Friday, 11 March 2011 11:06 a.m. To: Stephen Gallagher; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA While installing my third client selinux popped up a warning it was blocking access to krb5....so Im wondering if the reason teh install of the client is failing is due to selinux? regards ________________________________________ From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Stephen Gallagher [sgall...@redhat.com] Sent: Friday, 11 March 2011 4:31 a.m. To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Unable to authenticate a client user against IPA -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/10/2011 10:10 AM, Simo Sorce wrote: > ----- Original Message ----- >> Steven Jones wrote: >>> Ok, >>> >>> However I cant LDAP/Ipa authenticate still....on either >>> client.......... >>> >>> So what next? >> >> sssd handles logins, you can try turning up the log level on that >> (though I suspect it wasn't the reboot that fixed this but >> restarting sssd). > > If sssd was never used before then what was needed was a restart of > the services using it (sshd, gdm), as nsswitch.conf is never re-read > by glibc, you can't use the new users until those services are > restarted after nsswitch.conf is modified. > > I think we also offer to restart the client after ipa-client-install > exactly as a way to restart all services that may depend on picking > up this change. That reboot is not necessary if you manually restart > all services after that, but if you don't than you better do a reboot > as we suggest. > >> As part of ipa-client-install sssd is restarted and tested via >> 'getent passwd admin'. This should be visible in >> /var/log/ipaclient-install.log. Did this command succeed? > > Even if this succeed, authentication via gdm or ssh can still fail > until the services are restarted. > > Just pointing out this fact as a help point for other users testing > ipa-client-install in future. FYI, while this might be an issue for sshd, GDM actually has a workaround for this and doesn't need a restart. GDM just forks and exec's the 'id' command instead of calling getpwent directly. - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk147s0ACgkQeiVVYja6o6OQBgCeNHlXcAm4liybFkJwS0Q+mWTt vtkAoIsKvsa2qowVZr0pMrjVGOqaLkeq =CC82 -----END PGP SIGNATURE----- _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
