Craig T wrote:
Hi,

I tried letting the client install go and it does eventually finish, however 
SSSD_NSS queries don't work.
See errors below;

----------------------------------------------------------------------
[root@chtvm-centos-6 /]# ipa-client-install
Discovery was successful!
Hostname: chtvm-centos-6.example.com
Realm: example.com
DNS Domain: example.com
IPA Server: chtvm-389.example.com
BaseDN: dc=example,dc=com

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Password for ad...@example.com:

Enrolled in IPA realm example.com
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm example.com
SSSD enabled
Kerberos 5 enabled
Unable to find 'admin' user with 'getent passwd admin'!
Recognized configuration: SSSD
NTP enabled
Client configuration complete.

-------------------------------------------------------------------------------------------------------------------------
File: /var/log/sssd/sssd_nss.log
(Wed Nov 30 10:34:16 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
(Wed Nov 30 10:34:46 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
(Wed Nov 30 10:35:16 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
(Wed Nov 30 10:35:46 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
-------------------------------------------------------------------------------------------------------------------------
File: /var/log/sssd/sssd_pam.log
(Wed Nov 30 10:34:16 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider.
(Wed Nov 30 10:34:46 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider.
(Wed Nov 30 10:35:16 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider.
(Wed Nov 30 10:35:46 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider.
-------------------------------------------------------------------------------------------------------------------------
Debug Version:
File: /var/log/sssd/sssd_nss.log
(Wed Nov 30 10:47:09 2011) [sssd[nss]] [sbus_dispatch] (6): SBUS is reconnecting. Deferring.
(Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_dispatch] (9): dbus conn: 0
(Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_dispatch] (6): SBUS is reconnecting. Deferring.
(Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_reconnect] (3): Making reconnection attempt 3 to [unix:path=/var/lib/sss/pipes/private/sbus-dp_example.com]
(Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_reconnect] (1): Failed to open connection: name=org.freedesktop.DBus.Error.NoServer, message=Failed to connect to socket /var/lib/sss/pipes/private/sbus-dp_example.com: Connection refused
(Wed Nov 30 10:47:10 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
-------------------------------------------------------------------------------------------------------------------------

Can you see if there are any SELinux AVCs (/var/log/audit/audit.log)?

Is the messagebus service running?



"getent passwd admin" returns no result at all.

That is expected if sssd can't connect.

rob



Regards,

Craig

On Tue, Nov 29, 2011 at 10:01:52AM -0500, Rob Crittenden wrote:
Craig T wrote:
I can really see how you came to that conclusion, I'm not sure if I'll get the 
luxury of choice, due to the servers in our environment. Centos 6.1 could be 
updated enough, so we might just have to wait for that.

I would think the version you have would work fine.

What it is doing is testing to be sure that nss is working as
expected. It can take some time for sssd to come up, connect to the
IPA server, etc, so we loop and try several times (IIRC 5 in your
version) to look up a known remote user (admin).

If it never does successfully get the admin user you should get an
error that nss_ldap can't be configured (yeah, I know, we're using
sssd. We fixed this). If you aren't getting this message and the
client otherwise seems to be installing ok then things are fine.

rob



cya

Craig

On Tue, Nov 29, 2011 at 12:23:52PM +0100, Sigbjorn Lie wrote:
On Tue, November 29, 2011 01:52, Craig T wrote:
Hi,


I was getting a lot of errors with the default ipa-client for Centos 6.0, so
I've upgraded Centos 6 to use the RHEL6.2 RPMS for IPA (now version 2.1.1).
I get a lot further, but seems to stall right at the end of the
ipa-client-install command.

Current Spec;
Server:
RHEL 6.2 Beta
ipa-admintools-2.1.1-4.el6.x86_64
ipa-client-2.1.1-4.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-2.1.1-4.el6.x86_64
ipa-server-2.1.1-4.el6.x86_64
ipa-server-selinux-2.1.1-4.el6.x86_64

Client:
Centos 6.0 x64
ipa-client-2.1.1-4.el6.x86_64


Just an odd error during the "ipa-client-install" command, the installer seems
to pause on kerberos;

[root@server-centos-6 ~]# ipa-client-install
Discovery was successful!
Hostname: server-centos-6.example.com
Realm: example.com
DNS Domain: example.com
IPA Server: server-389.example.com
BaseDN: dc=example,dc=com



Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Password for ad...@example.com:


Enrolled in IPA realm example.com
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm example.com
SSSD enabled
Kerberos 5 enabled



When run in debug mode it shows this;
Kerberos 5 enabled
root        : DEBUG    args=getent passwd admin
root        : DEBUG    stdout=
root        : DEBUG    stderr=
root        : DEBUG    args=getent passwd admin
root        : DEBUG    stdout=
root        : DEBUG    stderr=
root        : DEBUG    args=getent passwd admin
root        : DEBUG    stdout=
root        : DEBUG    stderr=
root        : DEBUG    args=getent passwd admin
root        : DEBUG    stdout=
root        : DEBUG    stderr=



Advice anyone?



I found CentOS to be too far behind, so I started using Scientific Linux 6.1
with latest packages from RHEL 6.2 beta for clients instead.

I found the IPA server was easiest to test using Fedora 15.

For production, wait for RHEL 6.2. It's not far away now. :)


Regards,
Siggi



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
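
The SSSD log excerpts in this thread follow a fixed `(timestamp) [sssd[responder]] [function] (level): message` layout, so they can be triaged mechanically. The following is an added example, not part of the original messages and not FreeIPA or SSSD code: it re-joins mail-wrapped log lines and reports, per responder, the provider socket and D-Bus error behind "Could not reconnect". The sample log is constructed from lines quoted in the thread, and the names `parse_records` and `triage` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the sssd_nss.log / sssd_pam.log excerpts
# in the thread; the last record is left mail-wrapped on purpose.
SAMPLE_LOG = """\
(Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_reconnect] (3): Making reconnection attempt 3 to [unix:path=/var/lib/sss/pipes/private/sbus-dp_example.com]
(Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_reconnect] (1): Failed to open connection: name=org.freedesktop.DBus.Error.NoServer, message=Failed to connect to socket /var/lib/sss/pipes/private/sbus-dp_example.com: Connection refused
(Wed Nov 30 10:47:10 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
(Wed Nov 30 10:47:16 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not
reconnect to example.com provider.
"""

REC = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<svc>\w+)\]\] "
                 r"\[(?P<func>\w+)\] \((?P<lvl>\d+)\): (?P<msg>.*)$")
GAVE_UP = re.compile(r"Could not reconnect to (?P<domain>\S+) provider")
REFUSED = re.compile(r"name=(?P<err>[\w.]+), message=Failed to connect to "
                     r"socket (?P<sock>\S+): (?P<why>.+)$")

def parse_records(text):
    """Re-join wrapped continuation lines, then split each record into fields."""
    joined = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("(") or not joined:
            joined.append(line)        # a new record starts with "(timestamp)"
        else:
            joined[-1] += " " + line   # continuation of a wrapped record
    return [m.groupdict() for m in map(REC.match, joined) if m]

def triage(text):
    """Summarise, per responder (nss, pam), why it cannot reach its provider."""
    out = defaultdict(lambda: {"domain": None, "gave_up": 0, "socket": None,
                               "dbus_error": None, "reason": None})
    for r in parse_records(text):
        s = out[r["svc"]]
        if (m := GAVE_UP.search(r["msg"])):
            s["domain"] = m["domain"]
            s["gave_up"] += 1
        elif (m := REFUSED.search(r["msg"])):
            s.update(socket=m["sock"], dbus_error=m["err"], reason=m["why"])
    return dict(out)

if __name__ == "__main__":
    for svc, info in triage(SAMPLE_LOG).items():
        print(svc, info)
```

Only logs captured with a raised debug level contain the socket path and D-Bus error; at the default level the summary carries just the per-responder give-up count, as with the `pam` entry here.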

