On Mon, 2012-01-30 at 10:02 -0500, Dan Scott wrote:
> On Mon, Jan 30, 2012 at 09:46, Stephen Gallagher <[email protected]> wrote:
> > On Mon, 2012-01-30 at 09:41 -0500, Dan Scott wrote:
> >> Hi,
> >>
> >> On Mon, Jan 30, 2012 at 08:19, Stephen Gallagher <[email protected]> wrote:
> >> > On Fri, 2012-01-27 at 15:00 -0500, Dan Scott wrote:
> >> >> On Fri, Jan 27, 2012 at 13:17, Stephen Gallagher <[email protected]> wrote:
> >> >> > On Fri, 2012-01-27 at 17:57 +0100, Jakub Hrozek wrote:
> >> >> >> On Fri, Jan 27, 2012 at 11:47:01AM -0500, Dan Scott wrote:
> >> >> >> > Hi,
> >> >> >> >
> >> >> >> > On Fri, Jan 27, 2012 at 10:48, Stephen Gallagher <[email protected]> wrote:
> >> >> >> > > On Fri, 2012-01-27 at 10:36 -0500, Dan Scott wrote:
> >> >> >> > >> Hi,
> >> >> >> > >>
> >> >> >> > >> I have a Fedora 16 client running sssd-client-1.6.4-1.fc16.x86_64.
> >> >> >> > >>
> >> >> >> > >> When I run, e.g. id djscott, I do not get the names of the groups:
> >> >> >> > >>
> >> >> >> > >> -bash-4.2$ id djscott
> >> >> >> > >> uid=768(djscott) gid=1002(legacy-group)
> >> >> >> > >> groups=1002(legacy-group),1134,1130,1118,1103,1108,1113,789600001(ipausers),1102,1109,1129,1111
> >> >> >> > >>
> >> >> >> > >> Is this because they have low GIDs? (These were migrated over from my
> >> >> >> > >> old FreeIPA 1 installation and I'd rather not re-number them all).
> >> >> >> > >>
> >> >> >> > >> Can someone help me to figure out how to retrieve the group names?
> >> >> >> > >> This is working fine on the Fedora 15 clients (sssd-1.5.x).
> >> >> >> > >
> >> >> >> > >
> >> >> >> > > This looks to me like you didn't migrate all of the groups. GID 1002 and
> >> >> >> > > 789600001 are both reporting the names correctly, so clearly the client
> >> >> >> > > is able to access the FreeIPA server and retrieve groups.
> >> >> >> >
> >> >> >> > It's working fine with Fedora 15 clients, so I think that the groups
> >> >> >> > were migrated OK.
> >> >> >> >
> >> >> >> > > Please try the following and report the results:
> >> >> >> > >
> >> >> >> > > getent group 1134
> >> >> >> > >
> >> >> >> > > and also
> >> >> >> > > getent group <groupname>
> >> >> >> > >
> >> >> >> > > where <groupname> is the name that is SUPPOSED to match GID 1134.
> >> >> >> >
> >> >> >> > I've just realised that once I've manually looked up the group using
> >> >> >> > the name, the id command is 'fixed':
> >> >> >> >
> >> >> >> > [root@newton ~]# getent group 1134
> >> >> >> > [root@newton ~]# getent group svn-wfdb-swig-matlab
> >> >> >> > svn-wfdb-swig-matlab:*:1134:ikaro,djscott
> >> >> >> > [root@newton ~]# getent group 1134
> >> >> >> > svn-wfdb-swig-matlab:*:1134:ikaro,djscott
> >> >> >> > [root@newton ~]# id djscott
> >> >> >> > uid=768(djscott) gid=1002(legacy-group)
> >> >> >> > groups=1002(legacy-group),1134(svn-wfdb-swig-matlab),1130,1118,1103,1108,1113,789600001(ipausers),1102,1109,1129,1111
> >> >> >> >
> >> >> >> > The initial getent returned no data. But the group info seems OK once
> >> >> >> > I've done one lookup.
> >> >> >> >
> >> >> >>
> >> >> >> That's weird, id runs getgrgid() on each of the returned group GIDs
> >> >> >>
> >> >> >
> >> >> > I know what's going on here. It was a stupid glibc screw-up in Fedora
> >> >> > 16. Remove the line starting with "initgroups: " from
> >> >> > your /etc/nsswitch.conf file.
> >> >> >
> >> >> > See https://bugzilla.redhat.com/show_bug.cgi?id=751450 for more
> >> >> > details.
> >> >>
> >> >> Thanks for the info, but I don't have that line in my nsswitch.conf
> >> >> file. These servers were upgraded from F15, and I can see the line in
> >> >> the /etc/nsswitch.conf.rpmnew files.
> >> >>
> >> >> Clearing the SSSD cache doesn't seem to have helped. I'm still getting
> >> >> the same problem. It's even reverted back to the original list of IDs.
> >> >> Only my primary group and 'ipausers' (the only one in the high ID
> >> >> range) show up properly.
> >> >>
> >> >> Thanks,
> >> >>
> >> >> Dan
> >> >
> >> > Are you running nscd by any chance? That could be interacting poorly.
> >>
> >> Nope, nscd isn't running.
> >>
> >> > Other than that, could you please set debug_level = 7 in your
> >> > [domain/DOMAINNAME] section of /etc/sssd/sssd.conf and restart SSSD?
> >> > Then try the 'id' command again and take a look
> >> > at /var/log/sssd/sssd_DOMAINNAME.log
> >>
> >> Log file is attached (email only to you, not the list). Possibly a
> >> problem with the keytab?
> >>
> >> Thanks,
> >>
> >> Dan

(Mon Jan 30 09:59:46 2012) [sssd[be[DOMAIN]]] [sdap_get_generic_ext_done] (6): Search result: Server is unwilling to perform(53), Simple Paged Results Search already in progress on this connection
(Mon Jan 30 09:59:46 2012) [sssd[be[DOMAIN]]] [sdap_get_generic_ext_done] (2): Unexpected result from ldap: Server is unwilling to perform(53), Simple Paged Results Search already in progress on this connection

You're hitting a 389 DS bug: https://fedorahosted.org/389/ticket/260

Re-adding the list (not including private data).
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
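
The two checks made by hand in this thread (spotting GIDs that id printed without a name, and finding the LDAP result 53 paged-search refusal in the SSSD debug log) can be scripted. The following Python is an added example, not part of the original messages and not SSSD or FreeIPA code; the function names are hypothetical and the sample inputs are the lines quoted in the thread.

```python
import re

# SSSD debug log line: (timestamp) [component] [function] (level): message
LOG_RE = re.compile(r"^\((?P<ts>[^)]*)\) \[(?P<comp>\S+)\] \[(?P<func>\w+)\] "
                    r"\((?P<level>\d+)\): (?P<msg>.*)$")
# LDAP result as rendered in the message: "<text>(<code>), <server detail>"
RESULT_RE = re.compile(r"\((?P<code>\d+)\), (?P<detail>.*)$")
LDAP_UNWILLING_TO_PERFORM = 53  # result code from RFC 4511


def unresolved_gids(id_output):
    """Return the GIDs that id(1) printed without a '(name)' suffix.
    Assumes group names contain no whitespace."""
    m = re.search(r"groups=(\S+)", id_output)
    if not m:
        return []
    entries = re.finditer(r"(\d+)(\([^)]*\))?(?:,|$)", m.group(1))
    return [int(e.group(1)) for e in entries if e.group(2) is None]


def paged_search_conflicts(lines):
    """Return log records where the server answered 53 because a paged
    search was already in progress on the connection."""
    hits = []
    for line in lines:
        rec = LOG_RE.match(line.strip())
        res = RESULT_RE.search(rec.group("msg")) if rec else None
        if (res and int(res.group("code")) == LDAP_UNWILLING_TO_PERFORM
                and "Paged Results" in res.group("detail")):
            hits.append({"ts": rec.group("ts"), "func": rec.group("func"),
                         "level": int(rec.group("level"))})
    return hits


# Sample inputs copied from the thread above.
ID_OUTPUT = ("uid=768(djscott) gid=1002(legacy-group) "
             "groups=1002(legacy-group),1134,1130,1118,1103,1108,1113,"
             "789600001(ipausers),1102,1109,1129,1111")
_PREFIX = "(Mon Jan 30 09:59:46 2012) [sssd[be[DOMAIN]]] [sdap_get_generic_ext_done] "
_RESULT = ("Server is unwilling to perform(53), Simple Paged Results Search "
           "already in progress on this connection")
LOG_LINES = [_PREFIX + "(6): Search result: " + _RESULT,
             _PREFIX + "(2): Unexpected result from ldap: " + _RESULT]

if __name__ == "__main__":
    print("GIDs without names:", unresolved_gids(ID_OUTPUT))
    for hit in paged_search_conflicts(LOG_LINES):
        print("paged-search conflict:", hit)
```

Unnamed GIDs together with result 53 records in the backend log match the failure diagnosed in this thread; unnamed GIDs with a clean log point elsewhere, such as the nsswitch.conf initgroups issue mentioned earlier.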
