On Thu, Aug 09, 2012 at 12:52:47AM -0800, Erinn Looney-Triggs wrote:
> On 08/08/2012 01:11 PM, Jakub Hrozek wrote:
> > On Wed, Aug 08, 2012 at 10:45:47AM -0800, Erinn Looney-Triggs wrote:
> >> An interesting problem has popped up and I am not sure where the issue
> >> lies. Users logging in are presented with "cannot find name for user ID"
> >> etc. etc. for all groups they are a member of
> >>
> >> id returns nothing but the numbers, and a getent passwd <username>
> >> returns nothing, when running as the user.
> >>
> >> However, as root a getent passwd <username> works.
> >>
> >> I am taking a look through logs and haven't found much so far, another
> >> user experienced a similar issue and a ipa-client-install --uninstall
> >> and reinstall (this is starting to feel like windows :) did the trick
> >> for them, however it has not solved the issue for me.
> >>
> >> I have also cleared the sssd cache, and given that process a kick to no
> >> avail.
> >>
> >> Firewall rules have not changed, and I assume the ipa-client-install
> >> process would have failed if a firewall issue was present.
> >>
> >> After increasing sssd logging levels I see a lot of requests for the
> >> user in the sssd logs, but no returns, not that I know if the logging is
> >> supposed to log the return.
> >>
> >> This is on a RHEL 5.8 client:
> >> ipa-client-2.1.3-2.el5_8
> >> sssd-1.5.1-49.el5_8.1
> >>
> >> Connecting to a RHEL 6.3 IPA server.
> >>
> >> Any ideas?
> >>
> >> -Erinn
> >>
> >
> > Hi Erinn,
> >
> > The requests for the user you saw were only in the sssd_nss log or did
> > they make it to the sssd_$domain.log as well? Can you paste sanitized
> > contents of both, please?
> >
> > I can't think of a reason to make lookups work only as root, that's
> > really strange. Can you check for AVC denials? Can you also check the
> > permissions on /var/lib/sss/pipes/nss ? It should be 0666.
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users@redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> >
>
> Yeah I can confirm this for certain now, take a look below:
>
> erinn@numbersix ~ $ ls -l /etc/nsswitch.conf
> -rw-r--r-- 1 root root 1726 Dec 27 2011 /etc/nsswitch.conf
> erinn@numbersix ~ $ sudo yum -y update sudo
>
> Loaded plugins: rhnplugin, security
> Skipping security plugin, no data
> Setting up Update Process
> Resolving Dependencies
> Skipping security plugin, no data
> --> Running transaction check
> ---> Package sudo.x86_64 0:1.7.2p1-14.el5_8.2 set to be updated
> --> Finished Dependency Resolution
>
> Dependencies Resolved
>
> ================================================================================
> Package Arch Version Repository
> Size
> ================================================================================
> Updating:
> sudo x86_64 1.7.2p1-14.el5_8.2 rhel-x86_64-server-5
> 359 k
>
> Transaction Summary
> ================================================================================
> Install 0 Package(s)
> Upgrade 1 Package(s)
>
> Total size: 359 k
> Downloading Packages:
> Running rpm_check_debug
> Running Transaction Test
> Finished Transaction Test
> Transaction Test Succeeded
> Running Transaction
> Updating : sudo
> 1/2
> Cleanup : sudo
> 2/2
>
> Updated:
> sudo.x86_64 0:1.7.2p1-14.el5_8.2
>
>
> Complete!
> erinn@numbersix ~ $ ls -l /etc/nsswitch.conf
> -rw------- 1 root root 1727 Aug 9 08:43 /etc/nsswitch.conf
>
> So it appears the latest sudo update is causing this issue, I am
> uncertain whether this is intentional or not at this point (probably
> not), but it is the cause, and it sure does make things messy for IPA. I
> have filed a support case.
>
> -Erinn
>

You were a victim of https://bugzilla.redhat.com/show_bug.cgi?id=846631
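
Added example, not part of the thread: a shell check for the two permission conditions discussed above, /etc/nsswitch.conf readable by non-root users (the mode shown before the update) and /var/lib/sss/pipes/nss at 0666. The function names, the script name and the optional root-prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (constructed, not from the thread): flag NSS files that
# non-root users cannot open, the symptom behind "works as root only".

# Print the "other" permission triplet (e.g. "r--") taken from ls -ld.
other_perms() {
    ls -ld "$1" 2>/dev/null | cut -c8-10
}

# check_other PATH PATTERN: 0 = other perms match, 1 = too strict, 2 = missing
check_other() {
    _perms=$(other_perms "$1")
    [ -n "$_perms" ] || return 2
    case "$_perms" in
        $2) return 0 ;;
    esac
    return 1
}

# audit_nss [ROOT]: ROOT is a hypothetical prefix for testing on a copy.
# Returns the number of files whose permissions are too strict.
audit_nss() {
    _root=${1:-}
    _bad=0
    # nsswitch.conf must be world-readable; the sssd NSS pipe must be
    # read/write for others (0666).
    for _spec in "/etc/nsswitch.conf:r??" "/var/lib/sss/pipes/nss:rw?"; do
        _path=$_root${_spec%%:*}
        _st=0
        check_other "$_path" "${_spec##*:}" || _st=$?
        case $_st in
            0) echo "ok       $_path" ;;
            2) echo "missing  $_path" ;;
            *) echo "PROBLEM  $_path (other=$(other_perms "$_path"))"
               _bad=$((_bad + 1)) ;;
        esac
    done
    return "$_bad"
}

# Check the live system only when asked to (hypothetical script name):
#   sh nss_perms.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_nss
    exit $?
fi
```

A non-zero exit status from `--live` is the number of files that non-root users cannot open as required.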