On 1/9/14 11:15 AM, Jakub Hrozek wrote:
On Thu, Jan 09, 2014 at 10:14:20AM -0500, Ryan Chase wrote:
On 1/8/14 5:25 PM, Jakub Hrozek wrote:
On Wed, Jan 08, 2014 at 03:12:35PM -0500, Ryan Chase wrote:
I've added a new user using the command "ipa user-add" from the ipa
server. I can see correct user information when I run the commands
"ipa user-show" and "ipa user-status". However, I cannot see the
user when I run "getent passwd username" or even "id username". When
I run "id username" I get, "no such user".
I feel this may be an issue with sssd, but I'm not 100% sure.
/etc/nsswitch.conf looks correct.
Any ideas?
--Ryan
IPA server is CentOS 6 running freeipa version 3.0.0
Hi Ryan,
this indeed sounds like an issue with the SSSD.
Given that you said nsswitch.conf looks OK, can you raise debug_level
(let's start with 5 perhaps) in the [nss] and [domain/] sections,
restart the SSSD and inspect the logs in /var/log/sssd/ for any errors?
Is there anything in the syslog? Some errors, like invalid keytab are
logged to the system logs as well as the SSSD debug logs.
Below is a snip from the sssd log with debug_level=5
This was an ssh attempt to the server.
This log snippet is telling us about problems with keytab:
(Thu Jan 9 09:52:45 2014) [sssd[be[csl.local]]] [sdap_kinit_done]
(0x0100): Could not get TGT: 14 [Bad address]
Perhaps /var/log/sssd/ldap_child.log would have more info?
Can you kinit with your keytab (kinit -k or kinit -k host/$(hostname)) ?
Running kinit -k gives the following
kinit: Password incorrect while getting initial credentials
Here is a snip from ldap_child.log
(Thu Jan 9 11:31:37 2014) [[sssd[ldap_child[2932]]]] [main] (0x0400):
ldap_child started.
(Thu Jan 9 11:31:37 2014) [[sssd[ldap_child[2932]]]]
[ldap_child_get_tgt_sync] (0x0100): Principal name is:
[host/[email protected]]
(Thu Jan 9 11:31:37 2014) [[sssd[ldap_child[2932]]]]
[ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Thu Jan 9 11:31:37 2014) [[sssd[ldap_child[2932]]]]
[ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
(Thu Jan 9 11:31:37 2014) [[sssd[ldap_child[2932]]]]
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Decrypt
integrity check failed
(Thu Jan 9 11:31:38 2014) [[sssd[ldap_child[2932]]]] [main] (0x0020):
ldap_child_get_tgt_sync failed.
(Thu Jan 9 11:31:38 2014) [[sssd[ldap_child[2932]]]] [prepare_response]
(0x0400): Building response for result [-1765328353]
(Thu Jan 9 11:31:38 2014) [[sssd[ldap_child[2932]]]] [main] (0x0400):
ldap_child completed successfully
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
