I've added a new user using the command "ipa user-add" from the ipa
server.  I can see correct user information when I run the commands
"ipa user-show" and "ipa user-status". However, I cannot see the
user when I run "getent passwd username" or even "id username". When
I run "id username" I get, "no such user".
   I feel this may be an issue with sssd, but I'm not 100% sure.
/etc/nsswitch.conf looks correct.
   Any ideas?


IPA server is CentOS 6 running freeipa version 3.0.0

Hi Ryan,

this indeed sounds like an issue with the SSSD.

Given that you said nsswitch.conf looks OK, can you raise debug_level
(let's start with 5 perhaps) in the [nss] and [domain/] sections,
restart the SSSD and inspect the logs in /var/log/sssd/ for any errors?

Is there anything in the syslog? Some errors, like an invalid keytab, are
logged to the system logs as well as the SSSD debug logs.

Below is a snip from the sssd log with debug_level=5
This was an ssh attempt to the server.

This log snippet is telling us about problems with keytab:

(Thu Jan  9 09:52:45 2014) [sssd[be[csl.local]]] [sdap_kinit_done]
(0x0100): Could not get TGT: 14 [Bad address]

Perhaps /var/log/sssd/ldap_child.log would have more info?

Can you kinit with your keytab (kinit -k or kinit -k host/$(hostname)) ?

Running kinit -k gives the following

kinit: Password incorrect while getting initial credentials

Here is a snip from ldap_child.log
(Thu Jan 9 11:31:37 2014) [[sssd[ldap_child[2932]]]] [main] (0x0400): ldap_child started.
(Thu Jan 9 11:31:37 2014) [[sssd[ldap_child[2932]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [host/server.csl.local@CSL.LOCAL]
(Thu Jan 9 11:31:37 2014) [[sssd[ldap_child[2932]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Thu Jan 9 11:31:37 2014) [[sssd[ldap_child[2932]]]] [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
(Thu Jan 9 11:31:37 2014) [[sssd[ldap_child[2932]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Decrypt integrity check failed
(Thu Jan 9 11:31:38 2014) [[sssd[ldap_child[2932]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
(Thu Jan 9 11:31:38 2014) [[sssd[ldap_child[2932]]]] [prepare_response] (0x0400): Building response for result [-1765328353]
(Thu Jan 9 11:31:38 2014) [[sssd[ldap_child[2932]]]] [main] (0x0400): ldap_child completed successfully
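
Added example, not part of the original thread: a small parser for the SSSD debug lines quoted above that pulls out the principal and the failure-level messages, and decodes the ldap_child result code against the MIT krb5 error table (whose base code is -1765328384). The function names `parse_entries` and `summarize` are illustrative choices, and the name table is a small subset.

```python
import re

# SSSD debug header: (timestamp) [component] [function] (0xLEVEL):
HEADER = re.compile(
    r"\((?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})\)\s+"
    r"(?P<component>\[+sssd\S*\])\s+\[(?P<func>\w+)\]\s+"
    r"\((?P<level>0x[0-9a-fA-F]{4})\):"
)
KRB5_BASE = -1765328384  # first code of the MIT krb5 error table
KRB5_NAMES = {  # offset from KRB5_BASE = RFC 4120 error number (subset)
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",  # "Decrypt integrity check failed"
    37: "KRB5KRB_AP_ERR_SKEW",
}

# Log lines copied from the thread; some are wrapped or run together on purpose.
SAMPLE = """\
(Thu Jan  9 09:52:45 2014) [sssd[be[csl.local]]] [sdap_kinit_done]
(0x0100): Could not get TGT: 14 [Bad address]
(Thu Jan 9 11:31:37 2014) [[sssd[ldap_child[2932]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [host/server.csl.local@CSL.LOCAL] (Thu Jan 9 11:31:37 2014) [[sssd[ldap_child[2932]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Decrypt integrity check failed
(Thu Jan 9 11:31:38 2014) [[sssd[ldap_child[2932]]]] [main] (0x0020): ldap_child_get_tgt_sync failed. (Thu Jan 9 11:31:38 2014) [[sssd[ldap_child[2932]]]] [prepare_response] (0x0400): Building response for result [-1765328353]
"""

def parse_entries(text):
    """Split text on SSSD headers so wrapped or joined entries still parse."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entry = head.groupdict()
        entry["msg"] = " ".join(text[head.end():end].split())
        entries.append(entry)
    return entries

def summarize(text):
    """Collect the principal, failure-level messages and decoded krb5 result."""
    report = {"principal": None, "failures": [], "krb5": None}
    for e in parse_entries(text):
        if m := re.search(r"Principal name is: \[(.+?)\]", e["msg"]):
            report["principal"] = m.group(1)
        if m := re.search(r"Building response for result \[(-?\d+)\]", e["msg"]):
            offset = int(m.group(1)) - KRB5_BASE
            report["krb5"] = KRB5_NAMES.get(offset, f"krb5 error offset {offset}")
        if int(e["level"], 16) <= 0x0080:  # 0x0010-0x0080 are SSSD failure levels
            report["failures"].append((e["func"], e["msg"]))
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the lines from this thread the result code decodes to KRB5KRB_AP_ERR_BAD_INTEGRITY, the same error the log prints as "Decrypt integrity check failed".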

