On 1/9/14 11:45 AM, Rob Crittenden wrote:
Ryan Chase wrote:
On 1/9/14 11:15 AM, Jakub Hrozek wrote:
On Thu, Jan 09, 2014 at 10:14:20AM -0500, Ryan Chase wrote:
On 1/8/14 5:25 PM, Jakub Hrozek wrote:
On Wed, Jan 08, 2014 at 03:12:35PM -0500, Ryan Chase wrote:
I've added a new user using the command "ipa user-add" from the ipa
server. I can see correct user information when I run the commands
"ipa user-show" and "ipa user-status". However, I cannot see the
user when I run "getent passwd username" or even "id username". When
I run "id username" I get, "no such user".
I feel this may be an issue with sssd, but I'm not 100% sure.
/etc/nsswitch.conf looks correct.
Any ideas?
--Ryan
IPA server is CentOS 6 running freeipa version 3.0.0
Hi Ryan,
this indeed sounds like an issue with the SSSD.
Given that you said nsswitch.conf looks OK, can you raise debug_level
(let's start with 5 perhaps) in the [nss] and [domain/] sections,
restart the SSSD and inspect the logs in /var/log/sssd/ for any
errors?
Is there anything in the syslog? Some errors, like invalid keytab are
logged to the system logs as well as the SSSD debug logs.
Below is a snip from the sssd log with debug_level=5
This was an ssh attempt to the server.
This log snippet is telling us about problems with keytab:
(Thu Jan 9 09:52:45 2014) [sssd[be[csl.local]]] [sdap_kinit_done]
(0x0100): Could not get TGT: 14 [Bad address]
Perhaps /var/log/sssd/ldap_child.log would have more info?
Can you kinit with your keytab (kinit -k or kinit -k host/$(hostname)) ?
Running kinit -k gives the following
kinit: Password incorrect while getting initial credentials
Here is a snip from ldap_child.log
(Thu Jan 9 11:31:37 2014) [[sssd[ldap_child[2932]]]] [main] (0x0400):
ldap_child started.
(Thu Jan 9 11:31:37 2014) [[sssd[ldap_child[2932]]]]
[ldap_child_get_tgt_sync] (0x0100): Principal name is:
[host/server.csl.local@CSL.LOCAL]
(Thu Jan 9 11:31:37 2014) [[sssd[ldap_child[2932]]]]
[ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Thu Jan 9 11:31:37 2014) [[sssd[ldap_child[2932]]]]
[ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
(Thu Jan 9 11:31:37 2014) [[sssd[ldap_child[2932]]]]
[ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Decrypt
integrity check failed
(Thu Jan 9 11:31:38 2014) [[sssd[ldap_child[2932]]]] [main] (0x0020):
ldap_child_get_tgt_sync failed.
(Thu Jan 9 11:31:38 2014) [[sssd[ldap_child[2932]]]] [prepare_response]
(0x0400): Building response for result [-1765328353]
(Thu Jan 9 11:31:38 2014) [[sssd[ldap_child[2932]]]] [main] (0x0400):
ldap_child completed successfully
So the keytab is bad, strange. You might try this:
# kinit admin
# kvno host/`hostname`
# klist -kt /etc/krb5.keytab
Compare the version number of the service in the keytab vs what kvno
returns. They should be the same. If they are different then that
explains the failure. It would mean though that someone else pulled a
keytab for this host principal so generating a new keytab may break
whatever they did.
If you determine that this is ok you can fetch a new keytab with:
# ipa-getkeytab -s ipa.example.com -p host/`hostname` -k /etc/krb5.keytab
Then restart sssd and things should work.
rob
The version numbers don't match. How would I fix this?
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
