On Thu, 2014-01-09 at 12:00 -0500, Ryan Chase wrote:
>
> On 1/9/14 11:45 AM, Rob Crittenden wrote:
> > Ryan Chase wrote:
> >> On 1/9/14 11:15 AM, Jakub Hrozek wrote:
> >>> On Thu, Jan 09, 2014 at 10:14:20AM -0500, Ryan Chase wrote:
> >>>> On 1/8/14 5:25 PM, Jakub Hrozek wrote:
> >>>>> On Wed, Jan 08, 2014 at 03:12:35PM -0500, Ryan Chase wrote:
> >>>>>> I've added a new user using the command "ipa user-add" from the ipa
> >>>>>> server. I can see correct user information when I run the commands
> >>>>>> "ipa user-show" and "ipa user-status". However, I cannot see the
> >>>>>> user when I run "getent passwd username" or even "id username". When
> >>>>>> I run "id username" I get, "no such user".
> >>>>>> I feel this may be an issue with sssd, but I'm not 100% sure.
> >>>>>> /etc/nsswitch.conf looks correct.
> >>>>>> Any ideas?
> >>>>>>
> >>>>>> --Ryan
> >>>>>>
> >>>>>> IPA server is CentOS 6 running freeipa version 3.0.0
> >>>>>
> >>>>> Hi Ryan,
> >>>>>
> >>>>> this indeed sounds like an issue with the SSSD.
> >>>>>
> >>>>> Given that you said nsswitch.conf looks OK, can you raise debug_level
> >>>>> (let's start with 5 perhaps) in the [nss] and [domain/] sections,
> >>>>> restart the SSSD and inspect the logs in /var/log/sssd/ for any
> >>>>> errors?
> >>>>>
> >>>>> Is there anything in the syslog? Some errors, like invalid keytab are
> >>>>> logged to the system logs as well as the SSSD debug logs.
> >>>>>
> >>>>
> >>>> Below is a snip from the sssd log with debug_level=5
> >>>> This was an ssh attempt to the server.
> >>>>
> >>>
> >>> This log snippet is telling us about problems with keytab:
> >>>
> >>>> (Thu Jan 9 09:52:45 2014) [sssd[be[csl.local]]] [sdap_kinit_done]
> >>>> (0x0100): Could not get TGT: 14 [Bad address]
> >>>
> >>>
> >>> Perhaps /var/log/sssd/ldap_child.log would have more info?
> >>>
> >>> Can you kinit with your keytab (kinit -k or kinit -k host/$(hostname)) ?
> >>>
> >>
> >> Running kinit -k gives the following
> >>
> >> kinit: Password incorrect while getting initial credentials
> >>
> >> Here is a snip from ldap_child.log
> >> (Thu Jan 9 11:31:37 2014) [[sssd[ldap_child[2932]]]] [main] (0x0400):
> >> ldap_child started.
> >> (Thu Jan 9 11:31:37 2014) [[sssd[ldap_child[2932]]]]
> >> [ldap_child_get_tgt_sync] (0x0100): Principal name is:
> >> [host/[email protected]]
> >> (Thu Jan 9 11:31:37 2014) [[sssd[ldap_child[2932]]]]
> >> [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
> >> (Thu Jan 9 11:31:37 2014) [[sssd[ldap_child[2932]]]]
> >> [ldap_child_get_tgt_sync] (0x0100): Will canonicalize principals
> >> (Thu Jan 9 11:31:37 2014) [[sssd[ldap_child[2932]]]]
> >> [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Decrypt
> >> integrity check failed
> >> (Thu Jan 9 11:31:38 2014) [[sssd[ldap_child[2932]]]] [main] (0x0020):
> >> ldap_child_get_tgt_sync failed.
> >> (Thu Jan 9 11:31:38 2014) [[sssd[ldap_child[2932]]]] [prepare_response]
> >> (0x0400): Building response for result [-1765328353]
> >> (Thu Jan 9 11:31:38 2014) [[sssd[ldap_child[2932]]]] [main] (0x0400):
> >> ldap_child completed successfully
> >
> > So the keytab is bad, strange. You might try this:
> >
> > # kinit admin
> > # kvno host/`hostname`
> > # klist -kt /etc/krb5.keytab
> >
> > Compare the version number of the service in the keytab vs what kvno
> > returns. They should be the same. If they are different then that
> > explains the failure. It would mean though that someone else pulled a
> > keytab for this host principal so generating a new keytab may break
> > whatever they did.
> >
> > If you determine that this is ok you can fetch a new keytab with:
> >
> > # ipa-getkeytab -s ipa.example.com -p host/`hostname` -k /etc/krb5.keytab
> >
> > Then restart sssd and things should work.
> >
> > rob
> >
>
> The version numbers don't match. How would I fix this?

Using the ipa-getkeytab command mentioned above.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
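The kvno comparison Rob describes in the thread, written up as an added example script that is not part of the mailing-list thread or of FreeIPA itself. It parses the output of `klist -kt` (highest KVNO recorded for the host principal, since a keytab can hold several entries per key version) and of `kvno` (the version the KDC currently issues tickets for) and reports whether they agree. The hostname `client.example.com`, the realm `EXAMPLE.COM` and the embedded `klist`/`kvno` outputs are constructed placeholders so the script runs offline; on a real host you would feed it the live command output as shown in the comment at the top.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the key version in the
# local keytab matches the version the KDC reports for the host principal.
#
# On a real client, after "kinit admin", run it against live output:
#   check_kvno "$(klist -kt /etc/krb5.keytab)" "$(kvno host/$(hostname))" "host/$(hostname)"
# A keytab kvno that is lower than the KDC's means the key was rotated after
# this keytab was written (for example someone fetched a new keytab for the
# same principal elsewhere), which is exactly the "Decrypt integrity check
# failed" situation the thread diagnoses. The fix is to fetch a fresh keytab
# with ipa-getkeytab and restart sssd, as Rob and Simo say.

# keytab_kvno KLIST_OUTPUT PRINCIPAL
#   Prints the highest KVNO for PRINCIPAL (with or without @REALM) found in
#   "klist -kt" output, or nothing if the principal is absent.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        BEGIN { max = 0; found = 0 }
        # data rows start with a numeric KVNO; the principal is the last field
        $1 ~ /^[0-9]+$/ && ($NF == p || index($NF, p "@") == 1) {
            found = 1
            if ($1 + 0 > max) max = $1 + 0
        }
        END { if (found) print max }'
}

# kdc_kvno KVNO_OUTPUT
#   Extracts N from a "principal@REALM: kvno = N" line printed by "kvno".
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# check_kvno KLIST_OUTPUT KVNO_OUTPUT PRINCIPAL
#   Exit status: 0 = versions match, 1 = mismatch, 2 = could not compare.
check_kvno() {
    kt=$(keytab_kvno "$1" "$3")
    kdc=$(kdc_kvno "$2")
    if [ -z "$kt" ]; then
        echo "principal $3 not present in keytab"
        return 2
    fi
    if [ -z "$kdc" ]; then
        echo "could not parse kvno output"
        return 2
    fi
    if [ "$kt" -eq "$kdc" ]; then
        echo "match: keytab kvno $kt == KDC kvno $kdc"
        return 0
    fi
    echo "mismatch: keytab kvno $kt != KDC kvno $kdc; regenerate with ipa-getkeytab"
    return 1
}

# Constructed sample output (placeholder host and realm). The keytab holds two
# entries per key version (one per encryption type) plus an unrelated service.
PRINCIPAL="host/client.example.com"
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 01/02/14 09:00:00 host/client.example.com@EXAMPLE.COM
   1 01/02/14 09:00:00 host/client.example.com@EXAMPLE.COM
   2 01/08/14 17:00:00 host/client.example.com@EXAMPLE.COM
   2 01/08/14 17:00:00 host/client.example.com@EXAMPLE.COM
   2 01/08/14 17:00:00 nfs/client.example.com@EXAMPLE.COM'
SAMPLE_KVNO_OK='host/client.example.com@EXAMPLE.COM: kvno = 2'
SAMPLE_KVNO_STALE='host/client.example.com@EXAMPLE.COM: kvno = 3'

# Stand-alone run on the samples ("|| true" so the mismatch case does not
# abort a shell running with set -e).
check_kvno "$SAMPLE_KLIST" "$SAMPLE_KVNO_OK" "$PRINCIPAL" || true
check_kvno "$SAMPLE_KLIST" "$SAMPLE_KVNO_STALE" "$PRINCIPAL" || true
```

The script only compares version numbers; it deliberately does not fetch a new keytab, because (as Rob points out) a mismatch can mean another system is using the newer key, and regenerating blindly would break that system in turn.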
