On 10/27/2014 07:38 PM, Craig White wrote:


RHEL 6.5 -- new install

ipa-server-3.0.0-42.el6.x86_64

389-ds-base-1.2.11.15-47.el6.x86_64

On the master, I get nothing

[root@ipa001 log]# getent passwd admin

[root@ipa001 log]#

But it works on the replica as expected

[root@ipa002nadev01 ~]# getent passwd admin

admin:*:1140000000:1110000000:Administrator:/home/admin:/bin/bash

I am used to using PADL / NSSWITCH with OpenLDAP and I am rather surprised that on both, 'getent passwd' and 'getent group' return only entries from local files but then again, I've never used sssd before.

Partial from /etc/sssd/sssd.conf

[domain/stt.local]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = stt.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa001nadev01.stt.local
chpass_provider = ipa
ipa_server = ipa001nadev01.stt.local
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = stt.local
debug_level = 6

Shouldn't I be seeing both local files and IPA defined users with 'getent passwd' and IPA defined users with 'getent group' commands?

What could cause 'getent passwd admin' not to work on the master server now when I know I tested it when I first set it up and it worked? I have done little more than import users and groups from OpenLDAP and configure HBAC, sudo stuff in the IPA web UI.


Please check on master:
1. Installation logs. Client on the server is installed last and maybe there is something that went wrong at this stage but the rest of the server is OK.
2. DNS. Can you resolve the host properly?
3. Firewall. Can you kinit admin or do an ldap search?


Craig White

System Administrator

O623-201-8179 M602-377-9752


SkyTouch Technology 4225 E. Windrose Dr.     Phoenix, AZ 85032





--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
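
The question above about what `getent passwd` and `getent group` should return through sssd depends on two files, /etc/nsswitch.conf and /etc/sssd/sssd.conf; the script below is an added example, not part of the original thread, that reads both offline and reports whether `sss` is consulted and whether enumeration is enabled for each domain. The function names and the nsswitch.conf sample are assumptions made for illustration, and the script relies on the documented SSSD default of `enumerate = false`, under which a bare `getent passwd` lists only local entries while lookups by name still reach the domain.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the files that decide what getent gets from SSSD.

# nss_uses_sss FILE DB: exit 0 if the DB line (passwd, group) lists "sss"
nss_uses_sss() {
    awk -v db="$2:" '{ sub(/#.*/, "") }
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
        END { exit !found }' "$1"
}

# sssd_get FILE SECTION KEY: print the value of KEY inside [SECTION] (empty if unset)
sssd_get() {
    awk -v sec="[$2]" -v key="$3" '{ sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^\[/ { insec = ($0 == sec); next }
        insec && /^[^#;]/ && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); sub(/[ \t]+$/, "", k)
            v = substr($0, eq + 1);    sub(/^[ \t]+/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# enumeration_enabled SSSDCONF DOMAIN: exit 0 only if enumerate is explicitly true
enumeration_enabled() {
    [ "$(sssd_get "$1" "domain/$2" enumerate | tr 'A-Z' 'a-z')" = true ]
}

# explain_getent NSSWITCH SSSDCONF: print one finding per database and per domain
explain_getent() {
    for db in passwd group; do
        nss_uses_sss "$1" "$db" && echo "$db: sss is listed" || echo "$db: sss is NOT listed"
    done
    for dom in $(sssd_get "$2" sssd domains | tr ',' ' '); do
        if enumeration_enabled "$2" "$dom"; then
            echo "$dom: enumerate is on, bare 'getent passwd' lists domain users"
        else
            echo "$dom: enumerate is off (SSSD default), query by name: getent passwd NAME"
        fi
    done
}

# Constructed sample input: an assumed nsswitch.conf and a subset of the sssd.conf keys quoted above.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'passwd: files sss\ngroup: files sss\n' > "$demo/nsswitch.conf"
printf '[domain/stt.local]\nid_provider = ipa\n[sssd]\ndomains = stt.local\n' > "$demo/sssd.conf"
explain_getent "$demo/nsswitch.conf" "$demo/sssd.conf"
```

On a real host, run `explain_getent /etc/nsswitch.conf /etc/sssd/sssd.conf` as root, since sssd.conf is normally readable only by root.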
