On 10/28/2014 12:11 PM, Craig White wrote:

*From:*freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Dmitri Pal
*Sent:* Monday, October 27, 2014 5:32 PM
*To:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] getent passwd / group

On 10/27/2014 07:38 PM, Craig White wrote:

    RHEL 6.5 -- new install



    On the master, I get nothing

    [root@ipa001 log]# getent passwd admin

    [root@ipa001 log]#

    But it works on the replica as expected

    [root@ipa002nadev01 ~]# getent passwd admin


    I am used to using PADL / NSSWITCH with OpenLDAP and I am rather
    surprised that on both, 'getent passwd' and 'getent group' return
    only entries from local files but then again, I've never used sssd

    Partial from /etc/sssd/sssd.conf


    cache_credentials = True

    krb5_store_password_if_offline = True

    ipa_domain = stt.local

    id_provider = ipa

    auth_provider = ipa

    access_provider = ipa

    ipa_hostname = ipa001nadev01.stt.local

    chpass_provider = ipa

    ipa_server = ipa001nadev01.stt.local

    ldap_tls_cacert = /etc/ipa/ca.crt


    services = nss, sudo, pam, ssh

    config_file_version = 2

    domains = stt.local

    debug_level = 6

    Shouldn't I be seeing both local files and IPA defined users with
    'getent passwd' and IPA defined users with 'getent group' commands?

    What could cause 'getent passwd admin' not to work on the master
    server now when I know I tested it when I first set it up and it
    worked?  I have done little more than import users and groups from
    OpenLDAP and configure HBAC, sudo stuff in the IPA web UI.

Please check on master:
1. Installation logs. Client on the server is installed last and may be there is something that went wrong at this stage but the rest of the server is OK.
2. DNS. Can you resolve the host properly?
3. Firewall. Can you kinit admin or or do an ldap search?

It's weird because it is mostly functioning perfectly.

/var/log/ipaclient-install.log doesn't show any errors. Gives every indication that things went as planned. The /var/log/ipaserver-install.log is a rather large file and a cursory inspection doesn't reveal anything that is interesting. The only thing that was not normal about the install was the first install was un-installed because I used DNS forwarders and the boss said no forwarders. So I installed a second time but nothing seemed unusual about either server or client install.

DNS -- resolves / working perfectly for the authoritative and non-authoritative zones -- forward and reverse. I thought the 'ipa-client-install --enable-dns-updates' worked extremely well after modifying it to ensure that both forward and reverse zone entries were created.

kinit admin@STT.LOCAL <mailto:admin@STT.LOCAL> works -- rejects wrong password entries and accepts correct password entries.

Ldapsearch works fine

Firewall... (we are talking about localhost but)


ACCEPT     icmp --

ACCEPT     all  --

ACCEPT     tcp  --           ctstate NEW tcp dpt:22

ACCEPT     tcp  --           state NEW tcp dpt:80

ACCEPT     tcp  --           state NEW tcp dpt:53

ACCEPT     udp  --           state NEW udp dpt:53

ACCEPT     tcp  --           state NEW tcp dpt:88

ACCEPT     udp  --           state NEW udp dpt:88

ACCEPT     udp  --           state NEW udp dpt:123

ACCEPT     tcp  --           state NEW tcp dpt:389

ACCEPT     tcp  --           state NEW tcp dpt:443

ACCEPT     tcp  --           state NEW tcp dpt:464

ACCEPT     udp  --           state NEW udp dpt:464

ACCEPT     tcp  --           state NEW tcp dpt:636

ACCEPT     tcp  --           state NEW tcp dpt:7389

ACCEPT     udp  --           state NEW udp dpt:7389

ACCEPT     tcp  --           state NEW tcp dpt:9443

ACCEPT     tcp  --           state NEW tcp dpt:9444

ACCEPT     tcp  --           state NEW tcp dpt:9445

REJECT all -- reject-with icmp-host-prohibited

Then we need SSSD logs with the debug_level in the right sections as Jakub mentioned in his mail.

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to