On 10/28/2014 12:11 PM, Craig White wrote:
*From:*freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Dmitri Pal
*Sent:* Monday, October 27, 2014 5:32 PM
*To:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] getent passwd / group
On 10/27/2014 07:38 PM, Craig White wrote:
RHEL 6.5 -- new install
ipa-server-3.0.0-42.el6.x86_64
389-ds-base-1.2.11.15-47.el6.x86_64
On the master, I get nothing
[root@ipa001 log]# getent passwd admin
[root@ipa001 log]#
But it works on the replica as expected
[root@ipa002nadev01 ~]# getent passwd admin
admin:*:1140000000:1110000000:Administrator:/home/admin:/bin/bash
I am used to using PADL / NSSWITCH with OpenLDAP and I am rather
surprised that on both, 'getent passwd' and 'getent group' return
only entries from local files but then again, I've never used sssd
before.
Partial from /etc/sssd/sssd.conf
[domain/stt.local]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = stt.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa001nadev01.stt.local
chpass_provider = ipa
ipa_server = ipa001nadev01.stt.local
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = stt.local
debug_level = 6
Shouldn't I be seeing both local files and IPA defined users with
'getent passwd' and IPA defined users with 'getent group' commands?
What could cause 'getent passwd admin' not to work on the master
server now when I know I tested it when I first set it up and it
worked? I have done little more than import users and groups from
OpenLDAP and configure HBAC, sudo stuff in the IPA web UI.
Please check on master:
1. Installation logs. Client on the server is installed last and may
be there is something that went wrong at this stage but the rest of
the server is OK.
2. DNS. Can you resolve the host properly?
3. Firewall. Can you kinit admin or or do an ldap search?
----
It's weird because it is mostly functioning perfectly.
/var/log/ipaclient-install.log doesn't show any errors. Gives every
indication that things went as planned. The
/var/log/ipaserver-install.log is a rather large file and a cursory
inspection doesn't reveal anything that is interesting. The only thing
that was not normal about the install was the first install was
un-installed because I used DNS forwarders and the boss said no
forwarders. So I installed a second time but nothing seemed unusual
about either server or client install.
DNS -- resolves / working perfectly for the authoritative and
non-authoritative zones -- forward and reverse. I thought the
'ipa-client-install --enable-dns-updates' worked extremely well after
modifying it to ensure that both forward and reverse zone entries were
created.
kinit admin@STT.LOCAL <mailto:admin@STT.LOCAL> works -- rejects wrong
password entries and accepts correct password entries.
Ldapsearch works fine
Firewall... (we are talking about localhost but)
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate
RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:88
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:88
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:123
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:389
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:464
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:464
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:636
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:7389
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:7389
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9444
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9445
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with
icmp-host-prohibited
Then we need SSSD logs with the debug_level in the right sections as
Jakub mentioned in his mail.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project