From: Dmitri Pal [mailto:d...@redhat.com]
Sent: Tuesday, October 28, 2014 10:04 AM
To: Craig White; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] getent passwd / group

On 10/28/2014 12:11 PM, Craig White wrote:
From: freeipa-users-boun...@redhat.com On Behalf Of Dmitri Pal
Sent: Monday, October 27, 2014 5:32 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] getent passwd / group

On 10/27/2014 07:38 PM, Craig White wrote:
RHEL 6.5 - new install
ipa-server-3.0.0-42.el6.x86_64
389-ds-base-1.2.11.15-47.el6.x86_64

On the master, I get nothing

[root@ipa001 log]# getent passwd admin
[root@ipa001 log]#

But it works on the replica as expected

[root@ipa002nadev01 ~]# getent passwd admin
admin:*:1140000000:1110000000:Administrator:/home/admin:/bin/bash

I am used to using PADL / NSSWITCH with OpenLDAP and I am rather surprised that 
on both, 'getent passwd' and 'getent group' return only entries from local 
files but then again, I've never used sssd before.

Partial from /etc/sssd/sssd.conf
[domain/stt.local]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = stt.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa001nadev01.stt.local
chpass_provider = ipa
ipa_server = ipa001nadev01.stt.local
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = stt.local
debug_level = 6

Shouldn't I be seeing both local files and IPA defined users with 'getent 
passwd' and IPA defined users with 'getent group' commands?

What could cause 'getent passwd admin' not to work on the master server now 
when I know I tested it when I first set it up and it worked?  I have done 
little more than import users and groups from OpenLDAP and configure HBAC, sudo 
stuff in the IPA web UI.


Please check on master:
1. Installation logs. Client on the server is installed last and may be there 
is something that went wrong at this stage but the rest of the server is OK.
2. DNS. Can you resolve the host properly?
3. Firewall. Can you kinit admin or do an ldap search?
----
It's weird because it is mostly functioning perfectly.

/var/log/ipaclient-install.log doesn't show any errors. Gives every indication 
that things went as planned. The /var/log/ipaserver-install.log is a rather 
large file and a cursory inspection doesn't reveal anything that is 
interesting. The only thing that was not normal about the install was the first 
install was un-installed because I used DNS forwarders and the boss said no 
forwarders. So I installed a second time but nothing seemed unusual about 
either server or client install.

DNS - resolves / working perfectly for the authoritative and non-authoritative 
zones - forward and reverse. I thought the 'ipa-client-install 
--enable-dns-updates' worked extremely well after modifying it to ensure that 
both forward and reverse zone entries were created.

kinit admin@STT.LOCAL works - rejects wrong password 
entries and accepts correct password entries.
ldapsearch works fine
Firewall... (we are talking about localhost but)
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           ctstate 
RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           ctstate NEW tcp 
dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp 
dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp 
dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp 
dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp 
dpt:88
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp 
dpt:88
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp 
dpt:123
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp 
dpt:389
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp 
dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp 
dpt:464
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp 
dpt:464
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp 
dpt:636
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp 
dpt:7389
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp 
dpt:7389
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp 
dpt:9443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp 
dpt:9444
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp 
dpt:9445
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with 
icmp-host-prohibited

Then we need SSSD logs with the debug_level in the right sections as Jakub 
mentioned in his mail.
----
Sorry - I had a long meeting and should have noted that after restarting SSSD, 
it all started working again as expected. Clearly something I have to watch for 
and indeed, I moved the debug to the domain section for future.

Thanks

Craig
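Two things in this thread are worth turning into a check: Craig's expectation that 'getent passwd' and 'getent group' merge local files with IPA users (that is decided by /etc/nsswitch.conf, which nothing in the thread shows), and Dmitri's remark about debug_level being in the right sections (in SSSD, debug_level under [sssd] only affects the monitor; the domain and responder sections each need their own for sssd_<domain>.log and sssd_nss.log to say anything). The script below is an added example, not code from the thread or from the FreeIPA/SSSD projects. Its sssd.conf samples are constructed from the fragment Craig pasted; the nsswitch.conf samples and the DIAGNOSE_USER variable are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the SSSD project): section-aware
# checks of sssd.conf and nsswitch.conf, plus an optional live getent check.

# sssd_get KEY SECTION   (sssd.conf on stdin)
# Print the value of KEY inside [SECTION]; print nothing if it is not set there.
sssd_get() {
  awk -v key="$1" -v want="$2" '
    /^[ \t]*[#;]/ { next }                                   # comment lines
    /^[ \t]*\[/   { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/[]].*$/, "", sec); next }
    sec == want {
      n = index($0, "=")
      if (n == 0) next
      k = substr($0, 1, n - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (k == key) { v = substr($0, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
    }'
}

# debug_location DOMAIN   (sssd.conf on stdin)
# debug_level in [sssd] only controls the monitor; the domain back end needs
# its own entry for sssd_DOMAIN.log to be useful. Prints one of:
# domain | sssd-only | both | none
debug_location() {
  conf=$(cat)
  d=$(printf '%s\n' "$conf" | sssd_get debug_level "domain/$1")
  s=$(printf '%s\n' "$conf" | sssd_get debug_level sssd)
  if   [ -n "$d" ] && [ -n "$s" ]; then echo both
  elif [ -n "$d" ];               then echo domain
  elif [ -n "$s" ];               then echo sssd-only
  else                                 echo none
  fi
}

# nss_has_sss DB   (nsswitch.conf on stdin)
# Exit 0 if the DB line (passwd, group, ...) lists the sss module, else 1.
nss_has_sss() {
  awk -v db="$1" '
    /^[ \t]*#/ { next }
    $1 == db ":" { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
    END { exit (found ? 0 : 1) }'
}

# Constructed from the thread: debug_level only in [sssd], so the domain log
# stays quiet while lookups fail.
SSSD_CONF_THREAD='[domain/stt.local]
cache_credentials = True
id_provider = ipa
auth_provider = ipa
ipa_server = ipa001nadev01.stt.local

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = stt.local
debug_level = 6'

# Constructed: the same config after moving debug_level into the domain section.
SSSD_CONF_FIXED='[domain/stt.local]
id_provider = ipa
debug_level = 6

[sssd]
services = nss, pam
domains = stt.local'

# Constructed nsswitch.conf fragments: one that consults sss, one that does not.
NSSWITCH_OK='passwd:     files sss
shadow:     files sss
group:      files sss'

NSSWITCH_BAD='passwd:     files
group:      files'

# live_check USER: reproduce the thread's symptom on this host. Runs only when
# the (hypothetical) DIAGNOSE_USER variable is set, e.g. DIAGNOSE_USER=admin.
live_check() {
  for db in passwd group; do
    nss_has_sss "$db" < /etc/nsswitch.conf || echo "nsswitch.conf: '$db' does not consult sss"
  done
  if getent passwd "$1" > /dev/null; then
    echo "getent passwd $1: ok"
  else
    echo "getent passwd $1: empty, as on the master in the thread."
    echo "Check /var/log/sssd/sssd_nss.log and sssd_<domain>.log, then restart sssd;"
    echo "sss_cache -E drops cached entries if a stale cache is suspected."
  fi
}

if [ -n "${DIAGNOSE_USER-}" ]; then live_check "$DIAGNOSE_USER"; fi
```

Run with DIAGNOSE_USER set on the affected host to get the live report; without it the script only defines the checks, so it can be sourced from other tooling. On the thread's config, debug_location reports sssd-only, which is exactly why the logs had nothing to offer until the setting was moved.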


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project