On 10/29/2014 02:40 PM, Craig White wrote:
-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, October 28, 2014 5:34 PM
To: Craig White; d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] getent passwd / group [SOLVED]

Craig White wrote:
*From:*Dmitri Pal [mailto:d...@redhat.com]
*Sent:* Tuesday, October 28, 2014 5:10 PM
*To:* Craig White; freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] getent passwd / group [SOLVED]

On 10/28/2014 04:41 PM, Craig White wrote:

     *From:*freeipa-users-boun...@redhat.com
     <mailto:freeipa-users-boun...@redhat.com>
     [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Craig White
     *Sent:* Tuesday, October 28, 2014 1:28 PM
     *To:* d...@redhat.com <mailto:d...@redhat.com>;
     freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>
     *Subject:* Re: [Freeipa-users] getent passwd / group [SOLVED]

     *From:*Dmitri Pal [mailto:d...@redhat.com]
     *Sent:* Tuesday, October 28, 2014 10:04 AM
     *To:* Craig White; freeipa-users@redhat.com
     <mailto:freeipa-users@redhat.com>
     *Subject:* Re: [Freeipa-users] getent passwd / group

     On 10/28/2014 12:11 PM, Craig White wrote:

         *From:*freeipa-users-boun...@redhat.com
         <mailto:freeipa-users-boun...@redhat.com>
         [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Dmitri Pal
         *Sent:* Monday, October 27, 2014 5:32 PM
         *To:* freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>
         *Subject:* Re: [Freeipa-users] getent passwd / group

         On 10/27/2014 07:38 PM, Craig White wrote:

             RHEL 6.5 - new install

             ipa-server-3.0.0-42.el6.x86_64

             389-ds-base-1.2.11.15-47.el6.x86_64

             On the master, I get nothing

             [root@ipa001 log]# getent passwd admin

             [root@ipa001 log]#

             But it works on the replica as expected

             [root@ipa002nadev01 ~]# getent passwd admin

admin:*:1140000000:1110000000:Administrator:/home/admin:/bin/bash

             I am used to using PADL / NSSWITCH with OpenLDAP and I am
             rather surprised that on both, 'getent passwd' and 'getent
             group' return only entries from local files but then again,
             I've never used sssd before.

         REJECT     all  --  0.0.0.0/0            0.0.0.0/0
         reject-with icmp-host-prohibited


     Then we need SSSD logs with the debug_level in the right sections as
     Jakub mentioned in his mail.
     ----

     Sorry - I had a long meeting and should have noted that after
     restarting SSSD, it all started working again as expected. Clearly
     something I have to watch for and indeed, I moved the debug to the
     domain section for future.

     I should add - came to the realization that restarting sssd and went to 
long meeting, then came back and couldn't log into ipa console or Kerberos and 
had to restart IPA service to restart Kerberos.

     IPA is logging nothing.

     This is not the first time I have had to go through this cycle - it seems 
that somehow, the IPA server is sensitive to the SSSD daemon and if the SSSD 
goes haywire, when I restart SSSD, IPA is not functioning and must be restarted 
too.

     Thanks

     Craig


Is this on the same server?
----

Yes, same server... the one I call the master. The first one I set up.
I'm getting tuned in to the checking the status of dirsrv and ipa but
now I know to check the status of the sssd too.

Seems like it crashes a little too easily - I doubt I did much to harm it... I 
am fairly experienced with OpenLDAP and in fact used 389-server back when it 
was called FedoraDS.

But it is running now, and seemingly will stay running for some time and I am 
upping the logging and watching for a crash like Richard said to provide some 
debug logs if possible. Sort of wish I could have just started with RHEL 7 and 
the updated IPA.
Ok, and to be clear if it crashes again Rich needs to get a stacktrace.
Logs won't be enough.

rob
----
OK - just after I left work last night - IPA crashed.

Oct 28 17:17:11 ipa001 kernel: ns-slapd[1219]: segfault at 0 ip 
00007f86cd04e572 sp 00007f86a2bf7f10 error 4 in 
libslapd.so.0.0.0[7f86cd009000+fd000]

Required a 'service ipa restart' to get up and running again  ;-(

Now Rich directed me to the 'debugging crashes' section which would have me 
installing debuginfo for 389.

I can't find it...
# yum search 389-ds-base-debuginfo
Loaded plugins: product-id, rhnplugin, subscription-manager
This system is receiving updates from RHN Classic or RHN Satellite.
rackspace-rhel-x86_64-server-6-common                                           
                           |  871 B     00:00
rackspace-rhel-x86_64-server-6-ius                                              
                           |  871 B     00:00
rhel-x86_64-server-6                                                            
                           | 1.5 kB     00:00
rhel-x86_64-server-optional-6                                                   
                           | 1.5 kB     00:00
rhel-x86_64-server-supplementary-6                                              
                           | 1.5 kB     00:00
rhn-tools-rhel-x86_64-server-6                                                  
                           | 1.3 kB     00:00
epel/pkgtags                                                                    
                           | 1.3 MB     00:00
Warning: No matches found for: 389-ds-base-debuginfo
No Matches found

Which sort of makes sense in that we are forced to use Rackspace mirrors and 
can't use any public repos.

I can probably get around it by separately downloading to my desktop, using SCP 
to transfer the packages over and installing but that is quite a hassle.
I do not think there is another option. Sorry.

Do I have any other options?  Is the only debuginfo package I need the 
389-ds-base?
AFAIU yes.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to