Hi Rob,

Yes, sssd is running and this is sssd.conf:

[domain/hq.example.com]
debug_level=9
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = hq.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = meson.hq.example.com
chpass_provider = ipa
ipa_server = _srv_, ipa.hq.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2

domains = hq.example.com
[nss]
homedir_substring = /home
debug_level=9

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]


On 21 March 2015 at 17:05, Rob Crittenden <rcrit...@redhat.com> wrote:

> Roberto Cornacchia wrote:
> > Indeed, id admin does not work and there is no sign of it in the log.
> >
> > From the client (with admin-tools installed):
> >
> > $ kinit admin
> > Password for ad...@hq.example.com <mailto:ad...@hq.example.com>:
> > $ ipa user-show admin
> >   User login: admin
> >   Last name: Administrator
> >   Home directory: /home/admin
> >   Login shell: /bin/bash
> >   UID: 1172000000
> >   GID: 1172000000
> >   Account disabled: False
> >   Password: True
> >   Member of groups: trust admins, admins
> >   Kerberos keys available: True
> > $ id admin
> > id: admin: no such user
> > $ getent passwd ad...@hq.spinque.com <mailto:ad...@hq.spinque.com>
> > $ grep admin /var/log/sssd/*
> > $
>
> This is because sssd is not configured in nsswitch.conf to serve
> anything other than sudo.
>
> I see in the client install log you posted in the first message of the
> thread that there was no pre-existing sssd.conf so it created a new one,
> but that shouldn't be an issue.
>
> What does sssd.conf look like and is sssd running?
>
> rob
>
> >
> >
> > On 21 March 2015 at 01:01, Dmitri Pal <d...@redhat.com
> > <mailto:d...@redhat.com>> wrote:
> >
> >     On 03/20/2015 07:40 PM, Roberto Cornacchia wrote:
> >>     Two log files in attachment (the other files in /var/log/sssd are
> >>     all empty).
> >>
> >>     I'll also go through the troubleshooting page again, thanks
> >>
> >
> >     Do the logs include an id call for admin?
> >     I do not see any instance of the word "admin" in the log.
> >
> >
> >>
> >>     On 20 March 2015 at 23:03, Dmitri Pal <d...@redhat.com
> >>     <mailto:d...@redhat.com>> wrote:
> >>
> >>         On 03/20/2015 05:59 PM, Roberto Cornacchia wrote:
> >>>         SSSD logs are empty so far.
> >>
> >>         This is wrong.
> >>
> >>>         Isn't sssd.conf written by ipa-client-install?
> >>
> >>         Yes
> >>
> >>>         If I raise the debug level after client installation,
> >>
> >>         (and restart)
> >>
> >>>         what activities do you suggest to attempt from the client?
> >>         the ones that fail. getent call that returns nothing.
> >>         Also try 'id'.
> >>
> >>         http://www.freeipa.org/page/Troubleshooting#Client_Installation
> >>         https://fedorahosted.org/sssd/wiki/Troubleshooting
> >>
> >>>
> >>>
> >>>         On 20 March 2015 at 22:37, Dmitri Pal <d...@redhat.com
> >>>         <mailto:d...@redhat.com>> wrote:
> >>>
> >>>             On 03/20/2015 05:28 PM, Roberto Cornacchia wrote:
> >>>>             It certainly gets there, because the client gets in fact
> >>>>             enrolled as a domain host. I can see it from the UI in
> >>>>             Identity / Hosts. But not in the DNS zone.
> >>>>
> >>>>             *Before ipa-client-install, all these do work: *
> >>>>
> >>>>             $ ssh ipa.hq.example.com <http://ipa.hq.example.com>
> >>>>             $ ntpdate ipa.hq.example.com <http://ipa.hq.example.com>
> >>>>             $ ldapsearch -x -h ipa.hq.example.com
> >>>>             <http://ipa.hq.example.com> -b dc=hq,dc=example,dc=com
> >>>>             uid=admin
> >>>>
> >>>>
> >>>>             *After running ipa-client-install, all these do work:*
> >>>>
> >>>>             $ kinit admin
> >>>>             Password for ad...@hq.example.com
> >>>>             <mailto:ad...@hq.example.com>:
> >>>>             $ ipa dnszone-show --all
> >>>>             [...]
> >>>>             $ ntpq -p
> >>>>                  remote           refid      st t when poll reach
> >>>>             delay   offset  jitter
> >>>>
>  
> ==============================================================================
> >>>>             *ipa.hq.example. 131.155.140.130  3 u   19   64    1
> >>>>              0.415   -0.006   0.000
> >>>>              LOCAL(0)        .LOCL.           5 l    -   64    0
> >>>>              0.000    0.000   0.000
> >>>>
> >>>>             *But this does NOT work:*
> >>>>             $ getent passwd ad...@hq.example.com
> >>>>             <mailto:ad...@hq.example.com>
> >>>
> >>>             What do SSSD logs show on the client?
> >>>             Please rise the SSSD debug_level and provide SSSD logs.
> >>>
> >>>>
> >>>>             *On the server, in /var/log/krb5kdc.log, I see many of
> >>>>             these:*
> >>>>
> >>>>             Mar 20 21:53:17 ipa.hq.example.com
> >>>>             <http://ipa.hq.example.com> krb5kdc[9229](info): AS_REQ
> >>>>             (6 etypes {18 17 16 23 25 26}) 192.168.0.207
> >>>>             <http://192.168.0.207>: NEEDED_PREAUTH:
> >>>>             ad...@hq.example.com <mailto:ad...@hq.example.com> for
> >>>>             krbtgt/hq.example....@hq.example.com
> >>>>             <mailto:c...@hq.example.com>, Additional
> >>>>             pre-authentication required
> >>>>             Mar 20 21:53:17 ipa.hq.example.com
> >>>>             <http://ipa.hq.example.com> krb5kdc[9229](info): AS_REQ
> >>>>             (6 etypes {18 17 16 23 25 26}) 192.168.0.207
> >>>>             <http://192.168.0.207>: ISSUE: authtime 1426884797,
> >>>>             etypes {rep=18 tkt=18 ses=18}, ad...@hq.example.com
> >>>>             <mailto:ad...@hq.example.com> for
> >>>>             krbtgt/hq.example....@hq.example.com
> >>>>             <mailto:hq.example....@hq.example.com>
> >>>
> >>>             This is not an error. It is a normal user authentication.
> >>>             OK so it is DNS that is not working. Is DNS server
> >>>             running on the server?
> >>>             What do Bind logs show?
> >>>
> >>>
> >>>>
> >>>>             192.168.0.207 is the IP of the client I'm trying to
> >>>>             install. However, higher up in the log, I also see such
> >>>>             errors for the ipa server itself.
> >>>>
> >>>>             On 20 March 2015 at 20:24, Dmitri Pal <d...@redhat.com
> >>>>             <mailto:d...@redhat.com>> wrote:
> >>>>
> >>>>                 On 03/20/2015 02:48 PM, Roberto Cornacchia wrote:
> >>>>>                 No, all real machines.
> >>>>>
> >>>>>                 I'm really sorry it's taking so much of your time.
> >>>>>                 I had tried almost everything on a VM setting
> >>>>>                 first, and everything was fine.
> >>>>>                 Everything always works fine, until you actually
> >>>>>                 need it.
> >>>>
> >>>>
> >>>>                 We try to help as much as we can.
> >>>>                 Can you do LDAP lookups as a directory manager from
> >>>>                 client host to server?
> >>>>                 Can you ssh from client to server?
> >>>>
> >>>>                 When you try to install client is there anything in
> >>>>                 the logs on the server? Does it even get there?
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>>
> >>>>>
> >>>>>                 On 20 March 2015 at 19:41, Dmitri Pal
> >>>>>                 <d...@redhat.com <mailto:d...@redhat.com>> wrote:
> >>>>>
> >>>>>                     On 03/20/2015 01:57 PM, Roberto Cornacchia wrote:
> >>>>>>                     But the ipa server itself is also enrolled as
> >>>>>>                     a client, just after the server installation,
> >>>>>>                     right?. And that worked fine.
> >>>>>
> >>>>>                     Are these VMs?
> >>>>>                     There have been a similar case when the network
> >>>>>                     was not set properly for the virtual test
> >>>>>                     environment.
> >>>>>
> >>>>>
> >>>>>>
> >>>>>>                     On 20 March 2015 at 18:55, Roberto Cornacchia
> >>>>>>                     <roberto.cornacc...@gmail.com
> >>>>>>                     <mailto:roberto.cornacc...@gmail.com>> wrote:
> >>>>>>
> >>>>>>                         No, sorry about the confusion, i shouldn't
> >>>>>>                         have posted so quickly.
> >>>>>>
> >>>>>>                         When I use the correct domain
> >>>>>>                         (hq.example.com <http://hq.example.com>),
> >>>>>>                         then I really get all the same errors as
> >>>>>>                         before, also in the new client.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>                         On 20 Mar 2015 18:39, "Dmitri Pal"
> >>>>>>                         <d...@redhat.com <mailto:d...@redhat.com>>
> >>>>>>                         wrote:
> >>>>>>
> >>>>>>                             On 03/20/2015 01:25 PM, Roberto
> >>>>>>                             Cornacchia wrote:
> >>>>>>>                             Oops. Not true, forget last email.
> >>>>>>>
> >>>>>>>                             This secon client installation went
> >>>>>>>                             different just because it took the
> >>>>>>>                             wrong domain.
> >>>>>>>                             It used *example.com
> >>>>>>>                             <http://example.com>* (what was
> >>>>>>>                             previously set) instead of
> >>>>>>>                             *hq.example.com <http://hq.example.com
> >*
> >>>>>>>
> >>>>>>>                             Uninstalled, tried again with
> >>>>>>>                             --hostname=photon.hq.example.com
> >>>>>>>                             <http://photon.hq.example.com>
> >>>>>>>                             And then it behaves precisely like
> >>>>>>>                             the previous client.
> >>>>>>>
> >>>>>>>                             So something seems wrong in the server.
> >>>>>>>
> >>>>>>>                             On 20 March 2015 at 18:18, Roberto
> >>>>>>>                             Cornacchia
> >>>>>>>                             <roberto.cornacc...@gmail.com
> >>>>>>>                             <mailto:roberto.cornacc...@gmail.com>>
> wrote:
> >>>>>>>
> >>>>>>>                                 Update:
> >>>>>>>                                 I tried from another client. Also
> >>>>>>>                                 FC21, same network, same settings
> >>>>>>>                                 from the same DHCP.
> >>>>>>>                                 But obviously it must have
> >>>>>>>                                 something different because it
> >>>>>>>                                 partially succeeded.
> >>>>>>>
> >>>>>>>                                 - I do not get errors about LDAP
> >>>>>>>                                 users.
> >>>>>>>                                 - I do not get errors about DNS
> >>>>>>>                                 update
> >>>>>>>
> >>>>>>>                                 However:
> >>>>>>>                                 - I still get the initial error
> >>>>>>>                                 about NTP
> >>>>>>>                                 - The host is enrolled, but not
> >>>>>>>                                 added to the DNS zone
> >>>>>>>
> >>>>>>>                                 Now, I don't care much about the
> >>>>>>>                                 previous client. It was pretty
> >>>>>>>                                 much empty and can re-install
> >>>>>>>                                 Fedora from scratch.
> >>>>>>>
> >>>>>>>                                 But I'd like to understand if
> >>>>>>>                                 this is still a problem.
> >>>>>>>                                 It should be added to the zone,
> >>>>>>>                                 shouldn't it?
> >>>>>>>
> >>>>>>>                                 $ ipa-client-install --mkhomedir
> >>>>>>>                                 --ssh-trust-dns --force-ntpd
> >>>>>>>                                 Discovery was successful!
> >>>>>>>                                 Hostname: photon.example.com
> >>>>>>>                                 <http://photon.example.com>
> >>>>>>>                                 Realm: HQ.EXAMPLE.COM
> >>>>>>>                                 <http://HQ.EXAMPLE.COM>
> >>>>>>>                                 DNS Domain: hq.example.com
> >>>>>>>                                 <http://hq.example.com>
> >>>>>>>                                 IPA Server: ipa.hq.example.com
> >>>>>>>                                 <http://ipa.hq.example.com>
> >>>>>>>                                 BaseDN: dc=hq,dc=example,dc=com
> >>>>>>>
> >>>>>>>                                 Continue to configure the system
> >>>>>>>                                 with these values? [no]: yes
> >>>>>>>                                 Synchronizing time with KDC...
> >>>>>>>                                 *Unable to sync time with IPA NTP
> >>>>>>>                                 server, assuming the time is in
> >>>>>>>                                 sync. Please check that 123 UDP
> >>>>>>>                                 port is opened.*
> >>>>>>>                                 User authorized to enroll
> >>>>>>>                                 computers: admin
> >>>>>>>                                 Password for ad...@hq.example.com
> >>>>>>>                                 <mailto:ad...@hq.example.com>:
> >>>>>>>                                 Successfully retrieved CA cert
> >>>>>>>                                     Subject:     CN=Certificate
> >>>>>>>                                 Authority,O=HQ.EXAMPLE.COM
> >>>>>>>                                 <http://HQ.EXAMPLE.COM>
> >>>>>>>                                     Issuer:      CN=Certificate
> >>>>>>>                                 Authority,O=HQ.EXAMPLE.COM
> >>>>>>>                                 <http://HQ.EXAMPLE.COM>
> >>>>>>>                                     Valid From:  Mon Mar 16
> >>>>>>>                                 18:44:35 2015 UTC
> >>>>>>>                                     Valid Until: Fri Mar 16
> >>>>>>>                                 18:44:35 2035 UTC
> >>>>>>>
> >>>>>>>                                 Enrolled in IPA realm
> >>>>>>>                                 HQ.EXAMPLE.COM
> >>>>>>>                                 <http://HQ.EXAMPLE.COM>
> >>>>>>>                                 Created /etc/ipa/default.conf
> >>>>>>>                                 New SSSD config will be created
> >>>>>>>                                 Configured sudoers in
> >>>>>>>                                 /etc/nsswitch.conf
> >>>>>>>                                 Configured /etc/sssd/sssd.conf
> >>>>>>>                                 Configured /etc/krb5.conf for IPA
> >>>>>>>                                 realm HQ.EXAMPLE.COM
> >>>>>>>                                 <http://HQ.EXAMPLE.COM>
> >>>>>>>                                 trying
> >>>>>>>
> https://ipa.hq.example.com/ipa/json
> >>>>>>>                                 Forwarding 'ping' to json server
> >>>>>>>                                 '
> https://ipa.hq.example.com/ipa/json'
> >>>>>>>                                 Forwarding 'ca_is_enabled' to
> >>>>>>>                                 json server
> >>>>>>>                                 '
> https://ipa.hq.example.com/ipa/json'
> >>>>>>>                                 Systemwide CA database updated.
> >>>>>>>                                 Added CA certificates to the
> >>>>>>>                                 default NSS database.
> >>>>>>>                                 Adding SSH public key from
> >>>>>>>                                 /etc/ssh/ssh_host_rsa_key.pub
> >>>>>>>                                 Adding SSH public key from
> >>>>>>>                                 /etc/ssh/ssh_host_ed25519_key.pub
> >>>>>>>                                 Adding SSH public key from
> >>>>>>>                                 /etc/ssh/ssh_host_dsa_key.pub
> >>>>>>>                                 Adding SSH public key from
> >>>>>>>                                 /etc/ssh/ssh_host_ecdsa_key.pub
> >>>>>>>                                 Forwarding 'host_mod' to json
> >>>>>>>                                 server
> >>>>>>>                                 '
> https://ipa.hq.example.com/ipa/json'
> >>>>>>>                                 *Could not update DNS SSHFP
> records.*
> >>>>>>>                                 SSSD enabled
> >>>>>>>                                 Configured /etc/openldap/ldap.conf
> >>>>>>>                                 NTP enabled
> >>>>>>>                                 Configured /etc/ssh/ssh_config
> >>>>>>>                                 Configured /etc/ssh/sshd_config
> >>>>>>>                                 Configuring hq.example.com
> >>>>>>>                                 <http://hq.example.com> as NIS
> >>>>>>>                                 domain.
> >>>>>>>                                 Client configuration complete.
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>>                             It is different. It does not have the
> >>>>>>                             same failure about admin as you had in
> >>>>>>                             the first email.
> >>>>>>                             So may be it is the permissions issue
> >>>>>>                             and a separate NTP issue?
> >>>>>>                             Did you play with any permissions on
> >>>>>>                             the server side?
> >>>>>>
> >>>>>>
> >>>>>>                             --
> >>>>>>                             Thank you,
> >>>>>>                             Dmitri Pal
> >>>>>>
> >>>>>>                             Sr. Engineering Manager IdM portfolio
> >>>>>>                             Red Hat, Inc.
> >>>>>>
> >>>>>>
> >>>>>>                             --
> >>>>>>                             Manage your subscription for the
> >>>>>>                             Freeipa-users mailing list:
> >>>>>>
> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>>>>                             Go to http://freeipa.org for more info
> >>>>>>                             on the project
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>
> >>>>>
> >>>>>                     --
> >>>>>                     Thank you,
> >>>>>                     Dmitri Pal
> >>>>>
> >>>>>                     Sr. Engineering Manager IdM portfolio
> >>>>>                     Red Hat, Inc.
> >>>>>
> >>>>>
> >>>>>                     --
> >>>>>                     Manage your subscription for the Freeipa-users
> >>>>>                     mailing list:
> >>>>>
> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>>>                     Go to http://freeipa.org for more info on the
> >>>>>                     project
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>>                 --
> >>>>                 Thank you,
> >>>>                 Dmitri Pal
> >>>>
> >>>>                 Sr. Engineering Manager IdM portfolio
> >>>>                 Red Hat, Inc.
> >>>>
> >>>>
> >>>>                 --
> >>>>                 Manage your subscription for the Freeipa-users
> >>>>                 mailing list:
> >>>>                 https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>>                 Go to http://freeipa.org for more info on the project
> >>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >>>             --
> >>>             Thank you,
> >>>             Dmitri Pal
> >>>
> >>>             Sr. Engineering Manager IdM portfolio
> >>>             Red Hat, Inc.
> >>>
> >>>
> >>>             --
> >>>             Manage your subscription for the Freeipa-users mailing
> list:
> >>>             https://www.redhat.com/mailman/listinfo/freeipa-users
> >>>             Go to http://freeipa.org for more info on the project
> >>>
> >>>
> >>>
> >>>
> >>
> >>
> >>         --
> >>         Thank you,
> >>         Dmitri Pal
> >>
> >>         Sr. Engineering Manager IdM portfolio
> >>         Red Hat, Inc.
> >>
> >>
> >>         --
> >>         Manage your subscription for the Freeipa-users mailing list:
> >>         https://www.redhat.com/mailman/listinfo/freeipa-users
> >>         Go to http://freeipa.org for more info on the project
> >>
> >>
> >>
> >>
> >
> >
> >     --
> >     Thank you,
> >     Dmitri Pal
> >
> >     Sr. Engineering Manager IdM portfolio
> >     Red Hat, Inc.
> >
> >
> >     --
> >     Manage your subscription for the Freeipa-users mailing list:
> >     https://www.redhat.com/mailman/listinfo/freeipa-users
> >     Go to http://freeipa.org for more info on the project
> >
> >
> >
> >
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to