Hi Rob, Yes, sssd is running and this is sssd.conf:
[domain/hq.example.com] debug_level=9 cache_credentials = True krb5_store_password_if_offline = True ipa_domain = hq.example.com id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = meson.hq.example.com chpass_provider = ipa ipa_server = _srv_, ipa.hq.example.com ldap_tls_cacert = /etc/ipa/ca.crt [sssd] services = nss, sudo, pam, ssh config_file_version = 2 domains = hq.example.com [nss] homedir_substring = /home debug_level=9 [pam] [sudo] [autofs] [ssh] [pac] [ifp] On 21 March 2015 at 17:05, Rob Crittenden <[email protected]> wrote: > Roberto Cornacchia wrote: > > Indeed, id admin does not work and there is no sign of it in the log. > > > > From the client (with admin-tools installed): > > > > $ kinit admin > > Password for [email protected] <mailto:[email protected]>: > > $ ipa user-show admin > > User login: admin > > Last name: Administrator > > Home directory: /home/admin > > Login shell: /bin/bash > > UID: 1172000000 > > GID: 1172000000 > > Account disabled: False > > Password: True > > Member of groups: trust admins, admins > > Kerberos keys available: True > > $ id admin > > id: admin: no such user > > $ getent passwd [email protected] <mailto:[email protected]> > > $ grep admin /var/log/sssd/* > > $ > > This is because sssd is not configured in nsswitch.conf to serve > anything other than sudo. > > I see in the client install log you posted in the first message of the > thread that there was no pre-existing sssd.conf so it created a new one, > but that shouldn't be an issue. > > What does sssd.conf look like and is sssd running? > > rob > > > > > > > On 21 March 2015 at 01:01, Dmitri Pal <[email protected] > > <mailto:[email protected]>> wrote: > > > > On 03/20/2015 07:40 PM, Roberto Cornacchia wrote: > >> Two log files in attachment (the other files in /var/log/sssd are > >> all empty). > >> > >> I'll also go through the troubleshooting page again, thanks > >> > > > > Do the logs include an id call for admin? > > I do not see any instance of the word "admin" in the log. > > > > > >> > >> On 20 March 2015 at 23:03, Dmitri Pal <[email protected] > >> <mailto:[email protected]>> wrote: > >> > >> On 03/20/2015 05:59 PM, Roberto Cornacchia wrote: > >>> SSSD logs are empty so far. > >> > >> This is wrong. > >> > >>> Isn't sssd.conf written by ipa-client-install? > >> > >> Yes > >> > >>> If I raise the debug level after client installation, > >> > >> (and restart) > >> > >>> what activities do you suggest to attempt from the client? > >> the ones that fail. getent call that returns nothing. > >> Also try 'id'. > >> > >> http://www.freeipa.org/page/Troubleshooting#Client_Installation > >> https://fedorahosted.org/sssd/wiki/Troubleshooting > >> > >>> > >>> > >>> On 20 March 2015 at 22:37, Dmitri Pal <[email protected] > >>> <mailto:[email protected]>> wrote: > >>> > >>> On 03/20/2015 05:28 PM, Roberto Cornacchia wrote: > >>>> It certainly gets there, because the client gets in fact > >>>> enrolled as a domain host. I can see it from the UI in > >>>> Identity / Hosts. But not in the DNS zone. > >>>> > >>>> *Before ipa-client-install, all these do work: * > >>>> > >>>> $ ssh ipa.hq.example.com <http://ipa.hq.example.com> > >>>> $ ntpdate ipa.hq.example.com <http://ipa.hq.example.com> > >>>> $ ldapsearch -x -h ipa.hq.example.com > >>>> <http://ipa.hq.example.com> -b dc=hq,dc=example,dc=com > >>>> uid=admin > >>>> > >>>> > >>>> *After running ipa-client-install, all these do work:* > >>>> > >>>> $ kinit admin > >>>> Password for [email protected] > >>>> <mailto:[email protected]>: > >>>> $ ipa dnszone-show --all > >>>> [...] > >>>> $ ntpq -p > >>>> remote refid st t when poll reach > >>>> delay offset jitter > >>>> > > ============================================================================== > >>>> *ipa.hq.example. 131.155.140.130 3 u 19 64 1 > >>>> 0.415 -0.006 0.000 > >>>> LOCAL(0) .LOCL. 5 l - 64 0 > >>>> 0.000 0.000 0.000 > >>>> > >>>> *But this does NOT work:* > >>>> $ getent passwd [email protected] > >>>> <mailto:[email protected]> > >>> > >>> What do SSSD logs show on the client? > >>> Please rise the SSSD debug_level and provide SSSD logs. > >>> > >>>> > >>>> *On the server, in /var/log/krb5kdc.log, I see many of > >>>> these:* > >>>> > >>>> Mar 20 21:53:17 ipa.hq.example.com > >>>> <http://ipa.hq.example.com> krb5kdc[9229](info): AS_REQ > >>>> (6 etypes {18 17 16 23 25 26}) 192.168.0.207 > >>>> <http://192.168.0.207>: NEEDED_PREAUTH: > >>>> [email protected] <mailto:[email protected]> for > >>>> krbtgt/[email protected] > >>>> <mailto:[email protected]>, Additional > >>>> pre-authentication required > >>>> Mar 20 21:53:17 ipa.hq.example.com > >>>> <http://ipa.hq.example.com> krb5kdc[9229](info): AS_REQ > >>>> (6 etypes {18 17 16 23 25 26}) 192.168.0.207 > >>>> <http://192.168.0.207>: ISSUE: authtime 1426884797, > >>>> etypes {rep=18 tkt=18 ses=18}, [email protected] > >>>> <mailto:[email protected]> for > >>>> krbtgt/[email protected] > >>>> <mailto:[email protected]> > >>> > >>> This is not an error. It is a normal user authentication. > >>> OK so it is DNS that is not working. Is DNS server > >>> running on the server? > >>> What do Bind logs show? > >>> > >>> > >>>> > >>>> 192.168.0.207 is the IP of the client I'm trying to > >>>> install. However, higher up in the log, I also see such > >>>> errors for the ipa server itself. > >>>> > >>>> On 20 March 2015 at 20:24, Dmitri Pal <[email protected] > >>>> <mailto:[email protected]>> wrote: > >>>> > >>>> On 03/20/2015 02:48 PM, Roberto Cornacchia wrote: > >>>>> No, all real machines. > >>>>> > >>>>> I'm really sorry it's taking so much of your time. > >>>>> I had tried almost everything on a VM setting > >>>>> first, and everything was fine. > >>>>> Everything always works fine, until you actually > >>>>> need it. > >>>> > >>>> > >>>> We try to help as much as we can. > >>>> Can you do LDAP lookups as a directory manager from > >>>> client host to server? > >>>> Can you ssh from client to server? > >>>> > >>>> When you try to install client is there anything in > >>>> the logs on the server? Does it even get there? > >>>> > >>>> > >>>> > >>>> > >>>>> > >>>>> > >>>>> On 20 March 2015 at 19:41, Dmitri Pal > >>>>> <[email protected] <mailto:[email protected]>> wrote: > >>>>> > >>>>> On 03/20/2015 01:57 PM, Roberto Cornacchia wrote: > >>>>>> But the ipa server itself is also enrolled as > >>>>>> a client, just after the server installation, > >>>>>> right?. And that worked fine. > >>>>> > >>>>> Are these VMs? > >>>>> There have been a similar case when the network > >>>>> was not set properly for the virtual test > >>>>> environment. > >>>>> > >>>>> > >>>>>> > >>>>>> On 20 March 2015 at 18:55, Roberto Cornacchia > >>>>>> <[email protected] > >>>>>> <mailto:[email protected]>> wrote: > >>>>>> > >>>>>> No, sorry about the confusion, i shouldn't > >>>>>> have posted so quickly. > >>>>>> > >>>>>> When I use the correct domain > >>>>>> (hq.example.com <http://hq.example.com>), > >>>>>> then I really get all the same errors as > >>>>>> before, also in the new client. > >>>>>> > >>>>>> > >>>>>> > >>>>>> On 20 Mar 2015 18:39, "Dmitri Pal" > >>>>>> <[email protected] <mailto:[email protected]>> > >>>>>> wrote: > >>>>>> > >>>>>> On 03/20/2015 01:25 PM, Roberto > >>>>>> Cornacchia wrote: > >>>>>>> Oops. Not true, forget last email. > >>>>>>> > >>>>>>> This secon client installation went > >>>>>>> different just because it took the > >>>>>>> wrong domain. > >>>>>>> It used *example.com > >>>>>>> <http://example.com>* (what was > >>>>>>> previously set) instead of > >>>>>>> *hq.example.com <http://hq.example.com > >* > >>>>>>> > >>>>>>> Uninstalled, tried again with > >>>>>>> --hostname=photon.hq.example.com > >>>>>>> <http://photon.hq.example.com> > >>>>>>> And then it behaves precisely like > >>>>>>> the previous client. > >>>>>>> > >>>>>>> So something seems wrong in the server. > >>>>>>> > >>>>>>> On 20 March 2015 at 18:18, Roberto > >>>>>>> Cornacchia > >>>>>>> <[email protected] > >>>>>>> <mailto:[email protected]>> > wrote: > >>>>>>> > >>>>>>> Update: > >>>>>>> I tried from another client. Also > >>>>>>> FC21, same network, same settings > >>>>>>> from the same DHCP. > >>>>>>> But obviously it must have > >>>>>>> something different because it > >>>>>>> partially succeeded. > >>>>>>> > >>>>>>> - I do not get errors about LDAP > >>>>>>> users. > >>>>>>> - I do not get errors about DNS > >>>>>>> update > >>>>>>> > >>>>>>> However: > >>>>>>> - I still get the initial error > >>>>>>> about NTP > >>>>>>> - The host is enrolled, but not > >>>>>>> added to the DNS zone > >>>>>>> > >>>>>>> Now, I don't care much about the > >>>>>>> previous client. It was pretty > >>>>>>> much empty and can re-install > >>>>>>> Fedora from scratch. > >>>>>>> > >>>>>>> But I'd like to understand if > >>>>>>> this is still a problem. > >>>>>>> It should be added to the zone, > >>>>>>> shouldn't it? > >>>>>>> > >>>>>>> $ ipa-client-install --mkhomedir > >>>>>>> --ssh-trust-dns --force-ntpd > >>>>>>> Discovery was successful! > >>>>>>> Hostname: photon.example.com > >>>>>>> <http://photon.example.com> > >>>>>>> Realm: HQ.EXAMPLE.COM > >>>>>>> <http://HQ.EXAMPLE.COM> > >>>>>>> DNS Domain: hq.example.com > >>>>>>> <http://hq.example.com> > >>>>>>> IPA Server: ipa.hq.example.com > >>>>>>> <http://ipa.hq.example.com> > >>>>>>> BaseDN: dc=hq,dc=example,dc=com > >>>>>>> > >>>>>>> Continue to configure the system > >>>>>>> with these values? [no]: yes > >>>>>>> Synchronizing time with KDC... > >>>>>>> *Unable to sync time with IPA NTP > >>>>>>> server, assuming the time is in > >>>>>>> sync. Please check that 123 UDP > >>>>>>> port is opened.* > >>>>>>> User authorized to enroll > >>>>>>> computers: admin > >>>>>>> Password for [email protected] > >>>>>>> <mailto:[email protected]>: > >>>>>>> Successfully retrieved CA cert > >>>>>>> Subject: CN=Certificate > >>>>>>> Authority,O=HQ.EXAMPLE.COM > >>>>>>> <http://HQ.EXAMPLE.COM> > >>>>>>> Issuer: CN=Certificate > >>>>>>> Authority,O=HQ.EXAMPLE.COM > >>>>>>> <http://HQ.EXAMPLE.COM> > >>>>>>> Valid From: Mon Mar 16 > >>>>>>> 18:44:35 2015 UTC > >>>>>>> Valid Until: Fri Mar 16 > >>>>>>> 18:44:35 2035 UTC > >>>>>>> > >>>>>>> Enrolled in IPA realm > >>>>>>> HQ.EXAMPLE.COM > >>>>>>> <http://HQ.EXAMPLE.COM> > >>>>>>> Created /etc/ipa/default.conf > >>>>>>> New SSSD config will be created > >>>>>>> Configured sudoers in > >>>>>>> /etc/nsswitch.conf > >>>>>>> Configured /etc/sssd/sssd.conf > >>>>>>> Configured /etc/krb5.conf for IPA > >>>>>>> realm HQ.EXAMPLE.COM > >>>>>>> <http://HQ.EXAMPLE.COM> > >>>>>>> trying > >>>>>>> > https://ipa.hq.example.com/ipa/json > >>>>>>> Forwarding 'ping' to json server > >>>>>>> ' > https://ipa.hq.example.com/ipa/json' > >>>>>>> Forwarding 'ca_is_enabled' to > >>>>>>> json server > >>>>>>> ' > https://ipa.hq.example.com/ipa/json' > >>>>>>> Systemwide CA database updated. > >>>>>>> Added CA certificates to the > >>>>>>> default NSS database. > >>>>>>> Adding SSH public key from > >>>>>>> /etc/ssh/ssh_host_rsa_key.pub > >>>>>>> Adding SSH public key from > >>>>>>> /etc/ssh/ssh_host_ed25519_key.pub > >>>>>>> Adding SSH public key from > >>>>>>> /etc/ssh/ssh_host_dsa_key.pub > >>>>>>> Adding SSH public key from > >>>>>>> /etc/ssh/ssh_host_ecdsa_key.pub > >>>>>>> Forwarding 'host_mod' to json > >>>>>>> server > >>>>>>> ' > https://ipa.hq.example.com/ipa/json' > >>>>>>> *Could not update DNS SSHFP > records.* > >>>>>>> SSSD enabled > >>>>>>> Configured /etc/openldap/ldap.conf > >>>>>>> NTP enabled > >>>>>>> Configured /etc/ssh/ssh_config > >>>>>>> Configured /etc/ssh/sshd_config > >>>>>>> Configuring hq.example.com > >>>>>>> <http://hq.example.com> as NIS > >>>>>>> domain. > >>>>>>> Client configuration complete. > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>>> > >>>>>> > >>>>>> It is different. It does not have the > >>>>>> same failure about admin as you had in > >>>>>> the first email. > >>>>>> So may be it is the permissions issue > >>>>>> and a separate NTP issue? > >>>>>> Did you play with any permissions on > >>>>>> the server side? > >>>>>> > >>>>>> > >>>>>> -- > >>>>>> Thank you, > >>>>>> Dmitri Pal > >>>>>> > >>>>>> Sr. Engineering Manager IdM portfolio > >>>>>> Red Hat, Inc. > >>>>>> > >>>>>> > >>>>>> -- > >>>>>> Manage your subscription for the > >>>>>> Freeipa-users mailing list: > >>>>>> > https://www.redhat.com/mailman/listinfo/freeipa-users > >>>>>> Go to http://freeipa.org for more info > >>>>>> on the project > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>> > >>>>> > >>>>> -- > >>>>> Thank you, > >>>>> Dmitri Pal > >>>>> > >>>>> Sr. Engineering Manager IdM portfolio > >>>>> Red Hat, Inc. > >>>>> > >>>>> > >>>>> -- > >>>>> Manage your subscription for the Freeipa-users > >>>>> mailing list: > >>>>> > https://www.redhat.com/mailman/listinfo/freeipa-users > >>>>> Go to http://freeipa.org for more info on the > >>>>> project > >>>>> > >>>>> > >>>>> > >>>>> > >>>> > >>>> > >>>> -- > >>>> Thank you, > >>>> Dmitri Pal > >>>> > >>>> Sr. Engineering Manager IdM portfolio > >>>> Red Hat, Inc. > >>>> > >>>> > >>>> -- > >>>> Manage your subscription for the Freeipa-users > >>>> mailing list: > >>>> https://www.redhat.com/mailman/listinfo/freeipa-users > >>>> Go to http://freeipa.org for more info on the project > >>>> > >>>> > >>>> > >>>> > >>> > >>> > >>> -- > >>> Thank you, > >>> Dmitri Pal > >>> > >>> Sr. Engineering Manager IdM portfolio > >>> Red Hat, Inc. > >>> > >>> > >>> -- > >>> Manage your subscription for the Freeipa-users mailing > list: > >>> https://www.redhat.com/mailman/listinfo/freeipa-users > >>> Go to http://freeipa.org for more info on the project > >>> > >>> > >>> > >>> > >> > >> > >> -- > >> Thank you, > >> Dmitri Pal > >> > >> Sr. Engineering Manager IdM portfolio > >> Red Hat, Inc. > >> > >> > >> -- > >> Manage your subscription for the Freeipa-users mailing list: > >> https://www.redhat.com/mailman/listinfo/freeipa-users > >> Go to http://freeipa.org for more info on the project > >> > >> > >> > >> > > > > > > -- > > Thank you, > > Dmitri Pal > > > > Sr. Engineering Manager IdM portfolio > > Red Hat, Inc. > > > > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > > > > > > > > > >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
