Thanks Rob.

Knowing that /etc/nsswitch.conf is created wrongly is a step forward,
although we don't know why that happens yet.
I'm not very keen on fixing it post-installation (except if this is just to
learn more about the issue), even if this seems to solve problems. I'm not
going to deploy freeIPA for real before I can at least run successfully a
plain installation.

It seems SELinux can be ruled out as well.
I switched to permissive mode and tried again, no difference.

And so far I haven't been able to find anything useful in the logs.

What strikes me is that these are really a plain and up to date FC21
machines, and my deployment was as from the book. The last of the settings
you'd expect issues from.

Can anyone (user or developer) confirm successful deployment of both server
and client on up-to-date (updated this week) FC21 systems? I know it's
maybe a bit far-fetched, but could any of the latest FC updates have
created the issue?

Roberto


On 21 March 2015 at 17:26, Rob Crittenden <rcrit...@redhat.com> wrote:

> Roberto Cornacchia wrote:
> > Hi Rob,
> >
> > Yes, sssd is running and this is sssd.conf:
> >
> > [domain/hq.example.com <http://hq.example.com>]
> > debug_level=9
> > cache_credentials = True
> > krb5_store_password_if_offline = True
> > ipa_domain = hq.example.com <http://hq.example.com>
> > id_provider = ipa
> > auth_provider = ipa
> > access_provider = ipa
> > ipa_hostname = meson.hq.example.com
> > chpass_provider = ipa
> > ipa_server = _srv_, ipa.hq.example.com
> > ldap_tls_cacert = /etc/ipa/ca.crt
> > [sssd]
> > services = nss, sudo, pam, ssh
> > config_file_version = 2
> >
> > domains = hq.example.com
> > [nss]
> > homedir_substring = /home
> > debug_level=9
> >
> > [pam]
> >
> > [sudo]
> >
> > [autofs]
> >
> > [ssh]
> >
> > [pac]
> >
> > [ifp]
>
> Ok, that's good. Maybe authconfig didn't do the right thing. I'd add sss
> to these values in /etc/nsswitch.conf, grepp'd from mine:
>
> passwd:     files sss
> shadow:     files sss
> group:      files sss
> services:   files sss
> netgroup:   files sss
> automount:  files sss
> sudoers:    sss
>
> You've got quite a mix of odd things happening during install. It seems
> like DNS and firewall can be ruled out given that lots of other
> operations are working fine, and you've confirmed that NTP works
> pre-install.
>
> I guess working on a cleanish system, the things I'd look for on both
> client and server are the system logs to see if any errors are being
> thrown to syslog or service-specific logs.
>
> And I'd check for SELinux errors on the client if you're in enforcing mode.
>
> rob
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to