On 03/22/2015 11:24 AM, Roberto Cornacchia wrote:
Thanks Rob.

Knowing that /etc/nsswitch.conf is created wrongly is a step forward, although we don't know why that happens yet. I'm not very keen on fixing it post-installation (except if this is just to learn more about the issue), even if this seems to solve problems. I'm not going to deploy FreeIPA for real before I can at least successfully run a plain installation.

It seems SELinux can be ruled out as well.
I switched to permissive mode and tried again, no difference.

And so far I haven't been able to find anything useful in the logs.

What strikes me is that these are really plain and up-to-date FC21 machines, and my deployment was as from the book. The last of the settings you'd expect issues from.

Can anyone (user or developer) confirm successful deployment of both server and client on up-to-date (updated this week) FC21 systems? I know it's maybe a bit far-fetched, but could any of the latest FC updates have created the issue?

Maybe.
To configure nsswitch we call authconfig, so maybe there is something weird with it. Can you check?


On 21 March 2015 at 17:26, Rob Crittenden <rcrit...@redhat.com> wrote:

    Roberto Cornacchia wrote:
    > Hi Rob,
    > Yes, sssd is running and this is sssd.conf:
    > [domain/hq.example.com]
    > debug_level=9
    > cache_credentials = True
    > krb5_store_password_if_offline = True
    > ipa_domain = hq.example.com
    > id_provider = ipa
    > auth_provider = ipa
    > access_provider = ipa
    > ipa_hostname = meson.hq.example.com
    > chpass_provider = ipa
    > ipa_server = _srv_, ipa.hq.example.com
    > ldap_tls_cacert = /etc/ipa/ca.crt
    > [sssd]
    > services = nss, sudo, pam, ssh
    > config_file_version = 2
    > domains = hq.example.com
    > [nss]
    > homedir_substring = /home
    > debug_level=9
    > [pam]
    > [sudo]
    > [autofs]
    > [ssh]
    > [pac]
    > [ifp]

    Ok, that's good. Maybe authconfig didn't do the right thing. I'd
    add sss
    to these values in /etc/nsswitch.conf, grepp'd from mine:

    passwd:     files sss
    shadow:     files sss
    group:      files sss
    services:   files sss
    netgroup:   files sss
    automount:  files sss
    sudoers:    sss

    You've got quite a mix of odd things happening during install. It
    seems like DNS and firewall can be ruled out given that lots of other
    operations are working fine, and you've confirmed that NTP works.

    I guess working on a cleanish system, the things I'd look for on both
    client and server are the system logs to see if any errors are being
    thrown to syslog or service-specific logs.

    And I'd check for SELinux errors on the client if you're in
    enforcing mode.


Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
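
A read-only check for the nsswitch.conf entries listed in the quoted reply above, added here as an example; it is not part of the thread and not FreeIPA's own tooling. The function name `missing_sss_dbs` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which NSS databases in an nsswitch.conf lack the
# "sss" source. The database list is the one quoted in the thread.
SSS_DBS="passwd shadow group services netgroup automount sudoers"

# missing_sss_dbs FILE
# Prints, space-separated, every database from SSS_DBS that is absent from
# FILE (or commented out) or whose source list does not contain "sss".
# Assumption: one active line per database; if duplicated, the first is used.
missing_sss_dbs() {
    file=$1
    missing=""
    for db in $SSS_DBS; do
        # Strip comments, then pick the active line for this database.
        line=$(sed -e 's/#.*$//' "$file" \
               | grep -E "^[[:space:]]*${db}:" | head -n 1) || true
        # Keep only the source list and normalise tabs to spaces.
        sources=$(printf '%s' "${line#*:}" | tr '\t' ' ')
        # Match "sss" as a whole word so that e.g. "sssd" does not count.
        case " $sources " in
            *" sss "*) ;;
            *) missing="${missing}${missing:+ }${db}" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# Constructed sample of a partially configured client (not from the thread).
sample=$(mktemp)
cat > "$sample" <<'EOF'
passwd:     files sss
shadow:     files
group:      files sss   # trailing comment
hosts:      files dns
services:   files sss
netgroup:   nisplus
#automount: files sss
sudoers:    files	sss
EOF
missing_sss_dbs "$sample"
rm -f "$sample"
```

On a real client, call `missing_sss_dbs /etc/nsswitch.conf`; an empty line of output means every listed database already has `sss`.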
