Re: [Freeipa-users] reboot required after ipa-client-install?
On Fri, Nov 08, 2013 at 02:42:21PM -0600, Dean Hunter wrote:
> On Thu, 2013-11-07 at 22:17 -0500, Dmitri Pal wrote:
> > On 11/07/2013 06:20 PM, Dean Hunter wrote:
> > > On Thu, 2013-11-07 at 17:41 -0500, Dmitri Pal wrote:
> > > > On 11/07/2013 12:59 PM, Dean Hunter wrote:
> > > > > On Thu, 2013-11-07 at 12:36 -0500, Dmitri Pal wrote:
> > > > > > On 11/07/2013 12:21 PM, Dean Hunter wrote:
> > > > > > > On Thu, 2013-11-07 at 09:44 +0200, Alexander Bokovoy wrote:
> > > > > > > > On Wed, 06 Nov 2013, Dean Hunter wrote:
> > > > > > > > > After building a new VM and configuring the IPA 3.3.2 client, Gnome seems to only perform a local log-in until the system is rebooted. SSH works with IPA, but not Gnome.
> > > > > > > > > Is this correct? Is there anything less disruptive than a reboot that I can do?
> > > > > > > > Restart gdm.service? I'm not sure how gdm handles PAM auth.
> > > > > > > I have tried:
> > > > > > >
> > > > > > >     ipa-client-install ...
> > > > > > >     systemctl restart gdm.service
> > > > > > >
> > > > > > > but the behavior remains the same. The Gnome log-in screen accepts the user name, pauses about 25 seconds, then displays the log-in screen again without any messages or indication of a problem. This is the same behavior I see when entering an incorrect local user name before configuring IPA.
> > > > > > Can it be a DIR cache issue and the fact that the directory is not created at the proper time?
> > > > > Which directory, please?
> > > > If you are hitting the DIR cache issue (which I am not sure is the case, this is why I asked about AVCs) then the directory we are talking about is /var/run/usr/uid. This directory should be created by the kerberos library when it tries to authenticate a user. But it might not be able to since a parent directory /var/run/usr might not be created yet. This is one of the reasons why we decided not to continue the path of DIR cache but switched to using kernel based ccache.
> > > > > > Do you see any AVCs?
> > > > Question still stands.
> > > I see no AVCs:
> > >
> > >     [root@ipa ~]# ausearch --message AVC
> > >     no matches
> > >     [root@ipa ~]#
> > >
> > > I did find this in the man page for nsswitch.conf:
> > >
> > >     FILES
> > >         A service named SERVICE is implemented by a shared object library named libnss_SERVICE.so.X that resides in /lib.
> > >
> > >         /etc/nsswitch.conf        NSS configuration file.
> > >         /lib/libnss_compat.so.X   implements compat source.
> > >         /lib/libnss_db.so.X       implements db source.
> > >         /lib/libnss_dns.so.X      implements dns source.
> > >         /lib/libnss_files.so.X    implements files source.
> > >         /lib/libnss_hesiod.so.X   implements hesiod source.
> > >         /lib/libnss_nis.so.X      implements nis source.
> > >         /lib/libnss_nisplus.so.X  implements nisplus source.
> > >
> > >     NOTES
> > >         Within each process that uses nsswitch.conf, the entire file is read only once. If the file is later changed, the process will continue using the old configuration.
> > >
> > > Is this why the default configuration of nsswitch.conf is changing in Fedora 20, as noted in one of the preceding e-mails?
> > Yes, I think SSS is now included by default. But if the man page does not list it, it is probably a bug in the man page.
> Hmm, I just built a Fedora 20 Beta VM. /etc/nsswitch.conf is no different than after a Fedora 19 build.

That's weird, what is the glibc version? sss should be automatically added for quite some time, since https://bugzilla.redhat.com/show_bug.cgi?id=867473 was fixed.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] reboot required after ipa-client-install?
On Mon, 2013-11-11 at 10:51 +0100, Jakub Hrozek wrote:
> On Fri, Nov 08, 2013 at 02:42:21PM -0600, Dean Hunter wrote:
> > On Thu, 2013-11-07 at 22:17 -0500, Dmitri Pal wrote:
> > > On 11/07/2013 06:20 PM, Dean Hunter wrote:
> > > > On Thu, 2013-11-07 at 17:41 -0500, Dmitri Pal wrote:
> > > > > On 11/07/2013 12:59 PM, Dean Hunter wrote:
> > > > > > On Thu, 2013-11-07 at 12:36 -0500, Dmitri Pal wrote:
> > > > > > > On 11/07/2013 12:21 PM, Dean Hunter wrote:
> > > > > > > > On Thu, 2013-11-07 at 09:44 +0200, Alexander Bokovoy wrote:
> > > > > > > > > On Wed, 06 Nov 2013, Dean Hunter wrote:
> > > > > > > > > > After building a new VM and configuring the IPA 3.3.2 client, Gnome seems to only perform a local log-in until the system is rebooted. SSH works with IPA, but not Gnome.
> > > > > > > > > > Is this correct? Is there anything less disruptive than a reboot that I can do?
> > > > > > > > > Restart gdm.service? I'm not sure how gdm handles PAM auth.
> > > > > > > > I have tried:
> > > > > > > >
> > > > > > > >     ipa-client-install ...
> > > > > > > >     systemctl restart gdm.service
> > > > > > > >
> > > > > > > > but the behavior remains the same. The Gnome log-in screen accepts the user name, pauses about 25 seconds, then displays the log-in screen again without any messages or indication of a problem. This is the same behavior I see when entering an incorrect local user name before configuring IPA.
> > > > > > > Can it be a DIR cache issue and the fact that the directory is not created at the proper time?
> > > > > > Which directory, please?
> > > > > If you are hitting the DIR cache issue (which I am not sure is the case, this is why I asked about AVCs) then the directory we are talking about is /var/run/usr/uid. This directory should be created by the kerberos library when it tries to authenticate a user. But it might not be able to since a parent directory /var/run/usr might not be created yet. This is one of the reasons why we decided not to continue the path of DIR cache but switched to using kernel based ccache.
> > > > > > > Do you see any AVCs?
> > > > > Question still stands.
> > > > I see no AVCs:
> > > >
> > > >     [root@ipa ~]# ausearch --message AVC
> > > >     no matches
> > > >     [root@ipa ~]#
> > > >
> > > > I did find this in the man page for nsswitch.conf:
> > > >
> > > >     FILES
> > > >         A service named SERVICE is implemented by a shared object library named libnss_SERVICE.so.X that resides in /lib.
> > > >
> > > >         /etc/nsswitch.conf        NSS configuration file.
> > > >         /lib/libnss_compat.so.X   implements compat source.
> > > >         /lib/libnss_db.so.X       implements db source.
> > > >         /lib/libnss_dns.so.X      implements dns source.
> > > >         /lib/libnss_files.so.X    implements files source.
> > > >         /lib/libnss_hesiod.so.X   implements hesiod source.
> > > >         /lib/libnss_nis.so.X      implements nis source.
> > > >         /lib/libnss_nisplus.so.X  implements nisplus source.
> > > >
> > > >     NOTES
> > > >         Within each process that uses nsswitch.conf, the entire file is read only once. If the file is later changed, the process will continue using the old configuration.
> > > >
> > > > Is this why the default configuration of nsswitch.conf is changing in Fedora 20, as noted in one of the preceding e-mails?
> > > Yes, I think SSS is now included by default. But if the man page does not list it, it is probably a bug in the man page.
> > Hmm, I just built a Fedora 20 Beta VM. /etc/nsswitch.conf is no different than after a Fedora 19 build.
> That's weird, what is the glibc version? sss should be automatically added for quite some time, since https://bugzilla.redhat.com/show_bug.cgi?id=867473 was fixed.

[root@test ~]# rpm -q glibc
glibc-2.18-11.fc20.x86_64
[root@test ~]#

https://bugzilla.redhat.com/show_bug.cgi?id=867473 indicates the problem was fixed in Fedora 18. But the problem still occurs for both Fedora 19 and Fedora 20. Should I reopen the bug report?
Re: [Freeipa-users] reboot required after ipa-client-install?
On 11/11/2013 01:50 PM, Dean Hunter wrote:
> [root@test ~]# rpm -q glibc
> glibc-2.18-11.fc20.x86_64
> [root@test ~]#
>
> https://bugzilla.redhat.com/show_bug.cgi?id=867473 indicates the problem was fixed in Fedora 18. But the problem still occurs for both Fedora 19 and Fedora 20. Should I reopen the bug report?

Yes please.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] reboot required after ipa-client-install?
On Mon, 2013-11-11 at 13:57 -0500, Dmitri Pal wrote:
> On 11/11/2013 01:50 PM, Dean Hunter wrote:
> > [root@test ~]# rpm -q glibc
> > glibc-2.18-11.fc20.x86_64
> > [root@test ~]#
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=867473 indicates the problem was fixed in Fedora 18. But the problem still occurs for both Fedora 19 and Fedora 20. Should I reopen the bug report?
> Yes please.

I am sorry, but I do not seem to have permission to re-open this bug report.
Re: [Freeipa-users] reboot required after ipa-client-install?
On Mon, 2013-11-11 at 13:07 -0600, Dean Hunter wrote:
> On Mon, 2013-11-11 at 13:57 -0500, Dmitri Pal wrote:
> > On 11/11/2013 01:50 PM, Dean Hunter wrote:
> > > [root@test ~]# rpm -q glibc
> > > glibc-2.18-11.fc20.x86_64
> > > [root@test ~]#
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=867473 indicates the problem was fixed in Fedora 18. But the problem still occurs for both Fedora 19 and Fedora 20. Should I reopen the bug report?
> > Yes please.
> I am sorry, but I do not seem to have permission to re-open this bug report.

It appears to me as if https://bugzilla.redhat.com/show_bug.cgi?id=980861 describes the source of the problem. authconfig is being run by Anaconda(?), overwriting the initial values of the /etc/nsswitch.conf file. Anaconda needs to specify different options when invoking authconfig. Adding --enablesssd to the authconfig statement in the Kickstart file for Fedora 19 and 20 seems to produce the desired result.
Re: [Freeipa-users] reboot required after ipa-client-install?
On Mon, 2013-11-11 at 16:21 -0600, Dean Hunter wrote:
> On Mon, 2013-11-11 at 13:07 -0600, Dean Hunter wrote:
> > On Mon, 2013-11-11 at 13:57 -0500, Dmitri Pal wrote:
> > > On 11/11/2013 01:50 PM, Dean Hunter wrote:
> > > > [root@test ~]# rpm -q glibc
> > > > glibc-2.18-11.fc20.x86_64
> > > > [root@test ~]#
> > > >
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=867473 indicates the problem was fixed in Fedora 18. But the problem still occurs for both Fedora 19 and Fedora 20. Should I reopen the bug report?
> > > Yes please.
> > I am sorry, but I do not seem to have permission to re-open this bug report.
> It appears to me as if https://bugzilla.redhat.com/show_bug.cgi?id=980861 describes the source of the problem. authconfig is being run by Anaconda(?), overwriting the initial values of the /etc/nsswitch.conf file. Anaconda needs to specify different options when invoking authconfig. Adding --enablesssd to the authconfig statement in the Kickstart file for Fedora 19 and 20 seems to produce the desired result.

Thanks for the analysis Dean, however I would say it is a bug in authconfig.
Authconfig should not remove the sss lines by default.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] reboot required after ipa-client-install?
On 11/11/2013 06:22 PM, Simo Sorce wrote:
> On Mon, 2013-11-11 at 16:21 -0600, Dean Hunter wrote:
> > On Mon, 2013-11-11 at 13:07 -0600, Dean Hunter wrote:
> > > On Mon, 2013-11-11 at 13:57 -0500, Dmitri Pal wrote:
> > > > On 11/11/2013 01:50 PM, Dean Hunter wrote:
> > > > > [root@test ~]# rpm -q glibc
> > > > > glibc-2.18-11.fc20.x86_64
> > > > > [root@test ~]#
> > > > >
> > > > > https://bugzilla.redhat.com/show_bug.cgi?id=867473 indicates the problem was fixed in Fedora 18. But the problem still occurs for both Fedora 19 and Fedora 20. Should I reopen the bug report?
> > > > Yes please.
> > > I am sorry, but I do not seem to have permission to re-open this bug report.
> > It appears to me as if https://bugzilla.redhat.com/show_bug.cgi?id=980861 describes the source of the problem. authconfig is being run by Anaconda(?), overwriting the initial values of the /etc/nsswitch.conf file. Anaconda needs to specify different options when invoking authconfig. Adding --enablesssd to the authconfig statement in the Kickstart file for Fedora 19 and 20 seems to produce the desired result.
> Thanks for the analysis Dean, however I would say it is a bug in authconfig.
> Authconfig should not remove the sss lines by default.
>
> Simo.

Maybe it warrants a new bug then.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] reboot required after ipa-client-install?
On Thu, Nov 07, 2013 at 10:17:44PM -0500, Dmitri Pal wrote:
> On 11/07/2013 06:20 PM, Dean Hunter wrote:
> > On Thu, 2013-11-07 at 17:41 -0500, Dmitri Pal wrote:
> > > On 11/07/2013 12:59 PM, Dean Hunter wrote:
> > > > On Thu, 2013-11-07 at 12:36 -0500, Dmitri Pal wrote:
> > > > > On 11/07/2013 12:21 PM, Dean Hunter wrote:
> > > > > > On Thu, 2013-11-07 at 09:44 +0200, Alexander Bokovoy wrote:
> > > > > > > On Wed, 06 Nov 2013, Dean Hunter wrote:
> > > > > > > > After building a new VM and configuring the IPA 3.3.2 client, Gnome seems to only perform a local log-in until the system is rebooted. SSH works with IPA, but not Gnome.
> > > > > > > > Is this correct? Is there anything less disruptive than a reboot that I can do?
> > > > > > > Restart gdm.service? I'm not sure how gdm handles PAM auth.
> > > > > > I have tried:
> > > > > >
> > > > > >     ipa-client-install ...
> > > > > >     systemctl restart gdm.service
> > > > > >
> > > > > > but the behavior remains the same. The Gnome log-in screen accepts the user name, pauses about 25 seconds, then displays the log-in screen again without any messages or indication of a problem. This is the same behavior I see when entering an incorrect local user name before configuring IPA.
> > > > > Can it be a DIR cache issue and the fact that the directory is not created at the proper time?
> > > > Which directory, please?
> > > If you are hitting the DIR cache issue (which I am not sure is the case, this is why I asked about AVCs) then the directory we are talking about is /var/run/usr/uid. This directory should be created by the kerberos library when it tries to authenticate a user. But it might not be able to since a parent directory /var/run/usr might not be created yet. This is one of the reasons why we decided not to continue the path of DIR cache but switched to using kernel based ccache.
> > > > > Do you see any AVCs?
> > > Question still stands.
> > I see no AVCs:
> >
> >     [root@ipa ~]# ausearch --message AVC
> >     no matches
> >     [root@ipa ~]#
> >
> > I did find this in the man page for nsswitch.conf:
> >
> >     FILES
> >         A service named SERVICE is implemented by a shared object library named libnss_SERVICE.so.X that resides in /lib.
> >
> >         /etc/nsswitch.conf        NSS configuration file.
> >         /lib/libnss_compat.so.X   implements compat source.
> >         /lib/libnss_db.so.X       implements db source.
> >         /lib/libnss_dns.so.X      implements dns source.
> >         /lib/libnss_files.so.X    implements files source.
> >         /lib/libnss_hesiod.so.X   implements hesiod source.
> >         /lib/libnss_nis.so.X      implements nis source.
> >         /lib/libnss_nisplus.so.X  implements nisplus source.
> >
> >     NOTES
> >         Within each process that uses nsswitch.conf, the entire file is read only once. If the file is later changed, the process will continue using the old configuration.
> >
> > Is this why the default configuration of nsswitch.conf is changing in Fedora 20, as noted in one of the preceding e-mails?
> Yes, I think SSS is now included by default.

Yes, starting with F-20.

> But if the man page does not list it, it is probably a bug in the man page.

I think the man page only lists modules that are shipped with the glibc RPM, not any 3rd party modules like nss_ldap or nss_sss.
Re: [Freeipa-users] reboot required after ipa-client-install?
On Thu, 2013-11-07 at 22:17 -0500, Dmitri Pal wrote:
> On 11/07/2013 06:20 PM, Dean Hunter wrote:
> > On Thu, 2013-11-07 at 17:41 -0500, Dmitri Pal wrote:
> > > On 11/07/2013 12:59 PM, Dean Hunter wrote:
> > > > On Thu, 2013-11-07 at 12:36 -0500, Dmitri Pal wrote:
> > > > > On 11/07/2013 12:21 PM, Dean Hunter wrote:
> > > > > > On Thu, 2013-11-07 at 09:44 +0200, Alexander Bokovoy wrote:
> > > > > > > On Wed, 06 Nov 2013, Dean Hunter wrote:
> > > > > > > > After building a new VM and configuring the IPA 3.3.2 client, Gnome seems to only perform a local log-in until the system is rebooted. SSH works with IPA, but not Gnome.
> > > > > > > > Is this correct? Is there anything less disruptive than a reboot that I can do?
> > > > > > > Restart gdm.service? I'm not sure how gdm handles PAM auth.
> > > > > > I have tried:
> > > > > >
> > > > > >     ipa-client-install ...
> > > > > >     systemctl restart gdm.service
> > > > > >
> > > > > > but the behavior remains the same. The Gnome log-in screen accepts the user name, pauses about 25 seconds, then displays the log-in screen again without any messages or indication of a problem. This is the same behavior I see when entering an incorrect local user name before configuring IPA.
> > > > > Can it be a DIR cache issue and the fact that the directory is not created at the proper time?
> > > > Which directory, please?
> > > If you are hitting the DIR cache issue (which I am not sure is the case, this is why I asked about AVCs) then the directory we are talking about is /var/run/usr/uid. This directory should be created by the kerberos library when it tries to authenticate a user. But it might not be able to since a parent directory /var/run/usr might not be created yet. This is one of the reasons why we decided not to continue the path of DIR cache but switched to using kernel based ccache.
> > > > > Do you see any AVCs?
> > > Question still stands.
> > I see no AVCs:
> >
> >     [root@ipa ~]# ausearch --message AVC
> >     no matches
> >     [root@ipa ~]#
> >
> > I did find this in the man page for nsswitch.conf:
> >
> >     FILES
> >         A service named SERVICE is implemented by a shared object library named libnss_SERVICE.so.X that resides in /lib.
> >
> >         /etc/nsswitch.conf        NSS configuration file.
> >         /lib/libnss_compat.so.X   implements compat source.
> >         /lib/libnss_db.so.X       implements db source.
> >         /lib/libnss_dns.so.X      implements dns source.
> >         /lib/libnss_files.so.X    implements files source.
> >         /lib/libnss_hesiod.so.X   implements hesiod source.
> >         /lib/libnss_nis.so.X      implements nis source.
> >         /lib/libnss_nisplus.so.X  implements nisplus source.
> >
> >     NOTES
> >         Within each process that uses nsswitch.conf, the entire file is read only once. If the file is later changed, the process will continue using the old configuration.
> >
> > Is this why the default configuration of nsswitch.conf is changing in Fedora 20, as noted in one of the preceding e-mails?
> Yes, I think SSS is now included by default. But if the man page does not list it, it is probably a bug in the man page.

Hmm, I just built a Fedora 20 Beta VM. /etc/nsswitch.conf is no different than after a Fedora 19 build.
Re: [Freeipa-users] reboot required after ipa-client-install?
On Thu, Nov 07, 2013 at 09:44:21AM +0200, Alexander Bokovoy wrote:
> On Wed, 06 Nov 2013, Dean Hunter wrote:
> > After building a new VM and configuring the IPA 3.3.2 client, Gnome seems to only perform a local log-in until the system is rebooted. SSH works with IPA, but not Gnome.
> > Is this correct? Is there anything less disruptive than a reboot that I can do?
> Restart gdm.service? I'm not sure how gdm handles PAM auth.

I think the reason is actually nsswitch.conf, not PAM. Usually applications need to be restarted in order to notice changes to nsswitch.conf. That's also the reason why recent Fedora releases put sss to nsswitch.conf by default.
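A post-install check for the two things this thread turns on, written for this page as an added example (it is not from the thread, FreeIPA or authconfig): the nsswitch.conf databases that still lack sss after authconfig or Anaconda rewrote the file, and the processes such as gdm that started before the file was last changed and therefore still run with the old configuration, which is the restart requirement Jakub describes. The function names and the /proc-based start-time calculation are this script's own assumptions; the sample nsswitch.conf content in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit an nsswitch.conf for the sss
# module and find processes that predate its last change. Function names and
# the /proc-based start-time calculation are this script's own choices.

# nss_missing_sss FILE DB...: print the databases (e.g. passwd shadow group)
# whose line in FILE does not list sss. Exit status 0 when none are missing.
nss_missing_sss() {
    file=$1
    shift
    missing=""
    for db in "$@"; do
        # Drop comments, select "db:" lines, keep the source list after the
        # colon; tabs become spaces so the case pattern below can match.
        sources=$(sed -e 's/#.*//' "$file" |
                  awk -v db="$db" -F: '$1 == db { print $2 }' | tr '\t' ' ')
        case " $sources " in
            *" sss "*) ;;                       # sss is configured for this db
            *) missing="$missing $db" ;;
        esac
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# stale_nss_processes FILE: print "PID COMM" for every process that started
# before FILE was last modified. Such processes read nsswitch.conf once at
# startup and keep the old configuration until restarted.
# Needs a Linux /proc; returns 2 elsewhere.
stale_nss_processes() {
    file=$1
    [ -r /proc/stat ] || return 2
    mtime=$(stat -c %Y "$file") || return 2
    btime=$(awk '/^btime / { print $2 }' /proc/stat)
    hz=$(getconf CLK_TCK 2>/dev/null || echo 100)
    for dir in /proc/[0-9]*; do
        pid=${dir#/proc/}
        # The comm field of /proc/PID/stat may contain spaces, so strip up to
        # the closing parenthesis; start time (ticks since boot) is then
        # field 20 of the remainder (field 22 of the whole line).
        rest=$(sed -e 's/^.*) //' "$dir/stat" 2>/dev/null) || continue
        [ -n "$rest" ] || continue
        ticks=$(printf '%s\n' "$rest" | awk '{ print $20 }')
        case $ticks in ''|*[!0-9]*) continue ;; esac
        start=$((btime + ticks / hz))
        if [ "$start" -lt "$mtime" ]; then
            printf '%s %s\n' "$pid" "$(cat "$dir/comm" 2>/dev/null)"
        fi
    done
}

# audit_nsswitch FILE: combine both checks. Exit status 0 only when sss is
# listed for passwd, shadow and group and no running process predates the file.
audit_nsswitch() {
    file=$1
    rc=0
    if missing=$(nss_missing_sss "$file" passwd shadow group); then
        echo "ok: sss is listed for passwd, shadow and group in $file"
    else
        echo "sss missing in $file for: $missing (authconfig --enablesssd adds it)"
        rc=1
    fi
    stale=$(stale_nss_processes "$file") || return "$rc"
    if [ -n "$stale" ]; then
        echo "processes started before $file last changed (restart them, or reboot):"
        printf '%s\n' "$stale"
        rc=1
    fi
    return "$rc"
}

# Run against the live file only when invoked with --audit, so the functions
# can also be sourced from another script.
case "${1-}" in
    --audit) audit_nsswitch "${2:-/etc/nsswitch.conf}" ;;
esac
```

After ipa-client-install, `sh nss-audit.sh --audit` lists gdm among the stale processes whenever it started before the file was rewritten, which is the case the thread describes.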
Re: [Freeipa-users] reboot required after ipa-client-install?
I do not know, maybe I am wrong somewhere, but I did not do anything extra with the config files, I just ran ipa-client-install and everything seemed to work fine. That worked for f17, f18, f19 with ipa-server on CentOS 6.3/6.4.

Jakub Hrozek wrote:
> On Thu, Nov 07, 2013 at 09:44:21AM +0200, Alexander Bokovoy wrote:
> > On Wed, 06 Nov 2013, Dean Hunter wrote:
> > > After building a new VM and configuring the IPA 3.3.2 client, Gnome seems to only perform a local log-in until the system is rebooted. SSH works with IPA, but not Gnome.
> > > Is this correct? Is there anything less disruptive than a reboot that I can do?
> > Restart gdm.service? I'm not sure how gdm handles PAM auth.
> I think the reason is actually nsswitch.conf, not PAM. Usually applications need to be restarted in order to notice changes to nsswitch.conf. That's also the reason why recent Fedora releases put sss to nsswitch.conf by default.
Re: [Freeipa-users] reboot required after ipa-client-install?
On Thu, Nov 07, 2013 at 08:47:35PM +0600, Arthur wrote:
> I do not know, maybe I am wrong somewhere, but I did not do anything extra with the config files, I just ran ipa-client-install and everything seemed to work fine.

ipa-client-install modifies /etc/nsswitch.conf and adds sss to the list of modules if not already there.

> That worked for f17, f18, f19 with ipa-server on CentOS 6.3/6.4.

I'm not sure about F-19 from the top of my head, sorry, but starting with F-20 at least you'll get sss configured right from the install time.

> Jakub Hrozek wrote:
> > On Thu, Nov 07, 2013 at 09:44:21AM +0200, Alexander Bokovoy wrote:
> > > On Wed, 06 Nov 2013, Dean Hunter wrote:
> > > > After building a new VM and configuring the IPA 3.3.2 client, Gnome seems to only perform a local log-in until the system is rebooted. SSH works with IPA, but not Gnome.
> > > > Is this correct? Is there anything less disruptive than a reboot that I can do?
> > > Restart gdm.service? I'm not sure how gdm handles PAM auth.
> > I think the reason is actually nsswitch.conf, not PAM. Usually applications need to be restarted in order to notice changes to nsswitch.conf. That's also the reason why recent Fedora releases put sss to nsswitch.conf by default.
Re: [Freeipa-users] reboot required after ipa-client-install?
On Thu, 2013-11-07 at 09:44 +0200, Alexander Bokovoy wrote:
> On Wed, 06 Nov 2013, Dean Hunter wrote:
> > After building a new VM and configuring the IPA 3.3.2 client, Gnome seems to only perform a local log-in until the system is rebooted. SSH works with IPA, but not Gnome.
> > Is this correct? Is there anything less disruptive than a reboot that I can do?
> Restart gdm.service? I'm not sure how gdm handles PAM auth.

I have tried:

    ipa-client-install ...
    systemctl restart gdm.service

but the behavior remains the same. The Gnome log-in screen accepts the user name, pauses about 25 seconds, then displays the log-in screen again without any messages or indication of a problem. This is the same behavior I see when entering an incorrect local user name before configuring IPA.
Re: [Freeipa-users] reboot required after ipa-client-install?
On 11/07/2013 12:21 PM, Dean Hunter wrote:
> On Thu, 2013-11-07 at 09:44 +0200, Alexander Bokovoy wrote:
> > On Wed, 06 Nov 2013, Dean Hunter wrote:
> > > After building a new VM and configuring the IPA 3.3.2 client, Gnome seems to only perform a local log-in until the system is rebooted. SSH works with IPA, but not Gnome.
> > > Is this correct? Is there anything less disruptive than a reboot that I can do?
> > Restart gdm.service? I'm not sure how gdm handles PAM auth.
> I have tried:
>
>     ipa-client-install ...
>     systemctl restart gdm.service
>
> but the behavior remains the same. The Gnome log-in screen accepts the user name, pauses about 25 seconds, then displays the log-in screen again without any messages or indication of a problem. This is the same behavior I see when entering an incorrect local user name before configuring IPA.

Can it be a DIR cache issue and the fact that the directory is not created at the proper time?

Do you see any AVCs?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] reboot required after ipa-client-install?
On Thu, 2013-11-07 at 12:36 -0500, Dmitri Pal wrote:
> On 11/07/2013 12:21 PM, Dean Hunter wrote:
> > On Thu, 2013-11-07 at 09:44 +0200, Alexander Bokovoy wrote:
> > > On Wed, 06 Nov 2013, Dean Hunter wrote:
> > > > After building a new VM and configuring the IPA 3.3.2 client, Gnome seems to only perform a local log-in until the system is rebooted. SSH works with IPA, but not Gnome.
> > > > Is this correct? Is there anything less disruptive than a reboot that I can do?
> > > Restart gdm.service? I'm not sure how gdm handles PAM auth.
> > I have tried:
> >
> >     ipa-client-install ...
> >     systemctl restart gdm.service
> >
> > but the behavior remains the same. The Gnome log-in screen accepts the user name, pauses about 25 seconds, then displays the log-in screen again without any messages or indication of a problem. This is the same behavior I see when entering an incorrect local user name before configuring IPA.
> Can it be a DIR cache issue and the fact that the directory is not created at the proper time?

Which directory, please?

> Do you see any AVCs?
Re: [Freeipa-users] reboot required after ipa-client-install?
On 11/07/2013 12:59 PM, Dean Hunter wrote:
> On Thu, 2013-11-07 at 12:36 -0500, Dmitri Pal wrote:
> > On 11/07/2013 12:21 PM, Dean Hunter wrote:
> > > On Thu, 2013-11-07 at 09:44 +0200, Alexander Bokovoy wrote:
> > > > On Wed, 06 Nov 2013, Dean Hunter wrote:
> > > > > After building a new VM and configuring the IPA 3.3.2 client, Gnome seems to only perform a local log-in until the system is rebooted. SSH works with IPA, but not Gnome.
> > > > > Is this correct? Is there anything less disruptive than a reboot that I can do?
> > > > Restart gdm.service? I'm not sure how gdm handles PAM auth.
> > > I have tried:
> > >
> > >     ipa-client-install ...
> > >     systemctl restart gdm.service
> > >
> > > but the behavior remains the same. The Gnome log-in screen accepts the user name, pauses about 25 seconds, then displays the log-in screen again without any messages or indication of a problem. This is the same behavior I see when entering an incorrect local user name before configuring IPA.
> > Can it be a DIR cache issue and the fact that the directory is not created at the proper time?
> Which directory, please?

If you are hitting the DIR cache issue (which I am not sure is the case, this is why I asked about AVCs) then the directory we are talking about is /var/run/usr/uid. This directory should be created by the kerberos library when it tries to authenticate a user. But it might not be able to since a parent directory /var/run/usr might not be created yet. This is one of the reasons why we decided not to continue the path of DIR cache but switched to using kernel based ccache.

> > Do you see any AVCs?

Question still stands.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] reboot required after ipa-client-install?
On Thu, 2013-11-07 at 17:41 -0500, Dmitri Pal wrote:
> On 11/07/2013 12:59 PM, Dean Hunter wrote:
> > On Thu, 2013-11-07 at 12:36 -0500, Dmitri Pal wrote:
> > > On 11/07/2013 12:21 PM, Dean Hunter wrote:
> > > > On Thu, 2013-11-07 at 09:44 +0200, Alexander Bokovoy wrote:
> > > > > On Wed, 06 Nov 2013, Dean Hunter wrote:
> > > > > > After building a new VM and configuring the IPA 3.3.2 client, Gnome seems to only perform a local log-in until the system is rebooted. SSH works with IPA, but not Gnome.
> > > > > > Is this correct? Is there anything less disruptive than a reboot that I can do?
> > > > > Restart gdm.service? I'm not sure how gdm handles PAM auth.
> > > > I have tried:
> > > >
> > > >     ipa-client-install ...
> > > >     systemctl restart gdm.service
> > > >
> > > > but the behavior remains the same. The Gnome log-in screen accepts the user name, pauses about 25 seconds, then displays the log-in screen again without any messages or indication of a problem. This is the same behavior I see when entering an incorrect local user name before configuring IPA.
> > > Can it be a DIR cache issue and the fact that the directory is not created at the proper time?
> > Which directory, please?
> If you are hitting the DIR cache issue (which I am not sure is the case, this is why I asked about AVCs) then the directory we are talking about is /var/run/usr/uid. This directory should be created by the kerberos library when it tries to authenticate a user. But it might not be able to since a parent directory /var/run/usr might not be created yet. This is one of the reasons why we decided not to continue the path of DIR cache but switched to using kernel based ccache.
> > > Do you see any AVCs?
> Question still stands.

I see no AVCs:

    [root@ipa ~]# ausearch --message AVC
    no matches
    [root@ipa ~]#

I did find this in the man page for nsswitch.conf:

    FILES
        A service named SERVICE is implemented by a shared object library named libnss_SERVICE.so.X that resides in /lib.

        /etc/nsswitch.conf        NSS configuration file.
        /lib/libnss_compat.so.X   implements compat source.
        /lib/libnss_db.so.X       implements db source.
        /lib/libnss_dns.so.X      implements dns source.
        /lib/libnss_files.so.X    implements files source.
        /lib/libnss_hesiod.so.X   implements hesiod source.
        /lib/libnss_nis.so.X      implements nis source.
        /lib/libnss_nisplus.so.X  implements nisplus source.

    NOTES
        Within each process that uses nsswitch.conf, the entire file is read only once. If the file is later changed, the process will continue using the old configuration.

Is this why the default configuration of nsswitch.conf is changing in Fedora 20, as noted in one of the preceding e-mails?
Re: [Freeipa-users] reboot required after ipa-client-install?
On 11/07/2013 06:20 PM, Dean Hunter wrote:
> On Thu, 2013-11-07 at 17:41 -0500, Dmitri Pal wrote:
> > On 11/07/2013 12:59 PM, Dean Hunter wrote:
> > > On Thu, 2013-11-07 at 12:36 -0500, Dmitri Pal wrote:
> > > > On 11/07/2013 12:21 PM, Dean Hunter wrote:
> > > > > On Thu, 2013-11-07 at 09:44 +0200, Alexander Bokovoy wrote:
> > > > > > On Wed, 06 Nov 2013, Dean Hunter wrote:
> > > > > > > After building a new VM and configuring the IPA 3.3.2 client, Gnome seems to only perform a local log-in until the system is rebooted. SSH works with IPA, but not Gnome.
> > > > > > > Is this correct? Is there anything less disruptive than a reboot that I can do?
> > > > > > Restart gdm.service? I'm not sure how gdm handles PAM auth.
> > > > > I have tried:
> > > > >
> > > > >     ipa-client-install ...
> > > > >     systemctl restart gdm.service
> > > > >
> > > > > but the behavior remains the same. The Gnome log-in screen accepts the user name, pauses about 25 seconds, then displays the log-in screen again without any messages or indication of a problem. This is the same behavior I see when entering an incorrect local user name before configuring IPA.
> > > > Can it be a DIR cache issue and the fact that the directory is not created at the proper time?
> > > Which directory, please?
> > If you are hitting the DIR cache issue (which I am not sure is the case, this is why I asked about AVCs) then the directory we are talking about is /var/run/usr/uid. This directory should be created by the kerberos library when it tries to authenticate a user. But it might not be able to since a parent directory /var/run/usr might not be created yet. This is one of the reasons why we decided not to continue the path of DIR cache but switched to using kernel based ccache.
> > > > Do you see any AVCs?
> > Question still stands.
> I see no AVCs:
>
>     [root@ipa ~]# ausearch --message AVC
>     no matches
>     [root@ipa ~]#
>
> I did find this in the man page for nsswitch.conf:
>
>     FILES
>         A service named SERVICE is implemented by a shared object library named libnss_SERVICE.so.X that resides in /lib.
>
>         /etc/nsswitch.conf        NSS configuration file.
>         /lib/libnss_compat.so.X   implements compat source.
>         /lib/libnss_db.so.X       implements db source.
>         /lib/libnss_dns.so.X      implements dns source.
>         /lib/libnss_files.so.X    implements files source.
>         /lib/libnss_hesiod.so.X   implements hesiod source.
>         /lib/libnss_nis.so.X      implements nis source.
>         /lib/libnss_nisplus.so.X  implements nisplus source.
>
>     NOTES
>         Within each process that uses nsswitch.conf, the entire file is read only once. If the file is later changed, the process will continue using the old configuration.
>
> Is this why the default configuration of nsswitch.conf is changing in Fedora 20, as noted in one of the preceding e-mails?

Yes, I think SSS is now included by default. But if the man page does not list it, it is probably a bug in the man page.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] reboot required after ipa-client-install?
I have not rebooted the whole machine. Everything worked fine. Maybe just try to restart gdm?

    # systemctl restart gdm.service

On Wed, 06/11/2013 at 22:13 -0600, Dean Hunter wrote:
> After building a new VM and configuring the IPA 3.3.2 client, Gnome seems to only perform a local log-in until the system is rebooted. SSH works with IPA, but not Gnome.
> Is this correct? Is there anything less disruptive than a reboot that I can do?
Re: [Freeipa-users] reboot required after ipa-client-install?
On Wed, 06 Nov 2013, Dean Hunter wrote:
> After building a new VM and configuring the IPA 3.3.2 client, Gnome seems to only perform a local log-in until the system is rebooted. SSH works with IPA, but not Gnome.
> Is this correct? Is there anything less disruptive than a reboot that I can do?

Restart gdm.service? I'm not sure how gdm handles PAM auth.

--
/ Alexander Bokovoy