Re: [Freeipa-users] IPA different ID results on different nodes
On Tue, Jun 04, 2013 at 09:40:21AM -0400, Aly Khimji wrote:
> I re-logged in this morning into the server and I see the following on the
> server
> Any thoughts?
>
> Thx again.
>
> SERVER:
> -sh-4.1$ id
> uid=59401108(akhi...@corpnonprd..com) gid=59401108(
> akhi...@corpnonprd..com) groups=59401108(akhi...@corpnonprd..com)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> CLIENT:
> -sh-4.1$ id
> uid=59401108(akhi...@corpnonprd..com) gid=59401108(
> akhi...@corpnonprd..com)
> groups=59401108(akhi...@corpnonprd..com),59400512(domain
> adm...@corpnonprd..com),59400513(domain us...@corpnonprd..com
> ),59401123(mirra-supapp-admin-corp-...@corpnonprd..com),162200012(mirra-supapp-admin-nix-cde)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> -sh-4.1$

so the client side still looks ok. Can you send the logs from the server as
well? Besides the log of the domain the krb5_child and sssd_pac log would be
interesting as well. If you do not want to disclose the logs on public
mailing lists feel free to send them to me directly.

bye,
Sumit
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA different ID results on different nodes
I re-logged in this morning into the server and I see the following on the
server
Any thoughts?

Thx again.

SERVER:
-sh-4.1$ id
uid=59401108(akhi...@corpnonprd..com) gid=59401108(akhi...@corpnonprd..com)
groups=59401108(akhi...@corpnonprd..com)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

CLIENT:
-sh-4.1$ id
uid=59401108(akhi...@corpnonprd..com) gid=59401108(akhi...@corpnonprd..com)
groups=59401108(akhi...@corpnonprd..com),59400512(domain adm...@corpnonprd..com),59400513(domain us...@corpnonprd..com),59401123(mirra-supapp-admin-corp-...@corpnonprd..com),162200012(mirra-supapp-admin-nix-cde)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.1$

CLIENT LOG:
(Tue Jun 4 09:35:51 2013) [sssd[be[nix.corpnonprd..com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Tue Jun 4 09:35:51 2013) [sssd[be[nix.corpnonprd..com]]] [sdap_id_op_done] (0x0200): communication error on cached connection, moving to next server
(Tue Jun 4 09:35:51 2013) [sssd[be[nix.corpnonprd..com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,110,User lookup failed
(Tue Jun 4 09:36:17 2013) [sssd[be[nix.corpnonprd..com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=akhimji]
(Tue Jun 4 09:36:17 2013) [sssd[be[nix.corpnonprd..com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,95,User lookup failed
(Tue Jun 4 09:36:17 2013) [sssd[be[nix.corpnonprd..com]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue Jun 4 09:36:17 2013) [sssd[be[nix.corpnonprd..com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Tue Jun 4 09:36:17 2013) [sssd[be[nix.corpnonprd..com]]] [pam_print_data] (0x0100): domain: CorpNonPrd..com
(Tue Jun 4 09:36:17 2013) [sssd[be[nix.corpnonprd..com]]] [pam_print_data] (0x0100): user: akhi...@corpnonprd..com
(Tue Jun 4 09:36:17 2013) [sssd[be[nix.corpnonprd..com]]] [pam_print_data] (0x0100): service: sshd
(Tue Jun 4 09:36:17 2013) [sssd[be[nix.corpnonprd..com]]] [pam_print_data] (0x0100): tty: ssh
(Tue Jun 4 09:36:17 2013) [sssd[be[nix.corpnonprd..com]]] [pam_print_data] (0x0100): ruser:
(Tue Jun 4 09:36:17 2013) [sssd[be[nix.corpnonprd..com]]] [pam_print_data] (0x0100): rhost: 10.210.240.246
(Tue Jun 4 09:36:17 2013) [sssd[be[nix.corpnonprd..com]]] [pam_print_data] (0x0100): authtok type: 1
(Tue Jun 4 09:36:17 2013) [sssd[be[nix.corpnonprd..com]]] [pam_print_data] (0x0100): authtok size: 11
(Tue Jun 4 09:36:17 2013) [sssd[be[nix.corpnonprd..com]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Jun 4 09:36:17 2013) [sssd[be[nix.corpnonprd..com]]] [pam_print_data] (0x0100): newauthtok size: 0
(Tue Jun 4 09:36:17 2013) [sssd[be[nix.corpnonprd..com]]] [pam_print_data] (0x0100): priv: 1
(Tue Jun 4 09:36:17 2013) [sssd[be[nix.corpnonprd..com]]] [pam_print_data] (0x0100): cli_pid: 10644
(Tue Jun 4 09:36:17 2013) [sssd[be[nix.corpnonprd..com]]] [check_for_valid_tgt] (0x0020): krb5_cc_retrieve_cred failed.
(Tue Jun 4 09:36:17 2013) [sssd[be[nix.corpnonprd..com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Tue Jun 4 09:36:17 2013) [sssd[be[nix.corpnonprd..com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Tue Jun 4 09:36:17 2013) [sssd[be[nix.corpnonprd..com]]] [be_resolve_server_process] (0x0200): Found address for server didmsvrua01.nix.corpnonprd..com: [10.137.216.162] TTL 1200
(Tue Jun 4 09:36:17 2013) [sssd[be[nix.corpnonprd..com]]] [krb5_find_ccache_step] (0x0080): Saved ccache FILE:/tmp/krb5cc_59401108_opsH3I if of different type than ccache in configuration file, reusing the old ccache
(Tue Jun 4 09:36:18 2013) [sssd[be[nix.corpnonprd..com]]] [fo_set_port_status] (0x0100): Marking port 389 of server ' didmsvrua01.nix.corpnonprd..com' as 'working'
(Tue Jun 4 09:36:18 2013) [sssd[be[nix.corpnonprd..com]]] [set_server_common_status] (0x0100): Marking server ' didmsvrua01.nix.corpnonprd..com' as 'working'
(Tue Jun 4 09:36:18 2013) [sssd[be[nix.corpnonprd..com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, ) [Success]
(Tue Jun 4 09:36:18 2013) [sssd[be[nix.corpnonprd..com]]] [be_pam_handler_callback] (0x0100): Sending result [0][CorpNonPrd..com]
(Tue Jun 4 09:36:18 2013) [sssd[be[nix.corpnonprd..com]]] [be_pam_handler_callback] (0x0100): Sent result [0][CorpNonPrd..com]
(Tue Jun 4 09:36:18 2013) [sssd[be[nix.corpnonprd..com]]] [child_sig_handler] (0x0100): child [10648] finished successfully.
(Tue Jun 4 09:36:18 2013) [sssd[be[nix.corpnonprd..com]]] [be_get_account_info] (0x0100): Got request for [3][1][name=akhimji]
(Tue Jun 4 09:36:18 2013) [sssd[be[nix.corpnonprd..com]]] [acctinfo_callback] (0x0100): *Request processed. Returned 3,95,User lookup failed*
(Tue Jun 4 09:36:18 2013) [sssd[be[nix.corpnonprd..com]]] [be_pam_ha
Re: [Freeipa-users] IPA different ID results on different nodes
On Mon, Jun 03, 2013 at 09:22:21PM -0400, Aly Khimji wrote:
> Hey guys,
>
> Just wanted to say thank you for all your support with everything and
> answering all my questions.
>
> Just wanted to show you something, maybe you can shed some light..
> Below is myself running the ID command on 2 different nodes (1) the IDM
> server and the other the IDM client. I get two different results of my user
> ID, the client being correct and the server not having the correct groups
> displaying with the ID, and even having one that has been deleted.
>
> Is there someplace this information is cached? Or can I set an invalidator
> so that the information is pulled down or is forced to expire quicker so
> it's checked from AD?
>
> CLIENT:
> -sh-4.1$ hostname
> rhidmclient.nix.corpnonprd..com
> -sh-4.1$ id
> uid=59401108(akhi...@corpnonprd..com) gid=59401108(
> akhi...@corpnonprd..com)
> groups=59401108(akhi...@corpnonprd..com),59400512(domain
> adm...@corpnonprd..com),
> 59400513(domain us...@corpnonprd..com),59401123(
> mirra-supapp-admin-corp-...@corpnonprd..com),
> 162200012(mirra-supapp-admin-nix-cde)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
>
> SERVER:
> didmsvrua01.nix.corpnonprd..com
> [root@didmsvrua01 ~]# id akhimji@corpnonprd
> uid=59401108(akhi...@corpnonprd..com) gid=59401108(
> akhi...@corpnonprd..com)
> groups=59401108(akhi...@corpnonprd..com),59400513,59400513,59401113(
> s...@corpnonprd..com)
>
> just a note this group [59401113(s...@corpnonprd..com)] was deleted on
> AD, and correctly doesn't show up on the client, but remains in the server.

Group-memberships are cached for some time by SSSD so I would guess you
see cached data on the server. But during authentication the
group-memberships of a user are updated. Can you check if
s...@corpnonprd..com goes away if you log in with akhimji@corpnonprd on
the server?

bye,
Sumit

>
> Please let me know if you need more info (eg logs, etc..)
>
> Thx
>
> Aly
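The by-eye comparison made in this thread, as an added example that is not part of the original messages: it parses `id` output from two nodes and reports groups that only the suspect node still lists (candidates for stale SSSD cache entries, such as a group deleted in AD), groups it is missing, and GIDs it could not resolve to a name. The sample strings, names and function names are constructed for illustration.

```python
import re

# Constructed sample `id` output for one user on two nodes (not taken from the thread).
REFERENCE_ID = (
    "uid=1001(alice@ad.example.test) gid=1001(alice@ad.example.test) "
    "groups=1001(alice@ad.example.test),1512(domain admins@ad.example.test),"
    "1513(domain users@ad.example.test),2012(app-admins) "
    "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
)
SUSPECT_ID = (
    "uid=1001(alice@ad.example.test) gid=1001(alice@ad.example.test) "
    "groups=1001(alice@ad.example.test),1513,1513,1113(\nold-group@ad.example.test)"
)

# groups= runs to the SELinux context field if present, otherwise to end of output.
GROUPS_FIELD = re.compile(r"groups=(.*?)(?:\s+context=|$)", re.S)
# One entry is "gid(name)" or a bare "gid"; names may contain spaces or line wraps.
GROUP_ENTRY = re.compile(r"(\d+)(?:\(([^)]*)\))?")


def parse_groups(id_output):
    """Return {gid: name or None} from the groups= field of `id` output."""
    field = GROUPS_FIELD.search(id_output.strip())
    if field is None:
        raise ValueError("no groups= field in id output")
    groups = {}
    for gid, name in GROUP_ENTRY.findall(field.group(1)):
        # A bare GID means the node could not resolve it to a name.
        # Duplicate entries keep a resolved name if any of them has one.
        groups[int(gid)] = name.strip() or groups.get(int(gid))
    return groups


def compare(reference, suspect):
    """Diff the suspect node's groups against a reference node assumed to be fresh."""
    ref, sus = parse_groups(reference), parse_groups(suspect)
    return {
        "only_on_suspect": sorted(set(sus) - set(ref)),    # possibly stale or deleted
        "missing_on_suspect": sorted(set(ref) - set(sus)),  # not yet picked up
        "unresolved_on_suspect": sorted(g for g, n in sus.items() if n is None),
    }


if __name__ == "__main__":
    for key, gids in compare(REFERENCE_ID, SUSPECT_ID).items():
        print(f"{key}: {gids}")
```

On a node that reports stale entries, `sss_cache -u <user>` from the SSSD tools marks that user's cached entry as expired so the next lookup goes back to the backend.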
[Freeipa-users] IPA different ID results on different nodes
Hey guys,

Just wanted to say thank you for all your support with everything and
answering all my questions.

Just wanted to show you something, maybe you can shed some light..
Below is myself running the ID command on 2 different nodes (1) the IDM
server and the other the IDM client. I get two different results of my user
ID, the client being correct and the server not having the correct groups
displaying with the ID, and even having one that has been deleted.

Is there someplace this information is cached? Or can I set an invalidator
so that the information is pulled down or is forced to expire quicker so
it's checked from AD?

CLIENT:
-sh-4.1$ hostname
rhidmclient.nix.corpnonprd..com
-sh-4.1$ id
uid=59401108(akhi...@corpnonprd..com) gid=59401108(akhi...@corpnonprd..com)
groups=59401108(akhi...@corpnonprd..com),59400512(domain adm...@corpnonprd..com),
59400513(domain us...@corpnonprd..com),59401123(mirra-supapp-admin-corp-...@corpnonprd..com),
162200012(mirra-supapp-admin-nix-cde)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

SERVER:
didmsvrua01.nix.corpnonprd..com
[root@didmsvrua01 ~]# id akhimji@corpnonprd
uid=59401108(akhi...@corpnonprd..com) gid=59401108(akhi...@corpnonprd..com)
groups=59401108(akhi...@corpnonprd..com),59400513,59400513,59401113(s...@corpnonprd..com)

just a note this group [59401113(s...@corpnonprd..com)] was deleted on
AD, and correctly doesn't show up on the client, but remains in the server.

Please let me know if you need more info (eg logs, etc..)

Thx

Aly