Re: [Freeipa-users] getent passwd / group [SOLVED]
-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, October 28, 2014 5:34 PM
To: Craig White; d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] getent passwd / group [SOLVED]

> [earlier thread snipped]
>
> Ok, and to be clear if it crashes again Rich needs to get a stacktrace. Logs won't be enough.
>
> rob

OK - just after I left work last night - IPA crashed.

Oct 28 17:17:11 ipa001 kernel: ns-slapd[1219]: segfault at 0 ip 7f86cd04e572 sp 7f86a2bf7f10 error 4 in libslapd.so.0.0.0[7f86cd009000+fd000]

Required a 'service ipa restart' to get up and running again ;-(

Now Rich directed me to the 'debugging crashes' section which would have me installing debuginfo for 389. I can't find it...

# yum search 389-ds-base-debuginfo
Loaded plugins: product-id, rhnplugin, subscription-manager
This system is receiving updates from RHN Classic or RHN Satellite.
rackspace-rhel-x86_64-server-6-common        |  871 B     00:00
rackspace-rhel-x86_64-server-6-ius           |  871 B     00:00
rhel-x86_64-server-6                         | 1.5 kB     00:00
rhel-x86_64-server-optional-6                | 1.5 kB     00:00
rhel-x86_64-server-supplementary-6           | 1.5 kB     00:00
rhn-tools-rhel-x86_64-server-6
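What that one kernel line already tells you is worth capturing before a restart wipes it. The following is an added example (my code, not from the thread, from FreeIPA or from 389-ds): it parses the `segfault at ... ip ... sp ... error N in object[base+size]` format the kernel prints, decodes the x86 page-fault error code, and computes the module-relative offset (ip minus the mapping base), which unlike the absolute ip is stable across runs under ASLR and is what symbolisation against debuginfo needs. The first sample line is the one Craig posted; the second is constructed here purely to show a different error code and is not from the thread.

```python
import re

# Constructed sample input. Line 1 is the kernel message posted in the thread;
# line 2 is made up for illustration (a user-mode write fault in a non-PIE binary).
SAMPLE_LINES = [
    "Oct 28 17:17:11 ipa001 kernel: ns-slapd[1219]: segfault at 0 ip 7f86cd04e572 "
    "sp 7f86a2bf7f10 error 4 in libslapd.so.0.0.0[7f86cd009000+fd000]",
    "Oct 29 09:02:44 ipa001 kernel: example[4242]: segfault at 7f00deadbeef "
    "ip 0000000000401234 sp 00007ffc0000ff00 error 6 in example[400000+2000]",
]

SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<module>\S+?)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

# Bits of the x86 page-fault error code, as printed by the kernel.
PF_PROT, PF_WRITE, PF_USER, PF_RSVD, PF_INSTR = 1, 2, 4, 8, 16


def decode_error_code(err):
    return {
        "present": bool(err & PF_PROT),   # False: page not mapped; True: protection violation
        "write": bool(err & PF_WRITE),    # False: read access; True: write access
        "user": bool(err & PF_USER),      # False: kernel mode; True: user mode
        "instr": bool(err & PF_INSTR),    # instruction fetch (NX) fault
    }


def parse_segfault(line):
    """Parse one kernel segfault report; returns None for unrelated log lines."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    ip, base, size = (int(m[k], 16) for k in ("ip", "base", "size"))
    in_module = base <= ip < base + size
    return {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "fault_addr": int(m["addr"], 16),
        "ip": ip,
        "module": m["module"],
        "module_base": base,
        "module_size": size,
        "ip_in_module": in_module,
        # Offset of the faulting instruction inside the mapped object: the value
        # to hand to addr2line/gdb together with the matching debuginfo.
        "offset": ip - base if in_module else None,
        "error": decode_error_code(int(m["err"])),
    }


def describe(info):
    """One-line human summary of a parsed segfault."""
    e = info["error"]
    access = "instruction fetch" if e["instr"] else ("write" if e["write"] else "read")
    mode = "user-mode" if e["user"] else "kernel-mode"
    cause = "protection violation" if e["present"] else "unmapped page"
    where = ("%s+0x%x" % (info["module"], info["offset"]) if info["ip_in_module"]
             else "ip 0x%x outside %s" % (info["ip"], info["module"]))
    # A fault inside the first page is, in practice, a NULL (or NULL+small field) dereference.
    null_hint = " (NULL pointer dereference)" if info["fault_addr"] < 0x1000 else ""
    return "%s[%d]: %s %s of 0x%x, %s%s; faulting instruction at %s" % (
        info["comm"], info["pid"], mode, access, info["fault_addr"], cause, null_hint, where)


def scan(lines):
    """Parse every segfault report in a log excerpt, skipping other lines."""
    results = []
    for line in lines:
        info = parse_segfault(line)
        if info is not None:
            results.append(info)
    return results


if __name__ == "__main__":
    for info in scan(SAMPLE_LINES):
        print(describe(info))
```

For the posted line this yields a user-mode read of address 0 on an unmapped page at libslapd.so.0.0.0+0x45572, i.e. a NULL pointer dereference. With the matching 389-ds-base-debuginfo installed, `addr2line -fe /usr/lib64/dirsrv/libslapd.so.0 0x45572` (library path assumed for RHEL 6) names the function, but that only locates the faulting instruction; the stack trace Rob is asking for still requires a core file (or gdb attached to ns-slapd) plus that same debuginfo build.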
Re: [Freeipa-users] getent passwd / group [SOLVED]
On 10/29/2014 02:40 PM, Craig White wrote:
> [snip]
Re: [Freeipa-users] getent passwd / group [SOLVED]
On 10/29/2014 06:45 PM, Dmitri Pal wrote:
> On 10/29/2014 02:40 PM, Craig White wrote:
>> [snip]
Re: [Freeipa-users] getent passwd / group
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Monday, October 27, 2014 5:32 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] getent passwd / group

> On 10/27/2014 07:38 PM, Craig White wrote:
>> RHEL 6.5 - new install
>> ipa-server-3.0.0-42.el6.x86_64
>> 389-ds-base-1.2.11.15-47.el6.x86_64
>>
>> On the master, I get nothing
>>
>> [root@ipa001 log]# getent passwd admin
>> [root@ipa001 log]#
>>
>> But it works on the replica as expected
>>
>> [root@ipa002nadev01 ~]# getent passwd admin
>> admin:*:114000:111000:Administrator:/home/admin:/bin/bash
>>
>> I am used to using PADL / NSSWITCH with OpenLDAP and I am rather surprised that on both, 'getent passwd' and 'getent group' return only entries from local files but then again, I've never used sssd before.
>>
>> Partial from /etc/sssd/sssd.conf
>>
>> [domain/stt.local]
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = stt.local
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = ipa001nadev01.stt.local
>> chpass_provider = ipa
>> ipa_server = ipa001nadev01.stt.local
>> ldap_tls_cacert = /etc/ipa/ca.crt
>>
>> [sssd]
>> services = nss, sudo, pam, ssh
>> config_file_version = 2
>> domains = stt.local
>> debug_level = 6
>>
>> Shouldn't I be seeing both local files and IPA defined users with 'getent passwd' and IPA defined users with 'getent group' commands?
>>
>> What could cause 'getent passwd admin' not to work on the master server now when I know I tested it when I first set it up and it worked? I have done little more than import users and groups from OpenLDAP and configure HBAC, sudo stuff in the IPA web UI.
>
> Please check on master:
> 1. Installation logs. Client on the server is installed last and maybe there is something that went wrong at this stage but the rest of the server is OK.
> 2. DNS. Can you resolve the host properly?
> 3. Firewall. Can you kinit admin or do an ldap search?

It's weird because it is mostly functioning perfectly.

/var/log/ipaclient-install.log doesn't show any errors. Gives every indication that things went as planned. The /var/log/ipaserver-install.log is a rather large file and a cursory inspection doesn't reveal anything that is interesting. The only thing that was not normal about the install was the first install was un-installed because I used DNS forwarders and the boss said no forwarders. So I installed a second time but nothing seemed unusual about either server or client install.

DNS - resolves / working perfectly for the authoritative and non-authoritative zones - forward and reverse. I thought the 'ipa-client-install --enable-dns-updates' worked extremely well after modifying it to ensure that both forward and reverse zone entries were created.

kinit admin@STT.LOCAL works - rejects wrong password entries and accepts correct password entries.

Ldapsearch works fine

Firewall... (we are talking about localhost but)
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:88
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:88
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:123
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:389
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:464
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:464
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:636
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:7389
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:7389
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9444
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9445
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] getent passwd / group
On 10/28/2014 12:11 PM, Craig White wrote:
> [snip]
>
> Ldapsearch works fine
>
> Firewall... (we are talking about localhost but)
> [snip]
> REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Then we need SSSD logs with the debug_level in the right sections as Jakub mentioned in his mail.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
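The "right sections" point deserves to be made concrete. SSSD runs the monitor ([sssd]), every responder listed in services (nss, pam, sudo, ssh) and every domain as separate processes, each with its own log file (sssd_nss.log, sssd_stt.local.log and so on), and each reads debug_level from its own section; a debug_level that appears only under [sssd], as in the fragment posted above, raises the verbosity of the monitor alone, so the domain and responder logs stay quiet. The following is an added example (my code, not from the thread or from the SSSD project) that audits a config for that mistake and emits a corrected copy. Its input is the partial sssd.conf Craig posted, reconstructed inline as a constructed sample rather than a complete file; it uses only the Python standard library.

```python
import configparser
import io

# Constructed sample input: the partial sssd.conf posted in the thread.
# It is not a complete file; note that [domain/stt.local] carries no debug_level.
SAMPLE_SSSD_CONF = """\
[domain/stt.local]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = stt.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa001nadev01.stt.local
chpass_provider = ipa
ipa_server = ipa001nadev01.stt.local
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = stt.local
debug_level = 6
"""


def load_sssd_conf(text):
    # sssd.conf is INI-style; interpolation is disabled because values may contain '%'.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _csv(cp, section, option):
    """Split a comma-separated option such as 'services = nss, sudo, pam, ssh'."""
    if not cp.has_option(section, option):
        return []
    return [v.strip() for v in cp.get(section, option).split(",") if v.strip()]


def sections_needing_debug_level(cp):
    """Every section that maps to its own SSSD process and log file:
    the monitor, each configured responder, and each configured domain."""
    sections = ["sssd"]
    sections += _csv(cp, "sssd", "services")
    sections += ["domain/" + d for d in _csv(cp, "sssd", "domains")]
    return sections


def audit_debug_level(text):
    """Map each such section to its debug_level, or None when unset
    (including responder sections that are not present in the file at all)."""
    cp = load_sssd_conf(text)
    report = {}
    for sec in sections_needing_debug_level(cp):
        if cp.has_section(sec) and cp.has_option(sec, "debug_level"):
            # base 0 accepts both the decimal (6) and hex bitmask (0x3ff0) forms SSSD allows
            report[sec] = int(cp.get(sec, "debug_level"), 0)
        else:
            report[sec] = None
    return report


def missing_debug_level(text):
    """Sections whose process would keep logging at the default (quiet) level."""
    return [sec for sec, level in audit_debug_level(text).items() if level is None]


def with_debug_level(text, level=6):
    """Return the config with debug_level added to every section that lacks it,
    creating absent responder/domain sections; existing options are left untouched."""
    cp = load_sssd_conf(text)
    for sec in sections_needing_debug_level(cp):
        if not cp.has_section(sec):
            cp.add_section(sec)
        if not cp.has_option(sec, "debug_level"):
            cp.set(sec, "debug_level", str(level))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    print("sections without debug_level:", missing_debug_level(SAMPLE_SSSD_CONF))
    print(with_debug_level(SAMPLE_SSSD_CONF))
```

On the posted fragment the audit reports [sssd] at level 6 and nothing for nss, sudo, pam, ssh or domain/stt.local, which is why the domain log would have had nothing useful to send. A separate caveat on the original surprise: a bare `getent passwd` listing only local users is the expected behaviour with SSSD, because enumeration is off unless `enumerate = True` is set in the domain section; lookups by name such as `getent passwd admin` do not depend on it.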
Re: [Freeipa-users] getent passwd / group [SOLVED]
From: Dmitri Pal [mailto:d...@redhat.com]
Sent: Tuesday, October 28, 2014 10:04 AM
To: Craig White; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] getent passwd / group

> On 10/28/2014 12:11 PM, Craig White wrote:
>> [snip]
>>
>> Firewall... (we are talking about localhost but)
>> [snip]
>> REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
>
> Then we need SSSD logs with the debug_level in the right sections as Jakub mentioned in his mail.

Sorry - I had a long meeting and should have noted that after restarting SSSD, it all started working again as expected. Clearly something I have to watch for and indeed, I moved the debug to the domain section for future.
Re: [Freeipa-users] getent passwd / group [SOLVED]
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Craig White
Sent: Tuesday, October 28, 2014 1:28 PM
To: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] getent passwd / group [SOLVED]

> [snip]
>
> Sorry - I had a long meeting and should have noted that after restarting SSSD, it all started working again as expected. Clearly something I have to watch for and indeed, I moved the debug to the domain section for future.

I should add - came to the realization that restarting sssd and went to a long meeting, then came back and couldn't log into the ipa console or Kerberos and had to restart the IPA service to restart Kerberos. IPA is logging nothing.

This is not the first time I have had to go through this cycle - it seems that somehow, the IPA server is sensitive to the SSSD daemon and if the SSSD goes haywire, when I restart SSSD, IPA is not functioning and must be restarted too.

Thanks

Craig
Re: [Freeipa-users] getent passwd / group [SOLVED]
On 10/28/2014 04:41 PM, Craig White wrote:
> [snip]
>
> I should add - came to the realization that restarting sssd and went to a long meeting, then came back and couldn't log into the ipa console or Kerberos and had to restart the IPA service to restart Kerberos. IPA is logging nothing.
>
> This is not the first time I have had to go through this cycle - it seems that somehow, the IPA server is sensitive to the SSSD daemon and if the SSSD goes haywire, when I restart SSSD, IPA is not functioning and must be restarted too.

Is this on the same server?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] getent passwd / group [SOLVED]
From: Dmitri Pal [mailto:d...@redhat.com]
Sent: Tuesday, October 28, 2014 5:10 PM
To: Craig White; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] getent passwd / group [SOLVED]

> On 10/28/2014 04:41 PM, Craig White wrote:
>> [snip]
>>
>> This is not the first time I have had to go through this cycle - it seems that somehow, the IPA server is sensitive to the SSSD daemon and if the SSSD goes haywire, when I restart SSSD, IPA is not functioning and must be restarted too.
>
> Is this on the same server?

Yes, same server... the one I call the master. The first one I set up.

I'm getting tuned in to checking the status of dirsrv and ipa but now I know to check the status of the sssd too. Seems like it crashes a little too easily - I doubt I did much to harm it... I am fairly experienced with OpenLDAP and in fact used 389-server back when it was called FedoraDS. But it is running now, and seemingly will stay running for some time and I am upping the logging and watching for a crash like Richard said to provide some debug logs if possible.

Sort of wish I could have just started with RHEL 7 and the updated IPA.

Thanks

Craig
Re: [Freeipa-users] getent passwd / group [SOLVED]
On 10/28/2014 08:15 PM, Craig White wrote:
>> Is this on the same server?
>
> Yes, same server... the one I call the master. The first one I set up.
>
> I'm getting tuned in to checking the status of dirsrv and ipa but now I know to check the status of the sssd too. Seems like it crashes a little too easily - I doubt I did much to harm it... I am fairly experienced with OpenLDAP and in fact used 389-server back when it was called FedoraDS. But it is running now, and seemingly will stay running for some time and I am upping the logging and watching for a crash like Richard said to provide some debug logs if possible.
>
> Sort of wish I could have just started with RHEL 7 and the updated IPA.
>
> Thanks
> Craig

6.5 was pretty stable but things happen from time to time so it is not clear what exactly went wrong. I suspect some race condition that is rare but happens sometimes.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] getent passwd / group [SOLVED]
Craig White wrote:
>> Is this on the same server?
>
> Yes, same server... the one I call the master. The first one I set up.
>
> I'm getting tuned in to checking the status of dirsrv and ipa but now I know to check the status of the sssd too. Seems like it crashes a little too easily - I doubt I did much to harm it... I am fairly experienced with OpenLDAP and in fact used 389-server back when it was called FedoraDS. But it is running now, and seemingly will stay running for some time and I am upping the logging and watching for a crash like Richard said to provide some debug logs if possible.
>
> Sort of wish I could have just started with RHEL 7 and the updated IPA.

Ok, and to be clear if it crashes again Rich needs to get a stacktrace. Logs won't be enough.

rob
[Freeipa-users] getent passwd / group
RHEL 6.5 - new install
ipa-server-3.0.0-42.el6.x86_64
389-ds-base-1.2.11.15-47.el6.x86_64

On the master, I get nothing

[root@ipa001 log]# getent passwd admin
[root@ipa001 log]#

But it works on the replica as expected

[root@ipa002nadev01 ~]# getent passwd admin
admin:*:114000:111000:Administrator:/home/admin:/bin/bash

I am used to using PADL / NSSWITCH with OpenLDAP and I am rather surprised that on both, 'getent passwd' and 'getent group' return only entries from local files but then again, I've never used sssd before.

Partial from /etc/sssd/sssd.conf

[domain/stt.local]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = stt.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa001nadev01.stt.local
chpass_provider = ipa
ipa_server = ipa001nadev01.stt.local
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = stt.local
debug_level = 6

Shouldn't I be seeing both local files and IPA defined users with 'getent passwd' and IPA defined users with 'getent group' commands?

What could cause 'getent passwd admin' not to work on the master server now when I know I tested it when I first set it up and it worked? I have done little more than import users and groups from OpenLDAP and configure HBAC, sudo stuff in the IPA web UI.

Craig White
System Administrator
O 623-201-8179
M 602-377-9752

SkyTouch Technology
4225 E. Windrose Dr.
Phoenix, AZ 85032
Re: [Freeipa-users] getent passwd / group
On 10/27/2014 07:38 PM, Craig White wrote:
> Shouldn't I be seeing both local files and IPA defined users with 'getent passwd' and IPA defined users with 'getent group' commands?
>
> What could cause 'getent passwd admin' not to work on the master server now when I know I tested it when I first set it up and it worked? I have done little more than import users and groups from OpenLDAP and configure HBAC, sudo stuff in the IPA web UI.

Please check on master:

1. Installation logs. Client on the server is installed last and maybe there is something that went wrong at this stage but the rest of the server is OK.
2. DNS. Can you resolve the host properly?
3. Firewall. Can you kinit admin or do an ldap search?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] getent passwd / group
On Mon, Oct 27, 2014 at 11:38:14PM +, Craig White wrote:
> RHEL 6.5 - new install
> ipa-server-3.0.0-42.el6.x86_64
> 389-ds-base-1.2.11.15-47.el6.x86_64
>
> On the master, I get nothing
>
> [root@ipa001 log]# getent passwd admin

We need to debug this one. I suspect DNS..

> [root@ipa001 log]#
>
> But it works on the replica as expected
>
> [root@ipa002nadev01 ~]# getent passwd admin
> admin:*:114000:111000:Administrator:/home/admin:/bin/bash
>
> I am used to using PADL / NSSWITCH with OpenLDAP and I am rather surprised that on both, 'getent passwd' and 'getent group' return only entries from local files but then again, I've never used sssd before.
>
> Partial from /etc/sssd/sssd.conf
>
> [domain/stt.local]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = stt.local
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa001nadev01.stt.local
> chpass_provider = ipa
> ipa_server = ipa001nadev01.stt.local
> ldap_tls_cacert = /etc/ipa/ca.crt
>
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
> domains = stt.local
> debug_level = 6

Note - the debug_level directive belongs to the domain section. If present in the [sssd] section, only debugging for the main sssd process is enabled.

> Shouldn't I be seeing both local files and IPA defined users with 'getent passwd' and IPA defined users with 'getent group' commands?

No, this is by design. See the description of the 'enumerate' parameter in sssd.conf, there is also an explanation on why enumeration is off by default.

> What could cause 'getent passwd admin' not to work on the master server now when I know I tested it when I first set it up and it worked? I have done little more than import users and groups from OpenLDAP and configure HBAC, sudo stuff in the IPA web UI.

As Dmitri said..
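A small checker for the two points made in the reply above (debug_level belongs in the [domain/...] section, and enumeration is off by default), written as an added example for this thread rather than anything from SSSD or the posters. It parses sssd.conf-style text with Python's configparser; the embedded sample is a constructed, trimmed copy of the partial config posted earlier, and parse_sssd_conf, domain_report and with_domain_debug are hypothetical helper names.

```python
import configparser
import io

# Constructed sample: a trimmed copy of the partial sssd.conf posted in the thread.
SAMPLE_CONF = """\
[domain/stt.local]
cache_credentials = True
id_provider = ipa
ipa_server = ipa001nadev01.stt.local

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = stt.local
debug_level = 6
"""

def parse_sssd_conf(text):
    """Parse sssd.conf text; SSSD option names are case-sensitive, so keep case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def domain_report(text):
    """Per domain listed in [sssd] domains: does its own section set debug_level
    (needed to log id lookups such as getent), and is enumerate on (off by
    default, so a bare 'getent passwd' listing only local users is expected)?"""
    cp = parse_sssd_conf(text)
    names = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")]
    report = {}
    for dom in filter(None, names):
        sect = "domain/" + dom
        report[dom] = {
            "section_present": cp.has_section(sect),
            "debug_level": cp.get(sect, "debug_level", fallback=None),
            "enumerate": cp.getboolean(sect, "enumerate", fallback=False),
        }
    return report

def with_domain_debug(text, level="6"):
    """Return the config with debug_level added to each domain section lacking it."""
    cp = parse_sssd_conf(text)
    for dom, info in domain_report(text).items():
        if info["section_present"] and info["debug_level"] is None:
            cp.set("domain/" + dom, "debug_level", level)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```

Run against the sample, domain_report shows stt.local with no debug_level of its own and enumerate off, which is exactly the situation the reply describes; with_domain_debug emits the same config with debug_level set under [domain/stt.local] while leaving the [sssd] entry in place.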