Re: [Freeipa-users] getent passwd / group [SOLVED]

2014-10-29 Thread Rich Megginson

On 10/29/2014 06:45 PM, Dmitri Pal wrote:

On 10/29/2014 02:40 PM, Craig White wrote:

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, October 28, 2014 5:34 PM
To: Craig White; d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] getent passwd / group [SOLVED]

Craig White wrote:

*From:*Dmitri Pal [mailto:d...@redhat.com]
*Sent:* Tuesday, October 28, 2014 5:10 PM
*To:* Craig White; freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] getent passwd / group [SOLVED]


On 10/28/2014 04:41 PM, Craig White wrote:

 *From:*freeipa-users-boun...@redhat.com
 <mailto:freeipa-users-boun...@redhat.com>
 [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Craig 
White

 *Sent:* Tuesday, October 28, 2014 1:28 PM
 *To:* d...@redhat.com <mailto:d...@redhat.com>;
 freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>
     *Subject:* Re: [Freeipa-users] getent passwd / group [SOLVED]


 *From:*Dmitri Pal [mailto:d...@redhat.com]
 *Sent:* Tuesday, October 28, 2014 10:04 AM
 *To:* Craig White; freeipa-users@redhat.com
 <mailto:freeipa-users@redhat.com>
 *Subject:* Re: [Freeipa-users] getent passwd / group


 On 10/28/2014 12:11 PM, Craig White wrote:

 *From:*freeipa-users-boun...@redhat.com
 <mailto:freeipa-users-boun...@redhat.com>
 [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of 
*Dmitri Pal

 *Sent:* Monday, October 27, 2014 5:32 PM
 *To:* freeipa-users@redhat.com 
<mailto:freeipa-users@redhat.com>

 *Subject:* Re: [Freeipa-users] getent passwd / group


 On 10/27/2014 07:38 PM, Craig White wrote:

 RHEL 6.5 - new install

 ipa-server-3.0.0-42.el6.x86_64

 389-ds-base-1.2.11.15-47.el6.x86_64


 On the master, I get nothing


 [root@ipa001 log]# getent passwd admin

 [root@ipa001 log]#


 But it works on the replica as expected


 [root@ipa002nadev01 ~]# getent passwd admin

admin:*:114000:111000:Administrator:/home/admin:/bin/bash


 I am used to using PADL / NSSWITCH with OpenLDAP and I am
 rather surprised that on both, 'getent passwd' and 'getent
 group' return only entries from local files but then 
again,

 I've never used sssd before.


 REJECT all  --  0.0.0.0/0  0.0.0.0/0   reject-with icmp-host-prohibited


 Then we need SSSD logs with the debug_level in the right 
sections as

 Jakub mentioned in his mail.
 

 Sorry - I had a long meeting and should have noted that after
 restarting SSSD, it all started working again as expected. Clearly
 something I have to watch for and indeed, I moved the debug to the
 domain section for future.

 I should add - came to the realization that restarting sssd and 
went to long meeting, then came back and couldn't log into ipa 
console or Kerberos and had to restart IPA service to restart Kerberos.



 IPA is logging nothing.


 This is not the first time I have had to go through this cycle 
- it seems that somehow, the IPA server is sensitive to the SSSD 
daemon and if the SSSD goes haywire, when I restart SSSD, IPA is not 
functioning and must be restarted too.



 Thanks


 Craig


Is this on the same server?


Yes, same server... the one I call the master. The first one I set up.
I'm getting tuned in to the checking the status of dirsrv and ipa but
now I know to check the status of the sssd too.


Seems like it crashes a little too easily - I doubt I did much to 
harm it... I am fairly experienced with OpenLDAP and in fact used 
389-server back when it was called FedoraDS.



But it is running now, and seemingly will stay running for some time 
and I am upping the logging and watching for a crash like Richard 
said to provide some debug logs if possible. Sort of wish I could 
have just started with RHEL 7 and the updated IPA.

Ok, and to be clear if it crashes again Rich needs to get a stacktrace.
Logs won't be enough.

rob

OK - just after I left work last night - IPA crashed.

Oct 28 17:17:11 ipa001 kernel: ns-slapd[1219]: segfault at 0 ip 
7f86cd04e572 sp 7f86a2bf7f10 error 4 in 
libslapd.so.0.0.0[7f86cd009000+fd000]


Required a 'service ipa restart' to get up and running again ;-(

Now Rich directed me to the 'debugging crashes' section which would 
have me installing debuginfo for 389.


I can't find it...
# yum search 389-ds-base-debuginfo
Loaded plugins: product-id, rhnplugin, subscription-manager
This system is receiving updates from RHN Classic or RHN Satellite.
rackspace-rhel-x86_64-server-6-common |  871 B 00:00
rackspace-rhel-x86_64-server-6-ius |  871 B 00:00
rhel-x86_64-server-6 | 1.5 kB 00:00
rhel-x86_64-server-opti

Re: [Freeipa-users] getent passwd / group [SOLVED]

2014-10-29 Thread Dmitri Pal

On 10/29/2014 02:40 PM, Craig White wrote:

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, October 28, 2014 5:34 PM
To: Craig White; d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] getent passwd / group [SOLVED]

Craig White wrote:

*From:*Dmitri Pal [mailto:d...@redhat.com]
*Sent:* Tuesday, October 28, 2014 5:10 PM
*To:* Craig White; freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] getent passwd / group [SOLVED]

  


On 10/28/2014 04:41 PM, Craig White wrote:

 *From:*freeipa-users-boun...@redhat.com
 <mailto:freeipa-users-boun...@redhat.com>
 [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Craig White
 *Sent:* Tuesday, October 28, 2014 1:28 PM
 *To:* d...@redhat.com <mailto:d...@redhat.com>;
 freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>
     *Subject:* Re: [Freeipa-users] getent passwd / group [SOLVED]

  


 *From:*Dmitri Pal [mailto:d...@redhat.com]
 *Sent:* Tuesday, October 28, 2014 10:04 AM
 *To:* Craig White; freeipa-users@redhat.com
 <mailto:freeipa-users@redhat.com>
 *Subject:* Re: [Freeipa-users] getent passwd / group

  


 On 10/28/2014 12:11 PM, Craig White wrote:

 *From:*freeipa-users-boun...@redhat.com
 <mailto:freeipa-users-boun...@redhat.com>
 [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Dmitri Pal
 *Sent:* Monday, October 27, 2014 5:32 PM
 *To:* freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>
 *Subject:* Re: [Freeipa-users] getent passwd / group

  


 On 10/27/2014 07:38 PM, Craig White wrote:

 RHEL 6.5 - new install

 ipa-server-3.0.0-42.el6.x86_64

 389-ds-base-1.2.11.15-47.el6.x86_64

  


 On the master, I get nothing

  


 [root@ipa001 log]# getent passwd admin

 [root@ipa001 log]#

  


 But it works on the replica as expected

  


 [root@ipa002nadev01 ~]# getent passwd admin

 
admin:*:114000:111000:Administrator:/home/admin:/bin/bash


  


 I am used to using PADL / NSSWITCH with OpenLDAP and I am
 rather surprised that on both, 'getent passwd' and 'getent
 group' return only entries from local files but then again,
 I've never used sssd before.

  


 REJECT all  --  0.0.0.0/0  0.0.0.0/0   reject-with icmp-host-prohibited


 Then we need SSSD logs with the debug_level in the right sections as
 Jakub mentioned in his mail.
 

 Sorry - I had a long meeting and should have noted that after
 restarting SSSD, it all started working again as expected. Clearly
 something I have to watch for and indeed, I moved the debug to the
 domain section for future.

 I should add - came to the realization that restarting sssd and went to 
long meeting, then came back and couldn't log into ipa console or Kerberos and 
had to restart IPA service to restart Kerberos.

  


 IPA is logging nothing.

  


 This is not the first time I have had to go through this cycle - it seems 
that somehow, the IPA server is sensitive to the SSSD daemon and if the SSSD 
goes haywire, when I restart SSSD, IPA is not functioning and must be restarted 
too.

  


 Thanks

  


 Craig


Is this on the same server?


Yes, same server... the one I call the master. The first one I set up.
I'm getting tuned in to the checking the status of dirsrv and ipa but
now I know to check the status of the sssd too.

  


Seems like it crashes a little too easily - I doubt I did much to harm it... I 
am fairly experienced with OpenLDAP and in fact used 389-server back when it 
was called FedoraDS.

  


But it is running now, and seemingly will stay running for some time and I am 
upping the logging and watching for a crash like Richard said to provide some 
debug logs if possible. Sort of wish I could have just started with RHEL 7 and 
the updated IPA.

Ok, and to be clear if it crashes again Rich needs to get a stacktrace.
Logs won't be enough.

rob

OK - just after I left work last night - IPA crashed.

Oct 28 17:17:11 ipa001 kernel: ns-slapd[1219]: segfault at 0 ip 
7f86cd04e572 sp 7f86a2bf7f10 error 4 in 
libslapd.so.0.0.0[7f86cd009000+fd000]

Required a 'service ipa restart' to get up and running again  ;-(

Now Rich directed me to the 'debugging crashes' section which would have me 
installing debuginfo for 389.

I can't find it...
# yum search 389-ds-base-debuginfo
Loaded plugins: product-id, rhnplugin, subscription-manager
This system is receiving updates from RHN Classic or RHN Satellite.
rackspace-rhel-x86_64-server-6-common  

Re: [Freeipa-users] getent passwd / group [SOLVED]

2014-10-29 Thread Craig White
-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Tuesday, October 28, 2014 5:34 PM
To: Craig White; d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] getent passwd / group [SOLVED]

Craig White wrote:
> *From:*Dmitri Pal [mailto:d...@redhat.com]
> *Sent:* Tuesday, October 28, 2014 5:10 PM
> *To:* Craig White; freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] getent passwd / group [SOLVED]
> 
>  
> 
> On 10/28/2014 04:41 PM, Craig White wrote:
> 
> *From:*freeipa-users-boun...@redhat.com
> <mailto:freeipa-users-boun...@redhat.com>
> [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Craig White
> *Sent:* Tuesday, October 28, 2014 1:28 PM
> *To:* d...@redhat.com <mailto:d...@redhat.com>;
> freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>
> *Subject:* Re: [Freeipa-users] getent passwd / group [SOLVED]
> 
>  
> 
> *From:*Dmitri Pal [mailto:d...@redhat.com]
> *Sent:* Tuesday, October 28, 2014 10:04 AM
> *To:* Craig White; freeipa-users@redhat.com
> <mailto:freeipa-users@redhat.com>
> *Subject:* Re: [Freeipa-users] getent passwd / group
> 
>  
> 
> On 10/28/2014 12:11 PM, Craig White wrote:
> 
> *From:*freeipa-users-boun...@redhat.com
> <mailto:freeipa-users-boun...@redhat.com>
> [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Dmitri Pal
> *Sent:* Monday, October 27, 2014 5:32 PM
> *To:* freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>
> *Subject:* Re: [Freeipa-users] getent passwd / group
> 
>  
> 
> On 10/27/2014 07:38 PM, Craig White wrote:
> 
> RHEL 6.5 - new install
> 
> ipa-server-3.0.0-42.el6.x86_64
> 
> 389-ds-base-1.2.11.15-47.el6.x86_64
> 
>  
> 
> On the master, I get nothing
> 
>  
> 
> [root@ipa001 log]# getent passwd admin
> 
> [root@ipa001 log]#
> 
>  
> 
> But it works on the replica as expected
> 
>  
> 
> [root@ipa002nadev01 ~]# getent passwd admin
> 
> 
> admin:*:114000:111000:Administrator:/home/admin:/bin/bash
> 
>  
> 
> I am used to using PADL / NSSWITCH with OpenLDAP and I am
> rather surprised that on both, 'getent passwd' and 'getent
> group' return only entries from local files but then again,
> I've never used sssd before.
> 
>  
> 
> REJECT all  --  0.0.0.0/0  0.0.0.0/0   reject-with icmp-host-prohibited
> 
> 
> Then we need SSSD logs with the debug_level in the right sections as
> Jakub mentioned in his mail.
> 
> 
> Sorry - I had a long meeting and should have noted that after
> restarting SSSD, it all started working again as expected. Clearly
> something I have to watch for and indeed, I moved the debug to the
> domain section for future.
> 
> I should add - came to the realization that restarting sssd and went to 
> long meeting, then came back and couldn't log into ipa console or Kerberos 
> and had to restart IPA service to restart Kerberos.
> 
>  
> 
> IPA is logging nothing.
> 
>  
> 
> This is not the first time I have had to go through this cycle - it seems 
> that somehow, the IPA server is sensitive to the SSSD daemon and if the SSSD 
> goes haywire, when I restart SSSD, IPA is not functioning and must be 
> restarted too.
> 
>  
> 
> Thanks
> 
>  
> 
> Craig
> 
> 
> Is this on the same server?
> 
> 
> Yes, same server... the one I call the master. The first one I set up. 
> I'm getting tuned in to the checking the status of dirsrv and ipa but 
> now I know to check the status of the sssd too.
> 
>  
> 
> Seems like it crashes a little too easily - I doubt I did much to harm it... 
> I am fairly experienced with OpenLDAP and in fact used 389-server back when 
> it was called FedoraDS. 
> 
>  
> 
> But it is running now, and seemingly will stay running for some time and I am 
> upping the logging and watching for a crash like Richard said to provide some 
> debug logs if possible. Sort of wish I could have just started with RHEL 7 
> and the updated IPA.

Ok, and to be clear if it crashes again Rich needs to get a stacktrace.
Logs won't be enough.

rob

OK - just after I left work last night - IPA crashed.

Oct 28 17:17:11 ipa001 kernel: ns-sla

Re: [Freeipa-users] getent passwd / group [SOLVED]

2014-10-28 Thread Rob Crittenden
Craig White wrote:
> *From:*Dmitri Pal [mailto:d...@redhat.com]
> *Sent:* Tuesday, October 28, 2014 5:10 PM
> *To:* Craig White; freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] getent passwd / group [SOLVED]
> 
>  
> 
> On 10/28/2014 04:41 PM, Craig White wrote:
> 
> *From:*freeipa-users-boun...@redhat.com
> <mailto:freeipa-users-boun...@redhat.com>
> [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Craig White
> *Sent:* Tuesday, October 28, 2014 1:28 PM
> *To:* d...@redhat.com <mailto:d...@redhat.com>;
> freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>
> *Subject:* Re: [Freeipa-users] getent passwd / group [SOLVED]
> 
>  
> 
> *From:*Dmitri Pal [mailto:d...@redhat.com]
> *Sent:* Tuesday, October 28, 2014 10:04 AM
> *To:* Craig White; freeipa-users@redhat.com
> <mailto:freeipa-users@redhat.com>
> *Subject:* Re: [Freeipa-users] getent passwd / group
> 
>  
> 
> On 10/28/2014 12:11 PM, Craig White wrote:
> 
> *From:*freeipa-users-boun...@redhat.com
> <mailto:freeipa-users-boun...@redhat.com>
> [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Dmitri Pal
> *Sent:* Monday, October 27, 2014 5:32 PM
> *To:* freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>
> *Subject:* Re: [Freeipa-users] getent passwd / group
> 
>  
> 
> On 10/27/2014 07:38 PM, Craig White wrote:
> 
> RHEL 6.5 – new install
> 
> ipa-server-3.0.0-42.el6.x86_64
> 
> 389-ds-base-1.2.11.15-47.el6.x86_64
> 
>  
> 
> On the master, I get nothing
> 
>  
> 
> [root@ipa001 log]# getent passwd admin
> 
> [root@ipa001 log]#
> 
>  
> 
> But it works on the replica as expected
> 
>  
> 
> [root@ipa002nadev01 ~]# getent passwd admin
> 
> admin:*:114000:111000:Administrator:/home/admin:/bin/bash
> 
>  
> 
> I am used to using PADL / NSSWITCH with OpenLDAP and I am
> rather surprised that on both, ‘getent passwd’ and ‘getent
> group’ return only entries from local files but then again,
> I’ve never used sssd before.
> 
>  
> 
> REJECT all  --  0.0.0.0/0  0.0.0.0/0   reject-with icmp-host-prohibited
> 
> 
> Then we need SSSD logs with the debug_level in the right sections as
> Jakub mentioned in his mail.
> 
> 
> Sorry – I had a long meeting and should have noted that after
> restarting SSSD, it all started working again as expected. Clearly
> something I have to watch for and indeed, I moved the debug to the
> domain section for future.
> 
> I should add – came to the realization that restarting sssd and went to 
> long meeting, then came back and couldn’t log into ipa console or Kerberos 
> and had to restart IPA service to restart Kerberos.
> 
>  
> 
> IPA is logging nothing.
> 
>  
> 
> This is not the first time I have had to go through this cycle – it seems 
> that somehow, the IPA server is sensitive to the SSSD daemon and if the SSSD 
> goes haywire, when I restart SSSD, IPA is not functioning and must be 
> restarted too.
> 
>  
> 
> Thanks
> 
>  
> 
> Craig
> 
> 
> Is this on the same server?
> 
> 
> Yes, same server… the one I call the master. The first one I set up. I’m
> getting tuned in to the checking the status of dirsrv and ipa but now I
> know to check the status of the sssd too.
> 
>  
> 
> Seems like it crashes a little too easily – I doubt I did much to harm it… I 
> am fairly experienced with OpenLDAP and in fact used 389-server back when it 
> was called FedoraDS. 
> 
>  
> 
> But it is running now, and seemingly will stay running for some time and I am 
> upping the logging and watching for a crash like Richard said to provide some 
> debug logs if possible. Sort of wish I could have just started with RHEL 7 
> and the updated IPA.

Ok, and to be clear if it crashes again Rich needs to get a stacktrace.
Logs won't be enough.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

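Rob's point above is that a crash needs a stack trace, not just logs. The one line the kernel does write is still worth reading properly, because it names the faulting process, the mapped object and the instruction address, and the difference between the instruction pointer and the mapping base is the offset to resolve against the matching debuginfo package with eu-addr2line or gdb. The following shell helper is an added example, not code from this thread or from the 389-ds or FreeIPA projects; the function names are my own, and the sample line is the ns-slapd segfault Craig posts later in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): parse a kernel segfault record into the
# facts a crash triage needs. The x86 page-fault error code is decoded as well:
# bit 0 = protection violation (else page not present), bit 1 = write (else
# read), bit 2 = user mode (else kernel mode). "segfault at 0 ... error 4" is a
# user-mode read of address 0, i.e. a NULL pointer dereference.

# Sample input: the line Craig posted in this thread (the only value used here).
SEGFAULT_LINE='Oct 28 17:17:11 ipa001 kernel: ns-slapd[1219]: segfault at 0 ip 7f86cd04e572 sp 7f86a2bf7f10 error 4 in libslapd.so.0.0.0[7f86cd009000+fd000]'

# Print "process pid addr ip error object base size" for a segfault record;
# print nothing and return 1 for any other line.
segfault_parse() {
    printf '%s\n' "$1" | sed -nE \
        's/.* ([^ ]+)\[([0-9]+)\]: segfault at ([0-9a-f]+) ip ([0-9a-f]+) sp [0-9a-f]+ error ([0-9]+) in ([^[]+)\[([0-9a-f]+)\+([0-9a-f]+)\].*/\1 \2 \3 \4 \5 \6 \7 \8/p' \
        | grep .
}

# Hex offset of the faulting instruction inside the mapped object (ip - base).
segfault_offset() {
    fields=$(segfault_parse "$1") || return 1
    set -- $fields
    printf '%x' $(( 0x$4 - 0x$7 ))
}

# Return 0 if ip lies inside [base, base+size); 1 means the line is inconsistent.
segfault_ip_in_mapping() {
    fields=$(segfault_parse "$1") || return 1
    set -- $fields
    [ $(( 0x$4 )) -ge $(( 0x$7 )) ] && [ $(( 0x$4 )) -lt $(( 0x$7 + 0x$8 )) ]
}

# Human-readable decoding of the x86 page-fault error code.
segfault_error_desc() {
    mode=kernel-mode;      [ $(( ($1 >> 2) & 1 )) -eq 1 ] && mode=user-mode
    access=read;           [ $(( ($1 >> 1) & 1 )) -eq 1 ] && access=write
    cause="unmapped page"; [ $(( $1 & 1 )) -eq 1 ] && cause="protection violation"
    printf '%s %s, %s' "$mode" "$access" "$cause"
}

# Stand-alone run: summarise the sample line.
if fields=$(segfault_parse "$SEGFAULT_LINE"); then
    set -- $fields
    echo "process: $1 (pid $2) faulted at address 0x$3"
    echo "object:  $6 mapped at 0x$7, size 0x$8"
    echo "offset:  0x$(segfault_offset "$SEGFAULT_LINE") into $6 (resolve against debuginfo)"
    echo "access:  $(segfault_error_desc "$5")"
    segfault_ip_in_mapping "$SEGFAULT_LINE" || echo "warning: ip is outside the reported mapping"
fi
```

For the thread's line this reports a user-mode read of address 0 at offset 0x45572 into libslapd.so.0.0.0, which is exactly the number that is useless without the matching debuginfo build and a stack trace, which is why Rob asks for the latter.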

Re: [Freeipa-users] getent passwd / group [SOLVED]

2014-10-28 Thread Dmitri Pal

On 10/28/2014 08:15 PM, Craig White wrote:


*From:*Dmitri Pal [mailto:d...@redhat.com]
*Sent:* Tuesday, October 28, 2014 5:10 PM
*To:* Craig White; freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] getent passwd / group [SOLVED]

On 10/28/2014 04:41 PM, Craig White wrote:

*From:*freeipa-users-boun...@redhat.com
<mailto:freeipa-users-boun...@redhat.com>
[mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Craig White
*Sent:* Tuesday, October 28, 2014 1:28 PM
*To:* d...@redhat.com <mailto:d...@redhat.com>;
freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>
    *Subject:* Re: [Freeipa-users] getent passwd / group [SOLVED]

*From:*Dmitri Pal [mailto:d...@redhat.com]
*Sent:* Tuesday, October 28, 2014 10:04 AM
*To:* Craig White; freeipa-users@redhat.com
<mailto:freeipa-users@redhat.com>
*Subject:* Re: [Freeipa-users] getent passwd / group

On 10/28/2014 12:11 PM, Craig White wrote:

*From:*freeipa-users-boun...@redhat.com
<mailto:freeipa-users-boun...@redhat.com>
[mailto:freeipa-users-boun...@redhat.com] *On Behalf Of
*Dmitri Pal
*Sent:* Monday, October 27, 2014 5:32 PM
*To:* freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>
*Subject:* Re: [Freeipa-users] getent passwd / group

On 10/27/2014 07:38 PM, Craig White wrote:

RHEL 6.5 -- new install

ipa-server-3.0.0-42.el6.x86_64

389-ds-base-1.2.11.15-47.el6.x86_64

On the master, I get nothing

[root@ipa001 log]# getent passwd admin

[root@ipa001 log]#

But it works on the replica as expected

[root@ipa002nadev01 ~]# getent passwd admin

admin:*:114000:111000:Administrator:/home/admin:/bin/bash

I am used to using PADL / NSSWITCH with OpenLDAP and I am
rather surprised that on both, 'getent passwd' and 'getent
group' return only entries from local files but then
again, I've never used sssd before.

REJECT all  --  0.0.0.0/0  0.0.0.0/0   reject-with icmp-host-prohibited



Then we need SSSD logs with the debug_level in the right sections
as Jakub mentioned in his mail.


Sorry -- I had a long meeting and should have noted that after
restarting SSSD, it all started working again as expected. Clearly
something I have to watch for and indeed, I moved the debug to the
domain section for future.

I should add -- came to the realization that restarting sssd and went to 
long meeting, then came back and couldn't log into ipa console or Kerberos and 
had to restart IPA service to restart Kerberos.

  


IPA is logging nothing.

  


This is not the first time I have had to go through this cycle -- it seems 
that somehow, the IPA server is sensitive to the SSSD daemon and if the SSSD 
goes haywire, when I restart SSSD, IPA is not functioning and must be restarted 
too.

  


Thanks

  


Craig


Is this on the same server?


Yes, same server... the one I call the master. The first one I set up. 
I'm getting tuned in to the checking the status of dirsrv and ipa but 
now I know to check the status of the sssd too.


  
Seems like it crashes a little too easily -- I doubt I did much to harm it... I am fairly experienced with OpenLDAP and in fact used 389-server back when it was called FedoraDS.
  
But it is running now, and seemingly will stay running for some time and I am upping the logging and watching for a crash like Richard said to provide some debug logs if possible. Sort of wish I could have just started with RHEL 7 and the updated IPA.
  
Thanks
  
Craig


6.5 was pretty stable but things happen from time to time so it is not 
clear what exactly went wrong. I suspect some race condition that is 
rare but happens sometimes.


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] getent passwd / group [SOLVED]

2014-10-28 Thread Craig White
From: Dmitri Pal [mailto:d...@redhat.com]
Sent: Tuesday, October 28, 2014 5:10 PM
To: Craig White; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] getent passwd / group [SOLVED]

On 10/28/2014 04:41 PM, Craig White wrote:
From: freeipa-users-boun...@redhat.com<mailto:freeipa-users-boun...@redhat.com> 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Craig White
Sent: Tuesday, October 28, 2014 1:28 PM
To: d...@redhat.com<mailto:d...@redhat.com>; 
freeipa-users@redhat.com<mailto:freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] getent passwd / group [SOLVED]

From: Dmitri Pal [mailto:d...@redhat.com]
Sent: Tuesday, October 28, 2014 10:04 AM
To: Craig White; freeipa-users@redhat.com<mailto:freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] getent passwd / group

On 10/28/2014 12:11 PM, Craig White wrote:
From: freeipa-users-boun...@redhat.com<mailto:freeipa-users-boun...@redhat.com> 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Monday, October 27, 2014 5:32 PM
To: freeipa-users@redhat.com<mailto:freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] getent passwd / group

On 10/27/2014 07:38 PM, Craig White wrote:
RHEL 6.5 - new install
ipa-server-3.0.0-42.el6.x86_64
389-ds-base-1.2.11.15-47.el6.x86_64

On the master, I get nothing

[root@ipa001 log]# getent passwd admin
[root@ipa001 log]#

But it works on the replica as expected

[root@ipa002nadev01 ~]# getent passwd admin
admin:*:114000:111000:Administrator:/home/admin:/bin/bash

I am used to using PADL / NSSWITCH with OpenLDAP and I am rather surprised that 
on both, 'getent passwd' and 'getent group' return only entries from local 
files but then again, I've never used sssd before.

REJECT all  --  0.0.0.0/0  0.0.0.0/0   reject-with icmp-host-prohibited

Then we need SSSD logs with the debug_level in the right sections as Jakub 
mentioned in his mail.

Sorry - I had a long meeting and should have noted that after restarting SSSD, 
it all started working again as expected. Clearly something I have to watch for 
and indeed, I moved the debug to the domain section for future.

I should add - came to the realization that restarting sssd and went to long 
meeting, then came back and couldn't log into ipa console or Kerberos and had 
to restart IPA service to restart Kerberos.



IPA is logging nothing.



This is not the first time I have had to go through this cycle - it seems that 
somehow, the IPA server is sensitive to the SSSD daemon and if the SSSD goes 
haywire, when I restart SSSD, IPA is not functioning and must be restarted too.



Thanks



Craig

Is this on the same server?

Yes, same server... the one I call the master. The first one I set up. I'm 
getting tuned in to the checking the status of dirsrv and ipa but now I know to 
check the status of the sssd too.



Seems like it crashes a little too easily - I doubt I did much to harm it... I 
am fairly experienced with OpenLDAP and in fact used 389-server back when it 
was called FedoraDS.



But it is running now, and seemingly will stay running for some time and I am 
upping the logging and watching for a crash like Richard said to provide some 
debug logs if possible. Sort of wish I could have just started with RHEL 7 and 
the updated IPA.



Thanks



Craig

Re: [Freeipa-users] getent passwd / group [SOLVED]

2014-10-28 Thread Dmitri Pal

On 10/28/2014 04:41 PM, Craig White wrote:


*From:*freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Craig White

*Sent:* Tuesday, October 28, 2014 1:28 PM
*To:* d...@redhat.com; freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] getent passwd / group [SOLVED]

*From:*Dmitri Pal [mailto:d...@redhat.com]
*Sent:* Tuesday, October 28, 2014 10:04 AM
*To:* Craig White; freeipa-users@redhat.com 
<mailto:freeipa-users@redhat.com>

*Subject:* Re: [Freeipa-users] getent passwd / group

On 10/28/2014 12:11 PM, Craig White wrote:

*From:*freeipa-users-boun...@redhat.com
<mailto:freeipa-users-boun...@redhat.com>
[mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Dmitri Pal
*Sent:* Monday, October 27, 2014 5:32 PM
*To:* freeipa-users@redhat.com <mailto:freeipa-users@redhat.com>
*Subject:* Re: [Freeipa-users] getent passwd / group

On 10/27/2014 07:38 PM, Craig White wrote:

RHEL 6.5 -- new install

ipa-server-3.0.0-42.el6.x86_64

389-ds-base-1.2.11.15-47.el6.x86_64

On the master, I get nothing

[root@ipa001 log]# getent passwd admin

[root@ipa001 log]#

But it works on the replica as expected

[root@ipa002nadev01 ~]# getent passwd admin

admin:*:114000:111000:Administrator:/home/admin:/bin/bash

I am used to using PADL / NSSWITCH with OpenLDAP and I am
rather surprised that on both, 'getent passwd' and 'getent
group' return only entries from local files but then again,
I've never used sssd before.

REJECT all  --  0.0.0.0/0  0.0.0.0/0   reject-with icmp-host-prohibited


Then we need SSSD logs with the debug_level in the right sections as 
Jakub mentioned in his mail.



Sorry -- I had a long meeting and should have noted that after 
restarting SSSD, it all started working again as expected. Clearly 
something I have to watch for and indeed, I moved the debug to the 
domain section for future.


I should add -- came to the realization that restarting sssd and went to long 
meeting, then came back and couldn't log into ipa console or Kerberos and had 
to restart IPA service to restart Kerberos.
  
IPA is logging nothing.
  
This is not the first time I have had to go through this cycle -- it seems that somehow, the IPA server is sensitive to the SSSD daemon and if the SSSD goes haywire, when I restart SSSD, IPA is not functioning and must be restarted too.
  
Thanks
  
Craig


Is this on the same server?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] getent passwd / group [SOLVED]

2014-10-28 Thread Craig White
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Craig White
Sent: Tuesday, October 28, 2014 1:28 PM
To: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] getent passwd / group [SOLVED]

From: Dmitri Pal [mailto:d...@redhat.com]
Sent: Tuesday, October 28, 2014 10:04 AM
To: Craig White; freeipa-users@redhat.com<mailto:freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] getent passwd / group

On 10/28/2014 12:11 PM, Craig White wrote:
From: freeipa-users-boun...@redhat.com<mailto:freeipa-users-boun...@redhat.com> 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Monday, October 27, 2014 5:32 PM
To: freeipa-users@redhat.com<mailto:freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] getent passwd / group

On 10/27/2014 07:38 PM, Craig White wrote:
RHEL 6.5 - new install
ipa-server-3.0.0-42.el6.x86_64
389-ds-base-1.2.11.15-47.el6.x86_64

On the master, I get nothing

[root@ipa001 log]# getent passwd admin
[root@ipa001 log]#

But it works on the replica as expected

[root@ipa002nadev01 ~]# getent passwd admin
admin:*:114000:111000:Administrator:/home/admin:/bin/bash

I am used to using PADL / NSSWITCH with OpenLDAP and I am rather surprised that 
on both, 'getent passwd' and 'getent group' return only entries from local 
files but then again, I've never used sssd before.

REJECT all  --  0.0.0.0/0  0.0.0.0/0   reject-with icmp-host-prohibited

Then we need SSSD logs with the debug_level in the right sections as Jakub 
mentioned in his mail.

Sorry - I had a long meeting and should have noted that after restarting SSSD, 
it all started working again as expected. Clearly something I have to watch for 
and indeed, I moved the debug to the domain section for future.

I should add - came to the realization that restarting sssd and went to long 
meeting, then came back and couldn't log into ipa console or Kerberos and had 
to restart IPA service to restart Kerberos.



IPA is logging nothing.



This is not the first time I have had to go through this cycle - it seems that 
somehow, the IPA server is sensitive to the SSSD daemon and if the SSSD goes 
haywire, when I restart SSSD, IPA is not functioning and must be restarted too.



Thanks



Craig
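Two things in the exchange above are worth turning into a repeatable check: Dmitri's note that the SSSD logs are only useful with debug_level in the right sections (Craig then moves it into the domain section), and the underlying question of why 'getent' on an IPA host would return only local entries. The script below is an added example, not code from this thread or from the SSSD or FreeIPA projects; the function names are my own, and the sample files are constructed inline (modelled on the partial sssd.conf Craig posts, with the stt.local domain from the thread) so it runs offline. Point the functions at /etc/nsswitch.conf and /etc/sssd/sssd.conf to check a live host.

```shell
#!/bin/sh
# Added example (not from the thread or the SSSD project). Two checks for the
# symptom discussed above:
#   1. glibc only consults SSSD for a database when 'sss' is listed on that
#      database's line in nsswitch.conf; a missing 'sss' on the group line
#      means 'getent group' silently returns /etc/group only.
#   2. debug_level in sssd.conf is per section: a value under [sssd] covers
#      the monitor process only, so lookup problems need it under
#      [domain/...] (and [nss]) before the domain and responder logs say anything.

# Print the databases (passwd, group) whose nsswitch line lacks 'sss'.
# Exit status 0 when both carry it, 1 otherwise.
nss_check_sss() {
    nsswitch=$1; missing=""
    for db in passwd group; do
        if ! grep -Eq "^[[:space:]]*${db}:.*[[:space:]]sss([[:space:]]|$)" "$nsswitch"; then
            missing="${missing}${db} "
        fi
    done
    printf '%s' "${missing% }"
    [ -z "$missing" ]
}

# Print every sssd.conf section that sets debug_level, one per line.
sssd_debug_sections() {
    awk '
        /^[[:space:]]*\[/ { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec) }
        /^[[:space:]]*debug_level[[:space:]]*=/ { print sec }
    ' "$1"
}

# Exit status 0 if [domain/<name>] sets its own debug_level, 1 otherwise.
sssd_domain_has_debug() {
    sssd_debug_sections "$2" | grep -qx "domain/$1"
}

# Constructed samples: the group line lacks sss, and the first sssd.conf sets
# debug_level only under [sssd], as in the config posted in the thread.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
passwd:     files sss
shadow:     files sss
group:      files
EOF
cat > "$SAMPLE_DIR/sssd.conf" <<'EOF'
[domain/stt.local]
cache_credentials = True
id_provider = ipa
auth_provider = ipa
ipa_server = ipa001nadev01.stt.local

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = stt.local
debug_level = 6
EOF
# The same config with debug_level also set in the domain section.
cat > "$SAMPLE_DIR/sssd-fixed.conf" <<'EOF'
[domain/stt.local]
debug_level = 6
cache_credentials = True
id_provider = ipa
auth_provider = ipa
ipa_server = ipa001nadev01.stt.local

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = stt.local
debug_level = 6
EOF

# Stand-alone run: report on the samples.
if missing=$(nss_check_sss "$SAMPLE_DIR/nsswitch.conf"); then
    echo "nsswitch.conf: sss listed for passwd and group"
else
    echo "nsswitch.conf: sss missing from: $missing"
fi
for conf in sssd.conf sssd-fixed.conf; do
    if sssd_domain_has_debug stt.local "$SAMPLE_DIR/$conf"; then
        echo "$conf: [domain/stt.local] sets debug_level"
    else
        echo "$conf: debug_level only in [$(sssd_debug_sections "$SAMPLE_DIR/$conf" | paste -s -d ' ' -)]"
    fi
done
```

One caveat that also answers Craig's question about seeing IPA users in a bare 'getent passwd': SSSD's enumerate option defaults to false, so an unqualified 'getent passwd' or 'getent group' lists local files only even on a healthy client; 'getent passwd admin', the lookup of a single named user, is the meaningful test.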

Re: [Freeipa-users] getent passwd / group [SOLVED]

2014-10-28 Thread Craig White
From: Dmitri Pal [mailto:d...@redhat.com]
Sent: Tuesday, October 28, 2014 10:04 AM
To: Craig White; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] getent passwd / group

On 10/28/2014 12:11 PM, Craig White wrote:
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
Sent: Monday, October 27, 2014 5:32 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] getent passwd / group

On 10/27/2014 07:38 PM, Craig White wrote:
RHEL 6.5 - new install
ipa-server-3.0.0-42.el6.x86_64
389-ds-base-1.2.11.15-47.el6.x86_64

On the master, I get nothing

[root@ipa001 log]# getent passwd admin
[root@ipa001 log]#

But it works on the replica as expected

[root@ipa002nadev01 ~]# getent passwd admin
admin:*:114000:111000:Administrator:/home/admin:/bin/bash

I am used to using PADL / NSSWITCH with OpenLDAP and I am rather surprised that 
on both, 'getent passwd' and 'getent group' return only entries from local 
files but then again, I've never used sssd before.

Partial from /etc/sssd/sssd.conf
[domain/stt.local]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = stt.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa001nadev01.stt.local
chpass_provider = ipa
ipa_server = ipa001nadev01.stt.local
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = stt.local
debug_level = 6

Shouldn't I be seeing both local files and IPA defined users with 'getent 
passwd' and IPA defined users with 'getent group' commands?

What could cause 'getent passwd admin' not to work on the master server now 
when I know I tested it when I first set it up and it worked?  I have done 
little more than import users and groups from OpenLDAP and configure HBAC, sudo 
stuff in the IPA web UI.


Please check on master:
1. Installation logs. Client on the server is installed last and may be there 
is something that went wrong at this stage but the rest of the server is OK.
2. DNS. Can you resolve the host properly?
3. Firewall. Can you kinit admin or or do an ldap search?

It's weird because it is mostly functioning perfectly.

/var/log/ipaclient-install.log doesn't show any errors. Gives every indication 
that things went as planned. The /var/log/ipaserver-install.log is a rather 
large file and a cursory inspection doesn't reveal anything that is 
interesting. The only thing that was not normal about the install was the first 
install was un-installed because I used DNS forwarders and the boss said no 
forwarders. So I installed a second time but nothing seemed unusual about 
either server or client install.

DNS - resolves / working perfectly for the authoritative and non-authoritative 
zones - forward and reverse. I thought the 'ipa-client-install 
--enable-dns-updates' worked extremely well after modifying it to ensure that 
both forward and reverse zone entries were created.

kinit admin@STT.LOCAL works - rejects wrong password 
entries and accepts correct password entries.
Ldapsearch works fine
Firewall... (we are talking about localhost but)
ACCEPT all  --  0.0.0.0/0  0.0.0.0/0   ctstate RELATED,ESTABLISHED
ACCEPT icmp --  0.0.0.0/0  0.0.0.0/0
ACCEPT all  --  0.0.0.0/0  0.0.0.0/0
ACCEPT tcp  --  0.0.0.0/0  0.0.0.0/0   ctstate NEW tcp dpt:22
ACCEPT tcp  --  0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:80
ACCEPT tcp  --  0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:53
ACCEPT udp  --  0.0.0.0/0  0.0.0.0/0   state NEW udp dpt:53
ACCEPT tcp  --  0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:88
ACCEPT udp  --  0.0.0.0/0  0.0.0.0/0   state NEW udp dpt:88
ACCEPT udp  --  0.0.0.0/0  0.0.0.0/0   state NEW udp dpt:123
ACCEPT tcp  --  0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:389
ACCEPT tcp  --  0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:443
ACCEPT tcp  --  0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:464
ACCEPT udp  --  0.0.0.0/0  0.0.0.0/0   state NEW udp dpt:464
ACCEPT tcp  --  0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:636
ACCEPT tcp  --  0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:7389
ACCEPT udp  --  0.0.0.0/0  0.0.0.0/0   state NEW udp dpt:7389
ACCEPT tcp  --  0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:9443
ACCEPT tcp  --  0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:9444
ACCEPT tcp  --  0.0.0.0/0  0.0.0.0/0   state NEW tcp dpt:9445
REJECT all  --  0.0.0.0/0  0.0.0.0/0   reject-with icmp-host-prohibited

Then we need SSSD logs with the debug_level in