<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 10/28/2014 08:15 PM, Craig White
wrote:<br>
</div>
<blockquote
cite="mid:3c0fa0a2867c4d1584baac5b51d6c771@BLUPR08MB488.namprd08.prod.outlook.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Times New Roman \, serif";
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New","serif";
color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
color:black;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle24
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle25
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle26
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Dmitri Pal [<a class="moz-txt-link-freetext" href="mailto:dpal@redhat.com">mailto:dpal@redhat.com</a>]
<br>
<b>Sent:</b> Tuesday, October 28, 2014 5:10 PM<br>
<b>To:</b> Craig White; <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] getent passwd / group
[SOLVED]<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 10/28/2014 04:41 PM, Craig White
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
<a moz-do-not-send="true"
href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>
[<a moz-do-not-send="true"
href="mailto:freeipa-users-bounces@redhat.com">mailto:freeipa-users-bounces@redhat.com</a>]
<b>On Behalf Of </b>Craig White<br>
<b>Sent:</b> Tuesday, October 28, 2014 1:28 PM<br>
<b>To:</b> <a moz-do-not-send="true"
href="mailto:dpal@redhat.com">dpal@redhat.com</a>; <a
moz-do-not-send="true"
href="mailto:freeipa-users@redhat.com">
freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] getent passwd / group
[SOLVED]</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Dmitri Pal [<a moz-do-not-send="true"
href="mailto:dpal@redhat.com">mailto:dpal@redhat.com</a>]
<br>
<b>Sent:</b> Tuesday, October 28, 2014 10:04 AM<br>
<b>To:</b> Craig White; <a moz-do-not-send="true"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] getent passwd / group</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">On 10/28/2014 12:11 PM, Craig White
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
<a moz-do-not-send="true"
href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>
[<a moz-do-not-send="true"
href="mailto:freeipa-users-bounces@redhat.com">mailto:freeipa-users-bounces@redhat.com</a>]
<b>On Behalf Of </b>Dmitri Pal<br>
<b>Sent:</b> Monday, October 27, 2014 5:32 PM<br>
<b>To:</b> <a moz-do-not-send="true"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] getent passwd /
group</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">On 10/27/2014 07:38 PM, Craig White
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">RHEL 6.5 – new install<o:p></o:p></p>
<p class="MsoNormal">ipa-server-3.0.0-42.el6.x86_64<o:p></o:p></p>
<p class="MsoNormal">389-ds-base-1.2.11.15-47.el6.x86_64<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">On the master, I get nothing<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">[root@ipa001 log]# getent passwd
admin<o:p></o:p></p>
<p class="MsoNormal">[root@ipa001 log]#<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">But it works on the replica as
expected<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">[root@ipa002nadev01 ~]# getent passwd
admin<o:p></o:p></p>
<p class="MsoNormal">admin:*:1140000000:1110000000:Administrator:/home/admin:/bin/bash<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I am used to using PADL / NSSWITCH
with OpenLDAP and I am rather surprised that on both,
‘getent passwd’ and ‘getent group’ return only entries
from local files but then again, I’ve never used sssd
before.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
</blockquote>
<p class="MsoNormal">REJECT all --
0.0.0.0/0 0.0.0.0/0 reject-with
icmp-host-prohibited<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New Roman
, serif","serif""><br>
Then we need SSSD logs with the debug_level in the right
sections as Jakub mentioned in his mail.<br>
</span><span
style="font-size:10.0pt;font-family:"Courier
New","serif"">----</span><o:p></o:p></p>
<div style="border:none;border-bottom:solid windowtext
1.0pt;padding:0in 0in 1.0pt 0in">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Courier
New","serif"">Sorry – I had a long
meeting and should have noted that after restarting
SSSD, it all started working again as expected. Clearly
something I have to watch for and indeed, I moved the
debug to the domain section for future.</span><o:p></o:p></p>
</div>
<pre><span style="color:#1F497D">I should add – came to the realization that restarting sssd and went to long meeting, then came back and couldn’t log into ipa console or Kerberos and had to restart IPA service to restart Kerberos.</span><o:p></o:p></pre>
<pre><span style="color:#1F497D"> </span><o:p></o:p></pre>
<pre><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">IPA is logging nothing.</span><o:p></o:p></pre>
<pre><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></pre>
<pre><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">This is not the first time I have had to go through this cycle – it seems that somehow, the IPA server is sensitive to the SSSD daemon and if the SSSD goes haywire, when I restart SSSD, IPA is not functioning and must be restarted too.</span><o:p></o:p></pre>
<pre><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></pre>
<pre><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks</span><o:p></o:p></pre>
<pre><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></pre>
<pre><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Craig</span><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif""><br>
Is this on the same server?<br>
</span><span style="font-size:10.0pt;font-family:"Courier
New","serif"">----<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Courier
New","serif"">Yes, same server… the one I
call the master. The first one I set up. I’m getting tuned
in to the checking the status of dirsrv and ipa but now I
know to check the status of the sssd too.</span><o:p></o:p></p>
<pre><span style="color:#1F497D"><o:p> </o:p></span></pre>
<pre><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Seems like it crashes a little too easily – I doubt I did much to harm it… I am fairly experienced with OpenLDAP and in fact used 389-server back when it was called FedoraDS. <o:p></o:p></span></pre>
<pre><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></pre>
<pre><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">But it is running now, and seemingly will stay running for some time and I am upping the logging and watching for a crash like Richard said to provide some debug logs if possible. Sort of wish I could have just started with RHEL 7 and the updated IPA.<o:p></o:p></span></pre>
<pre><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></pre>
<pre><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks<o:p></o:p></span></pre>
<pre><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></pre>
<pre><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Craig<o:p></o:p></span></pre>
</div>
</blockquote>
<br>
6.5 was pretty stable but things happen from time to time so it is
not clear what exactly went wrong. I suspect some race condition
that is rare but happens sometimes.<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</body>
</html>