[Freeipa-users] ipa-client stall on 'args=getent passwd admin'

Rob Crittenden rcritten at redhat.com
Wed Nov 30 02:43:55 UTC 2011


Craig T wrote:
> Hi,
>
> I tried letting the client install go and it does eventually finish, however SSSD_NSS queries don't work.
> See errors below;
>
> ----------------------------------------------------------------------
> [root at chtvm-centos-6 /]# ipa-client-install
> Discovery was successful!
> Hostname: chtvm-centos-6.example.com
> Realm: example.com
> DNS Domain: example.com
> IPA Server: chtvm-389.example.com
> BaseDN: dc=example,dc=com
>
> Continue to configure the system with these values? [no]: yes
> User authorized to enroll computers: admin
> Password for admin at example.com:
>
> Enrolled in IPA realm example.com
> Created /etc/ipa/default.conf
> Configured /etc/sssd/sssd.conf
> Configured /etc/krb5.conf for IPA realm example.com
> SSSD enabled
> Kerberos 5 enabled
> Unable to find 'admin' user with 'getent passwd admin'!
> Recognized configuration: SSSD
> NTP enabled
> Client configuration complete.
>
> -------------------------------------------------------------------------------------------------------------------------
> File: /var/log/sssd/sssd_nss.log
> (Wed Nov 30 10:34:16 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
> (Wed Nov 30 10:34:46 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
> (Wed Nov 30 10:35:16 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
> (Wed Nov 30 10:35:46 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
> -------------------------------------------------------------------------------------------------------------------------
> File: /var/log/sssd/sssd_pam.log
> (Wed Nov 30 10:34:16 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider.
> (Wed Nov 30 10:34:46 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider.
> (Wed Nov 30 10:35:16 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider.
> (Wed Nov 30 10:35:46 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider.
> -------------------------------------------------------------------------------------------------------------------------
> Debug Version:
> File: /var/log/sssd/sssd_nss.log
> (Wed Nov 30 10:47:09 2011) [sssd[nss]] [sbus_dispatch] (6): SBUS is reconnecting. Deferring.
> (Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_dispatch] (9): dbus conn: 0
> (Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_dispatch] (6): SBUS is reconnecting. Deferring.
> (Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_reconnect] (3): Making reconnection attempt 3 to [unix:path=/var/lib/sss/pipes/private/sbus-dp_example.com]
> (Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_reconnect] (1): Failed to open connection: name=org.freedesktop.DBus.Error.NoServer, message=Failed to connect to socket /var/lib/sss/pipes/private/sbus-dp_example.com: Connection refused
> (Wed Nov 30 10:47:10 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
> -------------------------------------------------------------------------------------------------------------------------

Can you see if there are any SELinux AVCs (/var/log/audit/audit.log)?

Is the messagebus service running?

>
>
> "getent passwd admin" returns no result at all.

That is expected if sssd can't connect.

rob

>
>
> Regards,
>
> Craig
>
> On Tue, Nov 29, 2011 at 10:01:52AM -0500, Rob Crittenden wrote:
>> Craig T wrote:
>>> I can really see how you came to that conclusion, I'm not sure if I'll get the luxury of choice, due to the servers in our environment. Centos 6.1 could be updated enough, so we might just have to wait for that.
>>
>> I would think the version you have would work fine.
>>
>> What it is doing is testing to be sure that nss is working as
>> expected. It can take some time for sssd to come up, connect to the
>> IPA server, etc, so we loop and try several times (IIRC 5 in your
>> version) to look up a known remote user (admin).
>>
>> If it never does successfully get the admin user you should get an
>> error that nss_ldap can't be configured (yeah, I know, we're using
>> sssd. We fixed this). If you aren't getting this message and the
>> client otherwise seems to be installing ok then things are fine.
>>
>> rob
>>
>>>
>>>
>>> cya
>>>
>>> Craig
>>>
>>> On Tue, Nov 29, 2011 at 12:23:52PM +0100, Sigbjorn Lie wrote:
>>>> On Tue, November 29, 2011 01:52, Craig T wrote:
>>>>> Hi,
>>>>>
>>>>>
>>>>> I was getting a lot of errors with the default ipa-client for Centos 6.0, so I've upgraded Centos
>>>>> 6 to use the RHEL6.2 RPMS for IPA (now version 2.1.1). I get a lot further, but seems to stall
>>>>> right at the end of the ipa-client-install command.
>>>>>
>>>>> Current Spec;
>>>>> Server:
>>>>> RHEL 6.2 Beta
>>>>> ipa-admintools-2.1.1-4.el6.x86_64 ipa-client-2.1.1-4.el6.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-python-2.1.1-4.el6.x86_64 ipa-server-2.1.1-4.el6.x86_64
>>>>>   ipa-server-selinux-2.1.1-4.el6.x86_64
>>>>>
>>>>> Client:
>>>>> Centos 6.0 x64
>>>>> ipa-client-2.1.1-4.el6.x86_64
>>>>>
>>>>>
>>>>> Just an odd error during the "ipa-client-install" command, the installer seems to pause on
>>>>> kerberos;
>>>>> [root at server-centos-6 ~]# ipa-client-install
>>>>> Discovery was successful!
>>>>> Hostname: server-centos-6.example.com
>>>>> Realm: example.com
>>>>> DNS Domain: example.com
>>>>> IPA Server: server-389.example.com
>>>>> BaseDN: dc=example,dc=com
>>>>>
>>>>>
>>>>>
>>>>> Continue to configure the system with these values? [no]: yes
>>>>> User authorized to enroll computers: admin
>>>>> Password for admin at example.com:
>>>>>
>>>>>
>>>>> Enrolled in IPA realm example.com
>>>>> Created /etc/ipa/default.conf
>>>>> Configured /etc/sssd/sssd.conf
>>>>> Configured /etc/krb5.conf for IPA realm example.com
>>>>> SSSD enabled
>>>>> Kerberos 5 enabled
>>>>>
>>>>>
>>>>>
>>>>> When run in debug mode it shows this;
>>>>> Kerberos 5 enabled
>>>>> root        : DEBUG    args=getent passwd admin
>>>>> root        : DEBUG    stdout=
>>>>> root        : DEBUG    stderr=
>>>>> root        : DEBUG    args=getent passwd admin
>>>>> root        : DEBUG    stdout=
>>>>> root        : DEBUG    stderr=
>>>>> root        : DEBUG    args=getent passwd admin
>>>>> root        : DEBUG    stdout=
>>>>> root        : DEBUG    stderr=
>>>>> root        : DEBUG    args=getent passwd admin
>>>>> root        : DEBUG    stdout=
>>>>> root        : DEBUG    stderr=
>>>>>
>>>>>
>>>>>
>>>>> Advice anyone?
>>>>>
>>>>>
>>>>
>>>> I found CentOS to be too far behind, so I started using Scientific Linux 6.1 with latest packages
>>>> from RHEL 6.2 beta for clients instead.
>>>>
>>>> I found the IPA server was easiest to test using Fedora 15.
>>>>
>>>> For production, wait for RHEL 6.2. It's not far away now. :)
>>>>
>>>>
>>>> Regards,
>>>> Siggi
>>>>
>>>>
>>>
>>
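The two places this thread looks for the cause, the sssd responder log and /var/log/audit/audit.log, can be triaged together. The following is an added example, not part of the original messages: it extracts the failing data-provider socket from sssd log lines in the format quoted above and filters audit records for AVC denials from sssd processes. The audit records are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample input: sssd_nss.log lines in the format quoted in the
# thread, plus constructed audit.log records (not taken from the poster's host).
SSSD_LOG = """\
(Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_reconnect] (1): Failed to open connection: name=org.freedesktop.DBus.Error.NoServer, message=Failed to connect to socket /var/lib/sss/pipes/private/sbus-dp_example.com: Connection refused
(Wed Nov 30 10:47:10 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider.
"""
AUDIT_LOG = """\
type=AVC msg=audit(1322610430.101:812): avc:  denied  { write } for  pid=2101 comm="sssd_be" name="sbus-dp_example.com" dev=dm-0 ino=1311 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
type=AVC msg=audit(1322610431.202:813): avc:  denied  { read } for  pid=2200 comm="httpd" name="index.html" dev=dm-0 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

# "(timestamp) [sssd[responder]] [function] (level): message"
SSSD_RE = re.compile(
    r"^\([^)]+\) \[sssd\[(?P<svc>\w+)\]\] \[(?P<func>\w+)\] \(\d+\): (?P<msg>.*)$")
SOCK_RE = re.compile(r"Failed to connect to socket (?P<path>\S+): (?P<err>.+)$")
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')

def socket_failures(log_text):
    """Return (responder, socket_path, error) for each failed sbus connection."""
    out = []
    for line in log_text.splitlines():
        m = SSSD_RE.match(line)
        s = m and SOCK_RE.search(m.group("msg"))
        if s:
            out.append((m.group("svc"), s.group("path"), s.group("err")))
    return out

def sssd_avcs(audit_text):
    """Return AVC denials whose process name or source context belongs to sssd."""
    hits = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m and (m.group("comm").startswith("sssd") or ":sssd_t:" in m.group("scon")):
            hits.append((m.group("comm"), m.group("perms").strip(),
                         m.group("tclass"), m.group("tcon")))
    return hits

if __name__ == "__main__":
    for svc, path, err in socket_failures(SSSD_LOG):
        print(f"sssd_{svc} could not reach {path}: {err}")
    for comm, perms, tclass, tcon in sssd_avcs(AUDIT_LOG):
        print(f"AVC denied {{ {perms} }} comm={comm} tclass={tclass} tcontext={tcon}")
```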



