[Freeipa-users] cannot find name for user ID
Erinn Looney-Triggs
erinn.looneytriggs at gmail.com
Thu Aug 9 08:35:17 UTC 2012
On 08/08/2012 01:11 PM, Jakub Hrozek wrote:
> On Wed, Aug 08, 2012 at 10:45:47AM -0800, Erinn Looney-Triggs wrote:
>> An interesting problem has popped up and I am not sure where the issue
>> lies. Users logging in are presented with "cannot find name for user ID"
>> etc. etc. for all groups they are a member of
>>
>> id returns nothing but the numbers, and a getent passwd <username>
>> returns nothing, when running as the user.
>>
>> However, as root a getent passwd <username> works.
>>
>> I am taking a look through logs and haven't found much so far, another
>> user experienced a similar issue and a ipa-client-install --uninstall
>> and reinstall (this is starting to feel like windows :) did the trick
>> for them, however it has not solved the issue for me.
>>
>> I have also cleared the sssd cache, and given that process a kick to no
>> avail.
>>
>> Firewall rules have not changed, and I assume the ipa-client-install
>> process would have failed if a firewall issue was present.
>>
>> After increasing sssd logging levels I see a lot of requests for the
>> user in the sssd logs, but no returns, not that I know if the logging is
>> supposed to log the return.
>>
>> This is on a RHEL 5.8 client:
>> ipa-client-2.1.3-2.el5_8
>> sssd-1.5.1-49.el5_8.1
>>
>> Connecting to a RHEL 6.3 IPA server.
>>
>> Any ideas?
>>
>> -Erinn
>>
>
> Hi Erinn,
>
> The requests for the user you saw were only in the sssd_nss log or did
> they make it to the sssd_$domain.log as well? Can you paste sanitized
> contents of both, please?
>
> I can't think of a reason to make lookups work only as root, that's
> really strange. Can you check for AVC denials? Can you also check the
> permissions on /var/lib/sss/pipes/nss ? It should be 0666.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
Ok I figured out what was happening, or at least a portion of it, it
looks like the sudo package update that was pushed out from red hat to
rhel5 c86_64 systems (at least) modified the permissions of the
/etc/nsswitch.conf to 600, thus blocking everyone but root from reading
it and causing this weird issue where root could pull user info but no
one else.
At this point I only assume it was the sudo package as that is the
package that was updated on 10 or so RHEL 5 hosts at the exact same time
as the nsswitch file was updated and the permissions changed.
I have to go dig through the rpm scripts to see what could cause this,
then work with support to get it fixed overall.
Thanks for the help, this was a really odd problem.
-Erinn
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 554 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120809/c6c83943/attachment.sig>
More information about the Freeipa-users
mailing list