[Freeipa-users] cannot find name for user ID
Erinn Looney-Triggs
erinn.looneytriggs at gmail.com
Thu Aug 9 08:52:47 UTC 2012
On 08/08/2012 01:11 PM, Jakub Hrozek wrote:
> On Wed, Aug 08, 2012 at 10:45:47AM -0800, Erinn Looney-Triggs wrote:
>> An interesting problem has popped up and I am not sure where the issue
>> lies. Users logging in are presented with "cannot find name for user ID"
>> etc. etc. for all groups they are a member of
>>
>> id returns nothing but the numbers, and a getent passwd <username>
>> returns nothing, when running as the user.
>>
>> However, as root a getent passwd <username> works.
>>
>> I am taking a look through logs and haven't found much so far, another
>> user experienced a similar issue and a ipa-client-install --uninstall
>> and reinstall (this is starting to feel like windows :) did the trick
>> for them, however it has not solved the issue for me.
>>
>> I have also cleared the sssd cache, and given that process a kick to no
>> avail.
>>
>> Firewall rules have not changed, and I assume the ipa-client-install
>> process would have failed if a firewall issue was present.
>>
>> After increasing sssd logging levels I see a lot of requests for the
>> user in the sssd logs, but no returns, not that I know if the logging is
>> supposed to log the return.
>>
>> This is on a RHEL 5.8 client:
>> ipa-client-2.1.3-2.el5_8
>> sssd-1.5.1-49.el5_8.1
>>
>> Connecting to a RHEL 6.3 IPA server.
>>
>> Any ideas?
>>
>> -Erinn
>>
>
> Hi Erinn,
>
> The requests for the user you saw were only in the sssd_nss log or did
> they make it to the sssd_$domain.log as well? Can you paste sanitized
> contents of both, please?
>
> I can't think of a reason to make lookups work only as root, that's
> really strange. Can you check for AVC denials? Can you also check the
> permissions on /var/lib/sss/pipes/nss ? It should be 0666.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
Yeah I can confirm this for certain now, take a look below:
erinn at numbersix ~ $ ls -l /etc/nsswitch.conf
-rw-r--r-- 1 root root 1726 Dec 27 2011 /etc/nsswitch.conf
erinn at numbersix ~ $ sudo yum -y update sudo
Loaded plugins: rhnplugin, security
Skipping security plugin, no data
Setting up Update Process
Resolving Dependencies
Skipping security plugin, no data
--> Running transaction check
---> Package sudo.x86_64 0:1.7.2p1-14.el5_8.2 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository
Size
================================================================================
Updating:
sudo x86_64 1.7.2p1-14.el5_8.2 rhel-x86_64-server-5
359 k
Transaction Summary
================================================================================
Install 0 Package(s)
Upgrade 1 Package(s)
Total size: 359 k
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : sudo
1/2
Cleanup : sudo
2/2
Updated:
sudo.x86_64 0:1.7.2p1-14.el5_8.2
Complete!
erinn at numbersix ~ $ ls -l /etc/nsswitch.conf
-rw------- 1 root root 1727 Aug 9 08:43 /etc/nsswitch.conf
So it appears the latest sudo update is causing this issue, I am
uncertain whether this is intentional or not at this point (probably
not), but it is the cause, and it sure does make things messy for IPA. I
have filed a support case.
-Erinn
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 554 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120809/3a2868d0/attachment.sig>
More information about the Freeipa-users
mailing list