[Freeipa-users] cannot find name for user ID

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Thu Aug 9 08:52:47 UTC 2012 

On 08/08/2012 01:11 PM, Jakub Hrozek wrote:
> On Wed, Aug 08, 2012 at 10:45:47AM -0800, Erinn Looney-Triggs wrote:
>> An interesting problem has popped up and I am not sure where the issue
>> lies. Users logging in are presented with "cannot find name for user ID"
>> etc. etc. for all groups they are a member of
>>
>> id returns nothing but the numbers, and a getent passwd <username>
>> returns nothing, when running as the user.
>>
>> However, as root a getent passwd <username> works.
>>
>> I am taking a look through logs and haven't found much so far, another
>> user experienced a similar issue and a ipa-client-install --uninstall
>> and reinstall (this is starting to feel like windows :) did the trick
>> for them, however it has not solved the issue for me.
>>
>> I have also cleared the sssd cache, and given that process a kick to no
>> avail.
>>
>> Firewall rules have not changed, and I assume the ipa-client-install
>> process would have failed if a firewall issue was present.
>>
>> After increasing sssd logging levels I see a lot of requests for the
>> user in the sssd logs, but no returns, not that I know if the logging is
>> supposed to log the return.
>>
>> This is on a RHEL 5.8 client:
>> ipa-client-2.1.3-2.el5_8
>> sssd-1.5.1-49.el5_8.1
>>
>> Connecting to a RHEL 6.3 IPA server.
>>
>> Any ideas?
>>
>> -Erinn
>>
> 
> Hi Erinn,
> 
> The requests for the user you saw were only in the sssd_nss log or did
> they make it to the sssd_$domain.log as well? Can you paste sanitized
> contents of both, please?
> 
> I can't think of a reason to make lookups work only as root, that's
> really strange. Can you check for AVC denials? Can you also check the
> permissions on /var/lib/sss/pipes/nss ? It should be 0666.
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 

Yeah I can confirm this for certain now, take a look below:

erinn at numbersix ~ $ ls -l /etc/nsswitch.conf
-rw-r--r-- 1 root root 1726 Dec 27  2011 /etc/nsswitch.conf
erinn at numbersix ~ $ sudo yum -y update sudo

Loaded plugins: rhnplugin, security
Skipping security plugin, no data
Setting up Update Process
Resolving Dependencies
Skipping security plugin, no data
--> Running transaction check
---> Package sudo.x86_64 0:1.7.2p1-14.el5_8.2 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package   Arch        Version                  Repository
   Size
================================================================================
Updating:
 sudo      x86_64      1.7.2p1-14.el5_8.2       rhel-x86_64-server-5
  359 k

Transaction Summary
================================================================================
Install       0 Package(s)
Upgrade       1 Package(s)

Total size: 359 k
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating       : sudo
    1/2
  Cleanup        : sudo
    2/2

Updated:
  sudo.x86_64 0:1.7.2p1-14.el5_8.2


Complete!
erinn at numbersix ~ $ ls -l /etc/nsswitch.conf
-rw------- 1 root root 1727 Aug  9 08:43 /etc/nsswitch.conf

So it appears the latest sudo update is causing this issue, I am
uncertain whether this is intentional or not at this point (probably
not), but it is the cause, and it sure does make things messy for IPA. I
have filed a support case.

-Erinn

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 554 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120809/3a2868d0/attachment.sig>

More information about the Freeipa-users mailing list