[Freeipa-users] cannot find name for user ID
Jakub Hrozek
jhrozek at redhat.com
Thu Aug 9 16:40:14 UTC 2012
On Thu, Aug 09, 2012 at 12:52:47AM -0800, Erinn Looney-Triggs wrote:
> On 08/08/2012 01:11 PM, Jakub Hrozek wrote:
> > On Wed, Aug 08, 2012 at 10:45:47AM -0800, Erinn Looney-Triggs wrote:
> >> An interesting problem has popped up and I am not sure where the issue
> >> lies. Users logging in are presented with "cannot find name for user ID"
> >> etc. etc. for all groups they are a member of
> >>
> >> id returns nothing but the numbers, and a getent passwd <username>
> >> returns nothing, when running as the user.
> >>
> >> However, as root a getent passwd <username> works.
> >>
> >> I am taking a look through logs and haven't found much so far, another
> >> user experienced a similar issue and a ipa-client-install --uninstall
> >> and reinstall (this is starting to feel like windows :) did the trick
> >> for them, however it has not solved the issue for me.
> >>
> >> I have also cleared the sssd cache, and given that process a kick to no
> >> avail.
> >>
> >> Firewall rules have not changed, and I assume the ipa-client-install
> >> process would have failed if a firewall issue was present.
> >>
> >> After increasing sssd logging levels I see a lot of requests for the
> >> user in the sssd logs, but no returns, not that I know if the logging is
> >> supposed to log the return.
> >>
> >> This is on a RHEL 5.8 client:
> >> ipa-client-2.1.3-2.el5_8
> >> sssd-1.5.1-49.el5_8.1
> >>
> >> Connecting to a RHEL 6.3 IPA server.
> >>
> >> Any ideas?
> >>
> >> -Erinn
> >>
> >
> > Hi Erinn,
> >
> > The requests for the user you saw were only in the sssd_nss log or did
> > they make it to the sssd_$domain.log as well? Can you paste sanitized
> > contents of both, please?
> >
> > I can't think of a reason to make lookups work only as root, that's
> > really strange. Can you check for AVC denials? Can you also check the
> > permissions on /var/lib/sss/pipes/nss ? It should be 0666.
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> >
>
> Yeah I can confirm this for certain now, take a look below:
>
> erinn at numbersix ~ $ ls -l /etc/nsswitch.conf
> -rw-r--r-- 1 root root 1726 Dec 27 2011 /etc/nsswitch.conf
> erinn at numbersix ~ $ sudo yum -y update sudo
>
> Loaded plugins: rhnplugin, security
> Skipping security plugin, no data
> Setting up Update Process
> Resolving Dependencies
> Skipping security plugin, no data
> --> Running transaction check
> ---> Package sudo.x86_64 0:1.7.2p1-14.el5_8.2 set to be updated
> --> Finished Dependency Resolution
>
> Dependencies Resolved
>
> ================================================================================
> Package Arch Version Repository
> Size
> ================================================================================
> Updating:
> sudo x86_64 1.7.2p1-14.el5_8.2 rhel-x86_64-server-5
> 359 k
>
> Transaction Summary
> ================================================================================
> Install 0 Package(s)
> Upgrade 1 Package(s)
>
> Total size: 359 k
> Downloading Packages:
> Running rpm_check_debug
> Running Transaction Test
> Finished Transaction Test
> Transaction Test Succeeded
> Running Transaction
> Updating : sudo
> 1/2
> Cleanup : sudo
> 2/2
>
> Updated:
> sudo.x86_64 0:1.7.2p1-14.el5_8.2
>
>
> Complete!
> erinn at numbersix ~ $ ls -l /etc/nsswitch.conf
> -rw------- 1 root root 1727 Aug 9 08:43 /etc/nsswitch.conf
>
> So it appears the latest sudo update is causing this issue, I am
> uncertain whether this is intentional or not at this point (probably
> not), but it is the cause, and it sure does make things messy for IPA. I
> have filed a support case.
>
> -Erinn
>
You were a victim of https://bugzilla.redhat.com/show_bug.cgi?id=846631
More information about the Freeipa-users
mailing list