[Freeipa-users] sssd/pam login issues after upgrade to 2.2.1 on Fedora 17

Rich Megginson rmeggins at redhat.com
Mon Nov 12 16:28:22 UTC 2012


On 11/12/2012 09:27 AM, Simo Sorce wrote:
> On Mon, 2012-11-12 at 09:51 -0600, Anthony Messina wrote:
>> On Monday, November 12, 2012 09:17:17 AM Anthony Messina wrote:
>>>>> I also find that when I do a manual ldapsearch for the non-upgraded
>>>>> clients as follows:
>>>>>
>>>>>
>>>>> ldapsearch -x -D "cn=directory manager" -W -b
>>>>> cn=accounts,dc=messinet,dc=com  "(&(objectClass=ipaHost)(fqdn=*))" dn
>>>>>
>>>>>
>>>>>
>>>>> the non-upgraded clients DO NOT appear in the list, but if I do the
>>>>> following:
>>>>>
>>>>> ldapsearch -x -D "cn=directory manager" -W -b
>>>>> cn=accounts,dc=messinet,dc=com  "(&(objectClass=ipaHost))" dn
>>>>>
>>>>>
>>>>>
>>>>> the non-upgraded clients DO appear in the list.  Somehow the addition of
>>>>> the  fqdn=* in the filter "(&(objectClass=ipaHost)(fqdn=*))" prevents
>>>>> them from being displayed.
>>>>>
>>>>>
>>>>>
>>>>> There were no errors on any of the servers or clients during the
>>>>> upgrade.
>>>>>
>>>>>
>>>>>
>>>>> Your help is appreciated.  I've tried to get this corrected all day
>>>>> without  success.
>>>>>
>>>>>
>>>>>
>>>>> Thanks in advance.  -A
>>>>
>>>>
>>>> Hi,
>>>>
>>>>
>>>>
>>>> the SSSD depends on the fqdn attribute being present for the access
>>>> control mechanism. Also, the SSSD searches the directory anonymously, so
>>>> in order to get the same results, you should simply search the directory
>>>> with anonymous bind.
>>>> Can you check on the server what the host entries look like?
>>>>
>>>>
>>>>
>>>> For example:
>>>> ipa host-show ds.messinet.com --all --raw
>>>>
>>>>
>>>>
>>>> Is the FQDN attribute present in the directory at all?
>>> Yes it is present.  The entry seems to appear similar to other
>>> entries.  I'm  wondering if for some reason it wasn't indexed (I don't know
>>> much about indexing), but only the hosts that are re-enrolled after the
>>> update are displayed with the above search.  I'm thinking this may be
>>> related to
>>> http://git.fedorahosted.org/cgit/freeipa.git/commit/?h=ipa-2-2&id=ce11a7c0e22ee8f70e14c43419f20be70176fe8c
>>>
>>> Is there a way to re-index the fqdn attribute?
>> While this may be a red herring, I also do not find in my ipaupgrade.log any
>> attempt to re-index the fqdn attribute.  These are the only entries for which
>> tasks are created.
>>
>> 2012-11-11T13:25:39Z INFO Creating task to index attribute: memberuid
>> 2012-11-11T13:25:45Z INFO Creating task to index attribute: memberOf
>> 2012-11-11T13:25:51Z INFO Creating task to index attribute: memberHost
>> 2012-11-11T13:25:57Z INFO Creating task to index attribute: memberUser
>> 2012-11-11T13:26:03Z INFO Creating task to index attribute: ntUniqueId
>> 2012-11-11T13:26:09Z INFO Creating task to index attribute: ntUserDomainId
> Seems like it may be the issue.
> Can you open a ticket on this?
>
> Rich,
> do you have a quick pointer for recreating the fqdn index?
Creating the config
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Indexes-Creating_Indexes.html

Creating the actual index db files
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/applying-indexes.html
>
> Simo.
>
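
Added example, not part of the original thread: a way to tell a stale fqdn index apart from hosts that really lack the attribute, by comparing saved output of the two searches discussed above. It assumes the unfiltered search was asked to return fqdn (not only dn); the host names and DNs below are constructed sample data.

```python
import base64

# Constructed sample: output of the "(objectClass=ipaHost)" search, returning fqdn.
UNFILTERED = """\
dn: fqdn=old.example.test,cn=computers,cn=accounts,dc=exam
 ple,dc=test
fqdn: old.example.test

dn: fqdn=new.example.test,cn=computers,cn=accounts,dc=example,dc=test
fqdn: new.example.test

dn: cn=legacy,cn=computers,cn=accounts,dc=example,dc=test
objectClass: ipaHost
"""
# Constructed sample: output of the "(&(objectClass=ipaHost)(fqdn=*))" search.
PRESENCE = """\
dn: fqdn=new.example.test,cn=computers,cn=accounts,dc=example,dc=test
"""

def parse_ldif(text):
    """Parse ldapsearch LDIF into {lowercased dn: {lowercased attr: [values]}}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF folding: continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():                   # blank line ends the entry
            current = None
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            if value.startswith(":"):          # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if attr.lower() == "dn":
                current = entries.setdefault(value.lower(), {})
            elif current is not None:          # skips "search:"/"result:" trailers
                current.setdefault(attr.lower(), []).append(value)
    return entries

def stale_index_suspects(unfiltered_ldif, presence_ldif, attr="fqdn"):
    """DNs that carry `attr` in the entry but were missed by the (attr=*) search."""
    full = parse_ldif(unfiltered_ldif)
    indexed = set(parse_ldif(presence_ldif))
    return sorted(dn for dn, attrs in full.items()
                  if attrs.get(attr) and dn not in indexed)

if __name__ == "__main__":
    print("\n".join(stale_index_suspects(UNFILTERED, PRESENCE)))
```

An entry reported here has the attribute stored but is not found through the index, which points at the index rather than at the host entry; an entry like cn=legacy, which has no fqdn value at all, is not reported.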
