[Freeipa-users] sssd/pam login issues after upgrade to 2.2.1 on Fedora 17

Simo Sorce simo at redhat.com
Mon Nov 12 16:27:29 UTC 2012


On Mon, 2012-11-12 at 09:51 -0600, Anthony Messina wrote:
> On Monday, November 12, 2012 09:17:17 AM Anthony Messina wrote:
> > > > I also find that when I do a manual ldapsearch for the non-upgraded
> > > > clients as follows:
> > > >
> > > > ldapsearch -x -D "cn=directory manager" -W -b cn=accounts,dc=messinet,dc=com "(&(objectClass=ipaHost)(fqdn=*))" dn
> > > >
> > > > the non-upgraded clients DO NOT appear in the list, but if I do the
> > > > following:
> > > >
> > > > ldapsearch -x -D "cn=directory manager" -W -b cn=accounts,dc=messinet,dc=com "(&(objectClass=ipaHost))" dn
> > > >
> > > > the non-upgraded clients DO appear in the list.  Somehow the addition of
> > > > the fqdn=* in the filter "(&(objectClass=ipaHost)(fqdn=*))" prevents
> > > > them from being displayed.
> > > >
> > > > There were no errors on any of the servers or clients during the
> > > > upgrade.
> > > >
> > > > Your help is appreciated.  I've tried to get this corrected all day
> > > > without success.
> > > >
> > > > Thanks in advance.  -A
> > >
> > > Hi,
> > >
> > > the SSSD depends on the fqdn attribute being present for the access
> > > control mechanism. Also, the SSSD searches the directory anonymously, so
> > > in order to get the same results, you should simply search the directory
> > > with anonymous bind.
> > > Can you check on the server what the host entries look like?
> > >
> > > For example:
> > > ipa host-show ds.messinet.com --all --raw
> > >
> > > Is the FQDN attribute present in the directory at all?
> > 
> > Yes it is present.  The entry seems to appear similar to other
> > entries.  I'm wondering if for some reason it wasn't indexed (I don't know
> > much about indexing), but only the hosts that are re-enrolled after the
> > update are displayed with the above search.  I'm thinking this may be
> > related to
> > http://git.fedorahosted.org/cgit/freeipa.git/commit/?h=ipa-2-2&id=ce11a7c0e22ee8f70e14c43419f20be70176fe8c
> > 
> > Is there a way to re-index the fqdn attribute?
> 
> While this may be a red herring, I also do not find in my ipaupgrade.log any 
> attempt to re-index the fqdn attribute.  These are the only entries for which 
> tasks are created.
> 
> 2012-11-11T13:25:39Z INFO Creating task to index attribute: memberuid
> 2012-11-11T13:25:45Z INFO Creating task to index attribute: memberOf
> 2012-11-11T13:25:51Z INFO Creating task to index attribute: memberHost
> 2012-11-11T13:25:57Z INFO Creating task to index attribute: memberUser
> 2012-11-11T13:26:03Z INFO Creating task to index attribute: ntUniqueId
> 2012-11-11T13:26:09Z INFO Creating task to index attribute: ntUserDomainId

Seems like it may be the issue.
Can you open a ticket on this?

Rich,
do you have a quick pointer for recreating the fqdn index?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
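
The comparison discussed in this thread, as an added example that is not part of the original messages: given saved output of the two searches, it lists host entries that carry an fqdn value yet are missing from the `(fqdn=*)` result, which points at the index rather than the data. It assumes the unfiltered search requested `dn fqdn` (the thread requested only `dn`); the function names and the example.com entries are constructed.

```shell
# Added example (constructed names and sample data): list host entries that
# carry fqdn but are missing from the "(fqdn=*)" search result.

# Print one lower-cased DN per line from ldapsearch output on stdin.
# $1 = 1: only entries that have an fqdn value. Folded lines (continuations
# start with one space) are rejoined; base64 "dn::" values are not decoded.
ldif_dns() {
    awk -v need="${1:-0}" '
        function emit() { if (dn != "" && (!need || has)) print tolower(dn); dn = ""; has = 0 }
        /^ /     { if (indn) dn = dn substr($0, 2); next }
        /^dn: /  { emit(); dn = substr($0, 5); indn = 1; next }
        /^[Ff][Qq][Dd][Nn]:/ { has = 1 }
                 { indn = 0 }
        END      { emit() }
    ' | LC_ALL=C sort -u
}

# $1 = output of the "(objectClass=ipaHost)" search requesting "dn fqdn"
# $2 = output of the "(&(objectClass=ipaHost)(fqdn=*))" search
stale_index_suspects() {
    a=$(mktemp); b=$(mktemp)
    ldif_dns 1 < "$1" > "$a"
    ldif_dns 0 < "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b"   # in the full result with fqdn, not in the presence result
    rm -f "$a" "$b"
}

# Constructed sample output (example.com, not the hosts from the thread).
sample() {
    cat > "$1/all.ldif" <<'EOF'
dn: fqdn=new.example.com,cn=computers,cn=accounts,dc=example,dc=com
fqdn: new.example.com

dn: fqdn=old-client-with-a-long-name.example.com,cn=computers,cn=accounts,dc
 =example,dc=com
fqdn: old-client-with-a-long-name.example.com

dn: cn=no-fqdn-host,cn=computers,cn=accounts,dc=example,dc=com
cn: no-fqdn-host
EOF
    cat > "$1/presence.ldif" <<'EOF'
dn: fqdn=new.example.com,cn=computers,cn=accounts,dc=example,dc=com
EOF
}

d=$(mktemp -d); sample "$d"
stale_index_suspects "$d/all.ldif" "$d/presence.ldif"
rm -rf "$d"
```

An entry with no fqdn value at all (the third sample entry) is not reported, since its absence from the presence search is expected.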



