[Freeipa-users] reboot required after ipa-client-install?

Dean Hunter deanhunter at comcast.net
Thu Nov 7 23:20:09 UTC 2013


On Thu, 2013-11-07 at 17:41 -0500, Dmitri Pal wrote:

> On 11/07/2013 12:59 PM, Dean Hunter wrote: 
> 
> > On Thu, 2013-11-07 at 12:36 -0500, Dmitri Pal wrote:
> > 
> > > On 11/07/2013 12:21 PM, Dean Hunter wrote: 
> > > 
> > > > On Thu, 2013-11-07 at 09:44 +0200, Alexander Bokovoy wrote: 
> > > > 
> > > > > On Wed, 06 Nov 2013, Dean Hunter wrote:
> > > > > 
> > > > > >After building a new VM and configuring the IPA 3.3.2 client, Gnome
> > > > > >seems to only perform a local log-in until the system is rebooted. SSH
> > > > > >works with IPA, but not Gnome. Is this correct? Is there anything less
> > > > > >disruptive than a reboot that I can do?
> > > > 
> > > > 
> > > > 
> > > > > Restart gdm.service?
> > > > > I'm not sure how gdm handles PAM auth.
> > > > 
> > > > 
> > > > I have tried:
> > > > 
> > > >         ipa-client-install ...
> > > >         systemctl restart gdm.service
> > > > 
> > > > but the behavior remains the same. The Gnome log in screen
> > > > accepts the user name, pauses about 25 seconds, then displays
> > > > the log in screen again without any messages or indication of a
> > > > problem. This is the same behavior I see when entering an
> > > > incorrect local user name before configuring IPA.
> > > > 
> > > > 
> > > > 
> > > > 
> > > 
> > > Can it be a DIR cache issue and the fact that the directory
> > > is not created at the proper time?
> > 
> > 
> > Which directory, please?
> 
> 
> If you are hitting the DIR cache issue (which I am not sure is the
> case; this is why I asked about AVCs) then the directory we are talking
> about is /var/run/usr/<uid>.
> This directory should be created by kerberos library when it tries to
> authenticate a user. But it might not be able to since a parent
> directory /var/run/usr might not be created yet. This is one of the
> reasons why we decided not to continue the path of DIR cache but
> switched to using Kernel based ccache.
> 
> 
> 
> > 
> > 
> > > Do you see any AVCs?
> 
> 
> Question still stands.


I see no AVCs:

        [root@ipa ~]# ausearch --message AVC
        <no matches>
        [root@ipa ~]#
        

I did find this in the man page for nsswitch.conf:

        FILES
               A service named SERVICE is implemented by a shared object library named
               libnss_SERVICE.so.X that resides in /lib.

                   /etc/nsswitch.conf       NSS configuration file.
                   /lib/libnss_compat.so.X  implements "compat" source.
                   /lib/libnss_db.so.X      implements "db" source.
                   /lib/libnss_dns.so.X     implements "dns" source.
                   /lib/libnss_files.so.X   implements "files" source.
                   /lib/libnss_hesiod.so.X  implements "hesiod" source.
                   /lib/libnss_nis.so.X     implements "nis" source.
                   /lib/libnss_nisplus.so.X implements "nisplus" source.

        NOTES
               Within each process that uses nsswitch.conf, the entire file is read
               only once.  If the file is later changed, the process will continue
               using the old configuration.


Is this why the default configuration of nsswitch.conf is changing in
Fedora 20, as noted in one of the preceding e-mails?
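
Added example, not part of the original message or of FreeIPA: given the read-once behaviour in the man page NOTES quoted above, this lists processes that started before /etc/nsswitch.conf was last modified, which are the candidates for still using the old NSS configuration. The function names and the sample /proc/<pid>/stat lines are constructed for illustration; the live scan assumes a Linux /proc.

```python
"""List processes that started before /etc/nsswitch.conf was last modified."""
import os

def start_epoch(stat_line, btime, clk_tck):
    """Start time (epoch seconds) computed from one /proc/<pid>/stat line."""
    # Field 2 (comm) is parenthesised and may itself contain spaces or ')',
    # so split after the LAST ')'. The remaining fields begin at field 3,
    # which puts field 22 (starttime, clock ticks since boot) at index 19.
    after_comm = stat_line.rsplit(")", 1)[1].split()
    return btime + int(after_comm[19]) / clk_tck

def comm_of(stat_line):
    return stat_line[stat_line.index("(") + 1 : stat_line.rindex(")")]

def stale_candidates(stat_lines, btime, clk_tck, config_mtime):
    """Return sorted [(pid, comm)] for processes started before config_mtime."""
    out = []
    for line in stat_lines:
        if start_epoch(line, btime, clk_tck) < config_mtime:
            out.append((int(line.split(" ", 1)[0]), comm_of(line)))
    return sorted(out)

def read_live_system(config="/etc/nsswitch.conf"):
    """Gather the same four inputs from a running Linux system."""
    with open("/proc/stat") as f:
        btime = next(int(l.split()[1]) for l in f if l.startswith("btime"))
    lines = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/stat") as f:
                    lines.append(f.read())
            except OSError:  # process exited while we were scanning
                continue
    return lines, btime, os.sysconf("SC_CLK_TCK"), os.stat(config).st_mtime

# Constructed sample: boot at epoch 1000, 100 ticks/s, config edited at 1500.
SAMPLE_BTIME, SAMPLE_TCK, SAMPLE_MTIME = 1000, 100, 1500
PAD = " ".join(["0"] * 18)  # fields 4-21, not used by this check
SAMPLE_STAT = [
    f"812 (gdm) S {PAD} 20000 0 0",            # started at 1200: before edit
    f"900 (my (odd) name) S {PAD} 45000 0 0",  # started at 1450: before edit
    f"1300 (sshd) S {PAD} 60000 0 0",          # started at 1600: after edit
]

if __name__ == "__main__":
    for pid, comm in stale_candidates(*read_live_system()):
        print(pid, comm)
```

A process in this list only holds the old configuration if it had already performed an NSS lookup before the file changed, so treat the output as a list of restart candidates.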
