[Freeipa-users] reboot required after ipa-client-install?

Dmitri Pal dpal at redhat.com
Fri Nov 8 03:17:44 UTC 2013


On 11/07/2013 06:20 PM, Dean Hunter wrote:
> On Thu, 2013-11-07 at 17:41 -0500, Dmitri Pal wrote:
>> On 11/07/2013 12:59 PM, Dean Hunter wrote:
>>> On Thu, 2013-11-07 at 12:36 -0500, Dmitri Pal wrote:
>>>> On 11/07/2013 12:21 PM, Dean Hunter wrote:
>>>>> On Thu, 2013-11-07 at 09:44 +0200, Alexander Bokovoy wrote:
>>>>>> On Wed, 06 Nov 2013, Dean Hunter wrote:
>>>>>>
>>>>>> >After building a new VM and configuring the IPA 3.3.2 client, Gnome
>>>>>> >seems to only perform a local log-in until the system is rebooted. SSH
>>>>>> >works with IPA, but not Gnome. Is this correct? Is there anything less
>>>>>> >disruptive than a reboot that I can do?
>>>>>
>>>>>> Restart gdm.service?
>>>>>> I'm not sure how gdm handles PAM auth.
>>>>>
>>>>> I have tried:
>>>>>
>>>>>     ipa-client-install ...
>>>>>     systemctl restart gdm.service
>>>>>
>>>>> but the behavior remains the same. The Gnome log in screen accepts
>>>>> the user name, pauses about 25 seconds, then displays the log in
>>>>> screen again without any messages or indication of a problem. This
>>>>> is the same behavior I see when entering an incorrect local user
>>>>> name before configuring IPA.
>>>>>
>>>>>
>>>>>
>>>> Can it be a DIR cache issue and the fact that the directory is not
>>>> created at the proper time?
>>>
>>> Which directory, please?
>>
>> If you are hitting the DIR cache issue (which I am not sure is the
>> case; this is why I asked about AVCs), then the directory we are
>> talking about is /var/run/usr/<uid>
>> This directory should be created by the Kerberos library when it tries to
>> authenticate a user. But it might not be able to, since the parent
>> directory /var/run/usr might not be created yet. This is one of the
>> reasons why we decided not to continue down the path of the DIR cache but
>> switched to using the kernel-based ccache.
>>
>>
>>>
>>>> Do you see any AVCs?
>>
>> Question still stands.
>
> I see no AVCs:
>
>     [root at ipa ~]# ausearch --message AVC
>     <no matches>
>     [root at ipa ~]#
>
> I did find this in the man page for nsswitch.conf:
>
>     FILES
>            A service named SERVICE is implemented by a shared object
>            library named libnss_SERVICE.so.X that resides in /lib.
>
>                /etc/nsswitch.conf       NSS configuration file.
>                /lib/libnss_compat.so.X  implements "compat" source.
>                /lib/libnss_db.so.X      implements "db" source.
>                /lib/libnss_dns.so.X     implements "dns" source.
>                /lib/libnss_files.so.X   implements "files" source.
>                /lib/libnss_hesiod.so.X  implements "hesiod" source.
>                /lib/libnss_nis.so.X     implements "nis" source.
>                /lib/libnss_nisplus.so.X implements "nisplus" source.
>
>     NOTES
>            Within each process that uses nsswitch.conf, the entire file
>            is read only once. If the file is later changed, the process
>            will continue using the old configuration.
>
>
> Is this why the default configuration of nsswitch.conf is changing in
> Fedora 20, as noted in one of the preceding e-mails?
>


Yes, I think SSS is now included by default. But if the man page does not
list it, it is probably a bug in the man page.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
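The two things this thread circles around, whether /etc/nsswitch.conf now lists sss for the passwd and group databases, and which credential-cache type krb5.conf selects (a DIR: cache needs its parent directory to exist before the Kerberos library creates the leaf directory), as an added shell example that is not part of this thread or of FreeIPA's own tooling. The sample file contents, the EXAMPLE.TEST realm and the temporary paths are constructed for the example; the default_ccache_name syntax is the one documented in krb5.conf(5).

```shell
#!/bin/sh
# Added example, not FreeIPA code: post-ipa-client-install sanity checks.
# All file contents below are constructed samples; the realm is fictitious.

# Return 0 if every named database in an nsswitch.conf lists the sss module.
# Usage: nss_has_sss /etc/nsswitch.conf passwd group
nss_has_sss() {
    conf="$1"; shift
    for db in "$@"; do
        sed 's/#.*//' "$conf" \
          | grep -E "^[[:space:]]*${db}:" \
          | grep -qE '(^|[[:space:]])sss([[:space:]]|$)' || return 1
    done
    return 0
}

# Print the raw default_ccache_name value from a krb5.conf (empty if unset).
ccache_name() {
    sed -n 's/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*//p' "$1" \
      | head -n1
}

# Print the ccache scheme (FILE, DIR, KEYRING, ...). The library default is FILE.
ccache_scheme() {
    val=$(ccache_name "$1")
    case "$val" in
        *:*) echo "${val%%:*}" ;;
        *)   echo FILE ;;
    esac
}

# For a DIR: ccache, return 0 only if the parent of the configured directory
# already exists for the given uid: the krb5 library creates the leaf directory
# but not its parent, which is the failure mode the thread describes.
# Non-DIR schemes have nothing to check and return 0.
dir_ccache_parent_ok() {
    conf="$1"; uid="$2"
    val=$(ccache_name "$conf")
    case "$val" in
        DIR:*) ;;
        *) return 0 ;;
    esac
    path=${val#DIR:}
    # substitute the %{uid} parameter expansion used in krb5.conf
    pre=${path%%"%{uid}"*}
    post=${path#*"%{uid}"}
    [ "$pre" = "$path" ] || path="$pre$uid$post"
    [ -d "$(dirname "$path")" ]
}

# Write constructed before/after samples to a temp dir and print its path.
make_samples() {
    d=$(mktemp -d)
    cat >"$d/nsswitch.before" <<'EOF'
passwd:     files
shadow:     files
group:      files
hosts:      files dns
EOF
    cat >"$d/nsswitch.after" <<'EOF'
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
EOF
    cat >"$d/krb5.dir.conf" <<EOF
[libdefaults]
  default_realm = EXAMPLE.TEST
  default_ccache_name = DIR:$d/run/user/%{uid}/krb5cc
EOF
    cat >"$d/krb5.keyring.conf" <<'EOF'
[libdefaults]
  default_realm = EXAMPLE.TEST
  default_ccache_name = KEYRING:persistent:%{uid}
EOF
    echo "$d"
}

# Run the checks against the live system (needs /etc/nsswitch.conf, /etc/krb5.conf).
live_check() {
    nss_has_sss /etc/nsswitch.conf passwd group \
      && echo "nsswitch: passwd/group use sss" \
      || echo "nsswitch: sss missing from passwd or group"
    echo "ccache scheme: $(ccache_scheme /etc/krb5.conf)"
    dir_ccache_parent_ok /etc/krb5.conf "$(id -u)" \
      && echo "DIR ccache parent present (or scheme is not DIR)" \
      || echo "DIR ccache parent directory missing for uid $(id -u)"
}

if [ "${1:-}" = "live" ]; then
    live_check
fi
```

Run as `sh check.sh live` on the client. Even when both checks pass, a process that read nsswitch.conf before ipa-client-install keeps the old configuration until it is restarted, which is the point the man page excerpt makes.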




