[Freeipa-users] reboot required after ipa-client-install?

Jakub Hrozek jhrozek at redhat.com
Fri Nov 8 09:46:02 UTC 2013


On Thu, Nov 07, 2013 at 10:17:44PM -0500, Dmitri Pal wrote:
> On 11/07/2013 06:20 PM, Dean Hunter wrote:
> > On Thu, 2013-11-07 at 17:41 -0500, Dmitri Pal wrote:
> >> On 11/07/2013 12:59 PM, Dean Hunter wrote:
> >>> On Thu, 2013-11-07 at 12:36 -0500, Dmitri Pal wrote:
> >>>> On 11/07/2013 12:21 PM, Dean Hunter wrote:
> >>>>> On Thu, 2013-11-07 at 09:44 +0200, Alexander Bokovoy wrote:
> >>>>>> On Wed, 06 Nov 2013, Dean Hunter wrote:
> >>>>>>
> >>>>>> >After building a new VM and configuring the IPA 3.3.2 client, Gnome
> >>>>>> >seems to only perform a local log-in until the system is rebooted. SSH
> >>>>>> >works with IPA, but not Gnome. Is this correct? Is there anything less
> >>>>>> >disruptive than a reboot that I can do?
> >>>>>
> >>>>>> Restart gdm.service?
> >>>>>> I'm not sure how gdm handles PAM auth.
> >>>>>
> >>>>> I have tried:
> >>>>>
> >>>>>     ipa-client-install ...
> >>>>>     systemctl restart gdm.service
> >>>>>
> >>>>> but the behavior remains the same. The Gnome log in screen accepts
> >>>>> the user name, pauses about 25 seconds, then displays the log in
> >>>>> screen again without any messages or indication of a problem. This
> >>>>> is the same behavior I see when entering an incorrect local user
> >>>>> name before configuring IPA.
> >>>>>
> >>>> Can it be a DIR cache issue and the fact that the directory
> >>>> is not created at the proper time?
> >>>
> >>> Which directory, please?
> >>
> >> If you are hitting the DIR cache issue (which I am not sure is the
> >> case; this is why I asked about AVCs) then the directory we are
> >> talking about is /var/run/usr/<uid>.
> >> This directory should be created by the Kerberos library when it tries
> >> to authenticate a user. But it might not be able to since a parent
> >> directory /var/run/usr might not be created yet. This is one of the
> >> reasons why we decided not to continue the path of DIR cache but
> >> switched to using a kernel-based ccache.
> >>
> >>
> >>>
> >>>> Do you see any AVCs?
> >>
> >> Question still stands.
> >
> > I see no AVCs:
> >
> >     [root@ipa ~]# ausearch --message AVC
> >     <no matches>
> >     [root@ipa ~]#
> >
> > I did find this in the man page for nsswitch.conf:
> >
> >     FILES
> >            A service named SERVICE is implemented by a shared object
> >            library named libnss_SERVICE.so.X that resides in /lib.
> >
> >                /etc/nsswitch.conf       NSS configuration file.
> >                /lib/libnss_compat.so.X  implements "compat" source.
> >                /lib/libnss_db.so.X      implements "db" source.
> >                /lib/libnss_dns.so.X     implements "dns" source.
> >                /lib/libnss_files.so.X   implements "files" source.
> >                /lib/libnss_hesiod.so.X  implements "hesiod" source.
> >                /lib/libnss_nis.so.X     implements "nis" source.
> >                /lib/libnss_nisplus.so.X implements "nisplus" source.
> >
> >     NOTES
> >            Within each process that uses nsswitch.conf, the entire file
> >            is read only once.  If the file is later changed, the process
> >            will continue using the old configuration.
> >
> >
> > Is this why the default configuration of nsswitch.conf is changing in
> > Fedora 20, as noted in one of the preceding e-mails?
> >
> 
> 
> Yes, I think SSS is now included by default.

Yes, starting with F-20.

> But if the man page does not
> list it, it is probably a bug in the man page.

I think the man page only lists modules that are shipped with the glibc
RPM, not any 3rd party modules like nss_ldap or nss_sss.
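
Added example, not part of the original messages: going by the nsswitch.conf man page note quoted above (each process reads the file only once), this sketch lists processes that started before the file was last modified and so may still be using the old NSS configuration. The function names and the sample process list are constructed for illustration; the live check assumes GNU `stat` and a procps `ps` that supports the `etimes` column.

```bash
#!/usr/bin/env bash
# Added example: find processes older than the last change to a config file.

# filter_stale NOW MTIME
# Reads "PID ELAPSED_SECONDS COMMAND" lines on stdin and prints "PID COMMAND"
# for every process whose start time (NOW - ELAPSED_SECONDS) is earlier than
# MTIME, the modification time of the config file (both in epoch seconds).
filter_stale() {
    local now="$1"
    local mtime="$2"
    local pid elapsed comm
    while read -r pid elapsed comm; do
        # Skip blank or short lines so the arithmetic below never sees
        # an empty field.
        [ -n "$comm" ] || continue
        if [ $((now - elapsed)) -lt "$mtime" ]; then
            printf '%s %s\n' "$pid" "$comm"
        fi
    done
}

# stale_procs [FILE]
# Live check against the running system; FILE defaults to /etc/nsswitch.conf.
stale_procs() {
    local file="${1:-/etc/nsswitch.conf}"
    local now mtime
    now=$(date +%s)
    mtime=$(stat -c %Y "$file") || return 1
    ps -eo pid=,etimes=,comm= | filter_stale "$now" "$mtime"
}

# Constructed sample in the `ps -eo pid=,etimes=,comm=` layout:
# a display manager up for 25 hours, an sshd up for 1 hour, a 2-minute shell.
sample_ps() {
    cat <<'EOF'
  812   90000 gdm
 1490    3600 sshd
 2201     120 bash
EOF
}

# Constructed scenario: "now" is 1383900000 and the file changed 600 s earlier.
# gdm and sshd predate the change; the shell started after it.
sample_ps | filter_stale 1383900000 1383899400
```

On a real client, `stale_procs /etc/nsswitch.conf` run after `ipa-client-install` gives the candidates for a targeted restart; it shows only which processes predate the change, not whether they have actually cached the old configuration.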



