[Freeipa-users] getent passwd / group

Dmitri Pal dpal at redhat.com
Tue Oct 28 17:04:18 UTC 2014


On 10/28/2014 12:11 PM, Craig White wrote:
>
> From: freeipa-users-bounces at redhat.com 
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
> Sent: Monday, October 27, 2014 5:32 PM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] getent passwd / group
>
> On 10/27/2014 07:38 PM, Craig White wrote:
>
>     RHEL 6.5 -- new install
>
>     ipa-server-3.0.0-42.el6.x86_64
>
>     389-ds-base-1.2.11.15-47.el6.x86_64
>
>     On the master, I get nothing
>
>     [root@ipa001 log]# getent passwd admin
>     [root@ipa001 log]#
>
>     But it works on the replica as expected
>
>     [root@ipa002nadev01 ~]# getent passwd admin
>     admin:*:1140000000:1110000000:Administrator:/home/admin:/bin/bash
>
>     I am used to using PADL / NSSWITCH with OpenLDAP and I am rather
>     surprised that on both, 'getent passwd' and 'getent group' return
>     only entries from local files but then again, I've never used sssd
>     before.
>
>     Partial from /etc/sssd/sssd.conf
>
>     [domain/stt.local]
>     cache_credentials = True
>     krb5_store_password_if_offline = True
>     ipa_domain = stt.local
>     id_provider = ipa
>     auth_provider = ipa
>     access_provider = ipa
>     ipa_hostname = ipa001nadev01.stt.local
>     chpass_provider = ipa
>     ipa_server = ipa001nadev01.stt.local
>     ldap_tls_cacert = /etc/ipa/ca.crt
>
>     [sssd]
>     services = nss, sudo, pam, ssh
>     config_file_version = 2
>     domains = stt.local
>     debug_level = 6
>
>     Shouldn't I be seeing both local files and IPA defined users with
>     'getent passwd' and IPA defined users with 'getent group' commands?
>
>     What could cause 'getent passwd admin' not to work on the master
>     server now when I know I tested it when I first set it up and it
>     worked?  I have done little more than import users and groups from
>     OpenLDAP and configure HBAC, sudo stuff in the IPA web UI.
>
>
> Please check on master:
> 1. Installation logs. Client on the server is installed last and maybe 
> there is something that went wrong at this stage but the rest of 
> the server is OK.
> 2. DNS. Can you resolve the host properly?
> 3. Firewall. Can you kinit admin or do an ldap search?
> ----
>
> It's weird because it is mostly functioning perfectly.
>
> /var/log/ipaclient-install.log doesn't show any errors. Gives every 
> indication that things went as planned. The 
> /var/log/ipaserver-install.log is a rather large file and a cursory 
> inspection doesn't reveal anything that is interesting. The only thing 
> that was not normal about the install was the first install was 
> un-installed because I used DNS forwarders and the boss said no 
> forwarders. So I installed a second time but nothing seemed unusual 
> about either server or client install.
>
> DNS -- resolves / working perfectly for the authoritative and 
> non-authoritative zones -- forward and reverse. I thought the 
> 'ipa-client-install --enable-dns-updates' worked extremely well after 
> modifying it to ensure that both forward and reverse zone entries were 
> created.
>
> kinit admin@STT.LOCAL works -- rejects wrong 
> password entries and accepts correct password entries.
>
> Ldapsearch works fine
>
> Firewall... (we are talking about localhost but)
>
> ACCEPT     all  --  0.0.0.0/0 0.0.0.0/0           ctstate RELATED,ESTABLISHED
> ACCEPT     icmp --  0.0.0.0/0 0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0 0.0.0.0/0
> ACCEPT     tcp  --  0.0.0.0/0 0.0.0.0/0           ctstate NEW tcp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0 0.0.0.0/0           state NEW tcp dpt:80
> ACCEPT     tcp  --  0.0.0.0/0 0.0.0.0/0           state NEW tcp dpt:53
> ACCEPT     udp  --  0.0.0.0/0 0.0.0.0/0           state NEW udp dpt:53
> ACCEPT     tcp  --  0.0.0.0/0 0.0.0.0/0           state NEW tcp dpt:88
> ACCEPT     udp  --  0.0.0.0/0 0.0.0.0/0           state NEW udp dpt:88
> ACCEPT     udp  --  0.0.0.0/0 0.0.0.0/0           state NEW udp dpt:123
> ACCEPT     tcp  --  0.0.0.0/0 0.0.0.0/0           state NEW tcp dpt:389
> ACCEPT     tcp  --  0.0.0.0/0 0.0.0.0/0           state NEW tcp dpt:443
> ACCEPT     tcp  --  0.0.0.0/0 0.0.0.0/0           state NEW tcp dpt:464
> ACCEPT     udp  --  0.0.0.0/0 0.0.0.0/0           state NEW udp dpt:464
> ACCEPT     tcp  --  0.0.0.0/0 0.0.0.0/0           state NEW tcp dpt:636
> ACCEPT     tcp  --  0.0.0.0/0 0.0.0.0/0           state NEW tcp dpt:7389
> ACCEPT     udp  --  0.0.0.0/0 0.0.0.0/0           state NEW udp dpt:7389
> ACCEPT     tcp  --  0.0.0.0/0 0.0.0.0/0           state NEW tcp dpt:9443
> ACCEPT     tcp  --  0.0.0.0/0 0.0.0.0/0           state NEW tcp dpt:9444
> ACCEPT     tcp  --  0.0.0.0/0 0.0.0.0/0           state NEW tcp dpt:9445
> REJECT     all  --  0.0.0.0/0 0.0.0.0/0           reject-with icmp-host-prohibited
>

Then we need SSSD logs with the debug_level in the right sections as 
Jakub mentioned in his mail.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
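Added example, not part of the thread and not code from the FreeIPA or SSSD projects: a small POSIX shell script that runs, against constructed copies of nsswitch.conf and sssd.conf modelled on the configuration quoted above, the two checks that decide whether the SSSD side of a failed lookup can be debugged at all. First, whether nsswitch.conf routes the passwd and group databases through sss (if it does not, getent never asks sssd and only local files are consulted). Second, whether debug_level is set in the sections that actually serve an NSS lookup: debug_level is read per section, so a value only under [sssd] leaves the nss responder and the domain back end logging at their defaults. Separately, `getent passwd` with no argument listing only local users is expected with SSSD, which does not enumerate the directory unless `enumerate = True` is set in the domain section; a single lookup such as `getent passwd admin` does not depend on that. The sample file contents, the temporary directory and the section name `domain/stt.local` are assumptions taken from the quoted message; the /etc paths are only the defaults the functions fall back to.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for a
# "getent passwd <user> returns nothing" failure on an SSSD/IPA host.
# All input is constructed below; /etc/nsswitch.conf and
# /etc/sssd/sssd.conf are only the defaults the functions fall back to.

# Does nsswitch.conf route the given database (passwd, group, ...)
# through sss?  If not, getent never contacts sssd at all and only
# local files are consulted, whatever sssd.conf says.
nss_has_sss() {
    db="$1"; conf="${2:-/etc/nsswitch.conf}"
    grep -Eq "^[[:space:]]*${db}[[:space:]]*:(.*[[:space:]])?sss([[:space:]]|$)" "$conf"
}

# Print the value of "key" inside "[section]" of an ini-style sssd.conf
# (first match wins; comments and blank lines are ignored); print
# nothing if the key is absent from that section.
sssd_get() {
    section="$1"; key="$2"; conf="${3:-/etc/sssd/sssd.conf}"
    awk -v sec="[$section]" -v key="$key" '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*\[/ {
            line = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", line)
            insec = (line == sec); next
        }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }
    ' "$conf"
}

# debug_level is per section.  A value in [sssd] covers only the monitor
# process; an NSS lookup is served by the nss responder and the domain
# back end, so [nss] and [domain/<name>] each need their own debug_level
# before sssd_nss.log and sssd_<name>.log say anything useful.
# Prints the sections that still lack it, space separated.
missing_debug_sections() {
    conf="$1"; domain="$2"; missing=""
    for sec in nss "domain/$domain"; do
        [ -n "$(sssd_get "$sec" debug_level "$conf")" ] || missing="$missing $sec"
    done
    printf '%s\n' "${missing# }"
}

# Write constructed sample files into directory "$1" that mirror the
# configuration quoted in the thread: debug_level only in [sssd], plus
# an nsswitch.conf whose group line was never given sss (assumed, to
# show the failing case).
make_sample_confs() {
    dir="$1"
    cat > "$dir/sssd.conf" <<'EOF'
[domain/stt.local]
cache_credentials = True
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa001nadev01.stt.local
ipa_server = ipa001nadev01.stt.local
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = stt.local
debug_level = 6

[nss]
# no debug_level here
EOF
    cat > "$dir/nsswitch.conf" <<'EOF'
passwd:     files sss
shadow:     files sss
group:      files
EOF
}

# Stand-alone run against the constructed files.
tmp=$(mktemp -d)
make_sample_confs "$tmp"
for db in passwd group; do
    if nss_has_sss "$db" "$tmp/nsswitch.conf"; then
        echo "nsswitch: $db -> sss ok"
    else
        echo "nsswitch: $db does NOT use sss; getent $db shows local entries only"
    fi
done
echo "debug_level in [sssd]: $(sssd_get sssd debug_level "$tmp/sssd.conf")"
echo "sections still without debug_level: $(missing_debug_sections "$tmp/sssd.conf" stt.local)"
rm -rf "$tmp"
```

On a real host, add debug_level under [nss] and [domain/stt.local], restart sssd (which also drops the nss responder's in-memory negative cache of earlier failed lookups), repeat the failing `getent passwd admin`, and read /var/log/sssd/sssd_nss.log and /var/log/sssd/sssd_stt.local.log; `sss_cache -E` invalidates the on-disk cache if a stale entry is suspected.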
