[Freeipa-users] getent passwd / group
Dmitri Pal
dpal at redhat.com
Tue Oct 28 17:04:18 UTC 2014
On 10/28/2014 12:11 PM, Craig White wrote:
>
> *From:*freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Dmitri Pal
> *Sent:* Monday, October 27, 2014 5:32 PM
> *To:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] getent passwd / group
>
> On 10/27/2014 07:38 PM, Craig White wrote:
>
> RHEL 6.5 -- new install
>
> ipa-server-3.0.0-42.el6.x86_64
> 389-ds-base-1.2.11.15-47.el6.x86_64
>
> On the master, I get nothing
>
> [root at ipa001 log]# getent passwd admin
> [root at ipa001 log]#
>
> But it works on the replica as expected
>
> [root at ipa002nadev01 ~]# getent passwd admin
> admin:*:1140000000:1110000000:Administrator:/home/admin:/bin/bash
>
> I am used to using PADL / NSSWITCH with OpenLDAP and I am rather
> surprised that on both, 'getent passwd' and 'getent group' return
> only entries from local files but then again, I've never used sssd
> before.
>
> Partial from /etc/sssd/sssd.conf
>
> [domain/stt.local]
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = stt.local
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa001nadev01.stt.local
> chpass_provider = ipa
> ipa_server = ipa001nadev01.stt.local
> ldap_tls_cacert = /etc/ipa/ca.crt
>
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
> domains = stt.local
> debug_level = 6
>
> Shouldn't I be seeing both local files and IPA defined users with
> 'getent passwd' and IPA defined users with 'getent group' commands?
>
> What could cause 'getent passwd admin' not to work on the master
> server now when I know I tested it when I first set it up and it
> worked? I have done little more than import users and groups from
> OpenLDAP and configure HBAC, sudo stuff in the IPA web UI.
>
>
> Please check on master:
> 1. Installation logs. Client on the server is installed last and may
> be there is something that went wrong at this stage but the rest of
> the server is OK.
> 2. DNS. Can you resolve the host properly?
> 3. Firewall. Can you kinit admin or do an ldap search?
> ----
>
> It's weird because it is mostly functioning perfectly.
>
> /var/log/ipaclient-install.log doesn't show any errors. Gives every
> indication that things went as planned. The
> /var/log/ipaserver-install.log is a rather large file and a cursory
> inspection doesn't reveal anything that is interesting. The only thing
> that was not normal about the install was the first install was
> un-installed because I used DNS forwarders and the boss said no
> forwarders. So I installed a second time but nothing seemed unusual
> about either server or client install.
>
> DNS -- resolves / working perfectly for the authoritative and
> non-authoritative zones -- forward and reverse. I thought the
> 'ipa-client-install --enable-dns-updates' worked extremely well after
> modifying it to ensure that both forward and reverse zone entries were
> created.
>
> kinit admin at STT.LOCAL works -- rejects wrong password entries and
> accepts correct password entries.
>
> Ldapsearch works fine
>
> Firewall... (we are talking about localhost but)
>
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:22
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:88
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:88
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:123
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:389
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:443
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:464
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:464
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:636
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:7389
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:7389
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9443
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9444
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:9445
> REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
>
>
Then we need SSSD logs with the debug_level in the right sections as
Jakub mentioned in his mail.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
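The reply asks for SSSD logs with debug_level in the right sections, and the posted sssd.conf fragment sets it only under [sssd]. As an added example (not part of this thread, and not FreeIPA or SSSD project code), a small Python check that parses an sssd.conf of that shape and lists which consulted sections ([sssd], each listed service, each listed domain) still lack debug_level, and which /etc/nsswitch.conf databases omit the sss source, since a passwd or group line without sss yields exactly the local-files-only getent output the post describes. Both inputs are constructed samples; the nsswitch.conf content is an assumption, as nothing in the thread shows the master's file.

```python
import configparser

# Constructed sample: the shape of the sssd.conf fragment from the post, with
# debug_level present only in [sssd] (the situation the reply points at).
SAMPLE_SSSD_CONF = """\
[domain/stt.local]
id_provider = ipa
auth_provider = ipa
ipa_server = ipa001nadev01.stt.local

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = stt.local
debug_level = 6
"""

# Constructed, assumed nsswitch.conf sample: 'sss' missing from passwd, which
# on its own makes 'getent passwd' return local /etc/passwd entries only.
SAMPLE_NSSWITCH = """\
passwd: files
shadow: files sss
group: files sss
"""


def sections_missing_debug_level(conf_text):
    """Sections consulted for an identity lookup ([sssd], every listed
    service, every listed domain) that have no debug_level of their own."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    wanted = ["sssd"]
    wanted += [s.strip() for s in cp.get("sssd", "services", fallback="").split(",") if s.strip()]
    wanted += ["domain/" + d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    return [s for s in wanted if not cp.has_option(s, "debug_level")]


def nss_databases_without_sss(nsswitch_text, databases=("passwd", "group")):
    """NSS databases (default: passwd, group) whose source list omits 'sss';
    a database with no line at all is reported as missing it too."""
    found = {}
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        found[db.strip()] = sources.split()
    return [db for db in databases if "sss" not in found.get(db, [])]


if __name__ == "__main__":
    print("sections without debug_level:", sections_missing_debug_level(SAMPLE_SSSD_CONF))
    print("nsswitch databases without sss:", nss_databases_without_sss(SAMPLE_NSSWITCH))
```

To run it against a real host, read /etc/sssd/sssd.conf and /etc/nsswitch.conf into the two functions instead of the samples; an empty list from both means the log request and the NSS lookup chain are both in order.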