[Freeipa-users] ipa-client-install failure

Dmitri Pal dpal at redhat.com
Sun Mar 22 19:23:09 UTC 2015


On 03/22/2015 11:24 AM, Roberto Cornacchia wrote:
> Thanks Rob.
>
> Knowing that /etc/nsswitch.conf is created wrongly is a step forward, 
> although we don't know why that happens yet.
> I'm not very keen on fixing it post-installation (except if this is 
> just to learn more about the issue), even if this seems to solve 
> problems. I'm not going to deploy freeIPA for real before I can at 
> least successfully run a plain installation.
>
> It seems SELinux can be ruled out as well.
> I switched to permissive mode and tried again, no difference.
>
> And so far I haven't been able to find anything useful in the logs.
>
> What strikes me is that these are really plain and up-to-date FC21 
> machines, and my deployment was as from the book. The last of the 
> settings you'd expect issues from.
>
> Can anyone (user or developer) confirm successful deployment of both 
> server and client on up-to-date (updated this week) FC21 systems? I 
> know it's maybe a bit far-fetched, but could any of the latest FC 
> updates have created the issue?

Maybe.
To configure nsswitch we call authconfig, so maybe there is something weird 
with it. Can you check?

>
> Roberto
>
>
> On 21 March 2015 at 17:26, Rob Crittenden <rcritten at redhat.com> wrote:
>
>     Roberto Cornacchia wrote:
>     > Hi Rob,
>     >
>     > Yes, sssd is running and this is sssd.conf:
>     >
>     > [domain/hq.example.com]
>     > debug_level=9
>     > cache_credentials = True
>     > krb5_store_password_if_offline = True
>     > ipa_domain = hq.example.com
>     > id_provider = ipa
>     > auth_provider = ipa
>     > access_provider = ipa
>     > ipa_hostname = meson.hq.example.com
>     > chpass_provider = ipa
>     > ipa_server = _srv_, ipa.hq.example.com
>     > ldap_tls_cacert = /etc/ipa/ca.crt
>     > [sssd]
>     > services = nss, sudo, pam, ssh
>     > config_file_version = 2
>     >
>     > domains = hq.example.com
>     > [nss]
>     > homedir_substring = /home
>     > debug_level=9
>     >
>     > [pam]
>     >
>     > [sudo]
>     >
>     > [autofs]
>     >
>     > [ssh]
>     >
>     > [pac]
>     >
>     > [ifp]
>
>     Ok, that's good. Maybe authconfig didn't do the right thing. I'd
>     add sss to these values in /etc/nsswitch.conf, grepp'd from mine:
>
>     passwd:     files sss
>     shadow:     files sss
>     group:      files sss
>     services:   files sss
>     netgroup:   files sss
>     automount:  files sss
>     sudoers:    sss
>
>     You've got quite a mix of odd things happening during install. It
>     seems like DNS and firewall can be ruled out given that lots of
>     other operations are working fine, and you've confirmed that NTP
>     works pre-install.
>
>     I guess working on a cleanish system, the things I'd look for on both
>     client and server are the system logs to see if any errors are being
>     thrown to syslog or service-specific logs.
>
>     And I'd check for SELinux errors on the client if you're in
>     enforcing mode.
>
>     rob
>
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
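
The check suggested in the quoted message above, as an added example that is not part of the original thread: a shell function that lists which of the databases from Rob's excerpt lack the `sss` source in a given nsswitch.conf. The function name, the `NSS_DBS` variable and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list the nsswitch.conf databases that
# lack the "sss" source. Database names are the ones quoted in the thread.
NSS_DBS="passwd shadow group services netgroup automount sudoers"

# nss_missing_sss FILE: print (space-separated) every database in NSS_DBS
# that is absent from FILE or whose source list does not include "sss".
nss_missing_sss() {
    awk -v dbs="$NSS_DBS" '
        BEGIN { n = split(dbs, want, " ") }
        {
            sub(/#.*/, "")                      # drop comments
            c = index($0, ":")
            if (c == 0) next                    # not a "database: sources" line
            db = substr($0, 1, c - 1)
            gsub(/[ \t]/, "", db)
            m = split(substr($0, c + 1), src, /[ \t]+/)
            for (i = 1; i <= m; i++)
                if (src[i] == "sss") has[db] = 1
        }
        END {
            out = ""
            for (i = 1; i <= n; i++) {
                if (want[i] in has) continue
                if (out != "") out = out " "
                out = out want[i]
            }
            print out
        }
    ' "$1"
}

# Constructed sample: a file where only some databases were updated.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed example, not taken from the reporter's machine
passwd:     files sss
shadow:     files
group:      files sss
hosts:      files dns
services:   files
netgroup:   files sss   # trailing comment
#sudoers:   sss
EOF
echo "missing sss: $(nss_missing_sss "$sample")"
rm -f "$sample"
```

Running `nss_missing_sss /etc/nsswitch.conf` on the client before and after ipa-client-install shows whether the installer's authconfig step changed the file at all; an empty result means every listed database already has `sss`.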
