[Freeipa-users] IPA users not visible in NIS passwd map

Prasun Gera prasun.gera at gmail.com
Wed Jan 13 20:53:26 UTC 2016


I think I've solved this. I don't know what or who enabled it, but for some
reason the original NIS service (ypserv) was running on the server. That
was taking precedence over ipa's fake NIS, and causing problems. I have now
deleted the maps and commented them out in the Makefile so that it doesn't
get enabled accidentally again.

I do see another problem though. In an attempt to clean up a lot of old
users, I have disabled them in the webui. This works for ipa clients and
access is denied, but the users can still log in on the old NIS clients. Is
this a known limitation?

On Mon, Jan 11, 2016 at 9:21 PM, Prasun Gera <prasun.gera at gmail.com> wrote:

> This is the output of the command:
>
> ldapsearch  -LLL -H $(cat /etc/ipa/default.conf | grep ldap_uri|cut -d= -f2) -b cn=config '(nis-domain=*)' dn CreateTimestamp ModifyTimestamp
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> dn: nis-domain=domain.edu+nis-map=auto.home,cn=NIS Server,cn=plugins,cn=config
> CreateTimestamp: 20150321091139Z
> ModifyTimestamp: 20150321091139Z
>
> dn: nis-domain=domain.edu+nis-map=auto.local,cn=NIS Server,cn=plugins,cn=config
> CreateTimestamp: 20150321091209Z
> ModifyTimestamp: 20150321091209Z
>
> dn: nis-domain=domain.edu+nis-map=auto.master,cn=NIS Server,cn=plugins,cn=config
> CreateTimestamp: 20150321091201Z
> ModifyTimestamp: 20150321091201Z
>
> dn: nis-domain=domain.edu+nis-map=ethers.byaddr,cn=NIS Server,cn=plugins,cn=config
> CreateTimestamp: 20150320220124Z
> ModifyTimestamp: 20150320220124Z
>
> dn: nis-domain=domain.edu+nis-map=ethers.byname,cn=NIS Server,cn=plugins,cn=config
> CreateTimestamp: 20150320220124Z
> ModifyTimestamp: 20150320220124Z
>
> dn: nis-domain=domain.edu+nis-map=group.bygid,cn=NIS Server,cn=plugins,cn=config
> CreateTimestamp: 20150320220124Z
> ModifyTimestamp: 20150320220124Z
>
> dn: nis-domain=domain.edu+nis-map=group.byname,cn=NIS Server,cn=plugins,cn=config
> CreateTimestamp: 20150320220124Z
> ModifyTimestamp: 20150320220124Z
>
> dn: nis-domain=domain.edu+nis-map=netgroup,cn=NIS Server,cn=plugins,cn=config
> CreateTimestamp: 20150320220124Z
> ModifyTimestamp: 20150320220124Z
>
> dn: nis-domain=domain.edu+nis-map=netid.byname,cn=NIS Server,cn=plugins,cn=config
> CreateTimestamp: 20150320220124Z
> ModifyTimestamp: 20150320220124Z
>
> dn: nis-domain=domain.edu+nis-map=passwd.byname,cn=NIS Server,cn=plugins,cn=config
> CreateTimestamp: 20150320220124Z
> ModifyTimestamp: 20150320220124Z
>
> dn: nis-domain=domain.edu+nis-map=passwd.byuid,cn=NIS Server,cn=plugins,cn=config
> CreateTimestamp: 20150320220124Z
> ModifyTimestamp: 20150320220124Z
>
>
> All the maps are listed from what I can tell. passwd is the one that is
> not working as expected. Autofs maps are working all right on nis clients.
>
> On Mon, Jan 11, 2016 at 4:21 PM, Alexander Bokovoy <abokovoy at redhat.com>
> wrote:
>
>> On Mon, 11 Jan 2016, Prasun Gera wrote:
>>
>>> I upgraded ipa to 4.2 on my rhel 7.2 servers a few weeks ago. One of the
>>> users reported that he is not able to log in to certain systems any more.
>>> It turns out that there is some change in behaviour w.r.t NIS clients after
>>> this upgrade. I see that his username is not visible in "ypcat passwd" on
>>> the old clients that are using NIS. This user was added natively through
>>> ipa. The old users that were migrated from NIS still work as expected on
>>> the NIS clients. I can also confirm that if I add a new user now in ipa, it
>>> is not visible in NIS maps. Until we phase out the NIS clients completely,
>>> I would like all users to be able to log into them. This used to be the
>>> case, but a recent update seems to have changed that. I don't know if this
>>> is intentional. How do I revert to the old behaviour?
>>>
>> Do you see all the maps configured?
>>
>> # ldapsearch  -LLL -H $(cat /etc/ipa/default.conf | grep ldap_uri|cut -d= -f2) -b cn=config '(nis-domain=*)' dn CreateTimestamp ModifyTimestamp
>>
>> We have a bug in the upgrade script that was fixed this morning
>> https://www.redhat.com/archives/freeipa-devel/2016-January/msg00154.html
>>
>> --
>> / Alexander Bokovoy
>>
>
>
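
The map check from this thread as an added example (not part of the original posts and not FreeIPA's own tooling): it unfolds the LDIF that ldapsearch prints, extracts the `nis-map` names, and reports any expected map that is absent. The function names, the sample LDIF and the domain `example.test` are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which NIS maps the "NIS Server" plugin entries define.

# Read LDIF on stdin, unfold it (a line starting with one space continues
# the previous line), and print each dn's nis-map value, sorted and unique.
nis_maps() {
    awk '
        /^ / { buf = buf substr($0, 2); next }    # folded continuation line
             { if (buf != "") print buf; buf = $0 }
        END  { if (buf != "") print buf }
    ' | sed -n 's/^dn: .*nis-map=\([^,+]*\).*/\1/p' | sort -u
}

# Read LDIF on stdin; print every map name given as an argument that has
# no matching entry in the LDIF.
missing_maps() {
    have=$(nis_maps)
    for m in "$@"; do
        printf '%s\n' "$have" | grep -qxF -- "$m" || printf '%s\n' "$m"
    done
    return 0
}

# Constructed sample input. The third dn is folded inside the map name,
# so a plain grep on the raw output would see "passwd.by", not the full name.
sample_ldif() {
    cat <<'EOF'
dn: nis-domain=example.test+nis-map=auto.master,cn=NIS Server,cn=plugins,cn=conf
 ig
CreateTimestamp: 20150321091201Z

dn: nis-domain=example.test+nis-map=group.byname,cn=NIS Server,cn=plugins,cn=con
 fig
CreateTimestamp: 20150320220124Z

dn: nis-domain=a-long-constructed-nis-domain.example.test+nis-map=passwd.by
 name,cn=NIS Server,cn=plugins,cn=config
CreateTimestamp: 20150320220124Z
EOF
}

# On an IPA server, pipe the ldapsearch command from the thread into
# missing_maps instead of sample_ldif.
sample_ldif | missing_maps passwd.byname passwd.byuid group.byname
```

An empty result only shows that the plugin entries exist; as the thread found, a separate ypserv on the same host can still be the one answering NIS clients.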