<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 11/07/2013 06:20 PM, Dean Hunter wrote:
<blockquote cite="mid:1383866409.2467.6.camel@host.hunter.org"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="GENERATOR" content="GtkHTML/4.6.6">
On Thu, 2013-11-07 at 17:41 -0500, Dmitri Pal wrote:<br>
<blockquote type="CITE"> On 11/07/2013 12:59 PM, Dean Hunter
wrote: <br>
<blockquote type="CITE"> On Thu, 2013-11-07 at 12:36 -0500,
Dmitri Pal wrote:<br>
<blockquote type="CITE"> On 11/07/2013 12:21 PM, Dean Hunter
wrote: <br>
<blockquote type="CITE"> On Thu, 2013-11-07 at 09:44 +0200,
Alexander Bokovoy wrote:
<blockquote type="CITE">
<pre>On Wed, 06 Nov 2013, Dean Hunter wrote:
<font color="#737373">>After building a new VM and configuring the IPA 3.3.2 client, Gnome</font>
<font color="#737373">>seems to only perform a local log-in until the system is rebooted. SSH</font>
<font color="#737373">>works with IPA, but not Gnome. Is this correct? Is there anything less</font>
<font color="#737373">>disruptive than a reboot that I can do?</font>
</pre>
</blockquote>
<br>
<blockquote type="CITE">
<pre>Restart gdm.service?
I'm not sure how gdm handles PAM auth.
</pre>
</blockquote>
<br>
I have tried:<br>
<blockquote> <tt>ipa-client-install ...</tt><br>
<tt>systemctl restart gdm.service</tt><br>
</blockquote>
but the behavior remains the same. The Gnome log in screen
accepts the user name, pauses about 25 seconds, then
displays the log in screen again without any messages or
indication of a problem. This is the same behavior I see
when entering an incorrect local user name before
configuring IPA.<br>
<br>
<br>
<br>
<pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a>
</pre>
</blockquote>
Can it be a DIR cache issue and the fact that the directory
can't is not created at proper time?<br>
</blockquote>
<br>
Which directory, please?<br>
</blockquote>
<br>
If you are hitting the DIR cache issue (which I am not sure is
the case this is why I asked about AVCs) then the directory we
are talking about is /var/run/usr/<uid> <br>
This directory should be created by kerberos library when it
tries to authenticate a user. But it might not be able to since
a parent directory /var/run/usr might not be created yet. This
is one of the reasons why we decided not to continue the path of
DIR cache but switched to using Kernel based ccache.<br>
<br>
<br>
<blockquote type="CITE"> <br>
<blockquote type="CITE"> Do you see any AVCs?<br>
</blockquote>
</blockquote>
<br>
Question still stands.<br>
</blockquote>
<br>
I see no AVCs:<br>
<blockquote> <tt><font size="2">[<a moz-do-not-send="true"
href="mailto:root@ipa">root@ipa</a> ~]# ausearch --message
AVC</font></tt><br>
<tt><font size="2"><no matches></font></tt><br>
<tt><font size="2">[<a moz-do-not-send="true"
href="mailto:root@ipa">root@ipa</a> ~]# </font></tt><br>
<br>
</blockquote>
I did find this in the man page for nsswitch.conf:<br>
<blockquote> <tt><font size="2">FILES</font></tt><br>
<tt><font size="2"> A service named SERVICE is implemented
by a shared object library named</font></tt><br>
<tt><font size="2"> libnss_SERVICE.so.X that resides in
/lib.</font></tt><br>
<br>
<tt><font size="2"> /etc/nsswitch.conf NSS
configuration file.</font></tt><br>
<tt><font size="2"> /lib/libnss_compat.so.X
implements "compat" source.</font></tt><br>
<tt><font size="2"> /lib/libnss_db.so.X
implements "db" source.</font></tt><br>
<tt><font size="2"> /lib/libnss_dns.so.X
implements "dns" source.</font></tt><br>
<tt><font size="2"> /lib/libnss_files.so.X
implements "files" source.</font></tt><br>
<tt><font size="2"> /lib/libnss_hesiod.so.X
implements "hesiod" source.</font></tt><br>
<tt><font size="2"> /lib/libnss_nis.so.X
implements "nis" source.</font></tt><br>
<tt><font size="2"> /lib/libnss_nisplus.so.X
implements "nisplus" source.</font></tt><br>
<br>
<tt><font size="2">NOTES</font></tt><br>
<tt><font size="2"> Within each process that uses
nsswitch.conf, the entire file is read</font></tt><br>
<tt><font size="2"> only once. If the file is later
changed, the process will continue</font></tt><br>
<tt><font size="2"> using the old configuration.</font></tt><br>
</blockquote>
<br>
Is this why the default configuration of nsswitch.conf is changing
in Fedora 20, as noted on of the preceeding e-mails?<br>
<br>
</blockquote>
<br>
<br>
Yes I think SSS is now included by default. But if man page does not
list it it is probably a bug in the man page.<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
</body>
</html>