<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 03/22/2015 11:24 AM, Roberto
      Cornacchia wrote:<br>
    </div>
    <blockquote
cite="mid:CAFGv-=db7pS_-sWoELoGgA3Oy_Ahum-aoQvZrZ1ce7V9WrzTGA@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>Thanks Rob.</div>
        <div><br>
        </div>
        <div>Knowing that <span style="font-size:12.8000001907349px">/etc/nsswitch.conf
            is created wrongly is a step forward, although we don't know
            why that happens yet. </span></div>
        <div><span style="font-size:12.8000001907349px">I'm not very
            keen on fixing it post-installation (except if this is just
            to learn more about the issue)</span><span
            style="font-size:12.8000001907349px">, even if this seems to
            solve problems. I'm not going to deploy FreeIPA for real
            before I can at least successfully run a plain installation.</span></div>
        <div><span style="font-size:12.8000001907349px"><br>
          </span></div>
        <div>It seems SELinux can be ruled out as well.</div>
        <div>I switched to permissive mode and tried again, no
          difference.</div>
        <div><br>
        </div>
        <div>And so far I haven't been able to find anything useful in
          the logs.</div>
        <div><br>
        </div>
        <div><span style="font-size:12.8000001907349px">What strikes me
            is that these are really plain and up-to-date FC21
            machines, and my deployment was as from the book. The last
            of the settings you'd expect issues from. </span></div>
        <div><span style="font-size:12.8000001907349px"><br>
          </span></div>
        <div><span style="font-size:12.8000001907349px">Can anyone (user
            or developer) confirm successful deployment of both server
            and client on up-to-date </span><span
            style="font-size:12.8000001907349px">(updated this week) </span><span
            style="font-size:12.8000001907349px">FC21 systems? I know
            it's maybe a bit far-fetched, but could any of the latest FC
            updates have created the issue?</span></div>
      </div>
    </blockquote>
    <br>
    Maybe.<br>
    To configure nsswitch we call authconfig, so maybe there is something
    weird with it. Can you check?<br>
    <br>
    <blockquote
cite="mid:CAFGv-=db7pS_-sWoELoGgA3Oy_Ahum-aoQvZrZ1ce7V9WrzTGA@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div><span style="font-size:12.8000001907349px"><br>
          </span></div>
        <div><span style="font-size:12.8000001907349px">Roberto</span></div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On 21 March 2015 at 17:26, Rob
          Crittenden <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex"><span
              class="">Roberto Cornacchia wrote:<br>
              > Hi Rob,<br>
              ><br>
              > Yes, sssd is running and this is sssd.conf:<br>
              ><br>
            </span>> [domain/<a moz-do-not-send="true"
              href="http://hq.example.com" target="_blank">hq.example.com</a>]<br>
            <span class="">> debug_level=9<br>
              > cache_credentials = True<br>
              > krb5_store_password_if_offline = True<br>
            </span>> ipa_domain = <a moz-do-not-send="true"
              href="http://hq.example.com" target="_blank">hq.example.com</a><br>
            <span class="">> id_provider = ipa<br>
              > auth_provider = ipa<br>
              > access_provider = ipa<br>
              > ipa_hostname = <a moz-do-not-send="true"
                href="http://meson.hq.example.com" target="_blank">meson.hq.example.com</a><br>
              > chpass_provider = ipa<br>
              > ipa_server = _srv_, <a moz-do-not-send="true"
                href="http://ipa.hq.example.com" target="_blank">ipa.hq.example.com</a><br>
              > ldap_tls_cacert = /etc/ipa/ca.crt<br>
              > [sssd]<br>
              > services = nss, sudo, pam, ssh<br>
              > config_file_version = 2<br>
              ><br>
              > domains = <a moz-do-not-send="true"
                href="http://hq.example.com" target="_blank">hq.example.com</a><br>
              > [nss]<br>
              > homedir_substring = /home<br>
              > debug_level=9<br>
              ><br>
              > [pam]<br>
              ><br>
              > [sudo]<br>
              ><br>
              > [autofs]<br>
              ><br>
              > [ssh]<br>
              ><br>
              > [pac]<br>
              ><br>
              > [ifp]<br>
              <br>
            </span>Ok, that's good. Maybe authconfig didn't do the right
            thing. I'd add sss<br>
            to these values in /etc/nsswitch.conf, grepped from mine:<br>
            <br>
            passwd:     files sss<br>
            shadow:     files sss<br>
            group:      files sss<br>
            services:   files sss<br>
            netgroup:   files sss<br>
            automount:  files sss<br>
            sudoers:    sss<br>
            <br>
            You've got quite a mix of odd things happening during
            install. It seems<br>
            like DNS and firewall can be ruled out given that lots of
            other<br>
            operations are working fine, and you've confirmed that NTP
            works<br>
            pre-install.<br>
            <br>
            I guess working on a cleanish system, the things I'd look
            for on both<br>
            client and server are the system logs to see if any errors
            are being<br>
            thrown to syslog or service-specific logs.<br>
            <br>
            And I'd check for SELinux errors on the client if you're in
            enforcing mode.<br>
            <span class="HOEnZb"><font color="#888888"><br>
                rob<br>
              </font></span></blockquote>
        </div>
        <br>
      </div>
      <br>
      <br>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
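    <br>
    An added example, not part of the original messages and not FreeIPA's own code: a shell check that reports which of the databases listed in the quoted advice have no sss source in an nsswitch.conf file, which is a quick way to see whether authconfig wrote the file as expected after ipa-client-install. The function names, the use of awk and the sample file contents are assumptions made for illustration.<br>

```shell
#!/bin/sh
# Added example: list the nsswitch.conf databases that lack the "sss" source.
# The database list is the one quoted in the thread.
EXPECTED_DBS="passwd shadow group services netgroup automount sudoers"

# missing_sss [FILE]  ("-" reads stdin, default /etc/nsswitch.conf)
# Prints, space separated, every expected database that has no entry at all
# or whose entry does not name "sss". Prints an empty line if all are fine.
missing_sss() {
    awk -v want="$EXPECTED_DBS" '
        { sub(/#.*/, "") }                      # drop comments first
        {
            c = index($0, ":")
            if (c == 0) next                    # not a "database: sources" line
            db = substr($0, 1, c - 1)
            gsub(/[ \t]/, "", db)
            n = split(substr($0, c + 1), src, /[ \t]+/)
            for (i = n; i > 0; i--)
                if (src[i] == "sss") has[db] = 1
        }
        END {
            m = split(want, dbs, " ")
            out = ""
            for (i = 1; i != m + 1; i++)
                if (!(dbs[i] in has))
                    out = out (out == "" ? "" : " ") dbs[i]
            print out
        }' "${1:-/etc/nsswitch.conf}"
}

# Constructed sample of a partly configured file (not taken from the thread).
sample_conf() {
    printf '%s\n' \
        '# constructed sample nsswitch.conf' \
        'passwd:     files sss' \
        'shadow:     files' \
        'group:      files sss' \
        'services:   files' \
        'netgroup:   nisplus   # sss is only mentioned in this comment' \
        'automount:  files sss'
}

missing=$(sample_conf | missing_sss -)
echo "sample lacks sss for: ${missing:-nothing}"
```

Run without arguments on a client, the function reads /etc/nsswitch.conf; empty output means every listed database already has sss.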
  </body>
</html>