On 03/22/2015 11:24 AM, Roberto Cornacchia wrote:
Thanks Rob.
Knowing that /etc/nsswitch.conf is created wrongly is a step forward,
although we don't know why that happens yet.
I'm not very keen on fixing it post-installation (except if this is
just to learn more about the issue), even if this seems to solve
problems. I'm not going to deploy freeIPA for real before I can at
least run successfully a plain installation.
It seems SELinux can be ruled out as well.
I switched to permissive mode and tried again, no difference.
And so far I haven't been able to find anything useful in the logs.
What strikes me is that these are really plain and up-to-date FC21
machines, and my deployment was as from the book. The last of the
settings you'd expect issues from.
Can anyone (user or developer) confirm successful deployment of both
server and client on up-to-date (updated this week) FC21 systems? I
know it's maybe a bit far-fetched, but could any of the latest FC
updates have created the issue?
Maybe.
To config nsswitch we call authconfig, so maybe there is something weird
with it, can you check?
Roberto
On 21 March 2015 at 17:26, Rob Crittenden <[email protected]> wrote:
Roberto Cornacchia wrote:
> Hi Rob,
>
> Yes, sssd is running and this is sssd.conf:
>
> [domain/hq.example.com]
> debug_level=9
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = hq.example.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = meson.hq.example.com
> chpass_provider = ipa
> ipa_server = _srv_, ipa.hq.example.com
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
> domains = hq.example.com
> [nss]
> homedir_substring = /home
> debug_level=9
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
Ok, that's good. Maybe authconfig didn't do the right thing. I'd add sss
to these values in /etc/nsswitch.conf, grepp'd from mine:
passwd: files sss
shadow: files sss
group: files sss
services: files sss
netgroup: files sss
automount: files sss
sudoers: sss
You've got quite a mix of odd things happening during install. It seems
like DNS and firewall can be ruled out given that lots of other
operations are working fine, and you've confirmed that NTP works
pre-install.
I guess working on a cleanish system, the things I'd look for on both
client and server are the system logs to see if any errors are being
thrown to syslog or service-specific logs.
And I'd check for SELinux errors on the client if you're in
enforcing mode.
rob
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
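
The check discussed in this thread (does /etc/nsswitch.conf list sss for the databases Rob quotes from his own file?) can be scripted. The following is an added example, not part of the original messages or of FreeIPA; the function name missing_sss and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which nsswitch databases do not list "sss".
# The database list is the one quoted in the thread.
EXPECTED_DBS="passwd shadow group services netgroup automount sudoers"

# missing_sss FILE
# Prints, space-separated, every expected database whose entry is absent
# from FILE or does not name "sss" as a source. Prints an empty line if
# all expected databases use sss.
missing_sss() {
    awk -v want="$EXPECTED_DBS" '
        { sub(/#.*/, "") }                      # drop full-line and inline comments
        /^[ \t]*[A-Za-z_]+[ \t]*:/ {
            split($0, kv, ":")
            db = kv[1]; gsub(/[ \t]/, "", db)   # database name without padding
            n = split(kv[2], src, /[ \t]+/)     # sources and [STATUS=action] tokens
            for (i = 1; i <= n; i++)
                if (src[i] == "sss") has[db] = 1
        }
        END {
            n = split(want, dbs, " ")
            out = ""
            for (i = 1; i <= n; i++)
                if (!(dbs[i] in has))
                    out = out (out ? " " : "") dbs[i]
            print out
        }' "$1"
}

# Constructed sample of a partially configured file (not taken from the thread).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample nsswitch.conf
passwd:     files sss
shadow:     files
group:      files sss   # inline comment
#services:  files sss   (commented out, must not count)
services:   files
netgroup:   files sss
automount:  files
hosts:      files dns
EOF

echo "databases missing sss: $(missing_sss "$sample")"
rm -f "$sample"
```

On a client, run `missing_sss /etc/nsswitch.conf` after ipa-client-install; any database it prints is one where lookups will not reach sssd.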