[Freeipa-users] cannot find name for user ID
An interesting problem has popped up and I am not sure where the issue
lies. Users logging in are presented with "cannot find name for user ID"
etc. etc. for all groups they are a member of

id returns nothing but the numbers, and a getent passwd
returns nothing, when running as the user.

However, as root a getent passwd works.

I am taking a look through logs and haven't found much so far, another
user experienced a similar issue and a ipa-client-install --uninstall
and reinstall (this is starting to feel like windows :) did the trick
for them, however it has not solved the issue for me.

I have also cleared the sssd cache, and given that process a kick to no
avail.

Firewall rules have not changed, and I assume the ipa-client-install
process would have failed if a firewall issue was present.

After increasing sssd logging levels I see a lot of requests for the
user in the sssd logs, but no returns, not that I know if the logging is
supposed to log the return.

This is on a RHEL 5.8 client:
ipa-client-2.1.3-2.el5_8
sssd-1.5.1-49.el5_8.1

Connecting to a RHEL 6.3 IPA server.

Any ideas?

-Erinn

signature.asc
Description: OpenPGP digital signature
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] cannot find name for user ID
On Wed, Aug 08, 2012 at 10:45:47AM -0800, Erinn Looney-Triggs wrote:
> An interesting problem has popped up and I am not sure where the issue
> lies. Users logging in are presented with "cannot find name for user ID"
> etc. etc. for all groups they are a member of
>
> id returns nothing but the numbers, and a getent passwd
> returns nothing, when running as the user.
>
> However, as root a getent passwd works.
>
> I am taking a look through logs and haven't found much so far, another
> user experienced a similar issue and a ipa-client-install --uninstall
> and reinstall (this is starting to feel like windows :) did the trick
> for them, however it has not solved the issue for me.
>
> I have also cleared the sssd cache, and given that process a kick to no
> avail.
>
> Firewall rules have not changed, and I assume the ipa-client-install
> process would have failed if a firewall issue was present.
>
> After increasing sssd logging levels I see a lot of requests for the
> user in the sssd logs, but no returns, not that I know if the logging is
> supposed to log the return.
>
> This is on a RHEL 5.8 client:
> ipa-client-2.1.3-2.el5_8
> sssd-1.5.1-49.el5_8.1
>
> Connecting to a RHEL 6.3 IPA server.
>
> Any ideas?
>
> -Erinn
>

Hi Erinn,

The requests for the user you saw were only in the sssd_nss log or did
they make it to the sssd_$domain.log as well? Can you paste sanitized
contents of both, please?

I can't think of a reason to make lookups work only as root, that's
really strange. Can you check for AVC denials? Can you also check the
permissions on /var/lib/sss/pipes/nss ? It should be 0666.
Re: [Freeipa-users] cannot find name for user ID
On 08/08/2012 01:11 PM, Jakub Hrozek wrote:
> On Wed, Aug 08, 2012 at 10:45:47AM -0800, Erinn Looney-Triggs wrote:
>> An interesting problem has popped up and I am not sure where the issue
>> lies. Users logging in are presented with "cannot find name for user ID"
>> etc. etc. for all groups they are a member of
>>
>> id returns nothing but the numbers, and a getent passwd
>> returns nothing, when running as the user.
>>
>> However, as root a getent passwd works.
>>
>> I am taking a look through logs and haven't found much so far, another
>> user experienced a similar issue and a ipa-client-install --uninstall
>> and reinstall (this is starting to feel like windows :) did the trick
>> for them, however it has not solved the issue for me.
>>
>> I have also cleared the sssd cache, and given that process a kick to no
>> avail.
>>
>> Firewall rules have not changed, and I assume the ipa-client-install
>> process would have failed if a firewall issue was present.
>>
>> After increasing sssd logging levels I see a lot of requests for the
>> user in the sssd logs, but no returns, not that I know if the logging is
>> supposed to log the return.
>>
>> This is on a RHEL 5.8 client:
>> ipa-client-2.1.3-2.el5_8
>> sssd-1.5.1-49.el5_8.1
>>
>> Connecting to a RHEL 6.3 IPA server.
>>
>> Any ideas?
>>
>> -Erinn
>>
>
> Hi Erinn,
>
> The requests for the user you saw were only in the sssd_nss log or did
> they make it to the sssd_$domain.log as well? Can you paste sanitized
> contents of both, please?
>
> I can't think of a reason to make lookups work only as root, that's
> really strange. Can you check for AVC denials? Can you also check the
> permissions on /var/lib/sss/pipes/nss ? It should be 0666.
>

Yes it is very odd.

I have had a rash of systems with SELinux labelling issues, so I ran a
restorecon on the file system to no avail, as well I set SELinux to
permissive mode, again no help there.

Permissions appear correct:
srw-rw-rw- 1 root root 0 Aug  8 18:35 nss
srw-rw-rw- 1 root root 0 Aug  8 18:35 pam

Is there a simple way to sanitize these log files?

-Erinn
Re: [Freeipa-users] cannot find name for user ID
Ok I figured out what was happening, or at least a portion of it, it
looks like the sudo package update that was pushed out from red hat to
rhel5 x86_64 systems (at least) modified the permissions of the
/etc/nsswitch.conf to 600, thus blocking everyone but root from reading
it and causing this weird issue where root could pull user info but no
one else.

At this point I only assume it was the sudo package as that is the
package that was updated on 10 or so RHEL 5 hosts at the exact same time
as the nsswitch file was updated and the permissions changed.

I have to go dig through the rpm scripts to see what could cause this,
then work with support to get it fixed overall.

Thanks for the help, this was a really odd problem.

-Erinn
Re: [Freeipa-users] cannot find name for user ID
Yeah I can confirm this for certain now, take a look below:

erinn@numbersix ~ $ ls -l /etc/nsswitch.conf
-rw-r--r-- 1 root root 1726 Dec 27  2011 /etc/nsswitch.conf
erinn@numbersix ~ $ sudo yum -y update sudo

Loaded plugins: rhnplugin, security
Skipping security plugin, no data
Setting up Update Process
Resolving Dependencies
Skipping security plugin, no data
--> Running transaction check
---> Package sudo.x86_64 0:1.7.2p1-14.el5_8.2 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

 Package    Arch      Version               Repository              Size
Updating:
 sudo       x86_64    1.7.2p1-14.el5_8.2    rhel-x86_64-server-5    359 k

Transaction Summary
Install       0 Package(s)
Upgrade       1 Package(s)

Total size: 359 k
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating       : sudo      1/2
  Cleanup        : sudo      2/2

Updated:
  sudo.x86_64 0:1.7.2p1-14.el5_8.2

Complete!
erinn@numbersix ~ $ ls -l /etc/nsswitch.conf
-rw------- 1 root root 1727 Aug  9 08:43 /etc/nsswitch.conf

So it appears the latest sudo update is causing this issue, I am
uncertain whether this is intentional or not at this point (probably
not), but it is the cause, and it sure does make things messy for IPA. I
have filed a support case.

-Erinn
Re: [Freeipa-users] cannot find name for user ID
On Thu, Aug 09, 2012 at 12:52:47AM -0800, Erinn Looney-Triggs wrote:
> On 08/08/2012 01:11 PM, Jakub Hrozek wrote:
> > On Wed, Aug 08, 2012 at 10:45:47AM -0800, Erinn Looney-Triggs wrote:
> >> An interesting problem has popped up and I am not sure where the issue
> >> lies. Users logging in are presented with "cannot find name for user ID"
> >> etc. etc. for all groups they are a member of
> >>
> >> id returns nothing but the numbers, and a getent passwd
> >> returns nothing, when running as the user.
> >>
> >> However, as root a getent passwd works.
> >>
> >> I am taking a look through logs and haven't found much so far, another
> >> user experienced a similar issue and a ipa-client-install --uninstall
> >> and reinstall (this is starting to feel like windows :) did the trick
> >> for them, however it has not solved the issue for me.
> >>
> >> I have also cleared the sssd cache, and given that process a kick to no
> >> avail.
> >>
> >> Firewall rules have not changed, and I assume the ipa-client-install
> >> process would have failed if a firewall issue was present.
> >>
> >> After increasing sssd logging levels I see a lot of requests for the
> >> user in the sssd logs, but no returns, not that I know if the logging is
> >> supposed to log the return.
> >>
> >> This is on a RHEL 5.8 client:
> >> ipa-client-2.1.3-2.el5_8
> >> sssd-1.5.1-49.el5_8.1
> >>
> >> Connecting to a RHEL 6.3 IPA server.
> >>
> >> Any ideas?
> >>
> >> -Erinn
> >>
> >
> > Hi Erinn,
> >
> > The requests for the user you saw were only in the sssd_nss log or did
> > they make it to the sssd_$domain.log as well? Can you paste sanitized
> > contents of both, please?
> >
> > I can't think of a reason to make lookups work only as root, that's
> > really strange. Can you check for AVC denials? Can you also check the
> > permissions on /var/lib/sss/pipes/nss ? It should be 0666.
> >
>
> Yeah I can confirm this for certain now, take a look below:
>
> erinn@numbersix ~ $ ls -l /etc/nsswitch.conf
> -rw-r--r-- 1 root root 1726 Dec 27  2011 /etc/nsswitch.conf
> erinn@numbersix ~ $ sudo yum -y update sudo
>
> Loaded plugins: rhnplugin, security
> Skipping security plugin, no data
> Setting up Update Process
> Resolving Dependencies
> Skipping security plugin, no data
> --> Running transaction check
> ---> Package sudo.x86_64 0:1.7.2p1-14.el5_8.2 set to be updated
> --> Finished Dependency Resolution
>
> Dependencies Resolved
>
>  Package    Arch      Version               Repository              Size
> Updating:
>  sudo       x86_64    1.7.2p1-14.el5_8.2    rhel-x86_64-server-5    359 k
>
> Transaction Summary
> Install       0 Package(s)
> Upgrade       1 Package(s)
>
> Total size: 359 k
> Downloading Packages:
> Running rpm_check_debug
> Running Transaction Test
> Finished Transaction Test
> Transaction Test Succeeded
> Running Transaction
>   Updating       : sudo      1/2
>   Cleanup        : sudo      2/2
>
> Updated:
>   sudo.x86_64 0:1.7.2p1-14.el5_8.2
>
> Complete!
> erinn@numbersix ~ $ ls -l /etc/nsswitch.conf
> -rw------- 1 root root 1727 Aug  9 08:43 /etc/nsswitch.conf
>
> So it appears the latest sudo update is causing this issue, I am
> uncertain whether this is intentional or not at this point (probably
> not), but it is the cause, and it sure does make things messy for IPA. I
> have filed a support case.
>
> -Erinn
>

You were a victim of https://bugzilla.redhat.com/show_bug.cgi?id=846631
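
Added example, not part of the thread and not code from FreeIPA or SSSD: a shell check for the two permission conditions discussed above, /etc/nsswitch.conf readable by non-root users and the SSSD NSS pipe at 0666. The function names are hypothetical and GNU stat (as shipped on RHEL) is assumed.

```shell
#!/bin/sh
# Added example: flag NSS-related files that non-root users cannot use,
# the condition that made lookups work only as root in this thread.
# Function names are hypothetical; requires GNU stat.

# other_bits PATH -> prints the "other" permission digit (0-7) of PATH.
other_bits() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    # The last octal digit holds the permissions for "other".
    printf '%s\n' "${mode#"${mode%?}"}"
}

# check_other PATH NEED -> 0 if the "other" bits include NEED
# (4 = read, 6 = read+write), 1 if they do not, 2 if PATH is missing.
check_other() {
    bits=$(other_bits "$1") || { echo "MISSING $1"; return 2; }
    if [ $(( bits & $2 )) -eq "$2" ]; then
        echo "OK      $1 (other=$bits)"
    else
        echo "BLOCKED $1 (other=$bits, need $2)"
        return 1
    fi
}

# audit_nss [NSSWITCH] [PIPE] -> 0 only if both checks pass.
# Defaults are the paths named in the thread.
audit_nss() {
    rc=0
    # nsswitch.conf must be world-readable (0644), or glibc in a non-root
    # process cannot learn that passwd/group lookups should go to sss.
    check_other "${1:-/etc/nsswitch.conf}" 4 || rc=1
    # The SSSD NSS responder socket must be world read/write (0666).
    check_other "${2:-/var/lib/sss/pipes/nss}" 6 || rc=1
    return $rc
}
```

Running audit_nss with no arguments on a client after a package update reports a 0600 nsswitch.conf as BLOCKED; rpm -V on the package that owns the file shows the mode change as well.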