Re: [Freeipa-users] ipa-client stall on 'args=getent passwd admin'
brilliant! I checked /var/log/messages and found; Nov 30 10:33:58 chtvm-centos-6 sssd[be[teratext.saic.com.au]]: Starting up Nov 30 10:33:58 chtvm-centos-6 kernel: sssd_be[1516]: segfault at 10 ip 003a12a13eee sp 7fffdb5e3b60 error 4 in libldap-2.4.so.2.5.2[3a12a0+43000] Nov 30 10:33:58 chtvm-centos-6 kernel: abrt-hook-ccpp[1598]: segfault at 0 ip 0039fea800d2 sp 7fff4a1fc5f8 error 4 in libc-2.12.so[39fea0+175000] Nov 30 10:33:58 chtvm-centos-6 kernel: Process 1598(abrt-hook-ccpp) has RLIMIT_CORE set to 1 Nov 30 10:33:58 chtvm-centos-6 kernel: Aborting core I then upgraded openldap to openldap-2.4.23-19.el6.x86_64 and now the ipa-client-install script works perfectly ;) Regards, Craig On Wed, Nov 30, 2011 at 12:39:38PM +0100, Jakub Hrozek wrote: On Tue, Nov 29, 2011 at 09:43:55PM -0500, Rob Crittenden wrote: Craig T wrote: Hi, I tried letting the client install go and it does eventually finish, however SSSD_NSS queries don't work. See errors below; -- [root@chtvm-centos-6 /]# ipa-client-install Discovery was successful! Hostname: chtvm-centos-6.example.com Realm: example.com DNS Domain: example.com IPA Server: chtvm-389.example.com BaseDN: dc=example,dc=com Continue to configure the system with these values? [no]: yes User authorized to enroll computers: admin Password for ad...@example.com: Enrolled in IPA realm example.com Created /etc/ipa/default.conf Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm example.com SSSD enabled Kerberos 5 enabled Unable to find 'admin' user with 'getent passwd admin'! Recognized configuration: SSSD NTP enabled Client configuration complete. - File: /var/log/sssd/sssd_nss.log (Wed Nov 30 10:34:16 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider. (Wed Nov 30 10:34:46 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider. (Wed Nov 30 10:35:16 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider. (Wed Nov 30 10:35:46 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider. - File: /var/log/sssd/sssd_pam.log (Wed Nov 30 10:34:16 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider. (Wed Nov 30 10:34:46 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider. (Wed Nov 30 10:35:16 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider. (Wed Nov 30 10:35:46 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider. - Also the {nss,pam}_dp_reconnect_init functions are only called when the back end crashes and the other processes are reconnecting to a new back end instance. Can you check logs (/var/log/messages should have the info) if there are any messages indicating a crash? ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] ipa-client stall on 'args=getent passwd admin'
I can really see how you came to that conclusion, I'm not sure if I'll get the luxury of choice, due to the servers in our environment. Centos 6.1 could be updated enough, so we might just have to wait for that. cya Craig On Tue, Nov 29, 2011 at 12:23:52PM +0100, Sigbjorn Lie wrote: On Tue, November 29, 2011 01:52, Craig T wrote: Hi, I was getting a lot of errors with the default ipa-client for Centos 6.0, so I've upgraded Centos 6 to use the RHEL6.2 RPMS for IPA (now version 2.1.1). I get a lot further, but seems to stall right at the end of the ipa-client-install command. Current Spec; Server: RHEL 6.2 Beta ipa-admintools-2.1.1-4.el6.x86_64 ipa-client-2.1.1-4.el6.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-python-2.1.1-4.el6.x86_64 ipa-server-2.1.1-4.el6.x86_64 ipa-server-selinux-2.1.1-4.el6.x86_64 Client: Centos 6.0 x64 ipa-client-2.1.1-4.el6.x86_64 Just an odd error during the ipa-client-install command, the installer seems to pause on kerberos; [root@server-centos-6 ~]# ipa-client-install Discovery was successful! Hostname: server-centos-6.example.com Realm: example.com DNS Domain: example.com IPA Server: server-389.example.com BaseDN: dc=example,dc=com Continue to configure the system with these values? [no]: yes User authorized to enroll computers: admin Password for ad...@example.com: Enrolled in IPA realm example.com Created /etc/ipa/default.conf Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm example.com SSSD enabled Kerberos 5 enabled When run in debug mode it shows this; Kerberos 5 enabled root: DEBUGargs=getent passwd admin root: DEBUG stdout= root: DEBUG stderr= root: DEBUGargs=getent passwd admin root: DEBUG stdout= root : DEBUGstderr= root: DEBUGargs=getent passwd admin root: DEBUG stdout= root: DEBUG stderr= root: DEBUGargs=getent passwd admin root: DEBUG stdout= root : DEBUGstderr= Advice anyone? I found CentOS to be too far behind, so I started using Scientific Linux 6.1 with latest packages from RHEL 6.2 beta for clients instead. I found the IPA server was easiest to test using Fedora 15. For production, wait for RHEL 6.2. It's not far away now. :) Regards, Siggi ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] ipa-client stall on 'args=getent passwd admin'
Craig T wrote: I can really see how you came to that conclusion, I'm not sure if I'll get the luxury of choice, due to the servers in our environment. Centos 6.1 could be updated enough, so we might just have to wait for that. I would think the version you have would work fine. What it is doing is testing to be sure that nss is working as expected. It can take some time for sssd to come up, connect to the IPA server, etc, so we loop and try several times (IIRC 5 in your version) to look up a known remote user (admin). If it never does successfully get the admin user you should get an error that nss_ldap can't be configured (yeah, I know, we're using sssd. We fixed this). If you aren't getting this message and the client otherwise seems to be installing ok then things are fine. rob cya Craig On Tue, Nov 29, 2011 at 12:23:52PM +0100, Sigbjorn Lie wrote: On Tue, November 29, 2011 01:52, Craig T wrote: Hi, I was getting a lot of errors with the default ipa-client for Centos 6.0, so I've upgraded Centos 6 to use the RHEL6.2 RPMS for IPA (now version 2.1.1). I get a lot further, but seems to stall right at the end of the ipa-client-install command. Current Spec; Server: RHEL 6.2 Beta ipa-admintools-2.1.1-4.el6.x86_64 ipa-client-2.1.1-4.el6.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-python-2.1.1-4.el6.x86_64 ipa-server-2.1.1-4.el6.x86_64 ipa-server-selinux-2.1.1-4.el6.x86_64 Client: Centos 6.0 x64 ipa-client-2.1.1-4.el6.x86_64 Just an odd error during the ipa-client-install command, the installer seems to pause on kerberos; [root@server-centos-6 ~]# ipa-client-install Discovery was successful! Hostname: server-centos-6.example.com Realm: example.com DNS Domain: example.com IPA Server: server-389.example.com BaseDN: dc=example,dc=com Continue to configure the system with these values? [no]: yes User authorized to enroll computers: admin Password for ad...@example.com: Enrolled in IPA realm example.com Created /etc/ipa/default.conf Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm example.com SSSD enabled Kerberos 5 enabled When run in debug mode it shows this; Kerberos 5 enabled root: DEBUGargs=getent passwd admin root: DEBUGstdout= root: DEBUG stderr= root: DEBUGargs=getent passwd admin root: DEBUG stdout= root : DEBUGstderr= root: DEBUGargs=getent passwd admin root: DEBUGstdout= root: DEBUG stderr= root: DEBUGargs=getent passwd admin root: DEBUG stdout= root : DEBUGstderr= Advice anyone? I found CentOS to be too far behind, so I started using Scientific Linux 6.1 with latest packages from RHEL 6.2 beta for clients instead. I found the IPA server was easiest to test using Fedora 15. For production, wait for RHEL 6.2. It's not far away now. :) Regards, Siggi ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] ipa-client stall on 'args=getent passwd admin'
Hi, I tried letting the client install go and it does eventually finish, however SSSD_NSS queries don't work. See errors below; -- [root@chtvm-centos-6 /]# ipa-client-install Discovery was successful! Hostname: chtvm-centos-6.example.com Realm: example.com DNS Domain: example.com IPA Server: chtvm-389.example.com BaseDN: dc=example,dc=com Continue to configure the system with these values? [no]: yes User authorized to enroll computers: admin Password for ad...@example.com: Enrolled in IPA realm example.com Created /etc/ipa/default.conf Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm example.com SSSD enabled Kerberos 5 enabled Unable to find 'admin' user with 'getent passwd admin'! Recognized configuration: SSSD NTP enabled Client configuration complete. - File: /var/log/sssd/sssd_nss.log (Wed Nov 30 10:34:16 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider. (Wed Nov 30 10:34:46 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider. (Wed Nov 30 10:35:16 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider. (Wed Nov 30 10:35:46 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider. - File: /var/log/sssd/sssd_pam.log (Wed Nov 30 10:34:16 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider. (Wed Nov 30 10:34:46 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider. (Wed Nov 30 10:35:16 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider. (Wed Nov 30 10:35:46 2011) [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to example.com provider. - Debug Version: File: /var/log/sssd/sssd_nss.log (Wed Nov 30 10:47:09 2011) [sssd[nss]] [sbus_dispatch] (6): SBUS is reconnecting. Deferring. (Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_dispatch] (9): dbus conn: 0 (Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_dispatch] (6): SBUS is reconnecting. Deferring. (Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_reconnect] (3): Making reconnection attempt 3 to [unix:path=/var/lib/sss/pipes/ private/sbus-dp_example.com] (Wed Nov 30 10:47:10 2011) [sssd[nss]] [sbus_reconnect] (1): Failed to open connection: name=org.freedesktop.DBus.Error. NoServer, message=Failed to connect to socket /var/lib/sss/pipes/private/sbus-dp_example.com: Connection refused (Wed Nov 30 10:47:10 2011) [sssd[nss]] [nss_dp_reconnect_init] (0): Could not reconnect to example.com provider. - getent passwd admin returns no result at all. Regards, Craig On Tue, Nov 29, 2011 at 10:01:52AM -0500, Rob Crittenden wrote: Craig T wrote: I can really see how you came to that conclusion, I'm not sure if I'll get the luxury of choice, due to the servers in our environment. Centos 6.1 could be updated enough, so we might just have to wait for that. I would think the version you have would work fine. What it is doing is testing to be sure that nss is working as expected. It can take some time for sssd to come up, connect to the IPA server, etc, so we loop and try several times (IIRC 5 in your version) to look up a known remote user (admin). If it never does successfully get the admin user you should get an error that nss_ldap can't be configured (yeah, I know, we're using sssd. We fixed this). If you aren't getting this message and the client otherwise seems to be installing ok then things are fine. rob cya Craig On Tue, Nov 29, 2011 at 12:23:52PM +0100, Sigbjorn Lie wrote: On Tue, November 29, 2011 01:52, Craig T wrote: Hi, I was getting a lot of errors with the default ipa-client for Centos 6.0, so I've upgraded Centos 6 to use the RHEL6.2 RPMS for IPA (now version 2.1.1). I get a lot further, but seems to stall right at the end of the ipa-client-install command. Current Spec; Server: RHEL 6.2 Beta ipa-admintools-2.1.1-4.el6.x86_64 ipa-client-2.1.1-4.el6.x86_64 ipa-pki-ca-theme-9.0.3-7.el6.noarch ipa-pki-common-theme-9.0.3-7.el6.noarch ipa-python-2.1.1-4.el6.x86_64 ipa-server-2.1.1-4.el6.x86_64 ipa-server-selinux-2.1.1-4.el6.x86_64 Client: Centos 6.0 x64 ipa-client-2.1.1-4.el6.x86_64 Just an odd error during the ipa-client-install command, the installer seems to pause on kerberos; [root@server-centos-6 ~]# ipa-client-install