On to, 18 helmi 2021, Braden McGrath via FreeIPA-users wrote:
Alexander, I truly appreciate your help once again. :-)
Check your /etc/nsswitch.conf, does it have 'sss' in 'passwd' and
'group' entries?
It does not... you're definitely onto something.
I think Debian/Ubuntu platform code does not modify /etc/nsswitch.conf
and expects that 'sss' is present. If I'd do 'apt-get install sssd'
on
Ubuntu 20.04, then an install script from one of installed packages
modifies /etc/nsswitch.conf to include 'sss', this can be seen here:
https://salsa.debian.org/sssd-team/sssd/-/blob/master/debian/libnss-sss.p...
Setting up libnss-sss:amd64 (2.2.3-3ubuntu0.3) ...
First installation detected...
Checking NSS setup...
Adding an entry for automount.
I'd guess your cloud image is incomplete and may be it didn't really
run the post install scripts for many packages, not just libnss-sss.
May be 'dpkg-reconfigure libnss-sss' would help?
'dpkg-reconfigure libnss-sss' doesn't seem to do anything, it isn't
even adding 'sss' to nsswitch.conf.
Do you have it (libnss-sss) installed? If you do, maybe running
/var/lib/dpkg/info/libnss-sss\:amd64.postinst configure
manually would help?
In any case, this is definitely something with particulars of the cloud
image you are using and perhaps dependencies of the packages in
Debian/Ubuntu.
FreeIPA upstream development team has no influence over distributions'
packaging in Debian/Ubuntu. So if you see some issue there, please
report a bug to your distribution as only distribution maintainers could
fix that.
I'm not sure how or why the cloud image would be incomplete. It has
been booted and then restarted multiple times after the initial
cloud-config ran. But now I'm going to do more research on what other
differences there might be between a "cloud image" and a normal
install...
To be clear, I did *not* install the freeipa-client package as part of
the cloud-init. I manually ran 'sudo apt -y install freeipa-client'
which is supposed to grab all other dependencies / etc. I saw it
install a whole bunch of SSS-related libs and such.
On the other two VMs (Alpha & Beta), I used the same process and they
worked correctly.
For the heck of it, I just did an ipa-client-install --uninstall, and
wiped it all off of Gamma and started over. During the apt install, it
throws some warnings during the setup of 'sssd-common', and I don't
think I remember seeing this on the VMs installed from ISO. So now I
need to track down why apparmor.d is doing a "Force-complain" and why
(if?) this is different from the ISO-installed systems.
Setting up libpam-pwquality:amd64 (1.4.2-1build1) ...
Setting up nss-plugin-pem:amd64 (1.0.5-1) ...
Setting up sssd-common (2.2.3-3ubuntu0.3) ...
Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing
complain mode
Warning from /etc/apparmor.d/usr.sbin.sssd (/etc/apparmor.d/usr.sbin.sssd line
59): Warning failed to create cache: usr.sbin.sssd
sssd-autofs.service is a disabled or a static unit not running, not starting it.
sssd-nss.service is a disabled or a static unit not running, not starting it.
sssd-pam.service is a disabled or a static unit not running, not starting it.
sssd-ssh.service is a disabled or a static unit not running, not starting it.
sssd-sudo.service is a disabled or a static unit not running, not starting it.
sssd.service is a disabled or a static unit not running, not starting it.
A dependency job for sssd-autofs.socket failed. See 'journalctl -xe' for
details.
A dependency job for sssd-nss.socket failed. See 'journalctl -xe' for details.
A dependency job for sssd-pam-priv.socket failed. See 'journalctl -xe' for
details.
A dependency job for sssd-pam.socket failed. See 'journalctl -xe' for details.
A dependency job for sssd-ssh.socket failed. See 'journalctl -xe' for details.
A dependency job for sssd-sudo.socket failed. See 'journalctl -xe' for details.
Setting up sssd-proxy (2.2.3-3ubuntu0.3) ...
Setting up rpm-common (4.14.2.1+dfsg1-1build2) ...
Setting up python3-pil:amd64 (7.0.0-4ubuntu0.2) ...
Setting up sssd-krb5-common (2.2.3-3ubuntu0.3) ...
Setting up libcups2:amd64 (2.3.1-9ubuntu1.1) ...
Setting up certmonger (0.79.9-2) ...
certmonger.conf:3: Line references path below legacy directory /var/run/,
updating /var/run/certmonger → /run/certmonger; please update the tmpfiles.d/
drop-in file
accordingly.
certmonger.service is a disabled or a static unit not running, not starting it.
Setting up sssd-krb5 (2.2.3-3ubuntu0.3) ...
Setting up python3-qrcode (6.1-2build1) ...
update-alternatives: using /usr/bin/python3-qr to provide /usr/bin/qr (qr) in
auto mode
Setting up libpam-sss:amd64 (2.2.3-3ubuntu0.3) ...
Setting up sssd-ldap (2.2.3-3ubuntu0.3) ...
Setting up python3-ipalib (4.8.6-1ubuntu2) ...
Setting up samba-libs:amd64 (2:4.11.6+dfsg-0ubuntu1.6) ...
Setting up sssd-ad-common (2.2.3-3ubuntu0.3) ...
sssd-pac.service is a disabled or a static unit not running, not starting it.
A dependency job for sssd-pac.socket failed. See 'journalctl -xe' for details.
Setting up libsmbclient:amd64 (2:4.11.6+dfsg-0ubuntu1.6) ...
Setting up python3-ipaclient (4.8.6-1ubuntu2) ...
Setting up sssd-ad (2.2.3-3ubuntu0.3) ...
Setting up sssd-ipa (2.2.3-3ubuntu0.3) ...
Setting up sssd (2.2.3-3ubuntu0.3) ...
Setting up freeipa-client (4.8.6-1ubuntu2) ...
Processing triggers for systemd (245.4-4ubuntu3.4) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for dbus (1.12.16-2ubuntu2.1) ...
Processing triggers for libc-bin (2.31-0ubuntu9.2) ...
[end]
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
