Quick update that might help those who face the same issue.
The issue was caused by a configuration of the DNS config. The forwarding policy 
on global config and the main zone was set to "only" instead of "first".

Once set back to "first" everything is fine.

Still don't understand why it succeeded to login after cleaning the sssd cache, 
but for the rest it makes sense.


On Friday, September 16, 2022 5:11:39 PM CEST Rob Crittenden via FreeIPA-users 
wrote:
> If anything it is more likely the client SSSD cache. The server doesn't
> cache much beyond AD information (inside SSSD).
> 
> See sss_cache(8).
> 
> rob
> 
> Antoine Gatineau wrote:
> > OK this is strange.
> > 
> > 
> > After enrolling a new client (exact same distro) I was able to log in it
> > with my ipa user.
> > 
> > The idea was to rule out the server configuration, which it did.
> > 
> > 
> > When I went back to the previous client (that was posing me the issue)
> > it started to work.
> > 
> > 
> > My assumption now is that the cache was somehow corrupted and logging
> > from a new client renewed it and fixed it.
> > 
> > Are there some configurations on the servers that would require to clean
> > the cache?
> > 
> > 
> > Anyway it seems to be ok now....
> > 
> > 
> > 
> > On Wednesday, September 14, 2022 4:17:03 PM CEST Antoine Gatineau via
> > FreeIPA-users wrote:
> > 
> > sssd logs are in the tar.gz file
> > 
> > 
> > kwin is there just because it was there :)
> > 
> > 
> > 
> > 
> > On Wednesday, September 14, 2022 3:48:31 PM CEST Rob Crittenden wrote:
> > 
> > >> Antoine Gatineau via FreeIPA-users wrote:
> > >> > Dear freeipa-users,
> > >> >
> > >> > I recently am having trouble logging into my kde sessions.
> > >> > Client OS: Fedora 36 Kde Plasma (up to date) (freeipa-client
> > >> > 4.10.0-4 , sssd 2.7.4-1)
> > >> > Server: Centos Stream 9 (ipa 4.10.0-6)
> > >> >
> > >> > Here are my symptoms :
> > >> > ipa user on KDE Wayland: kwin_wayland_wrapper crashes
> > >> > ipa user on KDE X11: login ok but policykit integration seems
> > >> > broken. Can't connect to qemu for instance or apply system settings.
> > >> > Running `id` returns the expected groups and uid.
> > >> > ipa user on Console: login ok
> > >> > ipa user on ssh: login ok.
> > >> > Local users : no problem
> > >> > Brand new ipa user : same login issues
> > >> >
> > >> > The only way I found to be able to correctly login is to stop sssd ,
> > >> > remove the cache files and reboot:
> > >> > systemctl stop sssd && rm -rf /var/lib/sss/db/* && reboot
> > >> >
> > >> > After that I can successfully login with wayland and X11 session. At
> > >> > the next reboot, session login will fail.
> > >> >
> > >> > I am not sure there is an issue with the freeipa integration itself
> > >> > but the fact that rebooting with a clean sssd context makes it work, I
> > >> > assume sssd and freeipa are involved somehow.
> > >> > It could also be an issue with kde itself or my IPA configuration.
> > >> > I still need to start troubleshooting somewhere.
> > >> >
> > >> > Find attached sssd debug logs on the client. I didn't find anything
> > >> > strange but someone else might.
> > >> > If logs are needed, I can easily reproduce the issue and generate logs
> > >> > or test changes.
> > >> >
> > >> > If someone with the same setup can confirm it works for them, that
> > >> > would be great.
> > >> > If this is absolutely not the place for this request, please say so ;-)
> > >> >
> > >> > Any help troubleshooting this issue is appreciated
> > >> >
> > >>
> > >> Looks like you attached the wrong log.
> > >>
> > >> rob
> > 
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue
> 



