On 11/07/2013 06:20 PM, Dean Hunter wrote:
> On Thu, 2013-11-07 at 17:41 -0500, Dmitri Pal wrote:
>> On 11/07/2013 12:59 PM, Dean Hunter wrote:
>>> On Thu, 2013-11-07 at 12:36 -0500, Dmitri Pal wrote:
>>>> On 11/07/2013 12:21 PM, Dean Hunter wrote:
>>>>> On Thu, 2013-11-07 at 09:44 +0200, Alexander Bokovoy wrote:
>>>>>> On Wed, 06 Nov 2013, Dean Hunter wrote:
>>>>>>
>>>>>> >After building a new VM and configuring the IPA 3.3.2 client, Gnome
>>>>>> >seems to only perform a local log-in until the system is rebooted. SSH
>>>>>> >works with IPA, but not Gnome. Is this correct? Is there anything less
>>>>>> >disruptive than a reboot that I can do?
>>>>>
>>>>>> Restart gdm.service?
>>>>>> I'm not sure how gdm handles PAM auth.
>>>>>
>>>>> I have tried:
>>>>>
>>>>> ipa-client-install ...
>>>>> systemctl restart gdm.service
>>>>>
>>>>> but the behavior remains the same. The Gnome log in screen accepts
>>>>> the user name, pauses about 25 seconds, then displays the log in
>>>>> screen again without any messages or indication of a problem. This
>>>>> is the same behavior I see when entering an incorrect local user
>>>>> name before configuring IPA.
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> [email protected]
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Can it be a DIR cache issue and the fact that the directory can't
>>>> is not created at proper time?
>>>
>>> Which directory, please?
>>
>> If you are hitting the DIR cache issue (which I am not sure is the
>> case this is why I asked about AVCs) then the directory we are
>> talking about is /var/run/usr/<uid>
>> This directory should be created by kerberos library when it tries to
>> authenticate a user. But it might not be able to since a parent
>> directory /var/run/usr might not be created yet. This is one of the
>> reasons why we decided not to continue the path of DIR cache but
>> switched to using Kernel based ccache.
>>
>>>
>>>> Do you see any AVCs?
>>
>> Question still stands.
>
> I see no AVCs:
>
> [root@ipa ~]# ausearch --message AVC
> <no matches>
> [root@ipa ~]#
>
> I did find this in the man page for nsswitch.conf:
>
> FILES
>        A service named SERVICE is implemented by a shared object
>        library named libnss_SERVICE.so.X that resides in /lib.
>
>        /etc/nsswitch.conf        NSS configuration file.
>        /lib/libnss_compat.so.X   implements "compat" source.
>        /lib/libnss_db.so.X       implements "db" source.
>        /lib/libnss_dns.so.X      implements "dns" source.
>        /lib/libnss_files.so.X    implements "files" source.
>        /lib/libnss_hesiod.so.X   implements "hesiod" source.
>        /lib/libnss_nis.so.X      implements "nis" source.
>        /lib/libnss_nisplus.so.X  implements "nisplus" source.
>
> NOTES
>        Within each process that uses nsswitch.conf, the entire
>        file is read only once. If the file is later changed, the
>        process will continue using the old configuration.
>
> Is this why the default configuration of nsswitch.conf is changing in
> Fedora 20, as noted in one of the preceding e-mails?
>

Yes, I think SSS is now included by default.
But if the man page does not list it, it is probably a bug in the man page.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
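
The nsswitch.conf man page note quoted in the thread says each process reads the file only once and keeps the old configuration if it changes later. The following is an added example, not part of the thread or of FreeIPA: a shell function that lists processes started before nsswitch.conf was last modified, which are the candidates for a restart. The `PROC_ROOT` and `CLK_TCK` overrides are assumptions added so it can run against a constructed /proc tree.

```bash
#!/bin/bash
# Added example: find processes older than the last change to nsswitch.conf.
# Such a process still uses the NSS configuration it read at startup.
# PROC_ROOT and CLK_TCK are hypothetical overrides for offline testing.
# Usage: stale_nss_pids [/etc/nsswitch.conf]   -> prints "PID COMM" per line

stale_nss_pids() {
    local conf proc hz conf_mtime btime statfile line pid rest ticks started comm
    conf=${1:-/etc/nsswitch.conf}
    proc=${PROC_ROOT:-/proc}
    hz=${CLK_TCK:-$(getconf CLK_TCK 2>/dev/null || echo 100)}

    # Last modification time of the config, seconds since the epoch.
    conf_mtime=$(stat -c %Y "$conf") || return 1
    # btime in /proc/stat is the boot time, seconds since the epoch.
    btime=$(awk '$1 == "btime" { print $2 }' "$proc/stat")
    [ -n "$btime" ] || return 1

    for statfile in "$proc"/[0-9]*/stat; do
        [ -r "$statfile" ] || continue
        line=$(cat "$statfile" 2>/dev/null) || continue   # process may have exited
        pid=${line%% *}
        # comm (field 2) may contain spaces or ')': cut after the LAST ") ".
        rest=${line##*") "}
        # starttime is field 22 overall, so field 20 once pid and comm are gone.
        ticks=$(printf '%s\n' "$rest" | awk '{ print $20 }')
        [ -n "$ticks" ] || continue
        # Start time in epoch seconds (one-second resolution).
        started=$((btime + ticks / hz))
        if [ "$started" -lt "$conf_mtime" ]; then
            comm=${line#*"("}
            comm=${comm%")"*}
            printf '%s %s\n' "$pid" "$comm"
        fi
    done
}
```

A listed process is only a candidate: it matters if that process performs user or group lookups, as a display manager does.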
