On 10/28/2014 08:15 PM, Craig White wrote:
*From:* Dmitri Pal [mailto:[email protected]]
*Sent:* Tuesday, October 28, 2014 5:10 PM
*To:* Craig White; [email protected]
*Subject:* Re: [Freeipa-users] getent passwd / group [SOLVED]
On 10/28/2014 04:41 PM, Craig White wrote:
*From:* [email protected] *On Behalf Of* Craig White
*Sent:* Tuesday, October 28, 2014 1:28 PM
*To:* [email protected]; [email protected]
*Subject:* Re: [Freeipa-users] getent passwd / group [SOLVED]
*From:* Dmitri Pal [mailto:[email protected]]
*Sent:* Tuesday, October 28, 2014 10:04 AM
*To:* Craig White; [email protected]
*Subject:* Re: [Freeipa-users] getent passwd / group
On 10/28/2014 12:11 PM, Craig White wrote:
*From:* [email protected] *On Behalf Of* Dmitri Pal
*Sent:* Monday, October 27, 2014 5:32 PM
*To:* [email protected]
*Subject:* Re: [Freeipa-users] getent passwd / group
On 10/27/2014 07:38 PM, Craig White wrote:
RHEL 6.5 -- new install
ipa-server-3.0.0-42.el6.x86_64
389-ds-base-1.2.11.15-47.el6.x86_64
On the master, I get nothing
[root@ipa001 log]# getent passwd admin
[root@ipa001 log]#
But it works on the replica as expected
[root@ipa002nadev01 ~]# getent passwd admin
admin:*:1140000000:1110000000:Administrator:/home/admin:/bin/bash
I am used to using PADL / NSSWITCH with OpenLDAP and I am
rather surprised that on both, 'getent passwd' and 'getent
group' return only entries from local files but then
again, I've never used sssd before.
REJECT all -- 0.0.0.0/0 0.0.0.0/0
reject-with icmp-host-prohibited
Then we need SSSD logs with the debug_level in the right sections
as Jakub mentioned in his mail.
----
Sorry -- I had a long meeting and should have noted that after
restarting SSSD, it all started working again as expected. Clearly
something I have to watch for and indeed, I moved the debug to the
domain section for future.
I should add -- I came to the realization that I restarted sssd and went to a
long meeting, then came back and couldn't log into the IPA console or Kerberos and
had to restart the IPA service to restart Kerberos.
IPA is logging nothing.
This is not the first time I have had to go through this cycle -- it seems
that somehow, the IPA server is sensitive to the SSSD daemon and if the SSSD
goes haywire, when I restart SSSD, IPA is not functioning and must be restarted
too.
Thanks
Craig
Is this on the same server?
----
Yes, same server... the one I call the master. The first one I set up.
I'm getting tuned in to checking the status of dirsrv and ipa but
now I know to check the status of the sssd too.
Seems like it crashes a little too easily -- I doubt I did much to harm it... I am fairly experienced with OpenLDAP and in fact used 389-server back when it was called FedoraDS.
But it is running now, and seemingly will stay running for some time and I am upping the logging and watching for a crash like Richard said to provide some debug logs if possible. Sort of wish I could have just started with RHEL 7 and the updated IPA.
Thanks
Craig
6.5 was pretty stable but things happen from time to time so it is not
clear what exactly went wrong. I suspect some race condition that is
rare but happens sometimes.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
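A small check for the two things the thread ends up watching: whether `getent passwd admin` comes back empty, and whether `debug_level` is present in the `[domain/...]` section of sssd.conf. This is an added example, not code posted by anyone in the thread; the function names and the `GETENT`, `PASSWD_FILE` and `SSSD_CONF` override variables are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. GETENT, PASSWD_FILE and SSSD_CONF are
# hypothetical override knobs so the checks can be pointed at test data.
GETENT=${GETENT:-getent}
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}
SSSD_CONF=${SSSD_CONF:-/etc/sssd/sssd.conf}

# Classify how an account resolves: "local" (present in the passwd file),
# "directory" (answered by NSS but not in the file, i.e. served via SSSD),
# or "missing" (the empty getent result seen on the master).
classify_user() {
    entry=$("$GETENT" passwd "$1" 2>/dev/null) || entry=
    if [ -z "$entry" ]; then echo missing; return 0; fi
    if awk -F: -v u="$1" '$1 == u { f = 1 } END { exit !f }' "$PASSWD_FILE"
    then echo local
    else echo directory
    fi
}

# List the [domain/...] sections of an sssd.conf that carry no debug_level,
# so a debug_level set only under another section is noticed.
domains_without_debug() {
    awk '
        /^[ \t]*\[/ {
            if (indom && !seen) print name
            name = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", name)
            indom = (name ~ /^domain\//); seen = 0; next
        }
        indom && /^[ \t]*debug_level[ \t]*=/ { seen = 1 }
        END { if (indom && !seen) print name }
    ' "$1"
}

# Run both checks for one account when called as: sh check.sh --run admin
if [ "${1:-}" = "--run" ]; then
    state=$(classify_user "${2:-admin}")
    echo "account ${2:-admin}: $state"
    if [ "$state" = missing ]; then
        echo "check: service sssd status; ipactl status"
    fi
    for d in $(domains_without_debug "$SSSD_CONF"); do
        echo "no debug_level in [$d]"
    done
fi
```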