Hi,
I've installed ipa-client on my laptop without issues; it did find the domain properly. kinit connects to IPA, but I am unable to su to any user or even log in:
(root)$ su my_user
su: user my_user does not exist
(root)$ cat /var/log/sssd/sssd_nss.log
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [nss_getby_id] (0x0400): Input ID: 0
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_set_plugin] (0x2000): CR #219: Setting "User by ID" plugin
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_send] (0x0400): CR #219: New request 'User by ID'
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #219: Performing a multi-domain search
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #219: Search will check the cache and check the data provider
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/DOM_LOCATE_TYPE/implicit_files/User by ID]
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/DOM_LOCATE_TYPE/home.mydomain.com/User by ID]
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain implicit_files type POSIX is valid
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #219: Using domain [implicit_files]
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_search_send] (0x0400): CR #219: Looking up UID:0@implicit_files
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #219: Checking negative cache for [UID:0@implicit_files]
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/UID/implicit_files/0]
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/UID/0]
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #219: [UID:0@implicit_files] does not exist (negative cache)
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_validate_domain_type] (0x2000): Request type POSIX-only for domain home.mydomain.com type POSIX is valid
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #219: Using domain [home.mydomain.com]
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_search_send] (0x0400): CR #219: Looking up UID:0@home.mydomain.com
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #219: Checking negative cache for [UID:0@home.mydomain.com]
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/UID/home.mydomain.com/0]
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/UID/0]
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #219: [UID:0@home.mydomain.com] does not exist (negative cache)
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [cache_req_process_result] (0x0400): CR #219: Finished: Not found
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [client_close_fn] (0x2000): Terminated client [0x5565caddc630][31]
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Sun Mar 3 09:54:41 2019) [sssd[nss]] [client_close_fn] (0x2000): Terminated client [0x5565cadddc60][30]
(root)$ id $my_user
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
(root)$ kinit my_user
Password for my_user@HOME.MYDOMAIN.COM:
(root)$ ipa user-find my_user
--------------
1 user matched
--------------
  User login: my_user
  First name: MyUserName
  Last name: MyUserSurname
  Home directory: /home/my_user
  Login shell: /bin/sh
  Principal name: my_user@HOME.MYDOMAIN.COM
  Principal alias: my_user@HOME.MYDOMAIN.COM
  Email address: my_user@mydomain.com, my.user@gmail.com
  UID: 1907400004
  GID: 1907400003
  SSH public key fingerprint: SHA256:############################################# my_user@mydomain.com (ssh-rsa)
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
I've cleared /var/lib/sss/db/*
In addition, I see some troubling errors in /var/log/sssd/sssd_home.mydomain.com.log like 'cannot resolve' and 'not working', while I am able to resolve my ipaserver and the domain without problems when doing it manually.
OK, the issue was with SELinux:
SELinux is preventing sssd_be from read access on the file /etc/hosts.
***** Plugin restorecon (99.5 confidence) suggests ************************

If you want to fix the label.
/etc/hosts default label should be net_conf_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /etc/hosts
***** Plugin catchall (1.49 confidence) suggests **************************

If you believe that sssd_be should be allowed read access on the hosts file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sssd_be' --raw | audit2allow -M my-sssdbe
# semodule -X 300 -i my-sssdbe.pp
After running '/sbin/restorecon -v /etc/hosts' I can log in without problems.
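The failure mode in this thread (sssd_be denied read on a mislabeled /etc/hosts, so name resolution inside SSSD breaks while manual resolution works) is easy to check for before reaching for audit2allow. The POSIX sh script below is an added example and is not from the thread or from the SSSD/FreeIPA projects: it compares the SELinux type on /etc/hosts against net_conf_t (the default the setroubleshoot output above names) and reduces a raw AVC record to the fields that matter (comm, file name, target type). The AVC line and the two file contexts are constructed sample inputs, not data from the thread; the field layout of AVC records follows the standard audit format.

```shell
#!/bin/sh
# Added example (not from the thread): spot a mislabeled /etc/hosts and
# summarise an AVC denial against it, so the fix is restorecon rather than
# a local allow rule that would paper over the label problem.

# Default SELinux type for /etc/hosts, as stated by setroubleshoot above.
EXPECTED_TYPE="net_conf_t"

# selinux_type_of: print the type field of a context such as
# system_u:object_r:net_conf_t:s0 (third colon-separated field).
selinux_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# hosts_label_check: given the context of /etc/hosts (as printed by
# `stat -c %C /etc/hosts`), print "ok" when the type matches net_conf_t,
# "no-selinux-context" when there is no usable context (e.g. "?" on a
# host without SELinux), otherwise "mislabeled:<type>".
hosts_label_check() {
    lbl=$(selinux_type_of "$1")
    if [ -z "$lbl" ] || [ "$1" = "?" ]; then
        echo no-selinux-context
    elif [ "$lbl" = "$EXPECTED_TYPE" ]; then
        echo ok
    else
        echo "mislabeled:$lbl"
    fi
}

# avc_summary: reduce a raw AVC record to "comm:name:target_type", which is
# enough to recognise "sssd_be could not read a hosts file labeled X".
avc_summary() {
    line=$1
    comm=$(printf '%s\n' "$line" | sed -n 's/.*comm="\([^"]*\)".*/\1/p')
    name=$(printf '%s\n' "$line" | sed -n 's/.*name="\([^"]*\)".*/\1/p')
    tctx=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    printf '%s:%s:%s\n' "$comm" "$name" "$(selinux_type_of "$tctx")"
}

# Constructed sample inputs (not real data from the thread).
SAMPLE_GOOD_CTX="system_u:object_r:net_conf_t:s0"
SAMPLE_BAD_CTX="unconfined_u:object_r:user_home_t:s0"
SAMPLE_AVC='type=AVC msg=audit(1551599681.123:456): avc:  denied  { read } for  pid=1234 comm="sssd_be" name="hosts" dev="dm-0" ino=123 scontext=system_u:system_r:sssd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# live_check: on a real host, report the current label of /etc/hosts and
# recommend restorecon when it is wrong. Does nothing harmful; it only prints.
live_check() {
    [ -e /etc/hosts ] || return 0
    ctx=$(stat -c %C /etc/hosts 2>/dev/null || echo "?")
    result=$(hosts_label_check "$ctx")
    echo "/etc/hosts context: $ctx -> $result"
    case $result in
        mislabeled:*) echo "suggested fix: restorecon -v /etc/hosts" ;;
    esac
}

echo "sample good context -> $(hosts_label_check "$SAMPLE_GOOD_CTX")"
echo "sample bad context  -> $(hosts_label_check "$SAMPLE_BAD_CTX")"
echo "sample AVC          -> $(avc_summary "$SAMPLE_AVC")"
live_check
```

On an affected host the live check prints a non-net_conf_t type for /etc/hosts, and feeding real AVC records (for example from `ausearch -m AVC --raw`) through avc_summary shows sssd_be being denied on "hosts" with that same wrong type, which is the signature that a relabel, not a policy exception, is the right fix.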
freeipa-users@lists.fedorahosted.org