[Freeipa-users] Unable to authenticate a client user against IPA

Stephen Gallagher sgallagh at redhat.com
Thu Mar 10 15:31:25 UTC 2011


On 03/10/2011 10:10 AM, Simo Sorce wrote:
> ----- Original Message -----
>> Steven Jones wrote:
>>> Ok,
>>> 
>>> However I can't LDAP/IPA authenticate still....on either 
>>> client..........
>>> 
>>> So what next?
>> 
>> sssd handles logins, you can try turning up the log level on that 
>> (though I suspect it wasn't the reboot that fixed this but
>> restarting sssd).
> 
> If sssd was never used before then what was needed was a restart of
> the services using it (sshd, gdm), as nsswitch.conf is never re-read
> by glibc, you can't use the new users until those services are
> restarted after nsswitch.conf is modified.
> 
> I think we also offer to restart the client after ipa-client-install
> exactly as a way to restart all services that may depend on picking
> up this change. That reboot is not necessary if you manually restart
> all services after that, but if you don't then you better do a reboot
> as we suggest.
> 
>> As part of ipa-client-install sssd is restarted and tested via
>> 'getent passwd admin'. This should be visible in 
>> /var/log/ipaclient-install.log. Did this command succeed?
> 
> Even if this succeeds, authentication via gdm or ssh can still fail
> until the services are restarted.
> 
> Just pointing out this fact as a help point for other users testing
> ipa-client-install in future.


FYI, while this might be an issue for sshd, GDM actually has a
workaround for this and doesn't need a restart. GDM just forks and
exec's the 'id' command instead of calling getpwent directly.



-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
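
An added example, not part of the original message or of FreeIPA: a check for processes that started before /etc/nsswitch.conf was last modified and so, under the glibc behaviour described in the thread, may still be using the old NSS configuration. The function names and sample values are constructed for illustration.

```python
import os

# Constructed /proc/<pid>/stat lines (not from a real host). Field 22,
# starttime, is the last value here, in clock ticks since boot.
REST = "S 1 1 1 0 -1 4194560 100 0 0 0 1 2 0 0 20 0 1 0"
SAMPLE_STAT = {
    812: f"812 (sshd) {REST} 5000",
    1300: f"1300 (my (odd) daemon) {REST} 20000",
}
SAMPLE_BTIME = 1299700000       # constructed boot time, epoch seconds
SAMPLE_CONF_MTIME = 1299700100  # constructed nsswitch.conf mtime


def parse_stat(line):
    """Return (comm, starttime_ticks) from one /proc/<pid>/stat line."""
    # comm may itself contain spaces or parentheses: split on the LAST ')'.
    head, _, tail = line.rpartition(")")
    comm = head.split("(", 1)[1]
    # tail begins at field 3 (state), so field 22 is index 19.
    return comm, int(tail.split()[19])


def stale_processes(stat_lines, btime, conf_mtime, hz):
    """(pid, comm) of processes started before conf_mtime.

    Conservative heuristic: a process that started earlier but made its
    first NSS lookup after the change is flagged too."""
    stale = []
    for pid, line in stat_lines.items():
        comm, ticks = parse_stat(line)
        if btime + ticks / hz < conf_mtime:
            stale.append((pid, comm))
    return sorted(stale)


def scan_live(conf="/etc/nsswitch.conf"):
    """Run the same check against the local Linux /proc."""
    with open("/proc/stat") as f:
        btime = next(int(l.split()[1]) for l in f if l.startswith("btime "))
    lines = {}
    for entry in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{entry}/stat") as f:
                lines[int(entry)] = f.read()
        except OSError:
            continue  # process exited while we were scanning
    hz = os.sysconf("SC_CLK_TCK")
    return stale_processes(lines, btime, os.stat(conf).st_mtime, hz)
```

scan_live() also returns kernel threads and other early-boot processes, so filter its result to the login services of interest (sshd in this thread).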
