[Freeipa-users] Unable to authenticate a client user against IPA

Dmitri Pal dpal at redhat.com
Fri Mar 11 00:26:03 UTC 2011


On 03/10/2011 06:30 PM, Steven Jones wrote:
> My problem is "To troubleshoot we need logs. There are all sorts of logs and configuration files on the server and on the client."
On the client:

Config:
1) /etc/sssd/sssd.conf
2) /etc/pam.d/system-auth-ac
3) /etc/nsswitch.conf

Logs
/var/log/sssd
The most interesting one is sssd_default.log but you can include all of
them.
/var/log/ipaclient-install.log
/var/log/ipaclient-uninstall.log


On the server there are all sorts of logs in the /var/log and under the
directories. Dirsrv for DS, http for apache etc. Do not have the
directory in front of me.

Make sure that the versions of the packages are latest and match each
other on both sides.
Make sure the time is in synch.
Make sure that names are resolvable if you are not using IPA with the
embedded DNS.
It makes sense to reboot machine after installing and configuring SSSD.
Test a user on the server first make sure you can authenticate and he
has a valid password.

Include the commands you used to install the server and the client in
the mail.

Good luck!

Thanks
Dmitri


> Thats just it.....I dont know where to look.....its simply not documented....so what I need is for someone to tell me what logs you need....and how to make the system log reliably...... for instance debug_level = 9 in the sssd.conf still produces 0 length logs on client1....so there is nothing to report....
>
> It may well be my problems stems from trying to use RHEL6 svr and KVM with fedora 14 clients inside it which I am finding very flaky....I may need to blow it away and move the test bed to vmware ESXi.....
>
> Or maybe indeed I am serially doing something wrong.....
>
> I am trying again to setup client 3, what selinux is telling me is ipa-submit is trying to open krb5.keytab....
>
> I will test and maybe turn selinux off, if i can figur eout how!
>
> regards
>
> Steven
>
>
>
> Steve,
>
> Sorry but it looks like you are doing something wrong over and over again or there is something mis-configured in your environment.
> We are executing tests every day with new and old machines bare metal and VMs.
> And everything works so there is definitely something specific to your environment which is different.
> May be it is DNS or NTP or something like. We do not know. May be it is a bug that we do not hit because we do not run things in the sequence you run or with configuration you use.
>
> You write a lot of mails to us but few contain any substantial information about your setup.
> To troubleshoot we need logs.
> There are all sorts of logs and configuration files on the server and on the client.
> You do not include them in your emails.
> How do you think we can troubleshoot the problems?
>
> If you want us to help please include more detailed information.
> I am really sorry that you are experiencing the issues and spending that much time but I do not see a way to help you since we do not have sufficient information to do the troubleshooting.
>
> We will be happy to help you as soon as you provide such information.
>
>
> Thank you,
> Dmitri
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





More information about the Freeipa-users mailing list