Hello,
I'm trying to deploy FreeIPA to an environment running a mix of Ubuntu 16.04 and 14.04 servers. On 16.04 the servers join and can pull down users no problem; on 14.04, when joining, it'll throw a
"Unable to find 'admin' user with 'getent passwd admin@redacted.net'!:"
And sure enough getent passwd won't pull details, and thus no accounts can be pulled down as far as I can tell.
It works on every 16.04 machine and fails on every 14.04. Anyone have any tips/ideas on how I'd go about troubleshooting this? This is with doing an apt-get install freeipa-client and ipa-client-install.
Thanks!
Cody Rathgeber via FreeIPA-users wrote:
> Hello,
> I'm trying to deploy FreeIPA to an environment running a mix of Ubuntu 16.04 and 14.04 servers. On 16.04 the servers join and can pull down users no problem; on 14.04, when joining, it'll throw a
> "Unable to find 'admin' user with 'getent passwd admin@redacted.net'!:"
> And sure enough getent passwd won't pull details, and thus no accounts can be pulled down as far as I can tell.
> It works on every 16.04 machine and fails on every 14.04. Anyone have any tips/ideas on how I'd go about troubleshooting this? This is with doing an apt-get install freeipa-client and ipa-client-install.
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
rob
Thanks,
Here's what I get in the sssd nss log with debug level set to 6;
(Thu Jan 4 14:35:56 2018) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Thu Jan 4 14:35:56 2018) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [*] from [<ALL>]
(Thu Jan 4 14:35:56 2018) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [*@redacted.net]
(Thu Jan 4 14:35:56 2018) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x417c90:1:*@redacted.net]
(Thu Jan 4 14:35:56 2018) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [redacted.net][4097][1][name=*]
(Thu Jan 4 14:35:56 2018) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x417c90:1:*@redacted.net]
(Thu Jan 4 14:35:56 2018) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 1, 11, Fast reply - offline
Now I know the data provider is up because the 16.04 machines can get to it, all the "redacted.net"s are the proper domain, and the clients can resolve everything fine. Is the "using default domain [(null)]" at the top something I should be worried about? kinit admin username also works, so I know Kerberos is working fine.
What versions of the IPA server and the IPA client on 14.04 do you have? I think the server is 4+, but on Ubuntu 14 the client version is 3.*. That is probably a problem. For example, a similar problem: https://pagure.io/freeipa/issue/7072
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
On Thu, Jan 04, 2018 at 02:49:59PM -0700, Cody Rathgeber via FreeIPA-users wrote:
> Thanks,
> Here's what I get in the sssd nss log with debug level set to 6;
> (Thu Jan 4 14:35:56 2018) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
> (Thu Jan 4 14:35:56 2018) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [*] from [<ALL>]
> (Thu Jan 4 14:35:56 2018) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [*@redacted.net]
> (Thu Jan 4 14:35:56 2018) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x417c90:1:*@redacted.net]
> (Thu Jan 4 14:35:56 2018) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [redacted.net][4097][1][name=*]
> (Thu Jan 4 14:35:56 2018) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x417c90:1:*@redacted.net]
> (Thu Jan 4 14:35:56 2018) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
> Error: 1, 11, Fast reply - offline
The sssd_redacted.net log should have more info. Usually, when I look for root causes of issues like this, I search for the first occurrence of "Going offline" in the logs and then I look a couple of lines earlier for e.g. timeouts, DNS issues and such.
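The search described in the reply above, as an added example that is not part of the original thread: it finds the first "Going offline" line in a domain log and returns the lines just before it, flagging those logged at SSSD failure levels. The sample log, its domain and its function names are constructed placeholders, not real SSSD output.

```python
import re

# SSSD debug lines look like: (timestamp) [sssd[...]] [function] (0xNNNN): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\S*\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Levels 0x0010-0x0080 are SSSD's fatal/critical/serious/minor failure masks.
FAILURE_MAX = 0x0080

# Constructed sample, not real SSSD output; function names are placeholders.
SAMPLE = """\
(Thu Jan 4 14:35:40 2018) [sssd[be[example.test]]] [placeholder_resolve] (0x0400): Resolving ipa.example.test
(Thu Jan 4 14:35:46 2018) [sssd[be[example.test]]] [placeholder_resolve] (0x0040): Name resolution timed out
(Thu Jan 4 14:35:46 2018) [sssd[be[example.test]]] [placeholder_failover] (0x0080): No servers left to try
(Thu Jan 4 14:35:46 2018) [sssd[be[example.test]]] [placeholder_offline] (0x2000): Going offline!
(Thu Jan 4 14:35:56 2018) [sssd[be[example.test]]] [placeholder_offline] (0x2000): Going offline!
""".splitlines()


def is_failure(line):
    """True if the line parses and was logged at a failure level."""
    m = LINE_RE.match(line)
    return bool(m) and int(m.group("level"), 16) <= FAILURE_MAX


def context_before_offline(lines, before=5, marker="Going offline"):
    """Find the first line containing marker; return its index and the
    preceding lines as (is_failure, line) pairs, oldest first."""
    for i, line in enumerate(lines):
        if marker in line:
            window = lines[max(0, i - before):i]
            return i, [(is_failure(l), l) for l in window]
    return None, []  # the backend never reported going offline


if __name__ == "__main__":
    idx, ctx = context_before_offline(SAMPLE, before=3)
    print(f"first offline transition at line {idx + 1}")
    for failed, line in ctx:
        print(("!! " if failed else "   ") + line)
```

Continuation lines that do not match the log format, such as "Error: 1, 11, Fast reply - offline", are kept in the window but never flagged.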
Cody Rathgeber via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
> I'm trying to deploy FreeIPA to an environment running a mix of Ubuntu 16.04 and 14.04 servers. On 16.04 the servers join and can pull down users no problem; on 14.04, when joining, it'll throw a
> "Unable to find 'admin' user with 'getent passwd admin@redacted.net'!:"
What packages do you use on 14.04? I'm using the packages from ppa:freeipa/4.0. What's your IPA server release?
There were also reports about sssd problems: https://www.redhat.com/archives/freeipa-users/2017-January/msg00190.html
Jochen
Thanks, I'm sure it was a versioning issue, as the server is 4.5 and I see the default Ubuntu 14.04 packages I was using were 3.3. Using the repo Jochen mentioned I can install 4.0 on Ubuntu 14.04, but I will get the below errors in the log during install. Is this still due to 4.0 being too far behind the server's 4.5, and will I need to build from source? It's complaining about the certificate, but I've followed the instructions here https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1635568/comments/6 and added the root certificate to the NSS DB (which fixed the same error on the CentOS fallback server I set up), and based on the following errors I think it may be having other issues and complaining about the cert as a byproduct.
"Cannot connect to the server due to generic error: cannot connect to 'https://rd-freeipa1.redacted.net/ipa/json': [Errno -8172] (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as not trusted by the user.
Installation failed. Rolling back changes.
dbus failed to start: Command ''/usr/sbin/service' 'dbus' 'start' ''' returned non-zero exit status 1
certmonger failed to start: Command ''/usr/sbin/service' 'certmonger' 'start' ''' returned non-zero exit status 1 "
I also get these in the freeipa install log
"2018-01-05T20:38:53Z ERROR dbus failed to start: Command ''/usr/sbin/service' 'dbus' 'start' ''' returned non-zero exit status 1
2018-01-05T20:38:53Z DEBUG Starting external process
2018-01-05T20:38:53Z DEBUG args='/usr/sbin/service' 'certmonger' 'start' ''
2018-01-05T20:38:53Z DEBUG Process finished, return code=1
2018-01-05T20:38:53Z DEBUG stdout=
2018-01-05T20:38:53Z DEBUG stderr=start: Job is already running: certmonger
2018-01-05T20:38:53Z ERROR certmonger failed to start: Command ''/usr/sbin/service' 'certmonger' 'start' ''' returned non-zero exit status 1
2018-01-05T20:38:53Z DEBUG Starting external process
2018-01-05T20:38:53Z DEBUG args='/usr/sbin/service' 'certmonger' 'status' ''
2018-01-05T20:38:53Z DEBUG Process finished, return code=0
2018-01-05T20:38:53Z DEBUG stdout=certmonger start/running, process 7415 "
This error isn't familiar to me, but I'd at least try to compile 4.5 to rule out versioning issues. And maybe you can find some hints in the Ansible role for manual FreeIPA client installation from Lee Wiscovitch in the "debian 8 freeipa-client" thread.
Cody Rathgeber <cody@yellowpencil.com> writes:
> Thanks, I'm sure it was a versioning issue, as the server is 4.5 and I see the default Ubuntu 14.04 packages I was using were 3.3. Using the repo Jochen mentioned I can install 4.0 on Ubuntu 14.04, but I will get the below errors in the log during install. Is this still due to 4.0 being too far behind the server's 4.5, and will I need to build from source?
Possible. I don't know where the problems begin - I started with IPA server 4.1/4.2 some time ago and enrolled my 14.04 Laptop with 4.0.4 client (I had a system with 12.04 enrolled too). I'm not going to install/enroll another old Laptop - only 16.04 and newer...
Jochen