Bug 1028432

Summary: GUI user add doesn't work but cli user add does
Product: Red Hat Enterprise Linux 6 Reporter: Jim Kinney <jimkinney>
Component: ipa Assignee: Martin Kosek <mkosek>
Status: CLOSED NOTABUG QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4 CC: dpal, rcritten
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-08 14:05:21 UTC Type: Bug

Description Jim Kinney 2013-11-08 12:40:13 UTC
Description of problem:
Adding users by the web GUI results in users visible only in the GUI and not by an ipa-client system. Neither id user-foo nor getent password user-foo has any knowledge of user-foo. However, the master ipa server does know user-foo.

If adding a user by ipa user-add user-foo, all clients know user-foo instantly.

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-26.el6_4.4.x86_64

How reproducible:
every time

Steps to Reproduce:
1. create new user in gui
2. run id or getent password on new user on non-ipa server and user not found

Actual results:
user not found

Expected results:
user ID and GID

Additional info:

Comment 2 Martin Kosek 2013-11-08 12:56:36 UTC
This obviously should not happen. We need more data to investigate though.

1) Is the client enrolled with an IPA server?

2) Is SSSD service running on that client?

3) Does 'id user-foo' work on the server?

Comment 3 Jim Kinney 2013-11-08 13:43:52 UTC
(In reply to Martin Kosek from comment #2)
> This obviously should not happen. We need more data to investigate though.
> 
> 1) Is the client enrolled with an IPA server?

Yes. All clients enrolled through ipa-client-install and other users on IPA added earlier through a bulk ipa user-add script are working.
> 
> 2) Is SSSD service running on that client?

Yes. All tested clients have sssd running.
> 
> 3) Does 'id user-foo' work on the server?

The ipa server can get id user-foo data just fine. The secondary server has the same issue as clients - no user found.

Comment 4 Jim Kinney 2013-11-08 13:48:05 UTC
Also, web GUI access is over an ssh -X connection to the master IPA server, then kinit admin, then firefox localhost. The browser has been set up to understand the kerberos tickets but still doesn't allow access based on kinit for either a local (to the server) browser or a remote browser on a client.

Clients are Fedora 19 and CentOS 6.4. Most are connecting over a single switch hop but some are over the campus WAN (my desktop to lab cluster running IPA).

Comment 5 Jim Kinney 2013-11-08 14:04:09 UTC
AARRGGH!

Now it's working. I chased a new user not being able to log in to anything all yesterday. The GUI showed the account was active and I couldn't log in to reset the password on any system but the ipa server. So I dumped the account and did it over the cli and instantly everything worked.

I just created a dummy account to test this for the bugzilla and it all worked. New user in the GUI, id new-user on non-ipa server instantly showed new-user.

AND I was able to log into the ipa GUI from a remote browser with admin password. That has never worked before. Last updates were Oct 30 so I'm stumped.

Let's close this as a non-issue.