Bug 1028432 - GUI user add doesn't work but cli user add does
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Martin Kosek
QA Contact: Namita Soman
Reported: 2013-11-08 12:40 UTC by Jim Kinney
Modified: 2013-11-08 14:05 UTC

Doc Type: Bug Fix
Last Closed: 2013-11-08 14:05:21 UTC

Description Jim Kinney 2013-11-08 12:40:13 UTC
Description of problem:
Adding users by the web GUI results in users visible only in the GUI and not on an ipa-client system. Neither id user-foo nor getent password user-foo have any knowledge of user-foo. However, the master ipa server does know user-foo.

If adding a user by ipa user-add user-foo, all clients know user-foo instantly.

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-26.el6_4.4.x86_64

How reproducible:
every time

Steps to Reproduce:
1. create new user in gui
2. run id or getent password on new user on non-ipa server and user not found
3.

Actual results:
user not found

Expected results:
user ID and GID

Additional info:

Comment 2 Martin Kosek 2013-11-08 12:56:36 UTC
This obviously should not happen. We need more data to investigate though.

1) Is the client enrolled with an IPA server?

2) Is SSSD service running on that client?

3) Does 'id user-foo' work on the server?

Comment 3 Jim Kinney 2013-11-08 13:43:52 UTC
(In reply to Martin Kosek from comment #2)
> This obviously should not happen. We need more data to investigate though.
> 
> 1) Is the client enrolled with an IPA server?

Yes. All clients enrolled through ipa-client-install and other users on IPA added earlier through bulk ipa user-add scripts are working.
> 
> 2) Is SSSD service running on that client?

Yes. All tested clients have sssd running.
> 
> 3) Does 'id user-foo' work on the server?

The ipa server can get id user-foo data just fine. The secondary server has the same issue as clients - no user found.

Comment 4 Jim Kinney 2013-11-08 13:48:05 UTC
Also, web GUI access is over an ssh -X connection to the master IPA server, then kinit admin, then firefox localhost. The browser has been set up to understand the Kerberos tickets but still doesn't allow access based on kinit for either a local (to the server) browser or a remote browser on a client.

Clients are Fedora 19 and CentOS 6.4. Most are connecting over a single switch hop but some are over the campus WAN (my desktop to lab cluster running IPA).

Comment 5 Jim Kinney 2013-11-08 14:04:09 UTC
AARRGGH!

Now it's working. I chased a new user not being able to log in to anything all yesterday. The GUI showed the account was active and I couldn't log in to reset the password on any system but the ipa server. So I dumped the account and did it over the CLI and instantly everything worked.

I just created a dummy account to test this for the bugzilla and it all worked. New user in the gui, id new-user on non-ipa server instantly showed new-user.

AND I was able to log into the ipa gui from a remote browser with admin password. That has never worked before. Last updates were Oct 30 so I'm stumped.

Let's close this as a non-issue.
