Description of problem:
Adding users by the web GUI results in users visible only in the GUI and not by an ipa-client system. Neither id user-foo nor getent password user-foo has any knowledge of user-foo. However, the master ipa server does know user-foo.
If adding a user by ipa user-add user-foo, all clients know user-foo instantly.
Version-Release number of selected component (if applicable):
ipa-server-3.0.0-26.el6_4.4.x86_64
How reproducible:
every time
Steps to Reproduce:
1. create new user in gui
2. run id or getent password on new user on non-ipa server and user not found
Actual results:
user not found
Expected results:
user ID and GID
Additional info:
This obviously should not happen. We need more data to investigate though.
1) Is the client enrolled with an IPA server?
2) Is SSSD service running on that client?
3) Does 'id user-foo' work on the server?
(In reply to Martin Kosek from comment #2)
> This obviously should not happen. We need more data to investigate though.
>
> 1) Is the client enrolled with an IPA server?
Yes. All clients enrolled through ipa-client-install and other users on IPA added earlier through bulk ipa user-add scripts are working.
>
> 2) Is SSSD service running on that client?
Yes. All tested clients have sssd running.
>
> 3) Does 'id user-foo' work on the server?
The ipa server can get id user-foo data just fine. The secondary server has the same issue as clients - no user found.
Also, web GUI access is over an ssh -X connection to the master IPA server, then kinit admin, then firefox localhost. The browser has been set up to understand the Kerberos tickets but still doesn't allow access based on kinit for either a local (to the server) browser or a remote browser on a client.
Clients are Fedora 19 and CentOS 6.4. Most are connecting over a single switch hop but some are over the campus WAN (my desktop to lab cluster running IPA).
AARRGGH!
Now it's working. I chased a new user not being able to log in to anything all yesterday. The GUI showed the account was active and I couldn't log in to reset the password on any system but the ipa server. So I dumped the account and did it over the CLI and instantly everything worked.
I just created a dummy account to test this for the bugzilla and it all worked. New user in the GUI, id new-user on non-ipa server instantly showed new-user.
AND I was able to log into the ipa GUI from a remote browser with admin password. That has never worked before. Last updates were Oct 30 so I'm stumped.
Let's close this as a non-issue.