Bug 1368973 - ipa-client-install: Unable to reliably detect configuration. Check NSS setup manually
Status: CLOSED DUPLICATE of bug 1366569
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Kaleem
Duplicates: 1368969
Depends On: 1366569 1371879
Reported: 2016-08-22 09:22 UTC by Sudhir Menon
Modified: 2016-08-31 12:56 UTC
Last Closed: 2016-08-31 12:56:33 UTC

Description Sudhir Menon 2016-08-22 09:22:01 UTC
Description of problem: ipa-client-install displays the below message during installation.
 
Unable to find 'admin' user with 'getent passwd admin'!
Unable to reliably detect configuration. Check NSS setup manually.

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-8.el7.x86_64
ipa-client-4.4.0-8.el7.x86_64
sssd-1.14.0-27.el7.x86_64

How reproducible: Always

Steps to Reproduce:
1. Install ipa-server
 
#ipa-server-install --no-dnssec-validation --setup-dns -n REDLABS.QE -p <password> -a <password> -r REDLABS.QE --hostname=ipaserver.redlabs.qe --ip-address=<IP-address>
 
2. Install ipa-client
3. Check the message displayed on the console.
 
Actual results: On the client machine the below message is displayed.
 
[root@client ~]# ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd
 
Discovery was successful!
Client hostname: client.redlabs.qe
Realm: REDLABS.QE
DNS Domain: redlabs.qe
IPA Server: ipaserver.redlabs.qe
BaseDN: dc=redlabs,dc=qe
 
Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=REDLABS.QE
    Issuer:      CN=Certificate Authority,O=REDLABS.QE
    Valid From:  Mon Aug 22 08:44:21 2016 UTC
    Valid Until: Fri Aug 22 08:44:21 2036 UTC
 
Enrolled in IPA realm REDLABS.QE
Created /etc/ipa/default.conf
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm REDLABS.QE
trying https://ipaserver.redlabs.qe/ipa/json
Forwarding 'ping' to json server 'https://ipaserver.redlabs.qe/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://ipaserver.redlabs.qe/ipa/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://ipaserver.redlabs.qe/ipa/json'
SSSD enabled
SSSD service restart was unsuccessful.
Configured /etc/openldap/ldap.conf
Unable to find 'admin' user with 'getent passwd admin'!
Unable to reliably detect configuration. Check NSS setup manually.
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring redlabs.qe as NIS domain.
Client configuration complete.

===Status of sssd service===
[root@client ~]# systemctl status sssd.service
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/sssd.service.d
           └─journal.conf
   Active: failed (Result: exit-code) since Mon 2016-08-22 14:39:41 IST; 1min 2s ago
Aug 22 14:39:41 client.redlabs.qe systemd[1]: Starting System Security Services Daemon...
Aug 22 14:39:41 client.redlabs.qe systemd[1]: sssd.service: control process exited, code=exited status=3
Aug 22 14:39:41 client.redlabs.qe systemd[1]: Failed to start System Security Services Daemon.
Aug 22 14:39:41 client.redlabs.qe systemd[1]: Unit sssd.service entered failed state.
Aug 22 14:39:41 client.redlabs.qe systemd[1]: sssd.service failed.
 
===sssd.conf configuration on IPA client====

[root@client ~]# cat /etc/sssd/sssd.conf
[domain/redlabs.qe]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = redlabs.qe
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.redlabs.qe
chpass_provider = ipa
ipa_server = _srv_, ipaserver.redlabs.qe
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
config_file_version = 2
services = nss, sudo, pam, ssh
domains = shadowutils, redlabs.qe
 
[nss]
 
[pam]
 
[domain/shadowutils]
id_provider = proxy
proxy_lib_name = files
 
auth_provider = proxy
proxy_pam_target = sssd-shadowutils
 
proxy_fast_alias = True
[ssh]
 
[sudo]
 
[root@client ~]# rpm -qf /etc/sssd/sssd.conf
sssd-common-1.14.0-27.el7.x86_64

[root@ipaserver ~]# getent passwd admin
admin:*:820400000:820400000:Administrator:/home/admin:/bin/bash

[root@client ~]# getent passwd admin

Expected results: 

1. The message displayed during installation should be fixed.
2. getent passwd admin should display same output as seen in the IPA-server
3. sssd.conf configuration needs fix.
4. sssd service should be running on ipa-client.

Additional info:

Comment 1 Sudhir Menon 2016-08-22 09:24:39 UTC
*** Bug 1368969 has been marked as a duplicate of this bug. ***

Comment 4 Petr Vobornik 2016-08-22 10:29:46 UTC
Anything in SSSD logs?

Comment 5 Jakub Hrozek 2016-08-22 10:39:20 UTC
Yeah, this is really not a useful bug report. Please see https://fedorahosted.org/sssd/wiki/Reporting_sssd_bugs and https://fedorahosted.org/sssd/wiki/Troubleshooting

Comment 6 Sudhir Menon 2016-08-22 11:01:36 UTC
Jakub,

After adding sss against initgroups in nsswitch.conf file, the warning message is not displayed on the client and the admin user is also resolved on the client.

[root@client ~]# ipa-client-install 
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Client hostname: client.redlabs.qe
Realm: REDLABS.QE
DNS Domain: redlabs.qe
IPA Server: replica.redlabs.qe
BaseDN: dc=redlabs,dc=qe

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin: 
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=REDLABS.QE
    Issuer:      CN=Certificate Authority,O=REDLABS.QE
    Valid From:  Mon Aug 22 08:44:21 2016 UTC
    Valid Until: Fri Aug 22 08:44:21 2036 UTC

Enrolled in IPA realm REDLABS.QE
Created /etc/ipa/default.conf
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm REDLABS.QE
trying https://replica.redlabs.qe/ipa/json
Forwarding 'schema' to json server 'https://replica.redlabs.qe/ipa/json'
trying https://replica.redlabs.qe/ipa/session/json
Forwarding 'ping' to json server 'https://replica.redlabs.qe/ipa/session/json'
Forwarding 'ca_is_enabled' to json server 'https://replica.redlabs.qe/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://replica.redlabs.qe/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring redlabs.qe as NIS domain.
Client configuration complete.


[root@client ~]# getent passwd admin
admin:*:820400000:820400000:Administrator:/home/admin:/bin/bash

[root@client ~]# id admin
uid=820400000(admin) gid=820400000(admins) groups=820400000(admins)

[root@client ~]# service sssd status
Redirecting to /bin/systemctl status  sssd.service
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/sssd.service.d
           └─journal.conf
   Active: active (running) since Mon 2016-08-22 16:27:13 IST; 5s ago
  Process: 3242 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=0/SUCCESS)
 Main PID: 3243 (sssd)
   CGroup: /system.slice/sssd.service
           ├─3243 /usr/sbin/sssd -D -f
           ├─3244 /usr/libexec/sssd/sssd_be --domain shadowutils --uid 0 --gid 0 --debug-to-files
           ├─3245 /usr/libexec/sssd/sssd_be --domain redlabs.qe --uid 0 --gid 0 --debug-to-files
           ├─3246 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
           ├─3247 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
           ├─3248 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
           ├─3249 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files
           └─3250 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files

Aug 22 16:27:13 client.redlabs.qe sssd[ssh][3249]: Starting up
Aug 22 16:27:13 client.redlabs.qe sssd[nss][3246]: Starting up
Aug 22 16:27:13 client.redlabs.qe sssd[sudo][3247]: Starting up
Aug 22 16:27:13 client.redlabs.qe sssd[pam][3248]: Starting up
Aug 22 16:27:13 client.redlabs.qe sssd[pac][3250]: Starting up
Aug 22 16:27:13 client.redlabs.qe systemd[1]: Started System Security Services Daemon.
Aug 22 16:27:14 client.redlabs.qe sssd_be[3245]: GSSAPI client step 1
Aug 22 16:27:14 client.redlabs.qe sssd_be[3245]: GSSAPI client step 1
Aug 22 16:27:14 client.redlabs.qe sssd_be[3245]: GSSAPI client step 1
Aug 22 16:27:14 client.redlabs.qe sssd_be[3245]: GSSAPI client step 2

Related to bz1366569
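
The check that Comment 6 describes (whether `sss` is listed against `initgroups` in nsswitch.conf), as an added example that is not part of the original comment or of the IPA/SSSD tooling: a shell function that reports which of the passwd, group and initgroups databases have a line without the `sss` source. The function name and both file contents are constructed for illustration; the page does not show the client's actual nsswitch.conf.

```shell
#!/bin/sh
# Added example (not from the bug report): list which of the passwd, group and
# initgroups databases have an nsswitch.conf line that does not name "sss".

# nss_missing_sss FILE
# Prints one database name per line. A database with no line in FILE is not
# reported: glibc uses the "group" entry when "initgroups" is absent.
nss_missing_sss() {
    awk '
        { sub(/#.*/, "") }                        # strip comments
        /^[ \t]*(passwd|group|initgroups)[ \t]*:/ {
            split($0, kv, ":")
            db = kv[1]; gsub(/[ \t]/, "", db)
            has_sss = 0
            n = split(kv[2], src, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (src[i] == "sss") has_sss = 1
            if (!has_sss) print db
        }
    ' "$1"
}

# Constructed samples; the page does not show the client's nsswitch.conf.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/before.conf" <<'EOF'
passwd:     files sss
shadow:     files sss
group:      files sss
initgroups: files
EOF

cat > "$demo_dir/after.conf" <<'EOF'
passwd:     files sss
shadow:     files sss
group:      files sss
initgroups: files sss
EOF

echo "before: $(nss_missing_sss "$demo_dir/before.conf")"
echo "after:  $(nss_missing_sss "$demo_dir/after.conf")"
```

On an enrolled client, pass `/etc/nsswitch.conf` as the argument; an empty result means every listed database names `sss`, after which `getent passwd admin` and `id admin` confirm the lookup end to end.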

Comment 7 Jakub Hrozek 2016-08-22 11:20:06 UTC
Then I believe we can close this as a duplicate of #1366569 right?

Comment 8 Martin Bašti 2016-08-31 12:56:33 UTC

*** This bug has been marked as a duplicate of bug 1366569 ***

