Description of problem:
ipa-client-install displays the below message during installation.

Unable to find 'admin' user with 'getent passwd admin'!
Unable to reliably detect configuration. Check NSS setup manually.

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-8.el7.x86_64
ipa-client-4.4.0-8.el7.x86_64
sssd-1.14.0-27.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install ipa-server
   #ipa-server-install --no-dnssec-validation --setup-dns -n REDLABS.QE -p <password> -a <password> -r REDLABS.QE --hostname=ipaserver.redlabs.qe --ip-address=<IP-address>
2. Install ipa-client
3. Check the message displayed on the console.

Actual results:
On the client machine the below message is displayed.

[root@client ~]# ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Client hostname: client.redlabs.qe
Realm: REDLABS.QE
DNS Domain: redlabs.qe
IPA Server: ipaserver.redlabs.qe
BaseDN: dc=redlabs,dc=qe

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=REDLABS.QE
    Issuer:      CN=Certificate Authority,O=REDLABS.QE
    Valid From:  Mon Aug 22 08:44:21 2016 UTC
    Valid Until: Fri Aug 22 08:44:21 2036 UTC

Enrolled in IPA realm REDLABS.QE
Created /etc/ipa/default.conf
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm REDLABS.QE
trying https://ipaserver.redlabs.qe/ipa/json
Forwarding 'ping' to json server 'https://ipaserver.redlabs.qe/ipa/json'
Forwarding 'ca_is_enabled' to json server 'https://ipaserver.redlabs.qe/ipa/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://ipaserver.redlabs.qe/ipa/json'
SSSD enabled
SSSD service restart was unsuccessful.
Configured /etc/openldap/ldap.conf
Unable to find 'admin' user with 'getent passwd admin'!
Unable to reliably detect configuration. Check NSS setup manually.
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring redlabs.qe as NIS domain.
Client configuration complete.

===Status of sssd service===

[root@client ~]# systemctl status sssd.service
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/sssd.service.d
           └─journal.conf
   Active: failed (Result: exit-code) since Mon 2016-08-22 14:39:41 IST; 1min 2s ago

Aug 22 14:39:41 client.redlabs.qe systemd[1]: Starting System Security Services Daemon...
Aug 22 14:39:41 client.redlabs.qe systemd[1]: sssd.service: control process exited, code=exited status=3
Aug 22 14:39:41 client.redlabs.qe systemd[1]: Failed to start System Security Services Daemon.
Aug 22 14:39:41 client.redlabs.qe systemd[1]: Unit sssd.service entered failed state.
Aug 22 14:39:41 client.redlabs.qe systemd[1]: sssd.service failed.

===sssd.conf configuration on IPA client====

[root@client ~]# cat /etc/sssd/sssd.conf
[domain/redlabs.qe]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = redlabs.qe
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = client.redlabs.qe
chpass_provider = ipa
ipa_server = _srv_, ipaserver.redlabs.qe
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
config_file_version = 2
services = nss, sudo, pam, ssh
domains = shadowutils, redlabs.qe

[nss]

[pam]

[domain/shadowutils]
id_provider = proxy
proxy_lib_name = files
auth_provider = proxy
proxy_pam_target = sssd-shadowutils
proxy_fast_alias = True

[ssh]

[sudo]

[root@client ~]# rpm -qf /etc/sssd/sssd.conf
sssd-common-1.14.0-27.el7.x86_64

[root@ipaserver ~]# getent passwd admin
admin:*:820400000:820400000:Administrator:/home/admin:/bin/bash

[root@client ~]# getent passwd admin

Expected results:
1. The message displayed during installation should be fixed.
2. getent passwd admin should display same output as seen in the IPA-server
3. sssd.conf configuration needs fix.
4. sssd service should be running on ipa-client.

Additional info:

*** Bug 1368969 has been marked as a duplicate of this bug. ***
Anything in SSSD logs?
Yeah, this is really not a useful bug report. Please see https://fedorahosted.org/sssd/wiki/Reporting_sssd_bugs and https://fedorahosted.org/sssd/wiki/Troubleshooting
Jakub,

After adding sss against initgroups in nsswitch.conf file, the warning message is not displayed on the client and the admin user is also resolved on the client.

[root@client ~]# ipa-client-install
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Discovery was successful!
Client hostname: client.redlabs.qe
Realm: REDLABS.QE
DNS Domain: redlabs.qe
IPA Server: replica.redlabs.qe
BaseDN: dc=redlabs,dc=qe

Continue to configure the system with these values? [no]: yes
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=REDLABS.QE
    Issuer:      CN=Certificate Authority,O=REDLABS.QE
    Valid From:  Mon Aug 22 08:44:21 2016 UTC
    Valid Until: Fri Aug 22 08:44:21 2036 UTC

Enrolled in IPA realm REDLABS.QE
Created /etc/ipa/default.conf
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm REDLABS.QE
trying https://replica.redlabs.qe/ipa/json
Forwarding 'schema' to json server 'https://replica.redlabs.qe/ipa/json'
trying https://replica.redlabs.qe/ipa/session/json
Forwarding 'ping' to json server 'https://replica.redlabs.qe/ipa/session/json'
Forwarding 'ca_is_enabled' to json server 'https://replica.redlabs.qe/ipa/session/json'
Systemwide CA database updated.
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Forwarding 'host_mod' to json server 'https://replica.redlabs.qe/ipa/session/json'
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring redlabs.qe as NIS domain.
Client configuration complete.

[root@client ~]# getent passwd admin
admin:*:820400000:820400000:Administrator:/home/admin:/bin/bash

[root@client ~]# id admin
uid=820400000(admin) gid=820400000(admins) groups=820400000(admins)

[root@client ~]# service sssd status
Redirecting to /bin/systemctl status sssd.service
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/sssd.service.d
           └─journal.conf
   Active: active (running) since Mon 2016-08-22 16:27:13 IST; 5s ago
  Process: 3242 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=0/SUCCESS)
 Main PID: 3243 (sssd)
   CGroup: /system.slice/sssd.service
           ├─3243 /usr/sbin/sssd -D -f
           ├─3244 /usr/libexec/sssd/sssd_be --domain shadowutils --uid 0 --gid 0 --debug-to-files
           ├─3245 /usr/libexec/sssd/sssd_be --domain redlabs.qe --uid 0 --gid 0 --debug-to-files
           ├─3246 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
           ├─3247 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
           ├─3248 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
           ├─3249 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files
           └─3250 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files

Aug 22 16:27:13 client.redlabs.qe sssd[ssh][3249]: Starting up
Aug 22 16:27:13 client.redlabs.qe sssd[nss][3246]: Starting up
Aug 22 16:27:13 client.redlabs.qe sssd[sudo][3247]: Starting up
Aug 22 16:27:13 client.redlabs.qe sssd[pam][3248]: Starting up
Aug 22 16:27:13 client.redlabs.qe sssd[pac][3250]: Starting up
Aug 22 16:27:13 client.redlabs.qe systemd[1]: Started System Security Services Daemon.
Aug 22 16:27:14 client.redlabs.qe sssd_be[3245]: GSSAPI client step 1
Aug 22 16:27:14 client.redlabs.qe sssd_be[3245]: GSSAPI client step 1
Aug 22 16:27:14 client.redlabs.qe sssd_be[3245]: GSSAPI client step 1
Aug 22 16:27:14 client.redlabs.qe sssd_be[3245]: GSSAPI client step 2

Related to bz1366569

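
Added example, not part of the original thread and not code from the IPA or SSSD projects: a POSIX shell check for the condition the comment above describes, whether "sss" is listed as a source for initgroups (and passwd, group) in an nsswitch.conf. The function names and the two sample files are constructed for illustration; the page does not show the client's actual nsswitch.conf.

```shell
#!/bin/sh
# nss_sss_status FILE DB...
# Prints one line per database: "<db> ok", "<db> missing-sss" or "<db> no-entry".
nss_sss_status() {
    conf=$1; shift
    for db in "$@"; do
        awk -v db="$db" '
            { sub(/#.*/, "") }                       # strip comments
            {
                n = index($0, ":"); if (n == 0) next
                name = substr($0, 1, n - 1)
                gsub(/[ \t]/, "", name)
                if (name != db) next
                found = 1
                # exact token match, so "[NOTFOUND=return]" or "sssx" never count
                cnt = split(substr($0, n + 1), src, /[ \t]+/)
                for (i = 1; i <= cnt; i++) if (src[i] == "sss") has = 1
            }
            END {
                if (!found)   print db, "no-entry"
                else if (has) print db, "ok"
                else          print db, "missing-sss"
            }' "$conf"
    done
}

# nss_sss_check FILE
# Returns 0 only if passwd, group and initgroups all list sss; otherwise
# prints the databases that do not and returns 1.
nss_sss_check() {
    nss_sss_status "$1" passwd group initgroups | grep -v ' ok$' && return 1
    return 0
}

# Constructed samples (assumed content): sss absent from, then added to, initgroups.
tmp=$(mktemp -d)
printf '%s\n' '# sample' 'passwd: files sss' 'group: files sss' \
    'initgroups: files' > "$tmp/before"
printf '%s\n' '# sample' 'passwd: files sss' 'group: files sss' \
    'initgroups: files sss' > "$tmp/after"

echo "before:"; nss_sss_status "$tmp/before" passwd group initgroups
echo "after:";  nss_sss_status "$tmp/after"  passwd group initgroups
```

On a real client, run nss_sss_check /etc/nsswitch.conf, then confirm with getent passwd admin and id admin as in the comment above.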
Then I believe we can close this as a duplicate of #1366569 right?
*** This bug has been marked as a duplicate of bug 1366569 ***