Created attachment 1499980 [details] output of 'journalctl -xe'

Description of problem:
When joining a Fedora client to FreeIPA, switching to users in the IPA domain is not possible because sssd is not able to start.

Version-Release number of selected component (if applicable):
sssd: 2.0.0-4.fc29
ipa-client: 4.7.0-3.fc29

How reproducible:

Steps to Reproduce:
1. dnf -y install ipa-client
2. ipa-client-install
3.

Actual results:
Switching to users stored in IPA is not possible because users are not found and sssd.service does not start.

Expected results:
Switching to users stored in IPA should work.

Additional info:
Already tested on a freshly installed VM to make it work and got the same result.
Created attachment 1499981 [details] output of 'systemctl status -l sssd.service'
I'm sorry about the bug. Can you also provide sssd debug logs? Please see https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html and https://docs.pagure.org/SSSD.sssd/users/reporting_bugs.html
Created attachment 1500492 [details] changed debug to 'debug_level = 8'
Created attachment 1500493 [details] domain log
Created attachment 1500494 [details] nss log
In the domain log there is '[select_principal_from_keytab] (0x0010): Failed to read keytab [default]: No such file or directory' Does /etc/krb5.keytab exists and contains valid keys? 'klist -k' should show the host keys from this file.
[ag@f29 ~]$ sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/f29.domain.com
   2 nfs/f29.domain.com

Apparently it does not show the host/f29.domain.com principal, only the nfs one.
Then maybe the client needs to be re-joined? It would still be a bug if you're seeing an apparent crash:

Oct 31 20:28:03 f29.domain.com sssd[9541]: dbus[9784]: arguments to dbus_bus_request_name() were incorrect, assertion "_dbus_check_is_valid_bus_name (name)" failed in file ../../dbus/dbus-bus.c lin>

but maybe joining the client could at least get you up and running?
May I see your sssd.conf please? I am especially interested in the unsanitized domain name, since it might have caused the dbus error that Jakub mentioned in the previous comment.
I re-joined the client and see the host principal now:

[ag@f29 ~]$ sudo klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/f29.domain.com
   1 host/f29.domain.com

Still, the same result: sssd.service is not able to start, nor do I get any information about any user that is stored in IPA. I'll attach the updated log files.
Created attachment 1500506 [details] sssd.conf
Created attachment 1500507 [details] sssd.log
Created attachment 1500508 [details] sssd_domain.com.log
Created attachment 1500509 [details] sssd_nss.log
I guess Pavel might be right about the domain name, can you try to remove the leading number from the domain name in the [domain/15knetworks.com] and 'domains = 15knetworks.com' but keep them in all other places?
Thanks for the suggestion, sssd starts now as expected. Anyway, I've got some questions about that behavior:
1. What is causing this problem in sssd-2.0.0?
2. Why has it been working with sssd-1.16.0?
3. Is it supposed to work with numbers in the domain name?
4. What impacts should be expected by removing the numbers?
ad 1 and 2) We switched to a different internal implementation of the D-Bus protocol in 2.0, which gives us more functions and testing capabilities. Unfortunately, as this bugzilla reveals, we failed to correctly translate the domain name into a D-Bus name.

ad 3) Yes, this is a bug in sssd-2.0.

ad 4) Reading your configuration, there should be no impact if you remove the number as a workaround for now. The impact would be in case you used a fully qualified name, i.e. user@15domain would not be found because the new name would be user@domain.

Snippet from the specification:
- Interface names are composed of 1 or more elements separated by a period ('.') character. All elements must contain at least one character.
- Each element must only contain the ASCII characters "[A-Z][a-z][0-9]_" and must not begin with a digit.
- Interface names must contain at least one '.' (period) character (and thus at least two elements).
- Interface names must not begin with a '.' (period) character.
- Interface names must not exceed the maximum name length.

We need to make sss_iface_domain_bus() more robust.
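The naming rules quoted in the comment above, turned into a checker plus a sanitiser, as an added example that is not SSSD's code and not the fix that landed upstream. The function names is_valid_dbus_name(), sanitize_dbus_name() and sanitized_name(), the "sssd.domain" prefix, and the choice to prepend '_' to an element that starts with a digit are assumptions for this illustration. The rules implemented are the interface-name rules quoted in the comment; the bus-name check that fired in the journal additionally tolerates '-', but shares the no-leading-digit rule that a domain such as 15knetworks.com breaks.

```c
/* Added example, not SSSD code: validate and sanitise a domain name into
 * a D-Bus-style name following the interface-name rules quoted above.
 * All function names and the "sssd.domain" prefix are assumptions. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DBUS_MAX_NAME_LEN 255           /* "must not exceed the maximum name length" */
#define DOMAIN_BUS_PREFIX "sssd.domain"  /* assumed prefix for per-domain names */

/* Allowed element characters: [A-Z][a-z][0-9]_ */
static bool is_name_char(char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
        || (c >= '0' && c <= '9') || c == '_';
}

/* Return true iff name satisfies every rule in the quoted snippet:
 * non-empty elements separated by '.', only [A-Za-z0-9_], no element
 * beginning with a digit, at least two elements, no leading '.', <= 255. */
bool is_valid_dbus_name(const char *name)
{
    size_t len = strlen(name);
    int elements = 0;
    bool at_element_start = true;

    if (len == 0 || len > DBUS_MAX_NAME_LEN || name[0] == '.') {
        return false;
    }
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        if (c == '.') {
            if (at_element_start) {
                return false;            /* empty element ("a..b") */
            }
            at_element_start = true;
            continue;
        }
        if (!is_name_char(c)) {
            return false;                /* e.g. '-' or non-ASCII */
        }
        if (at_element_start) {
            if (isdigit((unsigned char)c)) {
                return false;            /* "15knetworks" starts with a digit */
            }
            elements++;
            at_element_start = false;
        }
    }
    return !at_element_start && elements >= 2; /* no trailing '.', >= 2 elements */
}

/* Build "<prefix>.<domain>" into out, rewriting the domain so the result is
 * valid: characters outside [A-Za-z0-9_] become '_', an element that starts
 * with a digit gets a leading '_', and an empty element becomes "_".
 * Returns false if out is too small or the result is still invalid. */
bool sanitize_dbus_name(const char *prefix, const char *domain,
                        char *out, size_t out_len)
{
    size_t plen = strlen(prefix);
    size_t n = 0;
    bool at_element_start = true;

    if (plen + 2 > out_len) {            /* prefix + '.' + NUL must fit */
        return false;
    }
    memcpy(out, prefix, plen);
    n = plen;
    out[n++] = '.';

    for (const char *p = domain;; p++) {
        char c = *p;
        if (c == '\0' || c == '.') {
            if (at_element_start) {      /* empty element: emit "_" */
                if (n + 1 >= out_len) return false;
                out[n++] = '_';
            }
            if (c == '\0') break;
            if (n + 1 >= out_len) return false;
            out[n++] = '.';
            at_element_start = true;
            continue;
        }
        if (at_element_start && isdigit((unsigned char)c)) {
            if (n + 1 >= out_len) return false;
            out[n++] = '_';              /* "15knetworks" -> "_15knetworks" */
        }
        if (n + 1 >= out_len) return false;
        out[n++] = is_name_char(c) ? c : '_';
        at_element_start = false;
    }
    out[n] = '\0';
    return is_valid_dbus_name(out);
}

/* Convenience wrapper: sanitised name for domain under DOMAIN_BUS_PREFIX,
 * or NULL on failure (static buffer, not thread-safe). */
const char *sanitized_name(const char *domain)
{
    static char buf[DBUS_MAX_NAME_LEN + 1];
    return sanitize_dbus_name(DOMAIN_BUS_PREFIX, domain, buf, sizeof(buf)) ? buf : NULL;
}

int main(void)
{
    /* Constructed sample domains, including the reporter's digit-led one. */
    const char *domains[] = { "15knetworks.com", "example.com", "my-domain.local" };
    for (size_t i = 0; i < sizeof(domains) / sizeof(domains[0]); i++) {
        char raw[DBUS_MAX_NAME_LEN + 1];
        snprintf(raw, sizeof(raw), "%s.%s", DOMAIN_BUS_PREFIX, domains[i]);
        printf("%-32s raw %s  sanitised %s\n", raw,
               is_valid_dbus_name(raw) ? "valid  " : "invalid",
               sanitized_name(domains[i]));
    }
    return 0;
}
```

The unsanitised "sssd.domain.15knetworks.com" fails the check exactly where the dbus assertion did (an element beginning with a digit), while the sanitised "sssd.domain._15knetworks.com" passes. One caveat with this kind of character rewriting: it is not injective, so "my-domain" and "my_domain" map to the same bus name; code that serves several domains on one bus needs a collision-free encoding or a per-domain lookup rather than relying on the rewritten string alone.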
Alright, thanks for clarifying and the workaround.
Upstream ticket: https://pagure.io/SSSD/sssd/issue/3872
* master: f47940356462a3f477fe462e71d7680c959300db
https://bodhi.fedoraproject.org/updates/FEDORA-2019-efe7e2c5cf