On Fri, Jun 17, 2011 at 6:15 PM, Jeff Schroeder
<jeffschroeder(a)computer.org> wrote:
> On Fri, Jun 17, 2011 at 2:46 PM, Johnny Tan
> <jt(a)renttherunway.com> wrote:
>> On Fri, Jun 17, 2011 at 5:37 PM, Jeff Schroeder
>> <jeffschroeder(a)computer.org> wrote:
>>> On Fri, Jun 17, 2011 at 2:12 PM, Johnny Tan <jt(a)renttherunway.com> wrote:
>>>> I recently set up sssd (sssd-1.2.1-39.el5) in our environment. We have
>>>> an LDAP server running openldap-servers-2.3.43-12.el5_5.2.x86_64.
>>>>
>>>> It seems that certain users can't authenticate to certain servers. All
>>>> servers have identical sssd.conf, nsswitch.conf, and system-auth-ac
>>>> files (pushed by puppet). I haven't yet found a pattern as to which
>>>> users and which servers, as it seems to be random.
>>> ... snip ...
>>>
>>>> My own hypothesis is that the successful auth is using cached
>>>> credentials (since jt has logged in previously), but the failed one is
>>>> from a user that has not successfully logged into the server. But if
>>>> I'm correct, what I don't get is why sssd cannot pull information from
>>>> the LDAP provider. It's online and serving out requests, and the
>>>> failed user on this machine has successfully logged in for the first
>>>> time on a couple other servers in the same timeframe.
>>>>
>>>> Thoughts?
>>>> johnny
>>>
>>> Can you reproduce this? If you can, login as a separate user such as
>>> yourself or root and run something like:
>>> getent passwd faileduser@LDAP
>>> getent group groupthatfailedusershouldbein@LDAP
>>
>> [root@www01:~]# getent passwd iambot@LDAP
>> iambot:*:10079:10022::/home/iambot:/bin/bash
>> [root@www01:~]# getent group staff@LDAP
>>
>> Not sure what this means, but even the group for the
>> successfuluser@LDAP is blank. In fact, none of the LDAP groups return
>> anything.
>>
>>
>>> It might very well be something related to the cache cleanup bug I've
>>> run into with that exact same version of sssd (RHEL 5.6 perhaps?)
>>
>> CentOS-5.5, but sssd was almost certainly pulled from the 5.6 updates.
>>
>> Do you have more info on this bug? Since you mention cache, I'm not
>> entirely sure if it's the same thing, as this faileduser hasn't yet
>> successfully auth'ed to this particular server, so it wouldn't be in
>> cache.
> https://bugzilla.redhat.com/show_bug.cgi?id=675007
Thanks, it doesn't quite look like my problem. Even if the groups are
missing (which indeed, it looks like they are), I don't think that
would account for why this user can't auth to this particular server,
yet other users can, and it can auth to other servers.
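The getent check Jeff suggests is easy to automate across a fleet. The script below is an added example (not part of the thread or of sssd itself): it parses the colon-separated lines that `getent passwd` and `getent group` print and classifies the result as "ok", "user-missing", "group-missing" or "not-member", so the symptom seen above (the passwd entry resolves but the group entry comes back empty) can be detected on every host that puppet manages. The sample passwd line mirrors the one posted in the thread; the group line and gid values are constructed, and the `@LDAP` domain suffix is taken from the thread's examples.

```python
#!/usr/bin/env python3
"""Classify getent(1) output for an sssd/LDAP user and group.

Added example, not code from the mailing-list thread or from sssd.
"""
import subprocess
from typing import Optional

# Constructed samples. The passwd line matches the one posted in the thread;
# the group line and its gid are made up for the example.
SAMPLE_PASSWD = "iambot:*:10079:10022::/home/iambot:/bin/bash\n"
SAMPLE_GROUP_OK = "staff:*:10022:iambot,jt\n"
SAMPLE_GROUP_EMPTY = ""          # what `getent group staff@LDAP` printed on www01


def parse_passwd(line: str) -> Optional[dict]:
    """Parse one passwd(5) line: name:passwd:uid:gid:gecos:home:shell.

    Returns None for empty output (getent found nothing)."""
    line = line.strip()
    if not line:
        return None
    fields = line.split(":")
    if len(fields) != 7:
        raise ValueError(f"malformed passwd line: {line!r}")
    name, _, uid, gid, gecos, home, shell = fields
    return {"name": name, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}


def parse_group(line: str) -> Optional[dict]:
    """Parse one group(5) line: name:passwd:gid:member1,member2,...

    Member names are normalised to their bare form so that fully
    qualified sssd names (user@DOMAIN) compare equal to plain ones."""
    line = line.strip()
    if not line:
        return None
    fields = line.split(":")
    if len(fields) != 4:
        raise ValueError(f"malformed group line: {line!r}")
    name, _, gid, members = fields
    return {"name": name.split("@")[0], "gid": int(gid),
            "members": [m.split("@")[0] for m in members.split(",") if m]}


def classify(passwd_out: str, group_out: str, user: str) -> str:
    """Turn the two getent outputs into one diagnosis for `user`.

    'group-missing' is the state reported in the thread: the NSS passwd
    lookup succeeds but the group lookup returns nothing at all."""
    pw = parse_passwd(passwd_out)
    if pw is None:
        return "user-missing"
    gr = parse_group(group_out)
    if gr is None:
        return "group-missing"
    if user.split("@")[0] in gr["members"] or gr["gid"] == pw["gid"]:
        return "ok"
    return "not-member"


def run_getent(database: str, key: str) -> str:
    """Run `getent <database> <key>` locally; stdout is empty when the key is
    unknown (getent then exits with status 2)."""
    proc = subprocess.run(["getent", database, key],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def check_host(user: str, group: str, domain: str = "LDAP") -> str:
    """Diagnose one user/group pair on this host, e.g. check_host('iambot', 'staff')."""
    return classify(run_getent("passwd", f"{user}@{domain}"),
                    run_getent("group", f"{group}@{domain}"), user)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(classify(SAMPLE_PASSWD, SAMPLE_GROUP_EMPTY, "iambot"))  # group-missing
    print(classify(SAMPLE_PASSWD, SAMPLE_GROUP_OK, "iambot"))     # ok
```

Run `check_host("iambot", "staff")` on an affected box to get the live diagnosis; a result of "group-missing" on a host where the LDAP server answers `ldapsearch` directly points at the client-side NSS/sssd path rather than at the directory, which is the distinction the thread is trying to draw.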