On Fri, Jun 17, 2011 at 5:37 PM, Jeff Schroeder wrote:
On Fri, Jun 17, 2011 at 2:12 PM, Johnny Tan wrote:
> I recently setup sssd (sssd-1.2.1-39.el5) in our environment. We have
> an LDAP server running openldap-servers-2.3.43-12.el5_5.2.x86_64.
> It seems that certain users can't authenticate to certain servers. All
> servers have identical sssd.conf, nsswitch.conf, and system-auth-ac
> files (pushed by puppet). I haven't yet found a pattern as to which
> users and which servers, as it seems to be random.
... snip ...
> My own hypothesis is that the successful auth is using cached
> credentials (since jt has logged in previously), but the failed one is
> from a user that has not successfully logged into the server. But if
> I'm correct, what I don't get is why sssd cannot pull information from
> the LDAP provider. It's online and serving out requests, and the
> failed user on this machine has successfully logged in for the first
> time on a couple other servers in the same timeframe.
Can you reproduce this? If you can, log in as a separate user such as
yourself or root and run something like:
getent passwd faileduser@LDAP
getent group groupthatfailedusershouldbein@LDAP
[root@www01:~]# getent passwd iambot@LDAP
[root@www01:~]# getent group staff@LDAP
Not sure what this means, but even the group for the
successfuluser@LDAP is blank. In fact, none of the LDAP groups return
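Added example, not from the thread: a small POSIX shell script that repeats the two getent checks Jeff suggested for a user and the group it should belong to, and classifies the outcome, so the same check can be run on every affected host. The `@LDAP` suffix is taken from the lookups above and assumed to be the sssd domain name from sssd.conf; `iambot@LDAP` and `staff@LDAP` are the names from the messages. The pattern seen above (passwd entry present, group entry empty) is reported as `user-only`.

```shell
#!/bin/sh
# Added example (not sssd's or the thread's own code): repeat the getent
# checks for a user and its expected group and classify the result.
# Assumptions: the sssd domain is called "LDAP", so fully qualified names
# look like name@LDAP, and getent is the glibc getent from the nsswitch stack.

# check_nss DB NAME: look NAME up in NSS database DB ("passwd" or "group").
# Prints the entry or "(no entry)"; returns 0 if found, 1 if the lookup
# came back empty (which is what the blank getent output above means).
check_nss() {
    db=$1
    name=$2
    out=$(getent "$db" "$name" 2>/dev/null || true)
    if [ -n "$out" ]; then
        printf '%s %s: %s\n' "$db" "$name" "$out"
        return 0
    fi
    printf '%s %s: (no entry)\n' "$db" "$name"
    return 1
}

# diagnose USER GROUP: run both lookups and print one word:
#   ok         both the user and the group resolve through NSS
#   user-only  user resolves, group does not (the symptom in this thread)
#   group-only group resolves, user does not
#   none       neither resolves (provider or nsswitch.conf problem, not a
#              per-entry one)
diagnose() {
    u=0
    g=0
    check_nss passwd "$1" >/dev/null || u=1
    check_nss group  "$2" >/dev/null || g=1
    if [ "$u" -eq 0 ] && [ "$g" -eq 0 ]; then
        echo ok
    elif [ "$u" -eq 0 ]; then
        echo user-only
    elif [ "$g" -eq 0 ]; then
        echo group-only
    else
        echo none
    fi
}

# Usage, run as root or another user while the failure is reproducible:
#   check_nss passwd iambot@LDAP
#   check_nss group  staff@LDAP
#   diagnose iambot@LDAP staff@LDAP
```

Running `diagnose` for the same user and group on a host where that user can log in and on one where they cannot separates a per-host sssd/cache problem (different answers) from a directory-side one (the same answer everywhere).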
It might very well be something related to the cache cleanup bug
ran into with that exact same version of sssd (RHEL 5.6 perhaps?)
CentOS-5.5, but sssd was almost certainly pulled from the 5.6 updates.
Do you have more info on this bug? Since you mention cache, I'm not
entirely sure if it's the same thing, as this faileduser hasn't yet
successfully auth'ed to this particular server, so it wouldn't be in