On Thu, May 23, 2013 at 10:32:21AM -0400, Will_Darton@navyfederal.org wrote:
Does anyone have any experience with using IBM IHS Apache and sssd together? I've got some RHEL6.4 servers that need to use IBM IHS for apache.
The 'User <user>' in the httpd.conf file is set to a userid that is present in LDAP (via sssd) and can be su - <userid> without any issue, but httpd will not start, and kicks back
httpd: <user> is not a valid user.
I would think Apache would use nss to get this information, but I can't find any errors in the sssd_nss logs to indicate a problem.
Thoughts?
This might actually be similar to another issue on this list -- do you know if apache starts before or after SSSD?
On 05/23/2013 10:55 AM, Will_Darton@navyfederal.org wrote:
This is straight from the command line. No daemons or init.d services in play here.
# su - wasadmin
$ id
uid=1209(wasadmin) gid=1209(was) groups=1209(was),1230(abcadmin),1231(enetstaf),2209(ibmcmgrp)
$ getent passwd wasadmin
wasadmin:*:1209:1209:WebSphere admin:/home/wasadmin:/bin/ksh
$ id
$ pwd
$ . /opt/ihs/70/bin/envvars
$ /opt/ihs/70/bin/httpd -d /opt/ihs/70 -k start
httpd: bad user name wasadmin
Can it be related to some groups? Can it be that apache expects the user to be a member of a group which he is not in this case?
/* ----------------------------- Will Darton I.T. Operations Information Services Navy Federal Credit Union wk 703.255.8639 cell: 703.232.2344 will_darton@navyfederal.org */
From: Jakub Hrozek jhrozek@redhat.com
To: sssd-users@lists.fedorahosted.org,
Date: 05/23/2013 10:51 AM
Subject: Re: [SSSD-users] IBM IHS Apache and SSSD
Sent by: sssd-users-bounces@lists.fedorahosted.org
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
On Thu, May 23, 2013 at 10:32:21AM -0400, Will_Darton@navyfederal.org wrote:
Does anyone have any experience with using IBM IHS Apache and sssd together? I've got some RHEL6.4 servers that need to use IBM IHS for apache.
The 'User <user>' in the httpd.conf file is set to a userid that is present in LDAP (via sssd) and can be su - <userid> without any issue, but httpd will not start, and kicks back
httpd: <user> is not a valid user.
I would think Apache would use nss to get this information, but I can't find any errors in the sssd_nss logs to indicate a problem.
Thoughts?
Does getent passwd <user> also work fine?
Did you see the user being requested in the NSS logs at all? Please note that in 6.4 some requests might be served from the memory cache and not make their way to the nss responder at all. Running sss_cache -UG should clear the cache for you.
Then I would suggest checking if apache requests the user with the standard interface or whether it just reads /etc/passwd. Maybe something like:
# strace httpd -DNO_DETACH -DFOREGROUND -k start 2>&1 | grep sss
btw I just ran a 5-minute test here and was able to start Apache (httpd-2.4.4-2.fc18.x86_64) that used user and group from IPA just fine.
On Thu, 2013-05-23 at 11:40 -0400, Will_Darton@navyfederal.org wrote:
getent passwd returns results as I suspect.
# getent passwd wasadmin
wasadmin:*:1209:1209:WebSphere admin:/home/wasadmin:/bin/ksh
Thanks for the suggestion on strace.. I think that helped me find the source of the problem. I'm guessing that the issue is that there is no 32 bit libnss support?
Install the i686 version of sssd-client
On RHEL it would be: yum install sssd-client-1.9.2-82.7.el6_4.i686
Simo.
On Thu, May 23, 2013 at 11:40:54AM -0400, Will_Darton@navyfederal.org wrote:
getent passwd returns results as I suspect.
# getent passwd wasadmin
wasadmin:*:1209:1209:WebSphere admin:/home/wasadmin:/bin/ksh
Thanks for the suggestion on strace.. I think that helped me find the source of the problem. I'm guessing that the issue is that there is no 32 bit libnss support?
Yes, there is, you just need to install the 32bit version of sssd-client. I do the same in order to get acroread (stupid govt taxes form only works in acroread) working:
# yum install sssd-client.i686
# file httpd
httpd: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), not stripped
Right, I didn't think that the binary could have been native.
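The cause found in this thread, a 32-bit httpd on a host that only has the 64-bit sssd-client NSS module, can be checked for directly. The script below is an added example, not part of the original thread; it assumes the RHEL multilib layout (32-bit modules under /lib or /usr/lib, 64-bit under /lib64 or /usr/lib64), and the function names and the optional ROOT argument are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the RHEL multilib layout:
# 32-bit NSS modules in /lib or /usr/lib, 64-bit ones in /lib64 or /usr/lib64.

# elf_class FILE: print 32 or 64 from EI_CLASS (5th byte of the ELF header).
elf_class() {
    set -- $(od -An -tx1 -N5 "$1" 2>/dev/null)
    [ "$1$2$3$4" = "7f454c46" ] || return 1
    case "$5" in 01) echo 32 ;; 02) echo 64 ;; *) return 1 ;; esac
}

# nss_sources DB CONF: print the sources nsswitch.conf lists for DB.
nss_sources() {
    sed -n "s/#.*//; s/^$1:[[:space:]]*//p" "$2" | tr -s ' \t' '\n' | grep -v '^\['
}

# missing_nss_modules BIN [ROOT]: print each passwd source that has no
# libnss_<source>.so.2 for BIN's word size. ROOT (hypothetical) is a prefix
# so the check can run against a test tree instead of the live system.
missing_nss_modules() {
    root=${2:-}
    class=$(elf_class "$1") || { echo "not an ELF file: $1" >&2; return 2; }
    [ "$class" = 32 ] && dirs="lib usr/lib" || dirs="lib64 usr/lib64"
    for src in $(nss_sources passwd "$root/etc/nsswitch.conf"); do
        found=no
        for d in $dirs; do
            [ -e "$root/$d/libnss_$src.so.2" ] && found=yes
        done
        [ "$found" = yes ] || echo "$src"
    done
}

# make_sample DIR: constructed tree like the thread's host: 64-bit sss module
# only, plus stub ELF headers standing in for a 32-bit and a 64-bit binary.
make_sample() {
    mkdir -p "$1/etc" "$1/lib" "$1/lib64"
    printf 'passwd:     files sss\n' > "$1/etc/nsswitch.conf"
    touch "$1/lib/libnss_files.so.2" "$1/lib64/libnss_files.so.2" \
          "$1/lib64/libnss_sss.so.2"
    printf '\177ELF\001' > "$1/httpd32"    # EI_CLASS=1, 32-bit
    printf '\177ELF\002' > "$1/getent64"   # EI_CLASS=2, 64-bit
}

# Usage on a real host: sh check.sh /opt/ihs/70/bin/httpd
[ $# -eq 0 ] || missing_nss_modules "$1"
```

Any source it prints (here it would be sss) is one the binary cannot load, which is why getent succeeds while the 32-bit httpd reports the user as invalid.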