0

I'm trying to develop an Ansible which install freeipa clients regardless of operating system. I fixed many issues, but I can't fix the following:

ipaclient1 version --> 3.3.4 (Ubuntu 14)
ipaclient2 version --> 4.3.1 (Ubuntu 16)
ipaclient3 version --> 3.0.0 (CentOS 6)
ipaSERVER version  --> 4.2.0 (CentOS 7)

When ipa client join using "ipa-client-install" command, I have no problems, all clients can login with all current users in ipa server. The issue is when I create new users after clients are in the domain. Client 1 and 3 can login correctly with the new users, but the client 2 can't find the new users (after reboot too).

root@dev-ipaclient2:~# su prueba3
No passwd entry for user 'prueba3'

Getent passwd show local users. If I use "ipa user-find prueba3" I get this:

ipa: ERROR: 2.164 client incompatible with 2.156 server at 'https://dev-ipaserver.mydomain.net/ipa/xml'

This error exists with all users, for example i can log with user "user1" (because this user exist before client 2 joined in the domain) but this command can't found him.

/var/log/auth.log:

Jun  1 09:03:38 dev-ipaclient2 su[4378]: No passwd entry for user 'prueba3'
Jun  1 09:03:38 dev-ipaclient2 su[4378]: FAILED su for prueba3 by root
Jun  1 09:03:38 dev-ipaclient2 su[4378]: - /dev/pts/0 root:prueba3

Yes, I tried:

/sbin/initctl stop sssd
rm /var/lib/sss/db/*
/sbin/initctl start sssd

However, if I use "ipa -e skip_version_check=1 user-find prueba3":

--------------
1 user matched
--------------
User login: prueba3
First name: prueba
Last name: 3
Home directory: /home/prueba3
Login shell: /bin/sh
Email address: prueba3@mydomain.net
UID: 50007
GID: 50007
Account disabled: False
Password: True
Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------

I know the problem is with API versions Ubuntu 16 client <---> CentOS 7 Server but i can't find a answer to solve this issue.

This ansible will be used with so many machines so i need that this works correctly (the client2 update correctly all new users).

Thanks for help!

Lord Arkadellas
  • 1
  • 2

2 Answers2

0

By the message that su gives, it looks like it does not use pam_sss in its PAM definition in /etc/pam.d/su. Can you check that?

This has nothing to do with IPA version difference.

abbra
  • 852
  • 5
  • 6
0

I'm sorry for don't answer before, the problem was in the installation. I tried two or three installs and all installations had the same error. Then, I tried purge all packages after uninstall ipa client, install all packages after clean the machine, and then install ipa client. In this case this installation was all correct.

Thanks for your answer abbra.

Lord Arkadellas
  • 1
  • 2