On 03/02/2015 04:33 PM, Guertin, David S. wrote:
>> Let's separate issues.
>>
>> 1. Adding AD user to "IPA group" in AD. Did you re-login as that user on Windows side and then tried to logon to IPA server?
>
> Yes.
>
>> 2. What do SSSD logs say about the login attempt? You need to set debug_level = 10 in [domain/..], [nss] and [pam] sections of /etc/sssd/sssd.conf and restart sssd. If 'su' says that user does not exist, it means SSSD does not see the user as existing. There may be multiple reasons for that, sssd logs should tell exactly what has happened. You can try 'id testuser' to reduce use case for sssd logs.
>
> OK, here's what shows up in /var/log/sssd_nss.log after "id testuser@middlebury.edu":
>
> (Mon Mar 2 15:34:34 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> (Mon Mar 2 15:34:34 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> (Mon Mar 2 15:34:34 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'testuser@middlebury.edu' matched expression for domain 'middlebury.edu', user is testuser
> (Mon Mar 2 15:34:34 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [testuser] from [middlebury.edu]
> (Mon Mar 2 15:34:34 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [testuser@middlebury.edu]
> (Mon Mar 2 15:34:34 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
> Error: 3, 1432158221, Account info lookup failed

The trust is established using one protocol while the lookup happens using another. Can it be that there is a FW and LDAP calls might not go through between IPA server and AD?

> Will try to return what we have in cache
> (Mon Mar 2 15:34:34 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
>
> That makes it look like AD is not sending the user info to IPA. But if the trust is set up, why is it not sending it?
>
> BTW, if I don't include the domain name with the username, i.e. I do "id testuser", I see:
>
> (Mon Mar 2 15:35:49 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> (Mon Mar 2 15:35:49 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> (Mon Mar 2 15:35:49 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'testuser' matched without domain, user is testuser
> (Mon Mar 2 15:35:49 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
> (Mon Mar 2 15:35:49 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [testuser] from [<ALL>]
> (Mon Mar 2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [[email protected]]
> (Mon Mar 2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [[email protected]]
> (Mon Mar 2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
> (Mon Mar 2 15:35:49 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!

In this case it assumes that the user is an IPA user and does not try to look up the user in AD.

> Thanks,
> David Guertin

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
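An added illustration of reading the sssd_nss.log excerpts above (this is example code written for this page, not code from the thread or from SSSD): a small Python triage helper that parses the record shape used in those excerpts and tells apart the two cases discussed, a name with a domain suffix that was routed to the trusted domain but failed at the Data Provider, and a bare name that was searched only in the default domain and never reached AD. The sample log text is constructed from the quoted excerpts, with the obfuscated AD user name written out as testuser@middlebury.edu.

```python
import re
# Constructed sample text in the shape of the sssd_nss.log excerpts quoted in this thread.
SAMPLE_FQDN = """\
(Mon Mar 2 15:34:34 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'testuser@middlebury.edu' matched expression for domain 'middlebury.edu', user is testuser
(Mon Mar 2 15:34:34 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [testuser] from [middlebury.edu]
(Mon Mar 2 15:34:34 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [testuser@middlebury.edu]
(Mon Mar 2 15:34:34 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 3, 1432158221, Account info lookup failed
Will try to return what we have in cache
"""
SAMPLE_SHORT = """\
(Mon Mar 2 15:35:49 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'testuser' matched without domain, user is testuser
(Mon Mar 2 15:35:49 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Mon Mar 2 15:35:49 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [testuser] from [<ALL>]
(Mon Mar 2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
"""

# One log record: (timestamp) [sssd[service]] [function] (0xLEVEL): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<svc>[^\]]+)\]\] "
                     r"\[(?P<func>[^\]]+)\] \((?P<lvl>0x[0-9a-f]+)\): (?P<msg>.*)$", re.I)

def parse_sssd_log(text):
    """Return (function, level, message) tuples; lines without a header continue the previous message."""
    entries = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := LINE_RE.match(line):
            entries.append([m["func"], int(m["lvl"], 16), m["msg"]])
        elif entries:
            entries[-1][2] += "\n" + line
    return [tuple(e) for e in entries]

def triage_lookup(text):
    """Explain how the nss responder routed one 'id <name>' request and how it ended."""
    r = {"user": None, "domain": None, "routed_to": None, "dp_error": None, "outcome": "unknown"}
    for func, _lvl, msg in parse_sssd_log(text):
        if func == "sss_parse_name_for_domains":
            if m := re.search(r"matched expression for domain '([^']+)', user is (\S+)", msg):
                r["domain"], r["user"] = m.group(1), m.group(2)
            elif m := re.search(r"matched without domain, user is (\S+)", msg):
                r["user"] = m.group(1)   # no suffix given: only the default domain gets searched
        elif func == "nss_cmd_getbynam":
            if m := re.search(r"from \[([^\]]+)\]", msg):
                r["routed_to"] = m.group(1)
        elif func == "nss_cmd_getby_dp_callback" and "Data Provider" in msg:
            body = msg.splitlines()      # continuation lines carry the backend's error code and text
            r["dp_error"] = body[1] if len(body) > 1 else body[0]
            r["outcome"] = "data_provider_failed"   # domain was found, but the backend lookup failed
        elif func == "nss_cmd_getpwnam_search" and "No results" in msg:
            r["outcome"] = "not_found"   # nothing returned; with a bare name the AD domain was never asked
    return r
```

Running triage_lookup over each sample shows the distinction Dmitri draws: the suffixed name reaches the trusted domain and fails in the backend, while the bare name is resolved against the default domain only.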
