On Mon, Mar 02, 2015 at 09:33:04PM +0000, Guertin, David S. wrote:
> > Let's separate issues.
> >
> > 1. Adding AD user to "IPA group" in AD.
> > Did you re-login as that user on Windows side and then try to log on
> > to IPA server?
>
> Yes.
>
> > 2. What do SSSD logs say about the login attempt? You need to set
> > debug_level = 10 in [domain/..], [nss] and [pam] sections of
> > /etc/sssd/sssd.conf and restart sssd.
> >
> > If 'su' says that user does not exist, it means SSSD does not see the user
> > as existing. There may be multiple reasons for that; sssd logs should tell
> > exactly what has happened. You can try 'id testuser' to reduce the use case
> > for sssd logs.
>
> OK, here's what shows up in /var/log/sssd_nss.log after "id
> [email protected]":
>
> (Mon Mar 2 15:34:34 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200):
> Received client version [1].
> (Mon Mar 2 15:34:34 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200):
> Offered version [1].
> (Mon Mar 2 15:34:34 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200):
> name '[email protected]' matched expression for domain
> 'middlebury.edu', user is testuser
> (Mon Mar 2 15:34:34 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
> Requesting info for [testuser] from [middlebury.edu]
> (Mon Mar 2 15:34:34 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
> Requesting info for [[email protected]]
> (Mon Mar 2 15:34:34 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040):
> Unable to get information from Data Provider
> Error: 3, 1432158221, Account info lookup failed
> Will try to return what we have in cache
> (Mon Mar 2 15:34:34 2015) [sssd[nss]] [client_recv] (0x0200): Client
> disconnected!
>
> That makes it look like AD is not sending the user info to IPA. But if the
> trust is set up, why is it not sending it?
The request was actually sent by the NSS front end, but the "Unable to get information from Data Provider" line says the sssd_be back-end process was unable to connect to the server and fetch the data.

Do these logs come from a client or the IPA server? Are you able to look up the user on the IPA server at least? Can you paste (sanitized) logs from the sssd_be process as well? They would be located at /var/log/sssd/sssd_middlebury.edu.log.

If the logs are from the client and the back-end logs say something about an extended operation failing, then we need to take a look at the sssd logs on the server as well.

> BTW, if I don't include the domain name with the username, i.e. I do "id
> testuser", I see:
>
> (Mon Mar 2 15:35:49 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200):
> Received client version [1].
> (Mon Mar 2 15:35:49 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200):
> Offered version [1].
> (Mon Mar 2 15:35:49 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200):
> name 'testuser' matched without domain, user is testuser
> (Mon Mar 2 15:35:49 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200):
> using default domain [(null)]
> (Mon Mar 2 15:35:49 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
> Requesting info for [testuser] from [<ALL>]
> (Mon Mar 2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
> Requesting info for [[email protected]]
> (Mon Mar 2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
> Requesting info for [[email protected]]
> (Mon Mar 2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No
> results for getpwnam call
> (Mon Mar 2 15:35:49 2015) [sssd[nss]] [client_recv] (0x0200): Client
> disconnected!

Right, the code paths for retrieving IPA users and AD users are mostly separate on the sssd_be side.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
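A small triage helper, added here as an example and not code from the thread or from SSSD itself: it parses sssd_nss.log entries of the form quoted above, joins continuation lines (the log messages span several lines and mail clients wrap them further), flags a lookup that the NSS responder could not satisfy because the Data Provider (sssd_be) failed, and derives the per-domain back-end log path the reply points to. The `triage`/`parse_entries` names and the regexes are assumptions; the sample log text is constructed in the quoted format.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Entry header: "(timestamp) [sssd[svc]] [function] (0xlevel): message"; the message
# may continue on following lines (and mail clients wrap it further).
HEADER_RE = re.compile(r"^\([^)]*\) \[sssd\[[^\]]*\]\] \[(?P<func>[^\]]*)\] \(0x[0-9a-fA-F]+\):\s*(?P<msg>.*)$")
DOMAIN_RE = re.compile(r"matched expression for domain '(?P<domain>[^']+)'")
DP_ERROR_RE = re.compile(r"Error: (?P<code>\d+), \d+,")
def parse_entries(log_text):
    """Group each header line with its continuation lines: list of (func, msg)."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            entries.append([m.group("func"), m.group("msg")])
        elif line and entries:
            entries[-1][1] = (entries[-1][1] + " " + line).strip()
    return [tuple(e) for e in entries]

@dataclass
class Finding:
    domain: Optional[str]       # domain the name was routed to, if any
    dp_failed: bool             # back end (sssd_be) could not answer the request
    error_code: Optional[int]   # code from the "Error: <n>, ..." line
    backend_log: Optional[str]  # per-domain back-end log to read next

def triage(log_text):
    """Decide whether the NSS responder failed because the back end did."""
    domain, dp_failed, code = None, False, None
    for func, msg in parse_entries(log_text):
        d = DOMAIN_RE.search(msg)
        if d:
            domain = d.group("domain")
        if func == "nss_cmd_getby_dp_callback" and "Data Provider" in msg:
            dp_failed = True
            err = DP_ERROR_RE.search(msg)
            code = int(err.group("code")) if err else None
    # sssd_be writes one log per domain: /var/log/sssd/sssd_<domain>.log
    log = f"/var/log/sssd/sssd_{domain}.log" if dp_failed and domain else None
    return Finding(domain, dp_failed, code, log)

# Constructed sample in the format quoted in the thread, wrapped the way the mail was.
SAMPLE = """(Mon Mar  2 15:34:34 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200):
name 'testuser@middlebury.edu' matched expression for domain
'middlebury.edu', user is testuser
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040):
Unable to get information from Data Provider
Error: 3, 1432158221, Account info lookup failed"""
```

A "No results for getpwnam call" entry, as in the second log, yields `dp_failed=False` and no back-end log path, which separates "back end could not answer" from "nothing matched".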
