On Thu, Feb 11, 2016 at 3:21 AM Alexander Bokovoy <[email protected]> wrote:
> On Wed, 10 Feb 2016, Mike Kelly wrote:
> >On Wed, Feb 10, 2016 at 3:19 AM Alexander Bokovoy <[email protected]>
> >wrote:
> >
> >> On Wed, 10 Feb 2016, Mike Kelly wrote:
> >>
> >> >Is there some extra logging I can turn on to see why this ID View isn't
> >> >being applied like I would expect? Or perhaps some extra bit of
> >> >configuration I missed?
> >> Level 7 or 9 debug logs in SSSD on the client might help.
> >>
> >
> >Thanks.
> >
> >Here's what looks like the relevant bits in /var/log/sssd/sssd_nss.log,
> >after I ran `sss_cache -E ; id pioto`:
> Please provide content of sssd_<domain>.log, this is where the actual
> work is done when user information is obtained and processed.
> sssd_nss.log is merely a requestor.
>

Thanks. Here's what is hopefully the relevant lines:

(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [cn=accounts,dc=home,dc=pioto,dc=org]
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=pioto)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=home,dc=pioto,dc=org].
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [sdap_parse_entry] (0x1000): OriginalDN: [uid=pioto,cn=users,cn=accounts,dc=home,dc=pioto,dc=org].
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [sdap_save_user] (0x0400): Save user
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSIDString] attribute. [0][Success]
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [sdap_get_primary_name] (0x0400): Processing object pioto
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [sdap_save_user] (0x0400): Processing user pioto
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [pioto].
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [sdap_save_user] (0x0400): Adding user principal [[email protected]] to attributes of [pioto].
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [sdap_save_user] (0x0400): Storing info for user pioto
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)

-- so, looks like I don't see any evidence of an ID view being searched for or applied?

(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [be_get_account_info] (0x0200): Got request for [0x1002][1][idnumber=1403400001]
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [cn=accounts,dc=home,dc=pioto,dc=org]
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(gidNumber=1403400001)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=home,dc=pioto,dc=org].

-- and here, looks like nss is requesting the details from my FreeIPA default GID...

The only log entries I see in /var/log/sssd/sssd_<domain>.log that are related to views seem to be from when I last restarted sssd:

(Wed Feb 10 13:09:52 2016) [sssd[be[home.pioto.org]]] [dp_get_options] (0x0400): Option ipa_views_search_base has no value
(Wed Feb 10 13:09:52 2016) [sssd[be[home.pioto.org]]] [ipa_get_id_options] (0x0100): Option ipa_views_search_base set to cn=views,cn=accounts,dc=home,dc=pioto,dc=org
(Wed Feb 10 13:09:52 2016) [sssd[be[home.pioto.org]]] [common_parse_search_base] (0x0100): Search base added: [IPA_VIEWS][cn=views,cn=accounts,dc=home,dc=pioto,dc=org][SUBTREE][]
(Wed Feb 10 13:09:52 2016) [sssd[be[home.pioto.org]]] [sdap_get_map] (0x0400): Option ipa_view_class has value nsContainer
(Wed Feb 10 13:09:52 2016) [sssd[be[home.pioto.org]]] [sdap_get_map] (0x0400): Option ipa_view_name has value cn
(Wed Feb 10 13:09:52 2016) [sssd[be[home.pioto.org]]] [sssm_ipa_id_init] (0x0020): Cannot find view name in the cache. Will do online lookup later.
(Wed Feb 10 13:09:52 2016) [sssd[be[home.pioto.org]]] [dp_copy_options_ex] (0x0400): Option ipa_views_search_base has value cn=views,cn=accounts,dc=home,dc=pioto,dc=org
(Wed Feb 10 13:09:52 2016) [sssd[be[home.pioto.org]]] [dp_copy_options_ex] (0x0400): Option ipa_views_search_base has value cn=views,cn=accounts,dc=home,dc=pioto,dc=org

----

When I search LDAP under that search base, I get 3 DNs I'd expect to see:

dn: cn=views,cn=accounts,dc=home,dc=pioto,dc=org
dn: cn=oldservers,cn=views,cn=accounts,dc=home,dc=pioto,dc=org
dn: ipaanchoruuid=:IPA:home.pioto.org:fc07446e-ce52-11e5-8a98-52540092d8fc,cn=oldservers,cn=views,cn=accounts,dc=home,dc=pioto,dc=org

And, under the servers tree, I see a corresponding ipaAssignedIDView:

dn: fqdn=data.home.pioto.org,cn=computers,cn=accounts,dc=home,dc=pioto,dc=org
ipaAssignedIDView: cn=oldservers,cn=views,cn=accounts,dc=home,dc=pioto,dc=org

--
Mike Kelly
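
The manual check carried out in the message above (looking through sssd_<domain>.log for evidence that an ID view was looked up during a request), as an added example that is not part of the original post and is not SSSD or FreeIPA code. The names `parse_line` and `view_activity` are hypothetical, matching on the substring "view" is an assumed heuristic, and the sample lines are copied from the excerpts quoted in the message.

```python
import re

# One SSSD backend debug line, in the shape seen in the excerpts above:
# (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

def parse_line(line):
    """Return a dict for one debug line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)  # debug level is a hex bitmask
    return rec

def view_activity(lines):
    """Group records by be_get_account_info request and collect the lines
    in each group whose function name or message mentions 'view'."""
    groups = [{"request": "(before first request)", "view_lines": []}]
    for rec in filter(None, map(parse_line, lines)):
        if rec["func"] == "be_get_account_info":
            groups.append({"request": rec["msg"], "view_lines": []})
        elif "view" in (rec["func"] + " " + rec["msg"]).lower():
            groups[-1]["view_lines"].append(rec)
    return groups

# Sample assembled from lines quoted in the message above (not a full log).
SAMPLE = [
    "(Wed Feb 10 13:09:52 2016) [sssd[be[home.pioto.org]]] [sdap_get_map] "
    "(0x0400): Option ipa_view_name has value cn",
    "(Wed Feb 10 13:09:52 2016) [sssd[be[home.pioto.org]]] [sssm_ipa_id_init] "
    "(0x0020): Cannot find view name in the cache. Will do online lookup later.",
    "(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [be_get_account_info] "
    "(0x0200): Got request for [0x1002][1][idnumber=1403400001]",
    "(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [sdap_get_groups_next_base] "
    "(0x0400): Searching for groups with base [cn=accounts,dc=home,dc=pioto,dc=org]",
]

if __name__ == "__main__":
    for g in view_activity(SAMPLE):
        print(len(g["view_lines"]), "view-related line(s):", g["request"])
```

On this sample the only view-related lines fall before the first request, which is the same pattern the message describes.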
