On Wed, Feb 10, 2016 at 3:19 AM Alexander Bokovoy <[email protected]> wrote:
> On Wed, 10 Feb 2016, Mike Kelly wrote:
>
> >Is there some extra logging I can turn on to see why this ID View isn't
> >being applied like I would expect? Or perhaps some extra bit of
> >configuration I missed?
> Level 7 or 9 debug logs in SSSD on the client might help.
>

Thanks. Here's what looks like the relevant bits in /var/log/sssd/sssd_nss.log, after I ran `sss_cache -E ; id pioto`:

(Wed Feb 10 15:06:45 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [pioto].
(Wed Feb 10 15:06:45 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'pioto' matched without domain, user is pioto
(Wed Feb 10 15:06:45 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [pioto] from [<ALL>]
(Wed Feb 10 15:06:45 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [[email protected]]
(Wed Feb 10 15:06:45 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Wed Feb 10 15:06:45 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7f9b482220e0:1:[email protected]]
(Wed Feb 10 15:06:45 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [home.pioto.org][4097][1][name=pioto]
(Wed Feb 10 15:06:45 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f9b482220e0:1:[email protected]]
(Wed Feb 10 15:06:45 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success (Success)
(Wed Feb 10 15:06:45 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [[email protected]]
(Wed Feb 10 15:06:45 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [[email protected]]
(Wed Feb 10 15:06:45 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f9b482220e0:1:[email protected]]
(Wed Feb 10 15:06:45 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [34] with id [1403400001].
(Wed Feb 10 15:06:45 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [[email protected]]

----

So, if I'm reading that right, it looks like we first query the server to find the user with name 'pioto', and then get back a response containing my IPA-assigned UID, and do a further lookup on that... it mentions "Not a LOCAL view, ...", but I'm not sure that's related?

So, I wonder if there's some bit of client-side configuration that I'm missing? But, the bit that I see in /var/log/sssd/sssd_home.pioto.org.log seems to match up with what I can see in LDAP:

(Wed Feb 10 13:09:52 2016) [sssd[be[home.pioto.org]]] [dp_copy_options_ex] (0x0400): Option ipa_views_search_base has value cn=views,cn=accounts,dc=home,dc=pioto,dc=org

> >I'm running a pair of CentOS 7 boxes, one acting as the FreeIPA server, and
> >the other is the "legacy" box I want to shim FreeIPA into...
> ID Views are only applied on machines where you have SSSD that supports
> them, just to make sure.
>

Thanks. Both server and client are running:

$ sssd --version
1.13.0

--
Mike Kelly
