I think it was a combination of multiple things; without ever really figuring out what, I have now made it work.
Mainly, I think it had to do with the "full_name_format" parameter, which seems to cause problems if set on the IPA client? If I set it to "full_name_format = %1$s" I'm unable to look up users on the SSSD client, even though the same thing works on SSSD on the IPA server?

My config looks like this:

[domain/linux.dr.dk]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linux.dr.dk
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = rhel02udv.linux.dr.dk
chpass_provider = ipa
ipa_server = ipa02tst.linux.dr.dk
ldap_tls_cacert = /etc/ipa/ca.crt
# Bugfix until RHEL 7.3 arrives
# http://www.redhat.com/archives/freeipa-users/2016-May/msg00209.html
ldap_user_principal = nosuchattr
subdomain_inherit = ldap_user_principal
debug_level=5

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = linux.dr.dk
default_domain_suffix = NET.DR.DK
# full_name_format = %1$s

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

With this I can look up users, but not log in using SSH.

I think I'm circling around the solution, as both lookup and SSH login work on the IPA server.

----- On Aug 9, 2016, at 1:19 PM, Jakub Hrozek [email protected] wrote:

> On Tue, Aug 09, 2016 at 12:34:04PM +0200, Troels Hansen wrote:
>> Hi, I have an sssd client which is currently causing problems when looking up
>> IPA / AD users.
>>
>> # getent passwd [email protected]
>> returns nothing.
>>
>> # getent passwd [email protected]
>> [email protected]:*:10000:10000:admin admin:/home/admin:/bin/bash
>>
>> works, so it can see the IPA domain.
>>
>> Tried re-enrolling the client on the IPA server (ipa-client-install --uninstall),
>> didn't make a difference.
>>
>> SSSD configuration parameters are the same on IPA server, and client.
>>
>> Only thing I can find on the client (loglevel 5) is:
>> (Tue Aug 9 11:33:44 2016) [sssd[be[linux.dr.dk]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=drextrha]
>> (Tue Aug 9 11:33:44 2016) [sssd[be[linux.dr.dk]]] [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
>> (Tue Aug 9 11:33:44 2016) [sssd[be[linux.dr.dk]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: 22
>> (Tue Aug 9 11:33:44 2016) [sssd[be[linux.dr.dk]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,22,Account info lookup failed
>>
>> Can't grasp what that error covers?
>
> You need to look into the corresponding server-side sssd logs. See:
> https://fedorahosted.org/sssd/wiki/Troubleshooting
> search for 'Common IPA provider issues'.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

--
Kind regards

Troels Hansen
Systems Consultant
Casalogic A/S
T (+45) 70 20 10 63
M (+45) 22 43 71 57

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
