<div dir="ltr"><div><div><div><div>Hey Jason,<br><br></div>I realized I had made one more change. I setup the FreeIPA server again and this time I added the --enable-compat with my /usr/sbin/ipa-adtrust-install command. <br><br></div>Yes, I cannot use GSSAPI as well. I use simple bind to run a LDAP query. On IPA clients I don't need to authenticate as IPA takes care of that. Hope this helps.<br><br></div>Regards,<br><br></div>Hanoz<br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><span><b><span style="font-size:9.5pt;font-family:"times new roman","serif""><span style="color:rgb(255,0,0)"><img src="https://docs.google.com/a/atomiccartoons.com/uc?id=0BzG4iWi2gPgKc2FvTEJfQVN5VTQ&export=download" height="27" width="200"><br><span style="font-family:arial,helvetica,sans-serif"><font size="2">Hanoz Elavia</font></span></span><span style="font-family:arial,helvetica,sans-serif"><font size="2"><span style="color:rgb(95,95,95)"> </span><span style="color:rgb(64,64,64)">|</span></font></span></span></b><span style="font-family:arial,helvetica,sans-serif"><font size="2"><span style="color:rgb(64,64,64)"> IT Manager <br></span><b><span style="color:rgb(64,64,64)">O:</span></b><span style="color:rgb(64,64,64)"> <a href="tel:604-734-2866" value="+16047342866" target="_blank">604-734-2866</a> </span><span style="color:black"><b>|</b> </span><span style="color:black"><u><span><span style="color:black"></span><a href="http://www.atomiccartoons.com" target="_blank">www.atomiccartoons.com</a></span></u><br>112 West 6<sup>th</sup> Ave, Vancouver, BC, Canada, V5Y1K6</span></font></span></span></div></div></div></div></div></div></div></div></div></div></div></div></div> <br><div class="gmail_quote">On Wed, Feb 22, 2017 at 1:50 PM, Jason B. Nance <span dir="ltr"><<a href="mailto:jason@tresgeek.net" target="_blank">jason@tresgeek.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">> For example, for user that would be (&(objectClass=posixAccount)(<wbr>uid=%s))<br> > where %s is <a href="mailto:ad_user@server.com">ad_user@server.com</a> according to your example.<br> ><br> > This is what would be intercepted and queried through SSSD.<br> ><br> > For example:<br> ><br> > $ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool<br> > '(&(objectClass=posixAccount)(<wbr>uid=user@ad.ipa.cool))'<br> > SASL/GSSAPI authentication started<br> > SASL username: admin@XS.IPA.COOL<br> > SASL SSF: 56<br> > SASL data security layer installed.<br> > # extended LDIF<br> > #<br> > # LDAPv3<br> > # base <cn=compat,dc=xs,dc=ipa,dc=<wbr>cool> with scope subtree<br> > # filter: (&(objectClass=posixAccount)(<wbr>uid=user@ad.ipa.cool))<br> > # requesting: ALL<br> > #<br> ><br> > # user@ad.ipa.cool, users, compat, xs.ipa.cool<br> > dn: uid=user@ad.ipa.cool,cn=users,<wbr>cn=compat,dc=xs,dc=ipa,dc=cool<br> > objectClass: ipaOverrideTarget<br> > objectClass: posixAccount<br> > objectClass: top<br> > cn: YO!<br> > gidNumber: 967001113<br> > gecos: YO!<br> > ipaAnchorUUID:: <some base64 value><br> > uidNumber: 967001113<br> > loginShell: /bin/bash<br> > homeDirectory: /home/ad.ipa.cool/user<br> > uid: user@ad.ipa.cool<br> ><br> > # search result<br> > search: 4<br> > result: 0 Success<br> ><br> > # numResponses: 2<br> > # numEntries: 1<br> <br> </div></div>I'm not able to recreate this (on FreeIPA 4.4.0). "ipa-compat-manage status" says "Plugin Enabled", but searches for AD users yield no results:<br> <br> $ ldapsearch -b cn=compat,dc=ipa,dc=lab,dc=<wbr>gen,dc=zone '(&(objectClass=posixAccount)(<wbr>uid=jnance@lab.gen.zone))' -W -x -D 'cn=Directory Manager'<br> Enter LDAP Password:<br> <span class=""># extended LDIF<br> #<br> # LDAPv3<br> </span># base <cn=compat,dc=ipa,dc=lab,dc=<wbr>gen,dc=zone> with scope subtree<br> # filter: (&(objectClass=posixAccount)(<wbr>uid=jnance@lab.gen.zone))<br> # requesting: ALL<br> #<br> <br> # search result<br> search: 2<br> result: 0 Success<br> <br> # numResponses: 1<br> <br> <br> I'm currently logged into the machine with an AD account from a trust:<br> <br> [jnance@lab.gen.zone@<wbr>sl2aospljmp0001 ~]$ whoami<br> jnance@lab.gen.zone<br> [jnance@lab.gen.zone@<wbr>sl2aospljmp0001 ~]$ id<br> uid=21104(jnance@lab.gen.zone) gid=21104(jnance@lab.gen.zone) groups=21104(jnance@lab.gen.<wbr>zone),10009(lgz-lxusers),<wbr>10011(lxeng),20512(domain admins@lab.gen.zone),20513(<wbr>domain users@lab.gen.zone),21112(<wbr>lxusers@lab.gen.zone),21117(<wbr>lab_admins@lab.gen.zone) context=unconfined_u:<wbr>unconfined_r:unconfined_t:s0-<wbr>s0:c0.c1023<br> <br> <br> If I search for a user that is local to IPA it works:<br> <br> $ ldapsearch -b cn=compat,dc=ipa,dc=lab,dc=<wbr>gen,dc=zone '(&(objectClass=posixAccount)(<wbr>uid=jnance-ipa))' -W -x -D 'cn=Directory Manager' -H 'ldaps://sl2mmgplidm0001.ipa.<wbr>lab.gen.zone'<br> Enter LDAP Password:<br> <span class=""># extended LDIF<br> #<br> # LDAPv3<br> </span># base <cn=compat,dc=ipa,dc=lab,dc=<wbr>gen,dc=zone> with scope subtree<br> # filter: (&(objectClass=posixAccount)(<wbr>uid=jnance-ipa))<br> # requesting: ALL<br> #<br> <br> # jnance-ipa, users, compat, ipa.lab.gen.zone<br> dn: uid=jnance-ipa,cn=users,cn=<wbr>compat,dc=ipa,dc=lab,dc=gen,<wbr>dc=zone<br> cn: Jason Nance<br> objectClass: posixAccount<br> objectClass: ipaOverrideTarget<br> objectClass: top<br> gidNumber: 10008<br> gecos: Jason Nance<br> ipaAnchorUUID:: OklQQTppcGEubGFiLmdlbi56b25lOm<wbr>QxYzU0NGI2LWU5YjktMTFlNi1iNWM1<wbr>LT<br> AwNTA1NjkxMGE0NA==<br> uidNumber: 10008<br> loginShell: /bin/bash<br> homeDirectory: /home/jnance-ipa<br> uid: jnance-ipa<br> <br> # search result<br> search: 2<br> <span class="">result: 0 Success<br> <br> # numResponses: 2<br> # numEntries: 1<br> <br> <br> </span>As a side note, I'm also not able to use GSSAPI auth as you did:<br> <br> $ kinit<br> Password for jnance@LAB.GEN.ZONE:<br> $ ldapsearch -Y GSSAPI -b cn=compat,dc=ipa,dc=lab,dc=<wbr>gen,dc=zone '(&(objectClass=posixAccount)(<wbr>uid=jnance@lab.gen.zone))'<br> SASL/GSSAPI authentication started<br> ldap_sasl_interactive_bind_s: Invalid credentials (49)<br> </blockquote></div><br></div>