<div dir="ltr"><div><div><div>Thanks Alexander, </div>I have rebuilt the server with compatibility and I can now query AD users. I'll just have to confirm with Dell / EMC whether the Isilon can now handle this. </div>Regards, </div>Hanoz <div class="gmail_extra"> <div class="gmail_quote">On Wed, Feb 22, 2017 at 10:26 PM, Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On ke, 22 helmi 2017, Jason B. Nance wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> For example, for user that would be (&(objectClass=posixAccount)(uid=%s)) where %s is <a href="mailto:ad_user@server.com" target="_blank">ad_user@server.com</a> according to your example. This is what would be intercepted and queried through SSSD. For example: $ ldapsearch -Y GSSAPI -b cn=compat,dc=xs,dc=ipa,dc=cool '(&(objectClass=posixAccount)(uid=user@ad.ipa.cool))' SASL/GSSAPI authentication started SASL username: admin@XS.IPA.COOL SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base <cn=compat,dc=xs,dc=ipa,dc=cool> with scope subtree # filter: (&(objectClass=posixAccount)(uid=user@ad.ipa.cool)) # requesting: ALL # # user@ad.ipa.cool, users, compat, xs.ipa.cool dn: uid=user@ad.ipa.cool,cn=users,cn=compat,dc=xs,dc=ipa,dc=cool objectClass: ipaOverrideTarget objectClass: posixAccount objectClass: top cn: YO! gidNumber: 967001113 gecos: YO! ipaAnchorUUID:: <some base64 value> uidNumber: 967001113 loginShell: /bin/bash homeDirectory: /home/ad.ipa.cool/user uid: user@ad.ipa.cool # search result search: 4 result: 0 Success # numResponses: 2 # numEntries: 1 </blockquote> I'm not able to recreate this (on FreeIPA 4.4.0). "ipa-compat-manage status" says "Plugin Enabled", but searches for AD users yield no results: </blockquote></div></div> Sorry, I forgot mention yesterday that if you didn't use 'ipa-adtrust-install --enable-compat' then one thing is missing from compat tree configuration to allow resolution of AD users. Luckily, it is a simple ldapadd that can fix it. You can use ipa-ldap-updater: # cat 80-enable-compat-nsswitch.update dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config add:schema-compat-lookup-nsswitch: user dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config add:schema-compat-lookup-nsswitch: group # ipa-ldap-updater ./80-enable-compat-nsswitch.update and then restart 389-ds. <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> As a side note, I'm also not able to use GSSAPI auth as you did: $ kinit Password for jnance@LAB.GEN.ZONE: $ ldapsearch -Y GSSAPI -b cn=compat,dc=ipa,dc=lab,dc=gen,dc=zone '(&(objectClass=posixAccount)(uid=jnance@lab.gen.zone))' SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Invalid credentials (49) </blockquote> I used IPA user, not AD user to bind with GSSAPI. In FreeIPA 4.4 it should also work with AD user as well but only if the user has ID override entry, even empty one: # ipa idoverrideuser-add 'Default Trust View' administrator@ad.ipa.cool and now administrator@ad.ipa.cool will be able to issue ldap searches against IPA LDAP server from Linux machines. Note that ldp.exe will still be unable to perform searches against IPA LDAP until <a href="https://github.com/cyrusimap/cyrus-sasl/pull/424" rel="noreferrer" target="_blank">https://github.com/cyrusimap/cyrus-sasl/pull/424</a> is released in a distribution. -- / Alexander Bokovoy </blockquote></div> </div></div>