[Freeipa-users] AD - Freeipa trust confusion

Simo Sorce simo at redhat.com
Fri Jan 3 13:47:34 UTC 2014


On Fri, 2014-01-03 at 12:29 +0100, Jakub Hrozek wrote:
> On Thu, Jan 02, 2014 at 08:06:31PM +0000, Andrew Holway wrote:
> > /var/log/sssd/*
> > this is using bob at host (prattle.com is the windows domain)
> > https://gist.github.com/anonymous/ff817a251948ff58bdb1
> > 
> > this is using bob at prattle.com@host (prattle.com is the windows domain)
> 
> Thanks, these logs have somewhat more info than those in the other
> thread.
> 
> It seems that Winbind on the IPA server has trouble talking to the AD
> server:
> 
> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [fo_set_port_status]
> (0x0100): Marking port 0 of server 'ipa.wibble.com' as 'working'
> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]]
> [set_server_common_status] (0x0100): Marking server 'ipa.wibble.com' as
> 'working'
> (Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [ipa_s2n_get_user_done]
> (0x0040): s2n exop request failed.
> 
> (The s2n exop does a special LDAP call to IPA which in turn calls
> winbind on the server).
> 
> To generate the winbind logs on the server, can you do 'smbcontrol winbindd
> debug 100', then request the trusted user. The winbind logs would be at
> /var/log/samba/log.w*

Don't use debug level 100, it will litter the tmp with packet dumps and
possibly fill the disk.

Log level 10 is the max that is ever useful.

> I'd advise to restart SSSD on the client before the test to get rid of
> the negative cache and make sure the request actually hits the server.

or simply run wbinfo on the server to check winbindd can properly
retrieve users before moving back to testing on client.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
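
An added example, not part of the original message or of SSSD: a small Python filter that rejoins mail-wrapped SSSD debug records like the ones quoted above and keeps only those logged at a failure level, so a line such as the s2n exop failure stands out from the status noise. The sample text is the excerpt quoted in this thread; the function names and the `FAILURE_LEVELS` table are this example's own.

```python
import re

# SSSD debug levels are bit flags; these four mark failures, higher bits are tracing.
FAILURE_LEVELS = {0x0010: "fatal", 0x0020: "critical",
                  0x0040: "operation failure", 0x0080: "minor failure"}

# A record starts with "(Thu Jan 2 19:27:41 2014)"; a wrapped "(0x0100): ..." line does not.
RECORD_START = re.compile(r"^\(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}\)")
RECORD = re.compile(r"^\((?P<ts>[^)]+)\)\s+\[(?P<proc>\S+)\]\s+"
                    r"\[(?P<func>\w+)\]\s+\((?P<level>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)$")

def unwrap(text):
    """Rejoin records that a mail client wrapped across several lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def failures(text):
    """Return (timestamp, process, function, severity, message) per failure record."""
    found = []
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m:
            continue  # not an SSSD debug record
        severity = FAILURE_LEVELS.get(int(m["level"], 16))
        if severity:
            found.append((m["ts"], m["proc"], m["func"], severity, m["msg"]))
    return found

# Sample input: the log excerpt quoted in this thread, mail wrapping retained.
SAMPLE = """\
(Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [fo_set_port_status]
(0x0100): Marking port 0 of server 'ipa.wibble.com' as 'working'
(Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]]
[set_server_common_status] (0x0100): Marking server 'ipa.wibble.com' as
'working'
(Thu Jan 2 19:27:41 2014) [sssd[be[wibble.com]]] [ipa_s2n_get_user_done]
(0x0040): s2n exop request failed.
"""

if __name__ == "__main__":
    for ts, proc, func, severity, msg in failures(SAMPLE):
        print(f"{ts} {proc} {func}: {severity}: {msg}")
```
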