[Freeipa-users] Cannot log in via SSH with AD user TO IPA Domain.

Jakub Hrozek jhrozek at redhat.com
Tue Jan 7 20:14:09 UTC 2014


On Tue, Jan 07, 2014 at 12:00:56AM +0200, Genadi Postrilko wrote:
> sssd_example.com.log after changing the debug level:
> https://gist.github.com/anonymous/8290381#file-sssd_example-com-log

This info from the log:
(Mon Jan  6 13:23:11 2014) [sssd[be[example.com]]] [ipa_s2n_exop_done]
(0x0400): ldap_extended_operation result: Operations error(1), (null)
(Mon Jan  6 13:23:11 2014) [sssd[be[example.com]]]
[ipa_s2n_get_user_done] (0x0040): s2n exop request failed

Plus the wbinfo output below indicates that you are seeing a similar
kind of error as the user in thread called "AD - Freeipa trust
confusion".

Would you mind getting the same debug information on the IPA server? In
short, set "smbcontrol winbindd debug 10", run the testcase, then revert
the debug level. Feel free to check the other thread for some more
details on debugging.

> 
> [genadi at ipaserver root]$ wbinfo -u
> (no output)
> 
> [genadi at ipaserver root]$ wbinfo -g
> admins
> editors
> default smb group
> ad_users
> ad_admins
> 
> [genadi at ipaserver root]$ wbinfo --trusted-domains
> BUILTIN
> EXAMPLE
> ADDC
> 
> [genadi at ipaserver root]$ wbinfo -i Administrator
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user Administrator
> 
> [genadi at ipaserver root]$ wbinfo --domain-info ADDC.COM
> Name              : ADDC
> Alt_Name          : addc.com
> SID               : S-1-5-21-33789592-1708006097-2663368750
> Active Directory  : No
> Native            : No
> Primary           : No
> 
> 2014/1/6 Jakub Hrozek <jhrozek at redhat.com>
> 
> > On Fri, Jan 03, 2014 at 07:29:54PM +0200, Genadi Postrilko wrote:
> > > Here are the other logs as well (ldap_child.log, sssd_pac.log,
> > > sssd_ssh.log).
> > >
> > > https://gist.github.com/anonymous/8242061
> > >
> > > I attempted to log in (as Administrator at ADDC.COM) at 9:04.
> > >
> > > Thanks for the help.
> > >
> >
> > You need the *domain* log. According to the logs, your domain is called
> > example.com, so you need to put debug_level=6 (or higher, but 6 should
> > be enough) to the section called [domain/example.com] in sssd.conf,
> > restart sssd, attempt the login and then attach
> > /var/log/sssd/sssd_example.com.log
> >
> > Given that SSSD is complaining about not being able to find the user, I
> > suspect a similar problem as in the other thread, that is, Winbind on
> > the server not being able to talk to the AD. Does "wbinfo -u $user" work
> > on the server?
> >



