[Freeipa-users] RHEL 5 client?

Guertin, David S. guertin at middlebury.edu
Fri Apr 3 12:58:55 UTC 2015


> The sequence to emulate what SSSD does would be
>
> kinit -k host/`hostname`
> ldapsearch -Y GSSAPI -H ldap://genet.ipa.middlebury.edu \
>            -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub \
>            '(uid=admin at middlebury.edu)'
>
> As a result, we have 'admin at middlebury.edu' inserted in the compat tree, and
> can do a bind as
> 'uid=admin at middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu'
>
> ldapsearch -x -H ldap://genet.ipa.middlebury.edu \
>            -D 'uid=admin at middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu' \
>            -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub \
>            '(uid=admin at middlebury.edu)'
>
> This would reproduce what SSSD was supposed to do. If you get these
> ldapsearches to work, we can look at what SSSD is doing.

Thanks. Yes, both of those ldapsearch commands work. I can search for the user (I'm using a different user here):

-----------------------------
# ldapsearch -Y GSSAPI -H ldap://genet.ipa.middlebury.edu -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub '(uid=juser at middlebury.edu)'
SASL/GSSAPI authentication started
SASL username: host/yakko.ipa.middlebury.edu at IPA.MIDDLEBURY.EDU
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=ipa,dc=middlebury,dc=edu> with scope subtree
# filter: (uid=juser at middlebury.edu)
# requesting: ALL
#

# juser at middlebury.edu, users, compat, ipa.middlebury.edu
dn: uid=juser at middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu
objectClass: posixAccount
objectClass: top
cn: juser
gidNumber: 435021613
gecos: juser
uidNumber: 435021613
homeDirectory: /home/middlebury.edu/juser
uid: juser at middlebury.edu

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
-----------------------------

And I can bind as that user (after adding the -W flag to prompt for a password):

-----------------------------
# ldapsearch -x -H ldap://genet.ipa.middlebury.edu -D 'uid=juser at middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu' -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub '(uid=juser at middlebury.edu)' -W
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=ipa,dc=middlebury,dc=edu> with scope subtree
# filter: (uid=juser at middlebury.edu)
# requesting: ALL
#

# juser at middlebury.edu, users, compat, ipa.middlebury.edu
dn: uid=juser at middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu
objectClass: posixAccount
objectClass: top
cn: juser
gidNumber: 435021613
gecos: juser
uidNumber: 435021613
homeDirectory: /home/middlebury.edu/juser
uid: juser at middlebury.edu

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
-----------------------------

But the user still cannot SSH in to the client:

-----------------------------
$ ssh -l 'MIDD\juser' yakko.ipa.middlebury.edu
MIDD\juser at yakko.ipa.middlebury.edu's password: 
Permission denied, please try again.
MIDD\juser at yakko.ipa.middlebury.edu's password: 
Permission denied, please try again.
MIDD\juser at yakko.ipa.middlebury.edu's password: 
Permission denied (publickey,gssapi-with-mic,password).
-----------------------------

The sssd debug_level is set to 10. I've attached sssd_default.log and sssd_nss.log.

David Guertin
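One way to run the lookup-then-bind sequence from the quoted reply as a repeatable check on the client. This is an added example, not code from the thread or from FreeIPA/SSSD; the server, compat base DN and the final `getent` step are assumptions, and the LDIF parser unfolds wrapped lines so long DNs are handled.

```shell
#!/bin/bash
# Added example: walk the lookup-then-bind sequence SSSD performs against the
# FreeIPA compat tree, as a manual check. Server and base are assumptions taken
# from the thread; set IPA_SERVER / COMPAT_BASE to override them.
IPA_SERVER="${IPA_SERVER:-genet.ipa.middlebury.edu}"
COMPAT_BASE="${COMPAT_BASE:-cn=compat,dc=ipa,dc=middlebury,dc=edu}"

# Record one unfolded LDIF line: remember the entry's dn and the numEntries count.
_ldif_line() {
    case "$1" in
        "dn: "*)           _dn="${1#"dn: "}" ;;
        "# numEntries: "*) _entries="${1#"# numEntries: "}" ;;
    esac
}

# Read ldapsearch output on stdin (run without -LLL so the numEntries comment is
# present), unfold wrapped LDIF lines, and print the dn of the single entry.
# Returns 1 unless exactly one entry came back (user not materialised in compat).
compat_entry_dn() {
    local line cur=""
    _dn="" _entries=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            " "*) cur="$cur${line# }" ;;               # LDIF continuation: unfold
            *)    _ldif_line "$cur"; cur="$line" ;;
        esac
    done
    _ldif_line "$cur"
    [ "$_entries" -eq 1 ] && [ -n "$_dn" ] || return 1
    printf '%s\n' "$_dn"
}

# 1. ticket from the host keytab; 2. GSSAPI search that makes the compat plugin
# insert the user; 3. simple bind as that dn; 4. ask SSSD for the same user via NSS.
check_compat_user() {
    local user="$1" dn
    kinit -k "host/$(hostname)" || { echo "kinit with host keytab failed"; return 1; }
    dn=$(ldapsearch -Y GSSAPI -H "ldap://$IPA_SERVER" -b "$COMPAT_BASE" -s sub \
            "(uid=$user)" 2>/dev/null | compat_entry_dn) \
        || { echo "user $user not found in compat tree"; return 1; }
    echo "compat dn: $dn"
    ldapsearch -x -W -H "ldap://$IPA_SERVER" -D "$dn" -b "$COMPAT_BASE" -s sub \
            "(uid=$user)" >/dev/null || { echo "simple bind as $dn failed"; return 1; }
    getent passwd "$user" || { echo "SSSD/NSS cannot resolve $user (check sssd_nss.log)"; return 1; }
}

if [ -n "${1:-}" ]; then check_compat_user "$1"; fi
```

If the two ldapsearch steps succeed but `getent` fails, the problem is on the SSSD side rather than in the directory, which is where the attached SSSD logs come in.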
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sssd_default.log
Type: application/octet-stream
Size: 49172 bytes
Desc: sssd_default.log
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150403/39878ff4/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sssd_nss.log
Type: application/octet-stream
Size: 24475 bytes
Desc: sssd_nss.log
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150403/39878ff4/attachment-0001.obj>