[Freeipa-users] AD trust relationship is established, but IPA cannot see AD users

Guertin, David S. guertin at middlebury.edu
Mon Mar 2 21:33:04 UTC 2015


> Let's separate issues.
> 
> 1. Adding AD user to "IPA group" in AD.
>    Did you re-login as that user on the Windows side and then try to log on
>    to the IPA server?

Yes.

> 2. What do SSSD logs say about the login attempt? You need to set
>    debug_level = 10 in [domain/..], [nss] and [pam] sections of
>    /etc/sssd/sssd.conf and restart sssd.

> If 'su' says that user does not exist, it means SSSD does not see the user as
> existing. There may be multiple reasons for that, sssd logs should tell
> exactly what has happened. You can try 'id testuser' to reduce use case for
> sssd logs.

OK, here's what shows up in /var/log/sssd_nss.log after "id testuser at middlebury.edu":

(Mon Mar  2 15:34:34 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'testuser at middlebury.edu' matched expression for domain 'middlebury.edu', user is testuser
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [testuser] from [middlebury.edu]
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [testuser at middlebury.edu]
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 3, 1432158221, Account info lookup failed
Will try to return what we have in cache
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!

That makes it look like AD is not sending the user info to IPA. But if the trust is set up, why is it not sending it?

BTW, if I don't include the domain name with the username, i.e. I do "id testuser", I see:

(Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'testuser' matched without domain, user is testuser
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [testuser] from [<ALL>]
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [testuser at csns.middlebury.edu]
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [testuser at csns.middlebury.edu]
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!

Thanks,
David Guertin
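
Added example, not part of the original message or of SSSD: a small Python triage script for sssd_nss.log lines in the format shown above. It separates lookups that failed at the Data Provider from lookups that completed with no result. The function names and outcome labels are assumptions made for this illustration.

```python
import re

# SSSD debug line layout: (timestamp) [process] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>sssd\[[^\]]+\])\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]{4})\): (?P<msg>.*)$")
REQ_RE = re.compile(r"Requesting info for \[(?P<name>[^\]]+)\] from \[(?P<domain>[^\]]+)\]")

def parse_records(text):
    """Return one dict per log record, folding continuation lines into 'msg'."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            records.append(m.groupdict())
        elif records and raw.strip():
            # Lines without a header (e.g. "Error: 3, ...") belong to the previous record.
            records[-1]["msg"] += "\n" + raw.strip()
    return records

def triage_lookups(text):
    """Return one result per nss_cmd_getbynam request, with its outcome."""
    results, current = [], None
    for rec in parse_records(text):
        req = REQ_RE.search(rec["msg"]) if rec["func"] == "nss_cmd_getbynam" else None
        if req:
            current = {"name": req["name"], "domain": req["domain"], "outcome": "unknown", "detail": ""}
            results.append(current)
        elif current is None:
            continue
        elif "Unable to get information from Data Provider" in rec["msg"]:
            current["outcome"] = "data_provider_error"
            current["detail"] = " ".join(rec["msg"].splitlines()[1:])
        elif "No results for getpwnam call" in rec["msg"]:
            current["outcome"] = "not_found"
        elif "Client disconnected" in rec["msg"]:
            current = None  # end of this client session
    return results

# Sample input: lines copied from the two log excerpts in the message above.
SAMPLE = """\
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [testuser] from [middlebury.edu]
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 3, 1432158221, Account info lookup failed
Will try to return what we have in cache
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [testuser] from [<ALL>]
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
"""
```

Calling triage_lookups() on the contents of /var/log/sssd_nss.log returns one entry per lookup; a data_provider_error entry points at the domain (backend) log for that domain as the next place to look.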




