[Freeipa-users] AD trust relationship is established, but IPA cannot see AD users

Dmitri Pal dpal at redhat.com
Tue Mar 3 00:56:55 UTC 2015


On 03/02/2015 04:33 PM, Guertin, David S. wrote:
>> Lets separate issues.
>>
>> 1. Adding AD user to "IPA group" in AD.
>>     Did you re-login as that user on Windows side and then tried to logon
>>     to IPA server?
> Yes.
>
>> 2. What do SSSD logs say about the login attempt? You need to set
>>     debug_level = 10 in [domain/..], [nss] and [pam] sections of
>>     /etc/sssd/sssd.conf and restart sssd.
>> If 'su' says that user does not exist, it means SSSD does not see the user as
>> existing. There may be multiple reasons for that, sssd logs should tell
>> exactly what has happened. You can try 'id testuser' to reduce use case for
>> sssd logs.
> OK, here's what shows up in /var/log/sssd_nss.log after "id testuser at middlebury.edu":
>
> (Mon Mar  2 15:34:34 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> (Mon Mar  2 15:34:34 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> (Mon Mar  2 15:34:34 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'testuser at middlebury.edu' matched expression for domain 'middlebury.edu', user is testuser
> (Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [testuser] from [middlebury.edu]
> (Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [testuser at middlebury.edu]
> (Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
> Error: 3, 1432158221, Account info lookup failed

The trust is established using one protocol while the lookup happens 
using another. Can it be that there is a FW and LDAP calls might not go 
through between the IPA server and AD?

> Will try to return what we have in cache
> (Mon Mar  2 15:34:34 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
>
> That makes it look like AD is not sending the user info to IPA. But if the trust is set up, why is it not sending it?
>
> BTW, if I don't include the domain name with the username, i.e. I do "id testuser", I see:
>
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'testuser' matched without domain, user is testuser
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [testuser] from [<ALL>]
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [testuser at csns.middlebury.edu]
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [testuser at csns.middlebury.edu]
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!

In this case it assumes that the user is an IPA user and does not try to 
look up the user in AD.

>
> Thanks,
> David Guertin
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
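An added example, not part of the thread, that makes the distinction drawn above mechanical: a small parser for sssd_nss.log lines that reports whether SSSD routed the lookup to the trusted domain and the Data Provider then failed (pointing at connectivity between the IPA server and AD), or never left the local IPA domain because the name carried no domain suffix. The sample lines are constructed from the two excerpts in the thread, with the list's "at" restored to "@".

```python
"""Triage SSSD nss responder log lines for a failed user lookup."""
import re
from dataclasses import dataclass
from typing import List

# Line layout: (timestamp) [sssd[nss]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<comp>sssd\[[a-z]+\])\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

@dataclass
class Entry:
    ts: str
    func: str
    level: int  # SSSD debug bitmask; 0x0040 is an operation failure
    msg: str

def parse(lines: List[str]) -> List[Entry]:
    """Keep only well-formed log lines; continuation lines are skipped."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Entry(m["ts"], m["func"], int(m["level"], 16), m["msg"]))
    return out

def triage(lines: List[str]) -> str:
    """Classify one 'id user' exchange from sssd_nss.log."""
    entries = parse(lines)
    domain = None
    for e in entries:  # which domain did the responder dispatch to?
        if e.func == "nss_cmd_getbynam":
            m = re.search(r"from \[(.+?)\]", e.msg)
            domain = m.group(1) if m else None
    for e in entries:
        if "Unable to get information from Data Provider" in e.msg:
            return f"backend-failure:{domain}"   # routed to AD domain, provider failed
    for e in entries:
        if "No results for getpwnam call" in e.msg:
            if domain == "<ALL>":
                return "no-domain:searched-local-only"  # bare name, AD never consulted
            return f"not-found:{domain}"
    return "ok"

# Constructed samples based on the two excerpts in the thread.
LOG_QUALIFIED = """\
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'testuser@middlebury.edu' matched expression for domain 'middlebury.edu', user is testuser
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [testuser] from [middlebury.edu]
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 3, 1432158221, Account info lookup failed""".splitlines()
LOG_BARE = """\
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'testuser' matched without domain, user is testuser
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [testuser] from [<ALL>]
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [testuser@csns.middlebury.edu]
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call""".splitlines()
```

Run against a real log by passing `open("/var/log/sssd/sssd_nss.log").read().splitlines()` for one lookup's worth of lines; a "backend-failure" result is the cue to check the IPA-to-AD LDAP path, a "no-domain" result means the name must be fully qualified.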



