[Freeipa-users] AD trust relationship is established, but IPA cannot see AD users

Jakub Hrozek jhrozek at redhat.com
Tue Mar 3 09:55:26 UTC 2015


On Mon, Mar 02, 2015 at 09:33:04PM +0000, Guertin, David S. wrote:
> > Lets separate issues.
> > 
> > 1. Adding AD user to "IPA group" in AD.
> >    Did you re-login as that user on Windows side and then tried to logon
> >    to IPA server?
> 
> Yes.
> 
> > 2. What do SSSD logs say about the login attempt? You need to set
> >    debug_level = 10 in [domain/..], [nss] and [pam] sections of
> >    /etc/sssd/sssd.conf and restart sssd.
> 
> > If 'su' says that user does not exist, it means SSSD does not see the user as
> > existing. There may be multiple reasons for that, sssd logs should tell
> > exactly what has happened. You can try 'id testuser' to reduce use case for
> > sssd logs.
> 
> OK, here's what shows up in /var/log/sssd_nss.log after "id testuser at middlebury.edu":
> 
> (Mon Mar  2 15:34:34 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> (Mon Mar  2 15:34:34 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> (Mon Mar  2 15:34:34 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'testuser at middlebury.edu' matched expression for domain 'middlebury.edu', user is testuser
> (Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [testuser] from [middlebury.edu]
> (Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [testuser at middlebury.edu]
> (Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
> Error: 3, 1432158221, Account info lookup failed
> Will try to return what we have in cache
> (Mon Mar  2 15:34:34 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
> 
> That makes it look like AD is not sending the user info to IPA. But if the trust is set up, why is it not sending it?

The request was actually sent by the NSS front-end, but the "Unable to
get information from Data Provider" line says the sssd_be back end
process was unable to connect to the server and fetch the data.

Do these logs come from a client or the IPA server? Are you able to look
up the user on the IPA server at least? 

Can you paste (sanitized) logs from the sssd_be process as well? They
would be located at /var/log/sssd/sssd_middlebury.edu.log

If the logs are from the client and the back end logs would say
something about extended operation failing, then we need to take a look
at the sssd logs on the server as well.


> 
> BTW, if I don't include the domain name with the username, i.e. I do "id testuser", I see:
> 
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'testuser' matched without domain, user is testuser
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [testuser] from [<ALL>]
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [testuser at csns.middlebury.edu]
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [testuser at csns.middlebury.edu]
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!

Right, the code paths for retrieving IPA users and AD users are mostly
separate on the sssd_be side.
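The two sssd_nss.log excerpts quoted above differ in a way that is easy to miss when reading by eye: the fully qualified lookup reached the Data Provider and failed there, while the bare-username lookup never asked the AD domain at all and simply returned no results from the IPA domain. The following triage script is an added example (not from the thread, not part of SSSD or FreeIPA) that parses sssd_nss.log lines as SSSD writes them at debug_level 10, groups them into one lookup per client connection, and classifies each lookup as a back end failure (pointing at the sssd_<domain>.log to read next, as suggested in the reply) or as a plain "not found in the domains that were searched". The sample log text is constructed from the thread's two lookups; real logs carry a literal `@`, which the list archive rewrote as ` at `. The function names `sss_cmd_get_version`, `sss_parse_name_for_domains`, `nss_cmd_getpwnam_search` and `nss_cmd_getby_dp_callback` are taken from the quoted log; the per-domain log path follows the reply's `/var/log/sssd/sssd_middlebury.edu.log`.

```python
"""Triage helper for SSSD NSS-responder log lines (added example, not part of
the thread or of SSSD). Groups sssd_nss.log lines into one lookup per client
connection and classifies a failed `id user` as either
  backend_failed: the Data Provider (sssd_be) returned no data, so the next
                  log to read is /var/log/sssd/sssd_<domain>.log; or
  not_found: the domains actually searched had no such user (in the sample,
             a bare username was only tried against the IPA domain).
Real logs carry a literal '@'; the list archive rewrote it as ' at '.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LINE_RE = re.compile(r"^\([^)]+\) \[sssd\[\w+\]\] \[(?P<func>\w+)\] "
                     r"\(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
MATCHED_RE = re.compile(r"matched expression for domain '(?P<dom>[^']+)'")
USER_RE = re.compile(r"user is (?P<name>\S+)$")
REQ_RE = re.compile(r"Requesting info for \[(?P<name>[^\]]+)\]")
# Continuation line after the DP failure: "Error: 3, 1432158221, Account info lookup failed"
ERR_RE = re.compile(r"^Error: (?P<dp_err>\d+), (?P<code>\d+), (?P<text>.*)$", re.M)


@dataclass
class Lookup:
    name: Optional[str] = None
    requested_domain: Optional[str] = None             # domain given in the query, if any
    searched: List[str] = field(default_factory=list)  # fully qualified names tried
    verdict: str = "unknown"
    dp_error: Optional[Tuple[int, int, str]] = None
    next_log: Optional[str] = None


def parse_entries(lines):
    """Return [function, message] pairs; lines without the timestamp prefix are
    continuation text of the previous entry (the 'Error: ...' lines)."""
    entries = []
    for raw in lines:
        raw = raw.rstrip("\n")
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if m:
            entries.append([m["func"], m["msg"]])
        elif entries:
            entries[-1][1] += "\n" + raw
    return entries


def triage(lines):
    """Split the log into per-connection lookups and classify each one."""
    lookups, cur = [], None
    for func, msg in parse_entries(lines):
        if func == "sss_cmd_get_version" and msg.startswith("Received"):
            cur = Lookup()                      # a new client connection starts here
            lookups.append(cur)
        if cur is None:
            continue
        if func == "sss_parse_name_for_domains":
            dm, um = MATCHED_RE.search(msg), USER_RE.search(msg)
            if dm:
                cur.requested_domain = dm["dom"]
            if um:
                cur.name = um["name"]
        elif func == "nss_cmd_getpwnam_search":
            rm = REQ_RE.search(msg)
            if rm and rm["name"] not in cur.searched:
                cur.searched.append(rm["name"])
            if "No results for getpwnam call" in msg:
                cur.verdict = "not_found"
        elif func == "nss_cmd_getby_dp_callback" and "Unable to get information" in msg:
            cur.verdict = "backend_failed"
            em = ERR_RE.search(msg)
            if em:
                cur.dp_error = (int(em["dp_err"]), int(em["code"]), em["text"])
            dom = cur.requested_domain
            if dom is None and cur.searched and "@" in cur.searched[-1]:
                dom = cur.searched[-1].split("@", 1)[1]
            if dom:
                cur.next_log = f"/var/log/sssd/sssd_{dom}.log"
    return lookups


# Constructed sample modelled on the two lookups quoted in the thread.
SAMPLE_FQ = """\
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'testuser@middlebury.edu' matched expression for domain 'middlebury.edu', user is testuser
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [testuser@middlebury.edu]
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 3, 1432158221, Account info lookup failed
Will try to return what we have in cache
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
"""
SAMPLE_BARE = """\
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'testuser' matched without domain, user is testuser
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [testuser@csns.middlebury.edu]
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
"""

if __name__ == "__main__":
    for lk in triage(SAMPLE_FQ.splitlines()) + triage(SAMPLE_BARE.splitlines()):
        print(lk)
```

Run against a real log with `triage(open("/var/log/sssd/sssd_nss.log").readlines())`; a `backend_failed` verdict means the answer is in the back end log named in `next_log`, not in the NSS responder log, while `not_found` with only the IPA domain in `searched` means the query never reached the trusted domain and the name should be retried fully qualified.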



