[Freeipa-users] ipa_get_*_acct request failed: [22]: Invalid argument on IPA client when looking up AD users

Troels Hansen th at casalogic.dk
Tue Aug 9 11:45:27 UTC 2016


Think it was a combination of multiple things; without ever really figuring out what, I have now made it work.

Mainly, I think it had to do with the "full_name_format" parameter, which seems to cause problems if being set on the IPA client?

If I set it
"full_name_format = %1$s"

I'm unable to look up users on the SSSD client, despite the same thing working on SSSD on the IPA server?

My config looks like this:

[domain/linux.dr.dk]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linux.dr.dk
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = rhel02udv.linux.dr.dk
chpass_provider = ipa
ipa_server = ipa02tst.linux.dr.dk
ldap_tls_cacert = /etc/ipa/ca.crt

# Bugfix until RHEL 7.3 arrives
# http://www.redhat.com/archives/freeipa-users/2016-May/msg00209.html
ldap_user_principal = nosuchattr
subdomain_inherit = ldap_user_principal

debug_level=5

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = linux.dr.dk
default_domain_suffix = NET.DR.DK
# full_name_format = %1$s

[nss]
homedir_substring = /home

[pam]
[sudo]
[autofs]
[ssh]
[pac]

With this I can look up users, but not log in using SSH.

I think I'm circling around the solution, as both lookup and ssh login work on the IPA server.


----- On Aug 9, 2016, at 1:19 PM, Jakub Hrozek jhrozek at redhat.com wrote:

> On Tue, Aug 09, 2016 at 12:34:04PM +0200, Troels Hansen wrote:
>> Hi, I have an sssd client which is currently causing problems when looking up IPA
>> / AD users.
>> 
>> # getent passwd drextrha@net.dr.dk
>> returns nothing.
>> 
>> # getent passwd admin@linux.dr.dk
>> admin@linux.dr.dk:*:10000:10000:admin admin:/home/admin:/bin/bash
>> 
>> works, so it can see the IPA domain.
>> 
>> tried re-enrolling the client on IPA server (ipa-client-install --uninstall),
>> didn't make a difference.
>> 
>> SSSD configuration parameters are the same on IPA server, and client.
>> 
>> Only thing I can find on the client (loglevel 5) is:
>> (Tue Aug 9 11:33:44 2016) [sssd[be[linux.dr.dk]]] [be_get_account_info]
>> (0x0200): Got request for [0x1001][1][name=drextrha]
>> (Tue Aug 9 11:33:44 2016) [sssd[be[linux.dr.dk]]] [ipa_srv_ad_acct_lookup_done]
>> (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
>> (Tue Aug 9 11:33:44 2016) [sssd[be[linux.dr.dk]]] [ipa_subdomain_account_done]
>> (0x0040): ipa_get_*_acct request failed: 22
>> (Tue Aug 9 11:33:44 2016) [sssd[be[linux.dr.dk]]] [acctinfo_callback] (0x0100):
>> Request processed. Returned 3,22,Account info lookup failed
>> 
>> Can't grasp what that error covers?
> 
> You need to look into the corresponding server-side sssd logs. See:
>    https://fedorahosted.org/sssd/wiki/Troubleshooting
> search for 'Common IPA provider issues'.
> 

-- 
Best regards

Troels Hansen

Systems Consultant

Casalogic A/S


T (+45) 70 20 10 63

M (+45) 22 43 71 57

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
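
Added example, not part of the original thread or of SSSD itself: a small Python parser for SSSD backend logs that ties each account request to the "request failed" entries logged after it, which helps when matching client-side failures against the server-side log as advised above. The function names unwrap and failed_lookups are hypothetical, the sample is the four entries quoted in the post, and the grouping assumes requests are logged one after another.

```python
import errno
import re

# Constructed sample: the four entries from the post, wrapped as in the mail.
SAMPLE_LOG = """\
(Tue Aug 9 11:33:44 2016) [sssd[be[linux.dr.dk]]] [be_get_account_info]
(0x0200): Got request for [0x1001][1][name=drextrha]
(Tue Aug 9 11:33:44 2016) [sssd[be[linux.dr.dk]]] [ipa_srv_ad_acct_lookup_done]
(0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
(Tue Aug 9 11:33:44 2016) [sssd[be[linux.dr.dk]]] [ipa_subdomain_account_done]
(0x0040): ipa_get_*_acct request failed: 22
(Tue Aug 9 11:33:44 2016) [sssd[be[linux.dr.dk]]] [acctinfo_callback] (0x0100):
Request processed. Returned 3,22,Account info lookup failed
"""

START = re.compile(r"\(\w{3} \w{3} +\d+ [\d:]+ \d{4}\) \[sssd")
ENTRY = re.compile(r"^\([^)]+\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
                   r"\[(?P<func>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")
REQUEST = re.compile(r"Got request for \[0x[0-9a-f]+\]\[\d+\]\[(.+)\]$")
FAILED = re.compile(r"request failed: \[?(\d+)\]?")

def unwrap(text):
    """Re-join entries that a mail client wrapped across several lines."""
    entries = []
    for line in text.splitlines():
        if START.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def failed_lookups(text):
    """One record per account request for which a backend function failed."""
    results, current = [], None
    for m in filter(None, map(ENTRY.match, unwrap(text))):
        req = REQUEST.search(m["msg"])
        if req:  # a new request starts; later failures belong to it
            current = {"domain": m["domain"], "filter": req[1], "errors": []}
        elif current is not None:
            fail = FAILED.search(m["msg"])
            if fail:
                code = int(fail[1])
                name = errno.errorcode.get(code, "?")
                current["errors"].append((m["func"], code, name))
            if m["func"] == "acctinfo_callback":  # request finished
                if current["errors"]:
                    results.append(current)
                current = None
    return results
```

Each returned record gives the lookup filter, the SSSD domain and the functions that reported the error, so the same filter can be searched for in the server's log at the same timestamp.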



