[Freeipa-users] ipa_get_*_acct request failed: [22]: Invalid argument on IPA client when looking up AD users
Troels Hansen
th at casalogic.dk
Tue Aug 9 11:45:27 UTC 2016
Think it was a combination of multiple things, without ever really figuring out what, I have now made it work.
Mainly, I think it had to do with the "full_name_format" parameter, which seems to cause problems if being set on the IPA client?
If I set it
"full_name_format = %1$s"
I'm unable to look up users on the SSSD client, despite the same thing working on SSSD on the IPA server?
My config looks like this:
[domain/linux.dr.dk]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = linux.dr.dk
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = rhel02udv.linux.dr.dk
chpass_provider = ipa
ipa_server = ipa02tst.linux.dr.dk
ldap_tls_cacert = /etc/ipa/ca.crt
# Bugfix until RHEL 7.3 arrives
# http://www.redhat.com/archives/freeipa-users/2016-May/msg00209.html
ldap_user_principal = nosuchattr
subdomain_inherit = ldap_user_principal
debug_level=5
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = linux.dr.dk
default_domain_suffix = NET.DR.DK
# full_name_format = %1$s
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
With this I can look up users, but not log in using SSH.
I think I'm circling around the solution as both lookup and ssh login work on the IPA server.
----- On Aug 9, 2016, at 1:19 PM, Jakub Hrozek jhrozek at redhat.com wrote:
> On Tue, Aug 09, 2016 at 12:34:04PM +0200, Troels Hansen wrote:
>> Hi, I have an sssd client which is currently causing problems when looking up IPA
>> / AD users.
>>
>> # getent passwd drextrha at net.dr.dk
>> returns nothing.
>>
>> # getent passwd admin at linux.dr.dk
>> admin at linux.dr.dk:*:10000:10000:admin admin:/home/admin:/bin/bash
>>
>> works, so it can see the IPA domain.
>>
>> tried re-enrolling the client on IPA server (ipa-client-install --uninstall),
>> didn't make a difference.
>>
>> SSSD configuration parameters are the same on IPA server, and client.
>>
>> Only thing I can find on the client (loglevel 5) is:
>> (Tue Aug 9 11:33:44 2016) [sssd[be[linux.dr.dk]]] [be_get_account_info]
>> (0x0200): Got request for [0x1001][1][name=drextrha]
>> (Tue Aug 9 11:33:44 2016) [sssd[be[linux.dr.dk]]] [ipa_srv_ad_acct_lookup_done]
>> (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
>> (Tue Aug 9 11:33:44 2016) [sssd[be[linux.dr.dk]]] [ipa_subdomain_account_done]
>> (0x0040): ipa_get_*_acct request failed: 22
>> (Tue Aug 9 11:33:44 2016) [sssd[be[linux.dr.dk]]] [acctinfo_callback] (0x0100):
>> Request processed. Returned 3,22,Account info lookup failed
>>
>> Can't grasp what that error covers?
>
> You need to look into the corresponding server-side sssd logs. See:
> https://fedorahosted.org/sssd/wiki/Troubleshooting
> search for 'Common IPA provider issues'.
>
--
Kind regards
Troels Hansen
System consultant
Casalogic A/S
T (+45) 70 20 10 63
M (+45) 22 43 71 57
Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
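
An added example, not part of the original thread and not SSSD's own code: a small Python triage script for the backend log format quoted above, pairing each be_get_account_info request with its acctinfo_callback result and collecting the failure-level lines logged in between. It assumes one in-flight request per domain and that the second number in "Returned 3,22,..." is an errno value; the last two sample lines are constructed.

```python
import errno
import re
from collections import namedtuple

# SSSD backend debug line: (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
                     r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]{4})\): (?P<msg>.*)$")
REQUEST_RE = re.compile(r"Got request for \[0x[0-9a-fA-F]+\]\[\d+\]\[(?P<filter>[^\]]+)\]")
RESULT_RE = re.compile(r"Request processed\. Returned \d+,(?P<err>\d+),(?P<text>.*)")
OP_FAILURE = 0x0040  # SSSD debug levels at or below this bit are failures
Failure = namedtuple("Failure", "domain filter err err_name text reasons")

# First four lines are the ones quoted in the thread (unwrapped); the last two
# are constructed to show a successful lookup being ignored.
SAMPLE_LOG = """\
(Tue Aug 9 11:33:44 2016) [sssd[be[linux.dr.dk]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=drextrha]
(Tue Aug 9 11:33:44 2016) [sssd[be[linux.dr.dk]]] [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
(Tue Aug 9 11:33:44 2016) [sssd[be[linux.dr.dk]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: 22
(Tue Aug 9 11:33:44 2016) [sssd[be[linux.dr.dk]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,22,Account info lookup failed
(Tue Aug 9 11:33:50 2016) [sssd[be[linux.dr.dk]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=admin]
(Tue Aug 9 11:33:50 2016) [sssd[be[linux.dr.dk]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
"""

def failed_lookups(log_text):
    """Pair each account request with its result; return only the failed ones."""
    pending = {}   # domain -> (filter, failure messages seen since the request)
    failures = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        domain, func, msg = m["domain"], m["func"], m["msg"]
        req, res = REQUEST_RE.search(msg), RESULT_RE.search(msg)
        if func == "be_get_account_info" and req:
            pending[domain] = (req["filter"], [])
        elif func == "acctinfo_callback" and res and domain in pending:
            flt, reasons = pending.pop(domain)
            err = int(res["err"])
            if err != 0:
                name = errno.errorcode.get(err, "?")
                failures.append(Failure(domain, flt, err, name, res["text"], reasons))
        elif domain in pending and int(m["level"], 16) <= OP_FAILURE:
            pending[domain][1].append(f"{func}: {msg}")
    return failures

if __name__ == "__main__":
    for f in failed_lookups(SAMPLE_LOG):
        print(f)
```

Run against the client's and the IPA server's domain logs in turn, it gives the request filter and timestamp window to search for in the server-side log that the reply points to.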