[Freeipa-users] ID Views without AD

Mike Kelly pioto at pioto.org
Wed Feb 10 20:18:51 UTC 2016


On Wed, Feb 10, 2016 at 3:19 AM Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Wed, 10 Feb 2016, Mike Kelly wrote:
>
> >Is there some extra logging I can turn on to see why this ID View isn't
> >being applied like I would expect? Or perhaps some extra bit of
> >configuration I missed?
> Level 7 or 9 debug logs in SSSD on the client might help.
>

Thanks.

Here's what looks like the relevant bits in /var/log/sssd/sssd_nss.log,
after I ran `sss_cache -E ; id pioto`:

(Wed Feb 10 15:06:45 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running
command [17] with input [pioto].

(Wed Feb 10 15:06:45 2016) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'pioto' matched without domain, user is pioto

(Wed Feb 10 15:06:45 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
Requesting info for [pioto] from [<ALL>]

(Wed Feb 10 15:06:45 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
Requesting info for [pioto at home.pioto.org]

(Wed Feb 10 15:06:45 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a
LOCAL view, continuing with provided values.

(Wed Feb 10 15:06:45 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400):
Issuing request for [0x7f9b482220e0:1:pioto at home.pioto.org]

(Wed Feb 10 15:06:45 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400):
Creating request for [home.pioto.org][4097][1][name=pioto]

(Wed Feb 10 15:06:45 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400):
Entering request [0x7f9b482220e0:1:pioto at home.pioto.org]

(Wed Feb 10 15:06:45 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got
reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Success)

(Wed Feb 10 15:06:45 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
Requesting info for [pioto at home.pioto.org]

(Wed Feb 10 15:06:45 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400):
Returning info for user [pioto at home.pioto.org]

(Wed Feb 10 15:06:45 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400):
Deleting request: [0x7f9b482220e0:1:pioto at home.pioto.org]

(Wed Feb 10 15:06:45 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running
command [34] with id [1403400001].

(Wed Feb 10 15:06:45 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100):
Requesting info for [1403400001 at home.pioto.org]

----

So, if I'm reading that right, it looks like we first query the server to
find the user with name 'pioto', and then get back a response containing my
IPA-assigned UID, and do a further lookup on that... it mentions "Not a
LOCAL view, ...", but I'm not sure that's related?
So, I wonder if there's some bit of client-side configuration that I'm
missing? But, the bit that I see in /var/log/sssd/sssd_home.pioto.org.log
seems to match up with what I can see in LDAP:

(Wed Feb 10 13:09:52 2016) [sssd[be[home.pioto.org]]] [dp_copy_options_ex]
(0x0400): Option ipa_views_search_base has value
cn=views,cn=accounts,dc=home,dc=pioto,dc=org



> >I'm running a pair of CentOS 7 boxes, one acting as the FreeIPA server, and
> >the other is the "legacy" box I want to shim FreeIPA into...
> ID Views are only applied on machines where you have SSSD that supports
> them, just to make sure.
>

Thanks. Both server and client are running:

$ sssd --version
1.13.0

-- 

Mike Kelly
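As an added example (not from this thread and not SSSD's own code), a small Python parser for the sssd_nss.log record layout shown above that pulls the lookup flow out of a debug log: the name handed to getpwnam, the domain-qualified name the responder answered for, whatever get_dp_name_and_id reported about the view, any non-zero Data Provider replies, and the id-based lookups issued afterwards. The sample lines are constructed from the ones quoted in this message, unwrapped and with `@` restored where the list archive rewrote it as ` at `.

```python
import re

# Layout of one SSSD debug-log record (sssd_nss.log, sssd_<domain>.log):
#   (timestamp) [sssd[component]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<component>.+?)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

def parse_sssd_log(lines):
    # One dict per record; lines that do not fit the record layout are skipped.
    matches = (LINE_RE.match(line.strip()) for line in lines)
    return [{**m.groupdict(), "level": int(m.group("level"), 16)} for m in matches if m]

def trace_lookup(records):
    # Summarise how the nss responder handled one getpwnam() call.
    t = {"requested": None,    # name handed to getpwnam, e.g. "pioto"
         "qualified": None,    # name@domain SSSD actually answered for
         "view_messages": [],  # what get_dp_name_and_id said about the view
         "dp_errors": [],      # Data Provider replies with a non-zero error
         "followup_ids": []}   # id-based lookups issued after the user answer
    for r in records:
        func, msg = r["func"], r["msg"]
        if func == "nss_cmd_getbynam":
            m = re.search(r"with input \[([^\]]+)\]", msg)
            t["requested"] = m.group(1) if m else t["requested"]
        elif func == "nss_cmd_getpwnam_search" and msg.startswith("Returning"):
            m = re.search(r"\[([^\]]+)\]", msg)
            t["qualified"] = m.group(1) if m else t["qualified"]
        elif func == "get_dp_name_and_id":
            t["view_messages"].append(msg)
        elif func == "sss_dp_get_reply":
            m = re.search(r"DP error code: (\d+) errno: (\d+)", msg)
            if m and m.groups() != ("0", "0"):
                t["dp_errors"].append(msg)
        elif func == "nss_cmd_getbyid":
            m = re.search(r"with id \[(\d+)\]", msg)
            t["followup_ids"] += [int(m.group(1))] if m else []
    return t

# Constructed sample: the lines quoted in this message, unwrapped, "@" restored.
SAMPLE_LOG = """\
(Wed Feb 10 15:06:45 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [pioto].
(Wed Feb 10 15:06:45 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [pioto@home.pioto.org]
(Wed Feb 10 15:06:45 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Wed Feb 10 15:06:45 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success (Success)
(Wed Feb 10 15:06:45 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [pioto@home.pioto.org]
(Wed Feb 10 15:06:45 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [34] with id [1403400001].
"""
print(trace_lookup(parse_sssd_log(SAMPLE_LOG.splitlines())))
```

Running it over a real sssd_nss.log captured at debug level 7 or 9 gives a quick check of which domain answered and whether any view-related branch was taken, without reading the whole log by hand.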