[Freeipa-users] Active Directory and IPA Client

Cameron Christensen cameron.christensen at uk2group.com
Mon Jan 25 17:15:42 UTC 2016


Hello,

I have a trust established between Windows Active Directory and IPA.
From the IPA server I can get details about AD users but not from a
server configured as an IPA client.

[root@ipa_server ~]# getent passwd ad_user@ad_domain
ad_user@ad_domain:*:1869402973:1869402973:ADUser Name:/home/ad_domain/ad_user:

Trying to access details about AD users from a server configured as an
IPA client gives no results.

[root@ipa_client server ~]# getent passwd ad_user@ad_domain
[root@ipa_client server ~]#

I've enabled debugging of sssd. I believe this is the relevant
information from /var/log/sssd/sssd_<ipa_domain>.log

(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]]
[sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]]
[sbus_handler_got_caller_id] (0x4000): Received SBUS method
[getAccountInfo]
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [be_get_account_info]
(0x0200): Got request for [0x1001][1][name=ad_user]
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [be_req_set_domain]
(0x0400): Changing request domain from [ipa_domain] to [ad_domain]
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]]
[sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]]
[sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]]
[ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in
view [Default Trust View] with filter
[(&(objectClass=ipaUserOverride)(uid=ad_user))].
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [sdap_print_server]
(0x2000): Searching <IP of IPA server>
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectClass=ipaUserOverride)(uid=ad_user))][cn=Default Trust
View,cn=views,cn=accounts,dc=sub_domain,dc=domain].
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 9
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result]
(0x2000): Trace: sh[0xa88e70], connected[1], ops[0xa957b0],
ldap[0xa8a650]
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]]
[ipa_get_ad_override_done] (0x4000): No override found with filter
[(&(objectClass=ipaUserOverride)(uid=ad_user))].
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_id_op_destroy]
(0x4000): releasing operation connection
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]]
[sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_s2n_exop_send]
(0x0400): Executing extended operation
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_s2n_exop_send]
(0x2000): ldap_extended_operation sent, msgid = 10
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result]
(0x2000): Trace: sh[0xa88e70], connected[1], ops[0xa9d0c0],
ldap[0xa8a650]
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result]
(0x2000): Trace: sh[0xa88e70], connected[1], ops[0xa9d0c0],
ldap[0xa8a650]
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_s2n_exop_done]
(0x0040): ldap_extended_operation result: No such object(32), (null).
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]]
[ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_id_op_done]
(0x4000): releasing operation connection
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_id_op_destroy]
(0x4000): releasing operation connection
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [acctinfo_callback]
(0x0100): Request processed. Returned 0,0,Success
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result]
(0x2000): Trace: sh[0xa88e70], connected[1], ops[(nil)], ldap[0xa8a650]
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!

I see two issues, "ldap_extended_operation result: No such object(32),
(null)" and "ldap_result found nothing!"

Using ldapsearch to execute the query from the ipa_server or the
ipa_client_server produces no results:

[root@ipa_client_server sssd]# ldapsearch -Y GSSAPI "(&(objectClass=ipaUserOverride)(uid=ad_user))"
SASL/GSSAPI authentication started
SASL username: admin@<ipa_domain>
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=sub_domain,dc=domain> (default) with scope subtree
# filter: (&(objectClass=ipaUserOverride)(uid=ad_user))
# requesting: ALL
#

# search result
search: 4
result: 0 Success

# numResponses: 1

Any help would be greatly appreciated.

Cameron
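
Added example, not part of the original message: a small Python triage script that rejoins the mail-wrapped SSSD debug records shown above and keeps only those logged at a failure level, which separates real errors from trace output. The level names follow sssd.conf(5); the function names records and failures and the threshold default are this example's own.

```python
import re

# SSSD debug-level bits as documented in sssd.conf(5); a lower value is more severe.
LEVELS = {
    0x0010: "fatal failure", 0x0020: "critical failure",
    0x0040: "serious failure", 0x0080: "minor failure",
    0x0100: "configuration", 0x0200: "function data",
    0x0400: "operation trace", 0x1000: "internal control trace",
    0x2000: "internal variable trace", 0x4000: "low-level trace",
}
# Every record starts with "(timestamp) [sssd[..."; mail wrapping split the rest.
RECORD_START = re.compile(r"^\([^)]+\) \[sssd\[")
FIELDS = re.compile(r"\[(\w+)\]\s+\((0x[0-9a-fA-F]{4})\):\s*(.*)$")

# Excerpt of the log in the post, wrapped the way the mail archive shows it.
SAMPLE = """\
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_s2n_exop_done]
(0x0040): ldap_extended_operation result: No such object(32), (null).
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]]
[ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [acctinfo_callback]
(0x0100): Request processed. Returned 0,0,Success
""".splitlines()

def records(lines):
    """Rejoin wrapped lines into one string per log record."""
    current = None
    for line in lines:
        if RECORD_START.match(line):
            if current is not None:
                yield current
            current = line.rstrip()
        elif current is not None and line.strip():
            current += " " + line.strip()  # continuation of a wrapped record
    if current is not None:
        yield current

def failures(lines, threshold=0x0080):
    """Return (function, level name, message) for records at failure severity."""
    out = []
    for rec in records(lines):
        m = FIELDS.search(rec)
        if m and int(m.group(2), 16) <= threshold:
            level = int(m.group(2), 16)
            out.append((m.group(1), LEVELS.get(level, "unknown"), m.group(3)))
    return out

if __name__ == "__main__":
    for func, level, msg in failures(SAMPLE):
        print(f"{level:16} {func}: {msg}")
```
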