[Freeipa-users] Active Directory and IPA Client

Sumit Bose sbose at redhat.com
Mon Jan 25 17:26:21 UTC 2016


On Mon, Jan 25, 2016 at 10:15:42AM -0700, Cameron Christensen wrote:
> Hello,
> 
> I have a trust established between Windows Active Directory and IPA.
> From the IPA server I can get details about AD users but not from a
> server configured as an IPA client.
> 
> [root@ipa_server ~]# getent passwd ad_user@ad_domain
> ad_user@ad_domain:*:1869402973:1869402973:ADUser Name:/home/ad_domain/ad_user:
> 
> Trying to access details about AD users from a server configured as an
> IPA client, no results.
> 
> [root@ipa_client server ~]# getent passwd ad_user@ad_domain
> [root@ipa_client server ~]#
> 
> I've enabled debugging of sssd. I believe this is the relevant
> information from /var/log/sssd/sssd_<ipa_domain>.log
> 
> (Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
> (Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [getAccountInfo]
> (Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=ad_user]
> (Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa_domain] to [ad_domain]
> (Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
> (Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
> (Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaUserOverride)(uid=ad_user))].
> (Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [sdap_print_server] (0x2000): Searching <IP of IPA server>
> (Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=ad_user))][cn=Default Trust View,cn=views,cn=accounts,dc=sub_domain,dc=domain].
> (Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 9
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result] (0x2000): Trace: sh[0xa88e70], connected[1], ops[0xa957b0], ldap[0xa8a650]
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaUserOverride)(uid=ad_user))].
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 10
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result] (0x2000): Trace: sh[0xa88e70], connected[1], ops[0xa9d0c0], ldap[0xa8a650]
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result] (0x2000): Trace: sh[0xa88e70], connected[1], ops[0xa9d0c0], ldap[0xa8a650]
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_id_op_done] (0x4000): releasing operation connection
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result] (0x2000): Trace: sh[0xa88e70], connected[1], ops[(nil)], ldap[0xa8a650]
> (Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> 
> I see two issues, " ldap_extended_operation result: No such object(32),
> (null)" and "ldap_result found nothing!"

The IPA client cannot talk to AD directly to look up the user data, but
requests the data from the IPA server with an extended operation. Please
check if 'getent passwd ad_user@ad_domain' can look up the user on the
server and check the SSSD logs on the server if not.

HTH

bye,
Sumit

> 
> Using ldapsearch to execute the query from the ipa_server or the
> ipa_client_server produces no results:
> 
> [root@ipa_client_server sssd]# ldapsearch -Y GSSAPI "(&(objectClass=ipaUserOverride)(uid=ad_user))"
> SASL/GSSAPI authentication started
> SASL username: admin@<ipa_domain>
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <dc=sub_domain,dc=domain> (default) with scope subtree
> # filter: (&(objectClass=ipaUserOverride)(uid=ad_user))
> # requesting: ALL
> #
> 
> # search result
> search: 4
> result: 0 Success
> 
> # numResponses: 1
> 
> Any help would be greatly appreciated.
> 
> Cameron
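
One way to automate the triage Sumit describes, as an added example that is not part of this thread, of SSSD or of FreeIPA: the script below parses the SSSD debug-log format shown in the post ('(timestamp) [process] [function] (0xLEVEL): message'), follows the steps of a trusted-domain lookup (the request being re-targeted from the IPA domain to the AD domain, the ID-view override search, the s2n extended operation to the IPA server), collects the failure-level entries and says which host to inspect next. The domain and function names are those quoted in the post; SAMPLE_LOG is rebuilt from the quoted lines rather than being a live capture, the verdict wording is my own, and the mapping of the low debug-level bits to failure classes is an assumption about SSSD's level bitmask.

```python
"""Triage an SSSD debug log from an IPA client resolving an AD-trust user.

Added example for this thread, not code from the thread, SSSD or FreeIPA.
Domain and function names are those in the post; SAMPLE_LOG is rebuilt
from the lines quoted there.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# '(timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message'
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[(?P<proc>.+?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
DOMAIN_RE = re.compile(r"Changing request domain from \[[^\]]+\] to \[(?P<dst>[^\]]+)\]")
EXOP_RE = re.compile(r"ldap_extended_operation result: (?P<text>.*?)\((?P<code>\d+)\)")

@dataclass
class Record:
    ts: str
    proc: str
    func: str
    level: int
    msg: str

@dataclass
class Triage:
    request_domain: Optional[str] = None   # domain the request was re-targeted to
    override_found: Optional[bool] = None  # ID-view override present for the user?
    s2n_result: Optional[str] = None       # text of the s2n exop result
    s2n_code: Optional[int] = None         # LDAP result code of the s2n exop
    failures: List[str] = field(default_factory=list)
    verdict: str = ""

def parse_line(line: str) -> Optional[Record]:
    """One SSSD debug line -> Record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Record(m["ts"], m["proc"], m["func"], int(m["level"], 16), m["msg"])

def parse_log(text: str) -> List[Record]:
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]

def is_failure(level: int) -> bool:
    # Assumption: debug levels are a bitmask whose low bits hold the failure
    # classes (0x0010 fatal, 0x0020 critical, 0x0040 operation failure,
    # 0x0080 minor failure); higher bits are configuration and trace output.
    return bool(level & 0x00F0)

def triage(records: List[Record]) -> Triage:
    t = Triage()
    for r in records:
        if r.func == "be_req_set_domain":
            m = DOMAIN_RE.search(r.msg)
            if m:
                t.request_domain = m["dst"]
        elif r.func == "ipa_get_ad_override_done":
            t.override_found = not r.msg.startswith("No override found")
        elif r.func == "ipa_s2n_exop_done":
            m = EXOP_RE.search(r.msg)
            if m:
                t.s2n_result, t.s2n_code = m["text"].strip(), int(m["code"])
        if is_failure(r.level):
            t.failures.append(f"{r.func}: {r.msg}")

    if t.s2n_code is None:
        t.verdict = ("no s2n extended operation was sent, so the lookup never "
                     "reached the IPA server; check the client's sssd.conf and "
                     "its LDAP connection to the IPA server")
    elif t.s2n_code == 0:
        t.verdict = ("the IPA server answered the s2n request; look at the "
                     "client side (cache, ID mapping, override handling)")
    else:
        # The client never talks to AD itself, so a failed s2n exop means the
        # IPA server could not resolve the user (LDAP code 32 = noSuchObject).
        t.verdict = (f"the IPA server answered the lookup for [{t.request_domain}] "
                     f"with '{t.s2n_result}' (LDAP code {t.s2n_code}); run "
                     "'getent passwd <user>@<ad_domain>' on the IPA server and "
                     "read its /var/log/sssd/sssd_<ipa_domain>.log")
    return t

# Rebuilt from the log lines quoted in the post, not a live capture.
SAMPLE_LOG = """\
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=ad_user]
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa_domain] to [ad_domain]
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaUserOverride)(uid=ad_user))].
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
"""

if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    for f in result.failures:
        print("failure:", f)
    print("verdict:", result.verdict)
```

Run it against a real file with `triage(parse_log(open("/var/log/sssd/sssd_ipa_domain.log").read()))`; it only needs the debug level on the client high enough for the `ipa_s2n_exop_done` and `be_req_set_domain` lines to appear (the post used a level that includes 0x0400). Nothing here replaces running `getent` on the server itself; the script just points at the right host.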


