[Freeipa-users] Unable to resolve AD users from IPA
Jan Karásek
jan.karasek at elostech.cz
Wed Oct 19 10:08:01 UTC 2016
Hi,
thank you for help.
This is my sssd.conf from server :
[domain/vs.example.cz]
debug_level = 7
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = vs.example.cz
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = tidmipa02.vs.example.cz
chpass_provider = ipa
ipa_server = tidmipa02.vs.example.cz
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = vs.example.cz
[nss]
debug_level = 7
memcache_timeout = 600
homedir_substring = /home
[pam]
debug_level = 7
[sudo]
debug_level = 7
[autofs]
debug_level = 7
[ssh]
debug_level = 7
[pac]
debug_level = 7
[ifp]
debug_level = 7
I can resolve all groups from client :
SERVER: id tst99654 at cen.example.cz
uid=20019(tst99654 at cen.example.cz) gid=5001(csunix) groups=5001(csunix),930000008(final_test_group)
CLIENT:
getent group 5001
csunix:x:5001:
getent group 930000008
final_test_group:*:930000008:
getent group final_test_group at vs.example.cz
final_test_group:*:930000008:
getent group csunix at cen.example.cz
No reply - can't resolve that group from client.
More detailed log from client:
==> sssd_vs.example.cz.log <==
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f9e77a81430
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=tst99654]
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [vs.example.cz] to [cen.example.cz]
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaUserOverride)(uid=tst99654))].
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_print_server] (0x2000): Searching 10.88.14.63
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=tst99654))][cn=Default Trust View,cn=views,cn=accounts,dc=vs,dc=example,dc=cz].
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 20
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_op_add] (0x2000): New operation 20 timeout 60
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f9e77a628e0], connected[1], ops[0x7f9e77a92e60], ldap[0x7f9e77a60bd0]
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_op_destructor] (0x2000): Operation 20 finished
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaUserOverride)(uid=tst99654))].
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 21
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_op_add] (0x2000): New operation 21 timeout 6
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f9e77a628e0], connected[1], ops[0x7f9e77a75b80], ldap[0x7f9e77a60bd0]
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f9e77a628e0], connected[1], ops[0x7f9e77a75b80], ldap[0x7f9e77a60bd0]
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_op_destructor] (0x2000): Operation 21 finished
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [add_v1_user_data] (0x4000): BER tag is [48]
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [get_extra_attrs] (0x4000): Found new sequence.
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [get_extra_attrs] (0x4000): Extra attribute [objectSIDString].
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [get_extra_attrs] (0x4000): Extra attribute [userPrincipalName].
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [get_extra_attrs] (0x4000): Extra attribute [adUserAccountControl].
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [get_extra_attrs] (0x4000): Extra attribute [originalDN].
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [get_extra_attrs] (0x4000): Extra attribute [originalMemberOf].
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [get_extra_attrs] (0x4000): Extra attribute [originalMemberOf].
...
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry
...
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 22
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_op_add] (0x2000): New operation 22 timeout 6
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f9e77a628e0], connected[1], ops[0x7f9e77a8cf50], ldap[0x7f9e77a60bd0]
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f9e77a628e0], connected[1], ops[0x7f9e77a8cf50], ldap[0x7f9e77a60bd0]
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_op_destructor] (0x2000): Operation 22 finished
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed.
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_done] (0x0040): s2n get_fqlist request failed.
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f9e77a628e0], connected[1], ops[(nil)], ldap[0x7f9e77a60bd0]
(Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
This is nss log on server during id request from client:
(Mon Oct 17 12:26:05 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Mon Oct 17 12:26:05 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [tst99654 at cen.example.cz].
(Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'tst99654 at cen.example.cz' matched expression for domain 'cen.example.cz', user is tst99654
(Mon Oct 17 12:26:05 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [tst99654] from [cen.example.cz]
(Mon Oct 17 12:26:05 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [tst99654 at cen.example.cz]
(Mon Oct 17 12:26:05 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff311bd20d0:1:tst99654 at cen.example.cz]
(Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [cen.example.cz][4097][1][name=tst99654]
(Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7ff311bd20d0:1:tst99654 at cen.example.cz]
(Mon Oct 17 12:26:05 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff311bd20d0:3:tst99654 at cen.example.cz]
(Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [cen.example.cz][4099][1][name=tst99654]
(Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7ff311bd20d0:3:tst99654 at cen.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success (Success)
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [tst99654 at cen.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_initgroups_search] (0x0400): Initgroups for [tst99654 at cen.example.cz] completed
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7ff311bd20d0:3:tst99654 at cen.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [34] with id [930000008].
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [930000008 at vs.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0400): Returning info for gid [930000008 at vs.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [930000008]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [csunix at vs.example.cz].
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'csunix at vs.example.cz' matched expression for domain 'vs.example.cz', user is csunix
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [csunix] from [vs.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [csunix at vs.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff311bd20d0:1:csunix at vs.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [vs.example.cz][4097][1][name=csunix]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7ff311bd20d0:1:csunix at vs.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 0 error message: Account info lookup failed
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 3, 0, Account info lookup failed
Will try to return what we have in cache
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7ff311bd20d0:1:csunix at vs.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [33] with input [csunix at vs.example.cz].
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'csunix at vs.example.cz' matched expression for domain 'vs.example.cz', user is csunix
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [csunix] from [vs.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getgrnam_search] (0x0100): Requesting info for [csunix at vs.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff311bd20d0:2:csunix at vs.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [vs.example.cz][4098][1][name=csunix]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7ff311bd20d0:2:csunix at vs.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 0 error message: Account info lookup failed
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 3, 0, Account info lookup failed
Will try to return what we have in cache
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7ff311bd20d0:2:csunix at vs.example.cz]
Also I find out that in AD there are multiple objects with gidNumber=5001
ldapsearch .... (&(gidNumber=5001)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0)))) > /tmp/csunix_dump
cat /tmp/csunix_dump
dn: CN=csunix_0,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: top
objectClass: posixGroup
objectClass: group
cn: csunix_0
...
gidNumber: 5001
dn: CN=csunix_1,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: top
objectClass: posixGroup
objectClass: group
cn: csunix_1
....
gidNumber: 5001
dn: CN=csunix_2,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: top
objectClass: posixGroup
objectClass: group
cn: csunix_2
...
gidNumber: 5001
dn: CN=csunix_3,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: top
objectClass: posixGroup
objectClass: group
cn: csunix_3
...
gidNumber: 5001
dn: CN=csunix_4,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: top
objectClass: posixGroup
objectClass: group
cn: csunix_4
...
gidNumber: 5001
dn: CN=csunix_5,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: top
objectClass: posixGroup
objectClass: group
cn: csunix_5
...
gidNumber: 5001
dn: CN=csunix,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: top
objectClass: posixGroup
objectClass: group
cn: csunix
...
gidNumber: 5001
and in the logs on the server(both nss and sssd grep by csunix). It looks like it has problem with that 'multiple' object :
(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=csunix_0,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz].
(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=csunix_1,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz].
(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=csunix_2,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz].
(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=csunix_3,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz].
(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=csunix_4,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz].
(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=csunix_5,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz].
(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=csunix,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz].
(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_get_primary_name] (0x0400): Processing object csunix_0 at cen.example.cz
(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_save_group] (0x0400): Processing group csunix_0 at cen.example.cz
(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_check_ad_group_type] (0x0400): Filtering AD group [csunix_0 at cen.example.cz].
(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_save_group] (0x0400): Storing info for group csunix_0 at cen.example.cz
(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sysdb_store_group] (0x1000): Group csunix_0 at cen.example.cz does not exist.
(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_get_primary_name] (0x0400): Processing object csunix_0 at example.cz
(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_save_grpmem] (0x0400): Processing group csunix_0 at example.cz
(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_save_grpmem] (0x0040): Failed to save members of group csunix_0 at example.cz
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [csunix at vs.example.cz].
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'csunix at vs.example.cz' matched expression for domain 'vs.example.cz', user is csunix
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [csunix] from [vs.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [csunix at vs.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff311bd20d0:1:csunix at vs.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [vs.example.cz][4097][1][name=csunix]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7ff311bd20d0:1:csunix at vs.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=csunix]
(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=csunix)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=vs,dc=example,dc=cz].
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7ff311bd20d0:1:csunix at vs.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [33] with input [csunix at vs.example.cz].
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'csunix at vs.example.cz' matched expression for domain 'vs.example.cz', user is csunix
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [csunix] from [vs.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getgrnam_search] (0x0100): Requesting info for [csunix at vs.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff311bd20d0:2:csunix at vs.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [vs.example.cz][4098][1][name=csunix]
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7ff311bd20d0:2:csunix at vs.example.cz]
(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] (0x0200): Got request for [0x1002][1][name=csunix]
(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=csunix)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=vs,dc=example,dc=cz].
(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7ff311bd20d0:2:csunix at vs.example.cz]
I dont know why there is that 'multiobject' in AD, will have to ask Windows team. Can this be the reason, why clients are not able to resolve users ?
OR
Can be the reason that it asking for csunix at vs.example.cz ?
Sorry for the long post.
Thank you,
Jan
From: "freeipa-users-request" <freeipa-users-request at redhat.com>
To: freeipa-users at redhat.com
Sent: Monday, October 17, 2016 3:56:08 PM
Subject: Freeipa-users Digest, Vol 99, Issue 46
Send Freeipa-users mailing list submissions to
freeipa-users at redhat.com
To subscribe or unsubscribe via the World Wide Web, visit
https://www.redhat.com/mailman/listinfo/freeipa-users
or, via email, send a message with subject or body 'help' to
freeipa-users-request at redhat.com
You can reach the person managing the list at
freeipa-users-owner at redhat.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Freeipa-users digest..."
Today's Topics:
1. Re: Unable to resolve AD users from IPA client (Sumit Bose)
2. Re: Unable to resolve AD users from IPA client (Jakub Hrozek)
3. Re: Best and Secure Way for a System Account
(G?nther J. Niederwimmer)
4. Re: Best and Secure Way for a System Account (Martin Babinsky)
5. Re: FreeIPA as domain controller? (Brian Candler)
----------------------------------------------------------------------
Message: 1
Date: Mon, 17 Oct 2016 13:49:23 +0200
From: Sumit Bose <sbose at redhat.com>
To: freeipa-users at redhat.com
Subject: Hi
client
Message-ID:
<20161017114923.GA9339 at p.Speedport_W_724V_Typ_A_05011603_00_009>
Content-Type: text/plain; charset=iso-8859-1
On Mon, Oct 17, 2016 at 01:27:40PM +0200, Jan Kar?sek wrote:
> Hi,
> please can you help me with troubleshooting IPA clients in IPA - AD trust scenario ? We have two IPA servers and couple of clients running on RHEl 6 and 7. IPA is running on RHEL 7.2.
> AD servers are in domains example.cz, cen.example.cz. Test users sits in cen.example.cz. IPA is subdomain of AD - vs.example.cz.
> Trust is set as one-way trust. User's POSIX attributes are stored in AD.
>
> ipa idrange-find
> ----------------
> 3 ranges matched
> ----------------
> Range name: CEN.EXAMPLE.CZ
> First Posix ID of the range: 98800000
> Number of IDs in the range: 200000
> Domain SID of the trusted domain: S-1-5-21-527237240-1482476501-682003330
> Range type: Active Directory trust range with POSIX attributes
>
> Range name: EXAMPLE.CZ_id_range
> First Posix ID of the range: 68800000
> Number of IDs in the range: 200000
> Domain SID of the trusted domain: S-1-5-21-73586283-1958367476-682003330
> Range type: Active Directory trust range with POSIX attributes
>
> Range name: VS.EXAMPLE.CZ_id_range
> First Posix ID of the range: 930000000
> Number of IDs in the range: 200000
> First RID of the corresponding RID range: 1000
> First RID of the secondary RID range: 100000000
> Range type: local domain range
> ----------------------------
> Number of entries returned 3
> ----------------------------
>
> I have no problem to resolve AD users from both IPA server:
>
> IPA Server:
> root#:id tst99654 at cen.example.cz
> uid=20019(tst99654 at cen.example.cz) gid=5001(csunix) groups=5001(csunix),930000008(final_test_group) - this is correct
Can you send your sssd.conf from the server? I wonder why the AD groups
are returned with a short name 'csunix' while the user is returned with
the full name (tst99654 at cen.example.cz).
bye,
Sumit
>
> but from IPA client:
> root#:id tst99654 at cen.example.cz
> id: tst99654 at cen.example.cz: no such user
>
> ==> sssd_vs.example.cz.log <==
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=tst99654]
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [vs.example.cz] to [cen.example.cz]
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=tst99654))][cn=Default Trust View,cn=views,cn=accounts,dc=vs,dc=example,dc=cz].
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed.
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_done] (0x0040): s2n get_fqlist request failed.
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
>
> All IPA clients have the same result - No such user. On the other hand kerberos works fine - I can do kinit with AD users both on IPA servers and clients. All IPA clients use the same DNS server as IPA servers.
>
>
> On IPA server, I can see that it is able to find test user in AD. Log is captured during IPA client request for id:
>
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=tst99654)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=cen,dc=example,dc=cz].
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=tst99654,OU=CSUsers,DC=cen,DC=example,DC=cz].
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://DomainDnsZones.cen.example.cz/DC=DomainDnsZones,DC=cen,DC=example,DC=cz
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_save_user] (0x0400): Save user
> ...
>
>
> I can provide full log from IPA server, but its quite long. Could you point me what else I could try ?
>
> Thank you .
>
> Jan
>
>
>
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
------------------------------
Message: 2
Date: Mon, 17 Oct 2016 13:51:41 +0200
From: Jakub Hrozek <jhrozek at redhat.com>
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to resolve AD users from IPA
client
Message-ID: <20161017115141.ug26fx7rhhaijrgj at hendrix>
Content-Type: text/plain; charset=iso-8859-1
On Mon, Oct 17, 2016 at 01:27:40PM +0200, Jan Kar?sek wrote:
> Hi,
> please can you help me with troubleshooting IPA clients in IPA - AD trust scenario ? We have two IPA servers and couple of clients running on RHEl 6 and 7. IPA is running on RHEL 7.2.
> AD servers are in domains example.cz, cen.example.cz. Test users sits in cen.example.cz. IPA is subdomain of AD - vs.example.cz.
> Trust is set as one-way trust. User's POSIX attributes are stored in AD.
>
> ipa idrange-find
> ----------------
> 3 ranges matched
> ----------------
> Range name: CEN.EXAMPLE.CZ
> First Posix ID of the range: 98800000
> Number of IDs in the range: 200000
> Domain SID of the trusted domain: S-1-5-21-527237240-1482476501-682003330
> Range type: Active Directory trust range with POSIX attributes
>
> Range name: EXAMPLE.CZ_id_range
> First Posix ID of the range: 68800000
> Number of IDs in the range: 200000
> Domain SID of the trusted domain: S-1-5-21-73586283-1958367476-682003330
> Range type: Active Directory trust range with POSIX attributes
>
> Range name: VS.EXAMPLE.CZ_id_range
> First Posix ID of the range: 930000000
> Number of IDs in the range: 200000
> First RID of the corresponding RID range: 1000
> First RID of the secondary RID range: 100000000
> Range type: local domain range
> ----------------------------
> Number of entries returned 3
> ----------------------------
>
> I have no problem to resolve AD users from both IPA server:
>
> IPA Server:
> root#:id tst99654 at cen.example.cz
> uid=20019(tst99654 at cen.example.cz) gid=5001(csunix) groups=5001(csunix),930000008(final_test_group) - this is correct
>
> but from IPA client:
> root#:id tst99654 at cen.example.cz
> id: tst99654 at cen.example.cz: no such user
>
> ==> sssd_vs.example.cz.log <==
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=tst99654]
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [vs.example.cz] to [cen.example.cz]
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=tst99654))][cn=Default Trust View,cn=views,cn=accounts,dc=vs,dc=example,dc=cz].
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed.
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_done] (0x0040): s2n get_fqlist request failed.
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
>
> All IPA clients have the same result - No such user. On the other hand kerberos works fine - I can do kinit with AD users both on IPA servers and clients. All IPA clients use the same DNS server as IPA servers.
>
>
> On IPA server, I can see that it is able to find test user in AD. Log is captured during IPA client request for id:
>
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=tst99654)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=cen,dc=example,dc=cz].
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=tst99654,OU=CSUsers,DC=cen,DC=example,DC=cz].
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://DomainDnsZones.cen.example.cz/DC=DomainDnsZones,DC=cen,DC=example,DC=cz
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_save_user] (0x0400): Save user
> ...
>
>
> I can provide full log from IPA server, but its quite long. Could you point me what else I could try ?
the most typical cause is that the IPA client cannot resolve all the
POSIX information from the server.
Check if all the groups are resolvable by ID:
getent group 5001
getent group 930000008
alternatively, tail /var/log/sssd/sssd_nss.log on the IPA *server* and
watch if all requests that come from the DS UID (typically the dirsrv
user, see getent passwd dirsrv) are resolvable on the server.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20161019/bf02efdc/attachment.htm>
More information about the Freeipa-users
mailing list