[Freeipa-users] Unable to resolve AD users from IPA

Sumit Bose sbose at redhat.com
Wed Oct 19 10:28:31 UTC 2016


On Wed, Oct 19, 2016 at 12:08:01PM +0200, Jan Karásek wrote:
> Hi, 
> 
> thank you for help. 
> 
> This is my sssd.conf from server : 
> 
> [domain/vs.example.cz] 
> debug_level = 7 
> cache_credentials = True 
> krb5_store_password_if_offline = True 
> ipa_domain = vs.example.cz 
> id_provider = ipa 
> auth_provider = ipa 
> access_provider = ipa 
> ipa_hostname = tidmipa02.vs.example.cz 
> chpass_provider = ipa 
> ipa_server = tidmipa02.vs.example.cz 
> ipa_server_mode = True 
> ldap_tls_cacert = /etc/ipa/ca.crt 
> [sssd] 
> services = nss, sudo, pam, ssh 
> config_file_version = 2 
> 
> domains = vs.example.cz 
> [nss] 
> debug_level = 7 
> memcache_timeout = 600 
> homedir_substring = /home 
> 
> [pam] 
> debug_level = 7 
> [sudo] 
> debug_level = 7 
> [autofs] 
> debug_level = 7 
> [ssh] 
> debug_level = 7 
> [pac] 
> debug_level = 7 
> [ifp] 
> debug_level = 7 
> 
> 
> I can resolve all groups from client : 
> 
> SERVER: id tst99654 at cen.example.cz 
> uid=20019(tst99654 at cen.example.cz) gid=5001(csunix) groups=5001(csunix),930000008(final_test_group) 
> 
> CLIENT: 
> getent group 5001 
> csunix:x:5001: 
> 
> getent group 930000008 
> final_test_group:*:930000008: 
> 
> getent group final_test_group at vs.example.cz 
> final_test_group:*:930000008: 
> 
> getent group csunix at cen.example.cz 
> No reply - can't resolve that group from client. 
> 
> 
...

> 
> Also I find out that in AD there are multiple objects with gidNumber=5001 

This might be the issue: each gidNumber (and each uidNumber as well)
should be unique in the whole environment. Please check with the AD
administrators why it was done this way and if it can be changed.

HTH

bye,
Sumit

> 
> ldapsearch .... (&(gidNumber=5001)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0)))) > /tmp/csunix_dump 
> cat /tmp/csunix_dump 
> dn: CN=csunix_0,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix_0 
> ... 
> gidNumber: 5001 
> 
> dn: CN=csunix_1,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix_1 
> .... 
> gidNumber: 5001 
> 
> dn: CN=csunix_2,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix_2 
> ... 
> gidNumber: 5001 
> 
> dn: CN=csunix_3,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix_3 
> ... 
> gidNumber: 5001 
> 
> dn: CN=csunix_4,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix_4 
> ... 
> gidNumber: 5001 
> 
> dn: CN=csunix_5,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix_5 
> ... 
> gidNumber: 5001 
> 
> dn: CN=csunix,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix 
> ... 
> gidNumber: 5001 
> 
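The uniqueness check Sumit asks for, as an added example that is not part of this thread: it parses an LDIF dump such as the one quoted above and reports every gidNumber (or uidNumber, via `id_attr`) that more than one object carries, so the duplicates can be handed to the AD administrators before SSSD lookups start failing. The `SAMPLE_LDIF` below is constructed to mirror the quoted dump, not the real export.

```python
"""Audit an ldapsearch LDIF dump of AD POSIX groups for duplicate ID numbers."""
from collections import defaultdict

# Constructed sample modelled on the dump quoted in the thread (not the real data).
SAMPLE_LDIF = """\
dn: CN=csunix_0,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: top
objectClass: posixGroup
objectClass: group
cn: csunix_0
gidNumber: 5001

dn: CN=csunix,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: top
objectClass: posixGroup
objectClass: group
cn: csunix
gidNumber: 5001

dn: CN=final_test_group,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: group
cn: final_test_group
gidNumber: 930000008
"""


def parse_ldif(text):
    """Yield one dict per LDIF entry (attribute -> list of values).

    Handles blank-line separators, folded continuation lines (leading space)
    and '#' comments; base64 ('::') values are skipped, they are not needed here.
    """
    entry, attr = {}, None
    for raw in text.splitlines() + [""]:        # trailing "" flushes the last entry
        if raw.startswith(" ") and attr is not None:
            entry[attr][-1] += raw[1:]          # continuation of the previous value
            continue
        if not raw.strip():
            if entry:
                yield entry
            entry, attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        name, sep, value = raw.partition(":")
        if not sep or value.startswith(":"):    # malformed line or base64 value
            attr = None
            continue
        attr = name
        entry.setdefault(attr, []).append(value.strip())


def duplicate_ids(text, id_attr="gidNumber"):
    """Map each id_attr value held by more than one entry to the DNs sharing it."""
    holders = defaultdict(list)
    for entry in parse_ldif(text):
        if "dn" not in entry:                   # ldapsearch trailer (search:/result:)
            continue
        for value in entry.get(id_attr, []):
            holders[value].append(entry["dn"][0])
    return {v: dns for v, dns in holders.items() if len(dns) > 1}


if __name__ == "__main__":
    for gid, dns in duplicate_ids(SAMPLE_LDIF).items():
        print(f"gidNumber {gid} is shared by {len(dns)} objects:")
        for dn in dns:
            print("   ", dn)
```

Run it against a real export with `ldapsearch ... gidNumber > dump.ldif` and pass the file contents to `duplicate_ids`; the same function with `id_attr="uidNumber"` audits user objects.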
