[Freeipa-users] Unable to resolve AD users from IPA
Jan Karásek
jan.karasek at elostech.cz
Wed Oct 19 13:32:11 UTC 2016
Ok thank you. Wonder why it's a problem only on clients - IPA servers are quite ok with that.
Jan
----------------------------------------------------------------------
Message: 1
Date: Wed, 19 Oct 2016 12:28:31 +0200
From: Sumit Bose <sbose at redhat.com>
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Unable to resolve AD users from IPA
Message-ID:
<20161019102831.GC9339 at p.Speedport_W_724V_Typ_A_05011603_00_009>
Content-Type: text/plain; charset=iso-8859-1
On Wed, Oct 19, 2016 at 12:08:01PM +0200, Jan Karásek wrote:
> Hi,
>
> thank you for help.
>
> This is my sssd.conf from server :
>
> [domain/vs.example.cz]
> debug_level = 7
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = vs.example.cz
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = tidmipa02.vs.example.cz
> chpass_provider = ipa
> ipa_server = tidmipa02.vs.example.cz
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> [sssd]
> services = nss, sudo, pam, ssh
> config_file_version = 2
>
> domains = vs.example.cz
> [nss]
> debug_level = 7
> memcache_timeout = 600
> homedir_substring = /home
>
> [pam]
> debug_level = 7
> [sudo]
> debug_level = 7
> [autofs]
> debug_level = 7
> [ssh]
> debug_level = 7
> [pac]
> debug_level = 7
> [ifp]
> debug_level = 7
>
>
> I can resolve all groups from client :
>
> SERVER: id tst99654 at cen.example.cz
> uid=20019(tst99654 at cen.example.cz) gid=5001(csunix) groups=5001(csunix),930000008(final_test_group)
>
> CLIENT:
> getent group 5001
> csunix:x:5001:
>
> getent group 930000008
> final_test_group:*:930000008:
>
> getent group final_test_group at vs.example.cz
> final_test_group:*:930000008:
>
> getent group csunix at cen.example.cz
> No reply - can't resolve that group from client.
>
>
...
>
> Also I find out that in AD there are multiple objects with gidNumber=5001
This might be the issue. Each gidNumber (and each uidNumber as well)
should be unique in the whole environment. Please check with the AD
administrators why it was done this way and if it can be changed.
HTH
bye,
Sumit
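A quick way to verify Sumit's point before going to the AD administrators is to dump the POSIX attributes and look for values held by more than one object. The script below is an added example, not code from the thread or from SSSD/FreeIPA: it reads LDIF (for instance the output of an `ldapsearch -LLL` against a domain controller, with the base DN and filter being assumptions you adapt to your forest) and reports every gidNumber or uidNumber that appears on more than one entry. The LDIF embedded in it is constructed for the demonstration. Because a user's gidNumber legitimately matches its primary group's gidNumber, the function takes an optional objectClass so that gidNumber is checked among groups and uidNumber among users.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Find POSIX ID collisions
# in an LDIF dump. A real dump would come from something like (hostname,
# base DN and filter are assumptions to adapt):
#   ldapsearch -LLL -H ldap://dc.cen.example.cz -b "DC=cen,DC=example,DC=cz" \
#       '(|(gidNumber=*)(uidNumber=*))' objectClass gidNumber uidNumber

# find_duplicate_ids ATTR [OBJECTCLASS] < ldif
# Prints "VALUE COUNT DN1|DN2|..." for each ATTR value shared by more than one
# entry. If OBJECTCLASS is given, only entries of that class are counted.
find_duplicate_ids() {
    awk -v attr="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
        -v oc="$(printf '%s' "${2:-}" | tr 'A-Z' 'a-z')" '
        # LDIF folds long values onto continuation lines that start with a space
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") handle(buf); buf = $0 }
        END { if (buf != "") handle(buf); end_entry(); report() }
        function handle(line,    sep, name, value) {
            sep = index(line, ": ")
            if (sep == 0) return   # blank line or comment; "::" (base64) lines also fall through
            name = tolower(substr(line, 1, sep - 1))
            value = substr(line, sep + 2)
            if (name == "dn")                                        { end_entry(); dn = value }
            else if (name == attr)                                   { val = value }
            else if (name == "objectclass" && tolower(value) == oc)  { has_oc = 1 }
        }
        function end_entry() {
            if (dn != "" && val != "" && (oc == "" || has_oc)) {
                count[val]++
                dns[val] = (dns[val] == "") ? dn : dns[val] "|" dn
            }
            dn = ""; val = ""; has_oc = 0
        }
        function report(    v) {
            for (v in count) if (count[v] > 1) print v, count[v], dns[v]
        }
    ' | sort
}

# Constructed sample: two groups share gidNumber 5001, as in the thread.
SAMPLE_LDIF='dn: CN=csunix,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: group
gidNumber: 5001

dn: CN=legacy-unix,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: group
gidNumber: 5001

dn: CN=final_test_group,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: group
gidNumber: 930000008

dn: CN=tst99654,OU=Users,DC=cen,DC=example,DC=cz
objectClass: user
uidNumber: 20019
gidNumber: 5001

dn: CN=tst99655,OU=Users,DC=cen,DC=example,DC=cz
objectClass: user
uidNumber: 20020
gidNumber: 5001
'

# check_sample ATTR [OBJECTCLASS]: run the check over the constructed sample
check_sample() {
    printf '%s\n' "$SAMPLE_LDIF" | find_duplicate_ids "$@"
}

echo "gidNumber values shared by more than one group:"
check_sample gidNumber group
echo "uidNumber values shared by more than one user:"
check_sample uidNumber user
```

Run it against a real dump with `ldapsearch ... | find_duplicate_ids gidNumber group` and `... | find_duplicate_ids uidNumber user`; any line printed is an ID that SSSD on the clients cannot map back to a single object, which is the symptom seen with `getent group csunix@cen.example.cz` above.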