[Freeipa-users] Unable to resolve AD users from IPA

Jan Karásek jan.karasek at elostech.cz
Wed Oct 19 13:32:11 UTC 2016


OK, thank you. I wonder why it's a problem only on clients - IPA servers are quite OK with that. 

Jan 



---------------------------------------------------------------------- 

Message: 1 
Date: Wed, 19 Oct 2016 12:28:31 +0200 
From: Sumit Bose <sbose at redhat.com> 
To: freeipa-users at redhat.com 
Subject: Re: [Freeipa-users] Unable to resolve AD users from IPA 
Message-ID: 
<20161019102831.GC9339 at p.Speedport_W_724V_Typ_A_05011603_00_009> 
Content-Type: text/plain; charset=iso-8859-1 

On Wed, Oct 19, 2016 at 12:08:01PM +0200, Jan Karásek wrote: 
> Hi, 
> 
> thank you for help. 
> 
> This is my sssd.conf from server : 
> 
> [domain/vs.example.cz] 
> debug_level = 7 
> cache_credentials = True 
> krb5_store_password_if_offline = True 
> ipa_domain = vs.example.cz 
> id_provider = ipa 
> auth_provider = ipa 
> access_provider = ipa 
> ipa_hostname = tidmipa02.vs.example.cz 
> chpass_provider = ipa 
> ipa_server = tidmipa02.vs.example.cz 
> ipa_server_mode = True 
> ldap_tls_cacert = /etc/ipa/ca.crt 
> [sssd] 
> services = nss, sudo, pam, ssh 
> config_file_version = 2 
> 
> domains = vs.example.cz 
> [nss] 
> debug_level = 7 
> memcache_timeout = 600 
> homedir_substring = /home 
> 
> [pam] 
> debug_level = 7 
> [sudo] 
> debug_level = 7 
> [autofs] 
> debug_level = 7 
> [ssh] 
> debug_level = 7 
> [pac] 
> debug_level = 7 
> [ifp] 
> debug_level = 7 
> 
> 
> I can resolve all groups from client : 
> 
> SERVER: id tst99654@cen.example.cz 
> uid=20019(tst99654@cen.example.cz) gid=5001(csunix) groups=5001(csunix),930000008(final_test_group) 
> 
> CLIENT: 
> getent group 5001 
> csunix:x:5001: 
> 
> getent group 930000008 
> final_test_group:*:930000008: 
> 
> getent group final_test_group@vs.example.cz 
> final_test_group:*:930000008: 
> 
> getent group csunix@cen.example.cz 
> No reply - can't resolve that group from client. 
> 
> 
... 

> 
> Also I find out that in AD there are multiple objects with gidNumber=5001 

This might be the issue: each gidNumber (and each uidNumber as well) 
should be unique in the whole environment. Please check with the AD 
administrators why it was done this way and if it can be changed. 

HTH 

bye, 
Sumit 
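One way to check for the duplicate IDs Sumit describes, as an added example that is not part of the thread and not FreeIPA or SSSD code: the script below parses an LDIF export of the AD domain and reports every uidNumber carried by more than one user object and every gidNumber carried by more than one group object. A user's own gidNumber is its primary group, not an ID the user owns, so it is deliberately not counted as a group ID collision. The ldapsearch command in the docstring, the domain names and the sample LDIF are constructed for illustration.

```python
"""Report POSIX IDs that are not unique in an AD domain.

Added example for this thread, not code from FreeIPA, SSSD or the posters.
It reads an LDIF export such as the (assumed) command below produces:

    ldapsearch -LLL -Y GSSAPI -H ldap://dc.cen.example.cz \\
        -b 'DC=cen,DC=example,DC=cz' \\
        '(|(uidNumber=*)(gidNumber=*))' \\
        sAMAccountName objectClass uidNumber gidNumber > posix-ids.ldif
"""
import base64
import sys
from collections import defaultdict

# Constructed sample data mirroring the thread: two groups share gidNumber 5001
# and two users share uidNumber 20019.
SAMPLE_LDIF = """\
dn: CN=csunix,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: group
sAMAccountName: csunix
gidNumber: 5001

dn: CN=csunix-old,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: group
sAMAccountName: csunix-old
gidNumber: 5001

dn: CN=final_test_group,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: group
sAMAccountName: final_test_group
gidNumber: 930000008

dn: CN=Test User 99654,OU=Users,DC=cen,DC=example,DC=cz
objectClass: user
sAMAccountName: tst99654
uidNumber: 20019
gidNumber: 5001

dn: CN=Test User 99655,OU=Users,DC=cen,DC=example,DC=cz
objectClass: user
sAMAccountName: tst99655
uidNumber: 20019
gidNumber: 5001
"""


def parse_ldif(text):
    """Minimal LDIF parser returning a list of {attribute: [values]} dicts.
    Handles folded lines (leading space), '::' base64 values and # comments."""
    lines = []
    for raw in text.splitlines():          # unfold continuation lines first
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:              # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if current is None:
            current = defaultdict(list)
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current[attr.strip().lower()].append(value)
    return entries


def find_duplicate_ids(entries):
    """Return {"uidNumber": {id: [names]}, "gidNumber": {id: [names]}} holding
    only the IDs used by more than one object of the kind that should own them."""
    by_id = {"uidNumber": defaultdict(list), "gidNumber": defaultdict(list)}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        name = e.get("samaccountname", e.get("dn", ["?"]))[0]
        if "user" in classes:              # uidNumber belongs to user objects
            for v in e.get("uidnumber", []):
                by_id["uidNumber"][v].append(name)
        if "group" in classes:             # gidNumber belongs to group objects
            for v in e.get("gidnumber", []):
                by_id["gidNumber"][v].append(name)
    return {attr: {i: sorted(n) for i, n in ids.items() if len(n) > 1}
            for attr, ids in by_id.items()}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for attr, ids in find_duplicate_ids(parse_ldif(text)).items():
        for value, names in sorted(ids.items()):
            print(f"{attr}={value} is used by {len(names)} objects: {', '.join(names)}")
```

Run it against a real export with `python3 dup_ids.py posix-ids.ldif`; any line it prints names objects the AD administrators need to renumber before lookups like `getent group csunix@cen.example.cz` can be expected to behave consistently.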

