<html><body><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000"><div data-marker="__QUOTED_TEXT__"><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;"><div>Hi, </div> <div>thank you for help.</div> <div>This is my sssd.conf from server :</div><div> [domain/vs.example.cz] debug_level = 7 cache_credentials = True krb5_store_password_if_offline = True ipa_domain = vs.example.cz id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = tidmipa02.vs.example.cz chpass_provider = ipa ipa_server = tidmipa02.vs.example.cz ipa_server_mode = True ldap_tls_cacert = /etc/ipa/ca.crt [sssd] services = nss, sudo, pam, ssh config_file_version = 2 domains = vs.example.cz [nss] debug_level = 7 memcache_timeout = 600 homedir_substring = /home [pam] debug_level = 7 [sudo] debug_level = 7 [autofs] debug_level = 7 [ssh] debug_level = 7 [pac] debug_level = 7 [ifp] debug_level = 7 </div> <div>I can resolve all groups from client :</div> <div>SERVER: id tst99654@cen.example.cz uid=20019(tst99654@cen.example.cz) gid=5001(csunix) groups=5001(csunix),930000008(final_test_group) </div> <div>CLIENT:</div><div>getent group 5001 </div><div>csunix:x:5001: </div><div> </div><div>getent group 930000008 final_test_group:*:930000008:</div><div> </div><div>getent group final_test_group@vs.example.cz </div><div>final_test_group:*:930000008: </div><div> </div><div>getent group csunix@cen.example.cz </div><div>No reply - can't resolve that group from client.</div><div> </div> <div>More detailed log from client:</div><div>==> sssd_vs.example.cz.log <== (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f9e77a81430 (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sbus_dispatch] (0x4000): Dispatching. (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=tst99654] (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [vs.example.cz] to [cen.example.cz] (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaUserOverride)(uid=tst99654))]. (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_print_server] (0x2000): Searching 10.88.14.63 (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=tst99654))][cn=Default Trust View,cn=views,cn=accounts,dc=vs,dc=example,dc=cz]. (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 20 (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_op_add] (0x2000): New operation 20 timeout 60 (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f9e77a628e0], connected[1], ops[0x7f9e77a92e60], ldap[0x7f9e77a60bd0] (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_op_destructor] (0x2000): Operation 20 finished (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaUserOverride)(uid=tst99654))]. (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_id_op_destroy] (0x4000): releasing operation connection (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 21 (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_op_add] (0x2000): New operation 21 timeout 6 (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f9e77a628e0], connected[1], ops[0x7f9e77a75b80], ldap[0x7f9e77a60bd0] (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f9e77a628e0], connected[1], ops[0x7f9e77a75b80], ldap[0x7f9e77a60bd0] (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED] (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null). (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_op_destructor] (0x2000): Operation 21 finished (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [add_v1_user_data] (0x4000): BER tag is [48] (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [get_extra_attrs] (0x4000): Found new sequence. (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [get_extra_attrs] (0x4000): Extra attribute [objectSIDString]. (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [get_extra_attrs] (0x4000): Extra attribute [userPrincipalName]. (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [get_extra_attrs] (0x4000): Extra attribute [adUserAccountControl]. (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [get_extra_attrs] (0x4000): Extra attribute [originalDN]. (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [get_extra_attrs] (0x4000): Extra attribute [originalMemberOf]. (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [get_extra_attrs] (0x4000): Extra attribute [originalMemberOf]. ... (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry ... (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 22 (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_op_add] (0x2000): New operation 22 timeout 6 (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f9e77a628e0], connected[1], ops[0x7f9e77a8cf50], ldap[0x7f9e77a60bd0] (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f9e77a628e0], connected[1], ops[0x7f9e77a8cf50], ldap[0x7f9e77a60bd0] (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED] (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null). (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_op_destructor] (0x2000): Operation 22 finished (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed. (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_done] (0x0040): s2n get_fqlist request failed. (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_id_op_done] (0x4000): releasing operation connection (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_id_op_destroy] (0x4000): releasing operation connection (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success) (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: sh[0x7f9e77a628e0], connected[1], ops[(nil)], ldap[0x7f9e77a60bd0] (Wed Oct 19 10:16:58 2016) [sssd[be[vs.example.cz]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! </div> <div>This is nss log on server during id request from client:</div> <div>(Mon Oct 17 12:26:05 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected! (Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Mon Oct 17 12:26:05 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [tst99654@cen.example.cz]. (Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'tst99654@cen.example.cz' matched expression for domain 'cen.example.cz', user is tst99654 (Mon Oct 17 12:26:05 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [tst99654] from [cen.example.cz] (Mon Oct 17 12:26:05 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [tst99654@cen.example.cz] (Mon Oct 17 12:26:05 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff311bd20d0:1:tst99654@cen.example.cz] (Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [cen.example.cz][4097][1][name=tst99654] (Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7ff311bd20d0:1:tst99654@cen.example.cz] </div> <div>(Mon Oct 17 12:26:05 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff311bd20d0:3:tst99654@cen.example.cz] (Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [cen.example.cz][4099][1][name=tst99654] (Mon Oct 17 12:26:05 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7ff311bd20d0:3:tst99654@cen.example.cz] </div> <div>(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success (Success) (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_initgroups_search] (0x0100): Requesting info for [tst99654@cen.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_initgroups_search] (0x0400): Initgroups for [tst99654@cen.example.cz] completed (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7ff311bd20d0:3:tst99654@cen.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running command [34] with id [930000008]. (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100): Requesting info for [930000008@vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Mon Oct 17 12:26:06 2016) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning.. (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0400): Returning info for gid [930000008@vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080): No matching domain found for [930000008] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [csunix@vs.example.cz]. (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'csunix@vs.example.cz' matched expression for domain 'vs.example.cz', user is csunix (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [csunix] from [vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [csunix@vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff311bd20d0:1:csunix@vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [vs.example.cz][4097][1][name=csunix] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7ff311bd20d0:1:csunix@vs.example.cz] </div> <div>(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 0 error message: Account info lookup failed (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed Will try to return what we have in cache (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7ff311bd20d0:1:csunix@vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [33] with input [csunix@vs.example.cz]. (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'csunix@vs.example.cz' matched expression for domain 'vs.example.cz', user is csunix (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [csunix] from [vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getgrnam_search] (0x0100): Requesting info for [csunix@vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values. (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff311bd20d0:2:csunix@vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [vs.example.cz][4098][1][name=csunix] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7ff311bd20d0:2:csunix@vs.example.cz] </div> <div>(Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 0 error message: Account info lookup failed (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 0, Account info lookup failed Will try to return what we have in cache (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7ff311bd20d0:2:csunix@vs.example.cz] </div> </div><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;"> </div><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;">Also I find out that in AD there are multiple objects with gidNumber=5001</div><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;"> </div><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;">ldapsearch .... (&(gidNumber=5001)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0)))) > /tmp/csunix_dump </div><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;">cat /tmp/csunix_dump dn: CN=csunix_0,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz objectClass: top objectClass: posixGroup objectClass: group cn: csunix_0 ... gidNumber: 5001 dn: CN=csunix_1,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz objectClass: top objectClass: posixGroup objectClass: group cn: csunix_1 .... gidNumber: 5001 dn: CN=csunix_2,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz objectClass: top objectClass: posixGroup objectClass: group cn: csunix_2 ... gidNumber: 5001 dn: CN=csunix_3,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz objectClass: top objectClass: posixGroup objectClass: group cn: csunix_3 ... gidNumber: 5001 dn: CN=csunix_4,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz objectClass: top objectClass: posixGroup objectClass: group cn: csunix_4 ... gidNumber: 5001 dn: CN=csunix_5,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz objectClass: top objectClass: posixGroup objectClass: group cn: csunix_5 ... gidNumber: 5001 dn: CN=csunix,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz objectClass: top objectClass: posixGroup objectClass: group cn: csunix ... gidNumber: 5001 </div><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;"> </div><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;">and in the logs on the server(both nss and sssd grep by csunix). It looks like it has problem with that 'multiple' object :</div><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;"> </div><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;">(Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=csunix_0,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz]. (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=csunix_1,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz]. (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=csunix_2,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz]. (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=csunix_3,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz]. (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=csunix_4,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz]. (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=csunix_5,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz]. (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=csunix,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz]. (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_get_primary_name] (0x0400): Processing object csunix_0@cen.example.cz (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_save_group] (0x0400): Processing group csunix_0@cen.example.cz (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_check_ad_group_type] (0x0400): Filtering AD group [csunix_0@cen.example.cz]. (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_save_group] (0x0400): Storing info for group csunix_0@cen.example.cz (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sysdb_store_group] (0x1000): Group csunix_0@cen.example.cz does not exist. (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_get_primary_name] (0x0400): Processing object csunix_0@example.cz (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_save_grpmem] (0x0400): Processing group csunix_0@example.cz (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_save_grpmem] (0x0040): Failed to save members of group csunix_0@example.cz (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [csunix@vs.example.cz]. (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'csunix@vs.example.cz' matched expression for domain 'vs.example.cz', user is csunix (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [csunix] from [vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [csunix@vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff311bd20d0:1:csunix@vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [vs.example.cz][4097][1][name=csunix] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7ff311bd20d0:1:csunix@vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=csunix] (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=csunix)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=vs,dc=example,dc=cz]. (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7ff311bd20d0:1:csunix@vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [33] with input [csunix@vs.example.cz]. (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'csunix@vs.example.cz' matched expression for domain 'vs.example.cz', user is csunix (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [csunix] from [vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [nss_cmd_getgrnam_search] (0x0100): Requesting info for [csunix@vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff311bd20d0:2:csunix@vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [vs.example.cz][4098][1][name=csunix] (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7ff311bd20d0:2:csunix@vs.example.cz] (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] (0x0200): Got request for [0x1002][1][name=csunix] (Mon Oct 17 12:26:06 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(cn=csunix)(|(objectClass=ipaUserGroup)(objectClass=posixGroup))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=vs,dc=example,dc=cz]. (Mon Oct 17 12:26:06 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7ff311bd20d0:2:csunix@vs.example.cz] </div><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;"> </div><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;">I dont know why there is that 'multiobject' in AD, will have to ask Windows team. Can this be the reason, why clients are not able to resolve users ? </div><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;">OR</div><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;">Can be the reason that it asking for <span style="color: #000000; font-family: arial, helvetica, sans-serif; font-size: 16px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; display: inline !important; float: none;" data-mce-style="color: #000000; font-family: arial, helvetica, sans-serif; font-size: 16px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: #ffffff; display: inline !important; float: none;">csunix@vs.example.cz ? </div><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;"> </div><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;"> </div><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;">Sorry for the long post. </div><div style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;" data-mce-style="font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000;"><div>Thank you, </div><div>Jan </div> <hr id="zwchr"><div>From: "freeipa-users-request" <freeipa-users-request@redhat.com> To: freeipa-users@redhat.com Sent: Monday, October 17, 2016 3:56:08 PM Subject: Freeipa-users Digest, Vol 99, Issue 46 </div> <div>Send Freeipa-users mailing list submissions to freeipa-users@redhat.com To subscribe or unsubscribe via the World Wide Web, visit https://www.redhat.com/mailman/listinfo/freeipa-users or, via email, send a message with subject or body 'help' to freeipa-users-request@redhat.com You can reach the person managing the list at freeipa-users-owner@redhat.com When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeipa-users digest..." Today's Topics: 1. Re: Unable to resolve AD users from IPA client (Sumit Bose) 2. Re: Unable to resolve AD users from IPA client (Jakub Hrozek) 3. Re: Best and Secure Way for a System Account (G?nther J. Niederwimmer) 4. Re: Best and Secure Way for a System Account (Martin Babinsky) 5. Re: FreeIPA as domain controller? (Brian Candler) ---------------------------------------------------------------------- Message: 1 Date: Mon, 17 Oct 2016 13:49:23 +0200 From: Sumit Bose <sbose@redhat.com> To: freeipa-users@redhat.com Subject: Hi client Message-ID: <20161017114923.GA9339@p.Speedport_W_724V_Typ_A_05011603_00_009> Content-Type: text/plain; charset=iso-8859-1 On Mon, Oct 17, 2016 at 01:27:40PM +0200, Jan Kar?sek wrote: > Hi, > please can you help me with troubleshooting IPA clients in IPA - AD trust scenario ? We have two IPA servers and couple of clients running on RHEl 6 and 7. IPA is running on RHEL 7.2. > AD servers are in domains example.cz, cen.example.cz. Test users sits in cen.example.cz. IPA is subdomain of AD - vs.example.cz. > Trust is set as one-way trust. User's POSIX attributes are stored in AD. > > ipa idrange-find > ---------------- > 3 ranges matched > ---------------- > Range name: CEN.EXAMPLE.CZ > First Posix ID of the range: 98800000 > Number of IDs in the range: 200000 > Domain SID of the trusted domain: S-1-5-21-527237240-1482476501-682003330 > Range type: Active Directory trust range with POSIX attributes > > Range name: EXAMPLE.CZ_id_range > First Posix ID of the range: 68800000 > Number of IDs in the range: 200000 > Domain SID of the trusted domain: S-1-5-21-73586283-1958367476-682003330 > Range type: Active Directory trust range with POSIX attributes > > Range name: VS.EXAMPLE.CZ_id_range > First Posix ID of the range: 930000000 > Number of IDs in the range: 200000 > First RID of the corresponding RID range: 1000 > First RID of the secondary RID range: 100000000 > Range type: local domain range > ---------------------------- > Number of entries returned 3 > ---------------------------- > > I have no problem to resolve AD users from both IPA server: > > IPA Server: > root#:id tst99654@cen.example.cz > uid=20019(tst99654@cen.example.cz) gid=5001(csunix) groups=5001(csunix),930000008(final_test_group) - this is correct Can you send your sssd.conf from the server? I wonder why the AD groups are returned with a short name 'csunix' while the user is returned with the full name (tst99654@cen.example.cz). bye, Sumit > > but from IPA client: > root#:id tst99654@cen.example.cz > id: tst99654@cen.example.cz: no such user > > ==> sssd_vs.example.cz.log <== > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=tst99654] > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [vs.example.cz] to [cen.example.cz] > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=tst99654))][cn=Default Trust View,cn=views,cn=accounts,dc=vs,dc=example,dc=cz]. > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null). > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null). > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed. > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_done] (0x0040): s2n get_fqlist request failed. > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success) > > All IPA clients have the same result - No such user. On the other hand kerberos works fine - I can do kinit with AD users both on IPA servers and clients. All IPA clients use the same DNS server as IPA servers. > > > On IPA server, I can see that it is able to find test user in AD. Log is captured during IPA client request for id: > > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=tst99654)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=cen,dc=example,dc=cz]. > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=tst99654,OU=CSUsers,DC=cen,DC=example,DC=cz]. > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://DomainDnsZones.cen.example.cz/DC=DomainDnsZones,DC=cen,DC=example,DC=cz > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results. > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_save_user] (0x0400): Save user > ... > > > I can provide full log from IPA server, but its quite long. Could you point me what else I could try ? > > Thank you . > > Jan > > > > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project ------------------------------ Message: 2 Date: Mon, 17 Oct 2016 13:51:41 +0200 From: Jakub Hrozek <jhrozek@redhat.com> To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Unable to resolve AD users from IPA client Message-ID: <20161017115141.ug26fx7rhhaijrgj@hendrix> Content-Type: text/plain; charset=iso-8859-1 On Mon, Oct 17, 2016 at 01:27:40PM +0200, Jan Kar?sek wrote: > Hi, > please can you help me with troubleshooting IPA clients in IPA - AD trust scenario ? We have two IPA servers and couple of clients running on RHEl 6 and 7. IPA is running on RHEL 7.2. > AD servers are in domains example.cz, cen.example.cz. Test users sits in cen.example.cz. IPA is subdomain of AD - vs.example.cz. > Trust is set as one-way trust. User's POSIX attributes are stored in AD. > > ipa idrange-find > ---------------- > 3 ranges matched > ---------------- > Range name: CEN.EXAMPLE.CZ > First Posix ID of the range: 98800000 > Number of IDs in the range: 200000 > Domain SID of the trusted domain: S-1-5-21-527237240-1482476501-682003330 > Range type: Active Directory trust range with POSIX attributes > > Range name: EXAMPLE.CZ_id_range > First Posix ID of the range: 68800000 > Number of IDs in the range: 200000 > Domain SID of the trusted domain: S-1-5-21-73586283-1958367476-682003330 > Range type: Active Directory trust range with POSIX attributes > > Range name: VS.EXAMPLE.CZ_id_range > First Posix ID of the range: 930000000 > Number of IDs in the range: 200000 > First RID of the corresponding RID range: 1000 > First RID of the secondary RID range: 100000000 > Range type: local domain range > ---------------------------- > Number of entries returned 3 > ---------------------------- > > I have no problem to resolve AD users from both IPA server: > > IPA Server: > root#:id tst99654@cen.example.cz > uid=20019(tst99654@cen.example.cz) gid=5001(csunix) groups=5001(csunix),930000008(final_test_group) - this is correct > > but from IPA client: > root#:id tst99654@cen.example.cz > id: tst99654@cen.example.cz: no such user > > ==> sssd_vs.example.cz.log <== > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=tst99654] > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [vs.example.cz] to [cen.example.cz] > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=tst99654))][cn=Default Trust View,cn=views,cn=accounts,dc=vs,dc=example,dc=cz]. > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null). > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null). > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed. > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_done] (0x0040): s2n get_fqlist request failed. > (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success) > > All IPA clients have the same result - No such user. On the other hand kerberos works fine - I can do kinit with AD users both on IPA servers and clients. All IPA clients use the same DNS server as IPA servers. > > > On IPA server, I can see that it is able to find test user in AD. Log is captured during IPA client request for id: > > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=tst99654)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=cen,dc=example,dc=cz]. > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=tst99654,OU=CSUsers,DC=cen,DC=example,DC=cz]. > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://DomainDnsZones.cen.example.cz/DC=DomainDnsZones,DC=cen,DC=example,DC=cz > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results. > (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_save_user] (0x0400): Save user > ... > > > I can provide full log from IPA server, but its quite long. Could you point me what else I could try ? the most typical cause is that the IPA client cannot resolve all the POSIX information from the server. Check if all the groups are resolvable by ID: getent group 5001 getent group 930000008 alternatively, tail /var/log/sssd/sssd_nss.log on the IPA *server* and watch if all requests that come from the DS UID (typically the dirsrv user, see getent passwd dirsrv) are resolvable on the server. </div></div></div></div></body></html>