On Fri, Aug 18, 2017 at 12:00:45PM +0200, Michael Gusek via FreeIPA-users wrote:
> Hi,
> 
> For testing I've installed a FreeIPA server with a trust to an
> AD server. On IdM I can resolve AD users with 'id usern...@example.com',
> but on an IdM member client I cannot.
> 
> AD domain is Server 2012R2 as 'example.com'
> IdM is latest CentOS 7 with ipa-server-4.4.0-14.el7.centos.7.x86_64 as
> 'ipa.example.com'
> IdM member client is latest CentOS 7 with
> sssd-client-1.14.0-43.el7_3.18.x86_64
> 
> Here is an example on a CentOS 7 client:
> ipa-member> id usern...@example.com
> id: 'usern...@example.com': no such user
> 
> Log messages, with log_level=10, show:
> ipa-member> tail -f /var/log/sssd/sssd_ipa.example.com.log | grep s2n
> (Fri Aug 18 11:38:08 2017) [sssd[be[ipa.example.com]]]
> [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Fri Aug 18 11:38:08 2017) [sssd[be[ipa.example.com]]]
> [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 13
> (Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]]
> [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result:
> Success(0), (null).
> (Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]]
> [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]]
> [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 14
> (Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]]
> [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such
> object(32), (null).
> (Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]]
> [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed.
> (Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]]
> [ipa_s2n_get_fqlist_done] (0x0040): s2n get_fqlist request failed.
> 
> Running on IdM:
> ipa-server> id usern...@example.com
> uid=299801104(username) gid=299801104(username)
> Gruppen=299801104(username),299800513(domänen-benutzer),299801109(mitarbeiter),556800008(ad_users)

The s2n operation triggers, through a DS plugin on the IPA side, a
lookup through the SSSD NSS interface. So, tailing the sssd_nss logs
on the server would be a good start to make sure all the NSS operations
succeed.

By the way, the name resolution of the users from the trusted domain
does not include the domain name, just the username. How is that? Are
you sure you're not using some hacks like full_name_format = $1 on the
server side?

> 
> Any help is welcome.
> 
> Michael
> 
> ----- /etc/sssd.conf on ipa-member -----
> [domain/ipa.example.com]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ipa.example.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa-server.ipa.example.com
> chpass_provider = ipa
> dyndns_update = True
> ipa_server = _srv_, ipa-server.ipa.example.com
> dyndns_iface = eth0
> ldap_tls_cacert = /etc/ipa/ca.crt
> debug_level = 10
> 
> [sssd]
> debug_level = 10
> services = nss, sudo, pam, ssh
> domains = ipa.example.com
> 
> [nss]
> debug_level = 10
> homedir_substring = /home
> 
> [pam]
> debug_level = 10
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> debug_level = 10
> 
> [ifp]
> 
> ----- /etc/sssd.conf on ipa-server -----
> [domain/ipa.example.com]
> 
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = ipa.example.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ipa_hostname = ipa-server.ipa.example.com
> chpass_provider = ipa
> ipa_server = ipa-server.ipa.example.com
> chpass_provider = ipa
> ipa_server_mode = True
> ldap_tls_cacert = /etc/ipa/ca.crt
> subdomain_homedir = /home/%u
> shell_fallback = /bin/bash
> debug_level = 10
> 
> [sssd]
> services = nss, sudo, pam, ssh
> domains = ipa.example.com
> 
> [nss]
> memcache_timeout = 600
> homedir_substring = /home
> 
> [pam]
> 
> [sudo]
> 
> [autofs]
> 
> [ssh]
> 
> [pac]
> 
> [ifp]
> 
> 
> ----- complete log messages for 'id usern...@example.com' on ipa-member
> -----
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [sysdb_search_user_by_upn] (0x0400): No entry with upn
> [usern...@example.com] found.
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending
> request
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_req_done]
> (0x0400): DP Request [Account #5]: Request handler finished [0]: Erfolg
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [_dp_req_recv]
> (0x0400): DP Request [Account #5]: Receiving request data.
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [dp_req_reply_list_success] (0x0400): DP Request [Account #5]: Finished.
> Success.
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [dp_req_reply_std] (0x1000): DP Request [Account #5]: Returning
> [Success]: 0,0,Success
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [dp_table_value_destructor] (0x0400): Removing
> [0:1:0x0001:1:1:U:ipa.example.com:name=usern...@example.com] from reply
> table
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [dp_req_destructor] (0x0400): DP Request [Account #5]: Request removed.
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [dp_req_destructor] (0x0400): Number of active DP request: 0
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [sdap_process_result] (0x2000): Trace: sh[0x7f14ec425550], connected[1],
> ops[(nil)], ldap[0x7f14ec409710]
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [sdap_process_result] (0x2000): Trace: end of ldap_result list
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sbus_dispatch]
> (0x4000): dbus conn: 0x7f14ec428290
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sbus_dispatch]
> (0x4000): Dispatching.
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [sbus_message_handler] (0x2000): Received SBUS method
> org.freedesktop.sssd.dataprovider.getAccountInfo on path
> /org/freedesktop/sssd/dataprovider
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [dp_get_account_info_handler] (0x0200): Got request for
> [0x1][BE_REQ_USER][1][name=usern...@example.com]
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_attach_req]
> (0x0400): DP Request [Account #6]: New request. Flags [0x0001].
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_attach_req]
> (0x0400): Number of active DP request: 1
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [sdap_id_op_connect_step] (0x4000): reusing cached connection
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 12
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sdap_op_add]
> (0x2000): New operation 12 timeout 6
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [sdap_process_result] (0x2000): Trace: sh[0x7f14ec425550], connected[1],
> ops[0x7f14ec40ca10], ldap[0x7f14ec409710]
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such
> object(32), (null).
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [sdap_op_destructor] (0x2000): Operation 12 finished
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sdap_id_op_done]
> (0x4000): releasing operation connection
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_req_done]
> (0x0400): DP Request [Account #6]: Request handler finished [0]: Erfolg
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [_dp_req_recv]
> (0x0400): DP Request [Account #6]: Receiving request data.
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [dp_req_reply_list_success] (0x0400): DP Request [Account #6]: Finished.
> Success.
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [dp_req_reply_std] (0x1000): DP Request [Account #6]: Returning
> [Success]: 0,0,Success
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [dp_table_value_destructor] (0x0400): Removing
> [0:1:0x0001:1:1:U:webtrekk.com:name=usern...@example.com] from reply table
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [dp_req_destructor] (0x0400): DP Request [Account #6]: Request removed.
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [dp_req_destructor] (0x0400): Number of active DP request: 0
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [sdap_process_result] (0x2000): Trace: sh[0x7f14ec425550], connected[1],
> ops[(nil)], ldap[0x7f14ec409710]
> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
> [sdap_process_result] (0x2000): Trace: end of ldap_result list
> 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
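The two checks suggested in the reply above (pair each s2n extended operation with its LDAP result, and look for a full_name_format override in the server's sssd.conf) can be scripted. The following is an added example, not code from this thread, from SSSD or from FreeIPA; the log lines and the config fragment are constructed to mirror the excerpts posted above, with log lines unwrapped as SSSD actually writes them, and the full_name_format value is an assumed one.

```python
"""Triage helpers for SSSD debug logs and sssd.conf (added example).

pair_s2n_results() matches every ipa_s2n_exop_send msgid with the result
that ipa_s2n_exop_done logs for it; full_name_format_overrides() reports
[domain/...] sections that set full_name_format, which would explain
trusted-domain users resolving without their domain suffix."""
import configparser
import re
from collections import deque

# One SSSD debug line: "(timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message"
LOG_LINE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>sssd\[[^ ]*)\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
SENT = re.compile(r"ldap_extended_operation sent, msgid = (?P<msgid>\d+)")
RESULT = re.compile(r"ldap_extended_operation result: (?P<name>.+?)\((?P<code>\d+)\)")

# Constructed sample, modelled on the sssd_ipa.example.com.log excerpt in the thread.
SAMPLE_LOG = """\
(Fri Aug 18 11:38:08 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Fri Aug 18 11:38:08 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 13
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 14
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed.
""".splitlines()

# Constructed sssd.conf fragment; the full_name_format line is an assumed override,
# and the duplicated chpass_provider key mirrors the server config posted above.
SAMPLE_CONF = """\
[domain/ipa.example.com]
id_provider = ipa
ipa_server_mode = True
chpass_provider = ipa
chpass_provider = ipa
full_name_format = %1$s

[sssd]
services = nss, pam
domains = ipa.example.com
"""


def parse_line(line):
    """Split one SSSD debug line into its fields; None for lines that do not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def pair_s2n_results(lines):
    """Return [(msgid, result_name, ldap_code)] for every s2n extended operation.

    SSSD logs the msgid on send but only the result text on completion, so
    results are matched to pending msgids in FIFO order, which is the order
    the thread's excerpt shows (msgid 13 succeeds, msgid 14 fails)."""
    pending = deque()
    results = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["func"] == "ipa_s2n_exop_send":
            m = SENT.search(rec["msg"])
            if m:
                pending.append(int(m.group("msgid")))
        elif rec["func"] == "ipa_s2n_exop_done":
            m = RESULT.search(rec["msg"])
            if m and pending:
                results.append((pending.popleft(), m.group("name").strip(), int(m.group("code"))))
    return results


def failed_s2n(lines):
    """Only the s2n operations whose LDAP result code is non-zero (32 = noSuchObject)."""
    return [r for r in pair_s2n_results(lines) if r[2] != 0]


def full_name_format_overrides(conf_text):
    """Map each [domain/...] section that sets full_name_format to its value.

    interpolation=None keeps configparser from rejecting the '%1$s' syntax;
    strict=False tolerates duplicated keys such as the repeated chpass_provider."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return {s: cp[s]["full_name_format"] for s in cp.sections()
            if s.startswith("domain/") and "full_name_format" in cp[s]}


if __name__ == "__main__":
    for msgid, name, code in pair_s2n_results(SAMPLE_LOG):
        print(f"s2n msgid {msgid}: {name} ({code})")
    print("overrides:", full_name_format_overrides(SAMPLE_CONF))
```

Run against a real server log with `pair_s2n_results(open("/var/log/sssd/sssd_ipa.example.com.log"))`; a non-zero code on the client side points at the server-side NSS lookup that the reply recommends tailing next, and any entry returned by `full_name_format_overrides` on the server explains why `id` prints trusted users without a domain suffix.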
