Hello Jakub,

With my first tries I've had the following entries in /etc/sss/sssd.conf on
the server side:

[sssd]
services = nss, sudo, pam, ssh
default_domain_suffix = example.com
full_name_format = %1$s
domains = ipa.example.com
debug_level = 10

When writing my first mail, I disabled 'default_domain_suffix' and
'full_name_format', with no success on ipa-member.

In the meantime, I did some tests on ipa-member:

ipa-member> systemctl restart sssd
ipa-member> sss_cache -E
ipa-member> systemctl restart sssd
ipa-member> id usern...@example.com
uid=299801104(usern...@example.com) gid=299801104(usern...@example.com)
Gruppen=299801104(usern...@example.com),299800513(domänen-benut...@example.com),299801109(mitarbei...@example.com),556800008(ad_us...@example.com)

So it works as expected. Now I've enabled 'default_domain_suffix' and
'full_name_format' in the server's sssd.conf, restarted sssd and run
sss_cache. It's still working. I'm not sure if 'sss_cache' does some
magical things. I will set up another IPA client and test the behavior on it.

Thanks,

Michael


On 18.08.2017 at 12:07, Jakub Hrozek via FreeIPA-users wrote:
> On Fri, Aug 18, 2017 at 12:00:45PM +0200, Michael Gusek via FreeIPA-users 
> wrote:
>> Hi,
>>
>> For testing I've installed a FreeIPA server with a trust to an
>> AD server. On IdM I can resolve AD users with 'id usern...@example.com',
>> on the IdM member client not.
>>
>> AD domain is Server 2012R2 as 'example.com'
>> IdM is latest CentOS 7 with ipa-server-4.4.0-14.el7.centos.7.x86_64 as
>> 'ipa.example.com'
>> IdM member client is latest CentOS 7 with
>> sssd-client-1.14.0-43.el7_3.18.x86_64
>>
>> Here is an example on a CentOS 7 client:
>> ipa-member> id usern...@example.com
>> id: 'usern...@example.com': no such user
>>
>> Log messages, with log_level=10, show:
>> ipa-member> tail -f /var/log/sssd/sssd_ipa.example.com.log | grep s2n
>> (Fri Aug 18 11:38:08 2017) [sssd[be[ipa.example.com]]]
>> [ipa_s2n_exop_send] (0x0400): Executing extended operation
>> (Fri Aug 18 11:38:08 2017) [sssd[be[ipa.example.com]]]
>> [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 13
>> (Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]]
>> [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result:
>> Success(0), (null).
>> (Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]]
>> [ipa_s2n_exop_send] (0x0400): Executing extended operation
>> (Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]]
>> [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 14
>> (Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]]
>> [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such
>> object(32), (null).
>> (Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]]
>> [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed.
>> (Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]]
>> [ipa_s2n_get_fqlist_done] (0x0040): s2n get_fqlist request failed.
>>
>> Running on IdM:
>> ipa-server> id usern...@example.com
>> uid=299801104(username) gid=299801104(username)
>> Gruppen=299801104(username),299800513(domänen-benutzer),299801109(mitarbeiter),556800008(ad_users)
> The s2n operation triggers, through a DS plugin on the IPA side, a
> lookup through the SSSD NSS interface. So, tailing the sssd_nss logs
> on the server would be a good start to make sure all the NSS operations
> succeed.
>
> By the way, the name resolution of the users from the trusted domain
> does not include the domain name, just the username. How is that? Are
> you sure you're not using some hacks like full_name_format = $1 on the
> server side?
>
>> Any help is welcome.
>>
>> Michael
>>
>> ----- /etc/sssd.conf on ipa-member -----
>> [domain/ipa.example.com]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = ipa.example.com
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = ipa-server.ipa.example.com
>> chpass_provider = ipa
>> dyndns_update = True
>> ipa_server = _srv_, ipa-server.ipa.example.com
>> dyndns_iface = eth0
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> debug_level = 10
>>
>> [sssd]
>> debug_level = 10
>> services = nss, sudo, pam, ssh
>> domains = ipa.example.com
>>
>> [nss]
>> debug_level = 10
>> homedir_substring = /home
>>
>> [pam]
>> debug_level = 10
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>> debug_level = 10
>>
>> [ifp]
>>
>> ----- /etc/sssd.conf on ipa-server -----
>> [domain/ipa.example.com]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = ipa.example.com
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = ipa-server.ipa.example.com
>> chpass_provider = ipa
>> ipa_server = ipa-server.ipa.example.com
>> chpass_provider = ipa
>> ipa_server_mode = True
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> subdomain_homedir = /home/%u
>> shell_fallback = /bin/bash
>> debug_level = 10
>>
>> [sssd]
>> services = nss, sudo, pam, ssh
>> domains = ipa.example.com
>>
>> [nss]
>> memcache_timeout = 600
>> homedir_substring = /home
>>
>> [pam]
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>> [ifp]
>>
>>
>> ----- complete log messages for 'id usern...@example.com' on ipa-member
>> -----
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [sysdb_search_user_by_upn] (0x0400): No entry with upn
>> [usern...@example.com] found.
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending
>> request
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_req_done]
>> (0x0400): DP Request [Account #5]: Request handler finished [0]: Erfolg
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [_dp_req_recv]
>> (0x0400): DP Request [Account #5]: Receiving request data.
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [dp_req_reply_list_success] (0x0400): DP Request [Account #5]: Finished.
>> Success.
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [dp_req_reply_std] (0x1000): DP Request [Account #5]: Returning
>> [Success]: 0,0,Success
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [dp_table_value_destructor] (0x0400): Removing
>> [0:1:0x0001:1:1:U:ipa.example.com:name=usern...@example.com] from reply
>> table
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [dp_req_destructor] (0x0400): DP Request [Account #5]: Request removed.
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [dp_req_destructor] (0x0400): Number of active DP request: 0
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [sdap_process_result] (0x2000): Trace: sh[0x7f14ec425550], connected[1],
>> ops[(nil)], ldap[0x7f14ec409710]
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [sdap_process_result] (0x2000): Trace: end of ldap_result list
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sbus_dispatch]
>> (0x4000): dbus conn: 0x7f14ec428290
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sbus_dispatch]
>> (0x4000): Dispatching.
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [sbus_message_handler] (0x2000): Received SBUS method
>> org.freedesktop.sssd.dataprovider.getAccountInfo on path
>> /org/freedesktop/sssd/dataprovider
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [dp_get_account_info_handler] (0x0200): Got request for
>> [0x1][BE_REQ_USER][1][name=usern...@example.com]
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_attach_req]
>> (0x0400): DP Request [Account #6]: New request. Flags [0x0001].
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_attach_req]
>> (0x0400): Number of active DP request: 1
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [sdap_id_op_connect_step] (0x4000): reusing cached connection
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [ipa_s2n_exop_send] (0x0400): Executing extended operation
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 12
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sdap_op_add]
>> (0x2000): New operation 12 timeout 6
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [sdap_process_result] (0x2000): Trace: sh[0x7f14ec425550], connected[1],
>> ops[0x7f14ec40ca10], ldap[0x7f14ec409710]
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such
>> object(32), (null).
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [sdap_op_destructor] (0x2000): Operation 12 finished
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sdap_id_op_done]
>> (0x4000): releasing operation connection
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_req_done]
>> (0x0400): DP Request [Account #6]: Request handler finished [0]: Erfolg
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [_dp_req_recv]
>> (0x0400): DP Request [Account #6]: Receiving request data.
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [dp_req_reply_list_success] (0x0400): DP Request [Account #6]: Finished.
>> Success.
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [dp_req_reply_std] (0x1000): DP Request [Account #6]: Returning
>> [Success]: 0,0,Success
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [dp_table_value_destructor] (0x0400): Removing
>> [0:1:0x0001:1:1:U:webtrekk.com:name=usern...@example.com] from reply table
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [dp_req_destructor] (0x0400): DP Request [Account #6]: Request removed.
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [dp_req_destructor] (0x0400): Number of active DP request: 0
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [sdap_process_result] (0x2000): Trace: sh[0x7f14ec425550], connected[1],
>> ops[(nil)], ldap[0x7f14ec409710]
>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>> [sdap_process_result] (0x2000): Trace: end of ldap_result list
>>
>> -- 
>>
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

-- 

________________________________________________


Michael Gusek | System Administrator | Webtrekk GmbH |
t +49 30 755 415 302 | f +49 30 755 415 100 | w www.webtrekk.com
<https://www.webtrekk.com/?wt_mc=signature.-.-.-.homepageURL>
Amtsgericht/Local Court Berlin, HRB 93435 B | Geschäftsführer/CEO
Christian Sauer and Wolf Lichtenstein



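The s2n extended-operation lines quoted in the thread can be triaged mechanically rather than by eye. The following is an added example, not code from the thread or from SSSD: it parses records in the shape of the sssd_ipa.example.com.log excerpt (one record per line, as the log file writes them; the mail client wrapped them), pairs each "sent, msgid = N" with the next exop result, and lists the operations that did not return Success(0). The sample log is constructed from the quoted lines, and the pairing assumes the sequential send/done order the excerpt shows.

```python
import re

# Constructed sample in the format of the quoted sssd_ipa.example.com.log
# lines (msgids 13 and 14 as in the thread; not real data).
SAMPLE_LOG = """\
(Fri Aug 18 11:38:08 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Fri Aug 18 11:38:08 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 13
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 14
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed.
"""

# (timestamp) [process] [function] (debug level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<lvl>0x[0-9a-f]+)\): (?P<msg>.*)$")
SENT_RE = re.compile(r"ldap_extended_operation sent, msgid = (\d+)")
RESULT_RE = re.compile(r"ldap_extended_operation result: (?P<name>.+?)\((?P<code>\d+)\)")


def parse_line(line):
    """Split one log record into its fields, or None if it is not a record."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def s2n_results(log_text):
    """Return [(msgid, result_code, result_name), ...] for each s2n exop.
    Assumes (as in the excerpt) that each ipa_s2n_exop_done follows the
    ipa_s2n_exop_send it answers, so pending msgids are matched FIFO."""
    pending, results = [], []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["func"] == "ipa_s2n_exop_send":
            m = SENT_RE.search(rec["msg"])
            if m:
                pending.append(int(m.group(1)))
        elif rec["func"] == "ipa_s2n_exop_done":
            m = RESULT_RE.search(rec["msg"])
            if m and pending:
                results.append((pending.pop(0), int(m.group("code")), m.group("name").strip()))
    return results


def failed_s2n(log_text):
    """Only the exops whose LDAP result code was not 0 (Success)."""
    return [r for r in s2n_results(log_text) if r[1] != 0]


if __name__ == "__main__":
    for msgid, code, name in failed_s2n(SAMPLE_LOG):
        print(f"s2n exop msgid {msgid} failed: {name} ({code})")
```

Running it on the real file (for example `python3 triage.py < /var/log/sssd/sssd_ipa.example.com.log` after swapping SAMPLE_LOG for `sys.stdin.read()`) shows which lookups the IPA server answered with "No such object(32)", which is the point to take to the server-side sssd_nss log as Jakub suggests.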