My tests with the new IPA client are done. With 'default_domain_suffix' and
'full_name_format' in the server's sssd.conf, trust users are not known on
the IPA client's side. If I disable them on the server's side and run 'sss_cache
-E', trust users are known. From my point of view it's not important to
have these options on the server side, so I will leave them out.

Thanks for the help!

Michael


On 18.08.2017 at 14:00, Michael Gusek via FreeIPA-users wrote:
>
> Hello Jakub,
>
> with my first tries I've had the following entries in /etc/sss/sssd.conf on
> the server side:
>
> [sssd]
> services = nss, sudo, pam, ssh
> default_domain_suffix = example.com
> full_name_format = %1$s
> domains = ipa.example.com
> debug_level = 10
>
> When writing my first mail, I disabled 'default_domain_suffix' and
> 'full_name_format', with no success on ipa-member.
>
> In the meantime, I did some tests on ipa-member:
>
> ipa-member> systemctl restart sssd
> ipa-member> sss_cache -E
> ipa-member> systemctl restart sssd
> ipa-member> id usern...@example.com
> uid=299801104(usern...@example.com)
> gid=299801104(usern...@example.com)
> groups=299801104(usern...@example.com),299800513(domänen-benut...@example.com),299801109(mitarbei...@example.com),556800008(ad_us...@example.com)
>
> So it works as expected. Now I've enabled 'default_domain_suffix' and
> 'full_name_format' in the server's sssd.conf, restarted sssd and ran
> sss_cache. It's still working. I'm not sure if 'sss_cache' does some
> magical things. I will set up another IPA client and test the behavior on it.
>
> Thanks,
>
> Michael
>
>
> On 18.08.2017 at 12:07, Jakub Hrozek via FreeIPA-users wrote:
>> On Fri, Aug 18, 2017 at 12:00:45PM +0200, Michael Gusek via FreeIPA-users 
>> wrote:
>>> Hi,
>>>
>>> for testing I've installed a FreeIPA server with a trust to an
>>> AD server. On IdM I can resolve AD users with 'id usern...@example.com',
>>> on the IdM member client not.
>>>
>>> AD domain is Server 2012R2 as 'example.com'
>>> IdM is latest CentOS 7 with ipa-server-4.4.0-14.el7.centos.7.x86_64 as
>>> 'ipa.example.com'
>>> IdM member client is latest CentOS 7 with
>>> sssd-client-1.14.0-43.el7_3.18.x86_64
>>>
>>> Here is an example on a CentOS 7 client:
>>> ipa-member> id usern...@example.com
>>> id: 'usern...@example.com': no such user
>>>
>>> Log messages, with log_level=10, show:
>>> ipa-member> tail -f /var/log/sssd/sssd_ipa.example.com.log | grep s2n
>>> (Fri Aug 18 11:38:08 2017) [sssd[be[ipa.example.com]]]
>>> [ipa_s2n_exop_send] (0x0400): Executing extended operation
>>> (Fri Aug 18 11:38:08 2017) [sssd[be[ipa.example.com]]]
>>> [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 13
>>> (Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]]
>>> [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result:
>>> Success(0), (null).
>>> (Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]]
>>> [ipa_s2n_exop_send] (0x0400): Executing extended operation
>>> (Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]]
>>> [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 14
>>> (Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]]
>>> [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such
>>> object(32), (null).
>>> (Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]]
>>> [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed.
>>> (Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]]
>>> [ipa_s2n_get_fqlist_done] (0x0040): s2n get_fqlist request failed.
>>>
>>> Running on IdM:
>>> ipa-server> id usern...@example.com
>>> uid=299801104(username) gid=299801104(username)
>>> groups=299801104(username),299800513(domänen-benutzer),299801109(mitarbeiter),556800008(ad_users)
>> The s2n operation triggers, through a DS plugin on the IPA side, a
>> lookup through the SSSD NSS interface. So, tailing the sssd_nss logs
>> on the server would be a good start to make sure all the NSS operations
>> succeed.
>>
>> By the way, the name resolution of the users from the trusted domain
>> does not include the domain name, just the username. How is that? Are
>> you sure you're not using some hacks like full_name_format = $1 on the
>> server side?
>>
>>> Any help is welcome.
>>>
>>> Michael
>>>
>>> ----- /etc/sssd.conf on ipa-member -----
>>> [domain/ipa.example.com]
>>>
>>> cache_credentials = True
>>> krb5_store_password_if_offline = True
>>> ipa_domain = ipa.example.com
>>> id_provider = ipa
>>> auth_provider = ipa
>>> access_provider = ipa
>>> ipa_hostname = ipa-server.ipa.example.com
>>> chpass_provider = ipa
>>> dyndns_update = True
>>> ipa_server = _srv_, ipa-server.ipa.example.com
>>> dyndns_iface = eth0
>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>> debug_level = 10
>>>
>>> [sssd]
>>> debug_level = 10
>>> services = nss, sudo, pam, ssh
>>> domains = ipa.example.com
>>>
>>> [nss]
>>> debug_level = 10
>>> homedir_substring = /home
>>>
>>> [pam]
>>> debug_level = 10
>>>
>>> [sudo]
>>>
>>> [autofs]
>>>
>>> [ssh]
>>>
>>> [pac]
>>> debug_level = 10
>>>
>>> [ifp]
>>>
>>> ----- /etc/sssd.conf on ipa-server -----
>>> [domain/ipa.example.com]
>>>
>>> cache_credentials = True
>>> krb5_store_password_if_offline = True
>>> ipa_domain = ipa.example.com
>>> id_provider = ipa
>>> auth_provider = ipa
>>> access_provider = ipa
>>> ipa_hostname = ipa-server.ipa.example.com
>>> chpass_provider = ipa
>>> ipa_server = ipa-server.ipa.example.com
>>> chpass_provider = ipa
>>> ipa_server_mode = True
>>> ldap_tls_cacert = /etc/ipa/ca.crt
>>> subdomain_homedir = /home/%u
>>> shell_fallback = /bin/bash
>>> debug_level = 10
>>>
>>> [sssd]
>>> services = nss, sudo, pam, ssh
>>> domains = ipa.example.com
>>>
>>> [nss]
>>> memcache_timeout = 600
>>> homedir_substring = /home
>>>
>>> [pam]
>>>
>>> [sudo]
>>>
>>> [autofs]
>>>
>>> [ssh]
>>>
>>> [pac]
>>>
>>> [ifp]
>>>
>>>
>>> ----- complete log messages for 'id usern...@example.com' on ipa-member
>>> -----
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [sysdb_search_user_by_upn] (0x0400): No entry with upn
>>> [usern...@example.com] found.
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending
>>> request
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_req_done]
>>> (0x0400): DP Request [Account #5]: Request handler finished [0]: Success
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [_dp_req_recv]
>>> (0x0400): DP Request [Account #5]: Receiving request data.
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [dp_req_reply_list_success] (0x0400): DP Request [Account #5]: Finished.
>>> Success.
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [dp_req_reply_std] (0x1000): DP Request [Account #5]: Returning
>>> [Success]: 0,0,Success
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [dp_table_value_destructor] (0x0400): Removing
>>> [0:1:0x0001:1:1:U:ipa.example.com:name=usern...@example.com] from reply
>>> table
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [dp_req_destructor] (0x0400): DP Request [Account #5]: Request removed.
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [dp_req_destructor] (0x0400): Number of active DP request: 0
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [sdap_process_result] (0x2000): Trace: sh[0x7f14ec425550], connected[1],
>>> ops[(nil)], ldap[0x7f14ec409710]
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [sdap_process_result] (0x2000): Trace: end of ldap_result list
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sbus_dispatch]
>>> (0x4000): dbus conn: 0x7f14ec428290
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sbus_dispatch]
>>> (0x4000): Dispatching.
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [sbus_message_handler] (0x2000): Received SBUS method
>>> org.freedesktop.sssd.dataprovider.getAccountInfo on path
>>> /org/freedesktop/sssd/dataprovider
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [dp_get_account_info_handler] (0x0200): Got request for
>>> [0x1][BE_REQ_USER][1][name=usern...@example.com]
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_attach_req]
>>> (0x0400): DP Request [Account #6]: New request. Flags [0x0001].
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_attach_req]
>>> (0x0400): Number of active DP request: 1
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [sdap_id_op_connect_step] (0x4000): reusing cached connection
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [ipa_s2n_exop_send] (0x0400): Executing extended operation
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 12
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sdap_op_add]
>>> (0x2000): New operation 12 timeout 6
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [sdap_process_result] (0x2000): Trace: sh[0x7f14ec425550], connected[1],
>>> ops[0x7f14ec40ca10], ldap[0x7f14ec409710]
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such
>>> object(32), (null).
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [sdap_op_destructor] (0x2000): Operation 12 finished
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sdap_id_op_done]
>>> (0x4000): releasing operation connection
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_req_done]
>>> (0x0400): DP Request [Account #6]: Request handler finished [0]: Success
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [_dp_req_recv]
>>> (0x0400): DP Request [Account #6]: Receiving request data.
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [dp_req_reply_list_success] (0x0400): DP Request [Account #6]: Finished.
>>> Success.
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [dp_req_reply_std] (0x1000): DP Request [Account #6]: Returning
>>> [Success]: 0,0,Success
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [dp_table_value_destructor] (0x0400): Removing
>>> [0:1:0x0001:1:1:U:webtrekk.com:name=usern...@example.com] from reply table
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [dp_req_destructor] (0x0400): DP Request [Account #6]: Request removed.
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [dp_req_destructor] (0x0400): Number of active DP request: 0
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [sdap_process_result] (0x2000): Trace: sh[0x7f14ec425550], connected[1],
>>> ops[(nil)], ldap[0x7f14ec409710]
>>> (Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]]
>>> [sdap_process_result] (0x2000): Trace: end of ldap_result list
>>>
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
> -- 
>
> ________________________________________________
>
> Michael Gusek | System Administrator | Webtrekk GmbH |
> t +49 30 755 415 302 | f +49 30 755 415 100 | w www.webtrekk.com
> <https://www.webtrekk.com/?wt_mc=signature.-.-.-.homepageURL>
> Amtsgericht/Local Court Berlin, HRB 93435 B | Geschäftsführer/CEO
> Christian Sauer and Wolf Lichtenstein

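To make the outcome of this thread checkable on other installations, here is an added example (my own code, not FreeIPA's or SSSD's). It parses an IPA server's sssd.conf and flags 'default_domain_suffix' and a non-default 'full_name_format' in the [sssd] section when a domain has 'ipa_server_mode = True', and it scans a client's sssd domain log for 'ipa_s2n_exop_done' lines whose LDAP result is non-zero, which is what the client in this thread logged ("No such object(32)"). The sample config and log lines are constructed from what was pasted above, trimmed; the log records are on one line each as they sit on disk, since the mail client wrapped them. The default value of full_name_format is taken from sssd.conf(5); the finding texts are my own wording.

```python
"""Two checks for the situation in this thread: an IPA server whose [sssd]
section carries default_domain_suffix / full_name_format, and an SSSD domain
log on the client showing s2n (extdom) extended operations that return
"No such object(32)". Added example for this thread; not FreeIPA or SSSD code.
"""
import configparser
import re
from typing import List, Tuple

# Default of full_name_format per sssd.conf(5). A server-side override such
# as "%1$s" strips the domain from names the extdom plugin hands to clients.
DEFAULT_FULL_NAME_FORMAT = "%1$s@%2$s"

# Constructed sample: the server config pasted in the thread, trimmed, with
# the two [sssd] options from the first (failing) tests put back in. The
# duplicated chpass_provider line is also present in the original paste.
SAMPLE_SERVER_CONF = """\
[domain/ipa.example.com]
ipa_domain = ipa.example.com
id_provider = ipa
ipa_server = ipa-server.ipa.example.com
chpass_provider = ipa
chpass_provider = ipa
ipa_server_mode = True
subdomain_homedir = /home/%u

[sssd]
services = nss, sudo, pam, ssh
default_domain_suffix = example.com
full_name_format = %1$s
domains = ipa.example.com
"""

# Constructed sample: the s2n lines from the client's sssd_ipa.example.com.log
# as they sit on disk, one record per line (the mail client wrapped them).
SAMPLE_DOMAIN_LOG = """\
(Fri Aug 18 11:38:08 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed.
"""

S2N_DONE = re.compile(
    r"\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[ipa_s2n_exop_done\] \(0x[0-9a-f]+\): ldap_extended_operation result: "
    r"(?P<err>[^(]+)\((?P<code>\d+)\)"
)


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-like. Interpolation is off because values hold literal
    '%' (full_name_format, subdomain_homedir), strict is off so a repeated key
    does not abort the parse, and key case is preserved."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # type: ignore[assignment]
    cp.read_string(text)
    return cp


def lint_server_conf(text: str) -> List[str]:
    """Findings for an IPA server (ipa_server_mode = True) whose [sssd] section
    sets the two options this thread found to break trusted-domain lookups
    from IPA clients. An empty list means nothing to report."""
    cp = parse_sssd_conf(text)
    server_mode = any(
        s.startswith("domain/") and cp.getboolean(s, "ipa_server_mode", fallback=False)
        for s in cp.sections()
    )
    if not server_mode:
        return []  # a plain client; this lint is only about the server side
    sssd = cp["sssd"] if cp.has_section("sssd") else {}
    findings = []
    suffix = sssd.get("default_domain_suffix")
    if suffix is not None:
        findings.append(f"[sssd] default_domain_suffix = {suffix}: remove on an IPA server with trusts")
    fmt = sssd.get("full_name_format")
    if fmt is not None and fmt != DEFAULT_FULL_NAME_FORMAT:
        findings.append(f"[sssd] full_name_format = {fmt}: non-default, remove on an IPA server with trusts")
    return findings


def s2n_results(log_text: str) -> List[Tuple[str, str, int]]:
    """(timestamp, LDAP error text, LDAP result code) for every completed s2n
    extended operation in an sssd domain log."""
    out = []
    for line in log_text.splitlines():
        m = S2N_DONE.search(line)
        if m:
            out.append((m["ts"], m["err"].strip(), int(m["code"])))
    return out


def s2n_failures(log_text: str) -> List[Tuple[str, str, int]]:
    """Only the non-zero results; 32 (noSuchObject) is what the client logged
    while the server's [sssd] section carried the options above."""
    return [r for r in s2n_results(log_text) if r[2] != 0]
```

Run lint_server_conf on the contents of /etc/sssd/sssd.conf of every IPA server before touching the client; a clean result together with s2n failures in the client's domain log points elsewhere, for instance at the sssd_nss log on the server that Jakub suggested tailing. After removing the options, the thread's own sequence (sss_cache -E plus an sssd restart) is still needed, since SSSD keeps the earlier negative answers in its cache until they expire or are flushed.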