On Tue, Jul 10, 2018 at 02:25:53PM -0000, tolotos--- via FreeIPA-users wrote:
> Hi,
>
> we have a setup with a Forest Trust to an AD Domain.
>
> Everything looks good on the FreeIPA Servers itself. We can see User
> information if we do "getent passwd user@ad.domain" or "id user@ad.domain" or
> "sssctl user-checks user@ad.domain".
>
> But on a connected client, we get only the user of the ipa domain and no user
> information on ad user.
>
> In the logs, we found no obvious error.
> The only thing we see in sssd.log is:
> (Tue Jul 10 16:19:27 2018) [sssd[be[ipa.domain]]]
> [delayed_online_authentication_callback] (0x0200): Backend is online,
> starting delayed online authentication.
> (Tue Jul 10 16:19:28 2018) [sssd[be[ipa.domain]]]
> [dp_get_account_info_handler] (0x0200): Got request for
> [0x1][BE_REQ_USER][name=user@ad.domain]
> (Tue Jul 10 16:19:28 2018) [sssd[be[ipa.domain]]] [ipa_s2n_exop_done]
> (0x0040): ldap_extended_operation result: No such object(32), (null).
> (Tue Jul 10 16:19:28 2018) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done]
> (0x0040): s2n exop request failed.

Are all the groups the user is a member of resolvable by ID (getent group $GID)?

A good way to debug this kind of issue is to enable debugging in the [nss] section in sssd.conf on the IPA server and check if any of the requests go unanswered.
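
The group check suggested in the reply, as an added example that is not part of the original thread: it walks every GID that `id -G` reports for a user and lists the ones `getent group` cannot resolve. The function names and the `GETENT` / `ID_CMD` override variables are hypothetical, introduced here so the logic can be exercised without a live IPA server.

```shell
#!/bin/sh
# Added example: find GIDs of a trusted-domain user that do not resolve to a
# group entry. Intended to be sourced and run on the IPA server.
# GETENT and ID_CMD are hypothetical overrides (default: getent, id).

# unresolved_gids GID...
# Prints each GID for which "getent group <GID>" returns no entry.
unresolved_gids() {
    for gid in "$@"; do
        if ! "${GETENT:-getent}" group "$gid" >/dev/null 2>&1; then
            printf '%s\n' "$gid"
        fi
    done
}

# check_user USER
# Prints the unresolved GIDs of USER, one per line.
# Returns 0 if every GID resolves, 1 if at least one does not,
# and 2 if the user itself cannot be looked up.
check_user() {
    gids=$("${ID_CMD:-id}" -G "$1" 2>/dev/null) || return 2
    # Word splitting is intended: id -G prints space-separated numeric GIDs.
    # shellcheck disable=SC2086
    missing=$(unresolved_gids $gids)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Usage on the IPA server, after sourcing this file:
#   check_user user@ad.domain
```
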