OK, maybe it’s this:

(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_print_server] (0x2000): Searching 192.168.2.105:389
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1948593278-483253815-2868158363-1029))][cn=Default Trust View,cn=views,cn=accounts,dc=fs,dc=lan].
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 21
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_op_add] (0x2000): New operation 21 timeout 6
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_process_result] (0x2000): Trace: sh[0x56065d6cd580], connected[1], ops[0x56065d71df60], ldap[0x56065d6c4a10]
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_process_result] (0x2000): Trace: sh[0x56065d6cd580], connected[1], ops[0x56065d71df60], ldap[0x56065d6c4a10]
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_op_destructor] (0x2000): Operation 21 finished
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1948593278-483253815-2868158363-1029))].
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ipa_initgr_get_overrides_step] (0x1000): Processing group 2/4
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ipa_initgr_get_overrides_step] (0x0040): The group name=domainus...@fs.lan,cn=groups,cn=fs.lan,cn=sysdb has no UUID attribute objectSIDString, error!
--> here
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ipa_id_get_groups_overrides_done] (0x0040): IPA resolve user groups overrides failed [22].
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [be_mark_dom_offline] (0x1000): Marking subdomain start-line.local offline
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x56065d7255a0
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x56065d6f6dd0
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ldb] (0x4000): Running timer event 0x56065d7255a0 "ltdb_callback"
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ldb] (0x4000): Destroying timer event 0x56065d6f6dd0 "ltdb_timeout"
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ldb] (0x4000): Ending timer event 0x56065d7255a0 "ltdb_callback"
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [be_mark_subdom_offline] (0x1000): Marking subdomain start-line.local as inactive
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [22]: Недопустимый аргумент.
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [22]: Недопустимый аргумент.
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [dp_reply_std_set] (0x0080): DP Error is OK on failed request?
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [dp_req_done] (0x0400): DP Request [Initgroups #4]: Request handler finished [0]: Победа

So this group doesn’t have a SID (note that the objectSIDString is what SSSD saves into the database, not the actual LDAP attribute). On the IPA side, all groups a trusted object is a member of must have the attribute ipaNTSecurityIdentifier. Does the group domainusers have one? You can check with “ipa group-show --all --raw domainusers”.

btw when you established the trust, the ipa-adtrust-install command should have given you the option to generate SIDs for IPA objects. I don’t know exactly how to generate the SIDs post-install, maybe one of the IPA developers would help me out. Looking at the --help output of ipa-adtrust-install there is an option --add-sids.

> On 24 Jul 2018, at 19:33, Николай Савельев via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> Here are the logs after an attempted authentication via ssh.
>
> Also config files,
>
> >> 23.07.2018, 14:49, "Jakub Hrozek" <jhro...@redhat.com>:
>
> --
> Best regards, Николай.
> <conf.tgz><sssd.tgz>_______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/43AYRA2MSIC46KHF5BGSBHN5WBAAZZKR/
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/IAHBDACV3TF7TPIXB5AD7JGNUYQIQEZC/
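
Added example, not part of the original message or of SSSD/FreeIPA: a small Python scanner that picks the "has no UUID attribute" errors out of an SSSD backend debug log, links each one to the subdomain that is marked offline afterwards, and builds the ipa group-show check quoted in the reply. The sample lines are constructed in the format of the log above, and the group name examplegroup is hypothetical.

```python
import re

# SSSD backend debug line, in the format seen in the log above:
# (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]{4})\): (?P<msg>.*)$"
)
# sysdb DN in the message: name=<group>,cn=groups,cn=<domain>,cn=sysdb
NO_SID_RE = re.compile(
    r"The group name=(?P<group>[^,\s]+)\S* has no UUID attribute (?P<attr>\w+)")
OFFLINE_RE = re.compile(r"Marking subdomain (?P<sub>\S+) offline")

def find_missing_sid_groups(lines):
    """One finding per group reported without a SID, plus any subdomain
    marked offline after that report."""
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, annotations, other formats
        if m["func"] == "ipa_initgr_get_overrides_step":
            hit = NO_SID_RE.search(m["msg"])
            if hit:
                findings.append({"ts": m["ts"], "group": hit["group"],
                                 "attr": hit["attr"], "offline": []})
        elif m["func"] == "be_mark_dom_offline" and findings:
            hit = OFFLINE_RE.search(m["msg"])
            if hit:
                findings[-1]["offline"].append(hit["sub"])
    return findings

def check_command(finding):
    """The check from the reply, for the short (pre-@) group name."""
    return "ipa group-show --all --raw " + finding["group"].split("@", 1)[0]

# Constructed sample lines (hypothetical group name), not a real capture.
SAMPLE = """\
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ipa_initgr_get_overrides_step] (0x1000): Processing group 2/4
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ipa_initgr_get_overrides_step] (0x0040): The group name=examplegroup@fs.lan,cn=groups,cn=fs.lan,cn=sysdb has no UUID attribute objectSIDString, error!
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ipa_id_get_groups_overrides_done] (0x0040): IPA resolve user groups overrides failed [22].
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [be_mark_dom_offline] (0x1000): Marking subdomain start-line.local offline
""".splitlines()

if __name__ == "__main__":
    for f in find_missing_sid_groups(SAMPLE):
        print(f["ts"], f["group"], f["offline"], "->", check_command(f))
```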