On Wed, Jul 21, 2010 at 6:18 PM, Dmitri Pal <[email protected]> wrote:

> Scott Duckworth wrote:
> > On Wed, Jul 21, 2010 at 5:58 PM, Dmitri Pal <[email protected]> wrote:
> >
> > Scott Duckworth wrote:
> > > I'm trying to set up a vanilla installation of Fedora 13 to
> > > authenticate against an eDirectory server. We have this working on
> > > RHEL5 using nss_ldap and pam_ldap, but doing this same configuration
> > > on Fedora 13 did not work. So I'm now attempting the configuration
> > > using SSS. I used the graphical tools to set up the basics, then
> > > started editing /etc/sssd/sssd.conf to get the specifics right.
> > >
> > > The directory server uses rfc2307bis groups. User DNs do not have
> > > memberOf attributes or any shadow or kerberos attributes. Kerberos is
> > > not available, LDAP is used for authentication.
> > >
> > > The SSSD client is sssd-1.2.1-15.fc13.x86_64.
> > >
> > > /etc/sssd/sssd.conf:
> > > [sssd]
> > > config_file_version = 2
> > > reconnection_retries = 3
> > > sbus_timeout = 30
> > > services = nss, pam
> > > domains = CLEMSONU
> > > [nss]
> > > debug_level = 7
> > > filter_groups = root
> > > filter_users = root
> > > reconnection_retries = 3
> > > entry_cache_timeout = 1
> > > entry_cache_nowait_timeout = 1
> > > [pam]
> > > debug_level = 7
> > > reconnection_retries = 3
> > > [domain/CLEMSONU]
> > > debug_level = 20
> > > enumerate = False
> > > cache_credentials = False
> > > id_provider = ldap
> > > auth_provider = ldap
> > Try adding here
> >
> > ldap_schema = rfc2307bis
> >
> >
> > No difference.
>
> I assume you restarted SSSD and probably cleared the cache since it
> might have already got it wrong.
>
> Instructions for cleaning:
> Beginning with version 0.6.0, SSSD maintains a separate database file
> for each domain. This means that each domain has its own cache, and in
> the event that problems occur and maintenance is necessary, it is very
> easy to purge the cache for a single domain, by stopping sssd and
> deleting the corresponding cache file. These cache files are stored in
> the /var/lib/sss/db/ directory.
> All cache files are named according to the domain that they represent,
> for example cache_DOMAINNAME.ldb.
>

I removed all files from /var/lib/sss/db/ and restarted sssd. Same behavior. nscd is disabled, so I don't think it's caching at any level.

Here is what I ran:

[r...@duck2 ~]# getent passwd sduckwo
sduckwo:*:45265:10000:Scott Duckworth:/home/sduckwo:/bin/bash
[r...@duck2 ~]# groups sduckwo
sduckwo : cuuser
[r...@duck2 ~]# getent group coes_socunix
coes_socunix:*:120105:sduckwo

And here is what the domain log shows:

(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sbus_message_handler] (9): Received SBUS method [getAccountInfo]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [be_get_account_info] (4): Got request for [4098][1][name=coes_socunix]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (6): calling ldap_search_ext with [(&(cn=coes_socunix)(objectclass=posixGroup))][o=CLEMSONU].
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [objectClass]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [cn]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [userPassword]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [gidNumber]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [member]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [nsUniqueId]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [modifyTimestamp]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (8): ldap_search_ext called, msgid = 6
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_process_result] (8): Trace: sh[0xc55ad0], connected[1], ops[0xd5d5a0], ldap[0xc55cf0]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_parse_entry] (9): OriginalDN: [cn=coes_socunix,ou=group,ou=SoC,ou=CES,o=CLEMSONU].
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_process_result] (8): Trace: sh[0xc55ad0], connected[1], ops[0xd5d5a0], ldap[0xc55cf0]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_get_groups_process] (6): Search for groups, returned 1 results.
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_process_result] (8): Trace: sh[0xc55ad0], connected[1], ops[(nil)], ldap[0xc55cf0]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [ldb] (9): start ldb transaction (nesting: 0)
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_save_group_send] (7): Adding original DN [cn=coes_socunix,ou=group,ou=SoC,ou=CES,o=CLEMSONU] to attributes of [coes_socunix].
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_save_group_send] (6): Storing info for group coes_socunix
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_save_groups_loop] (9): Group 0 processed!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_save_grpmem_send] (7): Adding member users to group [coes_socunix]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (9): [IPA or AD Schema]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #0 (cn=SDUCKWO,ou=s,ou=EMPLOYEE,o=CLEMSONU): [name=sduckwo,cn=users,cn=CLEMSONU,cn=sysdb]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #1 (cn=DUCKWOS,ou=d,ou=Students,o=CLEMSONU): not found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #2 (cn=JDABNEY,ou=j,ou=Students,o=CLEMSONU): not found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #3 (cn=MDABNEY,ou=m,ou=Students,o=CLEMSONU): not found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #4 (cn=DABNEY,ou=d,ou=EMPLOYEE,o=CLEMSONU): not found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #5 (cn=DABNEY2,ou=d,ou=EMPLOYEE,o=CLEMSONU): not found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #6 (cn=MADPROF,ou=m,ou=EMPLOYEE,o=CLEMSONU): not found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #7 (cn=WAYNE,ou=w,ou=EMPLOYEE,o=CLEMSONU): not found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_save_grpmem_send] (6): Storing members for group coes_socunix
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [ldb] (9): commit ldb transaction (nesting: 0)
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_get_groups_done] (9): Saving 1 Groups - Done
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success

It looks like it's only recognizing user DNs which have already been cached.

> If this does not help then you need to wait till tomorrow for Steve
> Gallagher to reply to you. He is gone for the day.
>
> --
> Thank you,
> Dmitri Pal
>
> Engineering Manager IPA project,
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
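
Added example (not part of the original message and not SSSD code): a small Python parser for the sdap_fill_memberships lines of a domain log like the one above, reporting per group which member DNs mapped to a cached sysdb user and which were logged as "not found!". The sample input is an excerpt of the log quoted in the message; the function and variable names are illustrative assumptions.

```python
import re
from collections import defaultdict

# Excerpt of the domain log quoted in the message above (members #2-#7 omitted).
SAMPLE_LOG = """\
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_save_grpmem_send] (7): Adding member users to group [coes_socunix]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (9): [IPA or AD Schema]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #0 (cn=SDUCKWO,ou=s,ou=EMPLOYEE,o=CLEMSONU): [name=sduckwo,cn=users,cn=CLEMSONU,cn=sysdb]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #1 (cn=DUCKWOS,ou=d,ou=Students,o=CLEMSONU): not found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_save_grpmem_send] (6): Storing members for group coes_socunix
"""

# "[function] (level): message" follows the timestamp and the process tag.
LINE_RE = re.compile(r"\[(?P<func>\w+)\] \(\d+\): (?P<msg>.*)$")
GROUP_RE = re.compile(r"Adding member users to group \[(?P<group>[^\]]+)\]")
MEMBER_RE = re.compile(r"member #\d+ \((?P<dn>[^)]*)\): (?P<result>.*)$")

def summarize_memberships(log_text):
    """Return {group: {"resolved": [(ldap_dn, sysdb_dn)], "missing": [ldap_dn]}}."""
    summary = defaultdict(lambda: {"resolved": [], "missing": []})
    group = None  # group whose members are currently being filled in
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        func, msg = m.group("func"), m.group("msg")
        if func == "sdap_save_grpmem_send":
            g = GROUP_RE.search(msg)
            if g:
                group = g.group("group")
        elif func == "sdap_fill_memberships" and group:
            mem = MEMBER_RE.search(msg)
            if not mem:
                continue  # e.g. the "[IPA or AD Schema]" marker line
            if mem.group("result").strip() == "not found!":
                summary[group]["missing"].append(mem.group("dn"))
            else:
                summary[group]["resolved"].append(
                    (mem.group("dn"), mem.group("result").strip("[]")))
    return dict(summary)

if __name__ == "__main__":
    for grp, res in summarize_memberships(SAMPLE_LOG).items():
        print(grp, "resolved:", len(res["resolved"]), "missing:", len(res["missing"]))
        for dn in res["missing"]:
            print("  unresolved member DN:", dn)
```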
