> Let's separate issues.
> 
> 1. Adding AD user to "IPA group" in AD.
>    Did you re-login as that user on Windows side and then tried to logon
>    to IPA server?

Yes.

> 2. What do SSSD logs say about the login attempt? You need to set
>    debug_level = 10 in [domain/..], [nss] and [pam] sections of
>    /etc/sssd/sssd.conf and restart sssd.

> If 'su' says that the user does not exist, it means SSSD does not see the user as
> existing. There may be multiple reasons for that; the sssd logs should tell
> exactly what has happened. You can try 'id testuser' to reduce the use case for
> the sssd logs.

OK, here's what shows up in /var/log/sssd_nss.log after "id testu...@middlebury.edu":

(Mon Mar  2 15:34:34 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received 
client version [1].
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered 
version [1].
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): 
name 'testu...@middlebury.edu' matched expression for domain 'middlebury.edu', 
user is testuser
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting 
info for [testuser] from [middlebury.edu]
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): 
Requesting info for [testu...@middlebury.edu]
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): 
Unable to get information from Data Provider
Error: 3, 1432158221, Account info lookup failed
Will try to return what we have in cache
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [client_recv] (0x0200): Client 
disconnected!

That makes it look like AD is not sending the user info to IPA. But if the 
trust is set up, why is it not sending it?

BTW, if I don't include the domain name with the username, i.e. I do "id 
testuser", I see:

(Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received 
client version [1].
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered 
version [1].
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): 
name 'testuser' matched without domain, user is testuser
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): 
using default domain [(null)]
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting 
info for [testuser] from [<ALL>]
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): 
Requesting info for [testu...@csns.middlebury.edu]
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): 
Requesting info for [testu...@csns.middlebury.edu]
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No 
results for getpwnam call
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [client_recv] (0x0200): Client 
disconnected!

Thanks,
David Guertin


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
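The two sssd_nss.log excerpts in this message are short enough to read by eye, but once debug_level = 10 is on in every section the log grows fast, and the interesting entries (which domain the name parser matched, which fully qualified names the responder actually tried, and whether the Data Provider returned an error) are spread over several wrapped lines. The script below is an added example written for this thread; it is not code from SSSD, FreeIPA, or anyone in the discussion. It takes the two excerpts above as constructed sample input, exactly as the list archive shows them (mail-wrapped lines and the archive's "testu..." address elision kept as-is, the two sss_cmd_get_version entries left out), rejoins continuation lines, and reduces each lookup to a small summary. The log line format it parses is the SSSD 1.x format visible in the post; the wording of diagnose() is my own reading of those summaries.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample input: the two excerpts from the post above, as the archive shows them
# (wrapped lines, elided "testu..." address), minus the sss_cmd_get_version entries.
LOG_QUALIFIED = """\
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200):
name 'testu...@middlebury.edu' matched expression for domain 'middlebury.edu',
user is testuser
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting
info for [testuser] from [middlebury.edu]
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
Requesting info for [testu...@middlebury.edu]
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040):
Unable to get information from Data Provider
Error: 3, 1432158221, Account info lookup failed
Will try to return what we have in cache
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [client_recv] (0x0200): Client
disconnected!
"""
LOG_UNQUALIFIED = """\
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200):
name 'testuser' matched without domain, user is testuser
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200):
using default domain [(null)]
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting
info for [testuser] from [<ALL>]
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
Requesting info for [testu...@csns.middlebury.edu]
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
Requesting info for [testu...@csns.middlebury.edu]
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No
results for getpwnam call
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [client_recv] (0x0200): Client
disconnected!
"""

# A real entry starts with "(Mon Mar  2 15:34:34 2015)"; any other line is a
# continuation (multi-line message, or a line the mail client wrapped).
ENTRY_START = re.compile(r"^\(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}\) ")
ENTRY_RE = re.compile(r"^\(([^)]+)\) \[sssd\[([^\]]+)\]\] \[([^\]]+)\] "
                      r"\((0x[0-9a-f]+)\):\s*(.*)$", re.S)


def split_entries(text: str) -> List[str]:
    """One string per log entry, continuation lines glued back on with '\\n'."""
    entries: List[str] = []
    for line in filter(None, (l.rstrip() for l in text.splitlines())):
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += "\n" + line
    return entries


@dataclass
class LookupSummary:
    requested_name: Optional[str] = None   # as sss_parse_name_for_domains saw it
    matched_domain: Optional[str] = None   # domain its regex matched; None if bare
    searched_in: Optional[str] = None      # what nss_cmd_getbynam was asked for
    candidates: List[str] = field(default_factory=list)  # FQNs actually tried
    dp_error: Optional[Tuple[int, str]] = None  # (code, text) from the backend
    outcome: str = "unknown"


def summarize(text: str) -> LookupSummary:
    s = LookupSummary()
    for m in filter(None, map(ENTRY_RE.match, split_entries(text))):
        func, msg = m.group(3), m.group(5)
        if func == "sss_parse_name_for_domains":
            q = re.search(r"name '([^']+)' matched "
                          r"(?:expression for domain '([^']+)'|without domain)", msg)
            if q:
                s.requested_name, s.matched_domain = q.group(1), q.group(2)
        elif func == "nss_cmd_getbynam":
            d = re.search(r"from \[([^\]]+)\]", msg)
            s.searched_in = d.group(1) if d else s.searched_in
        elif func == "nss_cmd_getpwnam_search":
            c = re.search(r"Requesting\s+info for \[([^\]]+)\]", msg)
            if c and c.group(1) not in s.candidates:
                s.candidates.append(c.group(1))
            if re.search(r"No\s+results for getpwnam call", msg):
                s.outcome = "no results"
        elif func == "nss_cmd_getby_dp_callback":
            e = re.search(r"Error: (\d+), \d+, ([^\n]+)", msg)
            if e:
                s.dp_error = (int(e.group(1)), e.group(2).strip())
                s.outcome = "data provider error"
    return s


def diagnose(s: LookupSummary) -> str:
    # My reading of the summary, in the terms the thread uses.
    if s.dp_error:
        return (f"backend lookup of {s.requested_name} in {s.searched_in} failed "
                f"(error {s.dp_error[0]}: {s.dp_error[1]}); see the domain log")
    if s.outcome == "no results" and s.matched_domain is None:
        return (f"bare name {s.requested_name!r} was only tried as "
                f"{', '.join(s.candidates)}; qualify it as user@domain")
    return f"outcome: {s.outcome}"
```

Run against the first excerpt it reports that the nss responder did hand the request for testuser in middlebury.edu to the backend and got error 3 back, so the next place to look is the domain's own log rather than sssd_nss.log. Against the second excerpt it shows why the bare "id testuser" behaves differently: the name matched no domain, was searched in <ALL>, and was only ever expanded to the IPA domain csns.middlebury.edu, never to the trusted AD domain. SSSD does allow a bare name to resolve into a trusted domain if default_domain_suffix is set in the [sssd] section, but the logs above show it is not, so the two commands are not testing the same thing.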