On 03/02/2015 04:33 PM, Guertin, David S. wrote:
Let's separate the issues.

1. Adding the AD user to the "IPA group" in AD.
    Did you re-login as that user on the Windows side and then try to log on
    to the IPA server?
Yes.

2. What do the SSSD logs say about the login attempt? You need to set
    debug_level = 10 in the [domain/..], [nss] and [pam] sections of
    /etc/sssd/sssd.conf and restart sssd.
If 'su' says that the user does not exist, it means SSSD does not see the user as
existing. There may be multiple reasons for that; the sssd logs should tell
exactly what has happened. You can try 'id testuser' to reduce the use case for
the sssd logs.
OK, here's what shows up in /var/log/sssd_nss.log after "id testu...@middlebury.edu":

(Mon Mar  2 15:34:34 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'testu...@middlebury.edu' matched expression for domain 'middlebury.edu', user is testuser
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [testuser] from [middlebury.edu]
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [testu...@middlebury.edu]
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 3, 1432158221, Account info lookup failed

The trust is established using one protocol, while the lookup happens using another. Can it be that there is a firewall, and LDAP calls might not go through between the IPA server and AD?

Will try to return what we have in cache
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!

That makes it look like AD is not sending the user info to IPA. But if the 
trust is set up, why is it not sending it?

BTW, if I don't include the domain name with the username, i.e. I do "id testuser", I see:

(Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'testuser' matched without domain, user is testuser
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [testuser] from [<ALL>]
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [testu...@csns.middlebury.edu]
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [testu...@csns.middlebury.edu]
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!

In this case it assumes that the user is an IPA user and does not try to look up the user in AD.


Thanks,
David Guertin




--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
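As an added example for this thread (not code from SSSD or FreeIPA, and not posted by either correspondent): a small Python triage script for sssd_nss.log lines captured with debug_level = 10, as asked for in point 2 above. It parses the responder's debug lines, records which domains were actually searched, and tells apart the two endings seen in this thread: the Data Provider failure on the qualified lookup (the backend was reached, so connectivity between the IPA server and AD is the thing to check) and the plain "No results" on the unqualified lookup (only the local IPA domain was searched). The two sample logs are constructed to mirror the quoted lookups, with the archive's masked address written out as testuser@middlebury.edu since the "user is testuser" lines give the name; the outcome labels and the hint texts are this example's own, not SSSD's.

```python
# Added example for this thread, not SSSD or FreeIPA code. Parses sssd_nss.log
# debug lines, records which domains the nss responder searched, and classifies
# how the lookup ended. Outcome labels and hint texts are this example's own.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# (Mon Mar  2 15:34:34 2015) [sssd[nss]] [func] (0x0040): message
LINE_RE = re.compile(r"^\([^)]+\) \[sssd\[[^\]]+\]\] \[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
QUALIFIED_RE = re.compile(r"matched expression for domain '([^']+)', user is (\S+)")
UNQUALIFIED_RE = re.compile(r"matched without domain, user is (\S+)")
REQUEST_RE = re.compile(r"Requesting info for \[([^\]@]+)@([^\]]+)\]")
DP_ERROR_RE = re.compile(r"^Error: (\d+), (\d+), (.*)$")  # untimestamped follow-on line

@dataclass
class Entry:
    func: str
    level: int
    msg: str
    extra: List[str] = field(default_factory=list)  # follow-on lines without a timestamp

def parse_entries(text: str) -> List[Entry]:
    """Lines that carry no timestamp belong to the preceding entry."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        if m := LINE_RE.match(raw):
            entries.append(Entry(m["func"], int(m["level"], 16), m["msg"]))
        elif entries and raw.strip():
            entries[-1].extra.append(raw.strip())
    return entries

@dataclass
class LookupResult:
    user: Optional[str] = None
    qualified: bool = False  # the name carried an explicit domain
    domains_tried: List[str] = field(default_factory=list)
    outcome: str = "unknown"
    dp_error: Optional[Tuple[int, int, str]] = None  # (major, minor, message)

def triage(text: str) -> LookupResult:
    """Classify how one getpwnam() request ended, as seen by the nss responder."""
    r = LookupResult()
    for e in parse_entries(text):
        if e.func == "sss_parse_name_for_domains":
            if m := QUALIFIED_RE.search(e.msg):
                r.user, r.qualified = m.group(2), True
            elif m := UNQUALIFIED_RE.search(e.msg):
                r.user, r.qualified = m.group(1), False
        elif e.func == "nss_cmd_getpwnam_search":
            if m := REQUEST_RE.search(e.msg):
                if m.group(2) not in r.domains_tried:
                    r.domains_tried.append(m.group(2))
            elif "No results for getpwnam call" in e.msg:
                r.outcome = "not_found_in_searched_domains"
        elif e.func == "nss_cmd_getby_dp_callback" and "Data Provider" in e.msg:
            r.outcome = "backend_failure"  # request reached the backend; lookup failed there
            for line in e.extra:
                if m := DP_ERROR_RE.match(line):
                    r.dp_error = (int(m.group(1)), int(m.group(2)), m.group(3))
    return r

HINTS = {
    "backend_failure": "The request reached the data provider and the backend lookup "
    "failed, so this is not a naming problem: check the domain log on the IPA server "
    "and that LDAP from the IPA server to the AD domain controllers is not firewalled.",
    "not_found_in_searched_domains": "No backend error was logged; only the listed "
    "domains were searched. An unqualified name resolves against the local IPA domain, "
    "so look the AD user up as user@<ad-domain> or set default_domain_suffix in [sssd].",
    "unknown": "No terminal outcome recognised; capture the lookup with debug_level = 10.",
}

def hint(result: LookupResult) -> str:
    return HINTS[result.outcome]

# Constructed samples mirroring the thread's two lookups (mail wrapping removed).
SAMPLE_QUALIFIED = """\
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'testuser@middlebury.edu' matched expression for domain 'middlebury.edu', user is testuser
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [testuser] from [middlebury.edu]
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [testuser@middlebury.edu]
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 3, 1432158221, Account info lookup failed
Will try to return what we have in cache
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
"""
SAMPLE_UNQUALIFIED = """\
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'testuser' matched without domain, user is testuser
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [testuser] from [<ALL>]
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [testuser@csns.middlebury.edu]
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
"""

if __name__ == "__main__":
    for sample in (SAMPLE_QUALIFIED, SAMPLE_UNQUALIFIED):
        res = triage(sample)
        print(res.user, res.qualified, res.domains_tried, res.outcome, "->", hint(res))
```

Run it against a real log with `triage(open("/var/log/sssd/sssd_nss.log").read())` after reproducing a single `id user@domain` call; the `domains_tried` list is the quickest way to confirm whether the AD domain was consulted at all, and a populated `dp_error` means the failure belongs to the backend (and its own sssd_<domain>.log), not to name parsing in the responder.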
