On Mon, Mar 02, 2015 at 09:33:04PM +0000, Guertin, David S. wrote:
> > Let's separate issues.
> > 
> > 1. Adding AD user to "IPA group" in AD.
> >    Did you re-login as that user on the Windows side and then try to log on
> >    to the IPA server?
> 
> Yes.
> 
> > 2. What do SSSD logs say about the login attempt? You need to set
> >    debug_level = 10 in [domain/..], [nss] and [pam] sections of
> >    /etc/sssd/sssd.conf and restart sssd.
> 
> > If 'su' says that user does not exist, it means SSSD does not see the user
> > as existing. There may be multiple reasons for that, sssd logs should tell
> > exactly what has happened. You can try 'id testuser' to reduce use case for
> > sssd logs.
> 
> OK, here's what shows up in /var/log/sssd_nss.log after "id testu...@middlebury.edu":
> 
> (Mon Mar  2 15:34:34 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> (Mon Mar  2 15:34:34 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> (Mon Mar  2 15:34:34 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'testu...@middlebury.edu' matched expression for domain 'middlebury.edu', user is testuser
> (Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [testuser] from [middlebury.edu]
> (Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [testu...@middlebury.edu]
> (Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
> Error: 3, 1432158221, Account info lookup failed
> Will try to return what we have in cache
> (Mon Mar  2 15:34:34 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
> 
> That makes it look like AD is not sending the user info to IPA. But if the 
> trust is set up, why is it not sending it?

The request was actually sent by the NSS front-end, but the "Unable to
get information from Data Provider" line says the sssd_be back end
process was unable to connect to the server and fetch the data.

Do these logs come from a client or the IPA server? Are you able to look
up the user on the IPA server at least? 

Can you paste (sanitized) logs from the sssd_be process as well? They
would be located at /var/log/sssd/sssd_middlebury.edu.log

If the logs are from the client and the back end logs say
something about an extended operation failing, then we need to take a look
at the sssd logs on the server as well.


> 
> BTW, if I don't include the domain name with the username, i.e. I do "id testuser", I see:
> 
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'testuser' matched without domain, user is testuser
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [testuser] from [<ALL>]
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [testu...@csns.middlebury.edu]
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [testu...@csns.middlebury.edu]
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
> (Mon Mar  2 15:35:49 2015) [sssd[nss]] [client_recv] (0x0200): Client disconnected!

Right, the code paths for retrieving IPA users and AD users are mostly
separate on the sssd_be side.
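
The triage described in this reply, as an added example that is not part of the original message or SSSD's own code: it parses sssd_nss.log entries, separates a Data Provider failure from a plain "no results" lookup, and names the back-end log to read next. The sample lines are constructed from the excerpts quoted above with a placeholder domain, and the /var/log/sssd/sssd_<domain>.log pattern is an assumption generalized from the path given in the reply.

```python
import re

# Constructed sample modelled on the sssd_nss.log excerpts quoted in this
# thread; the user and domain names are placeholders.
SAMPLE_LOG = """\
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [testuser] from [ad.example.test]
(Mon Mar  2 15:34:34 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 3, 1432158221, Account info lookup failed
Will try to return what we have in cache
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [testuser] from [<ALL>]
(Mon Mar  2 15:35:49 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
"""

ENTRY = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<svc>[^\]]+)\]\] "
                   r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$")
REQUEST = re.compile(r"Requesting info for \[([^\]]+)\] from \[([^\]]+)\]")

def parse_entries(text):
    """Split the log into entries, folding unprefixed lines into the previous one."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append(m.groupdict())
        elif entries and line.strip():
            entries[-1]["msg"] += "\n" + line
    return entries

def triage(text):
    """Return one finding per failed lookup, with the log to read next."""
    findings, user, domain = [], None, None
    for e in parse_entries(text):
        req = REQUEST.search(e["msg"])
        if req:
            user, domain = req.groups()
        elif "Unable to get information from Data Provider" in e["msg"]:
            # The NSS responder asked; the sssd_be back end could not deliver.
            # Assumption: the back-end log is /var/log/sssd/sssd_<domain>.log.
            findings.append({"ts": e["ts"], "user": user, "kind": "dp_failure",
                             "detail": e["msg"].split("\n")[1:],
                             "next_log": f"/var/log/sssd/sssd_{domain}.log"})
        elif "No results for getpwnam call" in e["msg"]:
            # The search finished without a match; no single back end to blame.
            findings.append({"ts": e["ts"], "user": user, "kind": "not_found",
                             "detail": [], "next_log": None})
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```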
