On 03/04/2015 08:55 PM, Nathan Peters wrote:
I am using FreeIPA 4.1.2 on CentOS 7.
Yes, AD users can login to all Linux / Centos machines.
Also, when I'm at a shell prompt on the FreeIPA DC, I can getent
passwd <aduser> and I see their info properly.
The guide you linked below is the first thing I read while trying to
troubleshoot this. It seems aimed toward older sssd clients < 1.9 and
not Solaris clients.
I will try this again tomorrow and confirm that the request is being
passed to the FreeIPA DC and rejected there. I was assuming that it
was being rejected by the Solaris machine.
Good that everything else works. That narrows things down.
Let us see whether the auth request hits SSSD and what happens then.
May be it is on Solaris. The password line should in fact point to the
compat tree as you noticed. But authentication should work.
May be it ts NS_LDAP_OBJECTCLASSMAP, the mention of shadow looks suspicious.
Also NS_LDAP_AUTH= none ... may be it should be some other value.
Also the configuration seems to be different from one described here:
Those are old guides but still should be relevant to Solaris configuration.
Just use compat tree as recent docs prescribe.
-----Original Message----- From: Dmitri Pal
Sent: Wednesday, March 04, 2015 4:36 PM
Subject: Re: [Freeipa-users] AD trust users cannot login to Solaris
On 03/04/2015 07:24 PM, nat...@nathanpeters.com wrote:
I have successfully setup a Solaris 10 client so that internal FreeIPA
users can login, get the correct shell, and can sudo to root using ldap.
The problem is that the AD trusted users cannot login. I have read all
the freeIPA docs about enabling legacy clients, and they say to use the
compat tree. I'm pretty sure I'm already doing this. Here is the
contents of the ldap_client_file from my Solaris machine (which was
downloaded automatically when I did ldapclient init):
# Do not edit this file manually; your changes will be lost.Please use
ldapclient (1M) instead.
I see that the users are coming from the accounts tree and the groups
coming from the compat tree. Is this right? The trust was created with
--enable-compat so I'm surprised that only the groups are coming from
Does FreeIPA serve up an improperly configured DefaultDUAProfile?
I couldn't login with this configuration, so I switched the passwd
cn=compat just to test, but that didn't seem to work.
Here is the result of getent passwd on solaris (last 2 lines):
So once again, we can see FreeIPA users, but not AD users.
I don't think this is a Solaris problem because when I go onto my
desktop and load ldp.exe and view the ldap tree, I can view
However, the compat tree has a users section that only includes my
internal users. So my questions are :
1.)What is the point of a compat tree in FreeIPA if it doesn't list
2.)How do I get my compat tree to list my AD users?
3.)If there is something manual I have to do to make my compat tree show
AD users, why is this not done when enable the trust with
>From what I can see, my compat tree basically contains the exact same
users and groups as my regular tree, so it will never allow a client
ldap only auth to see the AD users?
What version of IPA are you using?
Have you verified that trust actually works by looking up or
authenticating with the AD users on the SSSD client or on the server
The compat tree fills the data dynamically as you need it. When an AD
user accesses Solaris box Solaris would authenticate against the compat
tree. Compat tree will use SSSD on the server to authenticate against
the AD. It seems that this part is failing. SSSD logs from the IPA
server with high debug level would be helpful.
More info is here:
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project