I've figured it out. You are right. SSSD triggers key generation. For
migrated clients though, since ypbind still runs and the NIS-plugin serves
maps, they authenticate first using NIS before SSSD. If ypbind is stopped,
it is forced to use SSSD, and then it triggers the migration. Thanks for
persisting with this. It's pretty clear how it works now.

On Tue, Mar 31, 2015 at 11:32 AM, Prasun Gera <prasun.g...@gmail.com> wrote:

>
>
>> ? SSSD does not seem to be involved as user is found in the /etc/passwd
>> and this SSSD should not do anything.
>>
> It's not a local user. There's no entry in /etc/passwd. Here's the
> relevant sssd log
>
>
> sssd_ssh
>
> (Tue Mar 31 03:50:41 2015) [sssd[ssh]] [sss_parse_name_for_domains]
> (0x0200): name 'testuser2' matched without domain, user is testuser2
> (Tue Mar 31 03:50:41 2015) [sssd[ssh]] [client_recv] (0x0200): Client
> disconnected!
> (Tue Mar 31 03:53:17 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200):
> Received client version [0].
>
> sssd_pam
>
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): domain:
> ipadomain
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): user:
> testuser2
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): service:
> sshd
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser:
> not set
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> host_ip
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok
> type: 0
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100):
> newauthtok type: 0
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
> 23983
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): logon
> name: testuser2
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100):
> pam_dp_send_req returned 0
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100):
> received: [0][ipadomain]
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply
> called with result [0].
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_reply] (0x0200): blen: 27
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [client_recv] (0x0200): Client
> disconnected!
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
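
Added example, not part of the original thread: a small parser for sssd_pam log lines in the format quoted above. It lists the PAM reply codes SSSD logged for a user, so an empty result for a user who has just logged in shows the login never reached SSSD (for instance because NIS answered first while ypbind was running, as the reply describes). The function names and the sample log are constructed, and the code assumes SSSD debug logging verbose enough to emit the pam_print_data lines seen in the excerpt.

```python
import re

# Constructed sample in the layout of the sssd_pam excerpt quoted above,
# mail quoting ("> ") and line wrapping included.
SAMPLE = """\
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): user:
> testuser2
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): service:
> sshd
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply
> called with result [0].
> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [client_recv] (0x0200): Client
> disconnected!
"""

ENTRY = re.compile(r"\((?P<ts>[^)]+)\) \[sssd\[pam\]\] \[(?P<fn>\w+)\] "
                   r"\(0x[0-9a-f]+\): (?P<msg>.*)")
RESULT = re.compile(r"pam_reply called with result \[(\d+)\]")

def unwrap(text):
    """Drop quote markers and rejoin entries that were wrapped across lines."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if line.startswith("(") or not line or not entries:
            entries.append(line)          # new entry (blank lines end one)
        else:
            entries[-1] += " " + line     # continuation of a wrapped entry
    return entries

def pam_requests(text):
    """One dict per PAM request: pam_print_data fields plus the reply code."""
    requests, fields = [], {}
    for entry in unwrap(text):
        m = ENTRY.fullmatch(entry)
        if not m:
            continue
        if m["fn"] == "pam_print_data":
            key, _, value = m["msg"].partition(":")
            fields[key.strip()] = value.strip()
        elif m["fn"] == "pam_reply" and (r := RESULT.search(m["msg"])):
            requests.append({**fields, "time": m["ts"], "result": int(r[1])})
            fields = {}
    return requests

def sssd_results(text, user, service="sshd"):
    """PAM reply codes SSSD logged for this user and service (0 = PAM_SUCCESS)."""
    return [r["result"] for r in pam_requests(text)
            if r.get("user") == user and r.get("service") == service]
```
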
