On Thu, Apr 02, 2015 at 02:43:59PM +0000, Guertin, David S. wrote: > >Ah so you are using it with trust. Then you should change the configuration > >to > >not use kerberos but rather LDAP instead. > >More details are here. > >http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf > > Thanks. When I ran ipa-adtrust-install on the servers, I hadn't used the > --enable-compat flag, so I re-ran "ipa-adtrust-install --enable-compat" on > all three IPA servers. I then cleared the sssd cache on the RHEL 5 client and > restarted sssd, but users still couldn't log in. Originally I had run > "ipa-advise config-redhat-sssd-before-1-9" on the server, so I tried > re-running that with "ipa-advise config-redhat-nss-ldap" instead, and ran the > resulting script on the client. Still no success -- I'm still getting the > same error. > > The current sssd.conf file on the client is: > > [sssd] > services = nss, pam > config_file_version = 2 > domains = default > re_expression = (?P<name>.+) > > [domain/default] > cache_credentials = True > id_provider = ldap > auth_provider = ldap > ldap_uri = ldap://genet.ipa.middlebury.edu > ldap_search_base = cn=compat,dc=ipa,dc=middlebury,dc=edu > ldap_tls_cacert = /etc/openldap/cacerts/ipa.crt > > David Guertin
Can you try searching the compat tree with ldapsearch to see if an entry turns up? IIRC you need to search for a particular entry, not for any (not ie cn=*), but if you crank up the debug_level in the domain section, then sssd should log the searches to /var/log/sssd/sssd_default.log -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
