On Thu, 02 Apr 2015, Guertin, David S. wrote:
> Can you try searching the compat tree with ldapsearch to see if an entry turns up? IIRC you need to search for a particular entry, not for any (i.e. not cn=*), but if you crank up the debug_level in the domain section, then sssd should log the searches to /var/log/sssd/sssd_default.log

Here's the result of ldapsearch on the RHEL 5 client (the same command works on RHEL 6):

    # ldapsearch -h middlebury.edu -p 389 -D 'MIDD\admin' -W -b "dc=middlebury,dc=edu" -s sub "cn=juser,cn=users,dc=middlebury,dc=edu"
    Enter LDAP Password:
    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Local error (-2)
            additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No credentials cache found)
This is wrong use of ldapsearch -- if you are using simple bind, make sure you tell ldapsearch about it. However, I'm not sure what you wanted to show, as both hostname and base DN are different from what SSSD tries in the logs below. Also, unlike Active Directory, IPA LDAP does not (yet) accept a short version of the bind DN; you have to specify it fully.

If you wanted to have Kerberos auth working on RHEL5, that is something that might or might not work for AD users depending on many circumstances, mostly related to the need to manually configure krb5.conf to know about the AD realm and how to contact servers there, but also due to possible issues with auth_to_local rulesets (if they even exist in that Kerberos library version).

In case of AD users there is a sequence to follow for LDAP authentication if you want to repeat what SSSD does:

1. Search user with filter '(uid=username@domain)' to get the entry into compat tree.
2. Bind as uid=username@domain,cn=users,cn=compat,$BASEDN to trigger authentication check.

This is how various LDAP-based NSS modules work, be it nss_ldap or pam-nss-ldapd, or SSSD.

So, let's say, you have a kerberos keytab with a host principal in /etc/krb5.keytab. The sequence to emulate what SSSD does would be

    kinit -k host/`hostname`
    ldapsearch -Y GSSAPI -H ldap://genet.ipa.middlebury.edu \
        -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub \
        '([email protected])'

As result, we have '[email protected]' inserted in the compat tree, and can do a bind as '[email protected],cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu':

    ldapsearch -x -H ldap://genet.ipa.middlebury.edu \
        -D '[email protected],cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu' \
        -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub \
        '([email protected])'

This would reproduce what SSSD was supposed to do. If you get these ldapsearches to work, we can look at what SSSD is doing.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
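The two-step search-then-bind sequence Alexander describes, written up as a small POSIX shell script so the pieces are reusable (added example, not part of the thread and not SSSD's or FreeIPA's own code). Server URL, base DN, user and AD domain are constructed placeholders; the keytab path and the `kinit -k` / `ldapsearch -Y GSSAPI` / `ldapsearch -x -D` calls are the ones from the message above. The DN helpers exist so the full compat bind DN is built in one place, since a short bind DN is exactly what IPA's LDAP rejects.

```shell
#!/bin/sh
# Emulate SSSD's compat-tree authentication for an AD trust user:
#   step 1: GSSAPI search with the host keytab so the compat entry is created
#   step 2: simple bind as that entry, which is what actually checks the password
set -eu

# Constructed placeholders; override via the environment for a real run.
IPA_SERVER="${IPA_SERVER:-ldap://ipa.example.test}"
BASEDN="${BASEDN:-dc=ipa,dc=example,dc=test}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Full bind DN for an AD user in the compat tree: uid=user@domain,cn=users,cn=compat,<base>
# (IPA does not accept a short form such as DOMAIN\user or a bare uid).
compat_user_dn() {
    # $1 = username, $2 = AD domain, $3 = IPA base DN
    printf 'uid=%s@%s,cn=users,cn=compat,%s' "$1" "$2" "$3"
}

# Search base for the compat tree under the IPA base DN.
compat_search_base() {
    printf 'cn=compat,%s' "$1"
}

# Filter SSSD uses to look the user up: (uid=user@domain)
compat_filter() {
    printf '(uid=%s@%s)' "$1" "$2"
}

# Step 1: authenticate as the host principal from the keytab and search the compat tree.
# A returned DN means the entry now exists and step 2 can bind to it.
search_compat_entry() {
    user="$1"; domain="$2"
    kinit -k -t "$KEYTAB" "host/$(hostname)"
    ldapsearch -LLL -Y GSSAPI -H "$IPA_SERVER" \
        -b "$(compat_search_base "$BASEDN")" -s sub \
        "$(compat_filter "$user" "$domain")" dn
}

# Step 2: simple bind (-x, note the explicit flag) as the compat entry; ldapsearch prompts
# for the user's password with -W.  Exit status 49 means "invalid credentials".
bind_as_compat_user() {
    user="$1"; domain="$2"
    ldapsearch -LLL -x -H "$IPA_SERVER" \
        -D "$(compat_user_dn "$user" "$domain" "$BASEDN")" -W \
        -b "$(compat_search_base "$BASEDN")" -s sub \
        "$(compat_filter "$user" "$domain")" dn
}

# Run both steps only when explicitly asked, e.g.:
#   RUN_SEQUENCE=1 IPA_SERVER=ldap://genet.ipa.middlebury.edu \
#       BASEDN=dc=ipa,dc=middlebury,dc=edu ./compat-auth.sh juser ad.example.test
if [ "${RUN_SEQUENCE:-0}" = "1" ]; then
    search_compat_entry "$1" "$2"
    bind_as_compat_user "$1" "$2"
fi
```

Crank up `debug_level` in the SSSD domain section while you run this and the searches it logs to /var/log/sssd/sssd_default.log should match the base, filter and bind DN the script prints, which is the quickest way to spot a short or mis-built DN.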
