> The sequence to emulate what SSSD does would be
>
> kinit -k host/`hostname`
> ldapsearch -Y GSSAPI -H ldap://genet.ipa.middlebury.edu \
>     -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub \
>     '([email protected])'
>
> As a result, we have '[email protected]' inserted in the compat tree, and
> can do a bind as
> '[email protected],cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu'
>
> ldapsearch -x -H ldap://genet.ipa.middlebury.edu \
>     -D '[email protected],cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu' \
>     -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub \
>     '([email protected])'
>
> This would reproduce what SSSD was supposed to do. If you get these
> ldapsearches to work, we can look at what SSSD is doing.
Thanks. Yes, both of those ldapsearch commands work. I can search for the
user (I'm using a different user here):

-----------------------------
# ldapsearch -Y GSSAPI -H ldap://genet.ipa.middlebury.edu \
    -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub '([email protected])'
SASL/GSSAPI authentication started
SASL username: host/[email protected]
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=ipa,dc=middlebury,dc=edu> with scope subtree
# filter: ([email protected])
# requesting: ALL
#

# [email protected], users, compat, ipa.middlebury.edu
dn: [email protected],cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu
objectClass: posixAccount
objectClass: top
cn: juser
gidNumber: 435021613
gecos: juser
uidNumber: 435021613
homeDirectory: /home/middlebury.edu/juser
uid: [email protected]

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
-----------------------------

And I can bind as that user (after adding the -W flag to prompt for a
password):

-----------------------------
# ldapsearch -x -H ldap://genet.ipa.middlebury.edu \
    -D '[email protected],cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu' \
    -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub '([email protected])' -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=ipa,dc=middlebury,dc=edu> with scope subtree
# filter: ([email protected])
# requesting: ALL
#

# [email protected], users, compat, ipa.middlebury.edu
dn: [email protected],cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu
objectClass: posixAccount
objectClass: top
cn: juser
gidNumber: 435021613
gecos: juser
uidNumber: 435021613
homeDirectory: /home/middlebury.edu/juser
uid: [email protected]

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
-----------------------------

But the user still cannot SSH in to the client:

-----------------------------
$ ssh -l 'MIDD\juser' yakko.ipa.middlebury.edu
MIDD\[email protected]'s password:
Permission denied, please try again.
MIDD\[email protected]'s password:
Permission denied, please try again.
MIDD\[email protected]'s password:
Permission denied (publickey,gssapi-with-mic,password).
-----------------------------

The sssd debug_level is set to 10. I've attached sssd_default.log and
sssd_nss.log.

David Guertin
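The three-step sequence quoted above (host-keytab kinit, GSSAPI search of the compat tree, simple bind with the DN the search returned) is what an administrator types by hand when checking whether the directory side is healthy before looking at SSSD itself. The script below is an added example, not code from the thread or from SSSD; it builds those three command lines, parses the LDIF an ldapsearch returns, and derives the bind DN from the entry rather than typing it by hand, refusing to proceed when the search returned no entry or more than one. The LDAP URI and compat base come from the thread; the user name `juser`, the domain `middlebury.edu`, the `(uid=user@domain)` filter, and the sample LDIF (reconstructed from the thread's output with the redacted address filled in) are assumptions.

```python
"""Emulate SSSD's lookup-then-bind against the FreeIPA compat tree.

Added example, not from the mailing-list thread or from SSSD.
LDAP URI and compat base are taken from the thread; user 'juser',
domain 'middlebury.edu' and the filter form are assumptions.
"""
import shlex
import socket

LDAP_URI = "ldap://genet.ipa.middlebury.edu"
COMPAT_BASE = "cn=compat,dc=ipa,dc=middlebury,dc=edu"

# Constructed sample: the thread's GSSAPI search output with the redacted
# address assumed to be juser@middlebury.edu.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=ipa,dc=middlebury,dc=edu> with scope subtree
# filter: (uid=juser@middlebury.edu)
# requesting: ALL
#

# juser@middlebury.edu, users, compat, ipa.middlebury.edu
dn: uid=juser@middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu
objectClass: posixAccount
objectClass: top
cn: juser
gidNumber: 435021613
gecos: juser
uidNumber: 435021613
homeDirectory: /home/middlebury.edu/juser
uid: juser@middlebury.edu

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
"""


def compat_uid(user, domain):
    """The uid value the compat tree exposes for a trusted-domain user (assumed form)."""
    return f"{user}@{domain}"


def kinit_cmd(hostname=None):
    """Step 1: TGT for the host principal from the host keytab (mirrors kinit -k host/`hostname`)."""
    hostname = hostname or socket.gethostname()
    return ["kinit", "-k", f"host/{hostname}"]


def gssapi_search_cmd(user, domain):
    """Step 2: GSSAPI-authenticated search that makes the compat tree materialise the entry."""
    return ["ldapsearch", "-Y", "GSSAPI", "-H", LDAP_URI, "-b", COMPAT_BASE,
            "-s", "sub", f"(uid={compat_uid(user, domain)})"]


def simple_bind_cmd(bind_dn, user, domain):
    """Step 3: simple bind as the user (-W prompts for the password) searching the same entry."""
    return ["ldapsearch", "-x", "-H", LDAP_URI, "-D", bind_dn, "-W",
            "-b", COMPAT_BASE, "-s", "sub", f"(uid={compat_uid(user, domain)})"]


def parse_ldif(text):
    """Minimal LDIF parser: list of entries, each attribute -> list of values.
    Skips '#' comments, joins folded lines, drops the trailing search-result block."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return [e for e in entries if "dn" in e]   # 'search:'/'result:' block has no dn


def compat_entry(ldif_text, user, domain):
    """Return the one compat entry for the user, or explain why a bind cannot follow."""
    wanted = compat_uid(user, domain)
    matches = [e for e in parse_ldif(ldif_text) if wanted in e.get("uid", [])]
    if not matches:
        raise LookupError(f"no compat entry with uid={wanted}; nothing to bind as")
    if len(matches) > 1:
        raise LookupError(f"{len(matches)} entries for uid={wanted}; bind DN ambiguous")
    entry = matches[0]
    if "posixAccount" not in entry.get("objectClass", []):
        raise LookupError("compat entry is not a posixAccount; SSSD cannot use it")
    return entry


if __name__ == "__main__":
    user, domain = "juser", "middlebury.edu"
    print(shlex.join(kinit_cmd()))
    print(shlex.join(gssapi_search_cmd(user, domain)))
    entry = compat_entry(SAMPLE_LDIF, user, domain)   # would be the real ldapsearch output
    print(shlex.join(simple_bind_cmd(entry["dn"][0], user, domain)))
```

If all three steps succeed by hand, as they did above, the directory side is not the problem and the remaining difference lies in what SSSD itself does with the result, which is why the thread moves on to the SSSD debug logs.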
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
