> The sequence to emulate what SSSD does would be
>
> kinit -k host/`hostname`
> ldapsearch -Y GSSAPI -H ldap://genet.ipa.middlebury.edu \
>     -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub \
>     '(uid=ad...@middlebury.edu)'
>
> As a result, we have 'ad...@middlebury.edu' inserted in the compat tree, and
> can do a bind as
> 'uid=ad...@middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu'
>
> ldapsearch -x -H ldap://genet.ipa.middlebury.edu \
>     -D 'uid=ad...@middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu' \
>     -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub \
>     '(uid=ad...@middlebury.edu)'
>
> This would reproduce what SSSD was supposed to do. If you get these
> ldapsearches to work, we can look at what SSSD is doing.
Thanks. Yes, both of those ldapsearch commands work. I can search for the
user (I'm using a different user here):

-----------------------------
# ldapsearch -Y GSSAPI -H ldap://genet.ipa.middlebury.edu -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub '(uid=ju...@middlebury.edu)'
SASL/GSSAPI authentication started
SASL username: host/yakko.ipa.middlebury....@ipa.middlebury.edu
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=ipa,dc=middlebury,dc=edu> with scope subtree
# filter: (uid=ju...@middlebury.edu)
# requesting: ALL
#

# ju...@middlebury.edu, users, compat, ipa.middlebury.edu
dn: uid=ju...@middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu
objectClass: posixAccount
objectClass: top
cn: juser
gidNumber: 435021613
gecos: juser
uidNumber: 435021613
homeDirectory: /home/middlebury.edu/juser
uid: ju...@middlebury.edu

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
-----------------------------

And I can bind as that user (after adding the -W flag to prompt for a
password):

-----------------------------
# ldapsearch -x -H ldap://genet.ipa.middlebury.edu -D 'uid=ju...@middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu' -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub '(uid=ju...@middlebury.edu)' -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=ipa,dc=middlebury,dc=edu> with scope subtree
# filter: (uid=ju...@middlebury.edu)
# requesting: ALL
#

# ju...@middlebury.edu, users, compat, ipa.middlebury.edu
dn: uid=ju...@middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu
objectClass: posixAccount
objectClass: top
cn: juser
gidNumber: 435021613
gecos: juser
uidNumber: 435021613
homeDirectory: /home/middlebury.edu/juser
uid: ju...@middlebury.edu

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
-----------------------------

But the user still cannot SSH in to the client:

-----------------------------
$ ssh -l 'MIDD\juser' yakko.ipa.middlebury.edu
MIDD\ju...@yakko.ipa.middlebury.edu's password:
Permission denied, please try again.
MIDD\ju...@yakko.ipa.middlebury.edu's password:
Permission denied, please try again.
MIDD\ju...@yakko.ipa.middlebury.edu's password:
Permission denied (publickey,gssapi-with-mic,password).
-----------------------------

The sssd debug_level is set to 10. I've attached sssd_default.log and
sssd_nss.log.

David Guertin
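Once both ldapsearches in the quoted reply succeed, the next thing to verify before digging into the SSSD logs is that the entry the GSSAPI search returns from the compat tree is a complete posixAccount whose dn is exactly the DN used for the simple bind. The Python below is an added example (not code from the thread or from FreeIPA/SSSD) that parses saved ldapsearch LDIF output and performs those checks; the realm, base DN and user in SAMPLE_LDIF are placeholders, and parse_ldif and check_compat_user are hypothetical names.

```python
# RFC 2307 posixAccount MUST attributes; a compat entry lacking any cannot back a login.
POSIX_ACCOUNT_MUST = {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"}
# Constructed sample (placeholder realm/user, not the thread's values) shaped like the ldapsearch output above; the dn line is folded.
SAMPLE_LDIF = """\
# juser@ad.example.test, users, compat, example.test
dn: uid=juser@ad.example.test,cn=users,cn=compat,dc=example,
 dc=test
objectClass: posixAccount
cn: juser
gidNumber: 435021613
uidNumber: 435021613
homeDirectory: /home/ad.example.test/juser
uid: juser@ad.example.test
"""

def parse_ldif(text):
    """Return each blank-line-separated record as attr -> [values] (comments dropped)."""
    unfolded = []
    for line in text.splitlines():  # a leading space continues the line above
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records, current = [], {}
    for line in unfolded + [""]:  # sentinel flushes the last record
        if not line.strip():
            if current:
                records.append(current)
            current = {}
        elif not line.startswith("#"):
            key, _, value = line.partition(":")
            current.setdefault(key, []).append(value.strip())
    return records

def check_compat_user(ldif_text, uid, base_dn):
    """List problems; empty means a complete posixAccount whose dn is the expected bind DN."""
    records = parse_ldif(ldif_text)
    problems = []
    matches = [r for r in records if uid in r.get("uid", [])]
    if len(matches) != 1:
        return problems + ["expected one entry for uid=%s, found %d" % (uid, len(matches))]
    entry = matches[0]
    expected_dn = "uid=%s,cn=users,cn=compat,%s" % (uid, base_dn)
    if entry["dn"][0].lower() != expected_dn.lower():
        problems.append("dn %s differs from bind DN %s" % (entry["dn"][0], expected_dn))
    missing = sorted(POSIX_ACCOUNT_MUST - set(entry))
    if missing or "posixAccount" not in entry.get("objectClass", []):
        problems.append("not a complete posixAccount; missing: " + ", ".join(missing))
    return problems
```

Feed it the LDIF saved from the first ldapsearch (for example via `ldapsearch ... > compat.ldif`) together with the uid and base DN you intend to bind with; an empty result means the bind DN in the second command is consistent with what the compat tree actually serves.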
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project