On Fri, 03 Apr 2015, Guertin, David S. wrote:
The sequence to emulate what SSSD does would be

kinit -k host/`hostname`
ldapsearch -Y GSSAPI -H ldap://genet.ipa.middlebury.edu \
          -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub \
          '(uid=ad...@middlebury.edu)'

As a result, we have 'ad...@middlebury.edu' inserted in the compat tree, and
can do a bind as
'uid=ad...@middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu'

ldapsearch -x -H ldap://genet.ipa.middlebury.edu \
          -D 'uid=ad...@middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu' \
          -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub \
          '(uid=ad...@middlebury.edu)'

This would reproduce what SSSD was supposed to do. If you get these
ldapsearches to work, we can look at what SSSD is doing.

Thanks. Yes, both of those ldapsearch commands work. I can search for the user 
(I'm using a different user here):

-----------------------------
# ldapsearch -Y GSSAPI -H ldap://genet.ipa.middlebury.edu -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub '(uid=ju...@middlebury.edu)'
SASL/GSSAPI authentication started
SASL username: host/yakko.ipa.middlebury....@ipa.middlebury.edu
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=ipa,dc=middlebury,dc=edu> with scope subtree
# filter: (uid=ju...@middlebury.edu)
# requesting: ALL
#

# ju...@middlebury.edu, users, compat, ipa.middlebury.edu
dn: uid=ju...@middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu
objectClass: posixAccount
objectClass: top
cn: juser
gidNumber: 435021613
gecos: juser
uidNumber: 435021613
homeDirectory: /home/middlebury.edu/juser
uid: ju...@middlebury.edu

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
-----------------------------

And I can bind as that user (after adding the -W flag to prompt for a password):

-----------------------------
# ldapsearch -x -H ldap://genet.ipa.middlebury.edu -D 'uid=ju...@middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu' -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub '(uid=ju...@middlebury.edu)' -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=ipa,dc=middlebury,dc=edu> with scope subtree
# filter: (uid=ju...@middlebury.edu)
# requesting: ALL
#

# ju...@middlebury.edu, users, compat, ipa.middlebury.edu
dn: uid=ju...@middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu
objectClass: posixAccount
objectClass: top
cn: juser
gidNumber: 435021613
gecos: juser
uidNumber: 435021613
homeDirectory: /home/middlebury.edu/juser
uid: ju...@middlebury.edu

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
-----------------------------

But the user still cannot SSH into the client:

-----------------------------
$ ssh -l 'MIDD\juser' yakko.ipa.middlebury.edu
MIDD\ju...@yakko.ipa.middlebury.edu's password:
Permission denied, please try again.
MIDD\ju...@yakko.ipa.middlebury.edu's password:
Permission denied, please try again.
MIDD\ju...@yakko.ipa.middlebury.edu's password:
Permission denied (publickey,gssapi-with-mic,password).
-----------------------------

The sssd debug_level is set to 10. I've attached sssd_default.log and
sssd_nss.log.

I don't see any request going to sssd.
Can you try with ju...@middlebury.edu? Old SSSD is incapable of seeing
MIDD\juser as the same as ju...@middlebury.edu.



--
/ Alexander Bokovoy
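The kinit / GSSAPI search / simple bind sequence from the thread, wrapped as an added diagnostic script that reports which stage fails; this is not code from the thread, from SSSD or from FreeIPA. It assumes the compat-tree layout shown above and takes the LDAP server, IPA base DN, user name and a password file (for the simple bind) as arguments.

```shell
#!/bin/sh
# Reproduce the SSSD lookup-then-bind sequence stage by stage and report
# which stage fails. Added example; not from the thread, SSSD or FreeIPA.
# Usage: ./compat_check.sh <ldap-server> <base-dn> <user@domain> <password-file>
# ldapsearch -y uses the complete file contents as the password, so the
# file must not end with a newline.

# Build the compat-tree DN for a user, mirroring the layout in the thread.
compat_user_dn() {
    printf 'uid=%s,cn=users,cn=compat,%s\n' "$1" "$2"
}

# Stage 1: obtain a host credential from the keytab, as SSSD does.
stage_kinit() {
    kinit -k "host/$(hostname)"
}

# Stage 2: GSSAPI-authenticated search for the user in the compat tree.
# Prints the entry's DN on success, nothing if the entry is absent.
stage_gssapi_search() {
    ldapsearch -LLL -Y GSSAPI -H "ldap://$1" -b "cn=compat,$2" -s sub \
        "(uid=$3)" dn 2>/dev/null | sed -n 's/^dn: //p'
}

# Stage 3: simple bind as the user's compat DN with the user's password.
stage_simple_bind() {
    ldapsearch -LLL -x -H "ldap://$1" -D "$2" -y "$3" \
        -b "cn=compat,$4" -s sub "(uid=$5)" dn >/dev/null 2>&1
}

run_checks() {
    server=$1; base=$2; user=$3; passfile=$4
    stage_kinit || { echo "FAIL: kinit with host keytab"; return 1; }
    echo "OK:   host/$(hostname) ticket acquired"
    dn=$(stage_gssapi_search "$server" "$base" "$user")
    [ -n "$dn" ] || { echo "FAIL: $user not found in compat tree via GSSAPI"; return 2; }
    echo "OK:   compat entry $dn"
    expected=$(compat_user_dn "$user" "$base")
    [ "$dn" = "$expected" ] || echo "WARN: DN differs from expected $expected"
    stage_simple_bind "$server" "$dn" "$passfile" "$base" "$user" \
        || { echo "FAIL: simple bind as $dn"; return 3; }
    echo "OK:   simple bind as $dn succeeded"
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ $# -eq 4 ]; then
    run_checks "$@"
fi
```

A failure at stage 2 means the compat entry is not being populated, while a failure at stage 3 means the entry exists but the password bind is rejected; that split is what the thread's two ldapsearch commands are meant to separate.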
