On Fri, 03 Apr 2015, Guertin, David S. wrote:
The sequence to emulate what SSSD does would be
kinit -k host/`hostname`
ldapsearch -Y GSSAPI -H ldap://genet.ipa.middlebury.edu \
-b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub \
'([email protected])'
As a result, we have '[email protected]' inserted in the compat tree, and
can do a bind as
'[email protected],cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu'
ldapsearch -x -H ldap://genet.ipa.middlebury.edu \
-D '[email protected],cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu' \
-b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub \
'([email protected])'
This would reproduce what SSSD was supposed to do. If you get these
ldapsearches to work, we can look at what SSSD is doing.
Thanks. Yes, both of those ldapsearch commands work. I can search for the user
(I'm using a different user here):
-----------------------------
# ldapsearch -Y GSSAPI -H ldap://genet.ipa.middlebury.edu \
    -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub '([email protected])'
SASL/GSSAPI authentication started
SASL username: host/[email protected]
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=ipa,dc=middlebury,dc=edu> with scope subtree
# filter: ([email protected])
# requesting: ALL
#
# [email protected], users, compat, ipa.middlebury.edu
dn: [email protected],cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu
objectClass: posixAccount
objectClass: top
cn: juser
gidNumber: 435021613
gecos: juser
uidNumber: 435021613
homeDirectory: /home/middlebury.edu/juser
uid: [email protected]
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
-----------------------------
And I can bind as that user (after adding the -W flag to prompt for a password):
-----------------------------
# ldapsearch -x -H ldap://genet.ipa.middlebury.edu \
    -D '[email protected],cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu' \
    -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub '([email protected])' -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=compat,dc=ipa,dc=middlebury,dc=edu> with scope subtree
# filter: ([email protected])
# requesting: ALL
#
# [email protected], users, compat, ipa.middlebury.edu
dn: [email protected],cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu
objectClass: posixAccount
objectClass: top
cn: juser
gidNumber: 435021613
gecos: juser
uidNumber: 435021613
homeDirectory: /home/middlebury.edu/juser
uid: [email protected]
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
-----------------------------
But the user still cannot SSH in to the client:
-----------------------------
$ ssh -l 'MIDD\juser' yakko.ipa.middlebury.edu
MIDD\[email protected]'s password:
Permission denied, please try again.
MIDD\[email protected]'s password:
Permission denied, please try again.
MIDD\[email protected]'s password:
Permission denied (publickey,gssapi-with-mic,password).
-----------------------------
The sssd debug_level is set to 10. I've attached sssd_default.log and sssd_nss.log.
I don't see any request going to sssd.
Can you try with [email protected]? Old SSSD is incapable of seeing
MIDD\juser as being the same as [email protected].
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
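As an added example (not from the thread or the SSSD project), this small checker reproduces offline the two things the thread walks through: looking a login name up in the compat-tree LDIF that ldapsearch returns, and the DOMAIN\user to user@domain mapping that the reply says old SSSD lacks. The sample LDIF and the MIDD to middlebury.edu mapping are constructed assumptions, since the thread redacts the actual addresses.

```python
# Constructed sample, modelled on the thread's ldapsearch output (domain values assumed).
SAMPLE_LDIF = """\
dn: uid=juser@middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu
objectClass: posixAccount
cn: juser
gidNumber: 435021613
uidNumber: 435021613
homeDirectory: /home/middlebury.edu/juser
uid: juser@middlebury.edu

search: 2
result: 0 Success
"""
# Assumed mapping of the AD flat (NetBIOS) domain name to its DNS domain.
NETBIOS_TO_DNS = {"MIDD": "middlebury.edu"}
REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory")  # needed for a login to work

def parse_ldif(text):
    """Parse LDIF into a list of entries ({attr: [values]}); comments and non-dn blocks dropped."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last block
        if line.startswith("#"):
            continue
        if line.strip():
            attr, _, val = line.partition(":")
            cur.setdefault(attr.strip(), []).append(val.strip())
        elif cur:
            entries.append(cur)
            cur = {}
    return [e for e in entries if "dn" in e]

def canonical_login(name):
    """DOMAIN\\user -> user@dns-domain (what newer SSSD does); None if unmappable."""
    if "\\" in name:
        flat, user = name.split("\\", 1)
        dns = NETBIOS_TO_DNS.get(flat.upper())
        return f"{user}@{dns}".lower() if dns else None
    return name.lower()

def check_compat_entry(ldif_text, login):
    """Return (ok, detail): does the compat tree hold a usable entry for this login?"""
    canon = canonical_login(login)
    if canon is None:
        return False, f"cannot map flat domain in {login!r}"
    hits = [e for e in parse_ldif(ldif_text) if canon in map(str.lower, e.get("uid", []))]
    if not hits:
        return False, f"no compat entry for {canon}"
    missing = [a for a in REQUIRED if a not in hits[0]]
    if missing:
        return False, f"{hits[0]['dn'][0]} lacks {missing}"
    return True, hits[0]["dn"][0]
```

Feed it the LDIF saved from the GSSAPI ldapsearch and the exact name the SSH client sent; a False result with "cannot map flat domain" is the symptom the reply describes for old SSSD.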