I can log in to a RHEL6/7 server as an IPA user and su to an AD user, and it works fine. I can also log in directly as an AD user.
For my RHEL5 system, I can log in as an IPA user but cannot su - or log in as an AD user.

-sh-3.2$ su - ad_user
su: user goul09 does not exist

As I mentioned before, queries to the compat part of the tree do not return any matches either.

On my RHEL6 client, I saw this, which indicates there's a different approach used:

(Tue May 12 12:10:10 2015) [sssd[be[unix.osumc.edu]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=ad_user)(objectclass=user)(sAMAccountName=*)(objectSID=* ))][dc=example,dc=com].

On 5/12/15, 5:24 PM, "Dmitri Pal" <[email protected]> wrote:

>On 05/12/2015 04:48 PM, Gould, Joshua wrote:
>>Hopefully I'm missing something simple.
>>
>>For an IPA user:
>>$ ldapsearch -x "(&(uid=ipa_user)(objectclass=posixAccount))" -b dc=ipa,dc=example,dc=com
>>
>>This returns a match.
>>
>>For an AD user:
>>$ ldapsearch -x "(&(uid=ad_user)(objectclass=posixAccount))" -b cn=compat,dc=ipa,dc=example,dc=com
>>
>>Does not return any matches.
>>
>>I verified that all my IPA servers have the compatibility plugin enabled.
>>
>># ipa-compat-manage status
>>Directory Manager password:
>>
>>Plugin Enabled
>>#
>
>
>Can you log into a server as an IPA user and then su to an AD user with
>authentication?
>If that works it means that trust is actually working. I would start
>with confirming that part.
>If we know that the trust is actually working we can move to debugging
>the compat-plugin. If it is not working we would know why nothing is
>showing up in the tree.
>Looking at SSSD trace on IPA server that corresponds to the time when
>you run the LDAP search might shed some light on what is going on.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
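As an added example (not code from the thread or from SSSD), a small Python helper that parses SSSD debug lines of the shape quoted above and reports whether the back end searched AD directly (sAMAccountName/objectSID filter) or went through the IPA compat tree (posixAccount filter under cn=compat). The first sample line is the RHEL6 line from the post; the second is a constructed compat-tree lookup for comparison.

```python
import re
from typing import Optional

# Layout of an SSSD debug-log line, as in the post:
# "(Tue May 12 12:10:10 2015) [sssd[be[DOMAIN]]] [FUNCTION] (0xLEVEL): MESSAGE"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>[^ ]+)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# "calling ldap_search_ext with [FILTER][BASE]" inside the message part
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>[^\]]*)\]\[(?P<base>[^\]]*)\]")
DOMAIN_RE = re.compile(r"be\[(?P<domain>[^\]]+)\]")


def classify_lookup(ldap_filter: str, base: str) -> str:
    """Tell whether the back end queried AD directly or the IPA compat tree."""
    if "sAMAccountName=" in ldap_filter or "objectSID=" in ldap_filter:
        return "direct-ad"
    if base.lower().startswith("cn=compat,") or "objectclass=posixAccount" in ldap_filter:
        return "compat-tree"
    return "other"


def parse_search(line: str) -> Optional[dict]:
    """Return the search details of one ldap_search_ext log line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    s = SEARCH_RE.search(m["msg"])
    if not s:
        return None
    d = DOMAIN_RE.search(m["proc"])
    return {
        "domain": d["domain"] if d else None,
        "function": m["func"],
        "filter": s["filter"],
        "base": s["base"],
        "kind": classify_lookup(s["filter"], s["base"]),
    }


def summarize(log_text: str) -> list:
    """Parse every ldap_search_ext line in a log excerpt."""
    return [r for r in (parse_search(ln) for ln in log_text.splitlines()) if r]


# Constructed sample: line 1 is the RHEL6 line from the post, line 2 is a
# made-up compat-tree lookup (not from the original post).
SAMPLE_LOG = """\
(Tue May 12 12:10:10 2015) [sssd[be[unix.osumc.edu]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=ad_user)(objectclass=user)(sAMAccountName=*)(objectSID=* ))][dc=example,dc=com]
(Tue May 12 12:11:00 2015) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=ad_user)(objectclass=posixAccount))][cn=compat,dc=ipa,dc=example,dc=com]
"""

if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG):
        print(f"{rec['domain']}: {rec['kind']} filter={rec['filter']} base={rec['base']}")
```

Run it against a copy of /var/log/sssd/sssd_<domain>.log from the client that misbehaves to see at a glance which tree each lookup went to.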
