I can login to a RHEL6/7 server as an IPA user and SU to an AD user and it
works fine. I can also login directly as an AD user as well.

For my RHEL5 system, I can login as a IPA user but can not su - or login
as a AD user. 

-sh-3.2$ su - ad_user
su: user goul09 does not exist


As I mentioned before, queries to the compat part of the tree do not
return any matches either.

On my RHEL6 client, I saw this, which indicates there’s a different
approach used.

(Tue May 12 12:10:10 2015) [sssd[be[unix.osumc.edu]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(sAMAccountName=ad_user)(objectclass=user)(sAMAccountName=*)(objectSID=*
))][dc=example,dc=com].


On 5/12/15, 5:24 PM, "Dmitri Pal" <d...@redhat.com> wrote:

>On 05/12/2015 04:48 PM, Gould, Joshua wrote:
>>Hopefully I¹m missing something simple.
>>
>>For an IPA user:
>>$ ldapsearch -x ³(&(uid=ipa_user)(objectclass=posixAccount))² -b
>>dc=ipa,dc=example,dc=com
>>
>>This returns a match.
>>
>>For an AD user:
>>$ ldapsearch -x ³(&(uid=ad_user)(objectclass=posixAccount))² -b
>>cn=compat,dc=ipa,dc=example,dc=com
>>
>>Does not return any matches.
>>
>>I verified that all my IPA servers have the compatibility plugin enabled.
>>
>># ipa-compat-manage status
>>Directory Manager password:
>>
>>Plugin Enabled
>>#
>
>
>Can you log into a server as an IPA user and then su to an AD user with
>authentication?
>If that works it means that trust is actually working. I would start
>with confirming that part.
>If we know that the trust is actually working we can move to debugging
>the compat-plugin. If it is not working we would know why nothing is
>showing up in the tree.
>Looking at SSSD trace on IPA server that corresponds to the time when
>you run the LDAP search might shed some light on what is going on.


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to