Hello, I have a trust established between Windows Active Directory and IPA. From the IPA server I can get details about AD users but not from a server configured as an IPA client.
[root@ipa_server ~]# getent passwd ad_user@ad_domain
ad_user@ad_domain:*:1869402973:1869402973:ADUser Name:/home/ad_domain/ad_user:

Trying to access details about AD users from a server configured as an IPA client, no results.

[root@ipa_client server ~]# getent passwd ad_user@ad_domain
[root@ipa_client server ~]#

I've enabled debugging of sssd. I believe this is the relevant information from /var/log/sssd/sssd_<ipa_domain>.log

(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [getAccountInfo]
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=ad_user]
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [be_req_set_domain] (0x0400): Changing request domain from [ipa_domain] to [ad_domain]
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaUserOverride)(uid=ad_user))].
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [sdap_print_server] (0x2000): Searching <IP of IPA server>
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=ad_user))][cn=Default Trust View,cn=views,cn=accounts,dc=sub_domain,dc=domain].
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 9
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result] (0x2000): Trace: sh[0xa88e70], connected[1], ops[0xa957b0], ldap[0xa8a650]
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaUserOverride)(uid=ad_user))].
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 10
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result] (0x2000): Trace: sh[0xa88e70], connected[1], ops[0xa9d0c0], ldap[0xa8a650]
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result] (0x2000): Trace: sh[0xa88e70], connected[1], ops[0xa9d0c0], ldap[0xa8a650]
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result] (0x2000): Trace: sh[0xa88e70], connected[1], ops[(nil)], ldap[0xa8a650]
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!

I see two issues, "ldap_extended_operation result: No such object(32), (null)" and "ldap_result found nothing!"

Using ldapsearch to execute the query from the ipa_server or the ipa_client_server produces no results:

[root@ipa_client_server sssd]# ldapsearch -Y GSSAPI "(&(objectClass=ipaUserOverride)(uid=ad_user))"
SASL/GSSAPI authentication started
SASL username: admin@<ipa_domain>
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=sub_domain,dc=domain> (default) with scope subtree
# filter: (&(objectClass=ipaUserOverride)(uid=ad_user))
# requesting: ALL
#

# search result
search: 4
result: 0 Success

# numResponses: 1

Any help would be greatly appreciated.

Cameron
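
Added example (not part of the original message, and not SSSD project code): a small triage script for a debug log like the one above. It keeps only entries logged at the failure levels listed in sssd.conf(5) and tags each with the lookup request that was in flight, which separates failure-level entries from trace-level ones. The function and constant names are hypothetical; the sample lines are copied from the log in the post.

```python
import re

# SSSD debug-level bits that mark failures, per sssd.conf(5); everything
# above 0x0080 is configuration or trace output.
FAILURE_BITS = {0x0010: "fatal", 0x0020: "critical",
                0x0040: "serious", 0x0080: "minor"}

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>\S+)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
REQUEST_RE = re.compile(r"Got request for (\[.*\])")

# Sample input: lines copied from the log in the post above.
SAMPLE = """\
(Mon Jan 25 09:37:39 2016) [sssd[be[ipa_domain]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=ad_user]
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Mon Jan 25 09:37:40 2016) [sssd[be[ipa_domain]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
"""

def parse_line(line):
    """Split one SSSD debug line into its fields, or return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)
    return rec

def failures(text):
    """Return failure-level records, each tagged with the request in flight."""
    current, out = None, []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # wrapped or non-SSSD line
        req = REQUEST_RE.search(rec["msg"])
        if req:
            current = req.group(1)  # remember the most recent lookup request
        if rec["level"] in FAILURE_BITS:
            out.append((current, FAILURE_BITS[rec["level"]], rec["func"], rec["msg"]))
    return out

if __name__ == "__main__":
    for req, sev, func, msg in failures(SAMPLE):
        print(f"{sev:8} {func:24} request={req} :: {msg}")
```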