Thanks for the instructions. In nsswitch.conf I switched back from ldap to sss 
and restarted sssd. No nscd is started. In sssd.conf, I added debug_level=4 in each 
section. I ran "getent passwd yli28". Still no output. 

Here are the error messages from the sssd log files.
/var/log/sssd/sssd_default.log

(Thu Apr 30 10:17:56 2015) [sssd[be[default]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=yli28]
(Thu Apr 30 10:17:56 2015) [sssd[be[default]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Thu Apr 30 10:17:56 2015) [sssd[be[default]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4]
(Thu Apr 30 10:17:56 2015) [sssd[be[default]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Thu Apr 30 10:17:56 2015) [sssd[be[default]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'usmkemsi107.ra-int.com' as 'working'
(Thu Apr 30 10:17:56 2015) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'usmkemsi107.ra-int.com' as 'working'
(Thu Apr 30 10:17:56 2015) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Operations error(1), 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
(Thu Apr 30 10:17:56 2015) [sssd[be[default]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
(Thu Apr 30 10:17:56 2015) [sssd[be[default]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Thu Apr 30 10:17:56 2015) [sssd[be[default]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Thu Apr 30 10:17:56 2015) [sssd[be[default]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4]
(Thu Apr 30 10:17:56 2015) [sssd[be[default]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Thu Apr 30 10:17:56 2015) [sssd[be[default]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'usmkemsi107.ra-int.com' as 'working'
(Thu Apr 30 10:17:56 2015) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'usmkemsi107.ra-int.com' as 'working'
(Thu Apr 30 10:17:56 2015) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Operations error(1), 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
(Thu Apr 30 10:17:56 2015) [sssd[be[default]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
(Thu Apr 30 10:17:56 2015) [sssd[be[default]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Thu Apr 30 10:17:56 2015) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,5,User lookup failed

/var/log/sssd/sssd_nss.log

(Thu Apr 30 10:17:56 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [yli28] from [<ALL>]
(Thu Apr 30 10:17:56 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [yli28@default]
(Thu Apr 30 10:17:56 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 3, 5, User lookup failed
Will try to return what we have in cache

It looks like binddn and bindpw should be set. It seems that the IT LDAP server 
requests binddn and bindpw for the getent operation. In my local test env, the ldap 
server did request binddn and bindpw from the ldap client getent operation. It 
works.
But Howard Chu said that in OpenLDAP the ldap.conf file cannot set binddn and bindpw. 
With ldapsearch I can use -D and -w to set binddn and bindpw. What else can I do to 
make getent work?

Thanks,
Yingbo
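
As an added example, not code from this thread: a small Python triage helper that parses the sssd log line format shown above and maps the AD result "Operations error(1), 000004DC ... a successful bind must be completed" to its likely cause. It assumes one entry per line (the real log files are not wrapped the way the mail is) and that the bind DN and password Yingbo refers to are the sssd-ldap(5) options ldap_default_bind_dn and ldap_default_authtok.

```python
import re

# sssd log entry layout: (timestamp) [component] [function] (level): message
# The component field nests brackets, e.g. [sssd[be[default]]], so it is matched
# non-greedily up to the "] [" that precedes the function name.
ENTRY_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<component>.*?)\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# Constructed sample: the key entries from the thread, one entry per line.
SAMPLE_LOG = """\
(Thu Apr 30 10:17:56 2015) [sssd[be[default]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=yli28]
(Thu Apr 30 10:17:56 2015) [sssd[be[default]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'usmkemsi107.ra-int.com' as 'working'
(Thu Apr 30 10:17:56 2015) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Operations error(1), 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
(Thu Apr 30 10:17:56 2015) [sssd[be[default]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
"""


def parse_entries(text):
    """Yield one dict per well-formed log entry; lines that do not match are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield m.groupdict()


def diagnose(text):
    """Return (function, finding) pairs explaining what the backend log shows.

    A 'working' port status followed by operationsError means the TCP path is fine
    and the server rejected the search itself; the 000004DC comment is AD's way of
    saying anonymous (unbound) searches are not allowed. The remedy on the client
    is a service account in sssd.conf (ldap_default_bind_dn / ldap_default_authtok);
    that file then holds a secret, so it must stay root-owned and mode 0600.
    """
    findings = []
    for e in parse_entries(text):
        func, msg = e["func"], e["msg"]
        if func == "fo_set_port_status" and "'working'" in msg:
            findings.append((func, "TCP connect succeeded: network path is fine"))
        elif func == "sdap_get_generic_ext_done" and "Operations error(1)" in msg:
            if "successful bind must be completed" in msg:
                findings.append((func, "server refuses unauthenticated search: "
                                       "set ldap_default_bind_dn and ldap_default_authtok"))
            else:
                findings.append((func, "LDAP operationsError: check the server-side log"))
        elif func == "sdap_get_users_done" and "Failed to retrieve users" in msg:
            findings.append((func, "user lookup aborted after the failed search"))
    return findings
```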

-----Original Message-----
From: Andrew Findlay [mailto:[email protected]] 
Sent: Thursday, April 30, 2015 6:56 AM
To: Yingbo Li
Cc: [email protected]
Subject: Re: getent passwd only catch local user passwd

On Thu, Apr 30, 2015 at 01:06:54AM +0000, Yingbo Li wrote:

> If you find anything wrong, please let me know. I can only configure the 
> client side, the LDAP server controlled by IT.

You need to find out what each component in the stack is doing.
If you have access to the LDAP server logs, try looking there to see what 
operations are performed. If not, consider setting up your own LDAP server so 
that you can run it at a high log-level.

Another way to check LDAP operations is to use tcpdump and/or wireshark to 
capture and analyse network traffic. You will need to disable TLS for that to 
be useful.

There is a fair amount of advice about debugging SSSD issues on the web,
e.g.:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html
https://fedoraproject.org/wiki/How_to_debug_SSSD_problems

I would advise turning OFF nscd. It is not helpful when sssd is in use, and can 
cause great confusion and problems of its own.

Andrew
--
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
