[Freeipa-users] Re: sssd version 2.2.3 issues with AD Trust View
On Tue, Jun 15, 2021 at 02:38:23PM - iulian roman via FreeIPA-users wrote:
> I have attached some sssd log snippets with debug_level activated in sssd.conf (some lines have been truncated):
[Freeipa-users] Re: sssd version 2.2.3 issues with AD Trust View
I have attached some sssd log snippets with debug_level activated in sssd.conf (some lines have been truncated):

(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=test_u...@example.com]
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [dp_attach_req] (0x0400): DP Request [Account #1]: New request. Flags [0x0001].
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sss_domain_get_state] (0x1000): Domain ipa.example.com is Active
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sss_domain_get_state] (0x1000): Domain EXAMPLE.com is Active
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sss_domain_get_state] (0x1000): Domain ipa.example.com is Active
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sss_domain_get_state] (0x1000): Domain EXAMPLE.com is Active
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaUserOverride)(uid=test_user))].
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sdap_print_server] (0x2000): Searching 10.10.100.121:389
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=test_user))][cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=example,dc=com].
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 16
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sdap_op_add] (0x2000): New operation 16 timeout 6
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sdap_process_result] (0x2000): Trace: sh[0x55756a96b460], connected[1], ops[0x55756a964f90], ldap[0x55756a9618f0]
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sdap_parse_entry] (0x1000): OriginalDN: [ipaanchoruuid=:SID:S-1-5-21-1695049048-159329179-1862793928-25318,cn=Default Trust View,cn=views,cn=accounts,dc=ipa,dc=example,dc=com].
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaSshPubKey]
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaAnchorUUID]
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sdap_parse_range] (0x2000): No sub-attributes for [uid]
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sdap_parse_range] (0x2000): No sub-attributes for [uidNumber]
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sdap_parse_range] (0x2000): No sub-attributes for [ipaOriginalUid]
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sdap_process_result] (0x2000): Trace: sh[0x55756a96b460], connected[1], ops[0x55756a964f90], ldap[0x55756a9618f0]
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sdap_op_destructor] (0x2000): Operation 16 finished
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [ipa_get_ad_override_done] (0x4000): Found override for object with filter [(&(objectClass=ipaUserOverride)(uid=test_user))].
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [ipa_subdomain_account_got_override] (0x4000): Processing override.
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sss_domain_get_state] (0x1000): Domain ipa.example.com is Active
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sss_domain_get_state] (0x1000): Domain EXAMPLE.com is Active
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [S-1-5-21-1695049048-159329179-1862793928-25318] to IPA server
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 17
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sdap_op_add] (0x2000): New operation 17 timeout 6
(Tue
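
Added example, not part of the thread and not sssd project code: a Python helper that reads backend debug lines in the layout quoted above and summarises one override lookup, pairing each `New operation N` with its `Operation N finished` so that requests still outstanding stand out. The function name and the message patterns are assumptions taken from the wording visible in this excerpt; other sssd versions may word these messages differently.

```python
import re

# Layout of the backend debug lines quoted in this thread:
#   (timestamp) [be[domain]] [function] (0xLEVEL): message
LINE = re.compile(r"^\((?P<ts>[^)]+)\) \[be\[(?P<dom>[^\]]+)\]\] "
                  r"\[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-fA-F]{4})\): (?P<msg>.*)$")
OP_NEW = re.compile(r"New operation (\d+) timeout (\d+)")
OP_END = re.compile(r"Operation (\d+) finished")
S2N = re.compile(r"request_type: \[(\w+)\] for trust user \[([^\]]+)\]")
FILTER = re.compile(r"with filter \[(.+)\]\.?$")

def trace_lookup(lines):
    """Summarise one override lookup: filters searched and found, s2n requests,
    and LDAP operations that were queued but never logged as finished."""
    out = {"searched": [], "found": [], "s2n": [], "pending": {}, "unparsed": 0}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            out["unparsed"] += 1          # wrapped or truncated line
            continue
        func, msg = m["func"], m["msg"]
        if func == "sdap_op_add" and (op := OP_NEW.search(msg)):
            out["pending"][int(op[1])] = int(op[2])   # msgid -> timeout as logged
        elif func == "sdap_op_destructor" and (op := OP_END.search(msg)):
            out["pending"].pop(int(op[1]), None)
        elif func == "ipa_get_ad_override_connect_done" and (f := FILTER.search(msg)):
            out["searched"].append(f[1])
        elif func == "ipa_get_ad_override_done" and (f := FILTER.search(msg)):
            out["found"].append(f[1])
        elif func == "ipa_s2n_get_acct_info_send" and (r := S2N.search(msg)):
            out["s2n"].append((r[1], r[2]))
    return out

# Lines taken from the excerpt in this thread, wrapped fragments rejoined.
SAMPLE = """\
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [ipa_get_ad_override_connect_done] (0x4000): Searching for overrides in view [Default Trust View] with filter [(&(objectClass=ipaUserOverride)(uid=test_user))].
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sdap_op_add] (0x2000): New operation 16 timeout 6
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sdap_op_destructor] (0x2000): Operation 16 finished
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [ipa_get_ad_override_done] (0x4000): Found override for object with filter [(&(objectClass=ipaUserOverride)(uid=test_user))].
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [S-1-5-21-1695049048-159329179-1862793928-25318] to IPA server
(Tue Jun 15 16:09:02 2021) [be[ipa.example.com]] [sdap_op_add] (0x2000): New operation 17 timeout 6
(Tue
""".splitlines()

if __name__ == "__main__":
    for key, value in trace_lookup(SAMPLE).items():
        print(f"{key}: {value}")
```

On the lines embedded here the override search completes and operation 17, the extended operation for the trust user's SID, is still pending where the excerpt stops.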
[Freeipa-users] Re: sssd version 2.2.3 issues with AD Trust View
Hi Sumit,

I do not override the primary gid (because I had this issue before and per your advice I removed the gid override), only the UID. The same setup works with the older sssd version, as I mentioned, and that's why I thought that something might have changed in sssd.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Freeipa-users] Re: sssd version 2.2.3 issues with AD Trust View
On Mon, Jun 14, 2021 at 11:50:44AM - iulian roman via FreeIPA-users wrote:
> Hello everybody,
>
> I have an IPA setup with AD trust configured and Trust View defined on the IPA server. Everything works properly on Ubuntu 18 clients with sssd 1.16.1 but it doesn't on Ubuntu 20 with sssd version 2.2.3. I can list/query the AD accounts which are not part of the default Trust View, but not those accounts which have the id overridden in the Trust View.
>
> Is that a known issue, or any idea what do I need to change/where to look?

Hi,

which attributes are you overriding? If you change the primary GID of a user you have to make sure that there is a group in AD with a matching GID or a group where the GID is overridden with this value.

HTH

bye,
Sumit