Re: [Freeipa-users] Unable to resolve AD users from IPA client

On Mon, Oct 17, 2016 at 01:27:40PM +0200, Jan Karásek wrote:
> Hi,
> please can you help me with troubleshooting IPA clients in an IPA - AD trust
> scenario? We have two IPA servers and a couple of clients running on RHEL 6
> and 7. IPA is running on RHEL 7.2.
> AD servers are in domains example.cz, cen.example.cz. Test users sit in
> cen.example.cz. IPA is a subdomain of AD - vs.example.cz.
> Trust is set as one-way trust. Users' POSIX attributes are stored in AD.
>
> ipa idrange-find
>
> 3 ranges matched
>
> Range name: CEN.EXAMPLE.CZ
> First Posix ID of the range: 9880
> Number of IDs in the range: 20
> Domain SID of the trusted domain: S-1-5-21-527237240-1482476501-682003330
> Range type: Active Directory trust range with POSIX attributes
>
> Range name: EXAMPLE.CZ_id_range
> First Posix ID of the range: 6880
> Number of IDs in the range: 20
> Domain SID of the trusted domain: S-1-5-21-73586283-1958367476-682003330
> Range type: Active Directory trust range with POSIX attributes
>
> Range name: VS.EXAMPLE.CZ_id_range
> First Posix ID of the range: 93000
> Number of IDs in the range: 20
> First RID of the corresponding RID range: 1000
> First RID of the secondary RID range: 1
> Range type: local domain range
>
> Number of entries returned 3
>
>
> I have no problem resolving AD users from both IPA servers:
>
> IPA Server:
> root#:id tst99...@cen.example.cz
> uid=20019(tst99...@cen.example.cz) gid=5001(csunix)
> groups=5001(csunix),93008(final_test_group) - this is correct

Can you send your sssd.conf from the server? I wonder why the AD groups are
returned with a short name 'csunix' while the user is returned with the full
name (tst99...@cen.example.cz).

bye,
Sumit

>
> but from IPA client:
> root#:id tst99...@cen.example.cz
> id: tst99...@cen.example.cz: no such user
>
> ==> sssd_vs.example.cz.log <==
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=tst99654]
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [vs.example.cz] to [cen.example.cz]
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=tst99654))][cn=Default Trust View,cn=views,cn=accounts,dc=vs,dc=example,dc=cz].
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed.
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_done] (0x0040): s2n get_fqlist request failed.
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
>
> All IPA clients have the same result - No such user. On the other hand
> Kerberos works fine - I can do kinit with AD users both on IPA servers and
> clients. All IPA clients use the same DNS server as IPA servers.
>
>
> On the IPA server, I can see that it is able to find the test user in AD. The
> log is captured during the IPA client's request for id:
>
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=tst99654)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0][dc=cen,dc=example,dc=cz].
>
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]]
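The client log quoted above shows the lookup path an IPA client takes for a trusted-domain user: the request is re-routed from vs.example.cz to cen.example.cz, the client looks for an ID override in the Default Trust View, and then asks the IPA server for the user through the extdom extended operation (ipa_s2n_exop_*); the second of those calls comes back with "No such object(32)". The script below is an added example and not part of the thread or of SSSD; it only parses material that is already on this page (the `ipa idrange-find` output, the server-side `id` output and the client's sssd_vs.example.cz.log lines) so that the failing extended operation and the routed domain can be picked out of a log mechanically, and so that every uid/gid the server returned can be compared against the configured ID ranges. The thread does not say whether those ranges matter for this failure, and the script does not claim that either; it just puts the two things a practitioner would check next to each other. All identifiers in the sample data come from the thread; the function names are my own.

```python
import re

# Sample inputs copied from the thread above: `ipa idrange-find` output,
# the `id` output on the IPA server, and a subset of the client log lines.
IDRANGE_OUTPUT = """\
Range name: CEN.EXAMPLE.CZ
First Posix ID of the range: 9880
Number of IDs in the range: 20
Domain SID of the trusted domain: S-1-5-21-527237240-1482476501-682003330
Range type: Active Directory trust range with POSIX attributes

Range name: EXAMPLE.CZ_id_range
First Posix ID of the range: 6880
Number of IDs in the range: 20
Domain SID of the trusted domain: S-1-5-21-73586283-1958367476-682003330
Range type: Active Directory trust range with POSIX attributes

Range name: VS.EXAMPLE.CZ_id_range
First Posix ID of the range: 93000
Number of IDs in the range: 20
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 1
Range type: local domain range
"""

ID_OUTPUT = ("uid=20019(tst99...@cen.example.cz) gid=5001(csunix) "
             "groups=5001(csunix),93008(final_test_group)")

SSSD_LOG = """\
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=tst99654]
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [vs.example.cz] to [cen.example.cz]
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed.
"""


def parse_idranges(text):
    """Turn `ipa idrange-find` output into one dict per range with first/last POSIX ID."""
    blocks, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                blocks.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    if cur:
        blocks.append(cur)
    ranges = []
    for b in blocks:
        first = int(b["First Posix ID of the range"])
        count = int(b["Number of IDs in the range"])
        ranges.append({"name": b["Range name"], "first": first,
                       "last": first + count - 1, "type": b["Range type"]})
    return ranges


def find_range(ranges, posix_id):
    """Name of the range that covers posix_id, or None if no range does."""
    for r in ranges:
        if r["first"] <= posix_id <= r["last"]:
            return r["name"]
    return None


def ids_from_id_output(text):
    """Every numeric uid/gid in `id` output: uid=N(...) gid=N(...) groups=N(...),N(...)"""
    return sorted({int(n) for n in re.findall(r"(?:^|[=,])(\d+)\(", text)})


# One SSSD domain-log record: (timestamp) [sssd[be[domain]]] [function] (level): message
LOG_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
                    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$")


def parse_sssd_log(text):
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def request_domain(events):
    """Domain the back end re-routed the request to (from be_req_set_domain)."""
    for e in events:
        if e["func"] == "be_req_set_domain":
            m = re.search(r"to \[([^\]]+)\]", e["msg"])
            if m:
                return m.group(1)
    return None


def s2n_failures(events):
    """Messages of extdom (s2n) extended operations whose LDAP result was not Success."""
    return [e["msg"] for e in events
            if e["func"] == "ipa_s2n_exop_done" and "Success(0)" not in e["msg"]]


if __name__ == "__main__":
    ranges = parse_idranges(IDRANGE_OUTPUT)
    for pid in ids_from_id_output(ID_OUTPUT):
        print(pid, find_range(ranges, pid) or "not covered by any configured ID range")
    events = parse_sssd_log(SSSD_LOG)
    print("request routed to:", request_domain(events))
    for msg in s2n_failures(events):
        print("extdom extended operation failed:", msg)
```

Run it against the real files by replacing the three constants with the output of `ipa idrange-find` on a server, `id <user>` on the server, and the client's /var/log/sssd/sssd_<domain>.log (debug_level 6 or higher is needed for the 0x0400 lines to appear). Only `ipa_s2n_exop_done` records are treated as failures; the "No such entry" lines from sysdb_search_by_name are normal cache misses and are deliberately ignored.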
[Freeipa-users] Unable to resolve AD users from IPA client

Hi,
please can you help me with troubleshooting IPA clients in an IPA - AD trust
scenario? We have two IPA servers and a couple of clients running on RHEL 6
and 7. IPA is running on RHEL 7.2.
AD servers are in domains example.cz, cen.example.cz. Test users sit in
cen.example.cz. IPA is a subdomain of AD - vs.example.cz.
Trust is set as one-way trust. Users' POSIX attributes are stored in AD.

ipa idrange-find

3 ranges matched

Range name: CEN.EXAMPLE.CZ
First Posix ID of the range: 9880
Number of IDs in the range: 20
Domain SID of the trusted domain: S-1-5-21-527237240-1482476501-682003330
Range type: Active Directory trust range with POSIX attributes

Range name: EXAMPLE.CZ_id_range
First Posix ID of the range: 6880
Number of IDs in the range: 20
Domain SID of the trusted domain: S-1-5-21-73586283-1958367476-682003330
Range type: Active Directory trust range with POSIX attributes

Range name: VS.EXAMPLE.CZ_id_range
First Posix ID of the range: 93000
Number of IDs in the range: 20
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 1
Range type: local domain range

Number of entries returned 3


I have no problem resolving AD users from both IPA servers:

IPA Server:
root#:id tst99...@cen.example.cz
uid=20019(tst99...@cen.example.cz) gid=5001(csunix)
groups=5001(csunix),93008(final_test_group) - this is correct

but from IPA client:
root#:id tst99...@cen.example.cz
id: tst99...@cen.example.cz: no such user

==> sssd_vs.example.cz.log <==
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=tst99654]
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_req_set_domain] (0x0400): Changing request domain from [vs.example.cz] to [cen.example.cz]
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaUserOverride)(uid=tst99654))][cn=Default Trust View,cn=views,cn=accounts,dc=vs,dc=example,dc=cz].
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed.
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_get_fqlist_done] (0x0040): s2n get_fqlist request failed.
(Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)

All IPA clients have the same result - No such user. On the other hand
Kerberos works fine - I can do kinit with AD users both on IPA servers and
clients. All IPA clients use the same DNS server as IPA servers.


On the IPA server, I can see that it is able to find the test user in AD. The
log is captured during the IPA client's request for id:

(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=tst99654)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0][dc=cen,dc=example,dc=cz].

(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Mon Oct