Hi, for testing I've installed a FreeIPA server with a trust to an AD server. On IdM I can resolve AD users with 'id usern...@example.com'; on the IdM member client I cannot.

AD domain is Server 2012R2 as 'example.com'.
IdM is latest CentOS 7 with ipa-server-4.4.0-14.el7.centos.7.x86_64 as 'ipa.example.com'.
IdM member client is latest CentOS 7 with sssd-client-1.14.0-43.el7_3.18.x86_64.

Here is an example on a CentOS 7 client:

ipa-member> id usern...@example.com
id: 'usern...@example.com': no such user

Log messages, with log_level=10, show:

ipa-member> tail -f /var/log/sssd/sssd_ipa.example.com.log | grep s2n
(Fri Aug 18 11:38:08 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Fri Aug 18 11:38:08 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 13
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 14
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed.
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_get_fqlist_done] (0x0040): s2n get_fqlist request failed.

Running on IdM:

ipa-server> id usern...@example.com
uid=299801104(username) gid=299801104(username) Gruppen=299801104(username),299800513(domänen-benutzer),299801109(mitarbeiter),556800008(ad_users)

Any help is welcome.

Michael

----- /etc/sssd.conf on ipa-member -----

[domain/ipa.example.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa-server.ipa.example.com
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ipa-server.ipa.example.com
dyndns_iface = eth0
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 10

[sssd]
debug_level = 10
services = nss, sudo, pam, ssh
domains = ipa.example.com

[nss]
debug_level = 10
homedir_substring = /home

[pam]
debug_level = 10

[sudo]

[autofs]

[ssh]

[pac]
debug_level = 10

[ifp]

----- /etc/sssd.conf on ipa-server -----

[domain/ipa.example.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa-server.ipa.example.com
chpass_provider = ipa
ipa_server = ipa-server.ipa.example.com
chpass_provider = ipa
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
subdomain_homedir = /home/%u
shell_fallback = /bin/bash
debug_level = 10

[sssd]
services = nss, sudo, pam, ssh
domains = ipa.example.com

[nss]
memcache_timeout = 600
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

----- complete log messages for 'id usern...@example.com' on ipa-member -----

(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [usern...@example.com] found.
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_req_done] (0x0400): DP Request [Account #5]: Request handler finished [0]: Erfolg
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [_dp_req_recv] (0x0400): DP Request [Account #5]: Receiving request data.
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #5]: Finished. Success.
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_req_reply_std] (0x1000): DP Request [Account #5]: Returning [Success]: 0,0,Success
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1:1:U:ipa.example.com:name=usern...@example.com] from reply table
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_req_destructor] (0x0400): DP Request [Account #5]: Request removed.
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f14ec425550], connected[1], ops[(nil)], ldap[0x7f14ec409710]
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f14ec428290
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sbus_dispatch] (0x4000): Dispatching.
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][1][name=usern...@example.com]
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_attach_req] (0x0400): DP Request [Account #6]: New request. Flags [0x0001].
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 12
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sdap_op_add] (0x2000): New operation 12 timeout 6
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f14ec425550], connected[1], ops[0x7f14ec40ca10], ldap[0x7f14ec409710]
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sdap_op_destructor] (0x2000): Operation 12 finished
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_req_done] (0x0400): DP Request [Account #6]: Request handler finished [0]: Erfolg
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [_dp_req_recv] (0x0400): DP Request [Account #6]: Receiving request data.
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #6]: Finished. Success.
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_req_reply_std] (0x1000): DP Request [Account #6]: Returning [Success]: 0,0,Success
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1:1:U:webtrekk.com:name=usern...@example.com] from reply table
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_req_destructor] (0x0400): DP Request [Account #6]: Request removed.
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f14ec425550], connected[1], ops[(nil)], ldap[0x7f14ec409710]
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list

--
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
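As an added example (not code from the original post or from the SSSD project), a small Python parser for the sssd backend debug log format shown above: it pairs each s2n "ldap_extended_operation sent, msgid = N" line with the next ipa_s2n_exop_done result, so a log like the one above can be reduced to the list of extended operations that did not return Success(0). The sample log text is constructed to mirror the "grep s2n" excerpt.

```python
import re
from dataclasses import dataclass
# Constructed sample modelled on the 'grep s2n' excerpt above (not copied from the post).
SAMPLE_LOG = """\
(Fri Aug 18 11:38:08 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Fri Aug 18 11:38:08 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 13
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 14
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed.
"""
# One sssd backend log line: (timestamp) [sssd[be[domain]]] [function] (0xlevel): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
SENT_RE = re.compile(r"ldap_extended_operation sent, msgid = (\d+)")
RESULT_RE = re.compile(r"ldap_extended_operation result: (?P<text>.+?)\((?P<code>\d+)\)")

@dataclass
class ExopResult:
    msgid: int
    code: int   # LDAP result code, 0 == Success
    text: str   # LDAP result text, e.g. "No such object"

def parse_s2n_results(log_text):
    """Pair each s2n 'sent, msgid = N' line with the next ipa_s2n_exop_done result.
    The result line does not repeat the msgid, so pairing is positional, which
    matches the sequential exops of one request in the excerpt above."""
    pending, results = None, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a backend log line (blank, truncated, other format)
        func, msg = m.group("func"), m.group("msg")
        if func == "ipa_s2n_exop_send":
            sent = SENT_RE.search(msg)
            if sent:
                pending = int(sent.group(1))
        elif func == "ipa_s2n_exop_done" and pending is not None:
            r = RESULT_RE.search(msg)
            if r:
                results.append(ExopResult(pending, int(r.group("code")), r.group("text").strip()))
                pending = None
    return results

def failed_s2n_results(log_text):
    """Only the extended operations whose LDAP result was not Success(0)."""
    return [r for r in parse_s2n_results(log_text) if r.code != 0]
```

Run it over a full sssd_ipa.example.com.log to see which s2n lookups fail without scrolling through the other debug lines.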