Hi, I set up an IPA realm (under rhel7) with a trust relationship to a Windows domain. All users in AD have an idoverride to override uid and gid. Originally, everything was working as expected: servers could resolve IPA and external (trusted) users, I could create kerberos tickets, log in via ssh... Same for IPA clients. But recently (two weeks ago?), I tried logging in to an IPA client using an external user and got denied... Debugging, I saw that id and getent weren't returning any external users, but could return IPA users. Digging a bit more: the ipa servers themselves could resolve both IPA and external users like before. I tried fumbling around in the sssd, but to no avail... I bumped the debug level of the sssd to 9 on the client and the server and this is what I can observe:

0) configure sssd on the client to only point to a single IPA server (easier to debug); on that specific IPA server, only point to a single AD server; clear cache and logs; restart sssd on server and client

1) on the client, issue 'id myuser' (no domain name, I configured use_fully_qualified_names to False for the domain) -> user unknown

2) client logs:

[sssd[be[ipa.domain]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=myuser@ipa.domain]

-> it then saw it's an external user:

[sssd[be[ipa.domain]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=myuser@ad.domain]

-> so it sent the request to IPA:

[sssd[be[ipa.domain]]] [ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [myuser@ad.domain] to IPA server

Spoiler alert: it fails with:

[sssd[be[ipa.domain]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [myuser@ad.domain] found.

On the server side, I receive the request:

[sssd[be[ipa.domain]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=myuser@ad.domain]

It resolves the user, fetches all its groups in Windows and seems to process everything correctly (sid resolve...) but I can't find what the return/status of the request is. Seems like this:

(Thu Oct 10 11:27:32 2019) [sssd[be[ipa.domain]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Thu Oct 10 11:27:32 2019) [sssd[be[ipa.domain]]] [get_ldap_conn_from_sdom_pvt] (0x4000): Returning LDAP connection for user lookup.
(Thu Oct 10 11:27:32 2019) [sssd[be[ipa.domain]]] [sdap_id_op_connect_step] (0x4000): beginning to connect
(Thu Oct 10 11:27:32 2019) [sssd[be[ipa.domain]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'sd_ad.domain.root'
(Thu Oct 10 11:27:32 2019) [sssd[be[ipa.domain]]] [get_server_status] (0x1000): Status of server 'a08238.ad.domain.root' is 'name resolved'
(Thu Oct 10 11:27:32 2019) [sssd[be[ipa.domain]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Thu Oct 10 11:27:32 2019) [sssd[be[ipa.domain]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Thu Oct 10 11:27:32 2019) [sssd[be[ipa.domain]]] [get_server_status] (0x1000): Status of server 'a08238.ad.domain.root' is 'name resolved'
(Thu Oct 10 11:27:32 2019) [sssd[be[ipa.domain]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Thu Oct 10 11:27:32 2019) [sssd[be[ipa.domain]]] [be_resolve_server_process] (0x0200): Found address for server a08238.ad.domain.root: [10.121.129.9] TTL 1236
(Thu Oct 10 11:27:32 2019) [sssd[be[ipa.domain]]] [sssd_async_socket_init_send] (0x4000): Using file descriptor [29] for the connection.
(Thu Oct 10 11:27:32 2019) [sssd[be[ipa.domain]]] [sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Thu Oct 10 11:27:32 2019) [sssd[be[ipa.domain]]] [sdap_process_result] (0x2000): Trace: sh[0x558da736b2f0], connected[1], ops[(nil)], ldap[0x558da7367cb0]
(Thu Oct 10 11:27:32 2019) [sssd[be[ipa.domain]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list

Could you please help me with this? Thanks in advance!
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
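An added example, not from the original post or from the SSSD project, for following a trust-user lookup through backend debug output of the kind quoted above: it parses the "(timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message" line format (timestamp optional, as in the client lines) and records the names the data provider saw, the extdom request type sent to the IPA server, and any UPN miss reported by sysdb_search_user_by_upn. The LookupTrace / trace_lookup names are mine, and the sample lines are constructed after the quoted client log.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
# One sssd debug line; the leading "(timestamp)" is optional, as in the quoted client lines:
# (Thu Oct 10 11:27:32 2019) [sssd[be[ipa.domain]]] [function] (0x0400): message
LINE_RE = re.compile(
    r"^(?:\((?P<ts>[^)]+)\)\s*)?\[sssd\[(?P<comp>.*?)\]\]\s*"
    r"\[(?P<func>\w+)\]\s*\((?P<level>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)$"
)
REQ_RE = re.compile(r"Got request for \[0x[0-9a-f]+\]\[(?P<type>\w+)\]\[name=(?P<name>[^\]]+)\]")
S2N_RE = re.compile(r"Sending request_type: \[(?P<rtype>\w+)\] for trust user \[(?P<name>[^\]]+)\]")
UPN_RE = re.compile(r"No entry with upn \[(?P<name>[^\]]+)\] found")

@dataclass
class LookupTrace:
    requested: List[str] = field(default_factory=list)  # names dp_get_account_info_handler saw
    s2n_request: Optional[str] = None    # extdom request type sent to the IPA server
    upn_not_found: Optional[str] = None  # UPN that sysdb_search_user_by_upn reported missing
    unparsed: int = 0                    # non-empty lines not in the sssd log format

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def trace_lookup(log_text):
    """Follow one user lookup through the backend log and record where it ended."""
    trace = LookupTrace()
    for raw in filter(str.strip, log_text.splitlines()):
        rec = parse_line(raw)
        if rec is None:
            trace.unparsed += 1
            continue
        func, msg = rec["func"], rec["msg"]
        if func == "dp_get_account_info_handler" and (m := REQ_RE.search(msg)):
            trace.requested.append(m.group("name"))
        elif func == "ipa_s2n_get_acct_info_send" and (m := S2N_RE.search(msg)):
            trace.s2n_request = m.group("rtype")
        elif func == "sysdb_search_user_by_upn" and (m := UPN_RE.search(msg)):
            trace.upn_not_found = m.group("name")
    return trace

# Constructed sample, modelled on the client-side lines quoted in the post.
SAMPLE_CLIENT_LOG = """\
[sssd[be[ipa.domain]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=myuser@ipa.domain]
[sssd[be[ipa.domain]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=myuser@ad.domain]
[sssd[be[ipa.domain]]] [ipa_s2n_get_acct_info_send] (0x0400): Sending request_type: [REQ_FULL_WITH_MEMBERS] for trust user [myuser@ad.domain] to IPA server
[sssd[be[ipa.domain]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [myuser@ad.domain] found.
"""
```

Run trace_lookup over the whole sssd_<domain>.log from the client and then the server to see where the two traces diverge: on the client the s2n request is sent and the UPN lookup comes back empty, so the server-side trace should show the matching request and whatever follows the LDAP connection setup.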