Re: [Freeipa-users] Unable to resolve AD users from IPA clients

2017-01-05 Thread Jakub Hrozek
On Wed, Jan 04, 2017 at 04:19:04PM +0100, Jan Karásek wrote:
> Hi, 
> thank you for help. 
> 
> I have tried to add 
> 
> subdomain_inherit = ignore_group_members 
> ignore_group_members = True 
> 
> into sssd.conf on server but problem still persists. 
> 
> >By the way, did you install 7.3 cleanly or did you upgrade? 
> It has been upgraded. 
> 
> >Did you ever remove the cache post-upgrade on the server? 
> Yes I did it couple of times both on server and client 
> 
> I found out that when the client returns a value from id, it differs from the id output on 
> the server: 

I'm sorry but I would need to see the whole logs to give a qualified
answer, really. Could you please remove or invalidate the caches on the
server and the client, then run:
date; id tst99...@example.com; date
and then attach or send directly to me the logs from both the server and
the client so I can match the logs with the date timestamps?

Feel free to obfuscate the domain, user and group names in the logs.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
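Jakub asks for the `date; id ...; date` stamps so the server and client logs can be lined up. The following script, added here as an illustration and not part of the thread, shows one way to do that offline: it parses sssd back-end log lines of the shape seen in this thread, keeps only the lines between the two `date` stamps, and flags the ones logged at the failure levels (0x0010 fatal, 0x0020 critical, 0x0040 serious failure). The log lines and date stamps below are constructed for the example, not captured from the poster's systems.

```python
import re
from datetime import datetime

# Constructed sample input (not real captured output): the two `date` stamps that
# bracket the `id` call, and a few sssd back-end log lines in the thread's format.
DATE_BEFORE = "Tue Jan  3 16:19:04 CET 2017"
DATE_AFTER = "Tue Jan  3 16:19:06 CET 2017"

SAMPLE_LOG = """\
(Tue Jan  3 16:18:40 2017) [sssd[be[vs.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=olduser]
(Tue Jan  3 16:19:04 2017) [sssd[be[vs.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=tst99655]
(Tue Jan  3 16:19:04 2017) [sssd[be[vs.example.com]]] [be_req_set_domain] (0x0400): Changing request domain from [vs.example.com] to [cen.example.com]
(Tue Jan  3 16:19:05 2017) [sssd[be[vs.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(Tue Jan  3 16:19:05 2017) [sssd[be[vs.example.com]]] [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed.
(Tue Jan  3 16:19:06 2017) [sssd[be[vs.example.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
(Tue Jan  3 16:19:30 2017) [sssd[be[vs.example.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=another]
"""

# "(timestamp) [sssd[service]] [function] (0xLEVEL): message"
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<svc>[^ ]+)\]\] "
    r"\[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# sssd debug level bits that mean something went wrong (fatal, critical, serious failure)
FAILURE_MASK = 0x0010 | 0x0020 | 0x0040


def parse_date_stamp(text):
    """Parse either `date` output (which carries a timezone token) or the
    bracketed sssd timestamp (which does not). Both are local time, so the
    timezone name is simply dropped instead of being interpreted."""
    tokens = text.strip("() ").split()
    if len(tokens) == 6:          # 'Tue Jan  3 16:19:04 CET 2017'
        del tokens[4]
    return datetime.strptime(" ".join(tokens), "%a %b %d %H:%M:%S %Y")


def parse_line(line):
    """Return a dict for a recognised sssd log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = parse_date_stamp(rec["ts"])
    rec["lvl"] = int(rec["lvl"], 16)
    return rec


def select_window(log_text, date_before, date_after):
    """Keep only the lines stamped between the two `date` outputs (inclusive)."""
    start, end = parse_date_stamp(date_before), parse_date_stamp(date_after)
    records = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and start <= rec["ts"] <= end:
            records.append(rec)
    return records


def failures(records):
    """Lines logged at a failure level; these are the ones to read first."""
    return [r for r in records if r["lvl"] & FAILURE_MASK]


if __name__ == "__main__":
    window = select_window(SAMPLE_LOG, DATE_BEFORE, DATE_AFTER)
    print(f"{len(window)} log lines inside the id call window")
    for r in failures(window):
        print(f"{r['ts']:%H:%M:%S} {r['func']}: {r['msg']}")
```

Run the same script once against the server's back-end log and once against the client's, with the same pair of `date` stamps, and the failure lines from both sides line up on the second.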


Re: [Freeipa-users] Unable to resolve AD users from IPA clients

2017-01-03 Thread Jakub Hrozek
On Tue, Jan 03, 2017 at 03:39:19PM +0100, Jan Karásek wrote:
> Hi, 
> 
> I have trouble with resolving AD users from my IPA clients. 
> 
> Environment: 2x IPA server with trust into AD - both IPA servers and clients 
> running latest rhel 7.3. 
> 
> IPA domain: vs.example.com 
> AD domain: example.com, cen.example.com 
> 
> All tstx users are in cen.example.com but their UPN is set to 
> tstxx...@example.com 
> 
> I can run id and getent passwd commands without problem from both IPA 
> servers: 
> 
> id tst99...@example.com 
> uid=20018(tst99...@cen.example.com) gid=5001(csunix) 
> groups=5001(csunix),93008(final_test_group) 
> 
> getent tst99...@example.com 
> tst99...@cen.example.com:*:20018:5001:ipa_test:/home/cen.example.com/tst99655:/bin/bash
> 
> But from client: 
> 
> root@trh7clnt02:~# id tst99...@example.com 
> id: tst99...@example.com: no such user 
> root@trh7clnt02:~#getent passwd tst99...@example.com 
> ... no reply 
> 
> 
> But when I run on client: 
> getent group csu...@cen.example.com - it takes more than 30s 
> csu...@cen.example.com:*:5001:  and really long list of users 
> 
> Then again from client: 
> 
> root@trh7clnt02:~# id tst99...@example.com 
> uid=20018(tst99...@cen.example.com) gid=5001(csunix) groups=5001(csunix) 
> 
> root@trh7clnt02:~# getent passwd tst99...@example.com 
> tst99...@cen.example.com:*:20018:5001:ipatest:/home/cen.example.com/tst99655:/bin/bash
> 
> This time it works and it keeps working until I clean the sssd cache on 
> client. Then I have to run that getent group csunix command again. 
> 
> I would say it is some timeout issue with enumerating csunix group. I have 
> tried to fix it by adding: 
> 
> ldap_search_timeout = 50 

I don't think this would be related to the searches timing out but
probably parsing and storing the entries on the server and the client.

Could you try adding this on the server side's sssd.conf?

[domain/domname]
subdomain_inherit = ignore_group_members
ignore_group_members = True

By the way, did you install 7.3 cleanly or did you upgrade? And if you
upgraded, did you ever remove the cache post-upgrade on the server?

There have been some improvements related to performance in 7.3 and even
more are coming in 7.4.

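As an added illustration (not code from the thread or from SSSD), here is a small check of the setting Jakub suggests: it reads an sssd.conf, reports for each `[domain/...]` section whether `ignore_group_members` is on and whether `subdomain_inherit` carries it to the trusted AD subdomains (which is what matters in IPA server mode), and writes out the amended configuration. The sssd.conf text below is a constructed fragment modelled on the one quoted in the thread; the function names are the example's own.

```python
import configparser
import io

# Constructed sssd.conf fragment (example input, not the poster's file), before
# the recommended settings are applied.
BEFORE = """\
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = vs.example.com

[domain/vs.example.com]
id_provider = ipa
ipa_server_mode = True
ldap_search_timeout = 50
"""


def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # sssd option names are case-sensitive; keep them as written
    cp.read_string(text)
    return cp


def domain_sections(cp):
    return [s for s in cp.sections() if s.startswith("domain/")]


def _truthy(value):
    return value.strip().lower() in ("true", "1", "yes")


def _csv(value):
    """subdomain_inherit is a comma-separated list of option names."""
    return [x.strip() for x in value.split(",") if x.strip()]


def check_group_members(cp, section):
    """Return (ignore_group_members enabled, inherited by trusted subdomains)."""
    ignore = _truthy(cp.get(section, "ignore_group_members", fallback="False"))
    inherited = "ignore_group_members" in _csv(
        cp.get(section, "subdomain_inherit", fallback=""))
    return ignore, inherited


def apply_recommendation(cp, section):
    """Set ignore_group_members and make sure subdomain_inherit lists it;
    return the amended configuration as text."""
    cp.set(section, "ignore_group_members", "True")
    inherit = _csv(cp.get(section, "subdomain_inherit", fallback=""))
    if "ignore_group_members" not in inherit:
        inherit.append("ignore_group_members")
    cp.set(section, "subdomain_inherit", ", ".join(inherit))
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    cp = load(BEFORE)
    for sec in domain_sections(cp):
        print(sec, "ignore_group_members/inherited:", check_group_members(cp, sec))
        print(apply_recommendation(cp, sec))
```

The trade-off to keep in mind: with `ignore_group_members` on, group lookups such as `getent group` no longer return the member list, while user lookups (`id`) still report the user's groups, which is exactly the expensive part of the `csunix` lookup that this setting avoids.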


Re: [Freeipa-users] Unable to resolve AD users from IPA

2016-10-19 Thread Jan Karásek
Ok thank you. Wonder why it's a problem only on clients - IPA servers are quite 
ok with that. 

Jan 



-- 

Message: 1 
Date: Wed, 19 Oct 2016 12:28:31 +0200 
From: Sumit Bose  
To: freeipa-users@redhat.com 
Subject: Re: [Freeipa-users] Unable to resolve AD users from IPA 
Message-ID: 
<20161019102831.GC9339@p.Speedport_W_724V_Typ_A_05011603_00_009> 
Content-Type: text/plain; charset=iso-8859-1 

On Wed, Oct 19, 2016 at 12:08:01PM +0200, Jan Karásek wrote: 
> Hi, 
> 
> thank you for help. 
> 
> This is my sssd.conf from server : 
> 
> [domain/vs.example.cz] 
> debug_level = 7 
> cache_credentials = True 
> krb5_store_password_if_offline = True 
> ipa_domain = vs.example.cz 
> id_provider = ipa 
> auth_provider = ipa 
> access_provider = ipa 
> ipa_hostname = tidmipa02.vs.example.cz 
> chpass_provider = ipa 
> ipa_server = tidmipa02.vs.example.cz 
> ipa_server_mode = True 
> ldap_tls_cacert = /etc/ipa/ca.crt 
> [sssd] 
> services = nss, sudo, pam, ssh 
> config_file_version = 2 
> 
> domains = vs.example.cz 
> [nss] 
> debug_level = 7 
> memcache_timeout = 600 
> homedir_substring = /home 
> 
> [pam] 
> debug_level = 7 
> [sudo] 
> debug_level = 7 
> [autofs] 
> debug_level = 7 
> [ssh] 
> debug_level = 7 
> [pac] 
> debug_level = 7 
> [ifp] 
> debug_level = 7 
> 
> 
> I can resolve all groups from client : 
> 
> SERVER: id tst99...@cen.example.cz 
> uid=20019(tst99...@cen.example.cz) gid=5001(csunix) 
> groups=5001(csunix),93008(final_test_group) 
> 
> CLIENT: 
> getent group 5001 
> csunix:x:5001: 
> 
> getent group 93008 
> final_test_group:*:93008: 
> 
> getent group final_test_gr...@vs.example.cz 
> final_test_group:*:93008: 
> 
> getent group csu...@cen.example.cz 
> No reply - can't resolve that group from client. 
> 
> 
... 

> 
> Also I found out that in AD there are multiple objects with gidNumber=5001 

This might be the issue: each gidNumber (and each uidNumber as well) 
should be unique in the whole environment. Please check with the AD 
administrators why it was done this way and if it can be changed. 

HTH 

bye, 
Sumit 



Re: [Freeipa-users] Unable to resolve AD users from IPA

2016-10-19 Thread Sumit Bose
On Wed, Oct 19, 2016 at 12:08:01PM +0200, Jan Karásek wrote:
> Hi, 
> 
> thank you for help. 
> 
> This is my sssd.conf from server : 
> 
> [domain/vs.example.cz] 
> debug_level = 7 
> cache_credentials = True 
> krb5_store_password_if_offline = True 
> ipa_domain = vs.example.cz 
> id_provider = ipa 
> auth_provider = ipa 
> access_provider = ipa 
> ipa_hostname = tidmipa02.vs.example.cz 
> chpass_provider = ipa 
> ipa_server = tidmipa02.vs.example.cz 
> ipa_server_mode = True 
> ldap_tls_cacert = /etc/ipa/ca.crt 
> [sssd] 
> services = nss, sudo, pam, ssh 
> config_file_version = 2 
> 
> domains = vs.example.cz 
> [nss] 
> debug_level = 7 
> memcache_timeout = 600 
> homedir_substring = /home 
> 
> [pam] 
> debug_level = 7 
> [sudo] 
> debug_level = 7 
> [autofs] 
> debug_level = 7 
> [ssh] 
> debug_level = 7 
> [pac] 
> debug_level = 7 
> [ifp] 
> debug_level = 7 
> 
> 
> I can resolve all groups from client : 
> 
> SERVER: id tst99...@cen.example.cz 
> uid=20019(tst99...@cen.example.cz) gid=5001(csunix) 
> groups=5001(csunix),93008(final_test_group) 
> 
> CLIENT: 
> getent group 5001 
> csunix:x:5001: 
> 
> getent group 93008 
> final_test_group:*:93008: 
> 
> getent group final_test_gr...@vs.example.cz 
> final_test_group:*:93008: 
> 
> getent group csu...@cen.example.cz 
> No reply - can't resolve that group from client. 
> 
> 
...

> 
> Also I found out that in AD there are multiple objects with gidNumber=5001 

This might be the issue: each gidNumber (and each uidNumber as well)
should be unique in the whole environment. Please check with the AD
administrators why it was done this way and if it can be changed.

HTH

bye,
Sumit

> 
> ldapsearch  
> (&(gidNumber=5001)(objectClass=group)(sAMAccountName=*)(&(gidNumber=*)(!(gidNumber=0
>  > /tmp/csunix_dump 
> cat /tmp/csunix_dump 
> dn: CN=csunix_0,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix_0 
> ... 
> gidNumber: 5001 
> 
> dn: CN=csunix_1,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix_1 
>  
> gidNumber: 5001 
> 
> dn: CN=csunix_2,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix_2 
> ... 
> gidNumber: 5001 
> 
> dn: CN=csunix_3,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix_3 
> ... 
> gidNumber: 5001 
> 
> dn: CN=csunix_4,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix_4 
> ... 
> gidNumber: 5001 
> 
> dn: CN=csunix_5,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix_5 
> ... 
> gidNumber: 5001 
> 
> dn: CN=csunix,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz 
> objectClass: top 
> objectClass: posixGroup 
> objectClass: group 
> cn: csunix 
> ... 
> gidNumber: 5001 
> 

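Sumit's point is that gidNumber and uidNumber must be unique across the whole environment. As an added example (not from the thread, and not SSSD or IPA code), the script below takes an LDIF dump like the `/tmp/csunix_dump` quoted above and reports every POSIX ID that more than one object carries, keeping group and user objects apart so that a user's primary gidNumber is not mistaken for a clash. It handles LDIF folded lines and base64 (`::`) values. The dump it runs on is constructed for the example, modelled on the csunix_* entries in the thread.

```python
import base64
from collections import defaultdict

# Constructed LDIF dump (not the real /tmp/csunix_dump): several group objects sharing
# gidNumber 5001, one distinct group with a folded description, and two users, one of
# which reuses the other's uidNumber. 'cn:: Y3N1bml4' is base64 for 'csunix'.
SAMPLE_LDIF = """\
dn: CN=csunix_0,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: top
objectClass: posixGroup
objectClass: group
cn: csunix_0
gidNumber: 5001

dn: CN=csunix_1,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: top
objectClass: posixGroup
objectClass: group
cn: csunix_1
gidNumber: 5001

dn: CN=csunix,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: top
objectClass: posixGroup
objectClass: group
cn:: Y3N1bml4
gidNumber: 5001

dn: CN=final_test_group,OU=POSIXGroups,OU=Groups,DC=cen,DC=example,DC=cz
objectClass: group
cn: final_test_group
description: test group for the IPA trust
  demo
gidNumber: 5002

dn: CN=tst99654,OU=CSUsers,DC=cen,DC=example,DC=cz
objectClass: user
sAMAccountName: tst99654
uidNumber: 20019
gidNumber: 5001

dn: CN=tst99655,OU=CSUsers,DC=cen,DC=example,DC=cz
objectClass: user
sAMAccountName: tst99655
uidNumber: 20019
gidNumber: 5001
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, multi-valued
    attributes kept as lists, folded lines joined, '::' values base64-decoded."""
    entries, cur, prev_key = [], None, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():                     # blank line ends the entry
            if cur is not None:
                entries.append(cur)
            cur, prev_key = None, None
            continue
        if raw.startswith(" ") and cur is not None and prev_key is not None:
            cur[prev_key][-1] += raw[1:]        # folded continuation line
            continue
        key, _, value = raw.partition(":")
        if value.startswith(":"):               # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.lstrip()
        if cur is None:
            cur = defaultdict(list)
        cur[key].append(value)
        prev_key = key
    if cur is not None:
        entries.append(cur)
    return entries


def find_duplicates(entries, attr):
    """Map each attribute value that appears on more than one entry to the DNs carrying it."""
    owners = defaultdict(list)
    for e in entries:
        for v in e.get(attr, []):
            owners[v].append(e["dn"][0])
    return {v: dns for v, dns in owners.items() if len(dns) > 1}


def check_posix_ids(entries):
    """gidNumber clashes among group objects and uidNumber clashes among users."""
    groups = [e for e in entries if {"group", "posixGroup"} & set(e.get("objectClass", []))]
    users = [e for e in entries if {"user", "posixAccount"} & set(e.get("objectClass", []))]
    return {"gidNumber": find_duplicates(groups, "gidNumber"),
            "uidNumber": find_duplicates(users, "uidNumber")}


if __name__ == "__main__":
    for attr, clashes in check_posix_ids(parse_ldif(SAMPLE_LDIF)).items():
        for value, dns in sorted(clashes.items()):
            print(f"{attr}={value} is carried by {len(dns)} objects:")
            for dn in dns:
                print("   ", dn)
```

Feed it the output of an `ldapsearch` over the whole AD forest (all domains in the trust, not just one OU), since the uniqueness Sumit asks for is environment-wide.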


Re: [Freeipa-users] Unable to resolve AD users from IPA

2016-10-19 Thread Jan Karásek
t_step] (0x1000): Requesting attrs: [uSNChanged] 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_parse_entry] 
> (0x1000): OriginalDN: [CN=tst99654,OU=CSUsers,DC=cen,DC=example,DC=cz]. 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_add_references] (0x1000): Additional References: 
> ldap://DomainDnsZones.cen.example.cz/DC=DomainDnsZones,DC=cen,DC=example,DC=cz
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg 
> set 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_search_user_process] (0x0400): Search for users, returned 1 results. 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] [sdap_save_user] 
> (0x0400): Save user 
> ... 
> 
> 
> I can provide the full log from the IPA server, but it's quite long. Could you point 
> me to what else I could try? 
> 
> Thank you . 
> 
> Jan 
> 
> 
> 
> 
> 




-- 

Message: 2 
Date: Mon, 17 Oct 2016 13:51:41 +0200 
From: Jakub Hrozek  
To: freeipa-users@redhat.com 
Subject: Re: [Freeipa-users] Unable to resolve AD users from IPA 
client 
Message-ID: <20161017115141.ug26fx7rhhaijrgj@hendrix> 
Content-Type: text/plain; charset=iso-8859-1 

On Mon, Oct 17, 2016 at 01:27:40PM +0200, Jan Karásek wrote: 
> Hi, 
> please can you help me with troubleshooting IPA clients in an IPA - AD trust 
> scenario? We have two IPA servers and a couple of clients running on RHEL 6 
> and 7. IPA is running on RHEL 7.2. 
> AD servers are in domains example.cz, cen.example.cz. Test users sit in 
> cen.example.cz. IPA is a subdomain of AD - vs.example.cz. 
> Trust is set as one-way trust. User's POSIX attributes are stored in AD. 
> 
> ipa idrange-find 
>  
> 3 ranges matched 
>  
> Range name: CEN.EXAMPLE.CZ 
> First Posix ID of the range: 9880 
> Number of IDs in the range: 20 
> Domain SID of the trusted domain: S-1-5-21-527237240-1482476501-682003330 
> Range type: Active Directory trust range with POSIX attributes 
> 
> Range name: EXAMPLE.CZ_id_range 
> First Posix ID of the range: 6880 
> Number of IDs in the range: 20 
> Domain SID of the trusted domain: S-1-5-21-73586283-1958367476-682003330 
> Range type: Active Directory trust range with POSIX attributes 
> 
> Range name: VS.EXAMPLE.CZ_id_range 
> First Posix ID of the range: 93000 
> Number of IDs in the range: 20 
> First RID of the corresponding RID range: 1000 
> First RID of the secondary RID range: 1 
> Range type: local domain range 
>  
> Number of entries returned 3 
>  
> 
> I have no problem resolving AD users from both IPA servers: 
> 
> IPA Server: 
> root#:id tst99...@cen.example.cz 
> uid=20019(tst99...@cen.example.cz) gid=5001(csunix) 
> groups=5001(csunix),93008(final_test_group) - this is correct 
> 
> but from IPA client: 
> root#:id tst99...@cen.example.cz 
> id: tst99...@cen.example.cz: no such user 
> 
> ==> sssd_vs.example.cz.log <== 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] 
> (0x0200): Got request for [0x1001][1][name=tst99654] 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_req_set_domain] 
> (0x0400): Changing request domain from [vs.example.cz] to [cen.example.cz] 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with 
> [(&(objectClass=ipaUserOverride)(uid=tst99654))][cn=Default Trust 
> View,cn=views,cn=accounts,dc=vs,dc=example,dc=cz]. 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg 
> set 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] 
> (0x0400): Executing extended operation 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] 
> (0x0400): ldap_extended_operation result: Success(0), (null). 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] 
> (0x0400): No such entry 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] 
> (0x0400): No such entry 

Re: [Freeipa-users] Unable to resolve AD users from IPA client

2016-10-17 Thread Jakub Hrozek
On Mon, Oct 17, 2016 at 01:27:40PM +0200, Jan Karásek wrote:
> Hi, 
> please can you help me with troubleshooting IPA clients in an IPA - AD trust 
> scenario? We have two IPA servers and a couple of clients running on RHEL 6 
> and 7. IPA is running on RHEL 7.2. 
> AD servers are in domains example.cz, cen.example.cz. Test users sit in 
> cen.example.cz. IPA is a subdomain of AD - vs.example.cz. 
> Trust is set as one-way trust. User's POSIX attributes are stored in AD. 
> 
> ipa idrange-find 
>  
> 3 ranges matched 
>  
> Range name: CEN.EXAMPLE.CZ 
> First Posix ID of the range: 9880 
> Number of IDs in the range: 20 
> Domain SID of the trusted domain: S-1-5-21-527237240-1482476501-682003330 
> Range type: Active Directory trust range with POSIX attributes 
> 
> Range name: EXAMPLE.CZ_id_range 
> First Posix ID of the range: 6880 
> Number of IDs in the range: 20 
> Domain SID of the trusted domain: S-1-5-21-73586283-1958367476-682003330 
> Range type: Active Directory trust range with POSIX attributes 
> 
> Range name: VS.EXAMPLE.CZ_id_range 
> First Posix ID of the range: 93000 
> Number of IDs in the range: 20 
> First RID of the corresponding RID range: 1000 
> First RID of the secondary RID range: 1 
> Range type: local domain range 
>  
> Number of entries returned 3 
>  
> 
> I have no problem resolving AD users from both IPA servers: 
> 
> IPA Server: 
> root#:id tst99...@cen.example.cz 
> uid=20019(tst99...@cen.example.cz) gid=5001(csunix) 
> groups=5001(csunix),93008(final_test_group) - this is correct 
> 
> but from IPA client: 
> root#:id tst99...@cen.example.cz 
> id: tst99...@cen.example.cz: no such user 
> 
> ==> sssd_vs.example.cz.log <== 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] 
> (0x0200): Got request for [0x1001][1][name=tst99654] 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_req_set_domain] 
> (0x0400): Changing request domain from [vs.example.cz] to [cen.example.cz] 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with 
> [(&(objectClass=ipaUserOverride)(uid=tst99654))][cn=Default Trust 
> View,cn=views,cn=accounts,dc=vs,dc=example,dc=cz]. 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg 
> set 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] 
> (0x0400): Executing extended operation 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] 
> (0x0400): ldap_extended_operation result: Success(0), (null). 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] 
> (0x0400): No such entry 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] 
> (0x0400): No such entry 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] 
> (0x0400): Executing extended operation 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] 
> (0x0040): ldap_extended_operation result: No such object(32), (null). 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] 
> [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed. 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] 
> [ipa_s2n_get_fqlist_done] (0x0040): s2n get_fqlist request failed. 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [acctinfo_callback] 
> (0x0100): Request processed. Returned 0,0,Success (Success) 
> 
> All IPA clients have the same result - No such user. On the other hand 
> kerberos works fine - I can do kinit with AD users both on IPA servers and 
> clients. All IPA clients use the same DNS server as IPA servers. 
> 
> 
> On IPA server, I can see that it is able to find test user in AD. Log is 
> captured during IPA client request for id: 
> 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with 
> [(&(sAMAccountName=tst99654)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0][dc=cen,dc=example,dc=cz].
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName] 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword] 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] 
> (Mo

Re: [Freeipa-users] Unable to resolve AD users from IPA client

2016-10-17 Thread Sumit Bose
On Mon, Oct 17, 2016 at 01:27:40PM +0200, Jan Karásek wrote:
> Hi, 
> please can you help me with troubleshooting IPA clients in an IPA - AD trust 
> scenario? We have two IPA servers and a couple of clients running on RHEL 6 
> and 7. IPA is running on RHEL 7.2. 
> AD servers are in domains example.cz, cen.example.cz. Test users sit in 
> cen.example.cz. IPA is a subdomain of AD - vs.example.cz. 
> Trust is set as one-way trust. User's POSIX attributes are stored in AD. 
> 
> ipa idrange-find 
>  
> 3 ranges matched 
>  
> Range name: CEN.EXAMPLE.CZ 
> First Posix ID of the range: 9880 
> Number of IDs in the range: 20 
> Domain SID of the trusted domain: S-1-5-21-527237240-1482476501-682003330 
> Range type: Active Directory trust range with POSIX attributes 
> 
> Range name: EXAMPLE.CZ_id_range 
> First Posix ID of the range: 6880 
> Number of IDs in the range: 20 
> Domain SID of the trusted domain: S-1-5-21-73586283-1958367476-682003330 
> Range type: Active Directory trust range with POSIX attributes 
> 
> Range name: VS.EXAMPLE.CZ_id_range 
> First Posix ID of the range: 93000 
> Number of IDs in the range: 20 
> First RID of the corresponding RID range: 1000 
> First RID of the secondary RID range: 1 
> Range type: local domain range 
>  
> Number of entries returned 3 
>  
> 
> I have no problem resolving AD users from both IPA servers: 
> 
> IPA Server: 
> root#:id tst99...@cen.example.cz 
> uid=20019(tst99...@cen.example.cz) gid=5001(csunix) 
> groups=5001(csunix),93008(final_test_group) - this is correct 

Can you send your sssd.conf from the server? I wonder why the AD groups
are returned with a short name 'csunix' while the user is returned with
the full name (tst99...@cen.example.cz).

bye,
Sumit

> 
> but from IPA client: 
> root#:id tst99...@cen.example.cz 
> id: tst99...@cen.example.cz: no such user 
> 
> ==> sssd_vs.example.cz.log <== 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_get_account_info] 
> (0x0200): Got request for [0x1001][1][name=tst99654] 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [be_req_set_domain] 
> (0x0400): Changing request domain from [vs.example.cz] to [cen.example.cz] 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with 
> [(&(objectClass=ipaUserOverride)(uid=tst99654))][cn=Default Trust 
> View,cn=views,cn=accounts,dc=vs,dc=example,dc=cz]. 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg 
> set 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] 
> (0x0400): Executing extended operation 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] 
> (0x0400): ldap_extended_operation result: Success(0), (null). 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] 
> (0x0400): No such entry 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [sysdb_search_by_name] 
> (0x0400): No such entry 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_send] 
> (0x0400): Executing extended operation 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [ipa_s2n_exop_done] 
> (0x0040): ldap_extended_operation result: No such object(32), (null). 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] 
> [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed. 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] 
> [ipa_s2n_get_fqlist_done] (0x0040): s2n get_fqlist request failed. 
> (Mon Oct 17 12:24:29 2016) [sssd[be[vs.example.cz]]] [acctinfo_callback] 
> (0x0100): Request processed. Returned 0,0,Success (Success) 
> 
> All IPA clients have the same result - No such user. On the other hand 
> kerberos works fine - I can do kinit with AD users both on IPA servers and 
> clients. All IPA clients use the same DNS server as IPA servers. 
> 
> 
> On IPA server, I can see that it is able to find test user in AD. Log is 
> captured during IPA client request for id: 
> 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with 
> [(&(sAMAccountName=tst99654)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0][dc=cen,dc=example,dc=cz].
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName] 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword] 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]] 
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] 
> (Mon Oct 17 12:26:05 2016) [sssd[be[vs.example.cz]]]