On Mon, 2012-05-14 at 15:58 +0200, Daniel Löw wrote:
> Hello!
>
> I'm using sssd 1.8 on an Ubuntu 12.04 laptop, so that I can log in
> even when I am offline.
> Everything works great, but if I take the laptop home with me and
> connect it to my home network, I can't log in.
> Then it says that I have the wrong password. Then, if I want to be able
> to log in, I need to connect the laptop to my office network; then I can
> log in. Login offline works great, unless I connect the laptop to a
> network that isn't my office network.
>
> I'm getting my password from Kerberos, and my account information
> from LDAP.
Is this happening with ANY network that isn't your office network?

I have a suspicion that what's happening is that your network has a very "special" configuration that is evil. My guess is that the set of entries that can be looked up in LDAP from within the office network is different from the set of entries that can be looked up if you're connecting from outside the office network.

In other words, let's say your username is dlow and you have an LDAP entry "uid=dlow,cn=Users,cn=Accounts,dc=EXAMPLE,dc=COM" in LDAP. When you're inside the corporate firewall, an LDAP search against '(uid=dlow)' will return that entry. However, if your LDAP server detects that you are connecting from OUTSIDE the corporate firewall, it may just return "no such user".

This is a situation that SSSD cannot handle, because from its point of view, you are "online" and the LDAP server answered the request with a definitive statement of "this user does not exist or was deleted". So for security reasons, we must remove the user locally (which also deletes cached credentials).

One thing that you can do to check this is to run the following commands while at work and at home:

1) Install the openldap client tools package (I'm not sure what the package name is on Ubuntu, but on Fedora it would be openldap-clients)

2) Run the command:

    ldapsearch -H ldap://corporate.ldapserver.example.com \
               -b "<user_search_base>" \
               "(uid=<yourusername>)"

Obviously, substitute corporate.ldapserver.example.com with the value from ldap_uri in sssd.conf, <user_search_base> with ldap_user_search_base from sssd.conf and <yourusername> with your actual username.
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
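The check the reply proposes, worked through as an added example (this is not code from the thread or from the SSSD project): it pulls ldap_uri and ldap_user_search_base out of sssd.conf to build the ldapsearch command line, then compares the LDIF captured on the office network with the LDIF captured at home to tell the two cases apart that matter to SSSD. The sssd.conf fragment, the domain name example.com, the username dlow and the three LDIF captures are all constructed here for illustration; the entry-count and error-string heuristics are the example's own, not SSSD's logic.

```python
"""Compare ldapsearch results from two networks to see why SSSD drops a cached user.

SSSD distinguishes two outcomes that look the same to the user:
  * the LDAP server is unreachable  -> SSSD goes offline, cached credentials work;
  * the LDAP server answers but does not return the user -> SSSD treats the
    answer as authoritative ("user deleted") and removes the local copy,
    including the cached credentials.
"""
import configparser
import shlex

# Constructed sssd.conf fragment (assumption: domain "example.com").
SSSD_CONF = """
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://corporate.ldapserver.example.com
ldap_user_search_base = cn=Users,cn=Accounts,dc=EXAMPLE,dc=COM
krb5_server = kdc.example.com
krb5_realm = EXAMPLE.COM
"""

# Constructed LDIF captures (assumed shapes of openldap's ldapsearch output).
OFFICE_LDIF = """# extended LDIF
# filter: (uid=dlow)

# dlow, Users, Accounts, EXAMPLE.COM
dn: uid=dlow,cn=Users,cn=Accounts,dc=EXAMPLE,dc=COM
uid: dlow
cn: dlow
objectClass: posixAccount

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

HOME_LDIF = """# extended LDIF
# filter: (uid=dlow)

# search result
search: 2
result: 0 Success

# numResponses: 1
"""

HOME_UNREACHABLE = "ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)\n"


def ldapsearch_argv(conf_text, domain, username):
    """Build the ldapsearch argv from the [domain/<name>] section of sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    section = cp[f"domain/{domain}"]
    # ldap_uri may be a comma-separated list; the first server is tried first.
    uri = section["ldap_uri"].split(",")[0].strip()
    base = section["ldap_user_search_base"].strip()
    return ["ldapsearch", "-H", uri, "-b", base, f"(uid={username})"]


def shell_command(conf_text, domain, username):
    """The same command as one shell-quoted line, ready to paste into a terminal."""
    return shlex.join(ldapsearch_argv(conf_text, domain, username))


def count_entries(ldif_text):
    """Each entry in LDIF output starts with a 'dn:' line; count those."""
    return sum(1 for line in ldif_text.splitlines() if line.startswith("dn:"))


def connection_failed(ldif_text):
    """Heuristic: openldap reports an unreachable server with this message."""
    return "Can't contact LDAP server" in ldif_text


def diagnose(office_ldif, home_ldif):
    """Explain, from the two captures, what SSSD will conclude on the home network."""
    if connection_failed(home_ldif):
        return "home: server unreachable; SSSD goes offline and cached credentials apply"
    office, home = count_entries(office_ldif), count_entries(home_ldif)
    if office >= 1 and home == 0:
        return ("home: server reachable but user not returned; "
                "SSSD treats this as a deletion and removes the cached user")
    if office == home:
        return "same answer on both networks; the cause lies elsewhere"
    return f"office={office} home={home}: unexpected difference, inspect the captures"


if __name__ == "__main__":
    print(shell_command(SSSD_CONF, "example.com", "dlow"))
    print(diagnose(OFFICE_LDIF, HOME_LDIF))
    print(diagnose(OFFICE_LDIF, HOME_UNREACHABLE))
```

Run the printed command on each network and save the output; feeding the two captures to diagnose() separates "the server could not be reached" (cached login keeps working) from "the server answered without the entry" (SSSD purges the cached user), which is the distinction the reply hinges on.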