Hello,

Thank you for your guidance on the next step.
2014-08-06 4:17 GMT+09:00 Jakub Hrozek <[email protected]>:
> Can you try this ldapsearch?
>
> ldapsearch -Y GSSAPI -H
> ldap://jpbw0-in00-is82.labsso.labroot.isops.example.com -b '' -s base
> '(&(DnsDomain=LABSSO)(NtVer=\14\00\00\00))' netlogon
>
> The attribute would not be human-readable if found.
>
> Are you aware of any non-standard access control on your server?

All AD servers (LABROOT, LABSSO, LABBU) are Windows 2008 R2 SP1.
The current AD servers were configured by another engineer, and I'm not
familiar with AD servers.

I logged on to the LABSSO AD server and confirmed that
"LABSSO : labsso.labroot.isops.example.com" has trusts on
"LABBU : labbu.labsso.labroot.isops.example.com" as "Child" and on
"LABROOT : labroot.isops.example.com" as "Parent".
So I believe the AD subtree (forest) configuration is OK.

As for access control, I believe it should use standard access control.
To avoid access control issues, I used an administrator account for the
following ldapsearch.

>
> Can you run the same search against a different server, maybe the forest
> root?

Here is the result of the base object search against LABSSO and LABROOT
(the forest root). I could not find the "netlogon" attribute.
So I'm afraid something is wrong with our AD configuration, but I have no
idea why the "netlogon" attribute is missing.

<< LABSSO AD >>
[root@jpbl0-in00-is11 ~]# ldapsearch -x -D 'labroot\admin' -W -H ldap://jpbw0-in00-is82.labsso.labroot.isops.example.com -b '' -s base '(&(DnsDomain=LABSSO)(NtVer=\14\00\00\00))' netlogon
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (&(DnsDomain=LABSSO)(NtVer=\14\00\00\00))
# requesting: netlogon
#

# search result
search: 2
result: 0 Success

# numResponses: 1

<< LABROOT AD >>
[root@jpbl0-in00-is11 ~]# ldapsearch -x -D 'labroot\admin' -W -H ldap://jpbw0-in00-is83.labroot.isops.example.com -b '' -s base '(&(DnsDomain=LABSSO)(NtVer=\14\00\00\00))' netlogon
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (&(DnsDomain=LABSSO)(NtVer=\14\00\00\00))
# requesting: netlogon
#

# search result
search: 2
result: 0 Success

# numResponses: 1

==================================================================
<< Full baseObject List - LABSSO >>
[root@jpbl0-in00-is11 ~]# ldapsearch -x -D 'labsso\admin' -W -H ldap://jpbw0-in00-is82.labsso.labroot.isops.example.com -b '' -s base
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
currentTime: 20140806042727.0Z
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=labroot,DC=isops
 ,DC=example,DC=com
dsServiceName: CN=NTDS Settings,CN=JPBW0-IN00-IS82,CN=Servers,CN=NK1,CN=Sites,
 CN=Configuration,DC=labroot,DC=isops,DC=example,DC=com
namingContexts: CN=Configuration,DC=labroot,DC=isops,DC=example,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=labroot,DC=isops,DC=example,DC=com
namingContexts: DC=ForestDnsZones,DC=labroot,DC=isops,DC=example,DC=com
namingContexts: DC=labsso,DC=labroot,DC=isops,DC=example,DC=com
namingContexts: DC=DomainDnsZones,DC=labsso,DC=labroot,DC=isops,DC=example,DC=com
defaultNamingContext: DC=labsso,DC=labroot,DC=isops,DC=example,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=labroot,DC=isops,DC=example,DC=
 com
configurationNamingContext: CN=Configuration,DC=labroot,DC=isops,DC=example,DC=com
rootDomainNamingContext: DC=labroot,DC=isops,DC=example,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
highestCommittedUSN: 5282424
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
dnsHostName: jpbw0-in00-is82.labsso.labroot.isops.example.com
ldapServiceName: labroot.isops.example.com:[email protected] BM.COM
serverName: CN=JPBW0-IN00-IS82,CN=Servers,CN=NK1,CN=Sites,CN=Configuration,DC=
 labroot,DC=isops,DC=example,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 4
forestFunctionality: 4
domainControllerFunctionality: 4

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

==================================================================
<< Full baseObject List : LABROOT >>
[root@jpbl0-in00-is11 ~]# ldapsearch -x -D 'labroot\admin' -w 'Tak3m3aLab!' -H ldap://jpbw0-in00-is83.labroot.isops.example.com -b '' -s base
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
currentTime: 20140806042954.0Z
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=labroot,DC=isops
 ,DC=example,DC=com
dsServiceName: CN=NTDS Settings,CN=JPBW0-IN00-IS83,CN=Servers,CN=NK1,CN=Sites,
 CN=Configuration,DC=labroot,DC=isops,DC=example,DC=com
namingContexts: DC=labroot,DC=isops,DC=example,DC=com
namingContexts: CN=Configuration,DC=labroot,DC=isops,DC=example,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=labroot,DC=isops,DC=example,DC=com
namingContexts: DC=DomainDnsZones,DC=labroot,DC=isops,DC=example,DC=com
namingContexts: DC=ForestDnsZones,DC=labroot,DC=isops,DC=example,DC=com
defaultNamingContext: DC=labroot,DC=isops,DC=example,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=labroot,DC=isops,DC=example,DC=
 com
configurationNamingContext: CN=Configuration,DC=labroot,DC=isops,DC=example,DC=com
rootDomainNamingContext: DC=labroot,DC=isops,DC=example,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
highestCommittedUSN: 5373198
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
dnsHostName: jpbw0-in00-is83.labroot.isops.example.com
ldapServiceName: labroot.isops.example.com:[email protected]
serverName: CN=JPBW0-IN00-IS83,CN=Servers,CN=NK1,CN=Sites,CN=Configuration,DC=
 labroot,DC=isops,DC=example,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 4
forestFunctionality: 4
domainControllerFunctionality: 4

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Regards,
Shoji
