On Tue, Feb 03, 2015 at 04:17:39PM +0600, Eugene Peregudov wrote:
>
> Hi,
>
> I'm trying to authenticate Active Directory users with different UPN
> suffixes on my Linux machine.
> As described in the article (http://jhrozek.livejournal.com/3019.html), SSSD
> should support enterprise logins:
> "some users in AD might use a different Kerberos Principal suffix than the
> default one".
>
> I have two users with different UPN - [email protected] and
> [email protected]
>
> #getent passwd [email protected]
>
> returns a valid user entry, but
>
> #getent passwd [email protected]
>
> returns nothing...
>
> What's wrong? Can anyone help me with this issue? Thanks!
Can you send the related sssd_nss logs with debug_level 10 as well?
bye,
Sumit
>
> Target system:
> Red Hat Enterprise Linux Server release 7.0 (Maipo)
> host1.domain.example.com 3.10.0-123.13.2.el7.x86_64 x86_64 x86_64 x86_64
> GNU/Linux
> sssd-1.11.2-68.el7_0.6.x86_64
> ---------------------------------------------------------------
> Active Directory Domain:
> schema: 2008 R2
> tld: domain.example.com
> ---------------------------------------------------------------
> The Linux machine was joined to AD using the command:
> #adcli join domain.example.com -U admin -S dc1.domain.example.com -H
> host1.domain.example.com -v -W
> ---------------------------------------------------------------
> sssd.conf:
>
> [sssd]
> config_file_version = 2
> services = nss, pam
> domains = DOMAIN.EXAMPLE.COM
>
> [nss]
>
> [pam]
>
> [domain/DOMAIN.EXAMPLE.COM]
> debug_level = 10
> id_provider = ad
> auth_provider = ad
> chpass_provider = ad
> access_provider = ad
>
> ad_domain = domain.example.com
> ad_server = dc1.domain.example.com,10.0.0.2
> ad_hostname = host1.domain.example.com
> ldap_id_mapping = false
> ldap_schema = rfc2307
> krb5_use_enterprise_principal = true
> enumerate = false
> entry_cache_timeout = 60
> fallback_homedir = /home/org/users/%u
> shell_fallback = /bin/false
> dyndns_update = true
> ---------------------------------------------------------------
> krb5.conf:
>
> [libdefaults]
> dns_lookup_realm = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = false
> default_realm = DOMAIN.EXAMPLE.COM
> default_ccache_name = KEYRING:persistent:%{uid}
>
> dns_lookup_kdc = false
> [realms]
>
> DOMAIN.EXAMPLE.COM = {
> kdc = dc1.domain.example.com
> kdc = 10.0.0.2
> admin_server = dc1.domain.example.com
> admin_server = 10.0.0.2
> default_domain = domain.example.com
> }
>
> [domain_realm]
> .domain.example.com = DOMAIN.EXAMPLE.COM
> domain.example.com = DOMAIN.EXAMPLE.COM
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
> ---------------------------------------------------------------
> sssd_DOMAIN.EXAMPLE.COM.log:
>
> [sbus_dispatch] (0x4000): dbus conn: 0x7f75d0504770
> [sbus_dispatch] (0x4000): Dispatching.
> [sbus_message_handler] (0x4000): Received SBUS method [ping]
> [sbus_dispatch] (0x4000): dbus conn: 0x7f75d0519b20
> [sbus_dispatch] (0x4000): Dispatching.
> [sbus_message_handler] (0x4000): Received SBUS method [getDomains]
> [be_get_subdomains] (0x0400): Got get subdomains
> [forced][department.example.com]
> [be_queue_request] (0x4000): Queue is empty, running request immediately.
> [be_queue_request] (0x4000): Adding request to queue.
> [sdap_id_op_connect_step] (0x4000): reusing cached connection
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [objectclass=domain][DC=domain,DC=example,DC=com].
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 11
> [sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1],
> ops[0x7f75d052de50], ldap[0x7f75d0521980]
> [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
> [sdap_parse_entry] (0x4000): OriginalDN: [DC=domain,DC=example,DC=com].
> [sdap_parse_range] (0x2000): No sub-attributes for [objectSid]
> [sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1],
> ops[0x7f75d052de50], ldap[0x7f75d0521980]
> [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
> [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
> set
> [ad_master_domain_next_done] (0x0400): Found SID
> [S-1-5-21-1505972566-2156897661-2636268315].
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(DnsDomain=domain.example.com)(NtVer=\14\00\00\00))][].
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [netlogon]
> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 12
> [sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1],
> ops[0x7f75d0530150], ldap[0x7f75d0521980]
> [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> [sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1],
> ops[0x7f75d0530150], ldap[0x7f75d0521980]
> [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
> [sdap_parse_entry] (0x4000): OriginalDN: [].
> [sdap_parse_range] (0x2000): No sub-attributes for [netlogon]
> [sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1],
> ops[0x7f75d0530150], ldap[0x7f75d0521980]
> [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
> [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
> set
> [ad_master_domain_netlogon_done] (0x0400): Found flat name [DOMAIN].
> [ad_master_domain_netlogon_done] (0x0400): Found forest
> [domain.example.com].
> [ad_subdomains_master_dom_done] (0x0400): Connected to forest root, looking
> up child domains..
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(objectclass=trustedDomain)(trustType=2)(!(msDS-TrustForestTrustInfo=*)))][DC=domain,DC=example,DC=com].
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [flatName]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [trustPartner]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [securityIdentifier]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [trustType]
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [trustAttributes]
> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 13
> [sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1],
> ops[0x7f75d052e870], ldap[0x7f75d0521980]
> [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> [sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1],
> ops[0x7f75d052e870], ldap[0x7f75d0521980]
> [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
> [sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1],
> ops[0x7f75d052e870], ldap[0x7f75d0521980]
> [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
> [sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1],
> ops[0x7f75d052e870], ldap[0x7f75d0521980]
> [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
> [sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1],
> ops[0x7f75d052e870], ldap[0x7f75d0521980]
> [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
> [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
> set
> [sdap_id_op_done] (0x4000): releasing operation connection
> [ad_subdomains_get_slave_domain_done] (0x1000): There are no changes
> [get_subdomains_callback] (0x0400): Backend returned: (0, 0, <NULL>)
> [Success]
> [be_queue_next_request] (0x4000): Request queue is empty.
> [sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1],
> ops[(nil)], ldap[0x7f75d0521980]
> [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
> [be_ptask_execute] (0x0400): Task [Cleanup of DOMAIN.EXAMPLE.COM]: executing
> task, timeout 10800 seconds
> ---------------------------------------------------------------
>
>
> --
> With best regards, Eugene JONIK Peregudov
> mailto: [email protected]
> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
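The reply above asks for debug_level 10 logs, and the useful first pass over such a log is to pull out which LDAP searches the backend actually issued (filter, search base, requested attributes, msgid and outcome), since that shows whether the second UPN suffix was ever looked up at all. The parser below is an added example written for this thread, not code from SSSD or from either poster. It assumes the classic SSSD 1.x line layout `[function] (0xLEVEL): message`, that a line without that prefix is a mail-client wrap of the previous message (as in the quoted log), and that the debug-level bit names match the constants in SSSD's debug.h; the sample log is a few lines constructed from the ones quoted above.

```python
"""Triage helper for SSSD debug logs (debug_level = 10 output).

Added example, not part of the mailing-list thread. Assumptions:
  - log lines look like "[function] (0xLEVEL): message";
  - a line without that prefix continues the previous message
    (mail clients wrap long lines, as in the quoted log);
  - the level bit names below follow SSSD's debug.h.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

LINE_RE = re.compile(
    r"^\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): ?(?P<msg>.*)$"
)
# "calling ldap_search_ext with [FILTER][BASE]."
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.*?)\]\[(?P<base>[^\]]*)\]\.$")

# Debug level bit names (assumed to match SSSD's debug.h for this version).
LEVEL_NAMES = {
    0x0010: "fatal", 0x0020: "critical", 0x0040: "serious",
    0x0080: "minor", 0x0100: "config", 0x0200: "func_data",
    0x0400: "trace_func", 0x1000: "trace_libs",
    0x2000: "trace_internal", 0x4000: "trace_all",
}


@dataclass
class Record:
    func: str
    level: int
    msg: str


@dataclass
class Search:
    filter: str
    base: str
    attrs: List[str] = field(default_factory=list)
    msgid: Optional[int] = None
    result: Optional[str] = None


def level_name(level: int) -> str:
    """Map a raw debug level mask (e.g. 0x0400) to its name."""
    return LEVEL_NAMES.get(level, hex(level))


def parse_log(text: str) -> List[Record]:
    """Parse a (possibly mail-quoted, possibly wrapped) SSSD log into records."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("> "):      # strip mail quoting
            line = line[2:]
        elif line == ">":
            line = ""
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            records.append(Record(m["func"], int(m["level"], 16), m["msg"]))
        elif records:
            # No prefix: a wrapped continuation of the previous message.
            records[-1].msg += " " + line
    return records


def ldap_searches(records: List[Record]) -> List[Search]:
    """Reconstruct each ldap_search_ext call the backend issued and its outcome."""
    searches: List[Search] = []
    for r in records:
        if r.func == "sdap_get_generic_ext_step":
            m = SEARCH_RE.match(r.msg)
            if m:
                searches.append(Search(m["filter"], m["base"]))
            elif searches and r.msg.startswith("Requesting attrs: ["):
                searches[-1].attrs.append(r.msg[len("Requesting attrs: "):].strip("[]"))
            elif searches and "msgid = " in r.msg:
                searches[-1].msgid = int(r.msg.rsplit("= ", 1)[1])
        elif r.func == "sdap_get_generic_ext_done" and searches:
            prefix = "Search result: "
            searches[-1].result = r.msg[len(prefix):] if r.msg.startswith(prefix) else r.msg
    return searches


# Constructed sample, modelled on the log quoted in the thread (raw string so
# the LDAP escape bytes in the netlogon filter survive untouched).
SAMPLE = r"""
> [sbus_message_handler] (0x4000): Received SBUS method [getDomains]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [objectclass=domain][DC=domain,DC=example,DC=com].
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 11
> [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
> [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
> set
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(DnsDomain=domain.example.com)(NtVer=\14\00\00\00))][].
> [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [netlogon]
> [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 12
"""

if __name__ == "__main__":
    for s in ldap_searches(parse_log(SAMPLE)):
        print(f"msgid={s.msgid} base={s.base!r} attrs={s.attrs} "
              f"filter={s.filter!r} result={s.result}")
```

Run it against the real `sssd_DOMAIN.EXAMPLE.COM.log` (or the `sssd_nss.log` that was requested) by feeding the file contents to `parse_log`; a user lookup that never produces an `ldap_search_ext` call for the expected UPN, or one whose `result` is not `Success(0)`, narrows the problem down before the whole log is sent to the list.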