Hi Jakub,

Thanks for the link. I followed the troubleshooting and I notice I can't 
reach the data provider mentioned in step 4 ("If the command is reaching the 
NSS responder, does it get forwarded to the Data Provider?").


If I look at my sssd_nss log, I get this, with a timestamp that matches my id 
<username> command:

(Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/MYDOMAIN.ca/root] to negative cache permanently
(Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/MYDOMAIN.ca/root] to negative cache permanently
(Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41eb90:[email protected]]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [admin].
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'admin' matched without domain, user is admin
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [admin] from [<ALL>]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [[email protected]]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41d420:1:[email protected]]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [MYDOMAIN.ca][0x1001][FAST BE_REQ_USER][1][name=admin]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41d420:1:[email protected]]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 1, 11, Fast reply - offline
Will try to return what we have in cache
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41d420:1:[email protected]]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [client_recv] (0x0200): Client disconnected!


What would be the next step?

Thanks!
Thomas




________________________________________
From: Jakub Hrozek <[email protected]>
Sent: Monday, June 24, 2019 4:19 AM
To: [email protected]
Subject: [SSSD-users] Re: id / getent not finding AD users

On Tue, Jun 18, 2019 at 06:57:14PM +0000, Thomas Beaudry wrote:
> Hi Guys,
>
>
> I have 2 Ubuntu 16.04 servers that have their users run by AD.  The sssd.conf 
> and output of "realm list" is identical for both servers.  However, one of 
> them can't seem to find the AD users, so ssh fails.  I tried doing id <user> 
> and getent passwd <user> and it doesn't find them.
>
>
> Do you know what the issue might be?

Not without logs, see:
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

>
>
> Thanks,
>
> Thomas
>
>
> Here is my sssd.conf:
>
>
> # cat /etc/sssd/sssd.conf
> [autofs]
> debug_level=1
>
> [krb5]
> debug_level=1
>
> [nss]
> filter_groups = root
> filter_users = root
> reconnection_retries = 3
>
> [pam]
> reconnection_retries = 3
> debug_level=1
>
> [sssd]
> domains = MYDOMAIN.ca
> config_file_version = 2
> services = nss, pam, ssh, autofs
> debug_level=1
>
> [domain/MYDOMAIN.ca]
> ad_domain = MYDOMAIN.ca
> krb5_realm = MYDOMAIN.CA
> realmd_tags = manages-system joined-with-adcli
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> #use_fully_qualified_names = True
> override_homedir = /NAS/home/%u
> fallback_homedir = /home/%u
> access_provider = simple
> debug_level=1
> ignore_group_members=True
> simple_allow_groups = perform_hpc
>
>
> and output of realm list:
>
> # realm list
> MYDOMAIN.ca
>   type: kerberos
>   realm-name: MYDOMAIN.CA
>   domain-name: MYDOMAIN?.ca
>   configured: kerberos-member
>   server-software: active-directory
>   client-software: sssd
>   required-package: sssd-tools
>   required-package: sssd
>   required-package: libnss-sss
>   required-package: libpam-sss
>   required-package: adcli
>   required-package: samba-common-bin
>   login-formats: %U
>   login-policy: allow-permitted-logins
>   permitted-logins:
>   permitted-groups:
>
>
>
>

> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
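
Added example, not part of either message and not SSSD project code: a small parser for sssd_nss debug output that rejoins mail-wrapped and multi-line records and reports each lookup for which the responder logged "Unable to get information from Data Provider". The regular expressions assume the line layout seen in the log quoted in this thread; the sample is constructed from those lines.

```python
import re

# Line layout seen in the log above: (time) [process] [function] (0xLEVEL): message
HEADER = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>sssd\[.+?\])\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): ?(?P<msg>.*?)\s*$")
COMMAND = re.compile(r"Running command \[\d+\]\[(\w+)\] with input \[([^\]]*)\]")
DP_ERROR = re.compile(r"Error: (\d+), (\d+), (.+?)(?: Will try|$)")

def parse_records(text):
    """Group physical lines into log records. A line without a header
    (mail-wrapped text or a multi-line message) continues the previous record."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append(m.groupdict())
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def failed_dp_lookups(text):
    """Return the lookups the responder could not satisfy from the Data Provider."""
    failures, current = [], None
    for rec in parse_records(text):
        cmd = COMMAND.search(rec["msg"])
        if cmd:
            current = cmd.groups()  # (command name, looked-up name)
        elif "Unable to get information from Data Provider" in rec["msg"]:
            err = DP_ERROR.search(rec["msg"])
            reason = err.group(3) if err else None
            failures.append({"time": rec["ts"], "lookup": current, "error": reason,
                             "offline": bool(reason and "offline" in reason.lower())})
    return failures

# Constructed sample, shortened from the sssd_nss lines quoted in the message.
SAMPLE = """\
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running
command [17][SSS_NSS_GETPWNAM] with input [admin].
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040):
Unable to get information from Data Provider
Error: 1, 11, Fast reply - offline
Will try to return what we have in cache
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
"""

if __name__ == "__main__":
    for failure in failed_dp_lookups(SAMPLE):
        print(failure)
```

A result with `offline` set means the domain back end reported itself offline, so the reason will be in the domain log (`sssd_<domain>.log`) rather than in the NSS responder log.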