On Wed, Sep 18, 2019 at 04:43:18PM +0200, Hinrikus Wolf wrote:
> Hi,
> 
> 
> this is our sssd.conf
> 
> > [sssd]
> > domains = fsmpi.rwth-aachen.de
> > config_file_version = 2
> > services = nss, pam
> >
> > [pam]
> > offline_credentials_expiration = 1
> > offline_failed_login_attempts = 3
> > offline_failed_login_delay = 0
> >
> > [domain/fsmpi.rwth-aachen.de]
> > ad_domain = fsmpi.rwth-aachen.de
> > krb5_realm = FSMPI.RWTH-AACHEN.DE
> > realmd_tags = manages-system joined-with-adcli 
> > cache_credentials = True
> > id_provider = ad
> > krb5_store_password_if_offline = True
> > default_shell = /bin/bash
> > ldap_id_mapping = False
> > use_fully_qualified_names = False
> > fallback_homedir = /home/%u
> > access_provider = ad
> > enumerate = true
> > ldap_user_fullname = displayName
> > krb5_lifetime = 48h
> > krb5_renewable_lifetime = 200h
> > krb5_renew_interval = 30m
> > ad_gpo_access_control = disabled
> > ldap_search_base = 
> > dc=fsmpi,dc=rwth-aachen,dc=de?subtree?(&(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
> 
> 
> in sssd_nss.log
> 
> > (Wed Sep 18 14:40:38 2019) [sssd[nss]] [sss_dp_get_reply] (0x0010): The 
> > Data Provider returned an error 
> > [org.freedesktop.sssd.Error.DataProvider.Offline]
> > (Wed Sep 18 14:41:08 2019) [sssd[nss]] [sss_dp_get_reply] (0x0010): The 
> > Data Provider returned an error 
> > [org.freedesktop.sssd.Error.DataProvider.Offline]
> > (Wed Sep 18 14:41:38 2019) [sssd[nss]] [sss_dp_get_reply] (0x0010): The 
> > Data Provider returned an error 
> > [org.freedesktop.sssd.Error.DataProvider.Offline]

Hi,

looks like the backend has issues to connect to an AD DC. Please add
debug_level=9 to the [domain/...] section of sssd.conf, restart SSSD,
run some tests and check sssd_domain.name.log for issues which cause the
backed to switch into offline mode (or send it).

bye,
Sumit

> 
> Best regards
> Rikus
> 
> > Sumit Bose <sb...@redhat.com> hat am 16. September 2019 18:01 geschrieben:
> > 
> >  
> > On Mon, Sep 16, 2019 at 10:37:11AM +0200, Hinrikus Wolf wrote:
> > > Hi,
> > > 
> > > 
> > > > Sumit Bose <sb...@redhat.com> hat am 16. September 2019 08:23 
> > > > geschrieben:
> > > > Hi,
> > > > 
> > > > I guess you mean that the users are still available for nss, i.e they
> > > > can be looked up with 'getent passwd username'?
> > > Yes, that's what I mean.
> > > 
> > > > 
> > > > I think you didn't answer if you already tried to run the search filter
> > > > with '!(userAccountControl:1.2.840.113556.1.4.803:=2)' manually with the
> > > > ldapsearch command. This is important to understand if the search filter
> > > > does not work at all or SSSD does not handle it properly.
> > > 
> > > The filter works. I just in case tried it again with ldapsearch but we 
> > > are using this filter for several applications which are supporting ldap.
> > 
> > Hi,
> > 
> > I tried the ldap_search_base you've sent earlier (adopted to my setup)
> > and it worked as expected, i.e. disabled users are not shown.
> > 
> > Can you share your complete sssd.conf (sanitized if needed) and if
> > possible the sssd_nss.log and the domain log both with debug_level=9?
> > 
> > bye,
> > Sumit
> > > 
> > > Best regads
> > > Rikus
> > > 
> > > > 
> > > > bye,
> > > > Sumit
> > > > > 
> > > > > But may be it is not posible?
> > > > > 
> > > > > Best regards
> > > > > Rikus
> > > > > 
> > > > > > 
> > > > > > LS
> > > > > > _______________________________________________
> > > > > > sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> > > > > > To unsubscribe send an email to 
> > > > > > sssd-users-le...@lists.fedorahosted.org
> > > > > > Fedora Code of Conduct: 
> > > > > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > > > List Guidelines: 
> > > > > > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > > List Archives: 
> > > > > > https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> > > > > > 
> > > > > 
> > > > > 
> > > > > -- 
> > > > > Hinrikus Wolf
> > > > > 
> > > > > Fachschaft Mathematik/Physik/Informatik
> > > > > an der RWTH Aachen
> > > > > 
> > > > > Telefon:
> > > > > Karmanstr: +49 241 80 94506           Infozentrum: +49 241 80 26741
> > > > > f...@fsmpi.rwth-aachen.de               
> > > > > https://www.fsmpi.rwth-aachen.de
> > > > > _______________________________________________
> > > > > sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> > > > > To unsubscribe send an email to 
> > > > > sssd-users-le...@lists.fedorahosted.org
> > > > > Fedora Code of Conduct: 
> > > > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > > List Guidelines: 
> > > > > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > List Archives: 
> > > > > https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> > > > _______________________________________________
> > > > sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> > > > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> > > > Fedora Code of Conduct: 
> > > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > List Archives: 
> > > > https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> > > _______________________________________________
> > > sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> > > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> > > Fedora Code of Conduct: 
> > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives: 
> > > https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> > _______________________________________________
> > sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> > Fedora Code of Conduct: 
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: 
> > https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

Reply via email to