Hi Jakub,
Thanks for the link, so I followed the troubleshooting and I notice I can't reach the data provider mentioned in step 4 ("If the command is reaching the NSS responder, does it get forwarded to the Data Provider?").
If I look at my sssd_nss log, I get the following, with a timestamp that matches my id <username> command:
(Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/MYDOMAIN.ca/root] to negative cache permanently
(Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/MYDOMAIN.ca/root] to negative cache permanently
(Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41eb90:domains@MYDOMAIN.ca]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [admin].
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'admin' matched without domain, user is admin
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [admin] from [<ALL>]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [admin@MYDOMAIN.ca]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41d420:1:admin@MYDOMAIN.ca]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [MYDOMAIN.ca][0x1001][FAST BE_REQ_USER][1][name=admin]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41d420:1:admin@MYDOMAIN.ca]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 1, 11, Fast reply - offline Will try to return what we have in cache
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41d420:1:admin@MYDOMAIN.ca]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
What would be the next step?
Thanks!
Thomas
________________________________________
From: Jakub Hrozek jhrozek@redhat.com
Sent: Monday, June 24, 2019 4:19 AM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: id / getent not finding AD users
On Tue, Jun 18, 2019 at 06:57:14PM +0000, Thomas Beaudry wrote:
Hi Guys,
I have 2 Ubuntu 16.04 servers that have their users run by AD. The sssd.conf and output of "realm list" is identical for both servers. However, one of them can't seem to find the AD users, so ssh fails. I tried doing id <user> and getent passwd <user> and it doesn't find them.
Do you know what the issue might be?
Not without logs, see: https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
Thanks,
Thomas
Here is my sssd.conf:
# cat /etc/sssd/sssd.conf
[autofs]
debug_level=1

[krb5]
debug_level=1

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3
debug_level=1

[sssd]
domains = MYDOMAIN.ca
config_file_version = 2
services = nss, pam, ssh, autofs
debug_level=1

[domain/MYDOMAIN.ca]
ad_domain = MYDOMAIN.ca
krb5_realm = MYDOMAIN.CA
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
#use_fully_qualified_names = True
override_homedir = /NAS/home/%u
fallback_homedir = /home/%u
access_provider = simple
debug_level=1
ignore_group_members=True
simple_allow_groups = perform_hpc
and output of realm list:
# realm list
MYDOMAIN.ca
  type: kerberos
  realm-name: MYDOMAIN.CA
  domain-name: MYDOMAIN?.ca
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups:
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
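
Added example (not part of the original thread and not SSSD code): a small parser for the sssd_nss.log format quoted above that pairs each NSS lookup with the Data Provider error reported for it and flags "offline" replies. The sample lines are constructed from the excerpt in this thread; the function names are hypothetical.

```python
import re

# Constructed sample in the sssd_nss.log format quoted in this thread.
SAMPLE_LOG = """\
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [admin].
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41d420:1:admin@MYDOMAIN.ca]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 1, 11, Fast reply - offline Will try to return what we have in cache
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41d420:1:admin@MYDOMAIN.ca]
"""

ENTRY = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<svc>\w+)\]\] "
                   r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
LOOKUP = re.compile(r"Running command \[\d+\]\[(?P<cmd>\w+)\] with input \[(?P<name>[^\]]*)\]")
DP_ERROR = re.compile(r"Error: \d+, \d+, (?P<text>.+?)(?: Will try|$)")

def parse_entries(text):
    """Split the log into entries; lines without a timestamp continue the previous one."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append(m.groupdict())
        elif entries and line.strip():
            entries[-1]["msg"] += " " + line.strip()
    return entries

def failed_lookups(text):
    """Return one finding per lookup whose Data Provider request failed.
    Assumption: lookups are not interleaved, so an error belongs to the last lookup seen."""
    findings, current = [], None
    for e in parse_entries(text):
        m = LOOKUP.search(e["msg"])
        if m:
            current = {"ts": e["ts"], "cmd": m["cmd"], "name": m["name"]}
        elif e["func"] == "nss_cmd_getby_dp_callback" and "Unable to get information" in e["msg"]:
            err = DP_ERROR.search(e["msg"])
            finding = dict(current or {"ts": e["ts"], "cmd": None, "name": None})
            finding["error"] = err["text"].strip() if err else e["msg"]
            finding["offline"] = "offline" in finding["error"].lower()
            findings.append(finding)
            current = None
    return findings

if __name__ == "__main__":
    for f in failed_lookups(SAMPLE_LOG):
        print(f"{f['ts']} {f['cmd']}({f['name']}): {f['error']} offline={f['offline']}")
```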