Suggest upgrading to the latest version of sssd in CentOS and use the AD provider (man sssd-ad) instead. You simplify the configuration and it would work :)
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Klavs Klavsen
Sent: Friday, May 03, 2013 3:31 PM
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] finding user - but says ldap result empty
Ohh - and an ldapsearch for the same user gives this:

# klavs, Konsulenter, Brugere, My Company, sub.example.dk
dn: CN=klavs,OU=Konsulenter,OU=Brugere,OU=My Company,dc=sub,dc=example,DC=dk
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: klavs
sn: Klavsen
l: Hvidovre
title: Ekstern
description: valid user
postalCode: 2650
givenName: Klavs Thun
distinguishedName: CN=klavs,OU=Konsulenter,OU=Brugere,OU=My Company,DC=ks, DC=kk,DC=dk
instanceType: 4
whenCreated: 20121128112538.0Z
whenChanged: 20130429063611.0Z
displayName: Klavs Klavsen
uSNCreated: 282284965
memberOf: CN=AutomatiseringsRepository-WriteAccess,OU=Grupper,OU=My Company,dc=sub,dc=example,DC=dk
memberOf: CN=Linux-Users,OU=Grupper,OU=My Company,dc=sub,dc=example,DC=dk
uSNChanged: 296661668
streetAddress:: SMOmZGVyZGFsc3Zlag==
name: klavs
objectGUID:: HdeNtrTkd0iRRGGDfF6ZMw==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 130117003214581477
lastLogoff: 0
lastLogon: 130120372138372081
scriptPath: logon.bat
pwdLastSet: 130077321450480274
primaryGroupID: 513
userParameters:: ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI CAgUAcaCAFDdHhDZmdQcmVzZW5045S15pSx5oiw44GiGAgBQ3R4Q2ZnRmxhZ3Mx44Cw44Gm44Cy44 ...(more chars) Sy5oi244y35pSy5oi25oi25pSy45C25oi25oy144C344i35pi245i246S25oy245S245Cy5oy144i 045Sz45iz45i144Cw
objectSid:: AQ...[cut]
accountExpires: 9223372036854775807
logonCount: 722
sAMAccountName: klavs
sAMAccountType: 805306368
userPrincipalName: klavs@sub.example.dk
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=dk
lastLogonTimestamp: 130116909538305016
mail: klavs@vsen.dk
mobile: 61000000
gidNumber: 5000
uidNumber: 5002
unixHomeDirectory: /home/klavs
Klavs Klavsen said the following on 05/03/2013 03:24 PM:
Hi,
I'm trying to make sssd work on CentOS-6.
It seems to find the user in AD (Win 2003) - but it ends up saying: ldap_result found nothing!
I'm hoping someone can give me an idea, as to why :(
Output (with debug_level=9 - slightly sanitized and anonymized) is:

(Fri May 3 15:10:25 2013) [sssd[be[default]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_users_next_base] (0x0400): Searching for users with base [ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=klavs)(objectclass=user))][ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [displayName]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x17e9bf0], connected[1], ops[0x17e8b60], ldap[0x17e97a0]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_entry] (0x4000): OriginalDN: [CN=klavs,OU=Konsulenter,OU=Brugere,OU=My Company,DC=sub,DC=example,DC=dk].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [displayName]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [userAccountControl]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [accountExpires]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [userPrincipalName]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimeStamp]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [uidNumber]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [unixHomeDirectory]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x17e9bf0], connected[1], ops[0x17e8b60], ldap[0x17e97a0]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_users_process] (0x0400): Search for users, returned 1 results.
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x4000): Save user
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x2000): Adding originalDN [CN=klavs,OU=Konsulenter,OU=Brugere,OU=My Company,DC=sub,DC=example,DC=dk] to attributes of [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x1000): Adding original memberOf attributes to [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20130429063553.0Z] to attributes of [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x1000): Adding user principal [klavs@SUB.EXAMPLE.DK] to attributes of [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowLastChange is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMin is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMax is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowWarning is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowInactive is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowExpire is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowFlag is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): krbLastPwdChange is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): krbPasswordExpiration is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): pwdAttribute is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedService is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding adAccountExpires [9223372036854775807] to attributes of [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding adUserAccountControl [512] to attributes of [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): nsAccountLock is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedHost is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginDisabled is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginExpirationTime is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginAllowedTimeMap is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user klavs
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [userPassword] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [loginShell] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [uniqueID] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowLastChange] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMin] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMax] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowWarning] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowInactive] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowExpire] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowFlag] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [krbLastPwdChange] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [krbPasswordExpiration] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [pwdAttribute] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authorizedService] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [nsAccountLock] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authorizedHost] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginDisabled] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginExpirationTime] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginAllowedTimeMap] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3)
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): commit ldb transaction (nesting: 2)
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_users] (0x4000): User 0 processed!
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_users_process] (0x4000): Saving 1 Users - Done
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x17e9bf0], connected[1], ops[(nil)], ldap[0x17e97a0]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
sssd.conf:

[domain/default]
debug_level = 9
enumerate = false
min_id = 5000
ldap_id_use_start_tls = False
cache_credentials = True
#these two are ACTUALLY written with EXAMPLE.COM - as I don't want kerberos right now - just LDAP
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://dc01.sub.example.dk
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_referrals = true
ldap_default_bind_dn = ldap@sub.example.dk
ldap_default_authtok_type = password
ldap_default_authtok = mypassword
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_search_scope = sub
ldap_user_search_base = ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk
ldap_search_base = OU=My Company,dc=sub,dc=example,DC=dk
ldap_group_search_base = ou=Grupper,ou=My Company,dc=sub,dc=example,dc=dk
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_gecos = displayName
#ldap_user_shell = msSFU30LoginShell

[sssd]
services = nss, pam
config_file_version = 2
domains = default
--
Regards,
Klavs Klavsen, GSEC - kl@vsen.dk - http://www.vsen.dk - Tlf. 61281200
"Those who do not understand Unix are condemned to reinvent it, poorly." --Henry Spencer
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
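As an added illustration of the reply's suggestion (not configuration from the thread or from the SSSD project), here is the same domain written for the AD provider; it reuses the domain name, server and search bases from the quoted sssd.conf and assumes the host has already been joined to the domain so that /etc/krb5.keytab holds the machine credentials, which replaces the ldap_default_bind_dn / ldap_default_authtok pair and keeps a cleartext bind password out of the file.

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = sub.example.dk

[domain/sub.example.dk]
debug_level = 9
id_provider = ad
auth_provider = ad
chpass_provider = ad
; access_provider = ad evaluates accountExpires / userAccountControl itself,
; replacing ldap_access_order = expire + ldap_account_expire_policy = ad
access_provider = ad

ad_domain = sub.example.dk
; assumption: dc01 is the DC to pin; leave ad_server unset to use DNS SRV lookup
ad_server = dc01.sub.example.dk
krb5_realm = SUB.EXAMPLE.DK
; assumption: keytab written by the domain join; no bind DN or password needed
krb5_keytab = /etc/krb5.keytab

; The AD provider derives POSIX IDs from objectSid by default. The user entry
; in the ldapsearch output carries uidNumber/gidNumber/unixHomeDirectory, so
; turn mapping off to keep those values (and keep min_id as before).
ldap_id_mapping = False
min_id = 5000
; The Global Catalog does not carry the POSIX attributes unless replicated
; into it; disable GC lookups so uidNumber/gidNumber are read from the DC.
ad_enable_gc = False

ldap_user_search_base = ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk
ldap_group_search_base = ou=Grupper,ou=My Company,dc=sub,dc=example,dc=dk

cache_credentials = True
; The original left ldap_user_shell commented out; supply defaults instead.
default_shell = /bin/bash
fallback_homedir = /home/%u
```

sAMAccountName, userPrincipalName, unixHomeDirectory and the AD object classes are the AD provider's built-in defaults, so the ldap_user_* attribute mappings from the original file are no longer needed.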