On Thu, May 09, 2013 at 09:39:07AM -0400, Will_Darton@navyfederal.org wrote:
If this comes across as HTML sorry.. gotta find a better mail client for mailing lists... :/ I grabbed these logs right after attempting a su - espadmin, so that should narrow down what's there. I should mention this happens on any RHEL5 server, not just this specific one, but it only happens with a couple of accounts from the Global Catalog, not all of them... Which leads me to believe it's something specific to RHEL5 and these two accounts.. just not sure what is missing that RHEL5 is expecting?
Thanks for the assist.
Here is one peculiar thing - the SSSD was searching for a user entry and got two results. Are you sure you're not seeing a similar message on the RHEL6 clients?
(Thu May 9 09:34:47 2013) [sssd[be[nfcu]]] [sdap_get_initgr_user] (2): Expected one user entry and got 2
The other interesting point I found in the logs is:
(Thu May 9 09:34:46 2013) [sssd[be[nfcu]]] [sdap_save_user] (9): Save user
(Thu May 9 09:34:46 2013) [sssd[be[nfcu]]] [sdap_save_user] (1): no uid provided for [ESPAdmin] in domain [nfcu].
It seems that the SSSD didn't find the UID number... are you sure the SSSD is configured to read the correct attributes (and you're not missing a mapping to e.g. msSFU30UidNumber)?
Can you check if the POSIX attributes are replicated to the Global Catalog? (Sorry, in a rush right now, can't check.)
Can you simulate the search using ldapsearch?
Something like:
$ ldapsearch -H ldap://your.server:3268 -D "bind_dn" -w "bind_pwd" -b DC=nfcu,DC=net '(&(cn=espadmin)(objectclass=user))'
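
Added example, not part of the original messages: a shell filter for the LDIF that the ldapsearch above prints, checking the two conditions from the SSSD log (more than one entry for the user, and an entry with no UID attribute). The names check_posix_entries, sample_ldif and UID_ATTRS, the attribute list, and the sample DNs are assumptions made for illustration.

```shell
#!/bin/sh
# Reads ldapsearch LDIF on stdin, prints "<dn><TAB><uid or MISSING>" per entry
# plus a summary line; succeeds only for exactly one entry that carries a UID.
# Assumption: the attribute names SSSD could be mapped to.
UID_ATTRS="uidNumber msSFU30UidNumber"

check_posix_entries() {
    awk -v attrs="$UID_ATTRS" '
    function emit() {
        if (dn != "") {
            entries++
            if (uid == "") { missing++; uid = "MISSING" }
            printf "%s\t%s\n", dn, uid
        }
        dn = ""; uid = ""; last = ""
    }
    BEGIN { n = split(tolower(attrs), a, " "); for (k = 1; k <= n; k++) want[a[k]] = 1 }
    /^#/ { next }                                   # LDIF comment
    /^$/ { emit(); next }                           # blank line ends an entry
    /^ / { if (last == "dn") dn = dn substr($0, 2); next }   # folded DN line
    {
        i = index($0, ":"); if (i == 0) next
        last = tolower(substr($0, 1, i - 1))
        val = substr($0, i + 1); sub(/^:? */, "", val)   # "dn:: " stays base64
        if (last == "dn") dn = val
        else if ((last in want) && uid == "") uid = val
    }
    END {
        emit()
        printf "entries=%d missing_uid=%d\n", entries, missing
        exit !(entries == 1 && missing == 0)
    }'
}

# Constructed sample: two entries answer for one cn, one lacks a UID.
sample_ldif() {
    cat <<'EOF'
dn: CN=espadmin,OU=ConstructedA,DC=nfcu,DC=net
cn: espadmin
uidNumber: 10001

dn: CN=ESPAdmin,OU=ConstructedB,DC=nfcu,DC=net
cn: ESPAdmin

# numEntries: 2
EOF
}

sample_ldif | check_posix_entries || echo "not exactly one entry with a UID"
```

Against a real server, pipe the ldapsearch command into check_posix_entries instead of sample_ldif.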