Hi,
I'm trying to make sssd work on CentOS-6.
It seems to find the user in AD (Win 2003) - but it ends up saying: ldap_result found nothing!
I'm hoping someone can give me an idea, as to why :(
Output (with debug_level=9 - slightly sanitized and anonymized) is:

(Fri May 3 15:10:25 2013) [sssd[be[default]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_users_next_base] (0x0400): Searching for users with base [ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=klavs)(objectclass=user))][ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [displayName]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x17e9bf0], connected[1], ops[0x17e8b60], ldap[0x17e97a0]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_entry] (0x4000): OriginalDN: [CN=klavs,OU=Konsulenter,OU=Brugere,OU=My Company,DC=sub,DC=example,DC=dk].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [displayName]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [userAccountControl]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [accountExpires]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [userPrincipalName]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimeStamp]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [uidNumber]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [unixHomeDirectory]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x17e9bf0], connected[1], ops[0x17e8b60], ldap[0x17e97a0]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_users_process] (0x0400): Search for users, returned 1 results.
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x4000): Save user
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x2000): Adding originalDN [CN=klavs,OU=Konsulenter,OU=Brugere,OU=My Company,DC=sub,DC=example,DC=dk] to attributes of [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x1000): Adding original memberOf attributes to [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20130429063553.0Z] to attributes of [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x1000): Adding user principal [klavs@SUB.EXAMPLE.DK] to attributes of [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowLastChange is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMin is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMax is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowWarning is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowInactive is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowExpire is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowFlag is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): krbLastPwdChange is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): krbPasswordExpiration is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): pwdAttribute is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedService is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding adAccountExpires [9223372036854775807] to attributes of [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding adUserAccountControl [512] to attributes of [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): nsAccountLock is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedHost is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginDisabled is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginExpirationTime is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginAllowedTimeMap is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user klavs
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [userPassword] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [loginShell] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [uniqueID] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowLastChange] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMin] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMax] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowWarning] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowInactive] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowExpire] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowFlag] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [krbLastPwdChange] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [krbPasswordExpiration] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [pwdAttribute] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authorizedService] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [nsAccountLock] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authorizedHost] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginDisabled] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginExpirationTime] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginAllowedTimeMap] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3)
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): commit ldb transaction (nesting: 2)
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_users] (0x4000): User 0 processed!
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_users_process] (0x4000): Saving 1 Users - Done
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x17e9bf0], connected[1], ops[(nil)], ldap[0x17e97a0]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
sssd.conf:

[domain/default]
debug_level = 9
enumerate = false
min_id = 5000
ldap_id_use_start_tls = False
cache_credentials = True
#these two are ACTUALLY written with EXAMPLE.COM - as I don't want kerberos right now - just LDAP
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://dc01.sub.example.dk
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_referrals = true
ldap_default_bind_dn = ldap@sub.example.dk
ldap_default_authtok_type = password
ldap_default_authtok = mypassword
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_search_scope = sub
ldap_user_search_base = ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk
ldap_search_base = OU=My Company,dc=sub,dc=example,DC=dk
ldap_group_search_base = ou=Grupper,ou=My Company,dc=sub,dc=example,dc=dk
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_gecos = displayName
#ldap_user_shell = msSFU30LoginShell

[sssd]
services = nss, pam
config_file_version = 2
domains = default
Ohh - and an ldapsearch for the same user gives this:

# klavs, Konsulenter, Brugere, My Company, sub.example.dk
dn: CN=klavs,OU=Konsulenter,OU=Brugere,OU=My Company,dc=sub,dc=example,DC=dk
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: klavs
sn: Klavsen
l: Hvidovre
title: Ekstern
description: valid user
postalCode: 2650
givenName: Klavs Thun
distinguishedName: CN=klavs,OU=Konsulenter,OU=Brugere,OU=My Company,DC=ks, DC=kk,DC=dk
instanceType: 4
whenCreated: 20121128112538.0Z
whenChanged: 20130429063611.0Z
displayName: Klavs Klavsen
uSNCreated: 282284965
memberOf: CN=AutomatiseringsRepository-WriteAccess,OU=Grupper,OU=My Company,dc=sub,dc=example,DC=dk
memberOf: CN=Linux-Users,OU=Grupper,OU=My Company,dc=sub,dc=example,DC=dk
uSNChanged: 296661668
streetAddress:: SMOmZGVyZGFsc3Zlag==
name: klavs
objectGUID:: HdeNtrTkd0iRRGGDfF6ZMw==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 130117003214581477
lastLogoff: 0
lastLogon: 130120372138372081
scriptPath: logon.bat
pwdLastSet: 130077321450480274
primaryGroupID: 513
userParameters:: ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI CAgUAcaCAFDdHhDZmdQcmVzZW5045S15pSx5oiw44GiGAgBQ3R4Q2ZnRmxhZ3Mx44Cw44Gm44Cy44 ...(more chars) Sy5oi244y35pSy5oi25oi25pSy45C25oi25oy144C344i35pi245i246S25oy245S245Cy5oy144i 045Sz45iz45i144Cw
objectSid:: AQ...[cut]
accountExpires: 9223372036854775807
logonCount: 722
sAMAccountName: klavs
sAMAccountType: 805306368
userPrincipalName: klavs@sub.example.dk
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=dk
lastLogonTimestamp: 130116909538305016
mail: klavs@vsen.dk
mobile: 61000000
gidNumber: 5000
uidNumber: 5002
unixHomeDirectory: /home/klavs
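A debug_level=9 trace like the one above is several hundred lines per lookup, and the line that catches the eye is not always the one that matters. As an added example (not from the post and not sssd's own tooling), here is a small Python parser for that log format. It reduces one back-end lookup to the facts needed for triage: the filter and base sent to the server, the DNs that came back, the LDAP result code, the count reported by sdap_get_users_process, the status acctinfo_callback handed back to the responder, the requested attributes the entry did not carry, the attributes stripped from the cached user, and whether "ldap_result found nothing!" was logged after the request was already processed with ops[(nil)] (no operation outstanding) in the preceding connection trace. The sample log inside the block is a constructed excerpt in the same format with the same function names and messages as the trace above; it is not the poster's complete output. The regular expressions and the verdict wording are this example's own.

```python
import re

# Constructed excerpt in the sssd debug_level=9 line format of the trace above
# (same functions and messages; not the poster's complete log).
SAMPLE_LOG = """\
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=klavs)(objectclass=user))][ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_entry] (0x4000): OriginalDN: [CN=klavs,OU=Konsulenter,OU=Brugere,OU=My Company,DC=sub,DC=example,DC=dk].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_users_process] (0x0400): Search for users, returned 1 results.
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowLastChange is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [userPassword] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [loginShell] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x17e9bf0], connected[1], ops[(nil)], ldap[0x17e97a0]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
"""

# One sssd debug line: "(timestamp) [process] [function] (0xLEVEL): message".
# The process field nests brackets (sssd[be[default]]), hence the lazy match
# anchored by the "] [function] (0x" that always follows it.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# Messages worth pulling out of a user lookup (patterns written for this example).
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.*)\]\[(?P<base>.*)\]\.$")
DN_RE = re.compile(r"^OriginalDN: \[(?P<dn>.*)\]\.$")
LDAP_RESULT_RE = re.compile(r"^Search result: (?P<status>\w+)\((?P<code>\d+)\)")
RETURNED_RE = re.compile(r"^Search for users, returned (?P<n>\d+) results\.")
MISSING_RE = re.compile(r"^(?P<attr>\w+) is not available for \[(?P<user>[^\]]+)\]\.")
REMOVED_RE = re.compile(r"^Removing attribute \[(?P<attr>\w+)\] from \[(?P<user>[^\]]+)\]")
DONE_RE = re.compile(r"^Request processed\. Returned (?P<dp_err>\d+),(?P<errno>\d+),(?P<text>.*)$")
CONN_TRACE_RE = re.compile(r"^Trace: sh\[.*\], connected\[(?P<connected>\d)\], ops\[(?P<ops>[^\]]*)\]")
FOUND_NOTHING = "Trace: ldap_result found nothing!"


def parse_lines(text):
    """Return one dict per line in the sssd debug format; non-matching lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            rec = m.groupdict()
            rec["level"] = int(rec["level"], 16)  # "0x2000" -> 8192
            records.append(rec)
    return records


def summarize_lookup(text):
    """Reduce one back-end lookup trace to the facts needed to decide whether it failed."""
    s = {
        "searches": [],                  # (filter, base) pairs sent to the server
        "entries": [],                   # DNs of entries the server returned
        "ldap_result": None,             # (status, code) of the LDAP search
        "returned": None,                # entry count reported by sdap_get_users_process
        "missing_attrs": [],             # requested attributes the entry did not carry
        "removed_attrs": [],             # attributes dropped from the cached user
        "backend_result": None,          # (dp_err, errno, text) handed to the responder
        "ops_outstanding_at_end": None,  # ops[...] from the last connection trace
        "found_nothing_after_done": False,
    }
    done = False
    for rec in parse_lines(text):
        msg = rec["msg"]
        m = SEARCH_RE.search(msg)
        if m:
            s["searches"].append((m.group("filter"), m.group("base")))
            continue
        m = DN_RE.match(msg)
        if m:
            s["entries"].append(m.group("dn"))
            continue
        m = LDAP_RESULT_RE.match(msg)
        if m:
            s["ldap_result"] = (m.group("status"), int(m.group("code")))
            continue
        m = RETURNED_RE.match(msg)
        if m:
            s["returned"] = int(m.group("n"))
            continue
        m = MISSING_RE.match(msg)
        if m:
            s["missing_attrs"].append(m.group("attr"))
            continue
        m = REMOVED_RE.match(msg)
        if m:
            s["removed_attrs"].append(m.group("attr"))
            continue
        m = DONE_RE.match(msg)
        if m:
            s["backend_result"] = (int(m.group("dp_err")), int(m.group("errno")), m.group("text"))
            done = True
            continue
        m = CONN_TRACE_RE.match(msg)
        if m:
            s["ops_outstanding_at_end"] = m.group("ops")
            continue
        if msg == FOUND_NOTHING and done:
            s["found_nothing_after_done"] = True
    return s


def verdict(s):
    """One line a human can act on, derived only from what the trace itself says."""
    if s["backend_result"] is None:
        return "incomplete trace: no 'Request processed' line, the request never finished"
    dp_err, err, text = s["backend_result"]
    if dp_err != 0 or err != 0:
        return "back end reported failure: %s (%d,%d)" % (text, dp_err, err)
    if not s["returned"]:
        return "search succeeded but matched nothing; check filter/base: %r" % (s["searches"],)
    n = s["returned"]
    notes = ["lookup succeeded, %d entr%s cached" % (n, "y" if n == 1 else "ies")]
    if s["found_nothing_after_done"] and s["ops_outstanding_at_end"] == "(nil)":
        notes.append("'ldap_result found nothing!' was logged with ops[(nil)] after the request "
                     "completed, i.e. an idle poll of the connection rather than an error")
    if "loginShell" in s["removed_attrs"]:
        notes.append("the directory returned no loginShell, so the cached user has no shell")
    return "; ".join(notes)


if __name__ == "__main__":
    summary = summarize_lookup(SAMPLE_LOG)
    for key, value in summary.items():
        print("%-26s %r" % (key, value))
    print(verdict(summary))
```

Feed it the whole sssd_default.log instead of SAMPLE_LOG and read the verdict first: a non-zero pair in "Request processed. Returned x,y,..." or "returned 0 results" is a real failure, while the trailing "found nothing" trace with nothing outstanding is the connection being polled after the work is done. The removed-attribute list is also worth a look, since an attribute that the directory never returned (loginShell here, with ldap_user_shell commented out in the posted config) never reaches the cache.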
Klavs Klavsen said the following on 05/03/2013 03:24 PM:
Hi,
I'm trying to make sssd work on CentOS-6.
It seems to find the user in AD (Win 2003) - but it ends ups saying: ldap_result found nothing!
I'm hoping someone can give me an idea, as to why :(
Output (with debug_level=9 - slightly sanitized and anonymized) is: (Fri May 3 15:10:25 2013) [sssd[be[default]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_users_next_base] (0x0400): Searching for users with base [ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=klavs)(objectclass=user))][ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [displayName] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Fri May 3 15:10:25 2013) [sssd[be[default]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Fri May 3 15:10:25 2013) 
[sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8 (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x17e9bf0], connected[1], ops[0x17e8b60], ldap[0x17e97a0] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_entry] (0x4000): OriginalDN: [CN=klavs,OU=Konsulenter,OU=Brugere,OU=My Company,DC=sub,DC=example,DC=dk]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [displayName] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [userAccountControl] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [accountExpires] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [userPrincipalName] 
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimeStamp] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [uidNumber] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [unixHomeDirectory] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x17e9bf0], connected[1], ops[0x17e8b60], ldap[0x17e97a0] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_users_process] (0x0400): Search for users, returned 1 results. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): start ldb transaction (nesting: 0) (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x4000): Save user (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x2000): Adding originalDN [CN=klavs,OU=Konsulenter,OU=Brugere,OU=My Company,DC=sub,DC=example,DC=dk] to attributes o f [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x1000): Adding original memberOf attributes to [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20130429063553.0Z] to attributes of [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x1000): Adding user principal [klavs@SUB.EXAMPLE.DK] to attributes of [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowLastChange is not available for [klavs]. 
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMin is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMax is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowWarning is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowInactive is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowExpire is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowFlag is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): krbLastPwdChange is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): krbPasswordExpiration is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): pwdAttribute is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedService is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding adAccountExpires [9223372036854775807] to attributes of [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding adUserAccountControl [512] to attributes of [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): nsAccountLock is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedHost is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginDisabled is not available for [klavs]. 
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginExpirationTime is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginAllowedTimeMap is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user klavs
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [userPassword] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [loginShell] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [uniqueID] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowLastChange] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMin] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMax] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowWarning] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowInactive] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowExpire] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowFlag] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [krbLastPwdChange] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [krbPasswordExpiration] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [pwdAttribute] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authorizedService] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [nsAccountLock] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authorizedHost] from [klavs] 
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginDisabled] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginExpirationTime] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginAllowedTimeMap] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): commit ldb transaction (nesting: 1) (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_users] (0x4000): User 0 processed! (Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): commit ldb transaction (nesting: 0) (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_users_process] (0x4000): Saving 1 Users - Done (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_id_op_done] (0x4000): releasing operation connection (Fri May 3 15:10:25 2013) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x17e9bf0], connected[1], ops[(nil)], ldap[0x17e97a0] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
sssd.conf:
[domain/default]
debug_level = 9
enumerate = false
min_id = 5000
ldap_id_use_start_tls = False
cache_credentials = True
#these two are ACTUALLY written with EXAMPLE.COM - as I don't want kerberos right now - just LDAP
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://dc01.sub.example.dk
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_referrals = true
ldap_default_bind_dn = ldap@sub.example.dk
ldap_default_authtok_type = password
ldap_default_authtok = mypassword
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_search_scope = sub
ldap_user_search_base = ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk
ldap_search_base = OU=My Company,dc=sub,dc=example,DC=dk
ldap_group_search_base = ou=Grupper,ou=My Company,dc=sub,dc=example,dc=dk
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_gecos = displayName
#ldap_user_shell = msSFU30LoginShell

[sssd]
services = nss, pam
config_file_version = 2
domains = default
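A small parser for the debug trace above, added here as an example and not taken from sssd or from the thread: it splits entries that the archive has run together onto one line, extracts function, level and message, and summarises what the backend did with the request (search filter and base, result count, stored users, final return code). The sample text is a constructed subset of the entries quoted in the mail; all names in the code are mine.

```python
"""Summarise one sssd backend request from debug_level=9 output.
Added example for this thread, not sssd's own code. SAMPLE is a constructed
subset of the quoted trace, run together on one line as the archive shows it."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Entry layout: "(timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message"
ENTRY_RE = re.compile(
    r"\((?P<ts>[^)]+)\)\s+\[sssd\[be\[(?P<domain>[^\]]+)\]\]\]\s+"
    r"\[(?P<func>[^\]]+)\]\s+\((?P<level>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)"
)
# Zero-width split right before each "(Fri May 3 15:10:25 2013) [sssd[" stamp, so
# newline-separated and run-together input parse identically.
STAMP_RE = re.compile(r"(?=\(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}\) \[sssd\[)")

REQUEST_RE = re.compile(r"Got request for \[\d+\]\[\d+\]\[(?P<what>[^\]]+)\]")
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.+?)\]\[(?P<base>[^\]]*)\]")
RESULTS_RE = re.compile(r"Search for users, returned (?P<n>\d+) results")
STORE_RE = re.compile(r"Storing info for user (?P<user>\S+)")
RETURN_RE = re.compile(r"Request processed\. Returned (?P<code>\S+)")


@dataclass
class Entry:
    ts: str
    domain: str
    func: str
    level: int  # debug bitmask as printed, e.g. 0x0100
    msg: str


@dataclass
class Summary:
    requested: str | None = None  # e.g. "name=klavs"
    search_filter: str | None = None
    search_base: str | None = None
    results: int | None = None
    saved_users: list[str] = field(default_factory=list)
    returned: str | None = None  # e.g. "0,0,Success"
    idle_trace: bool = False  # "ldap_result found nothing!" seen after completion


def parse_entries(text: str) -> list[Entry]:
    """Split the text into entries and parse each; fragments that are not entries are skipped."""
    out = []
    for raw in STAMP_RE.split(text.replace("\n", " ")):
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append(Entry(m["ts"], m["domain"], m["func"], int(m["level"], 16), m["msg"].strip()))
    return out


def summarise(entries: list[Entry]) -> Summary:
    """Walk the entries in order and record what the backend did with the request."""
    s = Summary()
    ops_nil = False  # last sdap_process_result trace reported ops[(nil)]
    for e in entries:
        if m := REQUEST_RE.search(e.msg):
            s.requested = m["what"]
        elif m := SEARCH_RE.search(e.msg):
            s.search_filter, s.search_base = m["filter"], m["base"]
        elif m := RESULTS_RE.search(e.msg):
            s.results = int(m["n"])
        elif m := STORE_RE.search(e.msg):
            s.saved_users.append(m["user"])
        elif m := RETURN_RE.search(e.msg):
            s.returned = m["code"]
        elif e.func == "sdap_process_result":
            if "ldap_result found nothing" in e.msg:
                # In the quoted trace this follows "Request processed" and a
                # trace showing ops[(nil)], i.e. no operation was pending.
                s.idle_trace = ops_nil and s.returned is not None
            else:
                ops_nil = "ops[(nil)]" in e.msg
    return s


def verdict(s: Summary) -> str:
    """One-line reading of the summary."""
    if s.returned == "0,0,Success" and s.saved_users:
        note = " ('ldap_result found nothing!' came after completion, no op pending)" if s.idle_trace else ""
        return f"ok: {s.results} result(s) for [{s.requested}], stored {s.saved_users}{note}"
    return f"problem: results={s.results} stored={s.saved_users} returned={s.returned}"


# Constructed subset of the trace quoted in the mail (same entry format).
STAMP = "(Fri May 3 15:10:25 2013) [sssd[be[default]]] "
SAMPLE = (
    STAMP + "[be_get_account_info] (0x0100): Got request for [4097][1][name=klavs] "
    + STAMP + "[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with "
    "[(&(sAMAccountName=klavs)(objectclass=user))][ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk]. "
    + STAMP + "[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set "
    + STAMP + "[sdap_get_users_process] (0x0400): Search for users, returned 1 results. "
    + STAMP + "[sdap_save_user] (0x0400): Storing info for user klavs "
    + STAMP + "[acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success "
    + STAMP + "[sdap_process_result] (0x2000): Trace: sh[0x17e9bf0], connected[1], ops[(nil)], ldap[0x17e97a0] "
    + STAMP + "[sdap_process_result] (0x2000): Trace: ldap_result found nothing!"
)

if __name__ == "__main__":
    print(verdict(summarise(parse_entries(SAMPLE))))
```

Run against the full trace from the mail, it reports the request as completed with one result stored for klavs, which is what the "Returned 0,0,Success" line already says.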
Suggest upgrading to the latest version of sssd in CentOS and using the AD provider (man sssd-ad) instead. You'd simplify the configuration and it would work :)
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Klavs Klavsen
Sent: Friday, May 03, 2013 3:31 PM
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] finding user - but says ldap result empty
Ohh - and an ldapsearch for the same user gives this:
# klavs, Konsulenter, Brugere, My Company, sub.example.dk
dn: CN=klavs,OU=Konsulenter,OU=Brugere,OU=My Company,dc=sub,dc=example,DC=dk
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: klavs
sn: Klavsen
l: Hvidovre
title: Ekstern
description: valid user
postalCode: 2650
givenName: Klavs Thun
distinguishedName: CN=klavs,OU=Konsulenter,OU=Brugere,OU=My Company,DC=ks,
 DC=kk,DC=dk
instanceType: 4
whenCreated: 20121128112538.0Z
whenChanged: 20130429063611.0Z
displayName: Klavs Klavsen
uSNCreated: 282284965
memberOf: CN=AutomatiseringsRepository-WriteAccess,OU=Grupper,OU=My Company,dc=sub,dc=example,DC=dk
memberOf: CN=Linux-Users,OU=Grupper,OU=My Company,dc=sub,dc=example,DC=dk
uSNChanged: 296661668
streetAddress:: SMOmZGVyZGFsc3Zlag==
name: klavs
objectGUID:: HdeNtrTkd0iRRGGDfF6ZMw==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 130117003214581477
lastLogoff: 0
lastLogon: 130120372138372081
scriptPath: logon.bat
pwdLastSet: 130077321450480274
primaryGroupID: 513
userParameters:: ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI
 CAgUAcaCAFDdHhDZmdQcmVzZW5045S15pSx5oiw44GiGAgBQ3R4Q2ZnRmxhZ3Mx44Cw44Gm44Cy44
 ...(more chars)
 Sy5oi244y35pSy5oi25oi25pSy45C25oi25oy144C344i35pi245i246S25oy245S245Cy5oy144i
 045Sz45iz45i144Cw
objectSid:: AQ...[cut]
accountExpires: 9223372036854775807
logonCount: 722
sAMAccountName: klavs
sAMAccountType: 805306368
userPrincipalName: klavs@sub.example.dk
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=dk
lastLogonTimestamp: 130116909538305016
mail: klavs@vsen.dk
mobile: 61000000
gidNumber: 5000
uidNumber: 5002
unixHomeDirectory: /home/klavs
Klavs Klavsen said the following on 05/03/2013 03:24 PM:
Hi,
I'm trying to make sssd work on CentOS-6.
It seems to find the user in AD (Win 2003) - but it ends up saying: ldap_result found nothing!
I'm hoping someone can give me an idea, as to why :(
-- Regards, Klavs Klavsen, GSEC - kl@vsen.dk - http://www.vsen.dk - Tlf. 61281200
"Those who do not understand Unix are condemned to reinvent it, poorly." --Henry Spencer
_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
I tried switching to the ad provider, but then it wants a kerberos setup as well (and the client must have a valid keytab file too - a rather manual and time-consuming process).
Also - on some hosts, I use mod_auth_kerb in apache - and need to run that (and ONLY that) against a test AD domain - and mod_auth_kerb can only use /etc/krb5.conf - so if sssd can also only use /etc/krb5.conf (is that the case?) - then those would conflict - hence my desire to use LDAP only for now :)
I can't see anywhere in the man page for sssd-ad whether I can disable the kerberos/keytab part?
Ondrej Valousek said the following on 05/03/2013 03:55 PM:
Suggest upgrading to the latest version of sssd in CentOS and using the AD provider (man sssd-ad) instead. You'd simplify the configuration and it would work :)
-----Original Message----- From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Klavs Klavsen Sent: Friday, May 03, 2013 3:31 PM To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] finding user - but says ldap result empty
Ohh - and an ldapsearch for same users gives this: # klavs, Konsulenter, Brugere, My Company, sub.example.dk dn: CN=klavs,OU=Konsulenter,OU=Brugere,OU=My Company,dc=sub,dc=example,DC=dk objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: klavs sn: Klavsen l: Hvidovre title: Ekstern description: valid user postalCode: 2650 givenName: Klavs Thun distinguishedName: CN=klavs,OU=Konsulenter,OU=Brugere,OU=My Company,DC=ks, DC=kk,DC=dk instanceType: 4 whenCreated: 20121128112538.0Z whenChanged: 20130429063611.0Z displayName: Klavs Klavsen uSNCreated: 282284965 memberOf: CN=AutomatiseringsRepository-WriteAccess,OU=Grupper,OU=My Company,dc=sub,dc=example,DC=dk memberOf: CN=Linux-Users,OU=Grupper,OU=My Company,dc=sub,dc=example,DC=dk uSNChanged: 296661668 streetAddress:: SMOmZGVyZGFsc3Zlag== name: klavs objectGUID:: HdeNtrTkd0iRRGGDfF6ZMw== userAccountControl: 512 badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 130117003214581477 lastLogoff: 0 lastLogon: 130120372138372081 scriptPath: logon.bat pwdLastSet: 130077321450480274 primaryGroupID: 513 userParameters:: ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI CAgUAcaCAFDdHhDZmdQcmVzZW5045S15pSx5oiw44GiGAgBQ3R4Q2ZnRmxhZ3Mx44Cw44Gm44Cy44 ...(more chars) Sy5oi244y35pSy5oi25oi25pSy45C25oi25oy144C344i35pi245i246S25oy245S245Cy5oy144i 045Sz45iz45i144Cw objectSid:: AQ...[cut] accountExpires: 9223372036854775807 logonCount: 722 sAMAccountName: klavs sAMAccountType: 805306368 userPrincipalName: klavs@sub.example.dk objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=dk lastLogonTimestamp: 130116909538305016 mail: klavs@vsen.dk mobile: 61000000 gidNumber: 5000 uidNumber: 5002 unixHomeDirectory: /home/klavs
Klavs Klavsen said the following on 05/03/2013 03:24 PM:
Hi,
I'm trying to make sssd work on CentOS-6.
It seems to find the user in AD (Win 2003) - but it ends ups saying: ldap_result found nothing!
I'm hoping someone can give me an idea, as to why :(
Output (with debug_level=9 - slightly sanitized and anonymized) is: (Fri May 3 15:10:25 2013) [sssd[be[default]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_users_next_base] (0x0400): Searching for users with base [ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=klavs)(objectclass=user))][ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [displayName] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Fri May 3 15:10:25 2013) [sssd[be[default]]] 
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Fri May 3 15:10:25 2013) 
[sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8 (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x17e9bf0], connected[1], ops[0x17e8b60], ldap[0x17e97a0] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_entry] (0x4000): OriginalDN: [CN=klavs,OU=Konsulenter,OU=Brugere,OU=My Company,DC=sub,DC=example,DC=dk]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [displayName] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [userAccountControl] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [accountExpires] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [userPrincipalName] 
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimeStamp] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [uidNumber] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [unixHomeDirectory] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x17e9bf0], connected[1], ops[0x17e8b60], ldap[0x17e97a0] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_users_process] (0x0400): Search for users, returned 1 results. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): start ldb transaction (nesting: 0) (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x4000): Save user (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x2000): Adding originalDN [CN=klavs,OU=Konsulenter,OU=Brugere,OU=My Company,DC=sub,DC=example,DC=dk] to attributes o f [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x1000): Adding original memberOf attributes to [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20130429063553.0Z] to attributes of [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x1000): Adding user principal [klavs@SUB.EXAMPLE.DK] to attributes of [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowLastChange is not available for [klavs]. 
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMin is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMax is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowWarning is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowInactive is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowExpire is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowFlag is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): krbLastPwdChange is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): krbPasswordExpiration is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): pwdAttribute is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedService is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding adAccountExpires [9223372036854775807] to attributes of [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding adUserAccountControl [512] to attributes of [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): nsAccountLock is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedHost is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginDisabled is not available for [klavs]. 
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginExpirationTime is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginAllowedTimeMap is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user klavs
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [userPassword] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [loginShell] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [uniqueID] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowLastChange] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMin] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMax] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowWarning] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowInactive] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowExpire] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowFlag] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [krbLastPwdChange] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [krbPasswordExpiration] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [pwdAttribute] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authorizedService] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [nsAccountLock] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authorizedHost] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginDisabled] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginExpirationTime] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginAllowedTimeMap] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3)
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): commit ldb transaction (nesting: 2)
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_users] (0x4000): User 0 processed!
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_users_process] (0x4000): Saving 1 Users - Done
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x17e9bf0], connected[1], ops[(nil)], ldap[0x17e97a0]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
sssd.conf:

[domain/default]
debug_level = 9
enumerate = false
min_id = 5000
ldap_id_use_start_tls = False
cache_credentials = True
#these two are ACTUALLY written with EXAMPLE.COM - as I don't want kerberos right now - just LDAP
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://dc01.sub.example.dk
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_referrals = true
ldap_default_bind_dn = ldap@sub.example.dk
ldap_default_authtok_type = password
ldap_default_authtok = mypassword
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_search_scope = sub
ldap_user_search_base = ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk
ldap_search_base = OU=My Company,dc=sub,dc=example,DC=dk
ldap_group_search_base = ou=Grupper,ou=My Company,dc=sub,dc=example,dc=dk
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_gecos = displayName
#ldap_user_shell = msSFU30LoginShell

[sssd]
services = nss, pam
config_file_version = 2
domains = default
-- Regards, Klavs Klavsen, GSEC - kl@vsen.dk - http://www.vsen.dk - Tlf. 61281200
"Those who do not understand Unix are condemned to reinvent it, poorly." --Henry Spencer
_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
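Read in order, the posted log does not show the lookup failing: the same request logs "Search for users, returned 1 results.", "Saving 1 Users - Done" and "Request processed. Returned 0,0,Success", and the "ldap_result found nothing!" trace comes only after the connection trace shows ops[(nil)], i.e. with no operation left pending. What follows is an added example, not code from this thread or from the SSSD project: a small Python reader for the line format visible above ("(timestamp) [sssd[be[domain]]] [function] (0xlevel): message") that pulls those facts out of one back-end request, decodes the AD userAccountControl and accountExpires values SSSD stored, and lists which POSIX identity attributes the AD entry lacked (the "Removing attribute" lines). SAMPLE_LOG is constructed to mirror the posted lines, shortened; the warning texts and the RequestSummary field names are this example's own.

```python
"""Summarise one SSSD back-end request from debug_level=9 log lines.

Added example for this thread, not code from the original post or from the
SSSD project.  SAMPLE_LOG is constructed to mirror the posted lines.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# "(timestamp) [sssd[be[domain]]] [function] (0xlevel): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\)\s+\[sssd\[be\[(?P<domain>[^\]]+)\]\]\]\s+"
    r"\[(?P<func>[^\]]+)\]\s+\((?P<level>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)$")

ACCOUNTDISABLE = 0x0002                   # AD userAccountControl bit
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}   # AD accountExpires sentinels
FILETIME_EPOCH = 116444736000000000       # 1601-01-01 -> 1970-01-01, in 100ns
IDENTITY_ATTRS = {"uidNumber", "gidNumber", "unixHomeDirectory", "loginShell"}

SAMPLE_LOG = """\
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=klavs)(objectclass=user))][ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_users_process] (0x0400): Search for users, returned 1 results.
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding adAccountExpires [9223372036854775807] to attributes of [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding adUserAccountControl [512] to attributes of [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [loginShell] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_users_process] (0x4000): Saving 1 Users - Done
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x17e9bf0], connected[1], ops[(nil)], ldap[0x17e97a0]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
"""


@dataclass
class RequestSummary:
    lookup: Optional[str] = None            # e.g. "name=klavs"
    search_filter: Optional[str] = None
    search_base: Optional[str] = None
    entries_returned: Optional[int] = None
    result_code: Optional[str] = None       # e.g. "0,0,Success"
    account_disabled: Optional[bool] = None
    account_expires: Optional[datetime] = None   # None: never, or not seen
    missing_attrs: List[str] = field(default_factory=list)
    # "ldap_result found nothing!" seen after ops[(nil)], i.e. with no
    # operation pending, as opposed to while one was still in flight.
    empty_result_after_done: bool = False
    warnings: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def filetime_to_datetime(value: int) -> Optional[datetime]:
    """AD accountExpires (100ns ticks since 1601) to UTC; None means never."""
    if value in NEVER_EXPIRES:
        return None
    return datetime.fromtimestamp((value - FILETIME_EPOCH) / 10_000_000, tz=timezone.utc)


def summarise(lines) -> RequestSummary:
    s, ops_pending = RequestSummary(), True
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        func, msg = rec["func"], rec["msg"]
        if func == "be_get_account_info":
            m = re.search(r"\[((?:name|idnumber)=[^\]]+)\]", msg)
            s.lookup = m.group(1) if m else s.lookup
        elif func == "sdap_get_generic_ext_step" and "ldap_search_ext with" in msg:
            m = re.search(r"with \[(.+?)\]\[([^\]]*)\]", msg)
            if m:
                s.search_filter, s.search_base = m.groups()
        elif func == "sdap_get_users_process":
            if (m := re.search(r"returned (\d+) results", msg)):
                s.entries_returned = int(m.group(1))
        elif func == "sdap_attrs_add_ldap_attr":
            if (m := re.search(r"adUserAccountControl \[(\d+)\]", msg)):
                s.account_disabled = bool(int(m.group(1)) & ACCOUNTDISABLE)
            if (m := re.search(r"adAccountExpires \[(\d+)\]", msg)):
                s.account_expires = filetime_to_datetime(int(m.group(1)))
        elif func == "sysdb_remove_attrs":
            # SSSD drops from its cache every mapped attribute the entry lacked.
            m = re.search(r"Removing attribute \[([^\]]+)\]", msg)
            if m and m.group(1) in IDENTITY_ATTRS:
                s.missing_attrs.append(m.group(1))
        elif func == "acctinfo_callback":
            if (m := re.search(r"Returned (.+)$", msg)):
                s.result_code = m.group(1).strip()
        elif func == "sdap_process_result":
            if "ops[(nil)]" in msg:
                ops_pending = False
            elif "ldap_result found nothing" in msg:
                if ops_pending:
                    s.warnings.append("empty ldap_result while an operation was pending")
                else:
                    s.empty_result_after_done = True
    if s.entries_returned == 0:
        s.warnings.append("search matched nothing: check filter, base and bind account rights")
    if "loginShell" in s.missing_attrs:
        s.warnings.append("no loginShell in AD entry; set default_shell/override_shell")
    return s


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG.splitlines()))
```

Run it against a real /var/log/sssd/sssd_<domain>.log slice (one request, from the "Got request for" line to the next trace) and then confirm the NSS side of the same lookup with getent passwd <user>; the summary tells you whether the back end found the entry and which POSIX attributes it was missing, which is what decides what getent prints.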
Yes, Kerberos binding is in use in case of the ad provider. But you can override Kerberos realm configuration in sssd.conf (moreover, several realms can be configured in krb5.conf - I do not see the conflict). All you need is valid machine principal in /etc/krb5.keytab which can be easily obtained with 'net ads join'. To me, the Kerberos setup is much easier/safer than hassling with the ldap bind user.
That said, the ldap provider should work, too.
Ondrej
-----Original Message----- From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Klavs Klavsen Sent: Friday, May 03, 2013 4:05 PM To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] finding user - but says ldap result empty
I tried switching to ad provider, but then it wants kerberos setup as well (and the client must have a valid keytab file also - a rather manual and time-consuming process).
Also - on some hosts, I use mod_auth_kerb in apache - and need to run that (and ONLY that) against a test AD domain - and mod_auth_kerb can only use /etc/krb5.conf - so if sssd can also only use /etc/krb5.conf (is that the case?) - then those would conflict - hence my desire to use LDAP only for now :)
I can't see anywhere in the man page for sssd-ad, if I can disable kerberos/keytab part?
Ondrej Valousek said the following on 05/03/2013 03:55 PM:
Suggest upgrading to the latest version of sssd in CentOS and use the AD provider (man sssd-ad) instead. You simplify the configuration and it would work :)
-----Original Message----- From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Klavs Klavsen Sent: Friday, May 03, 2013 3:31 PM To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] finding user - but says ldap result empty
Ohh - and an ldapsearch for same users gives this:

# klavs, Konsulenter, Brugere, My Company, sub.example.dk
dn: CN=klavs,OU=Konsulenter,OU=Brugere,OU=My Company,dc=sub,dc=example,DC=dk
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: klavs
sn: Klavsen
l: Hvidovre
title: Ekstern
description: valid user
postalCode: 2650
givenName: Klavs Thun
distinguishedName: CN=klavs,OU=Konsulenter,OU=Brugere,OU=My Company,DC=ks, DC=kk,DC=dk
instanceType: 4
whenCreated: 20121128112538.0Z
whenChanged: 20130429063611.0Z
displayName: Klavs Klavsen
uSNCreated: 282284965
memberOf: CN=AutomatiseringsRepository-WriteAccess,OU=Grupper,OU=My Company,dc=sub,dc=example,DC=dk
memberOf: CN=Linux-Users,OU=Grupper,OU=My Company,dc=sub,dc=example,DC=dk
uSNChanged: 296661668
streetAddress:: SMOmZGVyZGFsc3Zlag==
name: klavs
objectGUID:: HdeNtrTkd0iRRGGDfF6ZMw==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 130117003214581477
lastLogoff: 0
lastLogon: 130120372138372081
scriptPath: logon.bat
pwdLastSet: 130077321450480274
primaryGroupID: 513
userParameters:: ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI
 CAgUAcaCAFDdHhDZmdQcmVzZW5045S15pSx5oiw44GiGAgBQ3R4Q2ZnRmxhZ3Mx44Cw44G m44Cy44 ...(more chars) Sy5oi244y35pSy5oi25oi25pSy45C25oi25oy144C344i35pi245i246S25oy245S245Cy5oy144i 045Sz45iz45i144Cw
objectSid:: AQ...[cut]
accountExpires: 9223372036854775807
logonCount: 722
sAMAccountName: klavs
sAMAccountType: 805306368
userPrincipalName: klavs@sub.example.dk
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=dk
lastLogonTimestamp: 130116909538305016
mail: klavs@vsen.dk
mobile: 61000000
gidNumber: 5000
uidNumber: 5002
unixHomeDirectory: /home/klavs
Klavs Klavsen said the following on 05/03/2013 03:24 PM:
-- Regards, Klavs Klavsen, GSEC - kl@vsen.dk - http://www.vsen.dk - Tlf. 61281200
"Those who do not understand Unix are condemned to reinvent it, poorly." --Henry Spencer
_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
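Ondrej's remark about the ldap bind user applies directly to the sssd.conf posted in the original message: the bind password sits in the file in clear (ldap_default_authtok_type = password), ldap_referrals is on against Active Directory, and ldap_access_order = expire with ldap_account_expire_policy = ad is set without access_provider = ldap, so under the default access_provider (permit) the expire/disabled state SSSD stores from AD (the adUserAccountControl and adAccountExpires lines in the log) is never consulted by SSSD's own access check. As an added example, not code from this thread or from the SSSD project, here is a Python audit of a [domain/...] section for those settings, with a constructed, trimmed copy of the posted config beside one constructed corrected variant. The checks follow the option defaults in sssd.conf(5) and sssd-ldap(5); the severity labels, finding codes and PLACEHOLDER password values are this example's own, and the file-mode check takes st_mode as a parameter so it runs without the real file.

```python
"""Audit the [domain/...] section of an sssd.conf for the settings that
matter when the ldap provider is pointed at Active Directory.

Added example for this thread, not code from the original post or from the
SSSD project.  POSTED_CONF is a constructed copy of the posted config,
trimmed to the options the audit reads, with a placeholder password;
HARDENED_CONF is one constructed corrected variant.
"""
import configparser
import stat
from typing import List, Optional, Tuple

Finding = Tuple[str, str, str]  # (severity, code, message)

POSTED_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://dc01.sub.example.dk
ldap_id_use_start_tls = False
ldap_referrals = true
ldap_default_bind_dn = ldap@sub.example.dk
ldap_default_authtok_type = password
ldap_default_authtok = PLACEHOLDER
ldap_access_order = expire
ldap_account_expire_policy = ad
"""

# Corrected variant: access_provider = ldap makes ldap_access_order act,
# referral chasing is off for AD, ldap_tls_reqcert = hard (the default) is
# stated explicitly, and the authtok is whatever sss_obfuscate(8) emitted
# (placeholder here).  SSSD also expects sssd.conf itself to be 0600 root.
HARDENED_CONF = POSTED_CONF.replace(
    "ldap_referrals = true", "ldap_referrals = false\nldap_tls_reqcert = hard"
).replace(
    "ldap_default_authtok_type = password\nldap_default_authtok = PLACEHOLDER",
    "ldap_default_authtok_type = obfuscated_password\n"
    "ldap_default_authtok = OBFUSCATED_PLACEHOLDER",
).replace("auth_provider = ldap", "auth_provider = ldap\naccess_provider = ldap")


def _on(value: Optional[str], default: bool) -> bool:
    """Parse an sssd boolean (true/false, yes/no, 1/0, any case)."""
    return default if value is None else value.strip().lower() in ("true", "yes", "1")


def audit_domain(conf_text: str, domain: str,
                 file_mode: Optional[int] = None) -> List[Finding]:
    """Return findings for [domain/<domain>].  file_mode is the st_mode of
    sssd.conf when known (os.stat(path).st_mode); it is a parameter so the
    audit can run on a string without touching the real file."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    sect = f"domain/{domain}"
    if not cp.has_section(sect):
        return [("error", "NO_DOMAIN", f"section [{sect}] not found")]
    d = cp[sect]
    out: List[Finding] = []

    # ldap_access_* options only take effect under access_provider = ldap;
    # the default access_provider is permit, so the AD expiry/disabled state
    # SSSD caches (adUserAccountControl, adAccountExpires) goes unused.
    if d.get("access_provider", "permit").strip() != "ldap" and (
            "ldap_access_order" in d or "ldap_account_expire_policy" in d):
        out.append(("high", "ACCESS_NOT_ENFORCED",
                    "ldap_access_order/ldap_account_expire_policy set but "
                    "access_provider is not ldap (default: permit)"))

    # Transport: plain ldap:// without StartTLS sends lookups and the bind
    # password in clear; ldap_tls_reqcert never/allow skips cert validation.
    plain = [u for u in d.get("ldap_uri", "").split(",") if u.strip().startswith("ldap://")]
    if plain and not _on(d.get("ldap_id_use_start_tls"), False):
        out.append(("high", "CLEARTEXT_LDAP", "ldap:// URI with ldap_id_use_start_tls off"))
    if d.get("ldap_tls_reqcert", "hard").strip().lower() in ("never", "allow"):
        out.append(("high", "NO_CERT_VALIDATION",
                    "ldap_tls_reqcert disables server certificate validation"))

    # Bind credential at rest: clear-text authtok, and the file mode guarding it.
    if "ldap_default_authtok" in d:
        if d.get("ldap_default_authtok_type", "password").strip() == "password":
            out.append(("medium", "CLEARTEXT_BIND_PASSWORD",
                        "bind password stored in clear; sss_obfuscate only hides it "
                        "from casual reading, a machine keytab avoids storing it"))
        if file_mode is not None and stat.S_IMODE(file_mode) != 0o600:
            out.append(("high", "CONF_FILE_MODE",
                        f"sssd.conf mode {stat.S_IMODE(file_mode):04o}, expected 0600"))

    # Referral chasing is a documented performance problem against AD.
    if _on(d.get("ldap_referrals"), True):
        out.append(("low", "REFERRALS_ON",
                    "ldap_referrals on; turn off against AD unless actually needed"))
    if _on(d.get("enumerate"), False):
        out.append(("low", "ENUMERATE_ON", "enumerate = true pulls the whole directory"))
    return out


if __name__ == "__main__":
    for label, text, mode in (("posted", POSTED_CONF, 0o100644),
                              ("hardened", HARDENED_CONF, 0o100600)):
        print(label, audit_domain(text, "default", file_mode=mode) or "no findings")
```

To audit a live host, read /etc/sssd/sssd.conf into conf_text and pass os.stat("/etc/sssd/sssd.conf").st_mode as file_mode; the one finding the audit cannot make for you is Ondrej's, that a machine keytab from net ads join removes the stored bind password altogether.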
Also, many options from the ldap provider work for the ad provider, too - it is a little secret :)
O.
-----Original Message----- From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Ondrej Valousek Sent: Friday, May 03, 2013 4:14 PM To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] finding user - but says ldap result empty
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginExpirationTime is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginAllowedTimeMap is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user klavs
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [userPassword] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [loginShell] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [uniqueID] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowLastChange] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMin] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMax] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowWarning] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowInactive] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowExpire] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowFlag] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [krbLastPwdChange] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [krbPasswordExpiration] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [pwdAttribute] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authorizedService] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [nsAccountLock] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authorizedHost] from [klavs] 
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginDisabled] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginExpirationTime] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginAllowedTimeMap] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): commit ldb transaction (nesting: 1) (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_users] (0x4000): User 0 processed! (Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): commit ldb transaction (nesting: 0) (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_users_process] (0x4000): Saving 1 Users
- Done (Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_id_op_done] (0x4000): releasing operation connection (Fri May 3 15:10:25 2013) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x17e9bf0], connected[1], ops[(nil)], ldap[0x17e97a0] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
sssd.conf:
[domain/default]
debug_level = 9
enumerate = false
min_id = 5000
ldap_id_use_start_tls = False
cache_credentials = True
#these two are ACTUALLY written with EXAMPLE.COM - as I don't want kerberos right now - just LDAP
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://dc01.sub.example.dk
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_referrals = true
ldap_default_bind_dn = ldap@sub.example.dk
ldap_default_authtok_type = password
ldap_default_authtok = mypassword
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_search_scope = sub
ldap_user_search_base = ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk
ldap_search_base = OU=My Company,dc=sub,dc=example,DC=dk
ldap_group_search_base = ou=Grupper,ou=My Company,dc=sub,dc=example,dc=dk
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_gecos = displayName
#ldap_user_shell = msSFU30LoginShell

[sssd]
services = nss, pam
config_file_version = 2
domains = default
-- Regards, Klavs Klavsen, GSEC - kl@vsen.dk - http://www.vsen.dk - Tlf. 61281200
"Those who do not understand Unix are condemned to reinvent it, poorly." --Henry Spencer
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
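As an added example (not from the original post, nor SSSD's own code), here is a small Python parser for the sssd debug-log format quoted above, run over a constructed sample made of a few of the lines from that log. It pulls out the search filter and base, the result count and the final request status, and classifies every entry by its debug-level bit mask (the masks are the ones documented in sssd.conf(5)), so that a 0x2000 internal trace such as "ldap_result found nothing!" can be told apart from a message logged at a failure level.

```python
import re

# One sssd debug entry at debug_level=9 looks like:
#   (timestamp) [sssd[be[<domain>]]] [function] (0xLEVEL): message
ENTRY_RE = re.compile(
    r"\((?P<ts>[^)]+)\) \[(?P<proc>sssd[^ ]*)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# debug_level masks from sssd.conf(5): 0x0010..0x0080 are failures (fatal,
# critical, serious, minor); 0x0100 and above are config/operation/trace.
FAILURE_MAX = 0x0080

# Constructed sample: a handful of lines taken from the log quoted above.
SAMPLE_LOG = """\
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=klavs)(objectclass=user))][ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_entry] (0x4000): OriginalDN: [CN=klavs,OU=Konsulenter,OU=Brugere,OU=My Company,DC=sub,DC=example,DC=dk].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_users_process] (0x0400): Search for users, returned 1 results.
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [loginShell] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
"""

def parse_entries(text):
    """Split a debug log into dicts; the level mask becomes an int."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["level"] = int(e["level"], 16)
            entries.append(e)
    return entries

def summarize_lookup(entries):
    """Reduce one user lookup to the facts worth checking: what was searched,
    what came back, how the request ended, and any failure-level entries."""
    s = {"filter": None, "base": None, "dn": None, "results": None,
         "status": None, "removed_attrs": [], "failures": []}
    for e in entries:
        msg = e["msg"]
        if (m := re.match(r"calling ldap_search_ext with \[(.*)\]\[(.*)\]\.$", msg)):
            s["filter"], s["base"] = m.group(1), m.group(2)
        elif (m := re.match(r"OriginalDN: \[(.*)\]\.$", msg)):
            s["dn"] = m.group(1)
        elif (m := re.match(r"Search for users, returned (\d+) results\.", msg)):
            s["results"] = int(m.group(1))
        elif (m := re.match(r"Removing attribute \[(\w+)\] from \[", msg)):
            s["removed_attrs"].append(m.group(1))  # attrs the entry did not carry
        elif (m := re.match(r"Request processed\. Returned (\d+),(\d+),(.*)", msg)):
            s["status"] = (int(m.group(1)), int(m.group(2)), m.group(3))
        if e["level"] <= FAILURE_MAX:  # real failures, not 0x1000/0x2000/0x4000 traces
            s["failures"].append((e["func"], msg))
    s["lookup_ok"] = (s["status"] is not None and s["status"][2] == "Success"
                      and (s["results"] or 0) > 0 and not s["failures"])
    return s
```

Feed it the full output of a single request (debug_level=9) and check `lookup_ok` and `failures`; for the log above the sssd side reports one entry, stored, status Success, and the "found nothing" line is a 0x2000 trace.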
Ondrej Valousek said the following on 05/03/2013 04:16 PM:
Also, many options from the ldap provider work for the ad provider, too - it is a little secret :) O.
work - as in setting an ldap_.. setting - is also used by the ad provider - so do I rename the setting to ad_.. ?
-----Original Message----- From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Ondrej Valousek Sent: Friday, May 03, 2013 4:14 PM To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] finding user - but says ldap result empty
Yes, Kerberos binding is in use in case of the ad provider. But you can override the Kerberos realm configuration in sssd.conf (moreover, several realms can be configured in krb5.conf - I do not see the conflict). All you need is a valid machine principal in /etc/krb5.keytab which can be easily obtained with 'net ads join'. To me, the Kerberos setup is much easier/safer than hassling with the ldap bind user.
I would like to do that - but it still requires me to manually login to 100+ servers, and add them to the domain :(
I'll try to make it work with the ad provider - while hoping someone knows what's up with the ldap provider, so I can use puppet to roll out the ldap config to all for now (and then set up puppet to switch to the ad provider - if the host has been joined to the AD :)
Should I use the samba3 or samba4 version for net ads join? (does it matter).
AFAIK samba3 should be fine - when I'm only going to have Linux clients, right?
Nope. Keep ldap notation. O.
Sent from Samsung Mobile
Klavs Klavsen kl@vsen.dk wrote: Ondrej Valousek said the following on 05/03/2013 04:16 PM: