SSSD with different AD UPN Suffixes - sssd-users - Fedora mailing-lists

3 Feb 2015


      Hi,
I'm trying to authenticate Active Directory users with different UPN  
suffixes on my Linux machine.
As described in article (http://jhrozek.livejournal.com/3019.html) SSSD  
should support for enterprise logins:
"some users in AD might use a different Kerberos Principal suffix than the  
default one".
I have two users with different UPN - user1@domain.example.com and  
user2@department.example.com
#getent passwd user1@domain.example.com
returns valid user entry, but
#getent passwd user2@department.example.com
returns nothing...
What's wrong? Can anyone help me with this issue? Thanks!
Target system:
Red Hat Enterprise Linux Server release 7.0 (Maipo)
host1.domain.example.com 3.10.0-123.13.2.el7.x86_64 x86_64 x86_64 x86_64  
GNU/Linux
sssd-1.11.2-68.el7_0.6.x86_64
---------------------------------------------------------------
Active Directory Domain:
schema:  2008 R2
tld:     domain.example.com
---------------------------------------------------------------
Linux machine joined AD using command:
#adcli join domain.example.com -U admin -S dc1.domain.example.com -H  
host1.domain.example.com -v -W
---------------------------------------------------------------
sssd.conf:
[sssd]
config_file_version = 2
services = nss, pam
domains = DOMAIN.EXAMPLE.COM
[nss]
[pam]
[domain/DOMAIN.EXAMPLE.COM]
  debug_level = 10
  id_provider = ad
  auth_provider = ad
  chpass_provider = ad
  access_provider = ad
ad_domain = domain.example.com
  ad_server = dc1.domain.example.com,10.0.0.2
  ad_hostname = host1.domain.example.com
  ldap_id_mapping = false
  ldap_schema = rfc2307
  krb5_use_enterprise_principal = true
  enumerate = false
  entry_cache_timeout = 60
  fallback_homedir = /home/org/users/%u
  shell_fallback = /bin/false
  dyndns_update = true
---------------------------------------------------------------
krb5.conf:
[libdefaults]
  dns_lookup_realm = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true
  rdns = false
  default_realm = DOMAIN.EXAMPLE.COM
  default_ccache_name = KEYRING:persistent:%{uid}
dns_lookup_kdc = false
[realms]
DOMAIN.EXAMPLE.COM = {
   kdc = dc1.domain.example.com
   kdc = 10.0.0.2
   admin_server = dc1.domain.example.com
   admin_server = 10.0.0.2
   default_domain = domain.example.com
}
[domain_realm]
  .domain.example.com = DOMAIN.EXAMPLE.COM
   domain.example.com = DOMAIN.EXAMPLE.COM
[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}
---------------------------------------------------------------
sssd_DOMAIN.EXAMPLE.COM.log:
[sbus_dispatch] (0x4000): dbus conn: 0x7f75d0504770
[sbus_dispatch] (0x4000): Dispatching.
[sbus_message_handler] (0x4000): Received SBUS method [ping]
[sbus_dispatch] (0x4000): dbus conn: 0x7f75d0519b20
[sbus_dispatch] (0x4000): Dispatching.
[sbus_message_handler] (0x4000): Received SBUS method [getDomains]
[be_get_subdomains] (0x0400): Got get subdomains  
[forced][department.example.com]
[be_queue_request] (0x4000): Queue is empty, running request immediately.
[be_queue_request] (0x4000): Adding request to queue.
[sdap_id_op_connect_step] (0x4000): reusing cached connection
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with  
[objectclass=domain][DC=domain,DC=example,DC=com].
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 11
[sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1],  
ops[0x7f75d052de50], ldap[0x7f75d0521980]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
[sdap_parse_entry] (0x4000): OriginalDN: [DC=domain,DC=example,DC=com].
[sdap_parse_range] (0x2000): No sub-attributes for [objectSid]
[sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1],  
ops[0x7f75d052de50], ldap[0x7f75d0521980]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg  
set
[ad_master_domain_next_done] (0x0400): Found SID  
[S-1-5-21-1505972566-2156897661-2636268315].
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with  
[(&(DnsDomain=domain.example.com)(NtVer=\14\00\00\00))][].
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [netlogon]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 12
[sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1],  
ops[0x7f75d0530150], ldap[0x7f75d0521980]
[sdap_process_result] (0x2000): Trace: ldap_result found nothing!
[sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1],  
ops[0x7f75d0530150], ldap[0x7f75d0521980]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
[sdap_parse_entry] (0x4000): OriginalDN: [].
[sdap_parse_range] (0x2000): No sub-attributes for [netlogon]
[sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1],  
ops[0x7f75d0530150], ldap[0x7f75d0521980]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg  
set
[ad_master_domain_netlogon_done] (0x0400): Found flat name [DOMAIN].
[ad_master_domain_netlogon_done] (0x0400): Found forest  
[domain.example.com].
[ad_subdomains_master_dom_done] (0x0400): Connected to forest root,  
looking up child domains..
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with  
[(&(objectclass=trustedDomain)(trustType=2)(!(msDS-TrustForestTrustInfo=*)))][DC=domain,DC=example,DC=com].
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [flatName]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [trustPartner]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:  
[securityIdentifier]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [trustType]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [trustAttributes]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 13
[sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1],  
ops[0x7f75d052e870], ldap[0x7f75d0521980]
[sdap_process_result] (0x2000): Trace: ldap_result found nothing!
[sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1],  
ops[0x7f75d052e870], ldap[0x7f75d0521980]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
[sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1],  
ops[0x7f75d052e870], ldap[0x7f75d0521980]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
[sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1],  
ops[0x7f75d052e870], ldap[0x7f75d0521980]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
[sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1],  
ops[0x7f75d052e870], ldap[0x7f75d0521980]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg  
set
[sdap_id_op_done] (0x4000): releasing operation connection
[ad_subdomains_get_slave_domain_done] (0x1000): There are no changes
[get_subdomains_callback] (0x0400): Backend returned: (0, 0, <NULL>)  
[Success]
[be_queue_next_request] (0x4000): Request queue is empty.
[sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1],  
ops[(nil)], ldap[0x7f75d0521980]
[sdap_process_result] (0x2000): Trace: ldap_result found nothing!
[be_ptask_execute] (0x0400): Task [Cleanup of DOMAIN.EXAMPLE.COM]:  
executing task, timeout 10800 seconds
---------------------------------------------------------------
-- 
With best regards, Eugene JONIK Peregudov
mailto: eugene.peregudov@gmail.com