Hi,
I'm trying to authenticate Active Directory users with different UPN suffixes on my Linux machine. As described in the article (http://jhrozek.livejournal.com/3019.html), SSSD should support enterprise logins: "some users in AD might use a different Kerberos Principal suffix than the default one".
I have two users with different UPNs: user1@domain.example.com and user2@department.example.com
#getent passwd user1@domain.example.com
returns a valid user entry, but
#getent passwd user2@department.example.com
returns nothing...
What's wrong? Can anyone help me with this issue? Thanks!
Target system:
Red Hat Enterprise Linux Server release 7.0 (Maipo)
host1.domain.example.com 3.10.0-123.13.2.el7.x86_64 x86_64 x86_64 x86_64 GNU/Linux
sssd-1.11.2-68.el7_0.6.x86_64
---------------------------------------------------------------
Active Directory Domain:
schema: 2008 R2
tld: domain.example.com
---------------------------------------------------------------
Linux machine joined AD using command:
#adcli join domain.example.com -U admin -S dc1.domain.example.com -H host1.domain.example.com -v -W
---------------------------------------------------------------
sssd.conf:

[sssd]
config_file_version = 2
services = nss, pam
domains = DOMAIN.EXAMPLE.COM

[nss]

[pam]

[domain/DOMAIN.EXAMPLE.COM]
debug_level = 10
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ad_domain = domain.example.com
ad_server = dc1.domain.example.com,10.0.0.2
ad_hostname = host1.domain.example.com
ldap_id_mapping = false
ldap_schema = rfc2307
krb5_use_enterprise_principal = true
enumerate = false
entry_cache_timeout = 60
fallback_homedir = /home/org/users/%u
shell_fallback = /bin/false
dyndns_update = true
---------------------------------------------------------------
krb5.conf:

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = DOMAIN.EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
dns_lookup_kdc = false

[realms]
DOMAIN.EXAMPLE.COM = {
 kdc = dc1.domain.example.com
 kdc = 10.0.0.2
 admin_server = dc1.domain.example.com
 admin_server = 10.0.0.2
 default_domain = domain.example.com
}

[domain_realm]
.domain.example.com = DOMAIN.EXAMPLE.COM
domain.example.com = DOMAIN.EXAMPLE.COM

[appdefaults]
pam = {
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false
}
---------------------------------------------------------------
sssd_DOMAIN.EXAMPLE.COM.log:
[sbus_dispatch] (0x4000): dbus conn: 0x7f75d0504770
[sbus_dispatch] (0x4000): Dispatching.
[sbus_message_handler] (0x4000): Received SBUS method [ping]
[sbus_dispatch] (0x4000): dbus conn: 0x7f75d0519b20
[sbus_dispatch] (0x4000): Dispatching.
[sbus_message_handler] (0x4000): Received SBUS method [getDomains]
[be_get_subdomains] (0x0400): Got get subdomains [forced][department.example.com]
[be_queue_request] (0x4000): Queue is empty, running request immediately.
[be_queue_request] (0x4000): Adding request to queue.
[sdap_id_op_connect_step] (0x4000): reusing cached connection
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=domain][DC=domain,DC=example,DC=com].
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 11
[sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1], ops[0x7f75d052de50], ldap[0x7f75d0521980]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
[sdap_parse_entry] (0x4000): OriginalDN: [DC=domain,DC=example,DC=com].
[sdap_parse_range] (0x2000): No sub-attributes for [objectSid]
[sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1], ops[0x7f75d052de50], ldap[0x7f75d0521980]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
[ad_master_domain_next_done] (0x0400): Found SID [S-1-5-21-1505972566-2156897661-2636268315].
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(DnsDomain=domain.example.com)(NtVer=\14\00\00\00))][].
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [netlogon]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 12
[sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1], ops[0x7f75d0530150], ldap[0x7f75d0521980]
[sdap_process_result] (0x2000): Trace: ldap_result found nothing!
[sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1], ops[0x7f75d0530150], ldap[0x7f75d0521980]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
[sdap_parse_entry] (0x4000): OriginalDN: [].
[sdap_parse_range] (0x2000): No sub-attributes for [netlogon]
[sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1], ops[0x7f75d0530150], ldap[0x7f75d0521980]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
[ad_master_domain_netlogon_done] (0x0400): Found flat name [DOMAIN].
[ad_master_domain_netlogon_done] (0x0400): Found forest [domain.example.com].
[ad_subdomains_master_dom_done] (0x0400): Connected to forest root, looking up child domains..
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=trustedDomain)(trustType=2)(!(msDS-TrustForestTrustInfo=*)))][DC=domain,DC=example,DC=com].
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [flatName]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [trustPartner]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [securityIdentifier]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [trustType]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [trustAttributes]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 13
[sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1], ops[0x7f75d052e870], ldap[0x7f75d0521980]
[sdap_process_result] (0x2000): Trace: ldap_result found nothing!
[sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1], ops[0x7f75d052e870], ldap[0x7f75d0521980]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
[sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1], ops[0x7f75d052e870], ldap[0x7f75d0521980]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
[sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1], ops[0x7f75d052e870], ldap[0x7f75d0521980]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
[sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1], ops[0x7f75d052e870], ldap[0x7f75d0521980]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
[sdap_id_op_done] (0x4000): releasing operation connection
[ad_subdomains_get_slave_domain_done] (0x1000): There are no changes
[get_subdomains_callback] (0x0400): Backend returned: (0, 0, <NULL>) [Success]
[be_queue_next_request] (0x4000): Request queue is empty.
[sdap_process_result] (0x2000): Trace: sh[0x7f75d05225d0], connected[1], ops[(nil)], ldap[0x7f75d0521980]
[sdap_process_result] (0x2000): Trace: ldap_result found nothing!
[be_ptask_execute] (0x0400): Task [Cleanup of DOMAIN.EXAMPLE.COM]: executing task, timeout 10800 seconds
---------------------------------------------------------------
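To read what the debug log above records for the department.example.com lookup, here is a small Python helper, added here and not part of the post or of SSSD, that groups the sdap messages under the ldap_search_ext call that issued them and counts the entries and referrals each search returned; SAMPLE_LOG is an excerpt of the log above. Attributing messages to a search by function name is an assumption about the log layout, not an SSSD interface.

```python
import re

# One SSSD debug line has the shape "[function] (0xLEVEL): message".
LINE_RE = re.compile(r"^\[(?P<func>[^\]]+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.*?)\]\[(?P<base>.*)\]\.$")
MSGTYPE_RE = re.compile(r"Message type: \[(?P<type>[A-Z_]+)\]")
RESULT_RE = re.compile(r"Search result: (?P<result>.*)$")
COUNTED = {"LDAP_RES_SEARCH_ENTRY": "entries", "LDAP_RES_SEARCH_REFERENCE": "references"}
# Excerpt of the post's sssd_DOMAIN.EXAMPLE.COM.log, trimmed to the subdomain searches.
SAMPLE_LOG = """\
[be_get_subdomains] (0x0400): Got get subdomains [forced][department.example.com]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=domain][DC=domain,DC=example,DC=com].
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=trustedDomain)(trustType=2)(!(msDS-TrustForestTrustInfo=*)))][DC=domain,DC=example,DC=com].
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
"""

def summarize_searches(log_text):
    """Group sdap messages under the preceding ldap_search_ext call; one dict per search."""
    searches, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        func, msg = m.group("func"), m.group("msg")
        if func == "sdap_get_generic_ext_step" and (sm := SEARCH_RE.search(msg)):
            current = {"filter": sm.group("filter"), "base": sm.group("base") or "<rootDSE>",
                       "entries": 0, "references": 0, "result": None}
            searches.append(current)
        elif func == "sdap_process_message" and current is not None:
            tm = MSGTYPE_RE.search(msg)
            key = COUNTED.get(tm.group("type")) if tm else None
            if key:
                current[key] += 1
        elif func == "sdap_get_generic_ext_done" and current is not None:
            rm = RESULT_RE.search(msg)
            if rm:
                current["result"] = rm.group("result")
                current = None  # search finished; later messages belong to the next one
    return searches

def empty_searches(log_text):
    """Completed searches that returned no entries (the trustedDomain query in the post's log)."""
    return [s for s in summarize_searches(log_text) if s["result"] and s["entries"] == 0]
```

Run over the full log, the helper shows which of the three searches in the getDomains request returned entries and which came back with referrals only.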
sssd-users@lists.fedorahosted.org