My tests with the new IPA client are done. With 'default_domain_suffix' and 'full_name_format' in the server's sssd.conf, trust users are not known on the IPA client's side. If I disable them on the server side and run 'sss_cache -E', trust users are known. From my point of view it's not important to have these options on the server side, so I will leave them out.

Thanks for the help!

Michael


On 18.08.2017 at 14:00, Michael Gusek via FreeIPA-users wrote:

Hello Jakub,

with my first tries I had the following entries in /etc/sssd/sssd.conf on the server side:

[sssd]
services = nss, sudo, pam, ssh
default_domain_suffix = example.com
full_name_format = %1$s
domains = ipa.example.com
debug_level = 10

When writing my first mail, I had disabled 'default_domain_suffix' and 'full_name_format', with no success on ipa-member.

In the meantime, I did some tests on ipa-member:

ipa-member> systemctl restart sssd
ipa-member> sss_cache -E
ipa-member> systemctl restart sssd
ipa-member> id username@example.com
uid=299801104(username@example.com) gid=299801104(username@example.com) groups=299801104(username@example.com),299800513(domänen-benutzer@example.com),299801109(mitarbeiter@example.com),556800008(ad_users@example.com)

So it works as expected. Now I've enabled 'default_domain_suffix' and 'full_name_format' in the server's sssd.conf, restarted sssd and run sss_cache. It's still working. I'm not sure if 'sss_cache' does some magical things. I will set up another IPA client and test the behavior on it.

Thanks,

Michael


On 18.08.2017 at 12:07, Jakub Hrozek via FreeIPA-users wrote:
On Fri, Aug 18, 2017 at 12:00:45PM +0200, Michael Gusek via FreeIPA-users wrote:
Hi,

for testing I've installed a FreeIPA server with a trust to an AD server. On IdM I can resolve AD users with 'id username@example.com', on the IdM member client I cannot.

AD domain is Server 2012R2 as 'example.com'
IdM is latest CentOS 7 with ipa-server-4.4.0-14.el7.centos.7.x86_64 as 'ipa.example.com'
IdM member client is latest CentOS 7 with sssd-client-1.14.0-43.el7_3.18.x86_64

Here is an example on a CentOS 7 client:
ipa-member> id username@example.com
id: 'username@example.com': no such user

Log messages, with log_level=10, show:
ipa-member> tail -f /var/log/sssd/sssd_ipa.example.com.log | grep s2n
(Fri Aug 18 11:38:08 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Fri Aug 18 11:38:08 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 13
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 14
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed.
(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_get_fqlist_done] (0x0040): s2n get_fqlist request failed.

Running on IdM:
ipa-server> id username@example.com
uid=299801104(username) gid=299801104(username) groups=299801104(username),299800513(domänen-benutzer),299801109(mitarbeiter),556800008(ad_users)
The s2n operation triggers, through a DS plugin on the IPA side, a
lookup through the SSSD NSS interface. So, tailing the sssd_nss logs
on the server would be a good start to make sure all the NSS operations
succeed.

By the way, the name resolution of the users from the trusted domain
does not include the domain name, just the username. How is that? Are
you sure you're not using some hacks like full_name_format = $1 on the
server side?

Any help is welcome.

Michael

----- /etc/sssd/sssd.conf on ipa-member -----
[domain/ipa.example.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa-server.ipa.example.com
chpass_provider = ipa
dyndns_update = True
ipa_server = _srv_, ipa-server.ipa.example.com
dyndns_iface = eth0
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 10

[sssd]
debug_level = 10
services = nss, sudo, pam, ssh
domains = ipa.example.com

[nss]
debug_level = 10
homedir_substring = /home

[pam]
debug_level = 10

[sudo]

[autofs]

[ssh]

[pac]
debug_level = 10

[ifp]

----- /etc/sssd/sssd.conf on ipa-server -----
[domain/ipa.example.com]

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa-server.ipa.example.com
chpass_provider = ipa
ipa_server = ipa-server.ipa.example.com
chpass_provider = ipa
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
subdomain_homedir = /home/%u
shell_fallback = /bin/bash
debug_level = 10

[sssd]
services = nss, sudo, pam, ssh
domains = ipa.example.com

[nss]
memcache_timeout = 600
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]


----- complete log messages for 'id username@example.com' on ipa-member -----
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sysdb_search_user_by_upn] (0x0400): No entry with upn [username@example.com] found.
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_req_done] (0x0400): DP Request [Account #5]: Request handler finished [0]: Success
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [_dp_req_recv] (0x0400): DP Request [Account #5]: Receiving request data.
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #5]: Finished. Success.
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_req_reply_std] (0x1000): DP Request [Account #5]: Returning [Success]: 0,0,Success
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1:1:U:ipa.example.com:name=username@example.com] from reply table
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_req_destructor] (0x0400): DP Request [Account #5]: Request removed.
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f14ec425550], connected[1], ops[(nil)], ldap[0x7f14ec409710]
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f14ec428290
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sbus_dispatch] (0x4000): Dispatching.
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][1][name=username@example.com]
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_attach_req] (0x0400): DP Request [Account #6]: New request. Flags [0x0001].
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 12
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sdap_op_add] (0x2000): New operation 12 timeout 6
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f14ec425550], connected[1], ops[0x7f14ec40ca10], ldap[0x7f14ec409710]
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sdap_op_destructor] (0x2000): Operation 12 finished
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_req_done] (0x0400): DP Request [Account #6]: Request handler finished [0]: Success
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [_dp_req_recv] (0x0400): DP Request [Account #6]: Receiving request data.
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #6]: Finished. Success.
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_req_reply_std] (0x1000): DP Request [Account #6]: Returning [Success]: 0,0,Success
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1:1:U:webtrekk.com:name=username@example.com] from reply table
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_req_destructor] (0x0400): DP Request [Account #6]: Request removed.
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f14ec425550], connected[1], ops[(nil)], ldap[0x7f14ec409710]
(Fri Aug 18 11:54:05 2017) [sssd[be[ipa.example.com]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list

-- 


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org

--

________________________________________________


Michael Gusek | System Administrator | Webtrekk GmbH |
t +49 30 755 415 302 | f +49 30 755 415 100 | w www.webtrekk.com
Amtsgericht/Local Court Berlin, HRB 93435 B | Geschäftsführer/CEO Christian Sauer und Wolf Lichtenstein

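As an added check that is not part of this thread, of SSSD or of FreeIPA: a small Python lint for the two things the thread converges on. First, name-rewriting options ('default_domain_suffix', 'full_name_format') in the [sssd] section of a host that runs 'ipa_server_mode = True', which is the configuration that left trust users unresolvable on the enrolled client. Second, s2n extended operations in a client's sssd_<domain>.log that finish with a non-zero LDAP result code, such as the 'No such object(32)' lines above. The sample configs and log lines are constructed from the messages in this thread; the function names and the finding text are my own.

```python
"""Lint sssd.conf for name-rewriting options on an IPA server and triage
sssd_<domain>.log for failed s2n (extdom) extended operations.

Added example for this thread; not code from the thread, SSSD or FreeIPA.
Sample configs and log lines are constructed from the messages above.
"""
import configparser
import re
from typing import Iterable, List, Tuple

# [sssd]-section options that change the names the IPA server's own NSS
# responder hands back. In ipa_server_mode the server answers client s2n
# requests through that responder, so a format without the domain part
# is what every enrolled client receives.
NAME_REWRITING_OPTIONS = ("default_domain_suffix", "full_name_format")

# Result line of an s2n extended operation; the number in parentheses is
# the LDAP result code (0 = success, 32 = noSuchObject).
S2N_RESULT = re.compile(
    r"\[ipa_s2n_exop_done\] \(0x[0-9a-f]+\): ldap_extended_operation result: "
    r"(?P<text>[^()]+)\((?P<code>\d+)\)"
)


def load_sssd_conf(text: str) -> configparser.ConfigParser:
    """Parse sssd.conf text. interpolation=None because values such as
    full_name_format = %1$s contain '%'; strict=False because the server
    config posted above repeats chpass_provider and SSSD tolerates that."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def is_ipa_server(cp: configparser.ConfigParser) -> bool:
    """True if any [domain/...] section runs SSSD in IPA server mode."""
    return any(
        cp.getboolean(section, "ipa_server_mode", fallback=False)
        for section in cp.sections()
        if section.startswith("domain/")
    )


def lint_sssd_conf(text: str) -> List[str]:
    """One finding per name-rewriting option set in [sssd] on an IPA server.
    Clients, and servers without those options, yield no findings."""
    cp = load_sssd_conf(text)
    if not is_ipa_server(cp) or not cp.has_section("sssd"):
        return []
    return [
        f"[sssd] {opt} = {cp.get('sssd', opt)} on an IPA server: trust users "
        "may become unresolvable on enrolled clients; remove it, restart sssd "
        "and run sss_cache -E on the clients"
        for opt in NAME_REWRITING_OPTIONS
        if cp.has_option("sssd", opt)
    ]


def s2n_failures(log_lines: Iterable[str]) -> List[Tuple[str, int]]:
    """(result text, LDAP code) for every s2n exop that did not end in Success(0)."""
    failures = []
    for line in log_lines:
        m = S2N_RESULT.search(line)
        if m and int(m.group("code")) != 0:
            failures.append((m.group("text").strip(), int(m.group("code"))))
    return failures


# Constructed from the server config posted in the thread (first attempt).
SERVER_CONF_WITH_REWRITING = """\
[domain/ipa.example.com]
id_provider = ipa
ipa_server_mode = True
ipa_server = ipa-server.ipa.example.com
chpass_provider = ipa
chpass_provider = ipa

[sssd]
services = nss, sudo, pam, ssh
default_domain_suffix = example.com
full_name_format = %1$s
domains = ipa.example.com
"""

# The same server with the two options removed, which is what ended up working.
SERVER_CONF_FIXED = SERVER_CONF_WITH_REWRITING.replace(
    "default_domain_suffix = example.com\n", ""
).replace("full_name_format = %1$s\n", "")

# The posted client config has no ipa_server_mode, so the lint stays quiet.
CLIENT_CONF = """\
[domain/ipa.example.com]
id_provider = ipa
ipa_server = _srv_, ipa-server.ipa.example.com

[sssd]
domains = ipa.example.com
"""

# Constructed from the sssd_ipa.example.com.log excerpt above, one entry per line.
SAMPLE_LOG = [
    "(Fri Aug 18 11:38:08 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 13",
    "(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Success(0), (null).",
    "(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null).",
    "(Fri Aug 18 11:38:09 2017) [sssd[be[ipa.example.com]]] [ipa_s2n_get_fqlist_next] (0x0040): s2n exop request failed.",
]

if __name__ == "__main__":
    for name, conf in (("server (as first posted)", SERVER_CONF_WITH_REWRITING),
                       ("server (fixed)", SERVER_CONF_FIXED),
                       ("client", CLIENT_CONF)):
        print(name, "->", lint_sssd_conf(conf) or "no findings")
    print("s2n failures:", s2n_failures(SAMPLE_LOG))
```

Run it against the real files with `lint_sssd_conf(open('/etc/sssd/sssd.conf').read())` on each IPA server and `s2n_failures(open('/var/log/sssd/sssd_ipa.example.com.log'))` on a client that cannot resolve trust users; a finding on the server together with code 32 on the client is the pattern this thread describes.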