OK, maybe it’s this:
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_print_server] (0x2000): Searching 192.168.2.105:389
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1948593278-483253815-2868158363-1029))][cn=Default Trust View,cn=views,cn=accounts,dc=fs,dc=lan].
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 21
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_op_add] (0x2000): New operation 21 timeout 6
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_process_result] (0x2000): Trace: sh[0x56065d6cd580], connected[1], ops[0x56065d71df60], ldap[0x56065d6c4a10]
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_process_result] (0x2000): Trace: sh[0x56065d6cd580], connected[1], ops[0x56065d71df60], ldap[0x56065d6c4a10]
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_op_destructor] (0x2000): Operation 21 finished
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ipa_get_ad_override_done] (0x4000): No override found with filter [(&(objectClass=ipaOverrideAnchor)(ipaAnchorUUID=:SID:S-1-5-21-1948593278-483253815-2868158363-1029))].
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ipa_initgr_get_overrides_step] (0x1000): Processing group 2/4
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ipa_initgr_get_overrides_step] (0x0040): The group name=domainusers@fs.lan,cn=groups,cn=fs.lan,cn=sysdb has no UUID attribute objectSIDString, error!
--> here
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ipa_id_get_groups_overrides_done] (0x0040): IPA resolve user groups overrides failed [22].
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [be_mark_dom_offline] (0x1000): Marking subdomain start-line.local offline
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x56065d7255a0
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x56065d6f6dd0
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ldb] (0x4000): Running timer event 0x56065d7255a0 "ltdb_callback"
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ldb] (0x4000): Destroying timer event 0x56065d6f6dd0 "ltdb_timeout"
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ldb] (0x4000): Ending timer event 0x56065d7255a0 "ltdb_callback"
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [be_mark_subdom_offline] (0x1000): Marking subdomain start-line.local as inactive
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [22]: Invalid argument.
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [dp_reply_std_set] (0x0080): DP Error is OK on failed request?
(Tue Jul 24 23:53:31 2018) [sssd[be[fs.lan]]] [dp_req_done] (0x0400): DP Request [Initgroups #4]: Request handler finished [0]: Success
So this group doesn't have a SID (note that objectSIDString is what SSSD saves into its database, not the actual LDAP attribute). On the IPA side, all groups a trusted object is a member of must have the attribute ipaNTSecurityIdentifier. Does the group domainusers have one? You can check with "ipa group-show --all --raw domainusers".
BTW, when you established the trust, the ipa-adtrust-install command should have given you the option to generate SIDs for IPA objects. I don't know exactly how to generate the SIDs post-install, maybe one of the IPA developers would help me out. Looking at the --help output of ipa-adtrust-install there is an option --add-sids.
On 24 Jul 2018, at 19:33, Николай Савельев via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
Here are the logs after an authentication attempt via ssh.
Also the config files.
> 23.07.2018, 14:49, "Jakub Hrozek" <jhrozek(a)redhat.com>:
--
Regards, Николай.
<conf.tgz><sssd.tgz>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...