On Mon, 2012-05-14 at 10:09 -0400, Stephen Gallagher wrote:
On Mon, 2012-05-14 at 15:58 +0200, Daniel Löw wrote:
> Hello!
>
> I'm using sssd 1.8 on an Ubuntu 12.04 laptop so that I can log in
> even when I am offline.
> Everything works great, but if I take the laptop home with me and
> connect it to my home network, I can't log in.
> Then it says that I have the wrong password. Then, if I want to be able
> to log in, I need to connect the laptop to my office network, and then I can
> log in. Logging in offline works great, unless I connect the laptop to a
> network that isn't my office network.
>
> I'm getting my password from Kerberos, and my account information
> from LDAP.
Is this happening with ANY network that isn't your office network? I
have a suspicion that what's happening is that your network has a very
"special" configuration that is evil. My guess is that the set of
entries that can be looked up in LDAP from within the office network is
different from the set of entries that can be looked up if you're
connecting from outside the office network.
In other words, let's say your username is dlow and you have an LDAP
entry "uid=dlow,cn=Users,cn=Accounts,dc=EXAMPLE,dc=COM" in LDAP. When
you're inside the corporate firewall, an LDAP search against
'(uid=dlow)' will return that entry. However, if your LDAP server
detects that you are connecting from OUTSIDE the corporate firewall, it
may just return "no such user".
This is a situation that SSSD cannot handle, because from its point of
view, you are "online" and the LDAP server answered the request with a
definitive statement of "this user does not exist or was deleted". So
for security reasons, we must remove the user locally (which also
deletes cached credentials).
One thing that you can do to check this is to run the following commands
while at work and at home:
1) Install the openldap client tools package (I'm not sure what the
package name is on Ubuntu, but on Fedora it would be openldap-clients)
2) Run the command:
ldapsearch -H ldap://corporate.ldapserver.example.com \
    -b "<user_search_base>" \
    "(uid=<yourusername>)"
Obviously, substitute corporate.ldapserver.example.com with the value
from ldap_uri in sssd.conf, <user_search_base> with
ldap_user_search_base from sssd.conf, and <yourusername> with your actual
username.
Sorry, I forgot to mention what you're looking for. You want to make
sure that what you get back from ldapsearch from both locations is
IDENTICAL.
Also, I forgot to say you may need to authenticate to your LDAP server
using whichever method your sssd.conf is using. (Use '-x' for anonymous
bind, '-x -D "DN of bind user" -W' for LDAP simple bind, or '-Y GSSAPI'
for Kerberos/GSSAPI bind, for which you would need to kinit ahead of
time.)
If you send us your sssd.conf, I can make these instructions more clear,
if you're having trouble.