On Mon, 2012-05-14 at 10:09 -0400, Stephen Gallagher wrote:
> On Mon, 2012-05-14 at 15:58 +0200, Daniel Löw wrote:
>> I'm using sssd 1.8 on an Ubuntu 12.04 laptop, so that I can log in
>> even when I am offline.
>> Everything works great, but if I take the laptop home with me, and
>> connect it to my home network, I can't log in.
>> Then it says that I have the wrong password. Then if I want to be able
>> to log in I need to connect the laptop to my office network, then I can
>> log in. Login offline works great, unless I connect the laptop to a
>> network that isn't my office network.
>> I'm getting my password from Kerberos, and my account information
>> from LDAP.
> Is this happening with ANY network that isn't your office network? I
> have a suspicion that what's happening is that your network has a very
> "special" configuration that is evil. My guess is that the set of
> entries that can be looked up in LDAP from within the office network is
> different from the set of entries that can be looked up if you're
> connecting from outside the office network.
> In other words, let's say your username is dlow and you have an LDAP
> entry "uid=dlow,cn=Users,cn=Accounts,dc=EXAMPLE,dc=COM" in LDAP. When
> you're inside the corporate firewall, an LDAP search against
> '(uid=dlow)' will return that entry. However, if your LDAP server
> detects that you are connecting from OUTSIDE the corporate firewall, it
> may just return "no such user".
> This is a situation that SSSD cannot handle, because from its point of
> view, you are "online" and the LDAP server answered the request with a
> definitive statement of "this user does not exist or was deleted". So
> for security reasons, we must remove the user locally (which also
> deletes cached credentials).
> One thing that you can do to check this is to run the following commands
> while at work and at home:
> 1) Install the openldap client tools package (I'm not sure what the
> package name is on Ubuntu, but on Fedora it would be openldap-clients)
> 2) Run the command:
> ldapsearch -H ldap://corporate.ldapserver.example.com
> -b "<user_search_base>" \
> Obviously, substitute corporate.ldapserver.example.com with the value
> from ldap_uri in sssd.conf, <user_search_base> with
> ldap_user_search_base from sssd.conf and <yourusername> with your actual
> Sorry, I forgot to mention what you're looking for. You want to make
> sure that what you get back from ldapsearch from both locations is
> Also, I forgot to say you may need to authenticate to your LDAP server
> using whichever method your sssd.conf is using. (Use '-x' for anonymous
> bind, '-x -D "DN of bind user" -W' for LDAP simple bind, or '-Y
> for Kerberos/GSSAPI bind, which you would need to kinit as ahead of
> If you send us your sssd.conf, I can make these instructions more clear,
> if you're having trouble.
sssd-devel mailing list
It works now, the problem was
as you said, the ldap-server had an evil configuration, because when I tried to
connect to the ldap-server from the outside, I've got a reply that it was an ldap-server,
but I didn't get any info about the user.
So when I blocked the ldap-server in the firewall, I couldn't connect to the
ldap-server at all, and that solved the problem, because now I can log in offline and from
my home network.
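The check Stephen describes (run ldapsearch from both networks and compare what comes back) can be made repeatable with a small script. The following is an added example, not code from the thread or from the SSSD project: it assumes you have saved the ldapsearch output from each network to a file (the thread's command is truncated, so the `(uid=dlow)` filter in the comment is an assumption, as is the `-x` anonymous bind), and it ships with two constructed sample captures that reproduce the symptom: the office capture returns the entry, the home capture returns an empty result set, which is exactly the "this user does not exist" answer that makes SSSD drop the cached user and credentials.

```shell
#!/bin/sh
# Added example (not from the sssd-devel thread): compare two saved
# ldapsearch outputs to see whether a user entry is visible from both networks.
#
# Capture each file while on the respective network, e.g. (assumed command;
# substitute the ldap_uri and ldap_user_search_base values from sssd.conf):
#   ldapsearch -x -H ldap://corporate.ldapserver.example.com \
#       -b "<user_search_base>" "(uid=dlow)" > office.ldif

# entry_present FILE UID
# Returns 0 if FILE contains an LDIF entry whose DN starts with uid=UID, else 1.
entry_present() {
    # Every returned entry in ldapsearch's LDIF output starts with a "dn:" line.
    grep -qi "^dn: *uid=$2," "$1"
}

# compare_views OFFICE_FILE HOME_FILE UID
# Prints a verdict and returns:
#   0 - entry returned from both networks (SSSD cache will survive)
#   1 - entry returned from the office only (SSSD will treat the user as
#       deleted when online at home and purge the cached credentials)
#   2 - entry not returned from the office either (check base/filter/bind)
compare_views() {
    office=$1; home=$2; uid=$3
    if entry_present "$office" "$uid"; then
        if entry_present "$home" "$uid"; then
            echo "OK: $uid is returned from both networks"
            return 0
        fi
        echo "PROBLEM: $uid is returned from the office but not from home;" \
             "SSSD will see a definitive 'no such user' and remove the cached entry"
        return 1
    fi
    echo "NOT FOUND: $uid is not returned from the office either;" \
         "check ldap_user_search_base, the filter and the bind method"
    return 2
}

# make_samples DIR
# Writes two constructed sample captures (not real server output) into DIR.
make_samples() {
    cat > "$1/office.ldif" <<'EOF'
# extended LDIF
#
# LDAPv3
# base <cn=Users,cn=Accounts,dc=EXAMPLE,dc=COM> with scope subtree
# filter: (uid=dlow)
# requesting: ALL
#

# dlow, Users, Accounts, EXAMPLE.COM
dn: uid=dlow,cn=Users,cn=Accounts,dc=EXAMPLE,dc=COM
uid: dlow
cn: Daniel Low
objectClass: posixAccount

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
EOF
    cat > "$1/home.ldif" <<'EOF'
# extended LDIF
#
# LDAPv3
# base <cn=Users,cn=Accounts,dc=EXAMPLE,dc=COM> with scope subtree
# filter: (uid=dlow)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
EOF
}

# Stand-alone demo on the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
compare_views "$demo_dir/office.ldif" "$demo_dir/home.ldif" dlow
rm -rf "$demo_dir"
```

A return code of 1 is the situation in this thread: the server is reachable and answers "success" with zero entries, so SSSD is online and believes the user was deleted. Return code 2 usually means the capture itself was wrong (wrong base, wrong filter, or an anonymous bind where the server requires authentication), so fix the ldapsearch invocation before drawing conclusions about the server.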