Hi Jakub,
Thanks for the link, so I followed the troubleshooting and I notice I can't reach the
data provider mentioned in step 4 ("If the command is reaching the NSS responder,
does it get forwarded to the Data Provider?").
If I look at my sssd_nss log, I get this, with a timestamp that matches my id <username>
command:
(Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/MYDOMAIN.ca/root] to negative cache permanently
(Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/MYDOMAIN.ca/root] to negative cache permanently
(Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41eb90:domains@MYDOMAIN.ca]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [admin].
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'admin' matched without domain, user is admin
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [admin] from [<ALL>]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [admin@MYDOMAIN.ca]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41d420:1:admin@MYDOMAIN.ca]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [MYDOMAIN.ca][0x1001][FAST BE_REQ_USER][1][name=admin]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41d420:1:admin@MYDOMAIN.ca]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 1, 11, Fast reply - offline
Will try to return what we have in cache
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41d420:1:admin@MYDOMAIN.ca]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
What would be the next step?
Thanks!
Thomas
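
The step 4 check discussed in the message above (did the NSS responder forward the lookup to the Data Provider, and what came back), as an added example that is not part of the original thread or of SSSD itself. The function names are hypothetical, the sample is constructed from the log lines quoted above, and only the `[sssd[nss]]` line format shown in this thread is handled.

```python
import re

# Constructed sample: entries taken from the sssd_nss log quoted in this thread.
SAMPLE = """\
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [admin].
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41d420:1:admin@MYDOMAIN.ca]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 1, 11, Fast reply - offline
Will try to return what we have in cache
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
"""

# "(timestamp) [sssd[service]] [function] (0xLEVEL): message"
ENTRY = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<svc>\w+)\]\] "
                   r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\):\s?(?P<msg>.*)$")

def parse_entries(text):
    """Yield one dict per log entry. Lines without the header prefix (multi-line
    messages, or lines wrapped by a mail client) are joined to the previous entry."""
    current = None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            if current:
                yield current
            current = m.groupdict()
        elif current and line.strip():
            current["msg"] += " " + line.strip()
    if current:
        yield current

def dp_lookups(text):
    """Per client lookup: was it forwarded to the Data Provider, and did the DP report an error?"""
    lookups = []
    for e in parse_entries(text):
        if e["func"] == "nss_cmd_getbynam" and "Running command" in e["msg"]:
            m = re.search(r"\[\d+\]\[(\w+)\] with input \[([^\]]*)\]", e["msg"])
            if m:
                lookups.append({"command": m.group(1), "input": m.group(2),
                                "forwarded": False, "dp_error": None})
        elif lookups and e["func"] == "sss_dp_issue_request":
            lookups[-1]["forwarded"] = True       # request left the responder
        elif lookups and e["func"] == "nss_cmd_getby_dp_callback":
            err = re.search(r"Error: (.*?)(?: Will try|$)", e["msg"])
            lookups[-1]["dp_error"] = err.group(1).strip() if err else e["msg"]
    return lookups
```

A `dp_error` that mentions `offline` together with `forwarded: True` means the request did reach the Data Provider and the backend answered from offline mode; the reason for that is recorded in the domain log (`sssd_<domain>.log`), not in `sssd_nss.log`.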
________________________________________
From: Jakub Hrozek <jhrozek(a)redhat.com>
Sent: Monday, June 24, 2019 4:19 AM
To: sssd-users(a)lists.fedorahosted.org
Subject: [SSSD-users] Re: id / getent not finding AD users
On Tue, Jun 18, 2019 at 06:57:14PM +0000, Thomas Beaudry wrote:
Hi Guys,
I have 2 Ubuntu 16.04 servers that have their users run by AD. The sssd.conf and output
of "realm list" is identical for both servers. However, one of them can't
seem to find the AD users, so ssh fails. I tried doing id <user> and getent passwd
<user> and it doesn't find them.
Do you know what the issue might be?
Not without logs, see:
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
Thanks,
Thomas
Here is my sssd.conf:
# cat /etc/sssd/sssd.conf
[autofs]
debug_level=1
[krb5]
debug_level=1
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
debug_level=1
[sssd]
domains = MYDOMAIN.ca
config_file_version = 2
services = nss, pam, ssh, autofs
debug_level=1
[domain/MYDOMAIN.ca]
ad_domain = MYDOMAIN.ca
krb5_realm = MYDOMAIN.CA
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
#use_fully_qualified_names = True
override_homedir = /NAS/home/%u
fallback_homedir = /home/%u
access_provider = simple
debug_level=1
ignore_group_members=True
simple_allow_groups = perform_hpc
and output of realm list:
# realm list
MYDOMAIN.ca
type: kerberos
realm-name: MYDOMAIN.CA
domain-name: MYDOMAIN?.ca
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U
login-policy: allow-permitted-logins
permitted-logins:
permitted-groups:
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...