Hi,
I'm trying to make sssd work on CentOS-6.
It seems to find the user in AD (Win 2003), but it ends up saying:
ldap_result found nothing!
I'm hoping someone can give me an idea as to why :(
Output (with debug_level=9 - slightly sanitized and anonymized) is:
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [be_get_account_info]
(0x0100): Got request for [4097][1][name=klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_id_op_connect_step]
(0x4000): reusing cached connection
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_users_next_base] (0x0400): Searching for users with base
[ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(sAMAccountName=klavs)(objectclass=user))][ou=Brugere,ou=My
Company,dc=sub,dc=example,dc=dk].
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [displayName]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[krbPasswordExpiration]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[loginExpirationTime]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[loginAllowedTimeMap]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result]
(0x2000): Trace: sh[0x17e9bf0], connected[1], ops[0x17e8b60],
ldap[0x17e97a0]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_message]
(0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_entry]
(0x4000): OriginalDN: [CN=klavs,OU=Konsulenter,OU=Brugere,OU=My
Company,DC=sub,DC=example,DC=dk].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectClass]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range]
(0x2000): No sub-attributes for [displayName]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberOf]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range]
(0x2000): No sub-attributes for [uSNChanged]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range]
(0x2000): No sub-attributes for [userAccountControl]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range]
(0x2000): No sub-attributes for [accountExpires]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range]
(0x2000): No sub-attributes for [sAMAccountName]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range]
(0x2000): No sub-attributes for [userPrincipalName]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range]
(0x2000): No sub-attributes for [modifyTimeStamp]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range]
(0x2000): No sub-attributes for [gidNumber]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range]
(0x2000): No sub-attributes for [uidNumber]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range]
(0x2000): No sub-attributes for [unixHomeDirectory]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result]
(0x2000): Trace: sh[0x17e9bf0], connected[1], ops[0x17e8b60],
ldap[0x17e97a0]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_message]
(0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_users_process]
(0x0400): Search for users, returned 1 results.
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): start ldb
transaction (nesting: 0)
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user]
(0x4000): Save user
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user]
(0x2000): Adding originalDN [CN=klavs,OU=Konsulenter,OU=Brugere,OU=My
Company,DC=sub,DC=example,DC=dk] to attributes of [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user]
(0x1000): Adding original memberOf attributes to [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp
[20130429063553.0Z] to attributes of [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user]
(0x1000): Adding user principal [klavs@SUB.EXAMPLE.DK] to attributes of
[klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_attrs_add_ldap_attr] (0x2000): shadowLastChange is not available
for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_attrs_add_ldap_attr] (0x2000): shadowMin is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_attrs_add_ldap_attr] (0x2000): shadowMax is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_attrs_add_ldap_attr] (0x2000): shadowWarning is not available for
[klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_attrs_add_ldap_attr] (0x2000): shadowInactive is not available for
[klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_attrs_add_ldap_attr] (0x2000): shadowExpire is not available for
[klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_attrs_add_ldap_attr] (0x2000): shadowFlag is not available for
[klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_attrs_add_ldap_attr] (0x2000): krbLastPwdChange is not available
for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_attrs_add_ldap_attr] (0x2000): krbPasswordExpiration is not
available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_attrs_add_ldap_attr] (0x2000): pwdAttribute is not available for
[klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_attrs_add_ldap_attr] (0x2000): authorizedService is not available
for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_attrs_add_ldap_attr] (0x2000): Adding adAccountExpires
[9223372036854775807] to attributes of [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_attrs_add_ldap_attr] (0x2000): Adding adUserAccountControl [512]
to attributes of [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_attrs_add_ldap_attr] (0x2000): nsAccountLock is not available for
[klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_attrs_add_ldap_attr] (0x2000): authorizedHost is not available for
[klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_attrs_add_ldap_attr] (0x2000): ndsLoginDisabled is not available
for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_attrs_add_ldap_attr] (0x2000): ndsLoginExpirationTime is not
available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_attrs_add_ldap_attr] (0x2000): ndsLoginAllowedTimeMap is not
available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]]
[sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for
[klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user]
(0x0400): Storing info for user klavs
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [userPassword] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [loginShell] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [uniqueID] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [shadowLastChange] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [shadowMin] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [shadowMax] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [shadowWarning] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [shadowInactive] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [shadowExpire] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [shadowFlag] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [krbLastPwdChange] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [krbPasswordExpiration] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [pwdAttribute] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [authorizedService] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [nsAccountLock] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [authorizedHost] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [ndsLoginDisabled] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [ndsLoginExpirationTime] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs]
(0x2000): Removing attribute [ndsLoginAllowedTimeMap] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): cancel
ldb transaction (nesting: 3)
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): commit
ldb transaction (nesting: 2)
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): commit
ldb transaction (nesting: 1)
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_users]
(0x4000): User 0 processed!
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): commit
ldb transaction (nesting: 0)
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_users_process]
(0x4000): Saving 1 Users - Done
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_id_op_done]
(0x4000): releasing operation connection
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [acctinfo_callback]
(0x0100): Request processed. Returned 0,0,Success
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result]
(0x2000): Trace: sh[0x17e9bf0], connected[1], ops[(nil)], ldap[0x17e97a0]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
sssd.conf:
[domain/default]
debug_level = 9
enumerate = false
min_id = 5000
ldap_id_use_start_tls = False
cache_credentials = True
# these two are ACTUALLY written with EXAMPLE.COM - as I don't want
# kerberos right now - just LDAP
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://dc01.sub.example.dk
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_referrals = true
ldap_default_bind_dn = ldap@sub.example.dk
ldap_default_authtok_type = password
ldap_default_authtok = mypassword
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_search_scope = sub
ldap_user_search_base = ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk
ldap_search_base = OU=My Company,dc=sub,dc=example,DC=dk
ldap_group_search_base = ou=Grupper,ou=My Company,dc=sub,dc=example,dc=dk
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_gecos = displayName
#ldap_user_shell = msSFU30LoginShell
[sssd]
services = nss, pam
config_file_version = 2
domains = default
--
Regards,
Klavs Klavsen, GSEC - kl@vsen.dk -
http://www.vsen.dk - Tlf. 61281200
"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer