Suggest upgrading to the latest version of sssd in CentOS and using the AD provider (man
sssd-ad) instead.
You would simplify the configuration and it would work :)
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Klavs Klavsen
Sent: Friday, May 03, 2013 3:31 PM
To: sssd-users(a)lists.fedorahosted.org
Subject: Re: [SSSD-users] finding user - but says ldap result empty
Ohh - and an ldapsearch for same users gives this:
# klavs, Konsulenter, Brugere, My Company, sub.example.dk
dn: CN=klavs,OU=Konsulenter,OU=Brugere,OU=My Company,dc=sub,dc=example,DC=dk
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: klavs
sn: Klavsen
l: Hvidovre
title: Ekstern
description: valid user
postalCode: 2650
givenName: Klavs Thun
distinguishedName: CN=klavs,OU=Konsulenter,OU=Brugere,OU=My Company,DC=ks, DC=kk,DC=dk
instanceType: 4
whenCreated: 20121128112538.0Z
whenChanged: 20130429063611.0Z
displayName: Klavs Klavsen
uSNCreated: 282284965
memberOf: CN=AutomatiseringsRepository-WriteAccess,OU=Grupper,OU=My Company,dc=sub,dc=example,DC=dk
memberOf: CN=Linux-Users,OU=Grupper,OU=My Company,dc=sub,dc=example,DC=dk
uSNChanged: 296661668
streetAddress:: SMOmZGVyZGFsc3Zlag==
name: klavs
objectGUID:: HdeNtrTkd0iRRGGDfF6ZMw==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 130117003214581477
lastLogoff: 0
lastLogon: 130120372138372081
scriptPath: logon.bat
pwdLastSet: 130077321450480274
primaryGroupID: 513
userParameters:: ...(more chars)
objectSid:: AQ...[cut]
accountExpires: 9223372036854775807
logonCount: 722
sAMAccountName: klavs
sAMAccountType: 805306368
userPrincipalName: klavs(a)sub.example.dk
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=dk
lastLogonTimestamp: 130116909538305016
mail: klavs(a)vsen.dk
mobile: 61000000
gidNumber: 5000
uidNumber: 5002
unixHomeDirectory: /home/klavs
Klavs Klavsen said the following on 05/03/2013 03:24 PM:
Hi,
I'm trying to make sssd work on CentOS-6.
It seems to find the user in AD (Win 2003) - but it ends up saying:
ldap_result found nothing!
I'm hoping someone can give me an idea, as to why :(
Output (with debug_level=9 - slightly sanitized and anonymized) is:
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_users_next_base] (0x0400): Searching for users with base [ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=klavs)(objectclass=user))][ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [displayName]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x17e9bf0], connected[1], ops[0x17e8b60], ldap[0x17e97a0]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_entry] (0x4000): OriginalDN: [CN=klavs,OU=Konsulenter,OU=Brugere,OU=My Company,DC=sub,DC=example,DC=dk].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [displayName]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [userAccountControl]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [accountExpires]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [userPrincipalName]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimeStamp]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [uidNumber]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [unixHomeDirectory]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x17e9bf0], connected[1], ops[0x17e8b60], ldap[0x17e97a0]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_users_process] (0x0400): Search for users, returned 1 results.
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x4000): Save user
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x2000): Adding originalDN [CN=klavs,OU=Konsulenter,OU=Brugere,OU=My Company,DC=sub,DC=example,DC=dk] to attributes of [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x1000): Adding original memberOf attributes to [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20130429063553.0Z] to attributes of [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x1000): Adding user principal [klavs(a)SUB.EXAMPLE.DK] to attributes of [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowLastChange is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMin is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMax is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowWarning is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowInactive is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowExpire is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowFlag is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): krbLastPwdChange is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): krbPasswordExpiration is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): pwdAttribute is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedService is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding adAccountExpires [9223372036854775807] to attributes of [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding adUserAccountControl [512] to attributes of [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): nsAccountLock is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedHost is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginDisabled is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginExpirationTime is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginAllowedTimeMap is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [klavs].
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user klavs
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [userPassword] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [loginShell] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [uniqueID] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowLastChange] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMin] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMax] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowWarning] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowInactive] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowExpire] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowFlag] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [krbLastPwdChange] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [krbPasswordExpiration] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [pwdAttribute] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authorizedService] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [nsAccountLock] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authorizedHost] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginDisabled] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginExpirationTime] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginAllowedTimeMap] from [klavs]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3)
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): commit ldb transaction (nesting: 2)
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_users] (0x4000): User 0 processed!
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_users_process] (0x4000): Saving 1 Users - Done
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x17e9bf0], connected[1], ops[(nil)], ldap[0x17e97a0]
(Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
sssd.conf:
[domain/default]
debug_level = 9
enumerate = false
min_id = 5000
ldap_id_use_start_tls = False
cache_credentials = True
#these two are ACTUALLY written with EXAMPLE.COM - as I don't want kerberos right now - just LDAP
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://dc01.sub.example.dk
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_referrals = true
ldap_default_bind_dn = ldap(a)sub.example.dk
ldap_default_authtok_type = password
ldap_default_authtok = mypassword
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_search_scope = sub
ldap_user_search_base = ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk
ldap_search_base = OU=My Company,dc=sub,dc=example,DC=dk
ldap_group_search_base = ou=Grupper,ou=My Company,dc=sub,dc=example,dc=dk
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_gecos = displayName
#ldap_user_shell = msSFU30LoginShell
[sssd]
services = nss, pam
config_file_version = 2
domains = default
--
Regards,
Klavs Klavsen, GSEC - kl(a)vsen.dk -
http://www.vsen.dk - Tlf. 61281200
"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
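
The AD-provider setup suggested in the reply at the top of this thread could look like the following; this is an added example, not configuration posted by either participant. It reuses the domain, server and search-base names from the posted sssd.conf and assumes the host has already been joined to the domain and holds a keytab in /etc/krb5.keytab, which the AD provider uses for its GSSAPI bind.

```ini
# Added example: /etc/sssd/sssd.conf using the AD provider (see sssd-ad(5)).
# Assumes an SSSD version that ships the AD provider and a host that is
# already joined to sub.example.dk.
[sssd]
services = nss, pam
config_file_version = 2
domains = sub.example.dk

[domain/sub.example.dk]
id_provider = ad
auth_provider = ad
chpass_provider = ad
# Takes over from ldap_access_order = expire with
# ldap_account_expire_policy = ad: the AD access provider
# rejects accounts that have expired in AD.
access_provider = ad

ad_domain = sub.example.dk
ad_server = dc01.sub.example.dk

# Use the uidNumber/gidNumber values stored in AD (5002/5000 in the
# ldapsearch output) instead of IDs generated from the objectSid,
# which is the AD provider's default behaviour.
ldap_id_mapping = False
min_id = 5000

# Optional: keep the narrower search bases from the LDAP configuration.
ldap_user_search_base = ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk
ldap_group_search_base = ou=Grupper,ou=My Company,dc=sub,dc=example,dc=dk

enumerate = false
cache_credentials = True

# No longer needed: the AD provider defaults to the AD schema
# (sAMAccountName, unixHomeDirectory, userPrincipalName, object classes
# user/group) and binds with GSSAPI using the host keytab, so the
# ldap_user_* mappings, ldap_default_bind_dn and the clear-text
# ldap_default_authtok can be dropped from the file.
```

sssd.conf must stay owned by root with mode 0600 either way; SSSD refuses to start otherwise.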