All of my providers are AD; ID, access, auth and chgpass. I use the AD
provider for all 4 settings in 1.9 as well, seems to work fine.
I have my ldap_id_mapping set to true.
So, neither of those existing issues fit my setup, but thanks for the
effort!
Chris
On Fri, Jan 10, 2014 at 1:12 AM, Sumit Bose <sbose(a)redhat.com> wrote:
On Fri, Jan 10, 2014 at 01:03:35AM -0800, Chris Gray wrote:
> Hello all,
>
> I've been using SSSD 1.9 for a while now, and it works great. I'm setting
> up a Fedora 19 laptop which came with a newer version of SSSD, 1.11.3-1.
>
> I configured it much like I configure the installs of 1.9, using the ad
> provider for everything, and using msktutil to handle joining to my AD
> domain.
>
> When I attempted to login, I got access denied, so I increased the logging,
> restarted SSSD, and tried again. In the log, everything's looking good,
> until I get to sdap_save_user.
>
> [sdap_save_user] (0x0400) : Save user
> [sdap_save_user] (0x0040) : SID (redacted, but it is the correct SID for my account) does not belong to any known domain
> [sdap_save_users] (0x0040) : Failed to store user 0. Ignoring.
I guess you are using id_provider=ldap. If yes, this issue is already
known, see
https://fedorahosted.org/sssd/ticket/2172 and
https://fedorahosted.org/sssd/ticket/2175 and patches are currently
reviewed on the list.
Since you are using AD I would suggest to try the AD ID provider with
1.11.
HTH
bye,
Sumit
>
> My AD environment is a forest, and my Fedora laptop is joined to a child
> domain. SSSD is only configured for the child domain as well, I haven't
> tried multiple domain setups. So, SSSD should only know about the single
> domain.
>
> In sssd.conf, I do have ad_domain set to the FQDN.
>
> I'm sure this is probably something simple. Or it's related to the changes
> made in 1.11.2 for sdap_save_user: try to determine domain by SID.
>
> The domain portion of my SID is correct as well, and running psgetsid
> sidvalue for both my account and the domain SID returns the correct
> information.
>
> It finds my GC via DNS, and correctly uses the two local servers as the
> primary GC servers, with 32 backup servers. I'm sure that my laptop can't
> actually connect to all 34 domain controllers, due to firewalls. DNS
> contains the _gc entries for the remote GC servers, but has no current way
> to resolve the hosts.
>
> I'm currently assuming that the lack of connection to the other GC's cause
> it to fail to find out which domain the domain portion of my account's SID
> belongs to.
>
> Any help in pointing me towards a resolution would be appreciated.
>
> Thanks,
> Chris
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users