Hi Jakub,

Thanks for clarifying some of these items. I am relatively new to SSSD so I apologize in advance if I miss something basic in logs & configs.

I tried checking using "id" and "getent". "getent" does not return any output, whereas "id" returns with the following:

id: first.last: No such user

RODC has the same group structure as our writable domain controller and we have kept the SSSD config entries (access filters etc.) the same as those on CentOS servers connected to the writable DC, where SSSD works fine. So I believe the ldap_access_filter & search_base are correct for the user trying to authenticate.

When we created the keytab from the writable domain controller for this machine, we used the "rndpass" option, but on the server itself, kinit never asked for the password. Do you think there could be some issue here and sssd is not able to authenticate successfully in the first place? But I would assume the keytab is good because a direct ldapsearch works using the same keytab file.

The following is received in the SSSD logs when trying id "first.last".

(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sbus_dispatch] (0x4000): dbus conn: 0xa7a280
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [be_get_account_info] (0x0200): Got request for [0x1001][FAST BE_REQ_USER][1][name=first.last]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [be_req_set_domain] (0x0400): Changing request domain from [x.y.local] to [x.y.local]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=x,dc=y,dc=local]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_print_server] (0x2000): Searching <RODC IP>
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=first.last)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=x,dc=y,dc=local].
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_op_add] (0x2000): New operation 8 timeout 6
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_process_result] (0x2000): Trace: sh[0xa90570], connected[1], ops[0xaa1640], ldap[0xa6c050]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://abc.x.y.local/DC=abc,DC=x,DC=y,DC=local
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_process_result] (0x2000): Trace: sh[0xa90570], connected[1], ops[0xaa1640], ldap[0xa6c050]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://training.x.y.local/DC=training,DC=x,DC=y,DC=local
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_process_result] (0x2000): Trace: sh[0xa90570], connected[1], ops[0xaa1640], ldap[0xa6c050]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://DomainDnsZones.x.y.local/DC=DomainDnsZones,DC=x,DC=y,DC=local
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_process_result] (0x2000): Trace: sh[0xa90570], connected[1], ops[0xaa1640], ldap[0xa6c050]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_op_destructor] (0x2000): Operation 8 finished
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [generic_ext_search_handler] (0x4000): Request included referrals which were ignored.
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [generic_ext_search_handler] (0x4000):     Ref: ldap://abc.x.y.local/DC=abc,DC=x,DC=y,DC=local
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [generic_ext_search_handler] (0x4000):     Ref: ldap://training.x.y.local/DC=training,DC=x,DC=y,DC=local
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [generic_ext_search_handler] (0x4000):     Ref: ldap://DomainDnsZones.x.y.local/DC=DomainDnsZones,DC=x,DC=y,DC=local
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0xa841a0
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0xa926e0
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [ldb] (0x4000): Running timer event 0xa841a0 "ltdb_callback"
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [ldb] (0x4000): Destroying timer event 0xa926e0 "ltdb_timeout"
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [ldb] (0x4000): Ending timer event 0xa841a0 "ltdb_callback"
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=first.last))
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0xa84390
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0xa80fd0
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [ldb] (0x4000): Running timer event 0xa84390 "ltdb_callback"
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [ldb] (0x4000): Destroying timer event 0xa80fd0 "ltdb_timeout"
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [ldb] (0x4000): Ending timer event 0xa84390 "ltdb_callback"
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sysdb_search_groups] (0x2000): No such entry
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_process_result] (0x2000): Trace: sh[0xa90570], connected[1], ops[(nil)], ldap[0xa6c050]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
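The trace above already answers why id reports "No such user": the backend ran one LDAP search under dc=x,dc=y,dc=local, got three referrals and zero entries, and then told the responder "Failed to retrieve users". The filter it used is also informative, because it only accepts entries that carry a non-zero uidNumber. The script below is an added triage helper, not part of this thread or of SSSD itself: it parses sssd backend debug lines of the shape shown above, pulls out the requested name, the server and base that were searched, the filter, the ignored referrals and the result count, and turns them into plain findings. The sample log is constructed by condensing the trace in this message, with the RODC address replaced by the documentation placeholder 192.0.2.10; the findings it prints are the script's own interpretation of those lines.

```python
"""Triage helper for an SSSD backend (sssd_<domain>.log) user-lookup trace."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# One SSSD backend debug line:
# (timestamp) [sssd[be[domain]]] [function] (0xlevel): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$"
)
REQUEST_RE = re.compile(
    r"Got request for \[[^\]]*\]\[(?P<kind>[^\]]*)\]\[[^\]]*\]\[name=(?P<name>[^\]]*)\]"
)
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.*)\]\[(?P<base>[^\]]*)\]\.$")
SERVER_RE = re.compile(r"^Searching (?P<server>\S.*)$")
RESULT_RE = re.compile(r"Search for users, returned (?P<n>\d+) results\.")


@dataclass
class LookupSummary:
    domain: Optional[str] = None
    request_kind: Optional[str] = None
    requested_name: Optional[str] = None
    server: Optional[str] = None
    search_base: Optional[str] = None
    ldap_filter: Optional[str] = None
    result_count: Optional[int] = None
    backend_failed: bool = False
    referrals: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)

    @property
    def requires_posix_uid(self) -> bool:
        # SSSD only adds this clause when it expects POSIX IDs from the directory.
        return bool(self.ldap_filter) and "(uidNumber=*)" in self.ldap_filter


def parse_line(line: str) -> Optional[dict]:
    """Split one debug line into its fields, or None for lines in another shape."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def diagnose(s: LookupSummary) -> List[str]:
    """Plain-language findings derived only from what the trace shows."""
    out = []
    if s.requires_posix_uid:
        out.append("filter requires a non-zero POSIX uidNumber: an entry without "
                   "uidNumber on the queried server matches nothing")
    if s.result_count == 0 and s.referrals:
        out.append(f"0 entries under {s.search_base} on {s.server}; "
                   f"{len(s.referrals)} referral(s) to other naming contexts were ignored")
    elif s.result_count == 0:
        out.append(f"0 entries under {s.search_base} and no referrals: check base and filter")
    if s.backend_failed:
        out.append("backend reported 'Failed to retrieve users'; id/getent will see no user")
    return out


def summarize_lookup(lines: Iterable[str]) -> LookupSummary:
    """Walk a trace and collect the pieces that explain a user lookup."""
    s = LookupSummary()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        func, msg = rec["func"], rec["msg"].strip()
        s.domain = s.domain or rec["domain"]
        if func == "be_get_account_info" and (m := REQUEST_RE.search(msg)):
            s.request_kind, s.requested_name = m["kind"], m["name"]
        elif func == "sdap_print_server" and (m := SERVER_RE.match(msg)):
            s.server = m["server"]
        elif func == "sdap_get_generic_ext_step" and (m := SEARCH_RE.search(msg)):
            s.ldap_filter, s.search_base = m["filter"], m["base"]
        elif func == "generic_ext_search_handler" and msg.startswith("Ref: "):
            s.referrals.append(msg[len("Ref: "):])
        elif func == "sdap_search_user_process" and (m := RESULT_RE.search(msg)):
            s.result_count = int(m["n"])
        elif func == "sdap_get_users_done" and "Failed to retrieve users" in msg:
            s.backend_failed = True
    s.findings = diagnose(s)
    return s


# Constructed sample: the trace from this message condensed to the lines that matter,
# with the RODC address replaced by a documentation placeholder.
SAMPLE_LOG = """\
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [be_get_account_info] (0x0200): Got request for [0x1001][FAST BE_REQ_USER][1][name=first.last]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=x,dc=y,dc=local]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_print_server] (0x2000): Searching 192.0.2.10
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=first.last)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=x,dc=y,dc=local].
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://abc.x.y.local/DC=abc,DC=x,DC=y,DC=local
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [generic_ext_search_handler] (0x4000): Request included referrals which were ignored.
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [generic_ext_search_handler] (0x4000):     Ref: ldap://abc.x.y.local/DC=abc,DC=x,DC=y,DC=local
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [generic_ext_search_handler] (0x4000):     Ref: ldap://training.x.y.local/DC=training,DC=x,DC=y,DC=local
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [generic_ext_search_handler] (0x4000):     Ref: ldap://DomainDnsZones.x.y.local/DC=DomainDnsZones,DC=x,DC=y,DC=local
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
"""

if __name__ == "__main__":
    summary = summarize_lookup(SAMPLE_LOG.splitlines())
    print(f"{summary.request_kind} for {summary.requested_name!r} via {summary.server}")
    print(f"base={summary.search_base} results={summary.result_count} referrals={len(summary.referrals)}")
    for finding in summary.findings:
        print(" -", finding)
```

Run it against the real sssd_x.y.local.log instead of the sample (feed the file's lines to summarize_lookup) and the findings show at a glance whether the searched base, the queried server and the POSIX-attribute requirement in the filter match what the account on the RODC actually offers.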