Thank you, Sumit. I am increasing the log level and am looking at the logs as a login attempt is made.


I am sure there is something simple I need to adjust here.


From: Sumit Bose <sbose@redhat.com>
Sent: 17 May 2018 10:35:09
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: Help with AD password
 
On Thu, May 17, 2018 at 08:22:27AM +0000, JOHE (John Hearns) wrote:
> I recently posted to this list regarding a very slow response when getting the groups for a user.
>
> The fix was to set
>
> ldap_schema = rfc2307bis
>
>
> Now 'groups' and 'id' return very quickly.  As an aside, is there an easy way to tell if rfc2307 or rfc2307bis are in operation on a given AD domain?
>
>
> The problem is now that my account cannot log in... My account is valid, and I can do 'id johe' and 'getent passwd johe' where johe is my account name. I just can't log in with my password.
>
> I am almost 100% sure my password is valid, as I can LDAP bind to the AD controller and perform ldap searches.
>
>
> Any help on debugging this issue is welcome.
>
> BTW my sAMAccountName is JOHE  but I think this is not case sensitive, from what I can see in the sssd logs.

Please have a look at
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html.

In your case the most interesting log files would be sssd_pam.log and
sssd_your.domain.name.log (and krb5_child.log if you use Kerberos
authentication). To get the most details here add debug_level=9 to the
[pam] and [domain/...] sections of sssd.conf.

bye,
Sumit

> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org