[SSSD-users] sssd - CentOS to Active Directory - no errmsg set and returning 0 results
Sterling Sahaydak
2015-04-08 20:10:57 UTC
***Thanks in advance for taking the time to help and respond! - greatly
appreciated!!!!


I've set up Active Directory on Windows Server 2012 R2 and am trying to get ssh
and sudo access working from CentOS 6.6 (Final) using sssd 1.11.6.
Note: NOT using Kerberos, samba, adcli, realmd, etc.
Using: sssd, pam, nsswitch

I'm also using OpenLDAP 2.4.39 and was able to get ssh and sudo working
against it, so I'm familiar with the process.
Now, switching the process to work with AD, I've installed the
sudo.schema and rule in AD and added a user,

***but the underlying issue is that I can't seem to get users to authenticate
or retrieve group information.
ldap_search_ext called, msgid = 8
Search result: No such object(32), no errmsg set
Search for users, returned 0 results.
Failed to retrieve users

---------------------------------------------------

[***@ldap users]# cat /etc/*release
CentOS release 6.6 (Final)

[***@ldap users]# sssd --version
1.11.6


I setup a user in AD with the following configuration attributes:

For the User:

cn=abrown
displayName = Angela Brown
distinguishedName = CN=abrown,OU=Users,OU=example,DC=ad,DC=example,DC=com
gidNumber = 1500
givenName = Angela
homeDirectory = /home/abrown
mail = ***@example.com
objectCategory =
CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=example,DC=com
objectClass = top,organizationalPerson,person,user
objectGUID = F8 B2 23 2D AD B7 26 48 81 29 D0 DA 3D 00 DC B5
objectSid = 01 05 00 00 00 00 00 05 15 00 00 00 F9 F2 D8 AC AE FF 7F B8
FA EA AC 43 66 06 00 00
primaryGroupID = 513 = (GROUP_RID_USERS)
sAMAccountName = abrown
sAMAccountType = 805306368 = (NORMAL_USER_ACCOUNT)
sn = Brown
uid = abrown
userPrincipalName = ***@example.com


For the Group:

cn = allowedusers
distinguishedName =
CN=allowedusers,OU=Groups,OU=example,DC=ad,DC=example,DC=com
gidNumber = 1500
member = CN=abrown,OU=Users,OU=example,DC=ad,DC=example,DC=com
objectCategory =
CN=Group,CN=Schema,CN=Configuration,DC=ad,DC=example,DC=com
objectClass = top; group
objectGUID = 45 47 DA 79 D7 9E 5E 4B 87 17 E4 7C 71 D0 2E 1F
objectSid = 01 05 00 00 00 00 00 05 15 00 00 00 F9 F2 D8 AC AE FF 7F B8
FA EA AC 43 3D 08 00 00
sAMAccountName = allowedusers
sAMAccountType = 268435456 = (GROUP_OBJECT)

------------------------------------------
THE ISSUE(S):

So, when I run 'ls -l' it does not display the name for user 2000 or
group 1500.
When I do this connected to OpenLDAP it will display as abrown and
allowedusers, but not to AD as shown:

[***@ldap users]# ls -l
total 24
drwxr-xr-x. 2 2000 1500 4096 Apr 8 13:46 abrown

I had to manually add this: mkdir abrown
and then: chown 2000:1500 abrown

but if I: "getent passwd abrown" - nothing comes back!



Running sssd:
[***@ldap log]# /usr/sbin/sssd -i

.....
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [be_get_account_info]
(0x0100): Got request for [4097][1][idnumber=2000]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [be_req_set_domain]
(0x0400): Changing request domain from [LDAP] to [LDAP]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_id_op_connect_step]
(0x4000): reusing cached connection
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_search_user_next_base]
(0x0400): Searching for users with base
[ou=Users,ou=example,dc=ad,dc=example,dc=com]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with
[(&(uidNumber=2000)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][ou=Users,ou=example,dc=ad,dc=example,dc=com].
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [objectClass]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [sAMAccountName]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [unixUserPassword]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [uidNumber]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [gidNumber]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [gecos]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [unixHomeDirectory]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [msSFU30LoginShell]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [userPrincipalName]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [displayName]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [memberOf]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [objectSid]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [primaryGroupID]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [whenChanged]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [uSNChanged]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [accountExpires]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [userAccountControl]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x2000): ldap_search_ext called, msgid = 8
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_process_result]
(0x2000): Trace: sh[0x1cc4a30], connected[1], ops[0x1cc4990],
ldap[0x1cbda50]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_process_message]
(0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_done]
(0x0400): Search result: No such object(32), no errmsg set
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_search_user_process]
(0x0400): Search for users, returned 0 results.
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_users_done]
(0x0040): Failed to retrieve users
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_id_op_done] (0x4000):
releasing operation connection
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed
event "ltdb_callback": 0x1d80d70

(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed
event "ltdb_timeout": 0x1d81850

(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [ldb] (0x4000): Running
timer event 0x1d80d70 "ltdb_callback"

(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [ldb] (0x4000): Destroying
timer event 0x1d81850 "ltdb_timeout"

(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [ldb] (0x4000): Ending timer
event 0x1d80d70 "ltdb_callback"

(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sysdb_search_user_by_uid]
(0x0400): No such entry
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sysdb_delete_user]
(0x0400): Error: 2 (No such file or directory)
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [acctinfo_callback]
(0x0100): Request processed. Returned 0,0,Success
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_process_result]
(0x2000): Trace: sh[0x1cc4a30], connected[1], ops[(nil)],
ldap[0x1cbda50]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000):
dbus conn: 0x1cbe2b0
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000):
Dispatching.
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sbus_message_handler]
(0x4000): Received SBUS method [getAccountInfo]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sbus_get_sender_id_send]
(0x2000): Not a sysbus message, quit
....

-------------------------------

If I take the filter from within the debug output:
(&(gidNumber=1500)(objectClass=group)(name=*)(&(gidNumber=*)(!(gidNumber=0)))
and perform an ldapsearch with it, it pulls back the correct results:


[***@ldap ~]# ldapsearch -D
"cn=adaccess,ou=adaccts,ou=example,dc=ad,dc=example,dc=com" -w 'password
here' -b "DC=ad,DC=example,DC=com" -h adservername.example.com
'(&(gidNumber=1500)(objectClass=group)(name=*)(&(gidNumber=*)(!(gidNumber=0))))'
# extended LDIF
#
# LDAPv3
# base <DC=ad,DC=example,DC=com> with scope subtree
# filter:
(&(gidNumber=1500)(objectClass=group)(name=*)(&(gidNumber=*)(!(gidNumber=0))))
# requesting: ALL
#

# allowedusers, Groups, example, ad.example.com
dn: CN=allowedusers,OU=Groups,OU=example,DC=ad,DC=example,DC=com
objectClass: top
objectClass: group
cn: allowedusers
member: CN=abrown,OU=Users,OU=example,DC=ad,DC=example,DC=com
distinguishedName:
CN=allowedusers,OU=Groups,OU=example,DC=ad,DC=example,DC=
com
instanceType: 4
whenCreated: 20150408174301.0Z
whenChanged: 20150408174359.0Z
uSNCreated: 81925
uSNChanged: 81931
name: allowedusers
objectGUID:: RUfaedeeXkuHF+R8cdAuHw==
objectSid:: AQUAAAAAAAUVAAAA+fLYrK7/f7j66qxDPQgAAA==
sAMAccountName: allowedusers
sAMAccountType: 268435456
groupType: -2147483646
objectCategory:
CN=Group,CN=Schema,CN=Configuration,DC=ad,DC=example,DC=com
dSCorePropagationData: 16010101000000.0Z
gidNumber: 1500

# search reference
ref:
ldap://DomainDnsZones.ad.example.com/DC=DomainDnsZones,DC=ad,DC=example
,DC=com

# search reference
ref:
ldap://ForestDnsZones.ad.example.com/DC=ForestDnsZones,DC=ad,DC=example
,DC=com

# search reference
ref: ldap://ad.example.com/CN=Configuration,DC=ad,DC=example,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

--------------------------------------
Setup of sssd.conf


[***@ldap sssd]# cat sssd.conf
[domain/default]

ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.va.example.com
ldap_tls_cacertdir = /etc/pki/tls/certs

[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = LDAP


[nss]
filter_users = root
filter_groups = root

[pam]

[sudo]


[domain/LDAP]
access_provider = ldap
auth_provider = ldap
chpass_provider = ldap
id_provider = ldap
sudo_provider = ldap
debug_level = 9
cache_credentials = true
enumerate = false

ldap_uri = ldaps://ldapservername.example.com

ldap_default_bind_dn = CN=Manager,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = passwordhere
ldap_access_filter = ou=users,ou=example,dc=ad,dc=example,dc=com

ldap_search_base = dc=example,dc=com

ldap_schema = ad

ldap_user_principal = userPrincipalName
ldap_user_fullname = displayName
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_user_principal = userPrincipalName
ldap_user_objectsid = objectSid

ldap_group_object_class = group
ldap_group_objectsid = objectGUID


ldap_sudo_search_base = ou=sudoers,dc=ad,dc=example,dc=com

ldap_user_search_base = ou=Users,ou=example,dc=ad,dc=example,dc=com
ldap_group_search_base = ou=Groups,ou=example,dc=ad,dc=example,dc=com

ldap_tls_cacert = /etc/pki/tls/certs/certnamehere.crt
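A note on what the debug output above actually says, followed by an added example that is not part of the original post and not SSSD's own code. LDAP result 32 (noSuchObject) means the server could not find the base of the search; a base that exists but matches nothing comes back as result 0 with zero entries. In the log, sssd sent its search through ldap_uri = ldaps://ldapservername.example.com with base ou=Users,ou=example,dc=ad,dc=example,dc=com and got 32 back, while the hand-run ldapsearch that found the group was pointed at adservername.example.com with base DC=ad,DC=example,DC=com, so it did not exercise the same server or the same base. The script below assumes only the Python standard library; its sssd.conf excerpt is constructed from the one posted, with the password replaced. It loads the domain section, checks each *_search_base against ldap_search_base (they all sit under dc=example,dc=com, so containment is not the problem here), and prints one ldapsearch probe per base aimed at the ldap_uri host. Using -W rather than -w keeps the bind password out of the process list and shell history; the same secret sits in ldap_default_authtok, so sssd.conf must stay readable by root only.

```python
"""Static checks on an sssd.conf LDAP domain before chasing a
'No such object(32)' in the debug log (added example, not from the thread)."""
import configparser
import re
import shlex

# Constructed excerpt of the [domain/LDAP] section posted above; the bind
# password is replaced, and the doubled ldap_user_principal line is kept on
# purpose so the loader has to cope with it.
SSSD_CONF = """
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = LDAP

[domain/LDAP]
id_provider = ldap
ldap_schema = ad
ldap_uri = ldaps://ldapservername.example.com
ldap_default_bind_dn = CN=Manager,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = REDACTED
ldap_search_base = dc=example,dc=com
ldap_user_principal = userPrincipalName
ldap_user_principal = userPrincipalName
ldap_user_search_base = ou=Users,ou=example,dc=ad,dc=example,dc=com
ldap_group_search_base = ou=Groups,ou=example,dc=ad,dc=example,dc=com
ldap_sudo_search_base = ou=sudoers,dc=ad,dc=example,dc=com
"""

BASE_KEYS = ("ldap_search_base", "ldap_user_search_base",
             "ldap_group_search_base", "ldap_sudo_search_base")


def load_domain(conf_text, domain):
    """Return [domain/<domain>] as a dict with lower-cased keys.
    strict=False accepts a repeated option instead of raising; the last
    value wins here."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return dict(cp[f"domain/{domain}"])


def base_dn(value):
    """sssd accepts 'base?scope?filter' in the *_search_base options; keep the DN."""
    return value.split("?", 1)[0].strip()


def split_dn(dn):
    """RDNs of a DN, split on unescaped commas and case-folded for comparison
    (AD and OpenLDAP compare these DN components case-insensitively)."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def dn_under(child, parent):
    """True if child equals parent or lies below it in the tree."""
    c, p = split_dn(child), split_dn(parent)
    return len(c) >= len(p) and c[len(c) - len(p):] == p


def search_base_report(conf_text, domain):
    """One row per configured base: whether it sits under ldap_search_base and
    an ldapsearch that asks the server in ldap_uri (the one sssd actually talks
    to) whether the base exists.  Scope 'base' with '1.1' (no attributes)
    returns result 0 and one entry when the DN exists, result 32 when it does
    not; -W prompts for the bind password so it stays out of argv and history."""
    sec = load_domain(conf_text, domain)
    root = base_dn(sec["ldap_search_base"])
    rows = []
    for key in BASE_KEYS:
        if key in sec:
            dn = base_dn(sec[key])
            argv = ["ldapsearch", "-x", "-H", sec["ldap_uri"],
                    "-D", sec.get("ldap_default_bind_dn", ""), "-W",
                    "-b", dn, "-s", "base", "(objectClass=*)", "1.1"]
            rows.append({"key": key, "dn": dn, "under_root": dn_under(dn, root),
                         "probe": " ".join(shlex.quote(a) for a in argv)})
    return rows


if __name__ == "__main__":
    for row in search_base_report(SSSD_CONF, "LDAP"):
        print(f"{row['key']}: {row['dn']} (under ldap_search_base: {row['under_root']})")
        print("  probe:", row["probe"])
```

Run the printed probes on the CentOS box itself, against the ldap_uri host: a base that answers with result 32 is the one to fix (or the proxy is not exposing it), and only after every base answers 0 is it worth looking at the filter.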
Ashish Yadav
2015-04-09 06:17:32 UTC
Hi,

I think you should follow the links below first and then work out which
steps you have missed in your setup and correct them.

https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server
http://www.chriscowley.me.uk/blog/2013/12/16/integrating-rhel-with-active-directory/
--Regards
Ashishkumar S. Yadav
John Hodrien
2015-04-09 08:13:00 UTC
Post by Sterling Sahaydak
***but the underlying issue is that I can't seem to get users to authenticate
or retrieve group information.
ldap_search_ext called, msgid = 8
Search result: No such object(32), no errmsg set
Search for users, returned 0 results.
Failed to retrieve users
Am I reading this right? You've got a user configured with no explicit UID,
and then you're avoiding using the AD provider (with the id mapping) and just
using LDAP. LDAP is going to want to know the UID of the user, but can't
because no attribute defines it.

I think you need a really good reason to avoid using the AD provider. That
also means you need a really good reason to not configure kerberos. Why would
you want to not use kerberos?

jh
Sterling Sahaydak
2015-04-09 12:46:54 UTC
If you take a look at the listing of the user section I posted, you'll
see the second-to-last line:

...
sn = Brown
uid = abrown
userPrincipalName = ***@example.com

As to your 2nd statement, I'm using OpenLDAP in conjunction with AD, with
an OpenLDAP proxy to AD, thereby needing access_provider = ldap in sssd.


John Hodrien
2015-04-09 13:45:13 UTC
Post by Sterling Sahaydak
If you take a look at the listing of the user section I posted, you'll see
...
sn = Brown
uid = abrown
As to your 2nd statement, I'm using OpenLDAP in conjunction with AD and
using OpenLDAP proxy to AD, thereby needing in sssd to have access_provider
= ldap
Fair enough.

uid is not a uid, it's a username. What *UID* are you expecting SSSD to hand
out without using id mapping?

jh
--
John Hodrien
Faculty of Engineering, IT
0113 3435471
9.26 EC Stoner
Simo Sorce
2015-04-09 14:01:48 UTC
Hi John, for clarity, you are asking:
What uidNumber are you expecting SSSD to resolve ?

Simo.
--
Simo Sorce * Red Hat, Inc * New York
Sterling Sahaydak
2015-04-09 12:56:59 UTC
As to the first article, I'll take a look again to see if I missed any
of the attributes set, thanks.

As to the 2nd article, I've read this many times. The issue here is
that the section "Preparing for Active Directory" is essentially now
deprecated (no longer supported) by Microsoft, as mentioned in a few
places:

http://blogs.technet.com/b/activedirectoryua/archive/2015/01/25/identity-management-for-unix-idmu-is-deprecated-in-windows-server.aspx

https://technet.microsoft.com/en-us/library/dn303411.aspx - "Subsystem
for Unix-based Applications" - deprecated.

I believe I've set these values in my configuration, but haven't seen
any solutions as to replacements or workarounds.


Regards,

Sterling

Sterling Sahaydak
2015-04-09 18:02:01 UTC
Forgot to include in my original posting that I already have uidNumber = 2000
set on the user in AD.

Dn: CN=abrown,OU=Users,OU=example,DC=ad,DC=example,DC=com
accountExpires: 9223372036854775807 (never);
cn: abrown;
codePage: 0;
countryCode: 0;
displayName: Angela Brown;
distinguishedName:
CN=abrown,OU=Users,OU=example,DC=ad,DC=example,DC=com;
dSCorePropagationData: 0x0 = ( );
gidNumber: 1500;
givenName: Angelica;
homeDirectory: /home/abrown;
instanceType: 0x4 = ( WRITE );
loginShell: /bin/bash;
mail: ***@example.com;
memberOf (9):
CN=allowedusers,OU=Groups,OU=example,DC=ad,DC=example,DC=com;
CN=testgroup,OU=Groups,OU=example,DC=ad,DC=example,DC=com;
CN=Services-All,OU=Groups,OU=example,DC=ad,DC=example,DC=com;
name: abrown;
objectCategory:
CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=example,DC=com;
objectClass (4): top; person; organizationalPerson; user;
objectGUID: 2d23b2f8-b7ad-4826-8129-d0da3d00dcb5;
objectSid: S-1-5-21-2899899129-3095396270-1135405818-1638;
primaryGroupID: 513 = ( GROUP_RID_USERS );
pwdLastSet: 4/2/2015 6:20:14 PM Eastern Daylight Time;
sAMAccountName: abrown;
sAMAccountType: 805306368 = ( NORMAL_USER_ACCOUNT );
sn: Brown;
uid: abrown;
uidNumber: 2000;
userAccountControl: 0x200 = ( NORMAL_ACCOUNT );
userPrincipalName: ***@example.com;
uSNChanged: 81899;
uSNCreated: 29756;
whenChanged: 4/8/2015 1:35:06 PM Eastern Daylight Time;
whenCreated: 3/18/2015 5:49:51 PM Eastern Daylight Time;


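Added example, not code from the thread or from SSSD: the debug log earlier in this thread prints the exact filter and attribute list sssd sent, so both can be checked offline against a copy of the entry. The user LDIF below is constructed from the attribute listings in this thread (binary and redacted attributes left out); the group LDIF is the ldapsearch output from the first post. The entry as listed does satisfy sssd's user filter, which is consistent with the group ldapsearch succeeding and points the zero-result answer at the base, the server or the proxy rather than at the filter. Two of the attributes sssd requested, unixHomeDirectory and msSFU30LoginShell (the names set in the posted sssd.conf), are absent; the entry carries homeDirectory and loginShell instead. They are not in the filter, so they cannot explain zero results, but sssd would not pick up a home directory or shell from this entry. The filter evaluator covers only the RFC 4515 subset sssd's generated filters use (and, or, not, equality, presence), and compares values case-insensitively, which is how AD treats the attributes tested here.

```python
"""Evaluate the filter SSSD logged against a local copy of the entry, and
list the requested attributes the entry lacks (added example, not from the
thread).  Filter subset: &, |, !, equality and presence."""
import base64

# User entry constructed from the attribute listings in the thread (binary
# and redacted attributes left out); group entry copied from the ldapsearch
# output, keeping its base64 values and one folded continuation line.
USER_LDIF = """dn: CN=abrown,OU=Users,OU=example,DC=ad,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: abrown
uidNumber: 2000
gidNumber: 1500
homeDirectory: /home/abrown
loginShell: /bin/bash
"""
GROUP_LDIF = """dn: CN=allowedusers,OU=Groups,OU=example,DC=ad,DC=example,DC=com
objectClass: top
objectClass: group
distinguishedName: CN=allowedusers,OU=Groups,OU=example,DC=ad,DC=example,DC=
 com
name: allowedusers
objectGUID:: RUfaedeeXkuHF+R8cdAuHw==
objectSid:: AQUAAAAAAAUVAAAA+fLYrK7/f7j66qxDPQgAAA==
sAMAccountName: allowedusers
gidNumber: 1500
"""
# Filters and attribute list copied from the sssd debug output in the thread.
SSSD_USER_FILTER = ("(&(uidNumber=2000)(objectclass=user)(sAMAccountName=*)"
                    "(&(uidNumber=*)(!(uidNumber=0))))")
SSSD_GROUP_FILTER = ("(&(gidNumber=1500)(objectClass=group)(name=*)"
                     "(&(gidNumber=*)(!(gidNumber=0))))")
SSSD_USER_ATTRS = ["objectClass", "sAMAccountName", "unixUserPassword", "uidNumber",
                   "gidNumber", "gecos", "unixHomeDirectory", "msSFU30LoginShell",
                   "userPrincipalName", "displayName", "memberOf", "objectSid", "primaryGroupID",
                   "whenChanged", "uSNChanged", "accountExpires", "userAccountControl"]


def parse_ldif(text):
    """One LDIF entry -> {attr_lower: [values]}; joins folded lines (leading
    space) and decodes '::' base64 values to bytes.  Keys are lower-cased
    because LDAP attribute names are case-insensitive."""
    entry, lines = {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    for line in lines:
        attr, _, value = line.partition(":")
        value = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def parse_filter(s, i=0):
    """Recursive-descent parser for '(' comp ')'; returns (node, index after ')')."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    start, op = i + 1, s[i + 1]
    if op in ("&", "|"):
        i, subs = start + 1, []
        while s[i] == "(":
            sub, i = parse_filter(s, i)
            subs.append(sub)
        node = (op, subs)
    elif op == "!":
        sub, i = parse_filter(s, start + 1)
        node = ("!", sub)
    else:                                  # simple item: attr=value or attr=*
        i = s.index(")", start)
        attr, _, value = s[start:i].partition("=")
        node = ("=", attr.strip().lower(), value)
    if s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def matches(node, entry):
    """Apply a parsed filter to a parsed entry (case-insensitive values)."""
    op = node[0]
    if op == "&":
        return all(matches(n, entry) for n in node[1])
    if op == "|":
        return any(matches(n, entry) for n in node[1])
    if op == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                       # presence test
        return bool(values)
    return any(isinstance(v, str) and v.lower() == value.lower() for v in values)


def filter_matches(filter_text, ldif_text):
    node, end = parse_filter(filter_text)
    assert end == len(filter_text), "trailing characters after filter"
    return matches(node, parse_ldif(ldif_text))


def missing_attrs(requested, ldif_text):
    """Attributes SSSD asked for that the entry does not carry."""
    entry = parse_ldif(ldif_text)
    return [a for a in requested if a.lower() not in entry]
```

To use it on a live system, replace the constructed LDIF with the output of ldapsearch for the user DN, run against the host in ldap_uri, and paste the filter and "Requesting attrs" list from the current sssd log; if filter_matches() is True and the server still returns zero entries, the filter is not what needs changing.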