On Tue, 10 Aug 2010, Stephen Gallagher wrote:
On 08/10/2010 10:29 AM, Timo Aaltonen wrote:
On Thu, 5 Aug 2010, Stephen Gallagher wrote:
Someone else just reported this same issue to me :(
Can you attach the /var/log/sssd/sssd_<domain>.log and /var/log/sssd/ldap_child.log for this?
I suspect you'll see the ldap_child.log report that it couldn't find a KDC for the realm.
I can now enumerate the user, but auth fails because of this:
/var/log/sssd/krb5_child.log:
(Tue Aug 10 16:54:10 2010) [[sssd[krb5_child[13472]]]] [get_and_save_tgt] (1): 524: [-1765328230][Cannot find KDC for requested realm]
(Tue Aug 10 16:54:10 2010) [[sssd[krb5_child[13472]]]] [tgt_req_child] (1): 756: [-1765328230][Cannot find KDC for requested realm]
Yes, exactly the same errors with SSSD_KRB5_LOCATOR_DEBUG=1. I have the KDCs in /etc/krb5.conf, btw.
Also, I don't know what to use for searching the group information :) So it cannot find the name for the default group. I checked from AD that the values below should be correct.
ldap_schema = rfc2307bis
ldap_search_base = dc=org,dc=aalto,dc=fi
ldap_user_object_class = person
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_search_base = ou=Users,dc=org,dc=aalto,dc=fi
ldap_group_object_class = group
I'm almost certain your value for ldap_group_search_base is wrong. In fact, you probably don't need ldap_group_search_base at all. The ldap_search_base is enough here.
Hah, I'm pretty sure I tried without that, but yep, that did the trick :)
nexus6 sssd # groups tjaalton
tjaalton : Domain Users
Though I'm 'memberOf' several other groups as well, but if they don't have gidNumber set they won't be shown here, right?
sssd-devel@lists.fedorahosted.org