[Freeipa-users] RHEL 5 client?

Alexander Bokovoy abokovoy@redhat.com
Fri Apr 3 13:35:57 UTC 2015


On Fri, 03 Apr 2015, Guertin, David S. wrote:
>> The sequence to emulate what SSSD does would be
>>
>>kinit -k host/`hostname`
>>ldapsearch -Y GSSAPI -H ldap://genet.ipa.middlebury.edu \
>>           -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub \
>>           '(uid=admin@middlebury.edu)'
>>
>>As a result, we have 'admin@middlebury.edu' inserted in the compat tree, and
>>can do a bind as
>>'uid=admin@middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu'
>>
>>ldapsearch -x -H ldap://genet.ipa.middlebury.edu \
>>           -D 'uid=admin@middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu' \
>>           -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub \
>>           '(uid=admin@middlebury.edu)'
>>
>>This would reproduce what SSSD was supposed to do. If you get these
>>ldapsearches to work, we can look at what is SSSD doing.
>
>Thanks. Yes, both of those ldapsearch commands work. I can search for the user (I'm using a different user here):
>
>-----------------------------
># ldapsearch -Y GSSAPI -H ldap://genet.ipa.middlebury.edu -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub '(uid=juser@middlebury.edu)'
>SASL/GSSAPI authentication started
>SASL username: host/yakko.ipa.middlebury.edu@IPA.MIDDLEBURY.EDU
>SASL SSF: 56
>SASL installing layers
># extended LDIF
>#
># LDAPv3
># base <cn=compat,dc=ipa,dc=middlebury,dc=edu> with scope subtree
># filter: (uid=juser@middlebury.edu)
># requesting: ALL
>#
>
># juser@middlebury.edu, users, compat, ipa.middlebury.edu
>dn: uid=juser@middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu
>objectClass: posixAccount
>objectClass: top
>cn: juser
>gidNumber: 435021613
>gecos: juser
>uidNumber: 435021613
>homeDirectory: /home/middlebury.edu/juser
>uid: juser@middlebury.edu
>
># search result
>search: 4
>result: 0 Success
>
># numResponses: 2
># numEntries: 1
>-----------------------------
>
>And I can bind as that user (after adding the -W flag to prompt for a password):
>
>-----------------------------
># ldapsearch -x -H ldap://genet.ipa.middlebury.edu -D 'uid=juser@middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu' -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub '(uid=juser@middlebury.edu)' -W
>Enter LDAP Password:
># extended LDIF
>#
># LDAPv3
># base <cn=compat,dc=ipa,dc=middlebury,dc=edu> with scope subtree
># filter: (uid=juser@middlebury.edu)
># requesting: ALL
>#
>
># juser@middlebury.edu, users, compat, ipa.middlebury.edu
>dn: uid=juser@middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu
>objectClass: posixAccount
>objectClass: top
>cn: juser
>gidNumber: 435021613
>gecos: juser
>uidNumber: 435021613
>homeDirectory: /home/middlebury.edu/juser
>uid: juser@middlebury.edu
>
># search result
>search: 2
>result: 0 Success
>
># numResponses: 2
># numEntries: 1
>-----------------------------
>
>But the user still cannot SSH in to the client:
>
>-----------------------------
>$ ssh -l 'MIDD\juser' yakko.ipa.middlebury.edu
>MIDD\juser@yakko.ipa.middlebury.edu's password:
>Permission denied, please try again.
>MIDD\juser@yakko.ipa.middlebury.edu's password:
>Permission denied, please try again.
>MIDD\juser@yakko.ipa.middlebury.edu's password:
>Permission denied (publickey,gssapi-with-mic,password).
>-----------------------------
>
>The sssd debug_level is set to 10. I've attached sssd_default.log and sssd_nss.log
I don't see any request going to sssd.

Can you try with juser@middlebury.edu? Old SSSD is incapable of seeing that
MIDD\juser is the same as juser@middlebury.edu.



-- 
/ Alexander Bokovoy
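The two-step check Alexander describes (GSSAPI search as the host principal so the compat plugin materialises the trusted user, then a simple bind as the resulting DN) is worth scripting so it can be rerun on any client and its outcome checked rather than eyeballed. The script below is an added example, not code from this thread, from SSSD or from FreeIPA. The server, base DN and the sample entry come from the thread; the NetBIOS-to-DNS table in canonical_name (only MIDD to middlebury.edu is visible in the thread), the use of `hostname -f` for the host principal, and the DRY_RUN switch are assumptions made for the example. With DRY_RUN=1, the default, the kinit and ldapsearch commands are printed rather than executed, so the script also runs offline.

```shell
#!/bin/sh
# Added example (not from the thread, SSSD or FreeIPA): script the compat-tree
# check so that it can be repeated on a client and checked mechanically.
# Assumptions: the NetBIOS->DNS table in canonical_name, `hostname -f` for the
# host principal, and DRY_RUN=1 (default) printing commands instead of running them.
set -u

IPA_SERVER=${IPA_SERVER:-genet.ipa.middlebury.edu}
COMPAT_BASE=${COMPAT_BASE:-cn=compat,dc=ipa,dc=middlebury,dc=edu}
DRY_RUN=${DRY_RUN:-1}

# Old SSSD does not recognise MIDD\juser and juser@middlebury.edu as the same
# account, so normalise the NetBIOS form to the fully qualified form before
# asking IPA for it. The mapping table is assumed for this example.
canonical_name() {
    bs='\'
    case $1 in
        *"$bs"*)
            nb=${1%%"$bs"*}
            user=${1#*"$bs"}
            case $nb in
                MIDD) echo "$user@middlebury.edu" ;;
                *)    echo "canonical_name: unknown NetBIOS domain '$nb'" >&2; return 1 ;;
            esac ;;
        *@*) echo "$1" ;;
        *)   echo "canonical_name: '$1' is not a trusted-domain user name" >&2; return 1 ;;
    esac
}

# DN under which the compat plugin exposes a trusted-domain user (as in the thread).
compat_dn() {
    echo "uid=$1,cn=users,$COMPAT_BASE"
}

# Minimal helpers for ldapsearch -LLL output: number of entries, and the first
# value of one attribute.
ldif_entry_count() {
    awk '/^dn: / { n++ } END { print n + 0 }'
}
ldif_attr() {
    awk -v want="$1:" '$1 == want { print $2; exit }'
}

# What SSSD is supposed to do, step by step: authenticate as the host principal,
# search the compat tree so the user entry is materialised, then simple-bind as
# that DN to verify the password (-W prompts for it).
probe_user() {
    user=$(canonical_name "$1") || return 1
    dn=$(compat_dn "$user")
    filter="(uid=$user)"
    if [ "$DRY_RUN" = 1 ]; then
        echo "kinit -k host/$(hostname -f)"
        echo "ldapsearch -LLL -Y GSSAPI -H ldap://$IPA_SERVER -b $COMPAT_BASE -s sub '$filter'"
        echo "ldapsearch -LLL -x -W -H ldap://$IPA_SERVER -D '$dn' -b $COMPAT_BASE -s sub '$filter'"
        return 0
    fi
    kinit -k "host/$(hostname -f)" || return 1
    n=$(ldapsearch -LLL -Y GSSAPI -H "ldap://$IPA_SERVER" -b "$COMPAT_BASE" -s sub "$filter" 2>/dev/null | ldif_entry_count)
    if [ "$n" != 1 ]; then
        echo "probe_user: compat lookup returned $n entries for $user" >&2
        return 1
    fi
    ldapsearch -LLL -x -W -H "ldap://$IPA_SERVER" -D "$dn" -b "$COMPAT_BASE" -s sub "$filter" >/dev/null
}

# Constructed copy of the entry shown in the thread, in -LLL form, for offline checks.
SAMPLE_LDIF='dn: uid=juser@middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu
objectClass: posixAccount
objectClass: top
cn: juser
gidNumber: 435021613
gecos: juser
uidNumber: 435021613
homeDirectory: /home/middlebury.edu/juser
uid: juser@middlebury.edu'

# Verify the parsed sample against the values the thread shows: exactly one
# entry, uidNumber and gidNumber both 435021613. Returns 0 on a match.
check_sample() {
    [ "$(printf '%s\n' "$SAMPLE_LDIF" | ldif_entry_count)" = 1 ] &&
    [ "$(printf '%s\n' "$SAMPLE_LDIF" | ldif_attr uidNumber)" = 435021613 ] &&
    [ "$(printf '%s\n' "$SAMPLE_LDIF" | ldif_attr gidNumber)" = 435021613 ]
}

probe_user "${1:-MIDD\\juser}"
```

Run it as `DRY_RUN=0 ./probe.sh 'MIDD\juser'` on the client to execute the three commands; the entry-count check between the two searches is the part a practitioner wants, since an empty compat result explains a failed bind before any password is typed.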