On Fri, Jan 10, 2014 at 01:03:35AM -0800, Chris Gray wrote:
> Hello all,
>
> I've been using SSSD 1.9 for a while now, and it works great. I'm setting
> up a Fedora 19 laptop which came with a newer version of SSSD, 1.11.3-1.
>
> I configured it much like I configure the installs of 1.9, using the ad
> provider for everything, and using msktutil to handle joining to my AD
> domain.
>
> When I attempted to log in, I got access denied, so I increased the logging,
> restarted SSSD, and tried again. In the log, everything's looking good,
> until I get to sdap_save_user.
>
> [sdap_save_user] (0x0400) : Save user
> [sdap_save_user] (0x0040) : SID (redacted, but it is the correct SID for my
> account) does not belong to any known domain
> [sdap_save_users] (0x0040) : Failed to store user 0. Ignoring.

I guess you are using id_provider=ldap. If yes, this issue is already known,
see https://fedorahosted.org/sssd/ticket/2172 and
https://fedorahosted.org/sssd/ticket/2175 and patches are currently reviewed
on the list.

Since you are using AD I would suggest to try the AD ID provider with 1.11.

HTH

bye,
Sumit

>
> My AD environment is a forest, and my Fedora laptop is joined to a child
> domain. SSSD is only configured for the child domain as well, I haven't
> tried multiple domain setups. So, SSSD should only know about the single
> domain.
>
> In sssd.conf, I do have ad_domain set to the FQDN.
>
> I'm sure this is probably something simple. Or it's related to the changes
> made in 1.11.2 for sdap_save_user: try to determine domain by SID.
>
> The domain portion of my SID is correct as well, and running psgetsid
> sidvalue for both my account and the domain SID returns the correct
> information.
>
> It finds my GC via DNS, and correctly uses the two local servers as the
> primary GC servers, with 32 backup servers. I'm sure that my laptop can't
> actually connect to all 34 domain controllers, due to firewalls. DNS
> contains the _gc entries for the remote GC servers, but has no current way
> to resolve the hosts.
>
> I'm currently assuming that the lack of connection to the other GCs causes
> it to fail to find out which domain the domain portion of my account's SID
> belongs to.
>
> Any help in pointing me towards a resolution would be appreciated.
>
> Thanks,
> Chris
> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
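
To check the "domain portion" of a SID by hand when debugging a message like the one quoted above, the following added example (not part of the thread and not SSSD's code) decodes a binary objectSid as stored in AD and looks up its domain part in a table of known domain SIDs. The SIDs, the domain name child.example.com and the function names are constructed for illustration.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid value into its S-R-A-S1-S2-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    # Identifier authority is 6 bytes big-endian; sub-authorities are
    # 32-bit little-endian values.
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def split_sid(sid: str):
    """Return (domain_sid, rid): everything before the last dash, and the RID."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S":
        raise ValueError("not an account SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])

def find_domain(sid: str, known: dict):
    """Map an account SID to a domain name, or None if its domain is unknown."""
    domain_sid, _rid = split_sid(sid)
    return known.get(domain_sid)

# Constructed sample data: one configured domain and one user objectSid.
KNOWN = {"S-1-5-21-1111111111-2222222222-3333333333": "child.example.com"}
SAMPLE_RAW = (bytes([1, 5]) + (5).to_bytes(6, "big") +
              struct.pack("<5I", 21, 1111111111, 2222222222, 3333333333, 1104))

if __name__ == "__main__":
    sid = sid_to_str(SAMPLE_RAW)
    print(sid, "->", find_domain(sid, KNOWN))
    # A SID from a domain missing from the table resolves to None.
    print(find_domain("S-1-5-21-9-9-9-500", KNOWN))
```
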
