All of my providers are AD; ID, access, auth and chgpass. I use the AD provider for all 4 settings in 1.9 as well, seems to work fine.
I have my ldap_id_mapping set to true. So, neither of those existing issues fit my setup, but thanks for the effort!

Chris

On Fri, Jan 10, 2014 at 1:12 AM, Sumit Bose <[email protected]> wrote:

> On Fri, Jan 10, 2014 at 01:03:35AM -0800, Chris Gray wrote:
> > Hello all,
> >
> > I've been using SSSD 1.9 for a while now, and it works great. I'm setting
> > up a Fedora 19 laptop which came with a newer version of SSSD, 1.11.3-1.
> >
> > I configured it much like I configure the installs of 1.9, using the ad
> > provider for everything, and using msktutil to handle joining to my AD
> > domain.
> >
> > When I attempted to login, I got access denied, so I increased the logging,
> > restarted SSSD, and tried again. In the log, everything's looking good,
> > until I get to sdap_save_user.
> >
> > [sdap_save_user] (0x0400) : Save user
> > [sdap_save_user] (0x0040) : SID (redacted, but it is the correct SID for my account) does not belong to any known domain
> > [sdap_save_users] (0x0040) : Failed to store user 0. Ignoring.
>
> I guess you are using id_provider=ldap. If yes, this issue is already
> known, see https://fedorahosted.org/sssd/ticket/2172 and
> https://fedorahosted.org/sssd/ticket/2175 and patches are currently
> reviewed on the list.
>
> Since you are using AD I would suggest to try the AD ID provider with
> 1.11.
>
> HTH
>
> bye,
> Sumit
>
> > My AD environment is a forest, and my Fedora laptop is joined to a child
> > domain. SSSD is only configured for the child domain as well, I haven't
> > tried multiple domain setups. So, SSSD should only know about the single
> > domain.
> >
> > In sssd.conf, I do have ad_domain set to the FQDN.
> >
> > I'm sure this is probably something simple. Or it's related to the changes
> > made in 1.11.2 for sdap_save_user: try to determine domain by SID.
> >
> > The domain portion of my SID is correct as well, and running psgetsid
> > sidvalue for both my account and the domain SID returns the correct
> > information.
> >
> > It finds my GC via DNS, and correctly uses the two local servers as the
> > primary GC servers, with 32 backup servers. I'm sure that my laptop can't
> > actually connect to all 34 domain controllers, due to firewalls. DNS
> > contains the _gc entries for the remote GC servers, but has no current way
> > to resolve the hosts.
> >
> > I'm currently assuming that the lack of connection to the other GCs causes
> > it to fail to find out which domain the domain portion of my account's SID
> > belongs to.
> >
> > Any help in pointing me towards a resolution would be appreciated.
> >
> > Thanks,
> > Chris
> >
> > _______________________________________________
> > sssd-users mailing list
> > [email protected]
> > https://lists.fedorahosted.org/mailman/listinfo/sssd-users

--
Intelligence is a matter of opinion.
