On Fri, Jan 10, 2014 at 01:57:07AM -0800, Chris Gray wrote:
> All of my providers are AD; ID, access, auth and chgpass. I use the AD
> provider for all 4 settings in 1.9 as well, seems to work fine.
>
> I have my ldap_id_mapping set to true.

Then I need the full SSSD domain log. If you prefer you can send it to me
directly.

bye,
Sumit

>
> So, neither of those existing issues fit my setup, but thanks for the
> effort!
> Chris
>
>
> On Fri, Jan 10, 2014 at 1:12 AM, Sumit Bose <[email protected]> wrote:
>
> > On Fri, Jan 10, 2014 at 01:03:35AM -0800, Chris Gray wrote:
> > > Hello all,
> > >
> > > I've been using SSSD 1.9 for a while now, and it works great. I'm
> > > setting up a Fedora 19 laptop which came with a newer version of
> > > SSSD, 1.11.3-1.
> > >
> > > I configured it much like I configure the installs of 1.9, using the
> > > ad provider for everything, and using msktutil to handle joining to
> > > my AD domain.
> > >
> > > When I attempted to login, I got access denied, so I increased the
> > > logging, restarted SSSD, and tried again. In the log, everything's
> > > looking good, until I get to sdap_save_user.
> > >
> > > [sdap_save_user] (0x0400) : Save user
> > > [sdap_save_user] (0x0040) : SID (redacted, but it is the correct SID for my account) does not belong to any known domain
> > > [sdap_save_users] (0x0040) : Failed to store user 0. Ignoring.
> >
> > I guess you are using id_provider=ldap. If yes, this issue is already
> > known, see https://fedorahosted.org/sssd/ticket/2172 and
> > https://fedorahosted.org/sssd/ticket/2175 and patches are currently
> > reviewed on the list.
> >
> > Since you are using AD I would suggest to try the AD ID provider with
> > 1.11.
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> > >
> > > My AD environment is a forest, and my Fedora laptop is joined to a
> > > child domain. SSSD is only configured for the child domain as well, I
> > > haven't tried multiple domain setups. So, SSSD should only know about
> > > the single domain.
> > >
> > > In sssd.conf, I do have ad_domain set to the FQDN.
> > >
> > > I'm sure this is probably something simple. Or it's related to the
> > > changes made in 1.11.2 for sdap_save_user: try to determine domain by
> > > SID.
> > >
> > > The domain portion of my SID is correct as well, and running psgetsid
> > > sidvalue for both my account and the domain SID returns the correct
> > > information.
> > >
> > > It finds my GC via DNS, and correctly uses the two local servers as
> > > the primary GC servers, with 32 backup servers. I'm sure that my
> > > laptop can't actually connect to all 34 domain controllers, due to
> > > firewalls. DNS contains the _gc entries for the remote GC servers, but
> > > has no current way to resolve the hosts.
> > >
> > > I'm currently assuming that the lack of connection to the other GCs
> > > causes it to fail to find out which domain the domain portion of my
> > > account's SID belongs to.
> > >
> > > Any help in pointing me towards a resolution would be appreciated.
> > >
> > > Thanks,
> > > Chris
>
> --
> Intelligence is a matter of opinion.

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
