Re: Error No matching domain found for 5001 in sssd_nss.log

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/11/2010 01:08 AM, John Nissley wrote:
> I will admit that getting fedora 13 to authenticate against my dirsrv 
> ldap server has been an interesting experience.  I still do not think I 
> have it right since getent passwd does not display the ldap users but 
> for some reason I am able to log in with my ldap user name and password 
> and the home directory mapping is pulled out of ldap.

By default, SSSD does not return answers to 'getpwent' requests, only
'getpwuid' and 'getpwnam' (and the group equivalents). This is to avoid
returning ridiculous numbers of replies from very large deployments.

If you want this behavior, add 'enumerate=true' to the
[domain/<yourdomain>] section in /etc/sssd/sssd.conf  (<yourdomain> is
usually 'default', unless you created it manually)

> 
> This error is in my sssd.nss.log file after reboot when I try to log in.
> [sssd[nss]] [nss_cmd_getgrgid_callback] (0): No matching domain found 
> for [5001], fail!
> The interesting thing is that the uid for the user trying to 
> authenticate is 5001 so that must be coming back from the ldap server.
> 

Note the error message. It's performing a getgrgid request, not a
getpwuid request. That means that it's looking for a group in ldap with
the same ID (5001) that it cannot find. Probably this means that your
user is specified as having UID=5001, primary GID=5001, but LDAP doesn't
actually have a group stored with GID=5001

<snip>
> 
> Can some on please help me straighten out my network login via ldap 
> problem I am having.  I was doing the same network login to the same 
> ldap server with Fedora 12 and had no issues at all.  Fedora 13 requires 
> tls or ldaps which is where my problems started.  I was not using either 
> of them when using Fedora 12.

SSSD doesn't allow you to perform authentication without using TLS or
LDAPS because doing so sends your password unencrypted over the
internet. The old way of doing things - nss_ldap - used to allow this.
When we developed the SSSD we decided to be more strict, since no good
can come of allowing unencrypted passwords on the wire.

- -- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkxEX0kACgkQeiVVYja6o6PRhACfbcPAex0rpMMrMNrCtZJ8/EFS
CusAoJUa/NnI5OjdRlstY/X4J3gzSkBq
=kO0b
-----END PGP SIGNATURE-----
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux