Learn more about these different git repos.
Other Git URLs
Hello! Found something, can't fix it myself.
Steps to: 1. Setup IPA Server 2. Setup trust with AD 3. Setup IPA auth on spacewalk 4. Try to login as AD user to spacewalk webUI 5. Fail.
From httpd error log:
[DATE] [:notice] [pid number] mod_authnz_pam: PAM authentication passed for user aduser@ad.com [DATE] [:error] [pid number] dbus call GetUserAttr returned value 0 instead of DBUS_TYPE_DICT_ENTRY
Check on spacewalk server: IPAUSER - works flawlessly
# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:ipauser array:string:email,firstname,lastname,ou,gecos method return sender=:1.7 -> dest=:1.31 reply_serial=2 array [ dict entry( string "email" variant array [ string "ipauser@ipa.local" ] ) dict entry( string "firstname" variant array [ string "John" ] ) dict entry( string "lastname" variant array [ string "Doe" ] ) dict entry( string "ou" variant array [ string "Corp Inc" ] ) dict entry( string "gecos" variant array [ string "John Doe" ] ) ] # dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserGroups string:ipauser method return sender=:1.7 -> dest=:1.33 reply_serial=2 array [ string "admins" string "spacewalk_admins" string "ipausers" string "trust admins" ]
ADUSER - not working as aspected
# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:aduser@ad.com array:string:email,firstname,lastname,ou,gecos method return sender=:1.7 -> dest=:1.34 reply_serial=2 array [ dict entry( string "gecos" variant array [ string "Doe John Surname" ] ) ] # dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserGroups string:aduser@ad.com method return sender=:1.7 -> dest=:1.32 reply_serial=2 array [ string "spacewalk admins@ad.com" string "domain admins@ad.com" string "domain users@ad.com" string "vpnusers@ad.com" string "acl-git@ad.com" string "ad_admins" string "admins" string "spacewalk_admins" ]
spacewalk sssd config:
[domain/ipa.local] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = ipa.local id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = spacewalk.ipa.local chpass_provider = ipa dyndns_update = True ipa_server = _srv_, dc3.ipa.local dyndns_iface = ens192 ldap_tls_cacert = /etc/ipa/ca.crt ldap_user_extra_attrs = email:mail, firstname:givenname, lastname:sn, ou subdomains_provider = ipa debug_level = 6 [sssd] services = nss, sudo, pam, ssh, ifp, pac config_file_version = 2 domains = ipa.local [nss] homedir_substring = /home [pam] [sudo] [autofs] [ssh] [pac] [ifp] allowed_uids = apache, root user_attributes = +email, +firstname, +lastname, +ou, +mail
Suppose IFP won't work on trusted domains, with additional attributes, only default ones.
Am i missed something in config with IPA and trusts?
Thank you!
Yes you did, the user requests for AD trusted users are routed through the IPA server, so you need to put the same user_attributes and ldap_user_extra_attrs to the server side's sssd.conf as well.
btw sorry this is not obvious. I'm juggling several things at the moment, but writing this setup up in docs and a blog post is on my todo list..
The reporter confirmed on IRC that adding the attributes to the server side sssd.conf helped. Closing.
resolution: => worksforme status: new => closed
Metadata Update from @doctor: - Issue set to the milestone: SSSD 1.13 backlog
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4060
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.