SSSD and LDAP: I'm confused with the latest package

I’m confused :fearful::astonished:

Working on NethServer ARM, I have strange results with the latest nethserver-sssd package.

The template expands to:

[sssd]
domains = havak.lan
config_file_version = 2
services = nss, pam

[domain/havak.lan]
enumerate = True
cache_credentials = True
default_shell = /usr/libexec/openssh/sftp-server
use_fully_qualified_names = True
id_provider = ldap
ldap_uri = ldap://127.0.0.1
ldap_search_base = dc=havak,dc=lan
ldap_tls_reqcert = never
[nss]

and it does not work:
make a user > enable SSH: Access Denied

edit sssd.conf:
ldap_search_base = dc=dc=directory,dc=nh

And it’s OK. What goes wrong???

EDIT
Just guessing here: because a FQHN is set before installing nethserver-sssd?

You need to log in using @.

Example:

ssh -l giacomo@nethserver.org myserver.com
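To make the two points above concrete (the template-derived ldap_search_base, and use_fully_qualified_names forcing user@domain logins), here is an added checker that is not part of NethServer or SSSD. It parses the rendered sssd.conf quoted earlier in the thread (embedded as a constructed sample) and compares the search base against the directory's real base DN, which the caller has to supply (assumed input, e.g. from an ldapsearch of the root DSE).

```python
import configparser

# Constructed sample: the sssd.conf rendered by the template, as quoted in the thread above.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = havak.lan
config_file_version = 2
services = nss, pam

[domain/havak.lan]
enumerate = True
cache_credentials = True
default_shell = /usr/libexec/openssh/sftp-server
use_fully_qualified_names = True
id_provider = ldap
ldap_uri = ldap://127.0.0.1
ldap_search_base = dc=havak,dc=lan
ldap_tls_reqcert = never

[nss]
"""

def domain_to_base(domain):
    """Search base that the template appears to derive from the host's DNS domain."""
    return ",".join("dc=" + part for part in domain.split("."))

def review_sssd_conf(text, directory_base):
    """Parse sssd.conf and report the points raised in the thread.
    directory_base is the real base DN of the LDAP tree (hypothetical caller input)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    domains = [d.strip() for d in cfg.get("sssd", "domains", fallback="").split(",") if d.strip()]
    for domain in domains:
        section = "domain/" + domain
        if not cfg.has_section(section):
            findings.append((domain, "missing [%s] section" % section))
            continue
        sec = cfg[section]
        base = sec.get("ldap_search_base", "")
        if base.lower() != directory_base.lower():
            findings.append((domain, "ldap_search_base %s does not match directory base %s" % (base, directory_base)))
        if base == domain_to_base(domain):
            findings.append((domain, "search base was derived from the host's DNS domain"))
        if sec.getboolean("use_fully_qualified_names", fallback=False):
            findings.append((domain, "logins must use user@%s" % domain))
        uri = sec.get("ldap_uri", "")
        loopback = uri.startswith("ldap://127.0.0.1") or uri.startswith("ldap://localhost")
        if sec.get("ldap_tls_reqcert", "").lower() == "never" and not loopback:
            findings.append((domain, "certificate verification disabled on a non-local ldap_uri"))
    return findings
```

Running it against the thread's config with the base DN that actually worked (dc=directory,dc=nh) reports the mismatch; with the corrected base only the user@havak.lan login requirement remains.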

I know! Let it be for a while; maybe it pops up in my head.

Question:
Isn’t DNS supposed to do this by default?
Meaning that it should append/resolve the suffix and domain automatically?


I can reproduce it on x86_64 (EDIT 2: sometimes :astonished:), don’t know which “step” it is

1 install from ISO
2 give time zone and FQDN before installing (networking at the bottom in anaconda)
3 complete web install wizard with defaults
4 update through web UI
5 reboot
6 install LDAP
7 disable Strong password policy for Users (writing this up: maybe I forgot to “submit”)
8 make group
9 make user, add to group, enable SSH, use no number in password
10 try to ssh with user@domain > Access Denied

As a matter of fact, all authentication is denied.

I’ll keep digging :smiling_imp:

EDIT: has nothing to do with strong passwords (step 7), so it must be the FQDN set before installing NethServer and accepting this in the install wizard by pushing Next.
EDIT2: Still confused, sometimes it works, sometimes it does not

FWIW:
I’ve done quite the same things, and also had problems logging in.
After some trial and error, I managed to logon using
username@mydomain@localIP.
Yes, 2 @!
Didn’t dive into it, had (still) bigger issues to solve.
EDIT: localIP was left out, I think due to < > surrounding it.

What is the user’s shell?

getent passwd username@havak.lan

This suggests it could be DNS-related. In my setup the NS install is not the DNS server of the LAN.
Same as yours @rolf

@davidep what is the relation between SSSD and DNS(/DHCP); does it exist?

As soon as it pops up again I’ll “freeze” the setup to investigate.

About DHCP, it is not required that NethServer is the DHCP server.

However, if NethServer has the AD provider installed it MUST be the LAN DNS, because dnsmasq in this case is already configured to correctly forward DNS requests to the domain controller or to the upstream DNS.
