
I am trying to setup a new Server(Ubuntu 22.04 LTS) and authenticate users using organization accounts.

This is the public Documentation provided: https://www.hs-regensburg.de/supportwiki/doku.php?id=en:public:netz:auth

When executing ldapsearch like it is specified in the Troubleshooting section I can find my user in the format abc12345 and all the available data that is available.

ldapsearch \
-A \
-H 'ldaps://adldap.hs-regensburg.de' \
-b 'DC=hs-regensburg,DC=de' \
-D 'abc12345@hs-regensburg.de' \
-W -z 0 -LLL -E pr=1000/noprompt sAMAccountName=abc12345

Output: see Appendix 1

However, when executing getent passwd abc12345 I get no output; the log files are shown in Appendix 2 and 3. I would say that LDAP simply does not find the given username abc12345.

Here is my sssd.conf:

[sssd]
config_file_version = 2
domains = hs-regensburg.de

[domain/hs-regensburg.de]
id_provider = ldap
auth_provider = ldap

ldap_uri = ldaps://adldap.hs-regensburg.de/
ldap_search_base = dc=hs-regensburg,dc=de

ldap_default_bind_dn = CN=abc12345,OU=Studenten,OU=Benutzer,OU=EI,OU=HSR,DC=hs-regensburg,DC=de
#ldap_default_bind_dn = abc12345@hs-regensburg.de
ldap_default_authtok_type = password
ldap_default_authtok = insertPassword

cache_credentials = false

  1. What changes do I have to make to my sssd.conf so that sssd also finds my users, like ldapsearch does?
  2. What exactly is sAMAccountName/samAccountName?
  3. What benefit would it have if I set up my authentication like this: https://ubuntu.com/server/docs/service-sssd-ldap-krb
  4. Is the provided documentation even enough to set up such a system?

I am grateful for any help. If you need further information from me, I will be happy to provide anything you need.

Appendix 1

Enter LDAP Password:
dn: CN=abc12345,OU=Studenten,OU=Benutzer,OU=EI,OU=HSR,DC=hs-regensburg,DC=de
objectClass:
cn:
sn:
c:
l:
st:
title:
postalCode:
givenName:
distinguishedName:
instanceType:
whenCreated:
whenChanged:
displayName:
uSNCreated:
memberOf:
uSNChanged:
department:
proxyAddresses:
streetAddress:
name:
objectGUID:
userAccountControl:
badPwdCount:
codePage:
countryCode:
homeDirectory:
homeDrive:
badPasswordTime:
lastLogoff:
lastLogon:
pwdLastSet:
primaryGroupID:
profilePath:
objectSid:
accountExpires:
logonCount:
sAMAccountName:
sAMAccountType:
showInAddressBook:
legacyExchangeDN:
userPrincipalName:
objectCategory:
dSCorePropagationData:
lastLogonTimestamp:
uid:
mail:
uidNumber:
gidNumber:
unixHomeDirectory:
loginShell:
mDBUseDefaults:
msExchWhenMailboxCreated:
extensionAttribute9:
msExchUMDtmfMap:
msExchMailboxSecurityDescriptor:
hsrInternalMail:
msExchArchiveWarnQuota:
msExchHomeServerName:
msExchTextMessagingState:
msExchPoliciesExcluded:
msExchDumpsterQuota:
msExchRBACPolicyLink:
msExchUserAccountControl:
msExchMobileMailboxFlags:
msExchArchiveQuota:
msExchDumpsterWarningQuota:
mailNickname:
msExchUserCulture:
msExchVersion:
msExchELCMailboxFlags:
homeMDB:
msExchMailboxGuid:
msExchRecipientTypeDetails:
msExchRecipientDisplayType:
msExchCalendarLoggingQuota:

# refldaps://hs-regensburg.de/CN=Configuration,DC=hs-regensburg,DC=de

# pagedresults: cookie=

Appendix 2

root@hostname:/var/log/sssd# tail -f sssd_nss.log | grep --color 'abc12345\|$'

(2022-08-24  2:02:44): [nss] [accept_fd_handler] (0x0400): [CID#6] Client [cmd getent][uid 1001][0x55e3a007a380][21] connected!
(2022-08-24  2:02:44): [nss] [sss_cmd_get_version] (0x0200): [CID#6] Received client version [1].
(2022-08-24  2:02:44): [nss] [sss_cmd_get_version] (0x0200): [CID#6] Offered version [1].
(2022-08-24  2:02:44): [nss] [nss_getby_name] (0x0400): [CID#6] Input name: abc12345
(2022-08-24  2:02:44): [nss] [cache_req_send] (0x0400): [CID#6] CR #7: REQ_TRACE: New request [CID #6] 'User by name'
(2022-08-24  2:02:44): [nss] [cache_req_process_input] (0x0400): [CID#6] CR #7: Parsing input name [abc12345]
(2022-08-24  2:02:44): [nss] [sss_parse_name_for_domains] (0x0200): [CID#6] name 'abc12345' matched without domain, user is abc12345
(2022-08-24  2:02:44): [nss] [nss_get_object_send] (0x0400): [CID#6] Client [0x55e3a007a380][21]: sent cache request #7
(2022-08-24  2:02:44): [nss] [cache_req_set_name] (0x0400): [CID#6] CR #7: Setting name [abc12345]
(2022-08-24  2:02:44): [nss] [cache_req_select_domains] (0x0400): [CID#6] CR #7: Performing a multi-domain search
(2022-08-24  2:02:44): [nss] [cache_req_search_domains] (0x0400): [CID#6] CR #7: Search will check the cache and check the data provider
(2022-08-24  2:02:44): [nss] [cache_req_set_domain] (0x0400): [CID#6] CR #7: Using domain [hs-regensburg.de]
(2022-08-24  2:02:44): [nss] [cache_req_prepare_domain_data] (0x0400): [CID#6] CR #7: Preparing input data for domain [hs-regensburg.de] rules
(2022-08-24  2:02:44): [nss] [cache_req_search_send] (0x0400): [CID#6] CR #7: Looking up abc12345@hs-regensburg.de
(2022-08-24  2:02:44): [nss] [cache_req_search_ncache] (0x0400): [CID#6] CR #7: Checking negative cache for [abc12345@hs-regensburg.de]
(2022-08-24  2:02:44): [nss] [cache_req_search_ncache] (0x0400): [CID#6] CR #7: [abc12345@hs-regensburg.de] does not exist (negative cache)
(2022-08-24  2:02:44): [nss] [cache_req_process_result] (0x0400): [CID#6] CR #7: Finished: Not found
(2022-08-24  2:02:44): [nss] [client_recv] (0x0200): [CID#6] Client disconnected!

Appendix 3

root@hostname:/var/log/sssd# tail -f sssd_nss.log | grep abc12345

(2022-08-24  2:05:41): [nss] [nss_getby_name] (0x0400): [CID#7] Input name: abc12345
(2022-08-24  2:05:41): [nss] [cache_req_process_input] (0x0400): [CID#7] CR #8: Parsing input name [abc12345]
(2022-08-24  2:05:41): [nss] [sss_parse_name_for_domains] (0x0200): [CID#7] name 'abc12345' matched without domain, user is abc12345
(2022-08-24  2:05:41): [nss] [cache_req_set_name] (0x0400): [CID#7] CR #8: Setting name [abc12345]
(2022-08-24  2:05:41): [nss] [cache_req_search_send] (0x0400): [CID#7] CR #8: Looking up abc12345@hs-regensburg.de
(2022-08-24  2:05:41): [nss] [cache_req_search_ncache] (0x0400): [CID#7] CR #8: Checking negative cache for [abc12345@hs-regensburg.de]
(2022-08-24  2:05:41): [nss] [cache_req_search_ncache] (0x0400): [CID#7] CR #8: [abc12345@hs-regensburg.de] is not present in negative cache
(2022-08-24  2:05:41): [nss] [cache_req_search_cache] (0x0400): [CID#7] CR #8: Looking up [abc12345@hs-regensburg.de] in cache
(2022-08-24  2:05:41): [nss] [cache_req_search_cache] (0x0400): [CID#7] CR #8: Object [abc12345@hs-regensburg.de] was not found in cache
(2022-08-24  2:05:41): [nss] [cache_req_search_dp] (0x0400): [CID#7] CR #8: Looking up [abc12345@hs-regensburg.de] in data provider
(2022-08-24  2:05:41): [nss] [sss_dp_get_account_send] (0x0400): [CID#7] Creating request for [hs-regensburg.de][0x1][BE_REQ_USER][name=abc12345@hs-regensburg.de:-]
(2022-08-24  2:05:41): [nss] [cache_req_search_cache] (0x0400): [CID#7] CR #8: Looking up [abc12345@hs-regensburg.de] in cache
(2022-08-24  2:05:41): [nss] [cache_req_search_cache] (0x0400): [CID#7] CR #8: Object [abc12345@hs-regensburg.de] was not found in cache
(2022-08-24  2:05:41): [nss] [cache_req_search_ncache_add_to_domain] (0x0400): [CID#7] CR #8: Adding [abc12345@hs-regensburg.de] to negative cache
(2022-08-24  2:05:41): [nss] [sss_ncache_set_str] (0x0400): [CID#7] Adding [NCE/USER/hs-regensburg.de/abc12345@hs-regensburg.de] to negative cache
Sammy
  • `samaccountname` is just the name of an attribute ([used on Windows systems](https://docs.microsoft.com/en-us/windows/win32/ad/naming-properties#samaccountname)). In your `ldapsearch` command, you're searching for entries in which the value of `samaccountname` is `abc123456`. – larsks Aug 24 '22 at 03:31
  • When using ldap I can search directly for attributes. How do I search for samaccountname with sssd? – Sammy Aug 24 '22 at 11:27

1 Answer


It looks like you want to control what LDAP attribute SSSD uses to find your account name.

According to the sssd-ldap-attributes man page, when ldap_schema is set to rfc2307 (the default), rfc2307bis, or IPA, then ldap_user_name defaults to uid.

When ldap_schema is set to AD (for Active Directory), ldap_user_name defaults to sAMAccountName.

So possibly the simplest solution is to configure your SSSD instance to use the AD schema:

[domain/hs-regensburg.de]
id_provider = ldap
auth_provider = ldap
ldap_schema = AD

ldap_uri = ldaps://adldap.hs-regensburg.de/
ldap_search_base = dc=hs-regensburg,dc=de

ldap_default_bind_dn = CN=abc12345,OU=Studenten,OU=Benutzer,OU=EI,OU=HSR,DC=hs-regensburg,DC=de
#ldap_default_bind_dn = abc12345@hs-regensburg.de
ldap_default_authtok_type = password
ldap_default_authtok = insertPassword

cache_credentials = false

I can't test this myself (I don't have access to an AD instance). Most of the guides I've found online that document connecting SSSD to an Active Directory backend assume that you're using Kerberos authentication, so may not apply exactly to this situation, but they're probably worth reading (e.g., the sssd-ad(5) man page, the online docs, etc.).

larsks
  • Thanks a lot man! Now that I've got a working solution I can go from there. Still learning about this stuff and probably will break it again when trying this Kerberos-thing. – Sammy Aug 24 '22 at 14:52
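As an added example (not code from the answer, the question, or SSSD itself): a small POSIX shell check that reads an sssd.conf, derives the attribute SSSD will match a getent name against under the sssd-ldap-attributes(5) defaults the answer cites, and verifies the file mode, since ldap_default_authtok is stored in clear text. It assumes GNU stat and the constructed copy of the poster's config embedded in the block.

```shell
# Added example, not from the original post: report which LDAP attribute an
# sssd.conf makes SSSD match the login name against, and check that the file
# protects the clear-text ldap_default_authtok it holds. Defaults follow
# sssd-ldap-attributes(5): uid unless ldap_schema = AD (sAMAccountName);
# an explicit ldap_user_name wins.

# effective_user_name_attr FILE DOMAIN -> prints the attribute SSSD will search
effective_user_name_attr() {
    awk -v sect="[domain/$2]" '
        /^[[:space:]]*\[/ { insect = ($1 == sect); next }   # section header
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }    # comment or blank
        insect {
            i = index($0, "=")        # split on the FIRST "=" only, because
            if (i == 0) next          # bind DNs contain "=" themselves
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == "ldap_user_name") name = val
            if (key == "ldap_schema")    schema = tolower(val)
        }
        END {
            if (name != "")          print name
            else if (schema == "ad") print "sAMAccountName"
            else                     print "uid"
        }' "$1"
}

# config_mode_ok FILE -> true only for mode 0600. sssd also insists on root
# ownership and refuses to start otherwise: the bind password is stored in clear.
config_mode_ok() {
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Demo on a constructed copy of the poster's domain section (password redacted)
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[sssd]
domains = hs-regensburg.de
[domain/hs-regensburg.de]
id_provider = ldap
ldap_uri = ldaps://adldap.hs-regensburg.de/
ldap_default_bind_dn = CN=abc12345,OU=Studenten,OU=Benutzer,OU=EI,OU=HSR,DC=hs-regensburg,DC=de
ldap_default_authtok = REDACTED
EOF
echo "without ldap_schema:    $(effective_user_name_attr "$demo_conf" hs-regensburg.de)"
echo "ldap_schema = AD" >> "$demo_conf"
echo "with ldap_schema = AD:  $(effective_user_name_attr "$demo_conf" hs-regensburg.de)"
chmod 600 "$demo_conf" && config_mode_ok "$demo_conf" && echo "mode 0600: ok"
rm -f "$demo_conf"
```

After changing ldap_schema, restart sssd before re-running getent: Appendix 2 shows the lookup being answered from the in-memory negative cache, which would otherwise keep returning "Not found" for the old query.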