Rocky 9.3 + SSSD + Active Directory Domain Users

I am facing an issue with Domain Users (AD 2012R2) in Rocky 9.3 with sssd configuration.
Only users with Domain Admin are able to log in; other users, i.e. Domain Users

sssd config file

[sssd]
domains = example.com
config_file_version = 2
services = nss, pam
debug_level = 9

[domain/example.com]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = example.com
use_fully_qualified_names = False
ldap_id_mapping = False
access_provider = ad
enumerate = True

log messages in sssd_nss.log

[nss] [sysdb_enumpwent_filter] (0x1000): [CID#9] Searching timestamp cache with [(objectCategory=user)]

  • (2024-02-05 12:44:22): [nss] [sysdb_cache_search_users] (0x2000): [CID#9] Search users with filter: (&(objectCategory=user)(objectCategory=user))

[nss] [cache_req_search_ncache_filter] (0x0400): [CID#8] CR #14: This request type does not support filtering result by negative cache

[nss] [cache_req_create_and_add_result] (0x0400): [CID#10] CR #17: Found 27 entries in domain

Domain Users entries are not getting listed when the "getent passwd" command is run.

How many users are in your domain (at least approximately)?

And do you get results running getent passwd {username} for specific domain users?

If your domain is large, enumeration will cause trouble for you. And “large” in this case is likely to be a lot smaller than you would think.

Around 200+ users are there in the domain. I enabled enumerate for checking; even after removing it and trying to fetch the user with getent passwd username, the output is blank. When I tried with my user name it gets the data; my user is a Domain Admin.

[root@rocky-01 ~]# getent passwd mkarigowda
mkarigowda:*:20835:400:Muralidhara Karigowda:/home/mkarigowda:/bin/tcsh
[root@rocky-01 ~]# getent passwd vgali

If I do ldapsearch for the user, the user data is displayed.

[root@rocky-01 ~]# /usr/bin/ldapsearch -LLL -x -H ldap://xxxx.com -D "CN=ldapadmin,OU=service-accounts,OU=systems,OU=users,OU=active,OU=xxxxx,DC=xxxx,DC=com" -b "DC=xxxx,DC=com" -s sub "sAMAccountName=vgali" cn uidNumber gidNumber unixHomeDirectory -W
Enter LDAP Password:
dn: CN=vgali,OU=Enable_USB_DVD_Access,OU=users,OU=active,OU=xxxx,DC=xxxx,DC=com
cn: vgali
uidNumber: 21153
gidNumber: 400
unixHomeDirectory: /home/vgali

#refldap://ForestDnsZones.xxxxx.com/DC=ForestDnsZones,DC=xxxxx,DC=com

#refldap://DomainDnsZones.xxxxx.com/DC=DomainDnsZones,DC=xxxx,DC=com

#refldap://xxxx.com/CN=Configuration,DC=xxxx,DC=com

Output of ldapsearch for my user:

dn: CN=Muralidhara Karigowda,OU=users,OU=systems,OU=users,OU=active,OU=xxxx,DC=xxxxx,DC=com
cn: Muralidhara Karigowda
uidNumber: 20835
gidNumber: 400
unixHomeDirectory: /home/mkarigowda

Here are some steps I’d recommend to troubleshoot the issue.

  1. Check permissions on the active directory objects to make sure object permissions are not the problem. For both the mkarigowda and vgali accounts, check the effective permissions that your rocky-01 computer object has on the accounts. (You should see read access to many attributes, but mostly you’ll want to confirm whether effective access is the same to both accounts.)

  2. Try to get some “clean” log data from when the system queries one of the accounts that you’re having trouble with (e.g. vgali).

    • Turn off enumeration
    • Leave your debug_level setting unchanged
    • Restart sssd
    • Clear sssd’s cache (i.e. run sss_cache -E)
    • Wait a minute or two without running anything that would cause a user lookup
    • Run date; getent passwd vgali; date

Use the timestamps output from the date commands to help identify relevant entries from the sssd logs.

Object permissions for both mkarigowda and vgali are the same. As suggested, I cleared the logs, and after I ran the command there was no output in the terminal and no logs were generated for that timestamp.
I checked all the log files: cssd_xxx.domain.log, sssd.log, sssd_pac.log, sssd_pam.log, sssd_nss.log.

I checked sssd_xxxx.com.log and came across the below message.

Try adding debug_level = 9 under the [domain/example.com] section in your SSSD config file.

It may also be worthwhile manually clearing SSSD’s cache before running date; getent passwd vgali; date, i.e.:

systemctl stop sssd
rm /var/lib/sss/db/*
systemctl start sssd

Enabled debug_level = 9 under [domain/example.com] and cleared the logs by executing the command systemctl stop sssd ; rm -rf /var/db/nscd/* ; rm -rf /var/lib/sss/mc/* ; rm -rf /var/lib/sss/db/* ; systemctl start sssd .
Find the sssd_example.com.log below.

(2024-02-08 18:35:44): [be[example.com]] [sbus_dispatch] (0x4000): Dispatching.
(2024-02-08 18:35:44): [be[example.com]] [sbus_dispatch] (0x4000): Dispatching.
(2024-02-08 18:35:44): [be[example.com]] [sbus_method_handler] (0x2000): Received D-Bus method sssd.dataprovider.getAccountInfo on /sssd
(2024-02-08 18:35:44): [be[example.com]] [sbus_senders_lookup] (0x2000): Looking for identity of sender [sssd.nss]
(2024-02-08 18:35:44): [be[example.com]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=vgali@example.com]
(2024-02-08 18:35:44): [be[example.com]] [dp_attach_req] (0x0400): [RID#2] DP Request [Account #2]: REQ_TRACE: New request. [sssd.nss CID #1] Flags [0x0001].
(2024-02-08 18:35:44): [be[example.com]] [dp_attach_req] (0x0400): [RID#2] Number of active DP request: 1
(2024-02-08 18:35:44): [be[example.com]] [sss_domain_get_state] (0x1000): [RID#2] Domain example.com is Active
(2024-02-08 18:35:44): [be[example.com]] [sss_domain_get_state] (0x1000): [RID#2] Domain example.com is Active
(2024-02-08 18:35:44): [be[example.com]] [sdap_id_op_connect_step] (0x4000): [RID#2] reusing cached connection
(2024-02-08 18:35:44): [be[example.com]] [sdap_id_conn_data_not_idle] (0x4000): [RID#2] Marking connection as not idle
(2024-02-08 18:35:44): [be[example.com]] [sdap_search_user_next_base] (0x0400): [RID#2] Searching for users with base [DC=example,DC=com]
(2024-02-08 18:35:44): [be[example.com]] [sdap_print_server] (0x2000): [RID#2] Searching 10.184.2.1:389
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_step] (0x0400): [RID#2] calling ldap_search_ext with [(&(sAMAccountName=vgali)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][DC=example,DC=com].
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [objectClass]
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [sAMAccountName]
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [unixUserPassword]
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [uidNumber]
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [gidNumber]
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [gecos]
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [unixHomeDirectory]
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [loginShell]
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [userPrincipalName]
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [name]
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [memberOf]
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [objectGUID]
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [objectSID]
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [primaryGroupID]
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [whenChanged]
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [uSNChanged]
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [accountExpires]
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [userAccountControl]
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [userCertificate;binary]
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [mail]
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [altSecurityIdentities]
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_step] (0x2000): [RID#2] ldap_search_ext called, msgid = 16
(2024-02-08 18:35:44): [be[example.com]] [sdap_op_add] (0x2000): [RID#2] New operation 16 timeout 6
(2024-02-08 18:35:44): [be[example.com]] [sdap_process_result] (0x2000): Trace: sh[0x5654f2bdfb30], connected[1], ops[0x5654f2bc8d60], ldap[0x5654f2c7a1f0]
(2024-02-08 18:35:44): [be[example.com]] [sdap_process_message] (0x4000): [RID#2] Message type: [LDAP_RES_SEARCH_REFERENCE]
(2024-02-08 18:35:44): [be[example.com]] [sdap_call_op_callback] (0x20000): [RID#2] Handling LDAP operation [16][server: [10.184.2.1:389] filter: [(&(sAMAccountName=vgali)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))] base: [DC=example,DC=com]] took [0.690] milliseconds.
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_add_references] (0x1000): [RID#2] Additional References: ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com
(2024-02-08 18:35:44): [be[example.com]] [sdap_process_result] (0x2000): Trace: sh[0x5654f2bdfb30], connected[1], ops[0x5654f2bc8d60], ldap[0x5654f2c7a1f0]
(2024-02-08 18:35:44): [be[example.com]] [sdap_process_message] (0x4000): [RID#2] Message type: [LDAP_RES_SEARCH_REFERENCE]
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_add_references] (0x1000): [RID#2] Additional References: ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com
(2024-02-08 18:35:44): [be[example.com]] [sdap_process_result] (0x2000): Trace: sh[0x5654f2bdfb30], connected[1], ops[0x5654f2bc8d60], ldap[0x5654f2c7a1f0]
(2024-02-08 18:35:44): [be[example.com]] [sdap_process_message] (0x4000): [RID#2] Message type: [LDAP_RES_SEARCH_REFERENCE]
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_add_references] (0x1000): [RID#2] Additional References: ldap://example.com/CN=Configuration,DC=example,DC=com
(2024-02-08 18:35:44): [be[example.com]] [sdap_process_result] (0x2000): Trace: sh[0x5654f2bdfb30], connected[1], ops[0x5654f2bc8d60], ldap[0x5654f2c7a1f0]
(2024-02-08 18:35:44): [be[example.com]] [sdap_process_message] (0x4000): [RID#2] Message type: [LDAP_RES_SEARCH_RESULT]
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_op_finished] (0x0400): [RID#2] Search result: Success(0), no errmsg set
(2024-02-08 18:35:44): [be[example.com]] [sdap_op_destructor] (0x2000): [RID#2] Operation 16 finished
(2024-02-08 18:35:44): [be[example.com]] [generic_ext_search_handler] (0x4000): [RID#2] Request included referrals which were ignored.
(2024-02-08 18:35:44): [be[example.com]] [generic_ext_search_handler] (0x4000): [RID#2]     Ref: ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com
(2024-02-08 18:35:44): [be[example.com]] [generic_ext_search_handler] (0x4000): [RID#2]     Ref: ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com
(2024-02-08 18:35:44): [be[example.com]] [generic_ext_search_handler] (0x4000): [RID#2]     Ref: ldap://example.com/CN=Configuration,DC=example,DC=com
(2024-02-08 18:35:44): [be[example.com]] [sdap_search_user_process] (0x0400): [RID#2] Search for users, returned 0 results.
(2024-02-08 18:35:44): [be[example.com]] [sdap_search_user_process] (0x2000): [RID#2] Retrieved total 0 users
(2024-02-08 18:35:44): [be[example.com]] [sdap_id_op_done] (0x4000): [RID#2] releasing operation connection
(2024-02-08 18:35:44): [be[example.com]] [sdap_id_conn_data_idle] (0x4000): [RID#2] Marking connection as idle
(2024-02-08 18:35:44): [be[example.com]] [sysdb_search_by_name] (0x0400): [RID#2] No such entry
(2024-02-08 18:35:44): [be[example.com]] [sysdb_cache_search_groups] (0x2000): [RID#2] Search groups with filter: (&(objectCategory=group)(ghost=vgali@example.com))
(2024-02-08 18:35:44): [be[example.com]] [sysdb_cache_search_groups] (0x2000): [RID#2] No such entry
(2024-02-08 18:35:44): [be[example.com]] [sysdb_delete_user] (0x0400): [RID#2] Error: 2 (No such file or directory)
(2024-02-08 18:35:44): [be[example.com]] [dp_req_done] (0x0400): [RID#2] DP Request [Account #2]: Request handler finished [0]: Success
(2024-02-08 18:35:44): [be[example.com]] [dp_req_done] (0x20000): [RID#2] DP Request [Account #2]: Handling request took [1.111] milliseconds.
(2024-02-08 18:35:44): [be[example.com]] [_dp_req_recv] (0x0400): [RID#2] DP Request [Account #2]: Receiving request data.
(2024-02-08 18:35:44): [be[example.com]] [dp_req_destructor] (0x0400): [RID#2] DP Request [Account #2]: Request removed.
(2024-02-08 18:35:44): [be[example.com]] [dp_req_destructor] (0x0400): [RID#2] Number of active DP request: 0
(2024-02-08 18:35:44): [be[example.com]] [dp_req_reply_std] (0x1000): [RID#2] DP Request [Account #2]: Returning [Success]: 0,0,Success
(2024-02-08 18:35:44): [be[example.com]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.getAccountInfo: Success
(2024-02-08 18:35:44): [be[example.com]] [sdap_process_result] (0x2000): Trace: sh[0x5654f2bdfb30], connected[1], ops[(nil)], ldap[0x5654f2c7a1f0]
(2024-02-08 18:35:44): [be[example.com]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(2024-02-08 18:35:44): [be[example.com]] [sbus_dispatch] (0x4000): Dispatching.

Find the sssd_example.com.log for the user mkarigowda.

(2024-02-08 18:52:34): [be[example.com]] [sbus_dispatch] (0x4000): Dispatching.
(2024-02-08 18:52:34): [be[example.com]] [sbus_dispatch] (0x4000): Dispatching.
(2024-02-08 18:52:34): [be[example.com]] [sbus_method_handler] (0x2000): Received D-Bus method sssd.dataprovider.getAccountInfo on /sssd
(2024-02-08 18:52:34): [be[example.com]] [sbus_senders_lookup] (0x2000): Looking for identity of sender [sssd.nss]
(2024-02-08 18:52:34): [be[example.com]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=mkarigowda@example.com]
(2024-02-08 18:52:34): [be[example.com]] [dp_attach_req] (0x0400): [RID#3] DP Request [Account #3]: REQ_TRACE: New request. [sssd.nss CID #2] Flags [0x0001].
(2024-02-08 18:52:34): [be[example.com]] [dp_attach_req] (0x0400): [RID#3] Number of active DP request: 1
(2024-02-08 18:52:34): [be[example.com]] [sss_domain_get_state] (0x1000): [RID#3] Domain example.com is Active
(2024-02-08 18:52:34): [be[example.com]] [sss_domain_get_state] (0x1000): [RID#3] Domain example.com is Active
(2024-02-08 18:52:34): [be[example.com]] [sdap_id_op_connect_step] (0x4000): [RID#3] reusing cached connection
(2024-02-08 18:52:34): [be[example.com]] [sdap_id_conn_data_not_idle] (0x4000): [RID#3] Marking connection as not idle
(2024-02-08 18:52:34): [be[example.com]] [sdap_search_user_next_base] (0x0400): [RID#3] Searching for users with base [DC=example,DC=com]
(2024-02-08 18:52:34): [be[example.com]] [sdap_print_server] (0x2000): [RID#3] Searching 10.184.2.1:389
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_step] (0x0400): [RID#3] calling ldap_search_ext with [(&(sAMAccountName=mkarigowda)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][DC=example,DC=com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [objectClass]
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [sAMAccountName]
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [unixUserPassword]
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [uidNumber]
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [gidNumber]
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [gecos]
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [unixHomeDirectory]
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [loginShell]
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [userPrincipalName]
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [name]
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [memberOf]
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [objectGUID]
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [objectSID]
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [primaryGroupID]
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [whenChanged]
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [uSNChanged]
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [accountExpires]
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [userAccountControl]
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [userCertificate;binary]
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [mail]
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [altSecurityIdentities]
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_step] (0x2000): [RID#3] ldap_search_ext called, msgid = 13
(2024-02-08 18:52:34): [be[example.com]] [sdap_op_add] (0x2000): [RID#3] New operation 13 timeout 6
(2024-02-08 18:52:34): [be[example.com]] [sdap_process_result] (0x2000): Trace: sh[0x560c1ed6aff0], connected[1], ops[0x560c1ee0c430], ldap[0x560c1edfcdb0]
(2024-02-08 18:52:34): [be[example.com]] [sdap_process_message] (0x4000): [RID#3] Message type: [LDAP_RES_SEARCH_ENTRY]
(2024-02-08 18:52:34): [be[example.com]] [sdap_call_op_callback] (0x20000): [RID#3] Handling LDAP operation [13][server: [10.184.2.1:389] filter: [(&(sAMAccountName=mkarigowda)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))] base: [DC=example,DC=com]] took [1.855] milliseconds.
(2024-02-08 18:52:34): [be[example.com]] [sdap_parse_entry] (0x1000): [RID#3] OriginalDN: [CN=Muralidhara Karigowda,OU=users,OU=systems,OU=users,OU=active,OU=example,DC=example,DC=com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_parse_range] (0x2000): [RID#3] No sub-attributes for [objectClass]
(2024-02-08 18:52:34): [be[example.com]] [sdap_parse_range] (0x2000): [RID#3] No sub-attributes for [whenChanged]
(2024-02-08 18:52:34): [be[example.com]] [sdap_parse_range] (0x2000): [RID#3] No sub-attributes for [memberOf]
(2024-02-08 18:52:34): [be[example.com]] [sdap_parse_range] (0x2000): [RID#3] No sub-attributes for [uSNChanged]
(2024-02-08 18:52:34): [be[example.com]] [sdap_parse_range] (0x2000): [RID#3] No sub-attributes for [name]
(2024-02-08 18:52:34): [be[example.com]] [sdap_parse_range] (0x2000): [RID#3] No sub-attributes for [objectGUID]
(2024-02-08 18:52:34): [be[example.com]] [sdap_parse_range] (0x2000): [RID#3] No sub-attributes for [userAccountControl]
(2024-02-08 18:52:34): [be[example.com]] [sdap_parse_range] (0x2000): [RID#3] No sub-attributes for [primaryGroupID]
(2024-02-08 18:52:34): [be[example.com]] [sdap_parse_range] (0x2000): [RID#3] No sub-attributes for [objectSid]
(2024-02-08 18:52:34): [be[example.com]] [sdap_parse_range] (0x2000): [RID#3] No sub-attributes for [accountExpires]
(2024-02-08 18:52:34): [be[example.com]] [sdap_parse_range] (0x2000): [RID#3] No sub-attributes for [sAMAccountName]
(2024-02-08 18:52:34): [be[example.com]] [sdap_parse_range] (0x2000): [RID#3] No sub-attributes for [userPrincipalName]
(2024-02-08 18:52:34): [be[example.com]] [sdap_parse_range] (0x2000): [RID#3] No sub-attributes for [mail]
(2024-02-08 18:52:34): [be[example.com]] [sdap_parse_range] (0x2000): [RID#3] No sub-attributes for [uidNumber]
(2024-02-08 18:52:34): [be[example.com]] [sdap_parse_range] (0x2000): [RID#3] No sub-attributes for [gidNumber]
(2024-02-08 18:52:34): [be[example.com]] [sdap_parse_range] (0x2000): [RID#3] No sub-attributes for [unixHomeDirectory]
(2024-02-08 18:52:34): [be[example.com]] [sdap_parse_range] (0x2000): [RID#3] No sub-attributes for [loginShell]
(2024-02-08 18:52:34): [be[example.com]] [sdap_process_result] (0x2000): Trace: sh[0x560c1ed6aff0], connected[1], ops[0x560c1ee0c430], ldap[0x560c1edfcdb0]
(2024-02-08 18:52:34): [be[example.com]] [sdap_process_message] (0x4000): [RID#3] Message type: [LDAP_RES_SEARCH_REFERENCE]
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_add_references] (0x1000): [RID#3] Additional References: ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com
(2024-02-08 18:52:34): [be[example.com]] [sdap_process_result] (0x2000): Trace: sh[0x560c1ed6aff0], connected[1], ops[0x560c1ee0c430], ldap[0x560c1edfcdb0]
(2024-02-08 18:52:34): [be[example.com]] [sdap_process_message] (0x4000): [RID#3] Message type: [LDAP_RES_SEARCH_REFERENCE]
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_add_references] (0x1000): [RID#3] Additional References: ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com
(2024-02-08 18:52:34): [be[example.com]] [sdap_process_result] (0x2000): Trace: sh[0x560c1ed6aff0], connected[1], ops[0x560c1ee0c430], ldap[0x560c1edfcdb0]
(2024-02-08 18:52:34): [be[example.com]] [sdap_process_message] (0x4000): [RID#3] Message type: [LDAP_RES_SEARCH_REFERENCE]
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_add_references] (0x1000): [RID#3] Additional References: ldap://example.com/CN=Configuration,DC=example,DC=com
(2024-02-08 18:52:34): [be[example.com]] [sdap_process_result] (0x2000): Trace: sh[0x560c1ed6aff0], connected[1], ops[0x560c1ee0c430], ldap[0x560c1edfcdb0]
(2024-02-08 18:52:34): [be[example.com]] [sdap_process_message] (0x4000): [RID#3] Message type: [LDAP_RES_SEARCH_RESULT]
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_op_finished] (0x0400): [RID#3] Search result: Success(0), no errmsg set
(2024-02-08 18:52:34): [be[example.com]] [sdap_op_destructor] (0x2000): [RID#3] Operation 13 finished
(2024-02-08 18:52:34): [be[example.com]] [generic_ext_search_handler] (0x4000): [RID#3] Request included referrals which were ignored.
(2024-02-08 18:52:34): [be[example.com]] [generic_ext_search_handler] (0x4000): [RID#3]     Ref: ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com
(2024-02-08 18:52:34): [be[example.com]] [generic_ext_search_handler] (0x4000): [RID#3]     Ref: ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com
(2024-02-08 18:52:34): [be[example.com]] [generic_ext_search_handler] (0x4000): [RID#3]     Ref: ldap://example.com/CN=Configuration,DC=example,DC=com
(2024-02-08 18:52:34): [be[example.com]] [sdap_search_user_process] (0x0400): [RID#3] Search for users, returned 1 results.
(2024-02-08 18:52:34): [be[example.com]] [sdap_search_user_process] (0x2000): [RID#3] Retrieved total 1 users
(2024-02-08 18:52:34): [be[example.com]] [sdap_save_user] (0x0400): [RID#3] Save user
(2024-02-08 18:52:34): [be[example.com]] [sss_domain_get_state] (0x1000): [RID#3] Domain example.com is Active
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_primary_name] (0x0400): [RID#3] Processing object mkarigowda
(2024-02-08 18:52:34): [be[example.com]] [sdap_save_user] (0x0400): [RID#3] Processing user mkarigowda@example.com
(2024-02-08 18:52:34): [be[example.com]] [sdap_save_user] (0x2000): [RID#3] Adding originalDN [CN=Muralidhara Karigowda,OU=users,OU=systems,OU=users,OU=active,OU=example,DC=example,DC=com] to attributes of [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_save_user] (0x0400): [RID#3] Adding original memberOf attributes to [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] Adding original mod-Timestamp [20240201101402.0Z] to attributes of [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_save_user] (0x0400): [RID#3] Adding user principal [mkarigowda@D2-INDIA.COM] to attributes of [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] shadowLastChange is not available for [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] shadowMin is not available for [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] shadowMax is not available for [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] shadowWarning is not available for [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] shadowInactive is not available for [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] shadowExpire is not available for [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] shadowFlag is not available for [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] krbLastPwdChange is not available for [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] krbPasswordExpiration is not available for [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] pwdAttribute is not available for [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] authorizedService is not available for [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] Adding adAccountExpires [9223372036854775807] to attributes of [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] Adding adUserAccountControl [512] to attributes of [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] nsAccountLock is not available for [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] authorizedHost is not available for [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] authorizedRHost is not available for [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] ndsLoginDisabled is not available for [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] ndsLoginExpirationTime is not available for [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] ndsLoginAllowedTimeMap is not available for [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] sshPublicKey is not available for [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] authType is not available for [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] userCertificate is not available for [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] Adding mail [mkarigowda@d2.com] to attributes of [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#3] userPasskey is not available for [mkarigowda@example.com].
(2024-02-08 18:52:34): [be[example.com]] [sysdb_attrs_get_aliases] (0x2000): [RID#3] Domain is case-insensitive; will add lowercased aliases
(2024-02-08 18:52:34): [be[example.com]] [sdap_save_user] (0x0400): [RID#3] Storing info for user mkarigowda@example.com
(2024-02-08 18:52:34): [be[example.com]] [sysdb_search_by_name] (0x0400): [RID#3] No such entry
(2024-02-08 18:52:34): [be[example.com]] [sysdb_store_user] (0x1000): [RID#3] User mkarigowda@example.com does not exist.
(2024-02-08 18:52:34): [be[example.com]] [sysdb_search_user_by_uid] (0x0400): [RID#3] No such entry
(2024-02-08 18:52:34): [be[example.com]] [sysdb_ldb_msg_difference] (0x2000): [RID#3] Added attr [objectSIDString] to entry [name=mkarigowda@example.com,cn=users,cn=example.com,cn=sysdb]
(2024-02-08 18:52:34): [be[example.com]] [sysdb_set_entry_attr] (0x0200): [RID#3] Entry [name=mkarigowda@example.com,cn=users,cn=example.com,cn=sysdb] has set [cache, ts_cache] attrs.
(2024-02-08 18:52:34): [be[example.com]] [sysdb_store_user] (0x0400): [RID#3] User "mkarigowda@example.com" has been stored
(2024-02-08 18:52:34): [be[example.com]] [sdap_save_users] (0x4000): [RID#3] User 0 processed!
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_users_done] (0x4000): [RID#3] Saving 1 Users - Done
(2024-02-08 18:52:34): [be[example.com]] [sdap_id_op_done] (0x4000): [RID#3] releasing operation connection
(2024-02-08 18:52:34): [be[example.com]] [sdap_id_conn_data_idle] (0x4000): [RID#3] Marking connection as idle
(2024-02-08 18:52:34): [be[example.com]] [dp_req_done] (0x0400): [RID#3] DP Request [Account #3]: Request handler finished [0]: Success
(2024-02-08 18:52:34): [be[example.com]] [dp_req_done] (0x20000): [RID#3] DP Request [Account #3]: Handling request took [55.899] milliseconds.
(2024-02-08 18:52:34): [be[example.com]] [_dp_req_recv] (0x0400): [RID#3] DP Request [Account #3]: Receiving request data.
(2024-02-08 18:52:34): [be[example.com]] [dp_req_destructor] (0x0400): [RID#3] DP Request [Account #3]: Request removed.
(2024-02-08 18:52:34): [be[example.com]] [dp_req_destructor] (0x0400): [RID#3] Number of active DP request: 0
(2024-02-08 18:52:34): [be[example.com]] [dp_req_reply_std] (0x1000): [RID#3] DP Request [Account #3]: Returning [Success]: 0,0,Success
(2024-02-08 18:52:34): [be[example.com]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.getAccountInfo: Success
(2024-02-08 18:52:34): [be[example.com]] [sdap_process_result] (0x2000): Trace: sh[0x560c1ed6aff0], connected[1], ops[(nil)], ldap[0x560c1edfcdb0]
(2024-02-08 18:52:34): [be[example.com]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(2024-02-08 18:52:34): [be[example.com]] [sbus_dispatch] (0x4000): Dispatching.
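
Added example (not part of the original thread and not SSSD code): a small parser for the backend log format posted above. It narrows the log to a time window, as the troubleshooting steps suggest doing with the `date` output, and pairs each lookup with the LDAP filter SSSD sent and the number of users returned. The function names are hypothetical, the window is given in the log's own timestamp format, and the sample lines are shortened from the posts, with the last result line constructed.

```python
import re
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"
# "(timestamp): [component] [function] (level): message"; a leading "*" or
# bullet (seen on one line in the thread) is tolerated.
LINE_RE = re.compile(
    r"^\s*(?:[*\u2022]\s+)?\((\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\): "
    r"\[(.+?)\] \[(\w+)\] \((0x[0-9a-fA-F]+)\): (.*)$"
)
GOT_REQ_RE = re.compile(r"Got request for \[0x[0-9a-fA-F]+\]\[(\w+)\]\[name=([^\]]+)\]")
NEW_REQ_RE = re.compile(r"\[RID#(\d+)\] DP Request \[[^\]]*\]: REQ_TRACE: New request")
SEARCH_RE = re.compile(r"\[RID#(\d+)\] calling ldap_search_ext with \[(.+)\]\[([^\]]*)\]\.?$")
RESULT_RE = re.compile(r"\[RID#(\d+)\] Search for users, returned (\d+) results")

# Constructed sample: lines shortened from the thread; the final result line
# is constructed (the thread's last log is cut off before it).
SAMPLE_LOG = """\
(2024-02-08 18:35:44): [be[example.com]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=vgali@example.com]
(2024-02-08 18:35:44): [be[example.com]] [dp_attach_req] (0x0400): [RID#2] DP Request [Account #2]: REQ_TRACE: New request. [sssd.nss CID #1] Flags [0x0001].
(2024-02-08 18:35:44): [be[example.com]] [sdap_get_generic_ext_step] (0x0400): [RID#2] calling ldap_search_ext with [(&(sAMAccountName=vgali)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][DC=example,DC=com].
(2024-02-08 18:35:44): [be[example.com]] [sdap_search_user_process] (0x0400): [RID#2] Search for users, returned 0 results.
(2024-02-08 18:52:34): [be[example.com]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=mkarigowda@example.com]
(2024-02-08 18:52:34): [be[example.com]] [dp_attach_req] (0x0400): [RID#3] DP Request [Account #3]: REQ_TRACE: New request. [sssd.nss CID #2] Flags [0x0001].
(2024-02-08 18:52:34): [be[example.com]] [sdap_get_generic_ext_step] (0x0400): [RID#3] calling ldap_search_ext with [(&(sAMAccountName=mkarigowda)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][DC=example,DC=com].
(2024-02-08 18:52:34): [be[example.com]] [sdap_search_user_process] (0x0400): [RID#3] Search for users, returned 1 results.
(2024-02-08 19:18:11): [be[example.com]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=vgali@example.com]
(2024-02-08 19:18:11): [be[example.com]] [dp_attach_req] (0x0400): [RID#2] DP Request [Account #2]: REQ_TRACE: New request. [sssd.nss CID #1] Flags [0x0001].
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_step] (0x0400): [RID#2] calling ldap_search_ext with [(&(sAMAccountName=vgali)(objectclass=user)(sAMAccountName=*)(objectSID=*))][DC=example,DC=com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_search_user_process] (0x0400): [RID#2] Search for users, returned 1 results.
"""


def summarize_lookups(log_text, start=None, end=None):
    """Return one record per backend request seen between start and end.

    start/end are optional "YYYY-MM-DD HH:MM:SS" strings (inclusive).
    RID numbers restart when sssd restarts, so every "New request" line
    opens a fresh record instead of reusing an older one with the same RID.
    """
    lo = datetime.strptime(start, TS_FMT) if start else None
    hi = datetime.strptime(end, TS_FMT) if end else None
    records, open_by_rid, pending = [], {}, None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), TS_FMT)
        if (lo and ts < lo) or (hi and ts > hi):
            continue
        msg = m.group(5)
        if (g := GOT_REQ_RE.search(msg)):
            # This line carries no RID tag; hold it for the next "New request".
            pending = (g.group(1), g.group(2))
        elif (n := NEW_REQ_RE.search(msg)):
            rec = {"time": m.group(1), "rid": int(n.group(1)),
                   "type": pending[0] if pending else None,
                   "name": pending[1] if pending else None,
                   "filter": None, "base": None, "results": None}
            pending = None
            records.append(rec)
            open_by_rid[rec["rid"]] = rec
        elif (s := SEARCH_RE.search(msg)):
            rec = open_by_rid.get(int(s.group(1)))
            # Keep only the user search: ignore searches after its result.
            if rec and rec["results"] is None:
                rec["filter"], rec["base"] = s.group(2), s.group(3)
        elif (r := RESULT_RE.search(msg)):
            rec = open_by_rid.get(int(r.group(1)))
            if rec and rec["results"] is None:
                rec["results"] = int(r.group(2))
    return records


def flag_empty_posix_lookups(records):
    """Lookups that matched nothing while the filter required uidNumber."""
    return [r for r in records
            if r["results"] == 0 and r["filter"] and "uidNumber=*" in r["filter"]]


if __name__ == "__main__":
    for rec in summarize_lookups(SAMPLE_LOG):
        print(rec["time"], f"RID#{rec['rid']}", rec["name"],
              "results:", rec["results"], "filter:", rec["filter"])
    for rec in flag_empty_posix_lookups(summarize_lookups(SAMPLE_LOG)):
        print("no entry matched a filter requiring uidNumber:", rec["name"])
```

A flagged record means the search matched no entry under a filter that requires a non-zero uidNumber; running ldapsearch with that same filter under the host's own credentials checks what that identity can read.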

Please use the formatting tools when posting thx. Otherwise posts end up way too long instead of putting the logs or whatever in a code section. I’ve edited both your above posts, so you can see how it’s done.

I enabled ldap_id_mapping = True. Terminal output for getent passwd vgali:

[root@rocky-01 ~]# date ; getent passwd vgali ; date
Thu Feb 8 07:20:52 PM IST 2024
vgali:*:246402469:246400513:vgali:/home/vgali@example.com:/bin/bash
Thu Feb 8 07:20:52 PM IST 2024

Find the sssd log output for vgali.

(2024-02-08 19:18:11): [be[example.com]] [sbus_method_handler] (0x2000): Received D-Bus method sssd.dataprovider.getAccountInfo on /sssd
(2024-02-08 19:18:11): [be[example.com]] [sbus_senders_lookup] (0x2000): Looking for identity of sender [sssd.nss]
(2024-02-08 19:18:11): [be[example.com]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=vgali@example.com]
(2024-02-08 19:18:11): [be[example.com]] [dp_attach_req] (0x0400): [RID#2] DP Request [Account #2]: REQ_TRACE: New request. [sssd.nss CID #1] Flags [0x0001].
(2024-02-08 19:18:11): [be[example.com]] [dp_attach_req] (0x0400): [RID#2] Number of active DP request: 1
(2024-02-08 19:18:11): [be[example.com]] [sss_domain_get_state] (0x1000): [RID#2] Domain example.com is Active
(2024-02-08 19:18:11): [be[example.com]] [sss_domain_get_state] (0x1000): [RID#2] Domain example.com is Active
(2024-02-08 19:18:11): [be[example.com]] [sdap_id_op_connect_step] (0x4000): [RID#2] reusing cached connection
(2024-02-08 19:18:11): [be[example.com]] [sdap_id_conn_data_not_idle] (0x4000): [RID#2] Marking connection as not idle
(2024-02-08 19:18:11): [be[example.com]] [sdap_search_user_next_base] (0x0400): [RID#2] Searching for users with base [DC=example,DC=com]
(2024-02-08 19:18:11): [be[example.com]] [sdap_print_server] (0x2000): [RID#2] Searching 10.184.2.1:389
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_step] (0x0400): [RID#2] calling ldap_search_ext with [(&(sAMAccountName=vgali)(objectclass=user)(sAMAccountName=*)(objectSID=*))][DC=example,DC=com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [objectClass]
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [sAMAccountName]
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [unixUserPassword]
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [uidNumber]
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [gidNumber]
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [gecos]
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [unixHomeDirectory]
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [loginShell]
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [userPrincipalName]
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [name]
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [memberOf]
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [objectGUID]
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [objectSID]
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [primaryGroupID]
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [whenChanged]
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [uSNChanged]
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [accountExpires]
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [userAccountControl]
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [userCertificate;binary]
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [mail]
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_step] (0x1000): [RID#2] Requesting attrs: [altSecurityIdentities]
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_step] (0x2000): [RID#2] ldap_search_ext called, msgid = 7
(2024-02-08 19:18:11): [be[example.com]] [sdap_op_add] (0x2000): [RID#2] New operation 7 timeout 6
(2024-02-08 19:18:11): [be[example.com]] [sdap_process_result] (0x2000): Trace: sh[0x55c4d2dcab90], connected[1], ops[0x55c4d2ed8660], ldap[0x55c4d2e6b2f0]
(2024-02-08 19:18:11): [be[example.com]] [sdap_process_message] (0x4000): [RID#2] Message type: [LDAP_RES_SEARCH_ENTRY]
(2024-02-08 19:18:11): [be[example.com]] [sdap_call_op_callback] (0x20000): [RID#2] Handling LDAP operation [7][server: [10.184.2.1:389] filter: [(&(sAMAccountName=vgali)(objectclass=user)(sAMAccountName=*)(objectSID=*))] base: [DC=example,DC=com]] took [1.406] milliseconds.
(2024-02-08 19:18:11): [be[example.com]] [sdap_parse_entry] (0x1000): [RID#2] OriginalDN: [CN=vgali,OU=Enable_USB_DVD_Access,OU=users,OU=active,OU=example,DC=example,DC=com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_parse_range] (0x2000): [RID#2] No sub-attributes for [objectClass]
(2024-02-08 19:18:11): [be[example.com]] [sdap_parse_range] (0x2000): [RID#2] No sub-attributes for [name]
(2024-02-08 19:18:11): [be[example.com]] [sdap_parse_range] (0x2000): [RID#2] No sub-attributes for [objectGUID]
(2024-02-08 19:18:11): [be[example.com]] [sdap_parse_range] (0x2000): [RID#2] No sub-attributes for [primaryGroupID]
(2024-02-08 19:18:11): [be[example.com]] [sdap_parse_range] (0x2000): [RID#2] No sub-attributes for [objectSid]
(2024-02-08 19:18:11): [be[example.com]] [sdap_parse_range] (0x2000): [RID#2] No sub-attributes for [sAMAccountName]
(2024-02-08 19:18:11): [be[example.com]] [sdap_parse_range] (0x2000): [RID#2] No sub-attributes for [userPrincipalName]
(2024-02-08 19:18:11): [be[example.com]] [sdap_process_result] (0x2000): Trace: sh[0x55c4d2dcab90], connected[1], ops[0x55c4d2ed8660], ldap[0x55c4d2e6b2f0]
(2024-02-08 19:18:11): [be[example.com]] [sdap_process_message] (0x4000): [RID#2] Message type: [LDAP_RES_SEARCH_REFERENCE]
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_add_references] (0x1000): [RID#2] Additional References: ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com
(2024-02-08 19:18:11): [be[example.com]] [sdap_process_result] (0x2000): Trace: sh[0x55c4d2dcab90], connected[1], ops[0x55c4d2ed8660], ldap[0x55c4d2e6b2f0]
(2024-02-08 19:18:11): [be[example.com]] [sdap_process_result] (0x2000): Trace: sh[0x55c4d2dcab90], connected[1], ops[0x55c4d2ed8660], ldap[0x55c4d2e6b2f0]
(2024-02-08 19:18:11): [be[example.com]] [sdap_process_message] (0x4000): [RID#2] Message type: [LDAP_RES_SEARCH_REFERENCE]
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_add_references] (0x1000): [RID#2] Additional References: ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com
(2024-02-08 19:18:11): [be[example.com]] [sdap_process_result] (0x2000): Trace: sh[0x55c4d2dcab90], connected[1], ops[0x55c4d2ed8660], ldap[0x55c4d2e6b2f0]
(2024-02-08 19:18:11): [be[example.com]] [sdap_process_message] (0x4000): [RID#2] Message type: [LDAP_RES_SEARCH_REFERENCE]
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_ext_add_references] (0x1000): [RID#2] Additional References: ldap://example.com/CN=Configuration,DC=example,DC=com
(2024-02-08 19:18:11): [be[example.com]] [sdap_process_result] (0x2000): Trace: sh[0x55c4d2dcab90], connected[1], ops[0x55c4d2ed8660], ldap[0x55c4d2e6b2f0]
(2024-02-08 19:18:11): [be[example.com]] [sdap_process_message] (0x4000): [RID#2] Message type: [LDAP_RES_SEARCH_RESULT]
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_generic_op_finished] (0x0400): [RID#2] Search result: Success(0), no errmsg set
(2024-02-08 19:18:11): [be[example.com]] [sdap_op_destructor] (0x2000): [RID#2] Operation 7 finished
(2024-02-08 19:18:11): [be[example.com]] [generic_ext_search_handler] (0x4000): [RID#2] Request included referrals which were ignored.
(2024-02-08 19:18:11): [be[example.com]] [generic_ext_search_handler] (0x4000): [RID#2]     Ref: ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com
(2024-02-08 19:18:11): [be[example.com]] [generic_ext_search_handler] (0x4000): [RID#2]     Ref: ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com
(2024-02-08 19:18:11): [be[example.com]] [generic_ext_search_handler] (0x4000): [RID#2]     Ref: ldap://example.com/CN=Configuration,DC=example,DC=com
(2024-02-08 19:18:11): [be[example.com]] [sdap_search_user_process] (0x0400): [RID#2] Search for users, returned 1 results.
(2024-02-08 19:18:11): [be[example.com]] [sdap_search_user_process] (0x2000): [RID#2] Retrieved total 1 users
(2024-02-08 19:18:11): [be[example.com]] [sdap_save_user] (0x0400): [RID#2] Save user
(2024-02-08 19:18:11): [be[example.com]] [sss_domain_get_state] (0x1000): [RID#2] Domain example.com is Active
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_primary_name] (0x0400): [RID#2] Processing object vgali
(2024-02-08 19:18:11): [be[example.com]] [sdap_save_user] (0x0400): [RID#2] Processing user vgali@example.com
(2024-02-08 19:18:11): [be[example.com]] [sdap_save_user] (0x1000): [RID#2] Mapping user [vgali@example.com] objectSID [S-1-5-21-1035762764-4156966091-4111642161-2469] to unix ID
(2024-02-08 19:18:11): [be[example.com]] [sdap_save_user] (0x2000): [RID#2] Adding originalDN [CN=vgali,OU=Enable_USB_DVD_Access,OU=users,OU=active,OU=example,DC=example,DC=com] to attributes of [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_save_user] (0x0400): [RID#2] Original memberOf is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#2] original mod-Timestamp is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_save_user] (0x0400): [RID#2] Original USN value is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_save_user] (0x0400): [RID#2] Adding user principal [vgali@D2-INDIA.COM] to attributes of [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#2] shadowLastChange is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#2] shadowMin is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#2] shadowMax is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#2] shadowWarning is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#2] shadowInactive is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#2] shadowExpire is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#2] shadowFlag is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#2] krbLastPwdChange is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#2] krbPasswordExpiration is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#2] pwdAttribute is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#2] authorizedService is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#2] adAccountExpires is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#2] adUserAccountControl is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#2] nsAccountLock is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#2] authorizedHost is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#2] authorizedRHost is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#2] ndsLoginDisabled is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#2] ndsLoginExpirationTime is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#2] ndsLoginAllowedTimeMap is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#2] sshPublicKey is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#2] authType is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#2] userCertificate is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#2] mail is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#2] userPasskey is not available for [vgali@example.com].
(2024-02-08 19:18:11): [be[example.com]] [sysdb_attrs_get_aliases] (0x2000): [RID#2] Domain is case-insensitive; will add lowercased aliases
(2024-02-08 19:18:11): [be[example.com]] [sdap_save_user] (0x0400): [RID#2] Storing info for user vgali@example.com
(2024-02-08 19:18:11): [be[example.com]] [sysdb_search_by_name] (0x0400): [RID#2] No such entry
(2024-02-08 19:18:11): [be[example.com]] [sysdb_store_user] (0x1000): [RID#2] User vgali@example.com does not exist.
(2024-02-08 19:18:11): [be[example.com]] [sysdb_search_user_by_uid] (0x0400): [RID#2] No such entry
(2024-02-08 19:18:11): [be[example.com]] [sysdb_ldb_msg_difference] (0x2000): [RID#2] Added attr [objectSIDString] to entry [name=vgali@example.com,cn=users,cn=example.com,cn=sysdb]
(2024-02-08 19:18:11): [be[example.com]] [sysdb_set_entry_attr] (0x0200): [RID#2] Entry [name=vgali@example.com,cn=users,cn=example.com,cn=sysdb] has set [cache, ts_cache] attrs.
(2024-02-08 19:18:11): [be[example.com]] [sysdb_store_user] (0x0400): [RID#2] User "vgali@example.com" has been stored
(2024-02-08 19:18:11): [be[example.com]] [sdap_save_users] (0x4000): [RID#2] User 0 processed!
(2024-02-08 19:18:11): [be[example.com]] [sdap_get_users_done] (0x4000): [RID#2] Saving 1 Users - Done
(2024-02-08 19:18:11): [be[example.com]] [sdap_id_op_done] (0x4000): [RID#2] releasing operation connection

If this was winbind (and sssd is based on winbind) I would turn off nscd, it can do very strange things.

Based on this last getent passwd command and the log output, it appears that the lookup for the vgali user was successful. Is the vgali user (or any other non-Domain Admin user) able to log in now?

If ldap_id_mapping is false you have to manually add POSIX attributes to AD users, otherwise sssd/getent won’t see them.

The same goes for groups, you need to add gidNumber to them. Not sure if it works for “Domain Users” as it is a special group in AD.

It's sssd; nscd is disabled and stopped.

None of the non-Domain Admin users are able to log in. I need to add them as Domain Admin and wait for it to sync, then the user will be able to log in; later, if I remove him from Domain Admin, he will still be able to log in.

POSIX attributes / Unix attributes are already present for the Domain Users.

Are there any relevant log entries in /var/log/secure from when a non-Domain Admin tries to log in?

Find the /var/log/secure output for the non-domain admin.

Feb  9 09:52:06 hb-rocky-01 sshd[4141604]: Invalid user roc from 10.191.1.2 port 52624
Feb  9 09:52:12 hb-rocky-01 sshd[4141604]: pam_unix(sshd:auth): check pass; user unknown
Feb  9 09:52:12 hb-rocky-01 sshd[4141604]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.191.1.2
Feb  9 09:52:12 hb-rocky-01 sshd[4141604]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.191.1.2 user=roc
Feb  9 09:52:12 hb-rocky-01 sshd[4141604]: pam_sss(sshd:auth): received for user roc: 10 (User not known to the underlying authentication module)
Feb  9 09:52:13 hb-rocky-01 sshd[4141604]: Failed password for invalid user roc from 10.191.1.2 port 52624 ssh2
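
The /var/log/secure excerpt above, run through a small triage script that separates "user does not resolve" from other pam_sss failures. This is an added example, not part of the original post; the second session in the sample (user alice) is constructed, and the verdict names are this example's own.

```python
import re
from collections import defaultdict

# First session copied from the excerpt above; the second session
# (user "alice", PID 4141700) is constructed for contrast.
SAMPLE = """\
Feb  9 09:52:06 hb-rocky-01 sshd[4141604]: Invalid user roc from 10.191.1.2 port 52624
Feb  9 09:52:12 hb-rocky-01 sshd[4141604]: pam_unix(sshd:auth): check pass; user unknown
Feb  9 09:52:12 hb-rocky-01 sshd[4141604]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.191.1.2 user=roc
Feb  9 09:52:12 hb-rocky-01 sshd[4141604]: pam_sss(sshd:auth): received for user roc: 10 (User not known to the underlying authentication module)
Feb  9 09:52:13 hb-rocky-01 sshd[4141604]: Failed password for invalid user roc from 10.191.1.2 port 52624 ssh2
Feb  9 09:53:40 hb-rocky-01 sshd[4141700]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.191.1.2 user=alice
Feb  9 09:53:40 hb-rocky-01 sshd[4141700]: pam_sss(sshd:auth): received for user alice: 7 (Authentication failure)
Feb  9 09:53:42 hb-rocky-01 sshd[4141700]: Failed password for alice from 10.191.1.2 port 52630 ssh2
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
INVALID = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)")
PAM_SSS = re.compile(r"^pam_sss\(sshd:\w+\): .*? for user (?P<user>\S+): (?P<code>\d+) \(")
FAILED = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def verdict(invalid_user, pam_codes):
    """Map sshd/pam_sss evidence to the layer that failed (Linux-PAM codes)."""
    codes = set(pam_codes)
    if invalid_user or 10 in codes:   # PAM_USER_UNKNOWN: NSS lookup failed
        return "identity"             # fix getent passwd <user> first
    if 9 in codes:                    # PAM_AUTHINFO_UNAVAIL
        return "backend"
    if 6 in codes:                    # PAM_PERM_DENIED
        return "access"
    if 7 in codes:                    # PAM_AUTH_ERR
        return "credentials"
    return "other"


def triage(text):
    """Group sshd lines by PID and return {pid: (user, source_ip, verdict)}."""
    sessions = defaultdict(
        lambda: {"user": None, "src": None, "invalid": False, "codes": []}
    )
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        s, msg = sessions[m["pid"]], m["msg"]
        if (i := INVALID.match(msg)):
            s.update(user=i["user"], src=i["ip"], invalid=True)
        elif (p := PAM_SSS.match(msg)):
            s["user"] = s["user"] or p["user"]
            s["codes"].append(int(p["code"]))
        elif (f := FAILED.match(msg)):
            s["user"] = s["user"] or f["user"]
            s["src"] = s["src"] or f["ip"]
    return {
        pid: (s["user"], s["src"], verdict(s["invalid"], s["codes"]))
        for pid, s in sessions.items()
    }


if __name__ == "__main__":
    for pid, (user, src, why) in triage(SAMPLE).items():
        print(f"sshd[{pid}] user={user} from={src} -> {why}")
```

An "identity" verdict means sshd never got a passwd entry for the name, so the password was never the problem.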

Based on this log output, I expect that you do not see any output from getent passwd roc. Is this correct?

If you can’t get output from getent passwd {username} for a given user, then there is still a problem resolving that user and the user will not be able to log in.

Below is a description of my configuration. Even if it isn’t suitable for your needs, it may be a good reference to start from just to see if you can get it working properly.


My Configuration (For Reference)

In the configurations I use, we don’t have UNIX attributes stored in Active Directory.

I always install the packages: realmd PackageKit krb5-workstation adcli sssd-ad sssd-tools

I don’t make any manual modifications to /etc/sssd/sssd.conf. Instead, before joining the domain, I create the configuration file /etc/sssd/conf.d/ad.example.com.conf with the following content:

[domain/ad.example.com]
ldap_idmap_range_min = 800200000
ldap_idmap_range_max = 810200000
ldap_idmap_range_size = 10000000
ldap_idmap_autorid_compat = True
auto_private_groups = True
access_provider = simple
simple_allow_groups = Linux_Users
ignore_group_members = True
use_fully_qualified_names = False
override_homedir = /home/%u

(The explanation for these settings can be found in man sssd.conf, man sssd-ad, and man sssd-ldap.)

Then I join the domain with the command realm -v join --user={myusername} ad.example.com
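
How the ldap_idmap_range_* settings turn an objectSID into a uid, checked against the vgali SID and getent output posted earlier in the thread. This is an added example, not code from the thread or from SSSD. It assumes the defaults documented in man sssd-ldap (min 200000, max 2000200000, size 200000) were in effect for the ldap_id_mapping = True test, and it recovers the slice from the observed uid instead of recomputing SSSD's hash of the domain SID.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IdmapRange:
    """The three ldap_idmap_range_* options from sssd.conf."""
    range_min: int
    range_max: int
    range_size: int

    @property
    def slices(self):
        # Number of per-domain slices the range is divided into.
        return (self.range_max - self.range_min) // self.range_size

    def compose(self, slice_no, rid):
        """Unix ID for a RID inside the domain's primary slice."""
        if not 0 <= slice_no < self.slices:
            raise ValueError(f"slice {slice_no} outside 0..{self.slices - 1}")
        if not 0 <= rid < self.range_size:
            raise ValueError(f"RID {rid} does not fit in the primary slice")
        return self.range_min + slice_no * self.range_size + rid

    def decompose(self, unix_id):
        """Inverse of compose(): return (slice_no, rid) for a mapped ID."""
        top = self.range_min + self.slices * self.range_size
        if not self.range_min <= unix_id < top:
            raise ValueError(f"{unix_id} is outside the ID-mapping range")
        return divmod(unix_id - self.range_min, self.range_size)


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID string: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def check_mapping(sid, unix_id, rng):
    """Does unix_id carry the RID of sid under the given range settings?"""
    domain_sid, rid = split_sid(sid)
    slice_no, offset = rng.decompose(unix_id)
    return {"domain_sid": domain_sid, "rid": rid,
            "slice": slice_no, "matches": offset == rid}


# Defaults from man sssd-ldap (assumed to apply to the test in the thread).
SSSD_DEFAULTS = IdmapRange(200000, 2000200000, 200000)
# Values from the conf.d snippet above.
REPLY_CONF = IdmapRange(800200000, 810200000, 10000000)

# Values copied from the thread: sdap_save_user log line and getent output.
VGALI_SID = "S-1-5-21-1035762764-4156966091-4111642161-2469"
VGALI_UID = 246402469
VGALI_GID = 246400513

if __name__ == "__main__":
    print(check_mapping(VGALI_SID, VGALI_UID, SSSD_DEFAULTS))
    # The primary gid decomposes to the same slice with RID 513 (Domain Users).
    print(SSSD_DEFAULTS.decompose(VGALI_GID))
    # REPLY_CONF has a single slice, and ldap_idmap_autorid_compat = True
    # allocates slices from zero (man sssd-ldap), so the first domain seen
    # maps RIDs straight onto range_min.
    print(REPLY_CONF.slices, REPLY_CONF.compose(0, 2469))
```

By default the slice is chosen by hashing the domain SID (murmurhash3, per man sssd-ldap), which is why every client with the same range settings computes the same uid for vgali without any uidNumber in AD.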