'no primary group ID provided' when trying to use ldap mode against AD
by Daniel Hermans
Hi,
I'd like to use sssd in ldap mode against Active Directory, so I have defined:
id_provider = ldap
auth_provider = ldap
Yes, krb5 would be better, but I only have a BIND account and cannot add computer objects.
This 'should' be possible - it works with nslcd. As I don't have POSIX attributes I'm using:
ldap_id_mapping = true
fallback_homedir = /home/%d/%u
default_shell = /bin/bash
sssd can bind with LDAPS and seems to get user info from the domain:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=Some User,OU=Admin Accounts,DC=dev,DC=somedomain,DC=com].
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_process_result] (0x2000): Trace: sh[0x7f5d15fbc030], connected[1], ops[0x7f5d1639d140], ldap[0x7f5d15fb5cd0]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_op_destructor] (0x2000): Operation 3 finished
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_search_user_process] (0x4000): Retrieved total 1 users
The UID mapping seems to succeed:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): Save user
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x4000): Failed to retrieve UUID [2][No such file or directory].
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): SID S-1-5-21-3970895924-989261097-3267629119-1443 does not belong to any known domain
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_get_primary_name] (0x0400): Processing object someuser
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): Processing user someuser
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x1000): Mapping user [someuser] objectSID [S-1-5-21-3970895924-989261097-3267629119-1443] to unix ID
But it gets no further with this message:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_get_idmap_primary_gid] (0x0080): no primary group ID provided
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0020): Cannot get the GID for [someuser] in domain [extdev].
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0020): Failed to save user [someuser]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
Have tried against two different domains with identical result (one a cleanly installed 2012R2 domain).
Any ideas what I'm doing wrong? Is this possible? Various (old) posts suggest it is.
This was first (incorrectly) posted to sssd-devel; Jakub Hrozek updated and told me to define ldap_idmap_default_domain_sid, so sssd no longer reports this:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): SID S-1-5-21-3970895924-989261097-3267629119-1443 does not belong to any known domain
Thanks in advance!!
7 years
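As an added example (not from the thread and not sssd's code), the Python helper below decodes the binary objectSid AD returns, derives from the S-1-5-21-... value in the log above the domain SID that ldap_idmap_default_domain_sid expects, builds the primary group SID that a primaryGroupID value would resolve to, and recomputes a mapped UID/GID from a slice index and RID. Assumptions: the binary SID is constructed from the logged string, the mapped-ID formula (slice base plus RID, with sssd's default range_min/range_size of 200000) is my reading of sssd's idmap with the slice number supplied by hand, and USER_SID, RANGE_MIN, RANGE_SIZE and all function names are mine.

```python
"""SID helpers for checking sssd ID mapping against AD.

Added example, not sssd's code. The SID string is the one from the log
in the post; the binary form and the slice index are constructed here."""
import struct

# objectSID reported in the post above.
USER_SID = "S-1-5-21-3970895924-989261097-3267629119-1443"

# sssd defaults for ldap_idmap_range_min and ldap_idmap_range_size.
RANGE_MIN = 200000
RANGE_SIZE = 200000


def sid_to_str(blob):
    """Decode the binary objectSid attribute AD returns into S-R-A-s1-...-sn form."""
    revision, sub_count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")             # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % sub_count, blob, 8)   # 32-bit, little-endian
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def str_to_sid(sid):
    """Inverse of sid_to_str; used here to build a constructed binary SID."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def domain_sid(sid):
    """Strip the trailing RID: the value ldap_idmap_default_domain_sid expects."""
    return sid.rsplit("-", 1)[0]


def rid(sid):
    """The relative identifier, i.e. the last sub-authority."""
    return int(sid.rsplit("-", 1)[1])


def primary_group_sid(user_sid, primary_group_id):
    """AD stores only a RID in primaryGroupID; the group SID is the user's
    domain SID plus that RID (513 is Domain Users by default)."""
    return "%s-%d" % (domain_sid(user_sid), primary_group_id)


def mapped_id(slice_index, object_rid, range_min=RANGE_MIN, range_size=RANGE_SIZE):
    """Assumed formula for sssd's algorithmic mapping: each domain owns a
    slice of range_size IDs and the ID is the slice base plus the RID.
    Which slice a domain gets is hashed from its SID; not reproduced here."""
    if not 0 <= object_rid < range_size:
        raise ValueError("RID %d does not fit in a slice of %d" % (object_rid, range_size))
    return range_min + slice_index * range_size + object_rid


def split_mapped_id(unix_id, range_min=RANGE_MIN, range_size=RANGE_SIZE):
    """Reverse a mapped ID seen in the logs into (slice_index, RID)."""
    if unix_id < range_min:
        raise ValueError("%d is below ldap_idmap_range_min" % unix_id)
    return divmod(unix_id - range_min, range_size)


if __name__ == "__main__":
    print("round trip:", sid_to_str(str_to_sid(USER_SID)))
    print("ldap_idmap_default_domain_sid =", domain_sid(USER_SID))
    print("primary group (if primaryGroupID=513):", primary_group_sid(USER_SID, 513))
    print("526800512 ->", split_mapped_id(526800512))   # (slice, RID)
```

A mapped ID like 526800512 splits into slice 2633 and RID 512, so a GID seen in a log can be checked against the configured range without touching the domain.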
Force LDAP SSL
by Troels Hansen
I'm trying to force SSSD to only communicate encrypted, because of company rules.
I think I'm missing something:
SSSD configured with: id_provider = ad
and DNS service resolution is enabled (default)
I have tried about every combination of:
ldap_id_use_start_tls = true
ldap_service_port = 636
ldap_tls_reqcert = allow
in sssd.conf [domain] section.
However, I can see SSSD LDAP connection over port 389.
# netstat -tanp | grep sssd_be
tcp 0 0 172.16.5.202:53520 172.16.1.241:389 ESTABLISHED 18080/sssd_be
Have I just missed something?
Do I need to pull the certificates from AD to make it work? I'm not really interested in verifying the certificates but only ensuring an encrypted channel.
7 years, 1 month
Conf.d merging
by Lesley Kimmel
All;
I'm using Puppet to configure sssd domains. Generally I am trying to add them via separate files under /etc/sssd/conf.d/. The question I have is how the [sssd]/domains parameter is merged. My guess is that the highest numbered config file under conf.d will take precedence.
If that is the case I think my best bet would be to exclude this parameter from all conf.d files and only use the parameter in sssd.conf to control which domains get configured.
It would be very useful if the domains parameter could be merged across all conf.d files so one could simply drop a new domain configuration and have it be used.
Thoughts?
Thanks!
-LJK
7 years, 1 month
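An added example (mine, not sssd's code) that emulates how sssd assembles its configuration from sssd.conf plus conf.d snippets, shows that a domains= line in a later snippet replaces rather than extends the list, and lists the [domain/...] sections that end up configured but never enabled. It assumes what I read sssd.conf(5) to say: snippets ending in .conf are read in alphabetical order after sssd.conf and a key set in a later file overrides the same key from an earlier one; the three file contents and all function names are constructed.

```python
"""Emulate how sssd assembles its configuration from sssd.conf plus
/etc/sssd/conf.d/*.conf, and show why a 'domains =' line in a snippet
replaces rather than extends the list.

Added example, not sssd's code. Assumption: snippets are read in
alphabetical order after sssd.conf and a later file overrides the same
key from an earlier one. File contents below are constructed."""
import configparser

CONFD = "/etc/sssd/conf.d/"

# Constructed stand-ins for sssd.conf and two Puppet-managed snippets.
FILES = {
    "/etc/sssd/sssd.conf": """
[sssd]
services = nss, pam
domains = corp.example
[domain/corp.example]
id_provider = ad
""",
    CONFD + "10-lab.conf": """
[sssd]
domains = lab.example
[domain/lab.example]
id_provider = ldap
""",
    CONFD + "20-dev.conf": """
[domain/dev.example]
id_provider = ldap
""",
}

def load_effective_config(files):
    """sssd.conf first, then conf.d/*.conf in name order; later files win."""
    cfg = configparser.ConfigParser(interpolation=None)
    order = [p for p in files if not p.startswith(CONFD)]
    order += sorted(p for p in files
                    if p.startswith(CONFD) and p.endswith(".conf")
                    and not p[len(CONFD):].startswith("."))
    for path in order:
        cfg.read_string(files[path], source=path)   # same key: last read wins
    return cfg

def enabled_domains(cfg):
    """What [sssd]/domains ends up as after the merge."""
    raw = cfg.get("sssd", "domains", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]

def configured_domains(cfg):
    """Every [domain/NAME] section present, whatever domains= says."""
    return sorted(s.split("/", 1)[1] for s in cfg.sections()
                  if s.startswith("domain/"))

def silently_disabled(cfg):
    """Domains that have a section but are not in the final domains list."""
    return sorted(set(configured_domains(cfg)) - set(enabled_domains(cfg)))

def merged_domains_line(files):
    """The line the poster would like sssd to derive: all configured domains."""
    return "domains = " + ", ".join(configured_domains(load_effective_config(files)))

if __name__ == "__main__":
    cfg = load_effective_config(FILES)
    print("enabled:", enabled_domains(cfg))
    print("configured but not enabled:", silently_disabled(cfg))
    print(merged_domains_line(FILES))
```

Running silently_disabled() as a post-deploy check catches the case the poster worries about, where a snippet quietly wins the domains= key and drops the domains from sssd.conf.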
SSSD finds group in AD but doesn't return it
by Joshua Schaeffer
Wondering if somebody can help me decipher why I don't get anything back when I run a getent group command, but in the SSSD logs I see that SSSD finds a group in Active Directory. I'm running this command, which returns nothing.
root@ultralisk:~# getent group 'WINNT\Domain Admins'
When I run that command, two SSSD logs get updated: my domain's log (sssd_WINNT.log) and the nss service log (sssd_nss.log). In the domain log I get the following:
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sbus_get_sender_id_send]
(0x2000): Not a sysbus message, quit
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [be_get_account_info]
(0x0100): Got request for [4098][1][name=domain admins]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [be_req_set_domain]
(0x0400): Changing request domain from [WINNT] to [WINNT]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_get_groups_next_base] (0x0400): Searching for groups with base
[DC=winnt,DC=harmonywave,DC=com]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(name=domain\20admins)(objectClass=group)(name=*))][DC=winnt,DC=harmonywave,DC=com].
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [groupType]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 10
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_process_result]
(0x2000): Trace: sh[0x1de3360], connected[1], ops[0x1df69b0],
ldap[0x1de9a20]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectClass]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_parse_range]
(0x2000): No sub-attributes for [member]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_parse_range]
(0x2000): No sub-attributes for [whenChanged]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_parse_range]
(0x2000): No sub-attributes for [uSNChanged]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_parse_range]
(0x2000): No sub-attributes for [name]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectSid]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_parse_range]
(0x2000): No sub-attributes for [groupType]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_process_result]
(0x2000): Trace: sh[0x1de3360], connected[1], ops[0x1df69b0],
ldap[0x1de9a20]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_process_result]
(0x2000): Trace: sh[0x1de3360], connected[1], ops[0x1df69b0],
ldap[0x1de9a20]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_process_result]
(0x2000): Trace: sh[0x1de3360], connected[1], ops[0x1df69b0],
ldap[0x1de9a20]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_process_result]
(0x2000): Trace: sh[0x1de3360], connected[1], ops[0x1df69b0],
ldap[0x1de9a20]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
set
* (Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_get_groups_process]
(0x0400): Search for groups, returned 1 results.*
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_has_deref_support]
(0x0400): The server supports deref method ASQ
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and
setting GID=0!
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_nested_group_process_send] (0x2000): About to process group
[CN=Domain Admins,CN=Users,DC=winnt,DC=harmonywave,DC=com]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sysdb_search_users]
(0x2000): Search users with filter:
(&(objectclass=user)(originalDN=CN=Administrator,CN=Users,DC=winnt,DC=harmonywave,DC=com))
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sysdb_search_users]
(0x2000): No such entry
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sysdb_search_groups]
(0x2000): Search groups with filter:
(&(objectclass=group)(originalDN=CN=Administrator,CN=Users,DC=winnt,DC=harmonywave,DC=com))
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sysdb_search_groups]
(0x2000): No such entry
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_nested_group_process_send] (0x2000): Looking up 1/1 members of group
[CN=Domain Admins,CN=Users,DC=winnt,DC=harmonywave,DC=com]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_nested_group_process_send] (0x2000): Members of group [CN=Domain
Admins,CN=Users,DC=winnt,DC=harmonywave,DC=com] will be processed
individually
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectclass=user)][CN=Administrator,CN=Users,DC=winnt,DC=harmonywave,DC=com].
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_process_result]
(0x2000): Trace: sh[0x1de3360], connected[1], ops[(nil)], ldap[0x1de9a20]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_process_result]
(0x2000): Trace: sh[0x1ddff30], connected[1], ops[0x1df7fe0],
ldap[0x1de7fd0]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectClass]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_parse_range]
(0x2000): No sub-attributes for [sAMAccountName]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_process_result]
(0x2000): Trace: sh[0x1ddff30], connected[1], ops[0x1df7fe0],
ldap[0x1de7fd0]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg
set
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_nested_group_recv]
(0x0400): 1 users found in the hash table
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_nested_group_recv]
(0x0400): 1 groups found in the hash table
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_get_primary_name]
(0x0400): Processing object Administrator
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sysdb_search_users]
(0x2000): Search users with filter:
(&(objectclass=user)(originalDN=CN=Administrator,CN=Users,DC=winnt,DC=harmonywave,DC=com))
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sysdb_search_users]
(0x2000): No such entry
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_get_primary_name]
(0x0400): Processing object Domain Admins
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_save_group]
(0x0400): Processing group Domain Admins
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_save_group]
(0x1000): Mapping group [Domain Admins] objectSID
[S-1-5-21-2962426039-599259981-477356674-512] to unix ID
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_attrs_add_ldap_attr]
(0x2000): Adding original DN [CN=Domain
Admins,CN=Users,DC=winnt,DC=harmonywave,DC=com] to attributes of [Domain
Admins].
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_attrs_add_ldap_attr]
(0x2000): Adding original mod-Timestamp [20170410191631.0Z] to attributes
of [Domain Admins].
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_process_ghost_members] (0x0400): The group has 1 members
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_process_ghost_members] (0x0400): Group has 1 members
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_process_ghost_members] (0x0400): Adding ghost member for group
[Administrator]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_save_group]
(0x0400): Storing info for group Domain Admins
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_get_primary_name]
(0x0400): Processing object Domain Admins
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_save_grpmem]
(0x0400): Processing group Domain Admins
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sysdb_search_users]
(0x2000): Search users with filter:
(&(objectclass=user)(gidNumber=526800512))
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sysdb_search_users]
(0x2000): No such entry
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_save_grpmem]
(0x0400): Adding member users to group [Domain Admins]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [acctinfo_callback]
(0x0100): Request processed. Returned 0,0,Success
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_process_result]
(0x2000): Trace: sh[0x1ddff30], connected[1], ops[(nil)], ldap[0x1de7fd0]
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
You can see a result is returned, and I can perform an ldapsearch with the same filter and get results myself. The sssd_nss.log file shows the following.
(Tue Apr 11 16:19:12 2017) [sssd[nss]] [accept_fd_handler] (0x0400):
Client connected!
(Tue Apr 11 16:19:12 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200):
Received client version [1].
(Tue Apr 11 16:19:12 2017) [sssd[nss]] [sss_cmd_get_version] (0x0200):
Offered version [1].
(Tue Apr 11 16:19:12 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0400):
Running command [33] with input [WINNT\Domain Admins].
(Tue Apr 11 16:19:12 2017) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'WINNT\Domain Admins' matched expression for domain 'WINNT',
user is Domain Admins
(Tue Apr 11 16:19:12 2017) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
Requesting info for [Domain Admins] from [WINNT]
(Tue Apr 11 16:19:12 2017) [sssd[nss]] [sss_ncache_check_str] (0x2000):
Checking negative cache for [NCE/GROUP/WINNT/domain admins]
(Tue Apr 11 16:19:12 2017) [sssd[nss]] [nss_cmd_getgrnam_search]
(0x0100): Requesting info for [domain admins@WINNT]
(Tue Apr 11 16:19:12 2017) [sssd[nss]] [sss_dp_issue_request] (0x0400):
Issuing request for [0x4189f0:2:domain admins@WINNT]
(Tue Apr 11 16:19:12 2017) [sssd[nss]] [sss_dp_get_account_msg]
(0x0400): Creating request for [WINNT][4098][1][name=domain admins]
(Tue Apr 11 16:19:12 2017) [sssd[nss]] [sbus_add_timeout] (0x2000):
0x225c8e0
(Tue Apr 11 16:19:12 2017) [sssd[nss]] [sss_dp_internal_get_send]
(0x0400): Entering request [0x4189f0:2:domain admins@WINNT]
(Tue Apr 11 16:19:12 2017) [sssd[nss]] [sbus_remove_timeout] (0x2000):
0x225c8e0
(Tue Apr 11 16:19:12 2017) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got
reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Tue Apr 11 16:19:12 2017) [sssd[nss]] [sss_ncache_check_str] (0x2000):
Checking negative cache for [NCE/GROUP/WINNT/domain admins]
(Tue Apr 11 16:19:12 2017) [sssd[nss]] [nss_cmd_getgrnam_search]
(0x0100): Requesting info for [domain admins@WINNT]
(Tue Apr 11 16:19:12 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400):
Adding [NCE/GROUP/WINNT/domain admins] to negative cache
(Tue Apr 11 16:19:12 2017) [sssd[nss]] [nss_cmd_getgrnam_search]
(0x0040): No results for getgrnam call
(Tue Apr 11 16:19:12 2017) [sssd[nss]] [sss_dp_req_destructor]
(0x0400): Deleting request: [0x4189f0:2:domain admins@WINNT]
(Tue Apr 11 16:19:12 2017) [sssd[nss]] [client_recv] (0x0200): Client
disconnected!
(Tue Apr 11 16:19:12 2017) [sssd[nss]] [client_destructor] (0x2000):
Terminated client [0x226bc00][24]
I see a few odd items in the logs, but I'm not really sure I understand what they're saying. Does anyone see why I wouldn't get anything back from getent? By the way, I can do a getent on users and I get results back.
Thanks,
Joshua Schaeffer
7 years, 1 month
groups
by Thomas Beaudry
Hi,
Sometimes when I ssh to an Ubuntu machine that is using sssd to connect to a Windows AD, I get the following error:
groups: cannot find name for group ID 891504278
groups: cannot find name for group ID 891504279
groups: cannot find name for group ID 891504280
groups: cannot find name for group ID 891504527
This problem doesn't always happen (maybe 1 out of 10 logins). Is there a way to troubleshoot this? Or cache this group information?
Thanks,
Thomas
7 years, 1 month
Well known SIDs and sssd
by smfrench@gmail.com
The sssd man page notes limited support for Well-Known SIDs: "SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a special hardcoded meaning. Since the generic users and groups related to those Well-Known SIDs have no equivalent in a Linux/UNIX environment no POSIX IDs are available for those objects" - but doesn't indicate which ones are supported; see https://msdn.microsoft.com/en-us/library/windows/desktop/aa379649(v=vs.85...
In a typical environment (or does RHEL have an AD script for this already), do you do as we have been doing and manually map these to POSIX groups ("net groupmap add Administrators ...", "net groupmap add Users ...", "net groupmap add Guests ..." and "net groupmap add Authenticated Users ..."), or does sssd with the winbind plugin take care of this in a different way?
7 years, 1 month
GSSAPI errors after configuring SSSD.
by Abhijit Tikekar
Hi,
Trying to configure SSSD on a CentOS server and running into some issues. Hoping to get some guidance here...
All the install steps are successful and at the end "net ads testjoin" confirms that the join is valid. The computer object gets created in AD (Windows). But authentication attempts result in access denied, and the following is recorded in the logs (log level for the domain set to 2):
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init]
(0x0020): No selinux module provided for [xyz.local] !!
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init]
(0x0020): No host info module provided for [xyz.local] !!
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040):
SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more
information (Server not found in Kerberos database)
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020):
ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]]
[sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed
[11]: Resource temporarily unavailable
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040):
Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send]
(0x0020): No available servers for service 'AD'
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done]
(0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send]
(0x0020): No available servers for service 'AD'
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done]
(0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040):
SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more
information (Server not found in Kerberos database)
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020):
ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040):
SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more
information (Server not found in Kerberos database)
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020):
ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
[sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed
[11]: Resource temporarily unavailable
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040):
Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send]
(0x0020): No available servers for service 'AD'
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done]
(0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
[sdap_dyndns_update_addrs_done] (0x0040): Can't get addresses for DNS update
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
[ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed
[1432158234]: Dynamic DNS update not possible while offline
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_dyndns_nsupdate_done]
(0x0040): Updating DNS entry failed [1432158234]: Dynamic DNS update not
possible while offline
I see a couple of obvious errors here, mainly the ones for SASL: GSSAPI and "Failed to connect, going offline (5 [Input/output error])", although I'm not sure if they are all related to a common failure.
Also, when I try to use ldapsearch directly, it gives the same SASL error.
# ldapsearch -H ldap://AD-Server.xyz.local/ -Y GSSAPI -N -b "dc=xyz,dc=local" "(&(objectClass=user)(sAMAccountName=first.last))"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
Here is sssd.conf:
[sssd]
domains = XYZ.LOCAL
services = nss, pam, sudo
config_file_version = 2
debug_level = 0
[nss]
[pam]
[sudo]
debug_level=2
[domain/xyz.local]
debug_level=2
ad_server = AD-Server.xyz.local
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
ldap_id_mapping = true
ldap_use_tokengroups = False
ldap_sasl_mech = GSSAPI
krb5_realm = XYZ.LOCAL
ldap_uri = ldap://AD-Server.xyz.local
ldap_sudo_search_base = ou=Groups,dc=xyz,dc=local
ldap_user_search_base = dc=xyz,dc=local
ldap_user_object_class = user
ldap_group_search_base = ou=Groups,dc=xyz,dc=local
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_access_filter = ...
cache_credentials = true
override_homedir = /home/%d/%u
default_shell = /bin/bash
ldap_schema = ad
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HOSTNAME$@XYZ.LOCAL
Valid starting Expires Service principal
04/04/17 13:58:20 04/04/17 23:58:05 krbtgt/XYZ.LOCAL@XYZ.LOCAL
renew until 04/11/17 13:58:20
04/04/17 14:00:09 04/04/17 23:58:05 ldap/AD-server.xyz.local@XYZ.LOCAL
renew until 04/11/17 13:58:20
# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/hostname.xyz.local@XYZ.LOCAL
2 host/hostname.xyz.local@XYZ.LOCAL
2 host/hostname.xyz.local@XYZ.LOCAL
2 host/hostname.xyz.local@XYZ.LOCAL
2 host/hostname.xyz.local@XYZ.LOCAL
2 host/hostname@XYZ.LOCAL
2 host/hostname@XYZ.LOCAL
2 host/hostname@XYZ.LOCAL
2 host/hostname@XYZ.LOCAL
2 host/hostname@XYZ.LOCAL
2 HOSTNAME$@XYZ.LOCAL
2 HOSTNAME$@XYZ.LOCAL
2 HOSTNAME$@XYZ.LOCAL
2 HOSTNAME$@XYZ.LOCAL
2 HOSTNAME$@XYZ.LOCAL
# net ads testjoin
Join is OK
Please let me know if I need to increase the logging level to capture additional details.
Many Thanks,
~ Abhi
7 years, 1 month
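An added example (mine, not sssd's code) serving both the getent-returns-nothing post and the GSSAPI post above: it re-joins sssd debug-log records that the mailing list wrapped across lines, parses each into its timestamp, component, function, level and message, and attaches a what-to-check hint to the lines that most often explain an empty getent or a failed bind. The sample records are shortened copies of lines quoted in those two posts, the hint texts are mine, and RECORD, HINTS and the function names are constructed.

```python
"""Flag the sssd debug-log lines that usually explain an empty getent
or a failed GSSAPI bind, after re-joining records that mail wrapping
split. Added example, not sssd's code; the hints are the author's."""
import re

# A record starts with "(Wkd Mon DD HH:MM:SS YYYY)"; any other line is a
# continuation produced by the mail client wrapping long lines.
RECORD_START = re.compile(r"^\([A-Z][a-z]{2} [A-Z][a-z]{2} +\d")
RECORD = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<comp>.+?)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")

# (message pattern, what to check when it appears)
HINTS = [(re.compile(p), h) for p, h in [
    (r"Adding \[NCE/[^\]]+\] to negative cache",
     "responder got nothing usable; negatively cached until entry_negative_timeout"),
    (r"Marking group as non-posix and setting GID=0",
     "group had no usable GID here; check its ID mapping or gidNumber"),
    (r"No results for getgrnam call",
     "no group in the cache even though the backend request reported success"),
    (r"Server not found in Kerberos database",
     "client asked for an SPN the KDC lacks; check ad_server/ldap_uri, DNS, ticket SPN"),
    (r"No available servers for service '[^']+'",
     "failover gave up on every server; usually follows the bind failures"),
]]

def unwrap(text):
    """Re-join records that were wrapped onto several lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.rstrip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def parse_records(text):
    """Split each record into ts, comp, func, level and msg fields."""
    out = []
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if m:
            out.append(m.groupdict())
    return out

def analyze(text):
    """Return the records matching a known diagnostic, hint attached."""
    findings = []
    for rec in parse_records(text):
        for pattern, hint in HINTS:
            if pattern.search(rec["msg"]):
                findings.append(dict(rec, hint=hint))
                break
    return findings

# Constructed sample: shortened copies of lines from the two posts above,
# wrapped the way the list archive shows them.
SAMPLE = """\
(Tue Apr 11 16:13:42 2017) [sssd[be[WINNT]]]
[sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and
setting GID=0!
(Tue Apr 11 16:19:12 2017) [sssd[nss]] [sss_ncache_set_str] (0x0400):
Adding [NCE/GROUP/WINNT/domain admins] to negative cache
(Tue Apr 11 16:19:12 2017) [sssd[nss]] [nss_cmd_getgrnam_search]
(0x0040): No results for getgrnam call
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040):
SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more
information (Server not found in Kerberos database)
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send]
(0x0020): No available servers for service 'AD'
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print("%s [%s] %s\n    -> %s" % (f["ts"], f["func"], f["msg"], f["hint"]))
```

On a live system the same functions work on the unwrapped files under /var/log/sssd/, where every record is already one line.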