On Mon, 2011-06-20 at 16:01 -0400, Johnny Tan wrote:
> This indicates that your hypothesis is probably correct. For one reason
> or another, the SSSD is operating in offline mode, and because the user
> has not previously logged in, they are not being granted access via
> cached credentials. sssd_LDAP.log will allow us to see why the
> connection is being considered offline.
Ok, I've included the sssd_LDAP.log for both a successful connection
(user = jt) and a failed connection (user = iambot). The successful
user pastebin:
http://pastebin.com/v105Tnbx
Failed user pastebin:
http://pastebin.com/Dghdhcsy
I see that the latter shows "backend" is offline, yet the former (just
13 seconds earlier) shows it's "working" and returning info.
What's going on?
Here's the relevant portion of the log.
(Mon Jun 20 19:33:28 2011) [sssd[be[LDAP]]] [sldb_request_callback] (6): LDB Error: 20 (member: value #0 already exists)
(Mon Jun 20 19:33:28 2011) [sssd[be[LDAP]]] [sysdb_op_default_done] (6): Error: 14 (Bad address)
(Mon Jun 20 19:33:28 2011) [sssd[be[LDAP]]] [sysdb_add_group_member_done] (6): Error: 14 (Bad address)
(Mon Jun 20 19:33:28 2011) [sssd[be[LDAP]]] [sdap_get_initgr_done] (9): Initgroups done
(Mon Jun 20 19:33:28 2011) [sssd[be[LDAP]]] [ldb] (9): cancel ldb transaction (nesting: 0)
(Mon Jun 20 19:33:28 2011) [sssd[be[LDAP]]] [be_mark_offline] (8): Going offline!
What's happening is that a critical failure is occurring when dealing
with this user (the "member: value #0 already exists" error) and this is
percolating up to SSSD as an offline error (because the data provider
cannot complete its operation, our best move is to attempt offline auth
to keep the user experience pleasant).
I'm not sure why you're seeing that particular error, but it should no
longer be present in the current releases of SSSD (which saw a total
rewrite of the related code to fix quite a lot of bugs).
In your original email, you showed that you were using SSSD on CentOS
5.5. I'd strongly suggest trying out SSSD from the RHEL 5.7 beta, which
contains a great many bugfixes.
You will need to grab a few other packages as well though (for
dependencies): openldap24-libs, libdhash, libini_config and
libcollection.
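
An added example (not part of the original message, and not SSSD code): a small Python script that scans an sssd_LDAP.log excerpt for be_mark_offline entries and lists the error entries logged just before each one, which is the pattern explained above. The function names, the 10-entry lookback and the match on the word "Error" are assumptions made for illustration; the sample input is the excerpt quoted in the message.

```python
import re

# Excerpt quoted in the message above, still wrapped as the mail client left it.
SAMPLE = """\
(Mon Jun 20 19:33:28 2011) [sssd[be[LDAP]]] [sldb_request_callback] (6):
LDB Error: 20 (member: value #0 already exists)
(Mon Jun 20 19:33:28 2011) [sssd[be[LDAP]]] [sysdb_op_default_done] (6):
Error: 14 (Bad address)
(Mon Jun 20 19:33:28 2011) [sssd[be[LDAP]]]
[sysdb_add_group_member_done] (6): Error: 14 (Bad address)
(Mon Jun 20 19:33:28 2011) [sssd[be[LDAP]]] [sdap_get_initgr_done] (9):
Initgroups done
(Mon Jun 20 19:33:28 2011) [sssd[be[LDAP]]] [ldb] (9): cancel ldb
transaction (nesting: 0)
(Mon Jun 20 19:33:28 2011) [sssd[be[LDAP]]] [be_mark_offline] (8): Going
offline!
"""

# (timestamp) [sssd[be[DOMAIN]]] [function] (debug level): message
ENTRY = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\]\s+"
                   r"\[(?P<func>[^\]]+)\] \((?P<level>\d+)\):\s*(?P<msg>.*)$")

def parse_entries(text):
    """Rejoin wrapped lines into one record per log entry, then parse each."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("(") and "[sssd[" in line:
            records.append(line)          # start of a new entry
        elif line and records:
            records[-1] += " " + line     # continuation of the previous one
    return [m.groupdict() for m in map(ENTRY.match, records) if m]

def offline_causes(text, lookback=10):
    """Per be_mark_offline entry, list prior entries containing 'Error' (assumed heuristic)."""
    entries = parse_entries(text)
    findings = []
    for i, entry in enumerate(entries):
        if entry["func"] != "be_mark_offline":
            continue
        prior = entries[max(0, i - lookback):i]
        errors = [p for p in prior if "Error" in p["msg"]]
        findings.append({"ts": entry["ts"], "domain": entry["domain"], "errors": errors})
    return findings

if __name__ == "__main__":
    for f in offline_causes(SAMPLE):
        print(f"{f['domain']} went offline at {f['ts']}; preceding errors:")
        for e in f["errors"]:
            print(f"  [{e['func']}] {e['msg']}")
```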