On Wed, 2013-10-02 at 11:04 +0200, Sumit Bose wrote:
On Tue, Oct 01, 2013 at 08:42:54AM +0200, steve wrote:
Hi,
After a lot of trial and error, I came up with this:
I had a look at the log files you sent.
About the 'Could not add new domain' log messages. These messages are expected if 'ldap_id_mapping=false' but I agree they are annoying and misleading, I'll try to fix that.
About the failing AD provider. I think the original issue is that the Global Catalog of your AD domain (it's a samba4 domain iirc) cannot be resolved. I'm currently not sure what is the reason here (failed CLDAP ping, failed DNS SRV lookup). Can you send log files with your original ipa_provider=ad configuration with a higher debug level (9 or 0xFFF0 would be best)? If you think the size of the log files is not suitable for a mailing list, feel free to send them directly to me. I hope the log files will also show why SSSD is not falling back to use the LDAP port instead of the Global Catalog.
bye, Sumit
Hi,
Attached is a d9 log with enumerate = false.
Everything is working fine with: enumerate = true
But fails with: enumerate = false
If you could lose the ldap_id_mapping=false errors (or, as I now understand, not errors), that would make the log clearer.
This is the only problem left. Thanks, Steve
[sssd]
#debug_level = 6
services = nss, pam, autofs
config_file_version = 2
domains = default

[nss]

[pam]

[autofs]

[domain/default]
#debug_level = 6
dyndns_update=true
ad_hostname = catral.hh3.site
ad_server = hh16.hh3.site
ad_domain = hh3.site

ldap_schema = ad
id_provider = ad
access_provider = ad
enumerate = true
cache_credentials = true
auth_provider = ad
chpass_provider = ad
krb5_realm = hh3.site
krb5_server = hh16.hh3.site
krb5_kpasswd = hh16.hh3.site

ldap_id_mapping=false
ldap_referrals = false
ldap_uri = ldap://hh16.hh3.site
ldap_search_base = dc=hh3,dc=site
ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
ldap_group_search_base = dc=hh3,dc=site
ldap_group_name = cn
ldap_group_member = member

ldap_sasl_mech = gssapi
ldap_sasl_authid = CATRAL$@HH3.SITE
krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true

autofs_provider=ldap

ldap_autofs_search_base = OU=automount,DC=hh3,DC=site
ldap_autofs_map_object_class = automountMap
ldap_autofs_entry_object_class = automount
ldap_autofs_map_name = automountMapName
ldap_autofs_entry_key = automountKey
ldap_autofs_entry_value = automountInformation
getent passwd and domain logins now work but please note only by filling the cache with: enumerate = true
With: enumerate = false getent passwd <username> returns nothing
These messages still remain:
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [ad_account_info_complete] (0x0010): Bug: dp_error is OK on failed request
(Tue Oct 1 08:41:33 2013) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 3, 11, Internal Error (Se ha agotado el número máximo de reintentos para el servicio) Will try to return what we have in cache
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_add_domain] (0x0020): Failed to calculate range for domain [S-1-5-21-451355595-2219208293-2714859210]: [10]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_find_new_domain] (0x0080): Could not add new domain [S-1-5-21-451355595-2219208293-2714859210]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not add new domain for sid [S-1-5-21-451355595-2219208293-2714859210]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_add_domain] (0x0020): Failed to calculate range for domain [S-1-5-21-451355595-2219208293-2714859210]: [10]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_find_new_domain] (0x0080): Could not add new domain [S-1-5-21-451355595-2219208293-2714859210]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not add new domain for sid [S-1-5-21-451355595-2219208293-2714859210-500]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_add_domain] (0x0020): Failed to calculate range for domain [S-1-5-21-451355595-2219208293-2714859210]: [10]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_find_new_domain] (0x0080): Could not add new domain [S-1-5-21-451355595-2219208293-2714859210]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not add new domain for sid [S-1-5-21-451355595-2219208293-2714859210-1106]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_add_domain] (0x0020): Failed to calculate range for domain [S-1-5-21-451355595-2219208293-2714859210]: [10]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_find_new_domain] (0x0080): Could not add new domain [S-1-5-21-451355595-2219208293-2714859210]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not add new domain for sid [S-1-5-21-451355595-2219208293-2714859210-1107]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_add_domain] (0x0020): Failed to calculate range for domain [S-1-5-21-451355595-2219208293-2714859210]: [10]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_find_new_domain] (0x0080): Could not add new domain [S-1-5-21-451355595-2219208293-2714859210]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not add new domain for sid [S-1-5-21-451355595-2219208293-2714859210-1108]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_add_domain] (0x0020): Failed to calculate range for domain [S-1-5-21-451355595-2219208293-2714859210]: [10]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_find_new_domain] (0x0080): Could not add new domain [S-1-5-21-451355595-2219208293-2714859210]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not add new domain for sid [S-1-5-21-451355595-2219208293-2714859210-1141]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_add_domain] (0x0020): Failed to calculate range for domain [S-1-5-21-451355595-2219208293-2714859210]: [10]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_find_new_domain] (0x0080): Could not add new domain [S-1-5-21-451355595-2219208293-2714859210]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not add new domain for sid [S-1-5-21-451355595-2219208293-2714859210-1109]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_add_domain] (0x0020): Failed to calculate range for domain [S-1-5-21-451355595-2219208293-2714859210]: [10]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_find_new_domain] (0x0080): Could not add new domain [S-1-5-21-451355595-2219208293-2714859210]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not add new domain for sid [S-1-5-21-451355595-2219208293-2714859210]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_add_domain] (0x0020): Failed to calculate range for domain [S-1-5-21-451355595-2219208293-2714859210]: [10]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_find_new_domain] (0x0080): Could not add new domain [S-1-5-21-451355595-2219208293-2714859210]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not add new domain for sid [S-1-5-21-451355595-2219208293-2714859210-513]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_add_domain] (0x0020): Failed to calculate range for domain [S-1-5-21-451355595-2219208293-2714859210]: [10]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_find_new_domain] (0x0080): Could not add new domain [S-1-5-21-451355595-2219208293-2714859210]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not add new domain for sid [S-1-5-21-451355595-2219208293-2714859210-1111]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_process_group_send] (0x0040): No Members. Done!
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_process_group_send] (0x0040): No Members. Done!
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_add_domain] (0x0020): Failed to calculate range for domain [S-1-5-21-451355595-2219208293-2714859210]: [10]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_find_new_domain] (0x0080): Could not add new domain [S-1-5-21-451355595-2219208293-2714859210]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not add new domain for sid [S-1-5-21-451355595-2219208293-2714859210-513]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_add_domain] (0x0020): Failed to calculate range for domain [S-1-5-21-451355595-2219208293-2714859210]: [10]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_find_new_domain] (0x0080): Could not add new domain [S-1-5-21-451355595-2219208293-2714859210]
(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not add new domain for sid [S-1-5-21-451355595-2219208293-2714859210-1111]
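
Added example, not part of the original message and not SSSD code: a triage script that drops the 'Could not add new domain' entries the thread describes as expected with ldap_id_mapping=false and collapses the remaining repeats, so the entries that matter stand out. The function name triage, the SAMPLE log and its placeholder SID are constructed for illustration.

```python
import re
from collections import Counter

# SSSD debug entry header: (timestamp) [process] [function] (0xLEVEL):
HEADER = re.compile(
    r"\((?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\) "
    r"\[(?P<proc>sssd\S*)\] \[(?P<func>\w+)\] \((?P<level>0x[0-9A-Fa-f]{4})\): "
)
# Message the thread calls expected when ldap_id_mapping=false.
EXPECTED_PREFIX = "Could not add new domain"

def triage(log_text, id_mapping=False):
    """Return (suppressed, rows); rows are (level, func, message, count),
    most severe first (a lower SSSD level bit means a more severe entry)."""
    headers = list(HEADER.finditer(log_text))
    suppressed, seen = 0, Counter()
    for i, h in enumerate(headers):
        # Entries may be run together on one line, so a message ends where
        # the next header starts rather than at a newline.
        end = headers[i + 1].start() if i + 1 < len(headers) else len(log_text)
        msg = " ".join(log_text[h.end():end].split())
        if not id_mapping and msg.startswith(EXPECTED_PREFIX):
            suppressed += 1
            continue
        seen[(int(h["level"], 16), h["func"], msg)] += 1
    return suppressed, [key + (n,) for key, n in sorted(seen.items())]

# Constructed sample in the format of the log above; the SID is a placeholder.
PREFIX = "(Tue Oct 1 08:41:33 2013) [sssd[be[default]]] "
SID = "S-1-5-21-1-2-3"

def idmap_burst(rid):
    """The three entries logged per SID lookup, as seen in the thread."""
    return (
        PREFIX + "[sdap_idmap_add_domain] (0x0020): Failed to calculate "
        "range for domain [" + SID + "]: [10] "
        + PREFIX + "[sdap_idmap_find_new_domain] (0x0080): "
        "Could not add new domain [" + SID + "] "
        + PREFIX + "[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): "
        "Could not add new domain for sid [" + SID + "-" + str(rid) + "] "
    )

SAMPLE = (
    PREFIX + "[ad_account_info_complete] (0x0010): "
    "Bug: dp_error is OK on failed request"
    + idmap_burst(500) + idmap_burst(513)
    + PREFIX + "[sdap_process_group_send] (0x0040): No Members. Done!"
)

if __name__ == "__main__":
    dropped, rows = triage(SAMPLE)
    print(f"suppressed {dropped} expected idmap entries")
    for level, func, msg, n in rows:
        print(f"{n:>3}x (0x{level:04x}) [{func}] {msg}")
```

Pass id_mapping=True when the domain uses algorithmic ID mapping, since in that case the same messages are not known to be benign and should stay in the output.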
sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel