full_name_format and supplemental groups
by Orion Poplawski
Running IPA with an AD trust. Users are in AD. Trying to use
full_name_format = %1$s to strip the domain from user names. This appears to
break supplemental groups in strange ways.
On the IPA server:
Without full_name_format:
# id orion(a)ad.nwra.com
uid=470202603(orion(a)ad.nwra.com) gid=470202603(orion(a)ad.nwra.com) groups=470202603(orion(a)ad.nwra.com),470200513(domain users(a)ad.nwra.com),470204703(pirep rd users(a)ad.nwra.com),470204714(wireless access@ad.nwra.com),470204715(nwra-users@ad.nwra.com),470204701(boulder(a)ad.nwra.com),470207608(heimdall users(a)ad.nwra.com),470200512(domain admins(a)ad.nwra.com),470207124(andreas admins(a)ad.nwra.com)
With:
# id orion(a)ad.nwra.com
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
If I add:
default_domain_suffix = ad.nwra.com
# id orion
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion),470200512(domain admins),470207608(heimdall users),470204714(wireless access),470204715(nwra-users),470204701(boulder),470204703(pirep rd users),470207124(andreas admins),470200513(domain users)
Which I guess makes some sense as you'd need to add the domain suffix back on
to find the groups.
But this appears to completely break IPA clients (with full_name_format = %1$s
and default_domain_suffix = ad.nwra.com):
# id orion(a)ad.nwra.com
id: orion(a)ad.nwra.com: no such user
# id orion
id: orion: no such user
From looking at the server logs, it looks like only the IPA domain is searched.
If I reset the server back to normal (drop full_name_format and
default_domain_suffix):
# id orion
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
I don't get any supplemental groups. I see sssd errors like:
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
Is it trying "cn=groups,cn=nwra.com,cn=sysdb" instead of
"cn=groups,cn=ad.nwra.com,cn=sysdb"?
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 http://www.nwra.com
7 years, 1 month
sssd-ldap caching issue ?
by Thomas Hummel
Hello,
I'm using sssd-ldap-1.11.6 (from the official CentOS repo) on CentOS release
6.6 (Final) on a cluster of compute nodes running the slurm scheduler
(http://slurm.schedmd.com/) in 14.11 version.
Sssd is configured without enumerate, with cache_credentials and the various default
cache timeout values.
It works fine except in the following case, where there seems to be a caching
issue:
[ the following is 100% reproducible ]
a) I clear the cache with the following commands:
. /etc/init.d/sssd stop
. rm -rf /var/lib/sss/mc/* /var/lib/sss/db/*
. /etc/init.d/sssd start
b) I launch a "job array" consisting of 100 or so simple tasks. Basically this
will execute in batch many instances (each one called a task) of the same
program in parallel on the compute node.
Such a job writes its output in a .out text file owned by <user>:<gid>.
-> so many processes end up querying sssd in parallel to retrieve the user's groups
What happens is that:
. the first task completes without error
. tasks 2 and 3 (or something like that) fail with a "permission denied" message
. tasks > 3 complete without error
. also, if we ask slurm to launch each task one after the other instead of in
a parallel fashion, the problem does not occur
Note:
- the job array is very fast since each task is very simple. Many tasks can be
completed in under a second.
- if I don't clear the sssd cache, or if I just issue sss_cache -E or -g, the
problem occurs randomly and may be hard to reproduce.
At full debug level, sssd shows the ldap answer correctly and, only for entries
not already in cache, sssd adds so-called "fake groups":
e.g. 'Adding fake group gensoft to sysdb'
A simple patch to slurm to print (with getgroups(2)) the number of
groups of the user shows that, for failed tasks, the number of groups retrieved for <user>
is incomplete, which explains the "permission denied" message.
In fact, the missing groups seem to be the "fake" groups which seem to be first
put in the sssd cache by the first task.
So my guess is that:
. task 1 fetches groups missing from the cache and first flags them as "fake"
. before task 1 finishes "resolving" the fake group entries, tasks 2 and 3 discard
those incomplete entries
. task 1 finishes replacing the fake groups by real groups
. following tasks behave as expected regarding groups
Any ideas ?
Thanks
Here is my sssd.conf file:
[sssd]
config_file_version = 2
services = nss, pam
domains = pasteur_ldap_home
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
[pam]
[domain/pasteur_ldap_home]
ldap_tls_reqcert = allow
auth_provider = ldap
ldap_schema = rfc2307
ldap_search_base = xxxx
ldap_group_search_base = xxxx
id_provider = ldap
ldap_id_use_start_tls = True
# We do not authorize password change
chpass_provider = none
ldap_uri = ldap://xxxx/
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/certs
ldap_network_timeout = 3
# getent passwd will only list /etc/passwd, but id or getent passwd login will query ldap
#enumerate = True
ldap_page_size = 500
#debug_level = 0x02F0
debug_level = 0x77F0
--
Thomas Hummel | Institut Pasteur
<hummel(a)pasteur.fr> | Groupe Exploitation et Infrastructure
8 years, 6 months
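As an added example (not from the post), a Python check that does in user space what the slurm patch described above did: it resolves the same user's supplementary groups from many threads at once and flags any lookup that came back with fewer groups than its siblings. It assumes the user resolves through NSS on the host where it runs; run it right after clearing the cache to exercise the window the post describes.

```python
"""Concurrent supplementary-group consistency check.

Added example, not from the original post. Many threads resolve the
same user's groups at the same moment (as parallel job tasks do), and
any lookup that returns a shorter list than its siblings is reported
together with the gids it was missing.
"""
import os
import pwd
import grp
import threading


def default_user():
    """Calling user's name; falls back to root if the uid has no passwd entry."""
    try:
        return pwd.getpwuid(os.getuid()).pw_name
    except KeyError:
        return "root"


def resolve_groups(user):
    """Sorted tuple of all gids NSS reports for `user` (primary included)."""
    pw = pwd.getpwnam(user)
    return tuple(sorted(os.getgrouplist(pw.pw_name, pw.pw_gid)))


def gid_names(gids):
    """Map gids to names where NSS can; unknown gids are shown as numbers."""
    names = []
    for gid in gids:
        try:
            names.append(grp.getgrgid(gid).gr_name)
        except KeyError:
            names.append(str(gid))
    return names


def concurrent_group_check(user, workers=32, rounds=4):
    """Resolve `user`'s groups from `workers` threads, `rounds` times each.

    All threads are released together (Barrier) so the lookups overlap.
    The report's `consistent` flag is False as soon as two lookups
    disagree; `missing` lists the gids the shortest answer lacked
    compared with the longest one (the "fake groups" case in the post).
    """
    results, lock = [], threading.Lock()
    gate = threading.Barrier(workers)

    def worker():
        gate.wait()
        for _ in range(rounds):
            groups = resolve_groups(user)
            with lock:
                results.append(groups)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()

    distinct = sorted(set(results), key=len)
    shortest, longest = distinct[0], distinct[-1]
    missing = sorted(set(longest) - set(shortest))
    return {
        "user": user,
        "lookups": len(results),
        "min_groups": len(shortest),
        "max_groups": len(longest),
        "missing": missing,
        "missing_names": gid_names(missing),
        "consistent": len(distinct) == 1,
    }


if __name__ == "__main__":
    report = concurrent_group_check(default_user())
    verdict = "consistent" if report["consistent"] else "INCONSISTENT"
    print("%s: %d lookups, %d..%d groups, %s" % (
        report["user"], report["lookups"], report["min_groups"],
        report["max_groups"], verdict))
    if report["missing"]:
        print("dropped in the shortest answer:", ", ".join(report["missing_names"]))
```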
sssd able to login the user but failed on sudo
by Karim
Hi Team,
I have two forests, both working fine in terms of authentication.
I added a user to sudoers from one of the domains and he is getting access denied.
The user is able to login with no problem; sudo is not working.
In the secure log it shows "account is expired".
In the SSSD logs it shows the error
"attempting to kinit for realm xxxxxx" then
"clients credentials has been revoked".
I checked the account and it is not expired nor locked.
Additionally: I have another account on the same forest which I used to join the domain and it is working fine on both authentication and sudoers.
I also tried ldap_user_principal = no suchattribute and krb5_use_enterprise_principal = false
but the problem remains.
What could be the reason behind being able to log in and later getting "clients credential revoked" for sudoers?
Thanks
8 years, 7 months
net ads join & custom keytab
by Ondrej Valousek
Hi List,
Just trying to make sssd work in a diskless environment. As such, I need to create the Kerberos keytab in a non-standard location:
krb5.conf:
[libdefaults]
default_keytab_name = /var/lib/sss/krb5.keytab
But when I try to join the domain via "net -d 10 ads join", I get this:
....
smb_krb5_open_keytab: krb5_kt_default_name returned FILE:/etc/krb5.keytab
smb_krb5_open_keytab: resolving: WRFILE:/etc/krb5.keytab
....
Looks like samba successfully ignores the default_keytab_name parameter?
Does anyone know what could be wrong?
Thanks,
Ondrej
-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
8 years, 7 months
SSH - sssd: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)
by Sterling Sahaydak
I'm set up on CentOS 6.6 with sssd 1.11.6 using openldap and an openldap
proxy to Active Directory.
I have getent passwd <username> and getent group <group name>,
id <username> etc. working, not a problem.
So, trying to get ssh to work as well.
*** I keep running into the issue:
"PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)"
and am unclear how to resolve this!
I've listed below:
*sssd.conf
*password-auth-ac
*sshd
*sshd log
Any help/suggestions are GREATLY appreciated!!!
Sterling
sssd.conf:
[root@ldap sssd]# cat sssd.conf
[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.va.example.com
ldap_tls_cacertdir = /etc/pki/tls/certs
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = LDAP
[nss]
filter_users = root
filter_groups = root
[pam]
[sudo]
[domain/LDAP]
access_provider = ldap
auth_provider = ldap
chpass_provider = ldap
id_provider = ldap
sudo_provider = ldap
debug_level = 9
cache_credentials = true
enumerate = false
ldap_uri = ldaps://ad-va.ad.example.com
ldap_default_bind_dn = cn=accessacct,ou=serviceaccounts,ou=example,dc=ad,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = <password here!>
ldap_access_filter = ou=example,dc=ad,dc=example,dc=com
ldap_search_base = dc=ad,dc=example,dc=com
ldap_schema = rfc2307bis
ldap_user_principal = userPrincipalName
ldap_user_fullname = displayName
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_uid_number = uidNumber
ldap_user_objectsid = objectSid
ldap_group_object_class = group
ldap_group_objectsid = objectSid
ldap_group_member = member
ldap_sudo_search_base = ou=sudoers,dc=ad,dc=example,dc=com
ldap_tls_cacert = /etc/pki/tls/certs/certificatename.crt
[root@ldap pam.d]# cat password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so umask=0022 skel=/etc/skel/
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session optional pam_sss.so
session required pam_unix.so
[root@ldap pam.d]# cat sshd
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
session required pam_selinux.so close
session required pam_loginuid.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel/
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
Here is my log:
[root@ldap ~]# /usr/sbin/sshd -D -ddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 602
debug2: parse_server_config: config /etc/ssh/sshd_config len 602
debug3: /etc/ssh/sshd_config:21 setting Protocol 2
debug3: /etc/ssh/sshd_config:36 setting SyslogFacility AUTHPRIV
debug3: /etc/ssh/sshd_config:43 setting PermitRootLogin without-password
debug3: /etc/ssh/sshd_config:65 setting PasswordAuthentication yes
debug3: /etc/ssh/sshd_config:71 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:74 setting KerberosAuthentication no
debug3: /etc/ssh/sshd_config:81 setting GSSAPIAuthentication no
debug3: /etc/ssh/sshd_config:98 setting UsePAM yes
debug3: /etc/ssh/sshd_config:101 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAG
debug3: /etc/ssh/sshd_config:102 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
debug3: /etc/ssh/sshd_config:103 setting AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
debug3: /etc/ssh/sshd_config:104 setting AcceptEnv XMODIFIERS
debug3: /etc/ssh/sshd_config:109 setting X11Forwarding no
debug3: /etc/ssh/sshd_config:133 setting Subsystem sftp /usr/libexec/openssh/sftp-server
debug3: /etc/ssh/sshd_config:140 setting UseDNS no
debug1: sshd version OpenSSH_5.3p1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-D'
debug1: rexec_argv[2]='-ddd'
debug3: oom_adjust_setup
Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 602
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 10.41.0.145 port 42145
debug1: Client protocol version 2.0; client software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug2: Network child is on pid 28180
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 74:74
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 840 bytes for a total of 861
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-gr
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,c
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,c
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64(a)openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64(a)openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri
debug2: kex_parse_kexinit: none,zlib(a)openssh.com
debug2: kex_parse_kexinit: none,zlib(a)openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-gr
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00(a)openssh.com,ss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,c
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,c
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64(a)openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64(a)openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri
debug2: kex_parse_kexinit: none,zlib(a)openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib(a)openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug3: mm_request_send entering: type 78
debug3: monitor_read: checking request 78
debug3: mm_request_send entering: type 79
debug3: mm_request_receive entering
debug3: mm_request_receive_expect entering: type 79
debug3: mm_request_receive entering
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug3: mm_request_send entering: type 78
debug3: monitor_read: checking request 78
debug3: mm_request_send entering: type 79
debug3: mm_request_receive entering
debug3: mm_request_receive_expect entering: type 79
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 1024 8192
debug3: mm_request_send entering: type 1
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug3: Wrote 152 bytes for a total of 1013
debug2: dh_gen_key: priv key bits set: 137/256
debug2: bits set: 484/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 518/1024
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 5
debug3: monitor_read: checking request 5
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 0x7f74f925a0d0(271)
debug3: mm_request_send entering: type 6
debug2: monitor_read: 5 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 6
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 720 bytes for a total of 1733
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug3: Wrote 48 bytes for a total of 1781
debug1: userauth-request for user abrown service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 7
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 8
debug3: mm_request_receive entering
debug3: monitor_read: checking request 7
debug3: mm_answer_pwnamallow
debug2: parse_server_config: config reprocess config len 602
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 8
debug2: monitor_read: 7 used once, disabling now
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for abrown
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 50
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug3: mm_inform_authrole entering
debug3: mm_request_send entering: type 4
debug2: input_userauth_request: try method none
debug3: Wrote 64 bytes for a total of 1845
debug3: monitor_read: checking request 50
debug1: PAM: initializing for "abrown"
debug1: PAM: setting PAM_RHOST to "10.41.0.145"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 50 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authrole: role=
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug1: userauth-request for user abrown service ssh-connection method password
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method password
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 12
debug3: mm_request_receive entering
debug3: monitor_read: checking request 11
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug1: PAM: password authentication accepted for abrown
debug3: mm_answer_authpassword: sending result 1
debug3: mm_request_send entering: type 12
debug3: mm_request_receive_expect entering: type 51
debug3: mm_request_receive entering
debug3: mm_auth_password: user authenticated
debug3: mm_do_pam_account entering
debug3: mm_request_send entering: type 51
debug3: mm_request_receive_expect entering: type 52
debug3: mm_request_receive entering
debug1: do_pam_account: called
debug3: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)
debug3: mm_request_send entering: type 52
Failed password for abrown from 10.41.0.145 port 42145 ssh2
debug3: mm_do_pam_account returning 0
Access denied for user abrown by PAM account configuration
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug3: mm_request_send entering: type 80
debug3: mm_request_receive_expect entering: type 81
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug3: monitor_read: checking request 80
debug3: mm_request_send entering: type 81
debug3: mm_request_receive entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
8 years, 7 months
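The do_pam_account result in the log above is produced by how Linux-PAM combines the control flags of the account stack, not by sshd itself. As an added example (not from the post and not Linux-PAM's own code), the following Python models those stacking rules over the account lines of the posted sshd and password-auth-ac files; the per-module return codes it feeds in are assumed values for a directory user that pam_sss rejects, so the numbers are illustrative, not taken from the poster's system.

```python
"""Linux-PAM stacking rules applied to the posted 'account' stacks.
Added example: not from the original post nor from Linux-PAM. The module
return codes fed in are assumed values for a directory user, chosen to
show how sshd + password-auth-ac arrive at pam_acct_mgmt = 6."""

# Return codes from Linux-PAM's <security/_pam_types.h>.
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR = 0, 6, 7
PAM_USER_UNKNOWN, PAM_NEW_AUTHTOK_REQD, PAM_ACCT_EXPIRED = 10, 12, 13
RETVAL_NAMES = {
    PAM_SUCCESS: "success", PAM_PERM_DENIED: "perm_denied", PAM_AUTH_ERR: "auth_err",
    PAM_USER_UNKNOWN: "user_unknown", PAM_NEW_AUTHTOK_REQD: "new_authtok_reqd",
    PAM_ACCT_EXPIRED: "acct_expired",
}
# The simple keywords expand to these [value=action] tables (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
# Account lines copied from the post (password-auth is the symlink that
# points at password-auth-ac); the other phases are left out.
STACKS = {
    "sshd": """
        account    required     pam_nologin.so
        account    include      password-auth
    """,
    "password-auth": """
        account     required      pam_unix.so broken_shadow
        account     sufficient    pam_localuser.so
        account     sufficient    pam_succeed_if.so uid < 500 quiet
        account     [default=bad success=ok user_unknown=ignore] pam_sss.so
        account     required      pam_permit.so
    """,
}
# Assumed results for an LDAP user that pam_sss's access check rejects
# (constructed for this example, not taken from the poster's logs).
DIRECTORY_USER_DENIED = {
    "pam_nologin.so": PAM_SUCCESS,
    "pam_unix.so": PAM_SUCCESS,           # broken_shadow tolerates a missing shadow entry
    "pam_localuser.so": PAM_PERM_DENIED,  # not listed in /etc/passwd
    "pam_succeed_if.so": PAM_AUTH_ERR,    # uid is not < 500
    "pam_sss.so": PAM_PERM_DENIED,        # access provider said no
    "pam_permit.so": PAM_SUCCESS,
}

def parse_control(field):
    """'required' or '[default=bad success=ok ...]' -> {value: action}."""
    if field in KEYWORDS:
        return dict(KEYWORDS[field])
    if field.startswith("[") and field.endswith("]"):
        return dict(pair.split("=", 1) for pair in field[1:-1].split())
    raise ValueError("unsupported control field: %r" % field)

def parse_stack(stacks, name, phase):
    """Flatten one phase of a service file, following 'include' lines."""
    entries = []
    for raw in stacks[name].splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#") or parts[0] != phase:
            continue
        if parts[1] == "include":
            entries.extend(parse_stack(stacks, parts[2], phase))
            continue
        control, idx = parts[1], 2
        while control.startswith("[") and not control.endswith("]"):
            control += " " + parts[idx]  # a bracketed control spans fields
            idx += 1
        entries.append((parse_control(control), parts[idx]))
    return entries

def evaluate(entries, module_results):
    """Apply pam.conf(5) stacking: the first bad/die freezes the result, ok
    only sets it while the stack is undecided or still PAM_SUCCESS, done
    stops the stack only if nothing failed before, and an undecided stack
    fails closed. Returns (status, trace of (module, retval, action))."""
    impression, status, trace = None, PAM_PERM_DENIED, []
    for table, module in entries:
        retval = module_results.get(module, PAM_SUCCESS)
        # Values a table does not list fall back to 'bad' here; every table
        # on this page spells out its default, so that fallback is unused.
        action = table.get(RETVAL_NAMES.get(retval, ""), table.get("default", "bad"))
        trace.append((module, retval, action))
        if action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break
        elif action == "ok":
            if impression is None or (impression and status == PAM_SUCCESS):
                impression, status = True, retval
        elif action == "done":
            if impression is not False:
                impression, status = True, retval
                break
        elif action != "ignore":
            raise ValueError("action %r is not modelled here" % action)
    return status, trace

def account_result(module_results, service="sshd"):
    """Final pam_acct_mgmt() code and per-module trace for `service`."""
    return evaluate(parse_stack(STACKS, service, "account"), module_results)
```

Calling account_result(DIRECTORY_USER_DENIED) yields status 6 with the trace showing pam_sss.so mapped to "bad" and the later pam_permit.so unable to override it; swapping pam_sss.so's result for PAM_USER_UNKNOWN hits the user_unknown=ignore branch and the stack ends in PAM_SUCCESS instead.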
Referral problem with sssd on RHEL-6
by Ondrej Valousek
Hi List,
I am experiencing a strange error with sssd-1.11.6-30 on a RHEL-6 machine; it produces this error:
(Wed Apr 29 12:05:02 2015) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Referral(10), 0000202B: RefErr: DSID-03100742, data 0, 1 access points
ref 1: 'ad.example.com'
(Wed Apr 29 12:05:02 2015) [sssd[be[default]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
(Wed Apr 29 12:05:02 2015) [sssd[be[default]]] [ad_subdomains_get_slave_domain_done] (0x0040): sdap_get_generic_send request failed.
And it also produces an incomplete list of groups for the user (via id -a).
Trying the same configuration on CentOS-7 with sssd-1.12.2-58 works just fine.
My configuration:
[sssd]
services = autofs, nss, pam
config_file_version = 2
debug_level = 5
domains = default
[nss]
[domain/default]
debug_level = 5
ldap_id_mapping = False
ad_domain = PRAGUE.AD.EXAMPLE.COM
id_provider = ad
auth_provider = ad
chpass_provider = ad
autofs_provider = ldap
cache_credentials = True
# ldap_sasl_authid = RH6HOST$(a)PRAGUE.AD.EXAMPLE.COM
dns_discovery_domain = prague.ad.example.com
krb5_realm = PRAGUE.AD.EXAMPLE.COM
krb5_canonicalize = False
# interval (in seconds) to renew Kerberos TGTs
krb5_renew_interval = 3600
# request renewable Kerberos tickets
krb5_renewable_lifetime = 30d
ldap_sasl_mech = GSSAPI
ldap_referrals = False
ldap_autofs_entry_key = cn
ldap_autofs_entry_object_class = nisObject
ldap_autofs_entry_value = nisMapEntry
ldap_autofs_map_name = nisMapName
ldap_autofs_map_object_class = nisMap
Is there something wrong with my setup, or is sssd broken on RHEL-6?
Please advise.
Thanks,
Ondrej
-----
8 years, 7 months
uidNumber=4294967295 is appearing in the log frequently
by Majid Khan
Hi,
I am getting the following from some of the client machines. I'm not sure why some of them are sending this; otherwise my authentication and login all work fine, but I'm concerned why it's happening, and my log is full of the following kind of message:
Apr 28 05:58:44 server1 slapd[23003]: conn=5235 op=22 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(uidNumber=4294967295)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
Apr 28 05:58:44 server1 slapd[23003]: conn=5235 op=22 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap
Server info: CentOS release 6.6
LDAP version: openldap-2.4.40
Client info: CentOS release 6.2
Client using SSSD: sssd-1.11.6 (installed through yum)
Best regards,
Majid.
8 years, 7 months
sbus dispatch - Connection is not open for dispatching
by Sterling Sahaydak
I'm using sssd with pam, OpenLDAP and an OpenLDAP proxy to Active Directory
in a sub-domain (sj)
[root@ldap ~]# sssd --version
1.11.6
sssd.conf(sj) => slapd.conf(sj) => AD-sj
and am noticing a message in the sssd logs:
[sssd[be[LDAP]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching
Shown in the log (servers are in the sub-domain sj):
ORIG - sssd.sj point to ldap.sj and AD-sj
================================================
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [be_resolve_server_process] (0x0200): Found address for server ad-sj.ad.example.com: [10.47.100.15] TTL 7200
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_uri_callback] (0x0400): Constructed uri 'ldaps://ad-sj.ad.example.com'
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sss_ldap_init_send] (0x4000): Using file descriptor [18] for LDAP connection.
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sbus_remove_watch] (0x2000): 0xab3a60/0xab2010
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sbus_remove_watch] (0x2000): 0xab3a60/0xab3cf0
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0xac0d30
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [be_client_destructor] (0x0400): Removed SUDO client
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sbus_remove_watch] (0x2000): 0xac5610/0xac4650
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sbus_remove_watch] (0x2000): 0xac5610/0xac4600
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0xac5090
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [be_client_destructor] (0x0400): Removed PAM client
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldaps://ad-sj.ad.example.com:636/??base] with fd [18].
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_rootdse_send] (0x4000): Getting rootdse
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts]
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl]
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension]
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures]
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedLDAPVersion]
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedSASLMechanisms]
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [domainControllerFunctionality]
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [defaultNamingContext]
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [highestCommittedUSN]
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 1
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [be_ptask_destructor] (0x0400): Terminating periodic task [Cleanup of LDAP]
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_handle_release] (0x2000): Trace: sh[0xad5450], connected[1], ops[(nil)], ldap[0xac5780], destructor_lock[0], release_memory[0]
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [remove_connection_callback] (0x4000): Successfully removed connection callback.
(Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sbus_remove_watch] (0x2000): 0xab6360/0xa9da20
***This appears to be preventing additional ldap search requests to
Active Directory for user information from running, as the logs
basically stop.
***Unclear what 'sbus_dispatch' is using to request information and
whether the requests are getting to the Active Directory server and/or the
requests back from the Active Directory server are blocked, or something
else???
***Are there any ports or network info that sbus_dispatch is using that
may be blocked, or something with issues across sub-domains???
The AD-sj(primary) and AD-va(secondary) are in their own sub-domain(ad)
and replicate each other.
Next, I pointed the sssd.conf file from the above sub-domain (sj) to another
OpenLDAP server in a different sub-domain (va) along with a different
Active Directory server in the same sub-domain (va), and I'm seeing this in
the logs, which appears to be correct: I'm not seeing the error message
"Connection is not open for dispatching" but instead, below, I'm seeing
"Dispatching", which is allowing ldap search requests to run
against Active Directory.
sssd.conf(sj) => slapd.conf(sj) => AD-va
test 1 - sssd.sj point to ldap.va and ad-va (pointing sssd in the sj
sub-domain to the va sub-domain)
==============================================================
(Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x873c70
(Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x877680
(Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
(Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [sbus_message_handler] (0x4000): Received SBUS method [RegisterService]
(Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [RegisterService]
(Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [client_registration] (0x0100): Cancel DP ID timeout [0x877fa0]
(Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [client_registration] (0x0100): Added Frontend client [SUDO]
(Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x877680
(Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
(Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [sbus_message_handler] (0x4000): Received SBUS method [getDomains]
(Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [getDomains]
(Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [be_get_subdomains] (0x2000): Undefined backend target.
(Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x877680
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldaps://ad-va.ad.example.com:636/??base] with fd [16].
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_rootdse_send] (0x4000): Getting rootdse
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedLDAPVersion]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedSASLMechanisms]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [domainControllerFunctionality]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [defaultNamingContext]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [highestCommittedUSN]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x2000): ldap_search_ext called, msgid = 1
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_process_result]
(0x2000): Trace: sh[0x86ef80], connected[1], ops[0x92ee20],
ldap[0x8722d0]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_process_message]
(0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_entry] (0x4000):
OriginalDN: [].
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000):
No sub-attributes for [currentTime]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000):
No sub-attributes for [subschemaSubentry]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000):
No sub-attributes for [dsServiceName]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000):
No sub-attributes for [namingContexts]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000):
No sub-attributes for [defaultNamingContext]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000):
No sub-attributes for [schemaNamingContext]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000):
No sub-attributes for [configurationNamingContext]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000):
No sub-attributes for [rootDomainNamingContext]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000):
No sub-attributes for [supportedControl]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000):
No sub-attributes for [supportedLDAPVersion]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000):
No sub-attributes for [supportedLDAPPolicies]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000):
No sub-attributes for [highestCommittedUSN]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000):
No sub-attributes for [supportedSASLMechanisms]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000):
No sub-attributes for [dnsHostName]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000):
No sub-attributes for [ldapServiceName]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000):
No sub-attributes for [serverName]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000):
No sub-attributes for [supportedCapabilities]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000):
No sub-attributes for [isSynchronized]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000):
No sub-attributes for [isGlobalCatalogReady]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000):
No sub-attributes for [supportedExtension]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000):
No sub-attributes for [domainFunctionality]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000):
No sub-attributes for [forestFunctionality]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000):
No sub-attributes for [domainControllerFunctionality]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_process_result]
(0x2000): Trace: sh[0x86ef80], connected[1], ops[0x92ee20],
ldap[0x8722d0]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_process_message]
(0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_done]
(0x0400): Search result: Success(0), no errmsg set
(Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_rootdse_done]
(0x2000): Got rootdse
simple_allow_groups does not work: 4 (system error)
by Domenico Viggiani
Hi,
on a Red Hat 7.1 machine with the latest updates, sssd/realmd authentication
against AD works until I try to use simple_allow_groups, when access is
denied for everyone with this error:
pam_sss(sshd:account): Access denied for user testuser: 4 (System error)
Setting debug_level = 7, at the end of the log, I see:
(Mon Mar 16 16:57:52 2015) [sssd[be[CERVEDGROUP.COM]]]
[simple_resolve_group_check] (0x1000): The group is still non-POSIX
(Mon Mar 16 16:57:52 2015) [sssd[be[CERVEDGROUP.COM]]]
[simple_resolve_group_done] (0x0040): Refresh failed
(Mon Mar 16 16:57:52 2015) [sssd[be[CERVEDGROUP.COM]]]
[simple_check_get_groups_next] (0x0040): Could not resolve name of group
with GID 684028039
(Mon Mar 16 16:57:52 2015) [sssd[be[CERVEDGROUP.COM]]]
[simple_access_check_done] (0x0040): Could not collect groups of user
testuser
(Mon Mar 16 16:57:52 2015) [sssd[be[CERVEDGROUP.COM]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>)
[Success]
(Mon Mar 16 16:57:52 2015) [sssd[be[CERVEDGROUP.COM]]]
[be_pam_handler_callback] (0x0100): Sending result [4][MYDOMAIN.COM]
(Mon Mar 16 16:57:52 2015) [sssd[be[CERVEDGROUP.COM]]]
[be_pam_handler_callback] (0x0100): Sent result [4][MYDOMAIN.COM]
Full log is available but I need to "sanitize" it.
Any help?
Thanks in advance
--
Mimmo
Re: [SSSD-users] FreeIPA/SSSD LDAP cross-forest trust slow queries
by Bobby Prins
Hi there,
I thought I’d revive this thread since I’m more or less having the same issues as the initial poster (https://lists.fedorahosted.org/pipermail/sssd-users/2015-February/002667....). I was not able to test the patch supplied by Sumit, but I can provide some additional logging.
>On Fri, Mar 06, 2015 at 03:16:52PM +0000, Aviolat Romain wrote:
>> Hi Sumit,
>>
>> I tried your patch, it seems that it still fails to download always the same groups as before.
>>
>> Here's the part where sysdb_set_entry_attr fails:
>>
>> (Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0400): Processing group my group1 at ad.domain2.net
>> (Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0400): Filtering AD group [my group1 at ad.domain2.net].
>> (Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
>> (Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
>> (Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0400): Storing info for group my group1 at ad.domain2.net
>> (Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists]
>> (Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
>
>Can you set debug_level to 9? Then there should be a dump of the
>attributes in the logs.
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=example,dc=corp]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_print_server] (0x2000): Searching 192.168.141.5
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1848557837-2917031290-480500741-7748)(objectClass=group)(name=*))][dc=example,dc=corp].
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [groupType]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 161
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_result] (0x2000): Trace: sh[0x7f24f56ac750], connected[1], ops[(nil)], ldap[0x7f24f56c42d0]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_result] (0x2000): Trace: sh[0x7f24f56e0be0], connected[1], ops[0x7f24f5776ce0], ldap[0x7f24f56e0830]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=PUB_R,OU=Groups,DC=example,DC=corp].
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_parse_range] (0x2000): No sub-attributes for [member]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_parse_range] (0x2000): No sub-attributes for [whenChanged]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_parse_range] (0x2000): No sub-attributes for [name]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectGUID]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectSid]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_parse_range] (0x2000): No sub-attributes for [groupType]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_result] (0x2000): Trace: sh[0x7f24f56e0be0], connected[1], ops[0x7f24f5776ce0], ldap[0x7f24f56e0830]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_result] (0x2000): Trace: sh[0x7f24f56e0be0], connected[1], ops[0x7f24f5776ce0], ldap[0x7f24f56e0830]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_result] (0x2000): Trace: sh[0x7f24f56e0be0], connected[1], ops[0x7f24f5776ce0], ldap[0x7f24f56e0830]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_result] (0x2000): Trace: sh[0x7f24f56e0be0], connected[1], ops[0x7f24f5776ce0], ldap[0x7f24f56e0830]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results.
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_nested_group_hash_group] (0x4000): AD group has type flags 0x80000004.
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_nested_group_hash_group] (0x0400): Filtering AD group.
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_nested_group_hash_group] (0x4000): The group's gid was zero
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and setting GID=0!
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_nested_group_hash_entry] (0x4000): Inserting [CN=PUB_R,OU=Groups,DC=example,DC=corp] into hash table [groups]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_nested_group_process_send] (0x2000): About to process group [CN=PUB_R,OU=Groups,DC=example,DC=corp]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=Users_All,OU=Resources,OU=Groups,DC=example,DC=corp))
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f24f579c230
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f24f585b670
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Running timer event 0x7f24f579c230 "ltdb_callback"
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Destroying timer event 0x7f24f585b670 "ltdb_timeout"
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Ending timer event 0x7f24f579c230 "ltdb_callback"
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sysdb_search_users] (0x2000): No such entry
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=CN=Users_All,OU=Resources,OU=Groups,DC=example,DC=corp))
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f24f5820910
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f24f5767620
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Running timer event 0x7f24f5820910 "ltdb_callback"
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Destroying timer event 0x7f24f5767620 "ltdb_timeout"
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Ending timer event 0x7f24f5820910 "ltdb_callback"
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_nested_group_split_members] (0x4000): [CN=Users_All,OU=Resources,OU=Groups,DC=example,DC=corp] found in cache, skipping
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_nested_group_process_send] (0x2000): Looking up 0/1 members of group [CN=PUB_R,OU=Groups,DC=example,DC=corp]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_primary_name] (0x0400): Processing object PUB_R(a)example.corp
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_save_group] (0x0400): Processing group PUB_R(a)example.corp
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_save_group] (0x4000): AD group [PUB_R(a)example.corp] has type flags 0x80000004.
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_save_group] (0x0400): Filtering AD group [PUB_R(a)example.corp].
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [CN=PUB_R,OU=Groups,DC=example,DC=corp] to attributes of [PUB_R(a)example.corp].
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20130427135353.0Z] to attributes of [PUB_R(a)example.corp].
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_ghost_members] (0x0400): The group has 1 members
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_ghost_members] (0x0400): Group has 1 members
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sysdb_attrs_get_aliases] (0x2000): Domain is case-insensitive; will add lowercased aliases
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_save_group] (0x0400): Storing info for group PUB_R(a)example.corp
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f24f5741710
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f24f5741840
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Running timer event 0x7f24f5741710 "ltdb_callback"
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Destroying timer event 0x7f24f5741840 "ltdb_timeout"
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Ending timer event 0x7f24f5741710 "ltdb_callback"
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): start ldb transaction (nesting: 2)
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f24f5712a30
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f24f5712af0
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Running timer event 0x7f24f5712a30 "ltdb_callback"
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f24f5714950
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f24f584cd20
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Destroying timer event 0x7f24f5712af0 "ltdb_timeout"
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Ending timer event 0x7f24f5712a30 "ltdb_callback"
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Running timer event 0x7f24f5714950 "ltdb_callback"
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Destroying timer event 0x7f24f584cd20 "ltdb_timeout"
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Ending timer event 0x7f24f5714950 "ltdb_callback"
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): cancel ldb transaction (nesting: 2)
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists)
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sysdb_store_group] (0x1000): sysdb_set_group_attr failed.
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sysdb_store_group] (0x0400): Error: 17 (File exists)
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_store_group_with_gid] (0x0040): Could not store group PUB_R(a)example.corp
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_save_group] (0x0080): Could not store group with GID: [File exists]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_save_group] (0x0080): Failed to save group [PUB_R(a)example.corp]: [File exists]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_save_groups] (0x0040): Failed to store group 0. Ignoring.
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_id_op_done] (0x4000): releasing operation connection
>
>> (Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sysdb_store_group] (0x0400): Error: 17 (File exists)
>> (Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_store_group_with_gid] (0x0040): Could not store group my group1 at ad.domain2.net
>> (Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0080): Could not store group with GID: [File exists]
>> (Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0080): Failed to save group [my group1 at ad.domain2.net]: [File exists]
>> (Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_groups] (0x0040): Failed to store group 14. Ignoring.
>>
>> Every time it still tries to download the same groups.
>>
>> About the pam systemd thing, I don't have such option set in my sssd conf file.
>
>This is not configured in sssd.conf. In a default Fedora installation
>you can find it in /etc/pam.d/password-auth. But if you do not see any
>pam_systemd(sshd:session) timeout messages in the journal or
>/var/log/secure you do not need to change anything here.
>
>bye,
>Sumit
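The two failure signatures in the posts above (a simple_allow_groups group that is "still non-POSIX" so the access check ends in PAM result 4, and a cross-forest AD group marked non-POSIX with GID=0 that then fails to store with "File exists") can be pulled out of sssd debug logs mechanically. This is an added example, not code from the thread or from SSSD: the log lines it parses are constructed from the ones quoted above, and it assumes only the `(timestamp) [sssd[be[domain]]] [function] (level): message` layout seen there.

```python
import re

# One sssd debug line as quoted in the thread:
# (<timestamp>) [sssd[be[<domain>]]] [<function>] (<level>): <message>
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]*)\]\]\] "
    r"\[(?P<func>[^\]]*)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# Constructed sample modelled on the lines quoted in the thread (not the full
# logs). The second entry is wrapped across two lines and the last two carry
# '>>' mail-quote prefixes, as they do in the archived messages.
SAMPLE_LOG = """\
(Mon Mar 16 16:57:52 2015) [sssd[be[CERVEDGROUP.COM]]] [simple_resolve_group_check] (0x1000): The group is still non-POSIX
(Mon Mar 16 16:57:52 2015) [sssd[be[CERVEDGROUP.COM]]] [simple_check_get_groups_next] (0x0040): Could not resolve name of group
with GID 684028039
(Mon Mar 16 16:57:52 2015) [sssd[be[CERVEDGROUP.COM]]] [be_pam_handler_callback] (0x0100): Sending result [4][MYDOMAIN.COM]
(Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and setting GID=0!
>> (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists]
>> (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_save_group] (0x0080): Failed to save group [PUB_R@example.corp]: [File exists]
"""


def parse_sssd_log(text):
    """Parse sssd debug output into dicts with ts/domain/func/level/msg.
    Mail-quoted logs carry '>' prefixes and wrapped lines; both are undone
    here: a line that does not start with '(' is glued onto the previous one."""
    joined = []
    for raw in text.splitlines():
        line = re.sub(r"^[>\s]+", "", raw).rstrip()
        if not line:
            continue
        if line.startswith("(") or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line
    entries = []
    for line in joined:
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def triage(entries):
    """Per backend domain, collect the two failure patterns from the thread:
    the simple access provider denying login because a group listed in
    simple_allow_groups has no POSIX GID, and the cross-forest lookup that
    marks an AD group non-POSIX (GID=0) and then cannot store it."""
    report = {}
    for e in entries:
        r = report.setdefault(e["domain"], {
            "unresolved_gids": [], "pam_results": [], "nonposix_gid0": 0,
            "ldb_modify_failures": 0, "store_failures": []})
        func, msg = e["func"], e["msg"]
        if func == "simple_check_get_groups_next":
            m = re.search(r"group with GID (\d+)", msg)
            if m:
                r["unresolved_gids"].append(int(m.group(1)))
        elif func == "be_pam_handler_callback":
            m = re.match(r"Sending result \[(\d+)\]", msg)
            if m:
                r["pam_results"].append(int(m.group(1)))  # 4 == PAM_SYSTEM_ERR
        elif func == "sdap_nested_group_hash_group" and "setting GID=0" in msg:
            r["nonposix_gid0"] += 1
        elif func == "sysdb_set_entry_attr" and "ldb_modify failed" in msg:
            r["ldb_modify_failures"] += 1
        elif func == "sdap_save_group":
            m = re.match(r"Failed to save group \[(.+?)\]: \[(.+?)\]", msg)
            if m:
                r["store_failures"].append((m.group(1), m.group(2)))
    return report


if __name__ == "__main__":
    for domain, findings in triage(parse_sssd_log(SAMPLE_LOG)).items():
        print(domain, findings)
```

An unresolved GID in `unresolved_gids` names the group that needs a POSIX gidNumber (or an ID-mapping range) before simple_allow_groups can admit its members; a `store_failures` entry with GID=0 marks the group the cache refused to overwrite.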