sssd-users April 2015

sssd-users@lists.fedorahosted.org

30 participants
21 discussions

full_name_format and supplemental groups
by Orion Poplawski 25 Oct '16

25 Oct '16

Running IPA with an AD trust. Users are in AD. Trying to use full_name_format = %1$s to strip the domain from user names. This appears to break supplemental groups in strange ways. On the IPA server: Without full_name_format: # id orion(a)ad.nwra.com uid=470202603(orion(a)ad.nwra.com) gid=470202603(orion(a)ad.nwra.com) groups=470202603(orion(a)ad.nwra.com),470200513(domain users(a)ad.nwra.com),470204703(pirep rd users(a)ad.nwra.com),470204714(wireless access@ad.nwra.com),470204715(nwra-users@ad.nwra.com),470204701(boulder@ad.nwra.com),470207608(heimdall users(a)ad.nwra.com),470200512(domain admins(a)ad.nwra.com),470207124(andreas admins(a)ad.nwra.com) With: # id orion(a)ad.nwra.com uid=470202603(orion) gid=470202603(orion) groups=470202603(orion) If I add: default_domain_suffix = ad.nwra.com # id orion uid=470202603(orion) gid=470202603(orion) groups=470202603(orion),470200512(domain admins),470207608(heimdall users),470204714(wireless access),470204715(nwra-users),470204701(boulder),470204703(pirep rd users),470207124(andreas admins),470200513(domain users) Which I guess makes some sense as you'd need to add the domain suffix back on to find the groups. But this appears to completely break IPA clients (with full_name_format = %1$s and default_domain_suffix = ad.nwra.com) # id orion(a)ad.nwra.com id: orion(a)ad.nwra.com: no such user # id orion id: orion: no such user >From looking at the server logs, it looks like only the IPA domain is searched If I reset the server back to normal (drop full_name_format and default_domain_suffix): # id orion uid=470202603(orion) gid=470202603(orion) groups=470202603(orion) I don't get any supplemental groups. I see sssd errors like: (Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping. Is t trying "cn=groups,cn=nwra.com,cn=sysdb" instead of "cn=groups,cn=ad.nwra.com,cn=sysdb" -- Orion Poplawski Technical Manager 303-415-9701 x222 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane orion(a)nwra.com Boulder, CO 80301 http://www.nwra.com

3 7

sssd-ldap caching issue ?
by Thomas Hummel 11 May '15

11 May '15

Hello, I'm using sssd-ldap-1.11.6 (from the official CentOS repo) on CentOS release 6.6 (Final) on a cluster of compute nodes running the slurm scheduler (http://slurm.schedmd.com/) in 14.11 version. Sssd is configured without enumerate, with cache_credential and default various cache timeout values. It works fine except in the following case where there seem to be a caching issue : [ the following is 100% reproducible ] a) I clear the cache with the following commands : . /etc/init.d/sssd stop . rm -rf /var/lib/sss/mc/* /var/lib/sss/db/* . /etc/init.d/sssd start b) I launch a "job array" consisting of 100 or so simple task. Basically this will execute in batch many instances (each one called a task) of the same program in parallel on the compute node. Such a job write its output in a .out text file owned by <user>:<gid>. -> so many processes end up querying sssd in parallel to retrieve the user groups What happens is that : . the first task completes without error . tasks 2 and 3 (or something like that) fail with a "permission denied" message . tasks > 3 complete without error . also if we ask slurm to launch each task one after the other instead of in a parallel fashion, the pb does not occur Note : - the job array is very fast since each task is very simple. Many tasks can be completed under a second of time. - if I don't clear sssd cache or if I just issue sss_cache -E or -g, the problem occurs randomly and may be hard to reproduce. At full debug level, sssd shows ldap answer correcty and sssd, only for entries not already in cache, is adding so called "fake groups" : ex : 'Adding fake group gensoft to sysdb' A simple patch to slurm in order to print (with getgroups(2)) the number of group of user shows that, for failed tasks, the number of groups retrieved for <user> is incomplete, which explains the "permission denied" message. In fact, the missing groups seem to be the "fake" groups which seem to be first put in sssd cache by the first task. So my guess is that : . task 1 fetches groups missing from cache and first flag them as "fake" . before task1 finishes "resolving" fake groups entry, tasks 2 and 3 discard those incomplete entries . task 1 finishes replacing fake by real groups . following tasks behave as expected regarding groups Any ideas ? Thanks Here is my sssd.conf file : [sssd] config_file_version = 2 services = nss, pam domains = pasteur_ldap_home [nss] filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd [pam] [domain/pasteur_ldap_home] ldap_tls_reqcert = allow auth_provider = ldap ldap_schema = rfc2307 ldap_search_base = xxxx ldap_group_search_base = xxxx id_provider = ldap ldap_id_use_start_tls = True # We do not authorize password change chpass_provider = none ldap_uri = ldap://xxxx/ cache_credentials = True ldap_tls_cacertdir = /etc/openldap/certs ldap_network_timeout = 3 # getent passwd will only list /etc/passwd, but id or getent passwd login will query ldap #enumerate = True ldap_page_size = 500 #debug_level = 0x02F0 debug_level = 0x77F0 -- Thomas Hummel | Institut Pasteur <hummel(a)pasteur.fr> | Groupe Exploitation et Infrastructure

5 56

sssd able to login the user but failed on sudo
by Karim 06 May '15

06 May '15

Hi Team, i have two forests both working fine in terms of authentication. I added a user to sudoers from one of the domains and he is getting access denied. the user is able to login with no problem, sudo is not working. in the secure log it shows "account is expired" in the SSSD logs it shows error "attempting to kinit for realm xxxxxx" then "clients credentials has been revoked" i checked the account and it is not expired nor locked. additionally: I have another account on the same forest which i used to join to the domain and it is working fine on both authentication and sudoers. I also tried ldap_user_principal = no suchattribute and krb5_use_enterprise_principal = false but the problem remains. what could be the reason behind being able to access and later getting clients credential revoked for sudoes? Thanks

4 11

net ads join & custom keytab
by Ondrej Valousek 30 Apr '15

30 Apr '15

Hi List, Just trying to make sssd working in the diskless environment. As such, I need to create Kerberos keytab on non-standard location: Krb5.conf: [libdefaults] default_keytab_name = /var/lib/sss/krb5.keytab But when I try to join domain via "net -d 10 ads join", I get this: .... smb_krb5_open_keytab: krb5_kt_default_name returned FILE:/etc/krb5.keytab smb_krb5_open_keytab: resolving: WRFILE:/etc/krb5.keytab .... ? Looks like samba successfully ignores the default_keytab_name parameter Does anyone know what could be wrong? Thanks, Ondrej ----- The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.

4 8

SSH - sssd: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)
by Sterling Sahaydak 29 Apr '15

29 Apr '15

I'm setup in Centos 6.6 with sssd 1.11.6 using openldap and openldap proxy to Active Directory. I have working getent passwd <username> and getent group <group name>, id <username> etc. not a problem. So, trying to get ssh to work as well. *** I keep running in the issue: "PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)" and unclear of how to resolve this! I've listed below: *sssd.conf *password-auth-ac *sshd *sshd log Any help/suggestions is GREATLY appreciated!!! Sterling sssd.conf: [root@ldap sssd]# cat sssd.conf [domain/default] ldap_id_use_start_tls = True cache_credentials = True ldap_search_base = dc=example,dc=com id_provider = ldap auth_provider = ldap chpass_provider = ldap ldap_uri = ldaps://ldap.va.example.com ldap_tls_cacertdir = /etc/pki/tls/certs [sssd] config_file_version = 2 services = nss, pam, sudo domains = LDAP [nss] filter_users = root filter_groups = root [pam] [sudo] [domain/LDAP] access_provider = ldap auth_provider = ldap chpass_provider = ldap id_provider = ldap sudo_provider = ldap debug_level = 9 cache_credentials = true enumerate = false ldap_uri = ldaps://ad-va.ad.example.com ldap_default_bind_dn = cn=accessacct,ou=serviceaccounts,ou=example,dc=ad,dc=example,dc=com ldap_default_authtok_type = password ldap_default_authtok = <password here!> ldap_access_filter = ou=example,dc=ad,dc=example,dc=com ldap_search_base = dc=ad,dc=example,dc=com ldap_schema = rfc2307bis ldap_user_principal = userPrincipalName ldap_user_fullname = displayName ldap_user_name = sAMAccountName ldap_user_object_class = user ldap_user_home_directory = unixHomeDirectory ldap_user_shell = loginShell ldap_user_uid_number = uidNumber ldap_user_objectsid = objectSid ldap_group_object_class = group ldap_group_objectsid = objectSid ldap_group_member = member ldap_sudo_search_base = ou=sudoers,dc=ad,dc=example,dc=com ldap_tls_cacert = /etc/pki/tls/certs/certificatename.crt [root@ldap pam.d]# cat password-auth-ac #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_mkhomedir.so umask=0022 skel=/etc/skel/ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session optional pam_sss.so session required pam_unix.so [root@ldap pam.d]# cat sshd #%PAM-1.0 auth required pam_sepermit.so auth include password-auth account required pam_nologin.so account include password-auth password include password-auth session required pam_selinux.so close session required pam_loginuid.so session required pam_mkhomedir.so umask=0022 skel=/etc/skel/ session required pam_selinux.so open env_params session optional pam_keyinit.so force revoke session include password-auth Here is my log: [root@ldap ~]# /usr/sbin/sshd -D -ddd debug2: load_server_config: filename /etc/ssh/sshd_config debug2: load_server_config: done config len = 602 debug2: parse_server_config: config /etc/ssh/sshd_config len 602 debug3: /etc/ssh/sshd_config:21 setting Protocol 2 debug3: /etc/ssh/sshd_config:36 setting SyslogFacility AUTHPRIV debug3: /etc/ssh/sshd_config:43 setting PermitRootLogin without-password debug3: /etc/ssh/sshd_config:65 setting PasswordAuthentication yes debug3: /etc/ssh/sshd_config:71 setting ChallengeResponseAuthentication no debug3: /etc/ssh/sshd_config:74 setting KerberosAuthentication no debug3: /etc/ssh/sshd_config:81 setting GSSAPIAuthentication no debug3: /etc/ssh/sshd_config:98 setting UsePAM yes debug3: /etc/ssh/sshd_config:101 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAG debug3: /etc/ssh/sshd_config:102 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT debug3: /etc/ssh/sshd_config:103 setting AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE debug3: /etc/ssh/sshd_config:104 setting AcceptEnv XMODIFIERS debug3: /etc/ssh/sshd_config:109 setting X11Forwarding no debug3: /etc/ssh/sshd_config:133 setting Subsystem sftp /usr/libexec/openssh/sftp-server debug3: /etc/ssh/sshd_config:140 setting UseDNS no debug1: sshd version OpenSSH_5.3p1 debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #0 type 1 RSA debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. debug1: read PEM private key done: type DSA debug1: private host key: #1 type 2 DSA debug1: rexec_argv[0]='/usr/sbin/sshd' debug1: rexec_argv[1]='-D' debug1: rexec_argv[2]='-ddd' debug3: oom_adjust_setup Set /proc/self/oom_score_adj from 0 to -1000 debug2: fd 3 setting O_NONBLOCK debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. debug2: fd 4 setting O_NONBLOCK debug1: Bind to port 22 on ::. Server listening on :: port 22. debug3: fd 5 is not O_NONBLOCK debug1: Server will not fork when running in debugging mode. debug3: send_rexec_state: entering fd = 8 config len 602 debug3: ssh_msg_send: type 0 debug3: send_rexec_state: done debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8 debug1: inetd sockets after dupping: 3, 3 Connection from 10.41.0.145 port 42145 debug1: Client protocol version 2.0; client software version OpenSSH_5.3 debug1: match: OpenSSH_5.3 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.3 debug2: fd 3 setting O_NONBLOCK debug2: Network child is on pid 28180 debug3: preauth child monitor started debug3: mm_request_receive entering debug3: privsep user:group 74:74 debug1: permanently_set_uid: 74/74 debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug3: Wrote 840 bytes for a total of 861 debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-gr debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,c debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,c debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64(a)openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64(a)openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri debug2: kex_parse_kexinit: none,zlib(a)openssh.com debug2: kex_parse_kexinit: none,zlib(a)openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-gr debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,c debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,c debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64(a)openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64(a)openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri debug2: kex_parse_kexinit: none,zlib(a)openssh.com,zlib debug2: kex_parse_kexinit: none,zlib(a)openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_setup: found hmac-md5 debug1: kex: client->server aes128-ctr hmac-md5 none debug3: mm_request_send entering: type 78 debug3: monitor_read: checking request 78 debug3: mm_request_send entering: type 79 debug3: mm_request_receive entering debug3: mm_request_receive_expect entering: type 79 debug3: mm_request_receive entering debug2: mac_setup: found hmac-md5 debug1: kex: server->client aes128-ctr hmac-md5 none debug3: mm_request_send entering: type 78 debug3: monitor_read: checking request 78 debug3: mm_request_send entering: type 79 debug3: mm_request_receive entering debug3: mm_request_receive_expect entering: type 79 debug3: mm_request_receive entering debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug3: mm_request_send entering: type 0 debug3: monitor_read: checking request 0 debug3: mm_answer_moduli: got parameters: 1024 1024 8192 debug3: mm_request_send entering: type 1 debug2: monitor_read: 0 used once, disabling now debug3: mm_request_receive entering debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI debug3: mm_request_receive_expect entering: type 1 debug3: mm_request_receive entering debug3: mm_choose_dh: remaining 0 debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug3: Wrote 152 bytes for a total of 1013 debug2: dh_gen_key: priv key bits set: 137/256 debug2: bits set: 484/1024 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug2: bits set: 518/1024 debug3: mm_key_sign entering debug3: mm_request_send entering: type 5 debug3: monitor_read: checking request 5 debug3: mm_answer_sign debug3: mm_answer_sign: signature 0x7f74f925a0d0(271) debug3: mm_request_send entering: type 6 debug2: monitor_read: 5 used once, disabling now debug3: mm_request_receive entering debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN debug3: mm_request_receive_expect entering: type 6 debug3: mm_request_receive entering debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug3: Wrote 720 bytes for a total of 1733 debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug3: Wrote 48 bytes for a total of 1781 debug1: userauth-request for user abrown service ssh-connection method none debug1: attempt 0 failures 0 debug3: mm_getpwnamallow entering debug3: mm_request_send entering: type 7 debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM debug3: mm_request_receive_expect entering: type 8 debug3: mm_request_receive entering debug3: monitor_read: checking request 7 debug3: mm_answer_pwnamallow debug2: parse_server_config: config reprocess config len 602 debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1 debug3: mm_request_send entering: type 8 debug2: monitor_read: 7 used once, disabling now debug3: mm_request_receive entering debug2: input_userauth_request: setting up authctxt for abrown debug3: mm_start_pam entering debug3: mm_request_send entering: type 50 debug3: mm_inform_authserv entering debug3: mm_request_send entering: type 3 debug3: mm_inform_authrole entering debug3: mm_request_send entering: type 4 debug2: input_userauth_request: try method none debug3: Wrote 64 bytes for a total of 1845 debug3: monitor_read: checking request 50 debug1: PAM: initializing for "abrown" debug1: PAM: setting PAM_RHOST to "10.41.0.145" debug1: PAM: setting PAM_TTY to "ssh" debug2: monitor_read: 50 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 3 debug3: mm_answer_authserv: service=ssh-connection, style= debug2: monitor_read: 3 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 4 debug3: mm_answer_authrole: role= debug2: monitor_read: 4 used once, disabling now debug3: mm_request_receive entering debug1: userauth-request for user abrown service ssh-connection method password debug1: attempt 1 failures 0 debug2: input_userauth_request: try method password debug3: mm_auth_password entering debug3: mm_request_send entering: type 11 debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD debug3: mm_request_receive_expect entering: type 12 debug3: mm_request_receive entering debug3: monitor_read: checking request 11 debug3: PAM: sshpam_passwd_conv called with 1 messages debug1: PAM: password authentication accepted for abrown debug3: mm_answer_authpassword: sending result 1 debug3: mm_request_send entering: type 12 debug3: mm_request_receive_expect entering: type 51 debug3: mm_request_receive entering debug3: mm_auth_password: user authenticated debug3: mm_do_pam_account entering debug3: mm_request_send entering: type 51 debug3: mm_request_receive_expect entering: type 52 debug3: mm_request_receive entering debug1: do_pam_account: called debug3: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied) debug3: mm_request_send entering: type 52 Failed password for abrown from 10.41.0.145 port 42145 ssh2 debug3: mm_do_pam_account returning 0 Access denied for user abrown by PAM account configuration debug1: do_cleanup debug3: PAM: sshpam_thread_cleanup entering debug3: mm_request_send entering: type 80 debug3: mm_request_receive_expect entering: type 81 debug3: mm_request_receive entering debug3: mm_request_receive entering debug3: monitor_read: checking request 80 debug3: mm_request_send entering: type 81 debug3: mm_request_receive entering debug1: do_cleanup debug1: PAM: cleanup debug3: PAM: sshpam_thread_cleanup entering

4 10

Referral problem with sssd on RHEL-6
by Ondrej Valousek 29 Apr '15

29 Apr '15

Hi List, I am experiencing a strange error with sssd-1.11.6-30 on RHEL-6 machine it produces error: (Wed Apr 29 12:05:02 2015) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Referral(10), 0000202B: RefErr: DSID-03100742, data 0, 1 access points ref 1: 'ad.example.com' (Wed Apr 29 12:05:02 2015) [sssd[be[default]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error (Wed Apr 29 12:05:02 2015) [sssd[be[default]]] [ad_subdomains_get_slave_domain_done] (0x0040): sdap_get_generic_send request failed. And it also produces incomplete list of groups for user (via id -a) Trying the same configuration on Centos-7 and sssd-1.12.2-58 is working just fine. My configuration: [sssd] services = autofs, nss, pam config_file_version = 2 debug_level = 5 domains = default [nss] [domain/default] debug_level = 5 ldap_id_mapping = False ad_domain = PRAGUE.AD.EXAMPLE.COM id_provider = ad auth_provider = ad chpass_provider = ad autofs_provider = ldap cache_credentials = True # ldap_sasl_authid = RH6HOST$(a)PRAGUE.AD.EXAMPLE.COM dns_discovery_domain = prague.ad.example.com krb5_realm = PRAGUE.AD.EXAMPLE.COM krb5_canonicalize = False # interval (in seconds) to renew Kerberos TGTs krb5_renew_interval = 3600 # request renewable Kerberos tickets krb5_renewable_lifetime = 30d ldap_sasl_mech = GSSAPI ldap_referrals = False ldap_autofs_entry_key = cn ldap_autofs_entry_object_class = nisObject ldap_autofs_entry_value = nisMapEntry ldap_autofs_map_name = nisMapName ldap_autofs_map_object_class = nisMap Is there something wrong with my setup or the sssd is broken in RH-6? Please advise. Thanks, Ondrej ----- The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.

3 3

uidNumber=4294967295 is being appearing in the log frequently
by Majid Khan 28 Apr '15

28 Apr '15

Hi, I am getting the following from some of the clients machine I'm not sure why some of them sending this info otherwise my authentication and login all is working fine but I'm concern why its happening and my log is full of the following kind of message: Apr 28 05:58:44 server1 slapd[23003]: conn=5235 op=22 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(uidNumber=4294967295)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))" Apr 28 05:58:44 server1 slapd[23003]: conn=5235 op=22 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap Server info: CentOS release 6.6 LDAP version: openldap-2.4.40 Client info: CentOS release 6.2 Client using SSSD: sssd-1.11.6 (installed through yum) Best regards, Majid.

2 8

sbus dispatch - Connection is not open for dispatching
by Sterling Sahaydak 22 Apr '15

22 Apr '15

I'm using sssd with pam, OpenLDAP and OpenLDAP proxy to Active Directory in a sub-domain (sj) [root@ldap ~]# sssd --version 1.11.6 sssd.conf(sj) => slapd.conf(sj) => AD-sj and noticing a message in the sssd logs: [sssd[be[LDAP]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching Shown in the log: (servers are in the sub-domain sj) ORIG - sssd.sj point to ldap.sj and AD-sj ================================================ (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [be_resolve_server_process] (0x0200): Found address for server ad-sj.ad.example.com: [10.47.100.15] TTL 7200 (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_uri_callback] (0x0400): Constructed uri 'ldaps://ad-sj.ad.example.com' (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sss_ldap_init_send] (0x4000): Using file descriptor [18] for LDAP connection. (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sbus_remove_watch] (0x2000): 0xab3a60/0xab2010 (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sbus_remove_watch] (0x2000): 0xab3a60/0xab3cf0 (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0xac0d30 (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching. (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [be_client_destructor] (0x0400): Removed SUDO client (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sbus_remove_watch] (0x2000): 0xac5610/0xac4650 (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sbus_remove_watch] (0x2000): 0xac5610/0xac4600 (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0xac5090 (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching. (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [be_client_destructor] (0x0400): Removed PAM client (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldaps://ad-sj.ad.example.com:636/??base] with fd [18]. (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_rootdse_send] (0x4000): Getting rootdse (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][]. (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*] (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer] (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts] (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl] (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension] (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures] (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedLDAPVersion] (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedSASLMechanisms] (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [domainControllerFunctionality] (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [defaultNamingContext] (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN] (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [highestCommittedUSN] (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 1 (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_id_op_destroy] (0x4000): releasing operation connection (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [be_ptask_destructor] (0x0400): Terminating periodic task [Cleanup of LDAP] (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sdap_handle_release] (0x2000): Trace: sh[0xad5450], connected[1], ops[(nil)], ldap[0xac5780], destructor_lock[0], release_memory[0] (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [remove_connection_callback] (0x4000): Successfully removed connection callback. (Tue Apr 21 05:46:27 2015) [sssd[be[LDAP]]] [sbus_remove_watch] (0x2000): 0xab6360/0xa9da20 ***This appears to be preventing additional ldap search requests to Active Directory for user information to be running as the logs basically stop. ***Unclear of what 'sbus_dispatch' is using to request information and if the requests are getting to the Active Directory server and/or the requests back from the Active Directory server are blocked or something else??? ***Are there any ports or network info that sbus_dispatch is using that may be blocked or something with issues across sub-domains??? The AD-sj(primary) and AD-va(secondary) are in their own sub-domain(ad) and replicate each other. Next, I pointed sssd.conf file from the above sub-domain(sj) to another OpenLDAP server in a different sub domain(va) along with a different Active Directory server in the same sub domain(va) and seeing this in the logs which appears to be correct and not seeing the error message "Connection is not open for dispatching" but instead below seeing "Dispatching" which is allowing ldap search requests to be running against Active Directory. sssd.conf(sj) => slapd.conf(sj) => AD-va test 1 - sssd.sj point to ldap.va and ad-va (pointing sssd in the sj sub-domain to the va sub-domain) ============================================================== (Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x873c70 (Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x877680 (Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching. (Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [sbus_message_handler] (0x4000): Received SBUS method [RegisterService] (Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [RegisterService] (Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [client_registration] (0x0100): Cancel DP ID timeout [0x877fa0] (Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [client_registration] (0x0100): Added Frontend client [SUDO] (Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x877680 (Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching. (Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [sbus_message_handler] (0x4000): Received SBUS method [getDomains] (Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit (Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [getDomains] (Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [be_get_subdomains] (0x2000): Undefined backend target. (Tue Apr 21 06:31:44 2015) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x877680 (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldaps://ad-va.ad.example.com:636/??base] with fd [16]. (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_rootdse_send] (0x4000): Getting rootdse (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][]. (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedLDAPVersion] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedSASLMechanisms] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [domainControllerFunctionality] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [defaultNamingContext] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [highestCommittedUSN] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 1 (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x86ef80], connected[1], ops[0x92ee20], ldap[0x8722d0] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_entry] (0x4000): OriginalDN: []. (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [currentTime] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [subschemaSubentry] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [dsServiceName] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [namingContexts] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [defaultNamingContext] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [schemaNamingContext] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [configurationNamingContext] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [rootDomainNamingContext] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedControl] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedLDAPVersion] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedLDAPPolicies] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [highestCommittedUSN] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedSASLMechanisms] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [dnsHostName] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [ldapServiceName] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [serverName] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedCapabilities] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [isSynchronized] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [isGlobalCatalogReady] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [supportedExtension] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [domainFunctionality] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [forestFunctionality] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [domainControllerFunctionality] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x86ef80], connected[1], ops[0x92ee20], ldap[0x8722d0] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Tue Apr 21 06:31:45 2015) [sssd[be[LDAP]]] [sdap_get_rootdse_done] (0x2000): Got rootdse

2 1

simple_allow_groups does not work: 4 (system error )
by Domenico Viggiani 21 Apr '15

21 Apr '15

Hi, on a Red hat 7.1 machine with latest updates, sssd/realmd authentication against AD works until I try to use simple_allow_groups, when access is denied for all with this error: pam_sss(sshd:account): Access denied for user testuser: 4 (System error) Setting debug_level = 7, at the end of the log, I see: (Mon Mar 16 16:57:52 2015) [sssd[be[CERVEDGROUP.COM]]] [simple_resolve_group_check] (0x1000): The group is still non-POSIX (Mon Mar 16 16:57:52 2015) [sssd[be[CERVEDGROUP.COM]]] [simple_resolve_group_done] (0x0040): Refresh failed (Mon Mar 16 16:57:52 2015) [sssd[be[CERVEDGROUP.COM]]] [simple_check_get_groups_next] (0x0040): Could not resolve name of group with GID 684028039 (Mon Mar 16 16:57:52 2015) [sssd[be[CERVEDGROUP.COM]]] [simple_access_check_done] (0x0040): Could not collect groups of user testuser (Mon Mar 16 16:57:52 2015) [sssd[be[CERVEDGROUP.COM]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success] (Mon Mar 16 16:57:52 2015) [sssd[be[CERVEDGROUP.COM]]] [be_pam_handler_callback] (0x0100): Sending result [4][MYDOMAIN.COM] (Mon Mar 16 16:57:52 2015) [sssd[be[CERVEDGROUP.COM]]] [be_pam_handler_callback] (0x0100): Sent result [4][MYDOMAIN.COM] Full log is available but I need to "sanitize" it. Any help? Thanks in advance -- Mimmo

4 29

Re: [SSSD-users] FreeIPA/SSSD LDAP cross-forest trust slow queries
by Bobby Prins 17 Apr '15

17 Apr '15

Hi there, I thought I’d revive this thread since I’m more or less having the same issues as the initial poster (https://lists.fedorahosted.org/pipermail/sssd-users/2015-February/002667.ht…) I was not able to test the patch supplied by Sumit, but I can provide some additional logging. >On Fri, Mar 06, 2015 at 03:16:52PM +0000, Aviolat Romain wrote: >> Hi Sumit, >> >> I tried your patch, it seems that it still fails to download always the same groups as before. >> >> Here's the part where sysdb_set_entry_attr fails: >> >> (Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0400): Processing group my group1 at ad.domain2.net >> (Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0400): Filtering AD group [my group1 at ad.domain2.net] >> (Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_process_ghost_members] (0x0400): The group has 1 members >> (Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_process_ghost_members] (0x0400): Group has 1 members >> (Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0400): Storing info for group my group1 at ad.domain2.net >> (Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists] >> (Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists) > >Can you set debug_level to 9? Then there should be a dump of the >attributes in the logs. (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=example,dc=corp] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_print_server] (0x2000): Searching 192.168.141.5 (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectSID=S-1-5-21-1848557837-2917031290-480500741-7748)(objectClass=group)(name=*))][dc=example,dc=corp]. (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [member] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [groupType] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 161 (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_result] (0x2000): Trace: sh[0x7f24f56ac750], connected[1], ops[(nil)], ldap[0x7f24f56c42d0] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_result] (0x2000): Trace: sh[0x7f24f56e0be0], connected[1], ops[0x7f24f5776ce0], ldap[0x7f24f56e0830] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=PUB_R,OU=Groups,DC=example,DC=corp]. (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_parse_range] (0x2000): No sub-attributes for [member] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_parse_range] (0x2000): No sub-attributes for [whenChanged] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_parse_range] (0x2000): No sub-attributes for [name] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectGUID] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectSid] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_parse_range] (0x2000): No sub-attributes for [groupType] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_result] (0x2000): Trace: sh[0x7f24f56e0be0], connected[1], ops[0x7f24f5776ce0], ldap[0x7f24f56e0830] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_result] (0x2000): Trace: sh[0x7f24f56e0be0], connected[1], ops[0x7f24f5776ce0], ldap[0x7f24f56e0830] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_result] (0x2000): Trace: sh[0x7f24f56e0be0], connected[1], ops[0x7f24f5776ce0], ldap[0x7f24f56e0830] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_result] (0x2000): Trace: sh[0x7f24f56e0be0], connected[1], ops[0x7f24f5776ce0], ldap[0x7f24f56e0830] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_has_deref_support] (0x0400): The server supports deref method ASQ (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_nested_group_hash_group] (0x4000): AD group has type flags 0x80000004. (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_nested_group_hash_group] (0x0400): Filtering AD group. (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_nested_group_hash_group] (0x4000): The group's gid was zero (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_nested_group_hash_group] (0x2000): Marking group as non-posix and setting GID=0! (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_nested_group_hash_entry] (0x4000): Inserting [CN=PUB_R,OU=Groups,DC=example,DC=corp] into hash table [groups] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_nested_group_process_send] (0x2000): About to process group [CN=PUB_R,OU=Groups,DC=example,DC=corp] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sysdb_search_users] (0x2000): Search users with filter: (&(objectclass=user)(originalDN=CN=Users_All,OU=Resources,OU=Groups,DC=example,DC=corp)) (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f24f579c230 (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f24f585b670 (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Running timer event 0x7f24f579c230 "ltdb_callback" (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Destroying timer event 0x7f24f585b670 "ltdb_timeout" (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Ending timer event 0x7f24f579c230 "ltdb_callback" (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sysdb_search_users] (0x2000): No such entry (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(originalDN=CN=Users_All,OU=Resources,OU=Groups,DC=example,DC=corp)) (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f24f5820910 (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f24f5767620 (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Running timer event 0x7f24f5820910 "ltdb_callback" (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Destroying timer event 0x7f24f5767620 "ltdb_timeout" (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Ending timer event 0x7f24f5820910 "ltdb_callback" (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_nested_group_split_members] (0x4000): [CN=Users_All,OU=Resources,OU=Groups,DC=example,DC=corp] found in cache, skipping (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_nested_group_process_send] (0x2000): Looking up 0/1 members of group [CN=PUB_R,OU=Groups,DC=example,DC=corp] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_nested_group_recv] (0x0400): 0 users found in the hash table (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_nested_group_recv] (0x0400): 1 groups found in the hash table (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): start ldb transaction (nesting: 0) (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): start ldb transaction (nesting: 1) (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_get_primary_name] (0x0400): Processing object PUB_R(a)example.corp (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_save_group] (0x0400): Processing group PUB_R(a)example.corp (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_save_group] (0x4000): AD group [PUB_R(a)example.corp] has type flags 0x80000004. (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_save_group] (0x0400): Filtering AD group [PUB_R(a)example.corp] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original DN [CN=PUB_R,OU=Groups,DC=example,DC=corp] to attributes of [PUB_R(a)example.corp] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20130427135353.0Z] to attributes of [PUB_R(a)example.corp] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_ghost_members] (0x0400): The group has 1 members (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_process_ghost_members] (0x0400): Group has 1 members (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sysdb_attrs_get_aliases] (0x2000): Domain is case-insensitive; will add lowercased aliases (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_save_group] (0x0400): Storing info for group PUB_R(a)example.corp (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f24f5741710 (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f24f5741840 (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Running timer event 0x7f24f5741710 "ltdb_callback" (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Destroying timer event 0x7f24f5741840 "ltdb_timeout" (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Ending timer event 0x7f24f5741710 "ltdb_callback" (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): start ldb transaction (nesting: 2) (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f24f5712a30 (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f24f5712af0 (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Running timer event 0x7f24f5712a30 "ltdb_callback" (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f24f5714950 (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f24f584cd20 (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Destroying timer event 0x7f24f5712af0 "ltdb_timeout" (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Ending timer event 0x7f24f5712a30 "ltdb_callback" (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Running timer event 0x7f24f5714950 "ltdb_callback" (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Destroying timer event 0x7f24f584cd20 "ltdb_timeout" (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): Ending timer event 0x7f24f5714950 "ltdb_callback" (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): cancel ldb transaction (nesting: 2) (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Attribute or value exists] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sysdb_set_entry_attr] (0x0040): Error: 17 (File exists) (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sysdb_store_group] (0x1000): sysdb_set_group_attr failed. (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sysdb_store_group] (0x0400): Error: 17 (File exists) (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_store_group_with_gid] (0x0040): Could not store group PUB_R(a)example.corp (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_save_group] (0x0080): Could not store group with GID: [File exists] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_save_group] (0x0080): Failed to save group [PUB_R(a)example.corp] [File exists] (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_save_groups] (0x0040): Failed to store group 0. Ignoring. (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): commit ldb transaction (nesting: 1) (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [ldb] (0x4000): commit ldb transaction (nesting: 0) (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_id_op_destroy] (0x4000): releasing operation connection (Thu Apr 16 15:51:08 2015) [sssd[be[unix.example.corp]]] [sdap_id_op_done] (0x4000): releasing operation connection > >> (Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sysdb_store_group] (0x0400): Error: 17 (File exists) >> (Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_store_group_with_gid] (0x0040): Could not store group my group1 at ad.domain2.net >> (Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0080): Could not store group with GID: [File exists] >> (Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_group] (0x0080): Failed to save group [my group1 at ad.domain2.net] [File exists] >> (Fri Mar 6 16:02:17 2015) [sssd[be[ipa.domain1.com]]] [sdap_save_groups] (0x0040): Failed to store group 14. Ignoring. >> >> Every time it still tries to download the same groups. >> >> About the pam systemd thing, I don't have such option set in my sssd conf file. > >This is not configured in sssd.conf. In a default Fedora installation >you can find it in /etc/pam.d/password-auth. But if you do not see any >pam_systemd(sshd:session) timeout messages in the journal or >/var/log/secure you do not need to change anything here. > >bye, >Sumit

3 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

sssd-users April 2015