sssd-users September 2017

sssd-users@lists.fedorahosted.org

16 participants
23 discussions

sssd performance on large domains
by zfnoctis＠gmail.com 03 Feb '22

03 Feb '22

Hi, I'm wondering if there are any plans to improve sssd performance on large active directory domains (100k+ users, 40k+ groups), or if there are settings I am not aware of that can greatly improve performance, specifically for workstation use cases. Currently if I do not set "ignore_group_members = True" in sssd.conf, logins can take upwards of 6 minutes and "sssd_be" will max the CPU for up to 20 minutes after logon, which makes it a non-starter. The reason I want to allow group members to be seen is that I want certain domain groups to be able to perform elevated actions using polkit. If I ignore group members, polkit reports that the group is empty and so no one can elevate in the graphical environment. Ultimately this means that Linux workstations are at a severe disadvantage since they cannot be bound to the domain and have the normal set of access features users and IT expect from macOS or Windows. Distributions used: Ubuntu 16.04 (sssd 1.13.4-1ubuntu1.1), Ubuntu 16.10 (sssd 1.13.4-3) and Fedora 24 (sssd-1.13.4-3.fc24). All exhibit the same problems. I've also tried "ldap_group_nesting_level = 1" without seeing any noticeable improvement with respect to performance. Putting the database on /tmp isn't viable as these are workstations that will reboot semi-frequently, and I don't believe this is an I/O bound performance issue anyways. Thanks for your time.

6 29

Enumerate users from external group from AD trust
by Bolke de Bruin 29 Nov '19

29 Nov '19

Hello, I have sssd 1.13.00 working against FreeIPA 4.2 domain. This domain has a trust relationship with a active directory domain. One of the systems we are using requires to enumerate all users in groups by (unfortunate) design (Apache Ranger). This is done by using “getent group”. During this enumeration the full user list for a group that has a nested external member group* is not always returned so we thought to add “getent group mygroup” in order to get more details. Unfortunately this does not seem to work consistently: sometimes this gives information sometimes it does not: [root@master centos]# getent group ad_users ad_users:*:1950000004: [root@master centos]# id bolke(a)ad.local UID=1796201107(bolke(a)ad.local) GID=1796201107(bolke(a)ad.local) groepen=1796201107(bolke(a)ad.local),1796200513(domain users@ad.local),1796201108(test@ad.local) [root@master centos]# getent group ad_users ad_users:*:1950000004:bolke@ad.local <mailto:bolke@ad.local> If I clear the cache (sss_cache -E) the entry is gone again: [root@master centos]# getent group ad_users ad_users:*:1950000004: My question is how do I get sssd to enumerate *all users* in a group consistently? Thanks! Bolke * https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-gro…

3 15

SSSD for one-way trusted AD domain
by Ondrej Valousek 15 May '18

15 May '18

Hi List, Question, we have joined machine into AD domain B. This domain has one way trust to domain A. No direct connection from domain B network to DCs in domain A is possible. Can we use SSSD to authenticate members in domain A. In windows, this works - but can't get it working in Linux via SSSD (Fedora 25, used realmd for AD join). Thanks, Ondrej ----- The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.

3 2

Does anyone use id_provider=local ?
by Jakub Hrozek 17 Oct '17

17 Oct '17

Hi, are there any SSSD users who actively use a configuration with: id_provider=local ? If so, what is your use-case? We're considering deprecating and eventually removing this provider upstream. The replacemant for id_provider=local would be id_provider=files: https://fedorahosted.org/sssd/wiki/DesignDocs/FilesProvider which is already under review and later extension of the SSSD's D-Bus interface to allow manipulating custom user attributes. My current plan for deprecating the local provider is to only build the provider and the tools around it if a configure-time flag is provided. This flag would be disabled by default. Then, if noone complains, eventually just remove the code.

3 5

Kerberos Tickets not obtained until restart of SSSD
by Sam Weston 11 Oct '17

11 Oct '17

Hi again, The issue with password caching seems to have been solved. However with my 1.15.2 deployment still has one problem which is not present with 1.13. If you log in to a machine when it is offline, you have to reboot the machine or restart the sssd service for any Kerberos tickets to be obtained from the KDC when the machine comes back online. If I originally login when the machine is offline, I get this ticket: sweston@sflt28:~$ klist Ticket cache: FILE:/tmp/krb5cc_1117605638_HtMNOv Default principal: sweston(a)SMALLBUSINESS.LAN Valid starting Expires Service principal 01/01/70 01:00:00 01/01/70 01:00:00 krbtgt/SMALLBUSINESS.LAN(a)SMALLBUSINESS.LAN If I log out and login again with the network cable plugged in, I still only have the above ticket. The logs look like this: Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=sweston(a)smallbusiness.lan] (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_attach_req] (0x0400): DP Request [Initgroups #329]: New request. Flags [0x0001]. (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_attach_req] (0x0400): Number of active DP request: 1 (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [_dp_req_recv] (0x0400): DP Request [Initgroups #329]: Receiving request data. (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_req_reply_gen_error] (0x0080): DP Request [Initgroups #329]: Finished. Backend is currently offline. (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::SMALLBUSINESS.LAN:name=sweston@smallbusiness.lan] from reply table (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_req_destructor] (0x0400): DP Request [Initgroups #329]: Request removed. (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_req_destructor] (0x0400): Number of active DP request: 0 (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_pam_handler] (0x0100): Got request with the following data (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): domain: SMALLBUSINESS.LAN (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): user: sweston(a)smallbusiness.lan (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): service: sudo (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): tty: /dev/pts/0 (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): ruser: sweston (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): rhost: (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): authtok type: 1 (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): newauthtok type: 0 (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): priv: 0 (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): cli_pid: 3849 (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): logon name: not set (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_attach_req] (0x0400): DP Request [PAM Authenticate #330]: New request. Flags [0000]. (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_attach_req] (0x0400): Number of active DP request: 1 (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [krb5_auth_send] (0x0100): Home directory for user [sweston(a)smallbusiness.lan] not known. (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD' (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [get_port_status] (0x0080): SSSD is unable to complete the full connection request, this internal status does not necessarily indicate network port issues. (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD' (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [be_ptask_enable] (0x0080): Task [Check if online (periodic)]: already enabled (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks. (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [write_pipe_handler] (0x0400): All data has been sent! (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [read_pipe_handler] (0x0400): EOF received, client finished (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sysdb_set_entry_attr] (0x0200): Entry [name=sweston(a)smallbusiness.lan,cn=users,cn=SMALLBUSINESS.LAN,cn=sysdb] has set [ts_cache] attrs. (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sysdb_cache_auth] (0x0100): Hashes do match! (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_req_done] (0x0400): DP Request [PAM Authenticate #330]: Request handler finished [0]: Success (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [_dp_req_recv] (0x0400): DP Request [PAM Authenticate #330]: Receiving request data. (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_req_destructor] (0x0400): DP Request [PAM Authenticate #330]: Request removed. (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_req_destructor] (0x0400): Number of active DP request: 0 (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_method_enabled] (0x0400): Target selinux is not configured (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [child_sig_handler] (0x0100): child [3857] finished successfully. (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [be_ptask_offline_cb] (0x0400): Back end is offline (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [be_ptask_disable] (0x0400): Task [Subdomains Refresh]: disabling task (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_pam_handler] (0x0100): Got request with the following data (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): domain: SMALLBUSINESS.LAN (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): user: sweston(a)smallbusiness.lan (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): service: sudo (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): tty: /dev/pts/0 (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): ruser: sweston (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): rhost: (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): authtok type: 0 (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): newauthtok type: 0 (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): priv: 0 (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): cli_pid: 3849 (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): logon name: not set (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_attach_req] (0x0400): DP Request [PAM Account #331]: New request. Flags [0000]. (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_attach_req] (0x0400): Number of active DP request: 1 (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_access_send] (0x0400): Performing access check for user [sweston(a)smallbusiness.lan] (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_account_expired_ad] (0x0400): Performing AD access check for user [sweston(a)smallbusiness.lan] (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_send] (0x0400): service sudo maps to Permitted (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_done] (0x0400): GPO-based access control successful. (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_req_done] (0x0400): DP Request [PAM Account #331]: Request handler finished [0]: Success (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [_dp_req_recv] (0x0400): DP Request [PAM Account #331]: Receiving request data. (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_req_destructor] (0x0400): DP Request [PAM Account #331]: Request removed. (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_req_destructor] (0x0400): Number of active DP request: 0 (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_method_enabled] (0x0400): Target selinux is not configured (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [be_ptask_offline_cb] (0x0400): Back end is offline (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [be_ptask_disable] (0x0400): Task [SUDO Smart Refresh]: disabling task (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [be_ptask_offline_cb] (0x0400): Back end is offline (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [be_ptask_disable] (0x0400): Task [SUDO Full Refresh]: disabling task (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kdcinfo.SMALLBUSINESS.LAN], [2][No such file or directory] (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.SMALLBUSINESS.LAN], [2][No such file or directory] (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [be_ptask_offline_cb] (0x0400): Back end is offline (Tue Sep 12 17:17:08 2017) [sssd[be[SMALLBUSINESS.LAN]]] [be_ptask_disable] (0x0400): Task [AD machine account password renewal]: disabling task If I restart the sssd service and then lock the screen and login again everything works correctly. I get the ticket that I want: Ticket cache: FILE:/tmp/krb5cc_1117605638_HtMNOv Default principal: sweston(a)SMALLBUSINESS.LAN Valid starting Expires Service principal 12/09/17 17:21:24 13/09/17 03:21:24 krbtgt/SMALLBUSINESS.LAN(a)SMALLBUSINESS.LAN renew until 13/09/17 17:21:24 Logs: (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_get_account_info_handler] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=sweston(a)smallbusiness.lan] (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_attach_req] (0x0400): DP Request [Initgroups #1]: New request. Flags [0x0001]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_attach_req] (0x0400): Number of active DP request: 1 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC' (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_srv_plugin_send] (0x0400): About to find domain controllers (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_get_dc_servers_send] (0x0400): Looking up domain controllers in domain SMALLBUSINESS.LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'ldap'. Will use DNS discovery domain 'SMALLBUSINESS.LAN' (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.SMALLBUSINESS.LAN' (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [request_watch_destructor] (0x0400): Deleting request watch (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [fo_discover_srv_done] (0x0400): Got answer. Processing... (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [fo_discover_srv_done] (0x0400): Got 2 servers (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_get_dc_servers_done] (0x0400): Found 2 domain controllers in domain SMALLBUSINESS.LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_srv_plugin_dcs_done] (0x0400): About to locate suitable site (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_connect_host_send] (0x0400): Resolving host sfbackup02.smallbusiness.lan (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'sfbackup02.smallbusiness.lan' in files (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'sfbackup02.smallbusiness.lan' in files (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'sfbackup02.smallbusiness.lan' in DNS (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [request_watch_destructor] (0x0400): Deleting request watch (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_connect_host_resolv_done] (0x0400): Connecting to ldap://sfbackup02.smallbusiness.lan:389 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout for connecting (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_connect_host_done] (0x0400): Successful connection to ldap://sfbackup02.smallbusiness.lan:389 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(DnsDomain=SMALLBUSINESS.LAN)(NtVer=\14\00\00\00))][]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_get_client_site_done] (0x0400): Found site: Default-First-Site-Name (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_get_client_site_done] (0x0400): Found forest: SMALLBUSINESS.LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_srv_plugin_site_done] (0x0400): About to discover primary and backup servers (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [fo_discover_servers_send] (0x0400): Looking up primary servers (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'gc'. Will use DNS discovery domain 'Default-First-Site-Name._sites.SMALLBUSINESS.LAN' (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_gc._tcp.Default-First-Site-Name._sites.SMALLBUSINESS.LAN' (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [request_watch_destructor] (0x0400): Deleting request watch (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [fo_discover_srv_done] (0x0400): Got answer. Processing... (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [fo_discover_srv_done] (0x0400): Got 2 servers (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [fo_discover_servers_primary_done] (0x0400): Looking up backup servers (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'gc'. Will use DNS discovery domain 'SMALLBUSINESS.LAN' (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_gc._tcp.SMALLBUSINESS.LAN' (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [request_watch_destructor] (0x0400): Deleting request watch (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [fo_discover_srv_done] (0x0400): Got answer. Processing... (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [fo_discover_srv_done] (0x0400): Got 2 servers (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_srv_plugin_servers_done] (0x0400): Got 2 primary and 2 backup servers (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'sfpdc.smallbusiness.lan:3268' to service 'AD_GC' (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'sfbackup02.smallbusiness.lan:3268' to service 'AD_GC' (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [fo_add_server_to_list] (0x0400): Server 'sfbackup02.smallbusiness.lan:3268' for service 'AD_GC' is already present (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [fo_add_server_to_list] (0x0400): Server 'sfpdc.smallbusiness.lan:3268' for service 'AD_GC' is already present (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'AD_GC' as 'resolved' (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'sfpdc.smallbusiness.lan' in files (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [set_server_common_status] (0x0100): Marking server 'sfpdc.smallbusiness.lan' as 'resolving name' (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'sfpdc.smallbusiness.lan' in files (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'sfpdc.smallbusiness.lan' in DNS (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [request_watch_destructor] (0x0400): Deleting request watch (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [set_server_common_status] (0x0100): Marking server 'sfpdc.smallbusiness.lan' as 'name resolved' (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [be_resolve_server_process] (0x0200): Found address for server sfpdc.smallbusiness.lan: [192.168.1.7] TTL 3600 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://sfpdc.smallbusiness.lan' (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://sfpdc.smallbusiness.lan:3268' (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout for connecting (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4] (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, SFLT28$, SMALLBUSINESS.LAN, 86400) (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD' (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [be_resolve_server_process] (0x0200): Found address for server sfbackup02.smallbusiness.lan: [192.168.1.3] TTL 3600 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [create_tgt_req_send_buffer] (0x0400): buffer size: 48 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [write_pipe_handler] (0x0400): All data has been sent! (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [child_sig_handler] (0x0100): child [4718] finished successfully. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [read_pipe_handler] (0x0400): EOF received, client finished (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_SMALLBUSINESS.LAN], expired on [1505269284] (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: SFLT28$ (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_cli_connect_recv] (0x0400): Connection established. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [fo_set_port_status] (0x0100): Marking port 3268 of server 'sfpdc.smallbusiness.lan' as 'working' (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [set_server_common_status] (0x0100): Marking server 'sfpdc.smallbusiness.lan' as 'working' (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [fo_set_port_status] (0x0400): Marking port 3268 of duplicate server 'sfpdc.smallbusiness.lan' as 'working' (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [DC=SMALLBUSINESS,DC=LAN] (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=sweston)(objectclass=user)(objectSID=*))][DC=SMALLBUSINESS,DC=LAN]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_save_user] (0x0400): Save user (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_primary_name] (0x0400): Processing object sweston (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_save_user] (0x0400): Processing user sweston(a)smallbusiness.lan (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_save_user] (0x0400): Adding original memberOf attributes to [sweston(a)smallbusiness.lan] (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_save_user] (0x0400): Adding user principal [sweston(a)SMALLBUSINESS.LAN] to attributes of [sweston(a)smallbusiness.lan] (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_save_user] (0x0400): Storing info for user sweston(a)smallbusiness.lan (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sysdb_set_entry_attr] (0x0200): Entry [name=sweston(a)smallbusiness.lan,cn=users,cn=SMALLBUSINESS.LAN,cn=sysdb] has set [ts_cache] attrs. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no filter][CN=Sam Weston,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=SMALLBUSINESS,DC=LAN]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_idmap_sid_to_unix] (0x0400): Object SID [S-1-5-32-550] is a built-in one. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_ad_save_group_membership_with_idmapping] (0x0400): Skipping built-in object. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_idmap_sid_to_unix] (0x0400): Object SID [S-1-5-32-545] is a built-in one. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_ad_save_group_membership_with_idmapping] (0x0400): Skipping built-in object. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_idmap_sid_to_unix] (0x0400): Object SID [S-1-5-32-544] is a built-in one. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_ad_save_group_membership_with_idmapping] (0x0400): Skipping built-in object. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_idmap_sid_to_unix] (0x0400): Object SID [S-1-5-32-549] is a built-in one. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_ad_save_group_membership_with_idmapping] (0x0400): Skipping built-in object. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_idmap_sid_to_unix] (0x0400): Object SID [S-1-5-32-574] is a built-in one. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_ad_save_group_membership_with_idmapping] (0x0400): Skipping built-in object. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_initgr_done] (0x0400): Primary group already cached, nothing to do. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sysdb_set_entry_attr] (0x0200): Entry [name=sweston(a)smallbusiness.lan,cn=users,cn=SMALLBUSINESS.LAN,cn=sysdb] has set [ts_cache] attrs. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_req_done] (0x0400): DP Request [Initgroups #1]: Request handler finished [0]: Success (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [_dp_req_recv] (0x0400): DP Request [Initgroups #1]: Receiving request data. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_req_initgr_pp] (0x0400): Ordering NSS responder to update memory cache (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_req_reply_list_success] (0x0400): DP Request [Initgroups #1]: Finished. Success. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:3::SMALLBUSINESS.LAN:name=sweston@smallbusiness.lan] from reply table (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_req_destructor] (0x0400): DP Request [Initgroups #1]: Request removed. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_req_destructor] (0x0400): Number of active DP request: 0 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_pam_handler] (0x0100): Got request with the following data (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): domain: SMALLBUSINESS.LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): user: sweston(a)smallbusiness.lan (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): service: gdm-password (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): tty: /dev/tty2 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): ruser: (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): rhost: (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): authtok type: 1 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): newauthtok type: 0 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): priv: 1 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): cli_pid: 4714 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): logon name: not set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_attach_req] (0x0400): DP Request [PAM Authenticate #2]: New request. Flags [0000]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_attach_req] (0x0400): Number of active DP request: 1 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [krb5_auth_send] (0x0100): Home directory for user [sweston(a)smallbusiness.lan] not known. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD' (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [be_resolve_server_process] (0x0200): Found address for server sfbackup02.smallbusiness.lan: [192.168.1.3] TTL 3600 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [write_pipe_handler] (0x0400): All data has been sent! (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [read_pipe_handler] (0x0400): EOF received, client finished (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'sfbackup02.smallbusiness.lan' as 'working' (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [set_server_common_status] (0x0100): Marking server 'sfbackup02.smallbusiness.lan' as 'working' (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'sfbackup02.smallbusiness.lan' as 'working' (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sysdb_set_entry_attr] (0x0200): Entry [name=sweston(a)smallbusiness.lan,cn=users,cn=SMALLBUSINESS.LAN,cn=sysdb] has set [ts_cache] attrs. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sysdb_set_entry_attr] (0x0200): Entry [name=sweston(a)smallbusiness.lan,cn=users,cn=SMALLBUSINESS.LAN,cn=sysdb] has set [cache, ts_cache] attrs. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_req_done] (0x0400): DP Request [PAM Authenticate #2]: Request handler finished [0]: Success (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [_dp_req_recv] (0x0400): DP Request [PAM Authenticate #2]: Receiving request data. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_req_destructor] (0x0400): DP Request [PAM Authenticate #2]: Request removed. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_req_destructor] (0x0400): Number of active DP request: 0 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_method_enabled] (0x0400): Target selinux is not configured (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [child_sig_handler] (0x0100): child [4719] finished successfully. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_pam_handler] (0x0100): Got request with the following data (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): domain: SMALLBUSINESS.LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): user: sweston(a)smallbusiness.lan (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): service: gdm-password (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): tty: /dev/tty2 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): ruser: (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): rhost: (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): authtok type: 0 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): newauthtok type: 0 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): priv: 1 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): cli_pid: 4714 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): logon name: not set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_attach_req] (0x0400): DP Request [PAM Account #3]: New request. Flags [0000]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_attach_req] (0x0400): Number of active DP request: 1 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_access_send] (0x0400): Performing access check for user [sweston(a)smallbusiness.lan] (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_account_expired_ad] (0x0400): Performing AD access check for user [sweston(a)smallbusiness.lan] (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_send] (0x0400): service gdm-password maps to Interactive (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_connect_done] (0x0400): sam_account_name is SFLT28$ (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=user)(sAMAccountName=SFLT28$))][dc=smallbusiness,dc=lan]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=domain][DC=SMALLBUSINESS,DC=LAN]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_master_domain_next_done] (0x0400): Found SID [S-1-5-21-3845744863-2409227386-3211111987]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(DnsDomain=SMALLBUSINESS.LAN)(NtVer=\14\00\00\00))][]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_master_domain_netlogon_done] (0x0400): Found flat name [SMALLBUSINESS]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_master_domain_netlogon_done] (0x0400): Found site [Default-First-Site-Name]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_master_domain_netlogon_done] (0x0400): Found forest [SMALLBUSINESS.LAN]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=SMALLBUSINESS,DC=LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is OU=Computers,OU=MyBusiness,DC=SMALLBUSINESS,DC=LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is OU=MyBusiness,DC=SMALLBUSINESS,DC=LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[3]->som_dn is DC=SMALLBUSINESS,DC=LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[4]->som_dn is cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=SMALLBUSINESS,DC=LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=SMALLBUSINESS,DC=LAN]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=SMALLBUSINESS,DC=LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][OU=Computers,OU=MyBusiness,DC=SMALLBUSINESS,DC=LAN]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=Computers,OU=MyBusiness,DC=SMALLBUSINESS,DC=LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][OU=MyBusiness,DC=SMALLBUSINESS,DC=LAN]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: OU=MyBusiness,DC=SMALLBUSINESS,DC=LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][DC=SMALLBUSINESS,DC=LAN]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=SMALLBUSINESS,DC=LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=SMALLBUSINESS,DC=LAN]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn: CN={7D28B004-B249-49B0-A8CE-BA2A0B9F56EA},CN=Policies,CN=System,DC=SMALLBUSINESS,DC=LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn: CN={7F8D8A41-8831-4EF1-990F-3AECF333E735},CN=Policies,CN=System,DC=SMALLBUSINESS,DC=LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[2]->gpo_dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=SMALLBUSINESS,DC=LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[3]->gpo_dn: cn={BA4389F2-AD33-4678-BF30-44D81E900008},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[4]->gpo_dn: cn={5F743845-71B6-4CDF-965F-20360E51C01A},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[5]->gpo_dn: cn={8FC54817-BD35-4D6F-AB72-E799C66667E8},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[6]->gpo_dn: cn={CED4E066-9ADF-47A5-8F92-BBDDB522A034},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[7]->gpo_dn: cn={6ECD6877-791E-4F38-9945-EFAF733C3475},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[8]->gpo_dn: cn={CE7CA45B-21CC-4C6C-A9F6-DCED4A0D7C93},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[9]->gpo_dn: cn={57EF63D0-BF6F-4079-BD9B-9D896BB9A495},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[10]->gpo_dn: cn={29274130-3B70-4A97-AB38-25EA9D8D0F67},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[11]->gpo_dn: cn={D6B5C6DF-114E-49FC-976E-5B8893FA1E27},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[12]->gpo_dn: cn={3452D745-B138-4799-A555-1EBFB3654704},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[13]->gpo_dn: cn={B42D8E08-C289-436C-8E31-BD3DD2A415DC},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[14]->gpo_dn: cn={355444B3-99ED-4D77-B9EC-BAF3EAA17AA7},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_sd_search_send] (0x0400): Searching entry [CN={7D28B004-B249-49B0-A8CE-BA2A0B9F56EA},CN=Policies,CN=System,DC=SMALLBUSINESS,DC=LAN] using SD (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because scope is set to base. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][CN={7D28B004-B249-49B0-A8CE-BA2A0B9F56EA},CN=Policies,CN=System,DC=SMALLBUSINESS,DC=LAN]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_sd_search_send] (0x0400): Searching entry [CN={7F8D8A41-8831-4EF1-990F-3AECF333E735},CN=Policies,CN=System,DC=SMALLBUSINESS,DC=LAN] using SD (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because scope is set to base. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][CN={7F8D8A41-8831-4EF1-990F-3AECF333E735},CN=Policies,CN=System,DC=SMALLBUSINESS,DC=LAN]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_sd_search_send] (0x0400): Searching entry [CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=SMALLBUSINESS,DC=LAN] using SD (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because scope is set to base. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=SMALLBUSINESS,DC=LAN]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_sd_search_send] (0x0400): Searching entry [cn={BA4389F2-AD33-4678-BF30-44D81E900008},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN] using SD (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because scope is set to base. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][cn={BA4389F2-AD33-4678-BF30-44D81E900008},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_sd_search_send] (0x0400): Searching entry [cn={5F743845-71B6-4CDF-965F-20360E51C01A},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN] using SD (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because scope is set to base. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][cn={5F743845-71B6-4CDF-965F-20360E51C01A},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_sd_search_send] (0x0400): Searching entry [cn={8FC54817-BD35-4D6F-AB72-E799C66667E8},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN] using SD (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because scope is set to base. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][cn={8FC54817-BD35-4D6F-AB72-E799C66667E8},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_sd_search_send] (0x0400): Searching entry [cn={CED4E066-9ADF-47A5-8F92-BBDDB522A034},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN] using SD (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because scope is set to base. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][cn={CED4E066-9ADF-47A5-8F92-BBDDB522A034},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_sd_search_send] (0x0400): Searching entry [cn={6ECD6877-791E-4F38-9945-EFAF733C3475},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN] using SD (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because scope is set to base. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][cn={6ECD6877-791E-4F38-9945-EFAF733C3475},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_sd_search_send] (0x0400): Searching entry [cn={CE7CA45B-21CC-4C6C-A9F6-DCED4A0D7C93},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN] using SD (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because scope is set to base. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][cn={CE7CA45B-21CC-4C6C-A9F6-DCED4A0D7C93},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_sd_search_send] (0x0400): Searching entry [cn={57EF63D0-BF6F-4079-BD9B-9D896BB9A495},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN] using SD (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because scope is set to base. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][cn={57EF63D0-BF6F-4079-BD9B-9D896BB9A495},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_sd_search_send] (0x0400): Searching entry [cn={29274130-3B70-4A97-AB38-25EA9D8D0F67},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN] using SD (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because scope is set to base. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][cn={29274130-3B70-4A97-AB38-25EA9D8D0F67},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_sd_search_send] (0x0400): Searching entry [cn={D6B5C6DF-114E-49FC-976E-5B8893FA1E27},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN] using SD (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because scope is set to base. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][cn={D6B5C6DF-114E-49FC-976E-5B8893FA1E27},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_sd_search_send] (0x0400): Searching entry [cn={3452D745-B138-4799-A555-1EBFB3654704},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN] using SD (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because scope is set to base. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][cn={3452D745-B138-4799-A555-1EBFB3654704},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_sd_search_send] (0x0400): Searching entry [cn={B42D8E08-C289-436C-8E31-BD3DD2A415DC},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN] using SD (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because scope is set to base. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][cn={B42D8E08-C289-436C-8E31-BD3DD2A415DC},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_sd_search_send] (0x0400): Searching entry [cn={355444B3-99ED-4D77-B9EC-BAF3EAA17AA7},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN] using SD (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because scope is set to base. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][cn={355444B3-99ED-4D77-B9EC-BAF3EAA17AA7},cn=policies,cn=system,DC=SMALLBUSINESS,DC=LAN]. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_process_gpo_done] (0x0400): dacl_filtered_gpos[0]->gpo_guid is {7D28B004-B249-49B0-A8CE-BA2A0B9F56EA} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_process_gpo_done] (0x0400): dacl_filtered_gpos[1]->gpo_guid is {7F8D8A41-8831-4EF1-990F-3AECF333E735} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_process_gpo_done] (0x0400): dacl_filtered_gpos[2]->gpo_guid is {BA4389F2-AD33-4678-BF30-44D81E900008} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_process_gpo_done] (0x0400): dacl_filtered_gpos[3]->gpo_guid is {5F743845-71B6-4CDF-965F-20360E51C01A} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_process_gpo_done] (0x0400): dacl_filtered_gpos[4]->gpo_guid is {8FC54817-BD35-4D6F-AB72-E799C66667E8} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_process_gpo_done] (0x0400): dacl_filtered_gpos[5]->gpo_guid is {CED4E066-9ADF-47A5-8F92-BBDDB522A034} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_process_gpo_done] (0x0400): dacl_filtered_gpos[6]->gpo_guid is {6ECD6877-791E-4F38-9945-EFAF733C3475} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_process_gpo_done] (0x0400): dacl_filtered_gpos[7]->gpo_guid is {CE7CA45B-21CC-4C6C-A9F6-DCED4A0D7C93} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_process_gpo_done] (0x0400): dacl_filtered_gpos[8]->gpo_guid is {57EF63D0-BF6F-4079-BD9B-9D896BB9A495} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_process_gpo_done] (0x0400): dacl_filtered_gpos[9]->gpo_guid is {29274130-3B70-4A97-AB38-25EA9D8D0F67} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_process_gpo_done] (0x0400): dacl_filtered_gpos[10]->gpo_guid is {D6B5C6DF-114E-49FC-976E-5B8893FA1E27} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_process_gpo_done] (0x0400): dacl_filtered_gpos[11]->gpo_guid is {3452D745-B138-4799-A555-1EBFB3654704} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_process_gpo_done] (0x0400): dacl_filtered_gpos[12]->gpo_guid is {B42D8E08-C289-436C-8E31-BD3DD2A415DC} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_process_gpo_done] (0x0400): dacl_filtered_gpos[13]->gpo_guid is {355444B3-99ED-4D77-B9EC-BAF3EAA17AA7} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_process_gpo_done] (0x0400): cse_filtered_gpos[0]->gpo_guid is {7D28B004-B249-49B0-A8CE-BA2A0B9F56EA} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_process_gpo_done] (0x0400): cse_filtered_gpos[1]->gpo_guid is {BA4389F2-AD33-4678-BF30-44D81E900008} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_process_gpo_done] (0x0400): cse_filtered_gpos[2]->gpo_guid is {57EF63D0-BF6F-4079-BD9B-9D896BB9A495} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_process_gpo_done] (0x0400): cse_filtered_gpos[3]->gpo_guid is {D6B5C6DF-114E-49FC-976E-5B8893FA1E27} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_process_gpo_done] (0x0400): num_cse_filtered_gpos: 4 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sysdb_gpo_delete_gpo_result_object] (0x0400): Deleting GPO Result object (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): cse filtered_gpos[0]->gpo_guid is {7D28B004-B249-49B0-A8CE-BA2A0B9F56EA} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): smb_server: smb://sfpdc.smallbusiness.lan (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): smb_share: /SysVol (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): smb_path: /SMALLBUSINESS.LAN/Policies/{7D28B004-B249-49B0-A8CE-BA2A0B9F56EA} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): gpo_guid: {7D28B004-B249-49B0-A8CE-BA2A0B9F56EA} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): retrieving GPO from cache [{7D28B004-B249-49B0-A8CE-BA2A0B9F56EA}] (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): send_to_child: 1 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): cached_gpt_version: 655593 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [write_pipe_handler] (0x0400): All data has been sent! (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [read_pipe_handler] (0x0400): EOF received, client finished (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [gpo_cse_done] (0x0400): sysvol_gpt_version: 655593 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_done] (0x0400): gpo_guid: {7D28B004-B249-49B0-A8CE-BA2A0B9F56EA} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): cse filtered_gpos[1]->gpo_guid is {BA4389F2-AD33-4678-BF30-44D81E900008} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): smb_server: smb://sfpdc.smallbusiness.lan (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): smb_share: /SysVol (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): smb_path: /SMALLBUSINESS.LAN/Policies/{BA4389F2-AD33-4678-BF30-44D81E900008} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): gpo_guid: {BA4389F2-AD33-4678-BF30-44D81E900008} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): retrieving GPO from cache [{BA4389F2-AD33-4678-BF30-44D81E900008}] (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): send_to_child: 1 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): cached_gpt_version: 10 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [child_sig_handler] (0x0020): waitpid did not found a child with changed status. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [child_sig_handler] (0x0100): child [4722] finished successfully. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [write_pipe_handler] (0x0400): All data has been sent! (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [read_pipe_handler] (0x0400): EOF received, client finished (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [gpo_cse_done] (0x0400): sysvol_gpt_version: 10 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_done] (0x0400): gpo_guid: {BA4389F2-AD33-4678-BF30-44D81E900008} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_store_policy_settings] (0x0020): [/var/lib/sss/gpo_cache/SMALLBUSINESS.LAN/Policies/{BA4389F2-AD33-4678-BF30-44D81E900008}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf]: ini_config_parse failed [5][Input/output error] (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_store_policy_settings] (0x0020): Error (5) on line 7: Equal sign is missing. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_store_policy_settings] (0x0020): Error (5) on line 8: Equal sign is missing. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): cse filtered_gpos[2]->gpo_guid is {57EF63D0-BF6F-4079-BD9B-9D896BB9A495} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): smb_server: smb://sfpdc.smallbusiness.lan (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): smb_share: /SysVol (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): smb_path: /SMALLBUSINESS.LAN/Policies/{57EF63D0-BF6F-4079-BD9B-9D896BB9A495} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): gpo_guid: {57EF63D0-BF6F-4079-BD9B-9D896BB9A495} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): retrieving GPO from cache [{57EF63D0-BF6F-4079-BD9B-9D896BB9A495}] (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): send_to_child: 1 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): cached_gpt_version: 8 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [child_sig_handler] (0x0020): waitpid did not found a child with changed status. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [child_sig_handler] (0x0100): child [4724] finished successfully. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [write_pipe_handler] (0x0400): All data has been sent! (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [read_pipe_handler] (0x0400): EOF received, client finished (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [gpo_cse_done] (0x0400): sysvol_gpt_version: 8 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_done] (0x0400): gpo_guid: {57EF63D0-BF6F-4079-BD9B-9D896BB9A495} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sysdb_gpo_store_gpo_result_setting] (0x0400): Storing setting: key [SeDenyInteractiveLogonRight] value [*S-1-5-21-3845744863-2409227386-3211111987-3806] (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sysdb_gpo_store_gpo_result_setting] (0x0400): Updating setting: key [SeDenyRemoteInteractiveLogonRight] value [*S-1-5-21-3845744863-2409227386-3211111987-3806] (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): cse filtered_gpos[3]->gpo_guid is {D6B5C6DF-114E-49FC-976E-5B8893FA1E27} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): smb_server: smb://sfpdc.smallbusiness.lan (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): smb_share: /SysVol (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): smb_path: /SMALLBUSINESS.LAN/Policies/{D6B5C6DF-114E-49FC-976E-5B8893FA1E27} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): gpo_guid: {D6B5C6DF-114E-49FC-976E-5B8893FA1E27} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): retrieving GPO from cache [{D6B5C6DF-114E-49FC-976E-5B8893FA1E27}] (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): send_to_child: 1 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_step] (0x0400): cached_gpt_version: 262220 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [child_sig_handler] (0x0020): waitpid did not found a child with changed status. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [child_sig_handler] (0x0100): child [4726] finished successfully. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [write_pipe_handler] (0x0400): All data has been sent! (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [read_pipe_handler] (0x0400): EOF received, client finished (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [gpo_cse_done] (0x0400): sysvol_gpt_version: 262220 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_cse_done] (0x0400): gpo_guid: {D6B5C6DF-114E-49FC-976E-5B8893FA1E27} (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sysdb_gpo_get_gpo_result_setting] (0x0400): key [SeInteractiveLogonRight] value [(null)] (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [parse_policy_setting_value] (0x0400): No value for key [SeInteractiveLogonRight] found in gpo result (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [sysdb_gpo_get_gpo_result_setting] (0x0400): key [SeDenyInteractiveLogonRight] value [*S-1-5-21-3845744863-2409227386-3211111987-3806] (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): RESULTANT POLICY: (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): gpo_map_type: Interactive (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): allowed_size = 0 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): denied_size = 1 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): denied_sids[0] = S-1-5-21-3845744863-2409227386-3211111987-3806 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): CURRENT USER: (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): user_sid = S-1-5-21-3845744863-2409227386-3211111987-5638 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[0] = S-1-5-21-3845744863-2409227386-3211111987-5652 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[1] = S-1-5-21-3845744863-2409227386-3211111987-5656 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[2] = S-1-5-21-3845744863-2409227386-3211111987-3798 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[3] = S-1-5-21-3845744863-2409227386-3211111987-5655 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[4] = S-1-5-21-3845744863-2409227386-3211111987-5659 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[5] = S-1-5-21-3845744863-2409227386-3211111987-5653 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[6] = S-1-5-21-3845744863-2409227386-3211111987-5660 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[7] = S-1-5-21-3845744863-2409227386-3211111987-5663 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[8] = S-1-5-21-3845744863-2409227386-3211111987-5732 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[9] = S-1-5-21-3845744863-2409227386-3211111987-3722 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[10] = S-1-5-21-3845744863-2409227386-3211111987-5709 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[11] = S-1-5-21-3845744863-2409227386-3211111987-512 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[12] = S-1-5-21-3845744863-2409227386-3211111987-3823 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[13] = S-1-5-21-3845744863-2409227386-3211111987-5654 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[14] = S-1-5-21-3845744863-2409227386-3211111987-513 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[15] = S-1-5-21-3845744863-2409227386-3211111987-3665 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[16] = S-1-5-21-3845744863-2409227386-3211111987-3737 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[17] = S-1-5-21-3845744863-2409227386-3211111987-3754 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[18] = S-1-5-21-3845744863-2409227386-3211111987-5665 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[19] = S-1-5-21-3845744863-2409227386-3211111987-3715 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[20] = S-1-5-21-3845744863-2409227386-3211111987-5661 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[21] = S-1-5-21-3845744863-2409227386-3211111987-3812 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[22] = S-1-5-21-3845744863-2409227386-3211111987-572 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[23] = S-1-5-21-3845744863-2409227386-3211111987-3610 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[24] = S-1-5-21-3845744863-2409227386-3211111987-1182 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[25] = S-1-5-21-3845744863-2409227386-3211111987-1627 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[26] = S-1-5-21-3845744863-2409227386-3211111987-1630 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[27] = S-1-5-21-3845744863-2409227386-3211111987-1767 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[28] = S-1-5-21-3845744863-2409227386-3211111987-1628 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[29] = S-1-5-21-3845744863-2409227386-3211111987-2354 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[30] = S-1-5-21-3845744863-2409227386-3211111987-1625 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[31] = S-1-5-21-3845744863-2409227386-3211111987-1766 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[32] = S-1-5-21-3845744863-2409227386-3211111987-1768 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[33] = S-1-5-21-3845744863-2409227386-3211111987-3667 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[34] = S-1-5-21-3845744863-2409227386-3211111987-3759 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): group_sids[35] = S-1-5-11 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): POLICY DECISION: (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): access_granted = 1 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_check] (0x0400): access_denied = 0 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [ad_gpo_access_done] (0x0400): GPO-based access control successful. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_req_done] (0x0400): DP Request [PAM Account #3]: Request handler finished [0]: Success (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [_dp_req_recv] (0x0400): DP Request [PAM Account #3]: Receiving request data. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_req_destructor] (0x0400): DP Request [PAM Account #3]: Request removed. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_req_destructor] (0x0400): Number of active DP request: 0 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_method_enabled] (0x0400): Target selinux is not configured (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [child_sig_handler] (0x0100): child [4728] finished successfully. (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [dp_pam_handler] (0x0100): Got request with the following data (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): command: SSS_PAM_SETCRED (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): domain: SMALLBUSINESS.LAN (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): user: sweston(a)smallbusiness.lan (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): service: gdm-password (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): tty: /dev/tty2 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): ruser: (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): rhost: (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): authtok type: 0 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): newauthtok type: 0 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): priv: 1 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): cli_pid: 4714 (Tue Sep 12 17:21:24 2017) [sssd[be[SMALLBUSINESS.LAN]]] [pam_print_data] (0x0100): logon name: not set My config: [sssd] config_file_version = 2 reconnection_retries = 3 services = nss,pam domains = SMALLBUSINESS.LAN offline_timeout = 10 debug_level = 6 [nss] debug_level = 6 [pam] debug_level = 6 [domain/SMALLBUSINESS.LAN] debug_level = 6 access_provider = ad ad_domain = SMALLBUSINESS.LAN ad_gpo_access_control = permissive cache_credentials = True default_shell = /bin/bash fallback_homedir = /home/%u id_provider = ad krb5_store_password_if_offline = True ldap_id_mapping = True realmd_tags = manages-system joined-with-samba The offline_timeout line is a recent addition which doesn't seem to have helped. I guess my question is why I have to restart SSSD for it "realise" that it's back online. Ideally I would like it to get a kerberos ticket as soon as it comes online which I guess it should do with the krb5_store_password_if_offline option set? Thanks for all your help Sam

3 2

Fw: sssd email login performance
by Galen Johnson 06 Oct '17

06 Oct '17

Adding the list since Sumit appears to be busy. The info is anonymized so it should be ok. Hopefully, the gz file makes it through. =G=? ________________________________ From: Galen Johnson Sent: Thursday, September 21, 2017 5:36 PM To: Sumit Bose Cc: Philip Holman Subject: sssd email login performance Hi Sumit, I'm finally getting a chance to follow up on the email thread (of the same title) from the sssd list. We've seen some delays (multi-second) for auth requests when users use their email address versus their id. I've attached a tar file with several log files. Phil may need to explain the summary file if you have any questions about it. We are running Centos 7.4 now but I'm fairly certain that it's the same binaries as RHEL 7.4. These logs were taken while on 7.3. I noticed that sssd bumped to 1.15 with 7.4. Some outstanding questions we have are: 1. The cache appears to not be used for the email attribute. Why is this not used? 2. We're also curious why the ldap requests add 2 seconds when performing the same query from the command-line returns almost immediately. 3. Is it possible to have SSSD ignore the domain and just immediately look up the address? We see "is_email_from_domain" in the domain log (reflected in the nss log). We checked the man pages and nothing really jumped out as a config option. It should be noted that we also moved the sssd db cache to tmpfs (per a blog from Jakub). ? Thanks for any insight =G=? Phil's analysis follows: To wrap up, I took one more look at one of the very slow email logins to pull out a trace of what it was doing. The attached files are the log snippets with line breaks marking off the incoming requests to make it more clear what each module was servicing when. The summary.txt shows the summarized entry for the connection and also gives an abridged combined view of the logs marking where the 7 seconds appear to have gone. So this seemed enough info to share if we have the opportunity for a consult with someone. The short version is that 1 second roughly went to the bind that tests the user, but the other 6 appear to have likely been the result of interacting with local caches rather than the DCs. So that makes the cache files and related configuration look suspicious. It also makes more sense that our earlier checks (against logs or live tests) of the Exnet interactions have failed to show any latency issues on those step. Possibly the fiddling we've already done with the cache files and cache config resolved this, but it is probably still worth passing this along to someone knowledgeable who might be able to explain what about the setup likely made everything go sideways. Otherwise, we might be facing some kind of build-up pattern where it will always look rosy after a restart and gradually degrade over time as state builds up. It might also be a good idea to bounce and clear out sssd/pam state on the weekly restarts just to protect against any possible build-up (unless we want to intentionally avoid that for now to see if it does degrade over time).

3 13

how to call SSS_NSS_GETIDBYSID from other programs?
by James Ralston 05 Oct '17

05 Oct '17

I have a storage appliance that needs local passwd/group files loaded onto it, which need to match the entries we get by using sssd's ldap_id_mapping feature. So I need some way to enumerate or synthesize passwd/group entries, for every user/group object in our domain, using LDIF dumps from AD that includes all users/groups, along with their respective objectSid attributes. We know (from experience, and from discussion on this list) that enabling enumeration in sssd is problematic, so that's out. I could just issue individual getpwnam()/getgrnam() calls for every user/group object, and let sssd synthesize the entries. But this would require careful tuning of sssd's cache configuration options to avoid significant delays, and even then, this would pound our AD domain controllers with thousands and thousands of lookup requests every time we regenerate the synthesized passwd/group files (which will probably be hourly). From digging around in the sssd source code, I see that sssd has a SSS_NSS_GETIDBYSID API call that looks to be exactly what I need. But it's not clear to me whether that's a public or private API, and additionally, it looks like I'd be limited to C for my implementation, as I see no other language bindings for those functions. Has anyone already rolled (Python, Ruby, Perl, et. al.) bindings for sssd's API calls, specifically the ID-SID mapping calls? One potential option would be to just re-implement sssd's id mapping code in Python. I could "cheat" in our implementation, because I know that the only options that vary across our domains are (ldap_idmap_range_max, ldap_idmap_range_min, ldap_idmap_range_size). But re-implementation opens the door for a subtle error that would cause my mapping code to return different results from sssd in some corner cases, which I definitely don't want. So leveraging sssd's SSS_NSS_GETIDBYSID API call would be best… if that's possible. Another option would be to bypass the API and talk directly to the NSS responder via its listening socket, which is easy enough to do in other languages. But this would require me to speak the protocol exactly the way sssd expects, and any API changes would break my code. Thoughts? Suggestions?

3 6

SSSD + database
by Galen Johnson 24 Sep '17

24 Sep '17

Hey, Pretty sure the answer is no but there are some packages that allow you to set up your systems to use a database as the provider for nss and pam (libnss_mysql, libpam_mysql)...does sssd support this configuration? thx =G=

3 2

[SSSD] Announcing ding-libs 0.6.1
by Michal Židek 23 Sep '17

23 Sep '17

A new version of ding-libs (0.6.1) was released today! ding-libs, or "Ding is not GLib" is a a set of helpful libraries used by projects such as SSSD or gss-proxy. The tarball can be downloaded from: https://releases.pagure.org/SSSD/ding-libs/ MD5 sum is: 141ffba92d7703b7efc2595971305de7 == Highlights == * libini: Length of values in INI files is no longer limited to PATH_MAX. The current limit is the amount of memory getline is able to allocate. == Note for distribution packagers == * API and ABI is backward compatible with last release (0.6.0) == Detailed Changelog == Alexander Scheel (8): Fix build with TRACE_LEVEL Document use of basic regex in ini_config_augment INI: Fix ini_config parsing SEGVs INI: Tests for section/key name collisions INI: Prevent null return_cfg during augment INI: Add INI_MS_DETECT merge notifications INI: Extend INI_MS_DETECT to be non-exclusive INI: Test INI_MS_DETECT non-exclusive behavior Lukas Slebodnik (10): BUILD: Fix linking of ini_augment_ut_check INI: Fix usage of buiddir in ini_augment_ut_check INI: Fix memory leaks in unit test test_ini_augment_empty_dir DHASH: Suppress gcc7 warning INI: Fix warning Walloc-size-larger-than Do not define _GNU_SOURCE COLLECTION: Remove unused macros INI: Fix doxygen comment for ini_errobj_create COLLECTION: Fix misused comma DHASH: Do not use c99 structure initialisation Michal Židek (9): ini_augment: Use full path when reporting pattern mismatch DHASH: Add check based unit test GIT: Add commit template INI: Unit test for augmentation with empty dir INI: do not use readdir_r INI: Allow longer values then PATH_MAX INI: Add test for long values Bump version info Update versions before 0.6.1 release Philip Prindeville (1): DHASH: Add new key type HASH_KEY_CONST_STRING

1 0

sssd, Ubuntu 14.04, can't see users in trusted domains within same forest
by Jeff Silverman 17 Sep '17

17 Sep '17

Hi! Please help. Everything I've read has stated that this should work, but it does not. On ubuntu, that is. I set up a Centos 7 box and this *did* work. I've tried this on * Ubuntu 14.04 with sssd 1.11.8 (from the default Ubuntu 14.04 repos) -- didn't work * Ubuntu 14.04 with sssd 1.13.4 (from a PPA) -- also didn't work * Centos 7 with sssd 1.14.0 -- This worked! * Ubuntu 16.04 with sssd 1.13.4 -- this did not work *Description* I have two Active Directory domains in the same forest. * Domain "CORP" * Domain "QA" I have 2-way trusts set up between the domains. "Real users" are all in CORP Authorization into QA is handled with AD Universal Groups, but I don't think that's relevant here (especially since what I want to work does work on Centos 7+sssd) I have an Ubuntu 14.04 box set up which I joined to domain "QA" via realmd. here's the actual command I used realm join \ --install=/ \ --verbose \ --user=jsilverman(a)CORP.EXAMPLE.COM \ --client-software=sssd \ --membership-software=adcli \ --computer-ou="OU=Linux,OU=Servers,DC=qa,DC=example,DC=com" \ QA.EXAMPLE.COM Running this command, realmd * creates a kerberos keytab * sets up sssd.conf * adds the computer to the OU specified in QA.EXAMPLE.COM I then went in and added another domain to sssd.conf to configure CORP. When done, I have the following config files: ** File /etc/sssd.conf **: [sssd] domains = qa.example.com config_file_version = 2 services = nss, pam [domain/qa.example.com] ad_domain = qa.example.com krb5_realm = QA.EXAMPLE.COM realmd_tags = manages-system joined-with-adcli cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = True use_fully_qualified_names = False fallback_homedir = /srv/home/%u access_provider = ad enumerate = True [domain/corp.example.com] ad_domain = corp.example.com krb5_realm = CORP.EXAMPLE.COM realmd_tags = manages-system joined-with-adcli cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = True use_fully_qualified_names = False fallback_homedir = /srv/home/%u access_provider = ad enumerate = True ** File /etc/krb5.conf **: [libdefaults] default_realm = QA.EXAMPLE.COM [realms] QA.EXAMPLE.COM = { kdc = qadc01a.example.com kdc = qadc01b.example.com admin_server = qadc01a.example.com } CORP.EXAMPLE.COM = { kdc = corpdc01a.it.example.com kdc = corpdc01b.it.example.com admin_server = corpdc01a.it.example.com } [domain_realm] .qa.example.com = QA.EXAMPLE.COM qa.example.com = QA.EXAMPLE.COM .corp.example.com = CORP.EXAMPLE.COM corp.example.com = CORP.EXAMPLE.COM ** File /etc/realmd.conf **: [service] automatic-install = no [users] default-home = /srv/home/%U default-shell = /bin/bash [qa.example.com] computer-ou = OU=Servers,OU=Linux,DC=qa,DC=example,DC=com automatic-id-mapping = yes fully-qualified-names = no [corp.example.com] automatic-id-mapping = yes fully-qualified-names = no Finally, when I do all this on Centos 7, I am able to find users in both domains, and I'm able to authenticate as those users from both domains. Example , *on Centos 7*: # getent passwd jsilverman(a)corp.example.com jsilverman@corp.example.com:*:363201124:363201124:Jeff Silverman:/srv/home/jsilverman:/bin/bash # getent passwd qatestadmin qatestadmin:*:277401105:277400513:QA Test Admin:/srv/home/qatestadmin:/bin/bash # getent passwd qatestadmin(a)qa.example.com qatestadmin:*:277401105:277400513:QA Test Admin:/srv/home/qatestadmin:/bin/bash HOWEVER, when I do all this on Ubuntu 14.04, OR on Ubuntu 16.04, I can only see users from the QA domain. # getent passwd jsilverman(a)corp.example.com ## (Note: there is no output from this command) # getent passwd qatestadmin qatestadmin:*:277401105:277400513:QA Test Admin:/srv/home/qatestadmin:/bin/bash # getent passwd qatestadmin(a)qa.example.com qatestadmin:*:277401105:277400513:QA Test Admin:/srv/home/qatestadmin:/bin/bash Please advise!

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

sssd-users September 2017