On Fri, Mar 29, 2013 at 12:11:42PM +0000, Rowland Penny wrote:
On 29/03/13 11:21, Jakub Hrozek wrote:
>On Thu, Mar 28, 2013 at 09:22:32PM +0000, Rowland Penny wrote:
>>Hello, I am trying to use sssd instead of winbind against a samba 4
>>AD server. After looking around the internet, I have got to the
>>point where I can get a domain users info with 'getent passwd
>><domainuser>' and 'id <domainuser>'. I can also create a directory
>>and chmod it <domainuser>:users, what I cannot do is log in to the
>>computer through ssh or the login GUI on the computer. This is on
>>Linux Mint 14 using sssd 1.9.1.
>>
>>Does anybody have any idea why sssd seems to work but fails in a
>>very important way?
>Can you paste or attach tail of /var/log/secure, your (sanitized)
>sssd.conf and the relevant portion of /var/log/sssd/sssd_$domain.log
>after raising debug_level to 6 or higher in the domain section?
>_______________________________________________
>sssd-users mailing list
>sssd-users@lists.fedorahosted.org
>https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>
OK, as requested here are the three files. Sorry but the domain
logfile is a bit large.
No problem.
getent passwd testuser
testuser:*:3000016:100:testuser:/home/HOME/testuser:/bin/bash
id testuser
uid=3000016(testuser) gid=100(users) groups=100(users)
but testuser cannot log in via ssh or the login gui
/var/log/auth.log
^^ thanks, I always forget what the file is called on Debian derivatives.
Mar 29 11:27:23 mint-VirtualBox mdm[1061]: pam_sss(mdm:auth):
received for user testuser: 9 (Authentication service cannot
retrieve authentication info)
Looks like SSSD couldn't connect to the authentication server.
/etc/sssd/sssd.conf
[sssd]
#debug_level = 3
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
domains = DOMAIN
services = nss, pam
[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system
# accounts that are always going to be /etc/passwd users, or that you
# want to filter out).
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
[domain/DOMAIN]
description = LDAP domain with AD server
debug_level = 9
cache_credentials = true
enumerate = False
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
# Uncomment if service discovery is not working
ldap_uri = ldap://adserver.domain.lan/
# Define these only if anonymous binds are not allowed and no keytab
# is available
ldap_default_bind_dn = CN=Administrator,CN=Users,DC=domain,DC=lan
ldap_default_authtok_type = password
ldap_default_authtok = P4$$w0rd*
ldap_schema = rfc2307bis
ldap_search_base = dc=domain,dc=lan
# It looks like the ?sub?search notation is also accepted:
# http://sgallagh.wordpress.com/2011/12/22/sssd-tips-and-tricks-vol-2-ldap/
#ldap_user_search_base = cn=Users,dc=domain,dc=lan?sub?uid=*
ldap_user_search_base = cn=Users,dc=domain,dc=lan
ldap_user_object_class = person
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_user_gecos = displayName
ldap_user_uuid = objectGUID
ldap_user_modify_timestamp = whenChanged
ldap_group_search_base = dc=domain,dc=lan
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_uuid = objectGUID
ldap_group_modify_timestamp = whenChanged
ldap_group_nesting_level = 2
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = True
ldap_pwd_policy = none
#krb5_server = domain.lan
Did you comment out krb5_server in order to use service discovery on
purpose? It's a valid use case, just checking if it was the intent.
krb5_realm = DOMAIN.LAN
dns_discovery_domain = domain.lan
# Probably required with sssd 1.8.x and newer
krb5_canonicalize = false
# Uncomment if using SASL/GSSAPI to bind and a valid /etc/krb5.keytab exists
#ldap_sasl_mech = GSSAPI
# Uncomment and adjust if the default principal host/fqdn@REALM is
# not available
#ldap_sasl_authid=MINT-VIRTUALBOX$@DOMAIN.LAN
/var/log/sssd/sssd_DOMAIN.log
<snip first part of the log>
Here comes the account request...
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [be_get_account_info]
(0x0100): Got request for [4099][1][name=mdm]
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]]
[sdap_id_op_connect_step] (0x4000): beginning to connect
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [get_server_status]
(0x1000): Status of server 'adserver.domain.lan' is 'name not
resolved'
..sssd begins to connect..
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [get_port_status]
(0x1000): Port status of port 389 for server 'adserver.domain.lan'
is 'neutral'
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]]
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set
to 10 seconds
...triggers name resolution..
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [get_server_status]
(0x1000): Status of server 'adserver.domain.lan' is 'name not
resolved'
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [resolv_is_address]
(0x4000): [adserver.domain.lan] does not look like an IP address
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]]
[resolv_gethostbyname_step] (0x2000): Querying files
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]]
[resolv_gethostbyname_files_send] (0x0100): Trying to resolve A
record of 'adserver.domain.lan' in files
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]]
[set_server_common_status] (0x0100): Marking server
'adserver.domain.lan' as 'resolving name'
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]]
[resolv_gethostbyname_step] (0x2000): Querying files
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]]
[resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA
record of 'adserver.domain.lan' in files
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]]
[resolv_gethostbyname_next] (0x0200): No more address families to
retry
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]]
[resolv_gethostbyname_step] (0x2000): Querying DNS
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]]
[resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A
record of 'adserver.domain.lan' in DNS
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]]
[schedule_request_timeout] (0x2000): Scheduling a timeout of 5
seconds
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]]
[schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]]
[unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout
watcher
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]]
[request_watch_destructor] (0x0400): Deleting request watch
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]]
[resolv_gethostbyname_done] (0x0040): querying hosts database failed
[5]: Input/output error
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]]
[fo_resolve_service_done] (0x0020): Failed to resolve server
'adserver.domain.lan': Could not contact DNS servers
And fails because the underlying resolver library cannot contact DNS
servers.
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]]
[set_server_common_status] (0x0100): Marking server
'adserver.domain.lan' as 'not working'
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]]
[be_resolve_server_process] (0x0080): Couldn't resolve server
(adserver.domain.lan), resolver returned (5)
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]]
[be_resolve_server_process] (0x1000): Trying with the next one!
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [get_server_status]
(0x1000): Status of server 'adserver.domain.lan' is 'not working'
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [get_server_status]
(0x1000): Status of server 'adserver.domain.lan' is 'not working'
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]]
[fo_resolve_service_send] (0x0020): No available servers for service
'LDAP'
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]]
[be_resolve_server_done] (0x1000): Server resolution failed: 5
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]]
[sdap_id_op_connect_done] (0x0020): Failed to connect, going offline
(5 [Input/output error])
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [be_mark_offline]
(0x2000): Going offline!
As a result of failed DNS resolution, the sssd goes offline.
Later in the logfiles I see that the SSSD succeeded in connecting to the
LDAP server, but the only authentication request captured in the logs
is:
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [krb5_pam_handler]
(0x1000): Wait queue of user [testuser] is empty, running request
immediately.
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [ldb] (0x4000):
tevent: Added timed event "ltdb_callback": 0x99a7ae0
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [ldb] (0x4000):
tevent: Added timed event "ltdb_timeout": 0x99a7ba8
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [ldb] (0x4000):
tevent: Destroying timer event 0x99a7ba8 "ltdb_timeout"
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [ldb] (0x4000):
tevent: Ending timer event 0x99a7ae0 "ltdb_callback"
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [krb5_auth_send]
(0x0100): No ccache file for user [testuser] found.
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [krb5_auth_send]
(0x4000): Ccache_file is [not set] and is not active and TGT is not
valid.
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service
'KERBEROS'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [get_port_status]
(0x1000): Port status of port 0 for server '(no name)' is 'neutral'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]]
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set
to 10 seconds
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_send]
(0x0200): The status of SRV lookup is neutral
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_send]
(0x0400): SRV resolution of service 'KERBEROS'. Will use DNS
discovery domain 'domain.lan'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_cont]
(0x0100): Searching for servers via SRV query
'_KERBEROS._udp.domain.lan'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolv_getsrv_send]
(0x0100): Trying to resolve SRV record of
'_KERBEROS._udp.domain.lan'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]]
[schedule_request_timeout] (0x2000): Scheduling a timeout of 5
seconds
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]]
[schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]]
[unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout
watcher
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]]
[request_watch_destructor] (0x0400): Deleting request watch
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_done]
(0x0020): SRV query failed: [Could not contact DNS servers]
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [fo_set_port_status]
(0x0100): Marking port 0 of server '(no name)' as 'not working'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [set_srv_data_status]
(0x0100): Marking SRV lookup of service 'KERBEROS' as 'not resolved'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]]
[be_resolve_server_process] (0x0080): Couldn't resolve server (SRV
lookup meta-server), resolver returned (5)
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]]
[be_resolve_server_process] (0x1000): Trying with the next one!
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service
'KERBEROS'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [get_port_status]
(0x1000): Port status of port 0 for server '(no name)' is 'neutral'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]]
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set
to 10 seconds
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_send]
(0x0200): The status of SRV lookup is neutral
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_send]
(0x0400): SRV resolution of service 'KERBEROS'. Will use DNS
discovery domain 'domain.lan'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_cont]
(0x0100): Searching for servers via SRV query
'_KERBEROS._tcp.domain.lan'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolv_getsrv_send]
(0x0100): Trying to resolve SRV record of
'_KERBEROS._tcp.domain.lan'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]]
[schedule_request_timeout] (0x2000): Scheduling a timeout of 5
seconds
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]]
[schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]]
[unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout
watcher
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]]
[request_watch_destructor] (0x0400): Deleting request watch
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_done]
(0x0020): SRV query failed: [Could not contact DNS servers]
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [fo_set_port_status]
(0x0100): Marking port 0 of server '(no name)' as 'not working'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [set_srv_data_status]
(0x0100): Marking SRV lookup of service 'KERBEROS' as 'not resolved'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]]
[be_resolve_server_process] (0x0080): Couldn't resolve server (SRV
lookup meta-server), resolver returned (5)
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]]
[be_resolve_server_process] (0x1000): Trying with the next one!
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service
'KERBEROS'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [get_port_status]
(0x1000): Port status of port 0 for server '(no name)' is 'not
working'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [get_port_status]
(0x1000): Port status of port 0 for server '(no name)' is 'not
working'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]]
[fo_resolve_service_send] (0x0020): No available servers for service
'KERBEROS'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]]
[be_resolve_server_done] (0x1000): Server resolution failed: 5
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [be_mark_offline]
(0x2000): Going offline!
^^ Which fails after the service resolution via DNS failed.
Does authentication work if you set krb5_server to adserver.domain.lan?
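As an added example (not part of this thread or of SSSD itself), a small Python triage of the back end log quoted above: it parses unwrapped sssd_DOMAIN.log lines and reports which server names and SRV queries could not be resolved, whether the underlying cause was the resolver being unable to reach any DNS server, and how many times the back end went offline. The sample log is constructed from the lines in this thread with the mail wrapping undone.

```python
import re

# One unwrapped sssd back end log line has the shape:
# (timestamp) [sssd[be[DOMAIN]]] [function] (0xlevel): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
                     r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")

# Constructed sample modelled on the log in this thread, mail wrapping undone.
SAMPLE_LOG = """\
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_done] (0x0020): Failed to resolve server 'adserver.domain.lan': Could not contact DNS servers
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [be_mark_offline] (0x2000): Going offline!
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_KERBEROS._udp.domain.lan'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_done] (0x0020): SRV query failed: [Could not contact DNS servers]
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_KERBEROS._tcp.domain.lan'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_done] (0x0020): SRV query failed: [Could not contact DNS servers]
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [be_mark_offline] (0x2000): Going offline!
"""

def parse(log_text):
    """Yield one dict per line that matches the sssd log format; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def triage_offline(log_text):
    """Explain an offline transition: which server names and SRV queries
    failed, and whether the resolver itself could not reach a DNS server."""
    report = {"unresolved_servers": [], "failed_srv_queries": [],
              "dns_unreachable": False, "offline_events": 0}
    pending_srv = None  # SRV name announced by resolve_srv_cont, awaiting its result
    for ev in parse(log_text):
        func, msg = ev["func"], ev["msg"]
        if func == "resolve_srv_cont":
            m = re.search(r"SRV query '([^']+)'", msg)
            pending_srv = m.group(1) if m else None
        elif func == "resolve_srv_done" and "failed" in msg and pending_srv:
            report["failed_srv_queries"].append(pending_srv)
            pending_srv = None
        elif func == "fo_resolve_service_done" and msg.startswith("Failed to resolve server"):
            m = re.search(r"server '([^']+)'", msg)
            if m:
                report["unresolved_servers"].append(m.group(1))
        elif func == "be_mark_offline":
            report["offline_events"] += 1
        if "Could not contact DNS servers" in msg:
            report["dns_unreachable"] = True
    return report
```

Run `triage_offline(open("/var/log/sssd/sssd_DOMAIN.log").read())` against a real log with debug_level 9; if `dns_unreachable` is set, fix /etc/resolv.conf on the client before touching the sssd.conf server settings.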