Hello Sumit,

Please find attached the trace as requested.

I use Debian 8 with SerNet Samba 4, backend bind_DLZ. POSIX attributes are active and working.

Regarding SSSD:

It's running on the latest CentOS 7. Here are the packages:

[root@gtwdcsmb ~]# rpm -qa | grep -E "sssd|realm"
sssd-client-1.13.0-40.el7_2.2.x86_64
sssd-common-pac-1.13.0-40.el7_2.2.x86_64
sssd-krb5-1.13.0-40.el7_2.2.x86_64
sssd-debuginfo-1.13.0-40.el7_2.2.x86_64
python-sssdconfig-1.13.0-40.el7_2.2.noarch
sssd-krb5-common-1.13.0-40.el7_2.2.x86_64
sssd-ipa-1.13.0-40.el7_2.2.x86_64
sssd-ldap-1.13.0-40.el7_2.2.x86_64
sssd-proxy-1.13.0-40.el7_2.2.x86_64
realmd-0.16.1-5.el7.x86_64
sssd-common-1.13.0-40.el7_2.2.x86_64
sssd-ad-1.13.0-40.el7_2.2.x86_64
sssd-1.13.0-40.el7_2.2.x86_64


Also, regarding sssd, DNS registration (forward and reverse) and the registration of the computer in a specific OU with realm are working when sssd is starting, or when a machine is joining the domain.

Currently, authentication is working but the GPOs are not applied / called. Same as previously: gpo_child.log is not growing and the GPO does not seem to be called...

I hope the trace will help you to identify the source of the problem.

As I mentioned earlier, as a test, I also set up a POC with Windows 2012 as DC. SSSD is working without problems, GPO too.

If you need anything else please let me know, and thanks for your help.



On Thu, Apr 21, 2016 at 1:41 PM, Rolla Matthieu <rolla.matthieu@gmail.com> wrote:
No, not with Samba 4. Will try now, but not sure what's the benefit of it.


On Thursday, 21 April 2016, Sumit Bose <sbose@redhat.com> wrote:
On Thu, Apr 21, 2016 at 08:28:21AM +0200, Rolla Matthieu wrote:
> Solved.

Everything?

bye,
Sumit

>
> On Thu, Apr 21, 2016 at 7:16 AM, Rolla Matthieu <rolla.matthieu@gmail.com>
> wrote:
>
> > Hello,
> >
> > I use Debian jessie with the testing package for sssd as I did not find a
> > version in the backports above 1.12, as I need the GPO functionality.
> >
> > The debuginfo seems to be available only with RPM.
> >
> > However, I configured a 2012 DC and got other issues, some that I could fix
> > but I got a similar situation with the GPO.
> >
> > I decided to install a CentOS 7 with sssd and the GPOs are working fine.
> > I will give it a try and build a VM with a new DC with Samba 4. Maybe it will
> > be better with the CentOS 7.
> >
> > Just one question, I can authenticate with user@domain, is there a way to
> > omit the suffix ( @domain ) ?
> >
> >
> >
> > Thanks in advance.
> >
> >
> > On Wed, Apr 20, 2016 at 5:43 PM, Sumit Bose <sbose@redhat.com> wrote:
> >
> >> On Wed, Apr 20, 2016 at 03:54:46PM +0200, Rolla Matthieu wrote:
> >> > Hello,
> >> >
> >> > I think the problem comes from my DC and the GPO part. I can install a
> >>
> >> That's what I'm thinking too. But I expect that the response from your DC
> >> is valid but unexpected by SSSD. So it would be good to see what data
> >> the DC returned which SSSD failed to parse. The gdb steps below should
> >> show this data. If you prefer to just run a test build with additional
> >> debug output please let me know which version you currently use.
> >>
> >> > windows DC to perform test, would you recommend 2008 or 2012 ?
> >>
> >> I think it is not necessary to perform additional tests here.
> >>
> >> bye,
> >> Sumit
> >>
> >> >
> >> > Thanks in advance.
> >> >
> >> > On Wed, Apr 20, 2016 at 1:39 PM, Sumit Bose <sbose@redhat.com> wrote:
> >> >
> >> > > On Wed, Apr 20, 2016 at 12:11:05PM +0200, Rolla Matthieu wrote:
> >> > > > Hello,
> >> > > >
> >> > > > Thank you for your answer. The file gpo_child is empty :
> >> > > >
> >> > > > root@gtw-template:/var/log/sssd# ls -ltr
> >> > > > total 14656
> >> > > > -rw------- 1 root root        0 Apr 19 21:44 gpo_child.log
> >> > > > -rw------- 1 root root     3050 Apr 19 23:16 sssd_pam.log
> >> > > > -rw------- 1 root root     3050 Apr 19 23:16 sssd_nss.log
> >> > > > -rw------- 1 root root    21970 Apr 19 23:22 sssd.log
> >> > > > -rw------- 1 root root    49771 Apr 19 23:22 ldap_child.log
> >> > > > -rw------- 1 root root   112878 Apr 19 23:22 krb5_child.log
> >> > > > -rw------- 1 root root 14800060 Apr 20 00:33 sssd_hq.mydc.com.log
> >> > > >
> >> > > > Do you want me to attach another one ?
> >> > >
> >> > > No, I just realized that the error happens even before the child is
> >> > > called. It looks like some unexpected data is received.
> >> > >
> >> > > I wonder if you can try the following using gdb after installing the
> >> sssd
> >> > > debuginfo file?
> >> > >
> >> > >     gdb -p $(pidof sssd_be)
> >> > >     (gdb) break ad_gpo_parse_machine_ext_names
> >> > >     (gdb) continue
> >> > >
> >> > > try to authenticate while keeping gdb running, whenever gdb shows the
> >> > > prompt again please type
> >> > >
> >> > >     (gdb) bt full
> >> > >     (gdb) continue
> >> > >
> >> > > until the authentication finally fails. Please send me the gdb output.
> >> > >
> >> > > If this won't work for you I can try to prepare an instrumented build
> >> > > for you which writes the needed data into the logs. For this I need to
> >> > > know the exact version of the SSSD package you are using.
> >> > >
> >> > > bye,
> >> > > Sumit
> >> > >
> >> > > >
> >> > > > Thank you in advance.
> >> > >
> >> > > > _______________________________________________
> >> > > > sssd-users mailing list
> >> > > > sssd-users@lists.fedorahosted.org
> >> > > >
> >> > >
> >> https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
> >> > >
> >>
> >>
> >
> >

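The gdb session requested earlier in the thread can be run unattended, so that every hit of the breakpoint is logged without typing `bt full` and `continue` by hand. This is an added example, not part of the original messages; the file names under /root and the `attach` argument are assumptions.

```shell
#!/bin/sh
# Added example: scripted form of the gdb steps quoted in the thread.

# Write a gdb command file that logs a full backtrace on every hit of
# ad_gpo_parse_machine_ext_names and then resumes the process.
write_gdb_commands() {
    cmds=$1
    log=$2
    cat > "$cmds" <<EOF
set pagination off
set logging file $log
set logging on
break ad_gpo_parse_machine_ext_names
commands
bt full
continue
end
continue
EOF
}

# pidof prints one PID per running sssd_be (one per configured domain).
# Accept the list only if it names exactly one process.
pick_backend_pid() {
    pids=$1
    set -- $pids
    [ "$#" -eq 1 ] || return 1
    echo "$1"
}

# Run as: sh gpo-trace.sh attach   (as root, with sssd debuginfo installed)
if [ "${1:-}" = "attach" ]; then
    # "bt full" dumps local variables of the backend process, which can
    # include directory data; keep the log readable by root only.
    umask 077
    pid=$(pick_backend_pid "$(pidof sssd_be)") || {
        echo "expected exactly one sssd_be process" >&2
        exit 1
    }
    write_gdb_commands /root/gpo-bt.gdb /root/gpo-bt.log
    # Authenticate from another terminal; press Ctrl-C and type "quit"
    # in gdb once the login attempt has finished.
    gdb -p "$pid" -x /root/gpo-bt.gdb
fi
```

Review the resulting log for hostnames, user names and other directory data before attaching it to a public list post.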