Hello,
Thank you for your kind help.
I could not see it (successful subdomain discovery) in the logs.
It seems the subdomains were forced to be set to null.
<< log part 1 >>
[sssd[be[labsso]]] [client_registration] (0x0100): Cancel DP ID
timeout [0x1acb120]
[sssd[be[labsso]]] [client_registration] (0x0100): Added Frontend client [PAM]
[sssd[be[labsso]]] [be_get_subdomains] (0x0400): Got get subdomains [forced][]
[sssd[be[labsso]]] [fo_resolve_service_send] (0x0100): Trying to
resolve service 'AD'
[sssd[be[labsso]]] [get_server_status] (0x1000): Status of server
'jpbw0-in00-is82.labsso.labroot.isops.example.com' is 'name not
resolved'
[sssd[be[labsso]]] [get_port_status] (0x1000): Port status of port 0
for server 'jpbw0-in00-is82.labsso.labroot.isops.example.com' is
'neutral'
[sssd[be[labsso]]] [get_server_status] (0x1000): Status of server
'jpbw0-in00-is82.labsso.labroot.isops.example.com' is 'name not
resolved'
[sssd[be[labsso]]] [resolv_gethostbyname_files_send] (0x0100): Trying
to resolve A record of
'jpbw0-in00-is82.labsso.labroot.isops.example.com' in files
[sssd[be[labsso]]] [set_server_common_status] (0x0100): Marking server
'jpbw0-in00-is82.labsso.labroot.isops.example.com' as 'resolving name'
[sssd[be[labsso]]] [resolv_gethostbyname_files_send] (0x0100): Trying
to resolve AAAA record of
'jpbw0-in00-is82.labsso.labroot.isops.example.com' in files
[sssd[be[labsso]]] [resolv_gethostbyname_next] (0x0200): No more
address families to retry
[sssd[be[labsso]]] [resolv_gethostbyname_dns_query] (0x0100): Trying
to resolve A record of
'jpbw0-in00-is82.labsso.labroot.isops.example.com' in DNS
<< end log part 1 >>
I also found an error (malformed search filter) when searching
trustedDomain with "cn=(null)".
<< log part 2 >>
[sssd[be[labsso]]] [fo_set_port_status] (0x0400): Marking port 0 of
duplicate server 'jpbw0-in00-is82.labsso.labroot.isops.example.com' as
'working'
[sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x0400): calling
ldap_search_ext with
[objectclass=domain][DC=labsso,DC=labroot,DC=isops,DC=example,DC=com].
[sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x1000): Requesting
attrs: [objectSID]
[sssd[be[labsso]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
[sssd[be[labsso]]] [sdap_get_generic_ext_done] (0x0400): Search
result: Success(0), no errmsg set
[sssd[be[labsso]]] [ad_master_domain_next_done] (0x0400): Found SID
[S-1-5-21-1401708884-2744904820-804000056].
[sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x0400): calling
ldap_search_ext with [(&(DnsDomain=LABSSO)(NtVer=\14\00\00\00))][].
[sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x1000): Requesting
attrs: [netlogon]
[sssd[be[labsso]]] [sdap_get_generic_ext_done] (0x0400): Search
result: Success(0), no errmsg set
[sssd[be[labsso]]] [ad_master_domain_netlogon_done] (0x0080): No
netlogon data available. Flat name might not be usable
[sssd[be[labsso]]] [ad_subdomains_master_dom_done] (0x0400): SSSD
needs to look up the forest root domain
[sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x0400): calling
ldap_search_ext with
[(&(objectclass=trustedDomain)(trustType=2)(!(msDS-TrustForestTrustInfo=*))(cn=(null)))][DC=labsso,DC=labroot,DC=isops,DC=example,DC=com].
[sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x1000): Requesting
attrs: [flatName]
[sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x1000): Requesting
attrs: [trustPartner]
[sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x1000): Requesting
attrs: [securityIdentifier]
[sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x1000): Requesting
attrs: [trustType]
[sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x1000): Requesting
attrs: [trustAttributes]
[sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x0080):
ldap_search_ext failed: Bad search filter
[sssd[be[labsso]]] [sdap_get_generic_done] (0x0100):
sdap_get_generic_ext_recv failed [1432158235]: Malformed search filter
[sssd[be[labsso]]] [ad_subdomains_get_root_domain_done] (0x0040):
sdap_get_generic_send request failed.
[sssd[be[labsso]]] [get_subdomains_callback] (0x0400): Backend
returned: (3, 1432158235, <NULL>) [Internal Error (Unknown PAM error)]
[sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x0400): calling
ldap_search_ext with
[objectclass=domain][DC=labsso,DC=labroot,DC=isops,DC=example,DC=com].
[sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x1000): Requesting
attrs: [objectSID]
[sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider
- DP error code: 3 errno: 1432158235 error message: Internal Error
(Unknown PAM error)
[sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for
[0x40cf30:domains@labbu]
[sssd[pam]] [sss_dp_get_domains_msg] (0x0400): Sending get domains
request for [labbu][forced][]
[sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request
[0x40cf30:domains@labbu]
[sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request:
[0x40cf30:domains@labsso]
[sssd[be[labbu]]] [be_get_subdomains] (0x0400): Got get subdomains [forced][]
[sssd[be[labbu]]] [fo_resolve_service_send] (0x0100): Trying to
resolve service 'AD'
<< end of log part 2 >>
Have I missed something in the subdomain configuration on the AD side?
# I can see the correct hierarchy (labroot -> labsso -> labbu) through
"Active Directory Domains and Trusts" on Windows.
Could you kindly tell me how to check the subdomain configuration on the AD side?
Also, how does the sssd AD provider discover subdomains?
Thank you for your kind support.
Shoji
2014-08-04 21:55 GMT+09:00 Jakub Hrozek <jhrozek(a)redhat.com>:
On Fri, Aug 01, 2014 at 08:20:16PM +0900, 杉山昌治 wrote:
> Hello Jakub,
>
> 2014-07-31 18:02 GMT+09:00 Jakub Hrozek <jhrozek(a)redhat.com>:
> > On Wed, Jul 30, 2014 at 01:18:40PM +0900, 杉山昌治 wrote:
> >> Hello Jakub,
> >>
> >> Thank you for your quick reply and explanation.
> >> I understand the domain local group defined in the sub-domain
> >> (LABBU=labbu.sso.example.com) is not able to be a group for a user who
> >> enrolled
> >> So, I created a new universal group (U-Role-Labbu-Test) in the LABBU
> >> domain and assigned "U-Role-ISOps-Server" (in LABSSO domain) as a
> >> member.
> >> Through Windows server, I can see "U-Role-Labbu-Test (LABBU)" in the
> >> "Member Of" tab of the "U-Role-ISOps-Server (LABSSO)" group.
> >> So I believed I could get the new group information through the LABSSO
> >> domain server.
> >>
> >> User/Groups in Domain sso.example.com
> >> ========================
> >> User test_user (MemberOf=G-Group-Server)
> >> Group G-Role-ISOps-Server (Type: Global Group,
> >> Members=test_user,MemberOf=U-Role-ISOps-Server)
> >> Group U-Role-ISOps-Server (Type: Universal
> >> Group,Members=G-Role-ISOps-Server,MemberOf=U-Role-Labbu-Test)
> >>
> >> User/Groups in Domain labbu.sso.example.com
> >> ========================
> >> Group D-Role-ISOps-Server (Type: Domain Local
> >> Group,Members=U-Role-ISOps-Server)
> >> Group U-Role-Labbu-Test (Type: Universal
> >> Group,Members=U-Role-ISOps-Server)
> >
> > OK, but which domain is the client enrolled with? You'll only see
> > domain-local groups of the same domain. If your client is enrolled with
> > labbu.sso.example.com then I would expect to see the group, if it's
> > enrolled with sso.example.com then I don't think you would be listed as
> > a group member..
>
> Yes, the client is enrolled with "labbu.sso.example.com".
> So the domain local group should not be listed.
>
> >
> >>
> >> I also confirmed the "MemberOf" attribute is set.
> >>
> >> << ldapsearch result >>
> >> [root@jpbl0-in00-is11 ~]# ldapsearch -Y GSSAPI -LLL -H
> >> "ldap://jpbw0-in00-is82.labsso.labroot.isops.example.com:3268" -b
> >> "DC=labsso,DC=labroot,DC=isops,DC=example,DC=com"
> >> "(&(name=u-role-isops-server)(objectclass=group)(name=*))"
> >>
> >> SASL/GSSAPI authentication started
> >> SASL username: host/jpbl0-in00-is11.lab.isops.example.com(a)LABSSO.LABROOT.ISOPS.EXAMPLE.COM
> >> SASL SSF: 56
> >> SASL data security layer installed.
> >> dn: CN=U-Role-ISOps-Server,OU=UGroups,OU=BU0-ISOps,OU=Roles,DC=labsso,DC=labroot,DC=isops,DC=example,DC=com
> >> objectClass: top
> >> objectClass: group
> >> cn: U-Role-ISOps-Server
> >> description: Server Team in Troy's Org
> >> member: CN=G-Role-ISOps-Server,OU=BU0-ISOps,OU=Roles,DC=labsso,DC=labroot,DC=isops,DC=example,DC=com
> >> distinguishedName: CN=U-Role-ISOps-Server,OU=UGroups,OU=BU0-ISOps,OU=Roles,DC=labsso,DC=labroot,DC=isops,DC=example,DC=com
> >> instanceType: 4
> >> whenCreated: 20131029182314.0Z
> >> whenChanged: 20140709064747.0Z
> >> uSNCreated: 17692
> >> memberOf: CN=U-Role-Labbu-Test,OU=BU0-ISOps,OU=Roles,DC=labbu,DC=labsso,DC=labroot,DC=isops,DC=example,DC=com
> >> uSNChanged: 4548023
> >> name: U-Role-ISOps-Server
> >> objectGUID:: RQlz+uYst0mHr6qbRRXZ+A==
> >> objectSid:: AQUAAAAAAAUVAAAAVGGMU3Tsm6M4EewvXgQAAA==
> >> sAMAccountName: U-Role-ISOps-Server
> >> sAMAccountType: 268435456
> >> groupType: -2147483640
> >> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=labroot,DC=isops,DC=example,DC=com
> >> dSCorePropagationData: 16010101000000.0Z
> >>
> >> Then I modified sssd.config to only use the "LABSSO" domain and tried to
> >> retrieve group information of "U-Role-Labbu-Test" by the "getent group
> >> U-Role-Labbu-Test" command. But it returned nothing. I tried both cases,
> >> "ad_enable_gc=False" and "ad_enable_gct=True", but the result was the
> >> same.
> >>
> >> I checked the log messages when I invoked the "getent group
> >> U-Role-Labbu-Test" command.
> >> It looks like the AD provider used the normal LDAP port for
> >> ldap_search_ext() rather than the global catalog port (3268).
> >> It also looks like the AD provider checks the AD server on the global
> >> catalog port (3268) to detect its compatibility level.
> >> I believed the AD provider tried to search in the global catalog first
> >> to search for a specified group name.
> >>
> >> << log messages >>
> >> [sssd[be[sso-ad-ad]]] [be_resolve_server_process] (0x0200): Found
> >> address for server jpbw0-in00-is82.labsso.labroot.isops.example.com:
> >> [10.58.30.95] TTL 3600
> >> [sssd[be[sso-ad-ad]]] [ad_resolve_callback] (0x0100): Constructed uri
> >> 'ldap://jpbw0-in00-is82.labsso.labroot.isops.example.com'
> >> [sssd[be[sso-ad-ad]]] [ad_resolve_callback] (0x0100): Constructed GC
> >> uri 'ldap://jpbw0-in00-is82.labsso.labroot.isops.example.com:3268'
> >> [sssd[be[sso-ad-ad]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds
> >> timeout for connecting
> >> [sssd[be[sso-ad-ad]]] [sdap_ldap_connect_callback_add] (0x1000): New
> >> LDAP connection to
> >> [ldap://jpbw0-in00-is82.labsso.labroot.isops.example.com:3268/??base]
> >> with fd [17].
> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x0400): calling
> >> ldap_search_ext with [(objectclass=*)][].
> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> >> attrs: [*]
> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> >> attrs: [altServer]
> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> >> attrs: [namingContexts]
> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> >> attrs: [supportedControl]
> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> >> attrs: [supportedExtension]
> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> >> attrs: [supportedFeatures]
> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> >> attrs: [supportedLDAPVersion]
> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> >> attrs: [supportedSASLMechanisms]
> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> >> attrs: [domainControllerFunctionality]
> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> >> attrs: [defaultNamingContext]
> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> >> attrs: [lastUSN]
> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> >> attrs: [highestCommittedUSN]
> >> [sssd[be[sso-ad-ad]]] [sdap_parse_entry] (0x1000): OriginalDN: [].
> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_done] (0x0400): Search
> >> result: Success(0), no errmsg set
> >> [sssd[be[sso-ad-ad]]] [sdap_get_server_opts_from_rootdse] (0x0100):
> >> Setting AD compatibility level to [4]
> >> << snipped >>
> >> [sssd[be[sso-ad-ad]]] [sdap_get_groups_next_base] (0x0400): Searching
> >> for groups with base [DC=labsso,DC=labroot,DC=isops,DC=example,DC=com]
> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x0400): calling
> >> ldap_search_ext with
> >> [(&(name=u-role-labbu-test)(objectclass=group)(name=*))][DC=labsso,DC=labroot,DC=isops,DC=example,DC=com].
> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> >> attrs: [objectClass]
> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> >> attrs: [name]
> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> >> attrs: [gidNumber]
> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> >> attrs: [member]
> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> >> attrs: [objectSID]
> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> >> attrs: [whenChanged]
> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> >> attrs: [uSNChanged]
> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting
> >> attrs: [groupType]
> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_done] (0x0400): Search
> >> result: Success(0), no errmsg set
> >> [sssd[be[sso-ad-ad]]] [sdap_get_groups_process] (0x0400): Search for
> >> groups, returned 0 results.
> >> [sssd[be[sso-ad-ad]]] [sysdb_search_group_by_name] (0x0400): No such entry
> >> [sssd[be[sso-ad-ad]]] [sysdb_delete_group] (0x0400): Error: 2 (No such
> >> file or directory)
> >> [sssd[be[sso-ad-ad]]] [acctinfo_callback] (0x0100): Request processed.
> >> Returned 0,0,Success
> >>
> >> Could you kindly help me find what's wrong with my configuration or the AD
> >> provider, so that I can get the new group (U-Role-Labbu-Test, defined in the
> >> LABBU sub-domain) through the LABSSO domain?
> >>
> >> Regards,
> >> Shoji
> >
> > The above search ran to completion but didn't find anything. Can you check
> > if the domain-local group u-role-labbu-test is present in GC? I suspect
> > it wouldn't..
> >
> > You can try if disabling GC makes a difference here:
> > ad_enable_gc = False
>
> I checked sssd log file and found "Domain not found for SID
> S-1-5......-1149" as below.
>
> << log file >>
> [sssd[be[sso]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x1000):
> Processing membership SID
> [S-1-5-21-1401708884-2744904820-804000056-1172]
> [sssd[be[sso]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x1000):
> SID [S-1-5-21-1401708884-2744904820-804000056-1172] maps to GID
> [638201172]
> [sssd[be[sso]]] [sysdb_search_group_by_gid] (0x0400): No such entry
> [sssd[be[sso]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x1000):
> Processing membership SID
> [S-1-5-21-1176919450-1931656763-3149421143-1149]
> [sssd[be[sso]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x0080):
> Domain not found for SID
> S-1-5-21-1176919450-1931656763-3149421143-1149
> [sssd[be[sso]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x1000):
> Processing membership SID
> [S-1-5-21-1401708884-2744904820-804000056-1170]
> [sssd[be[sso]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x1000):
> SID [S-1-5-21-1401708884-2744904820-804000056-1170] maps to GID
> [638201170]
> [sssd[be[sso]]] [sysdb_search_group_by_gid] (0x0400): No such entry
>
> Where
> SID S-1-*-1172 = U-Role-LABSSO (SSO domain, Universal Group)
> SID S-1-*-1170 = G-Role-LABSSO (SSO domain, Global Group)
> SID S-1-*-1149 = U-Role-LABBU (BU domain, Universal Group)
>
> So it looks like sssd failed to get the domain of U-Role-LABBU.
> I suspect this is a possible cause.
> Is there any hint as to why the domain was not found?
I think earlier in the logs where we discover the subdomains, all SIDs
should be listed, do you see the one that SSSD later claims matches no
domain?
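As an added diagnostic for the check suggested above (this script is not part of the thread and not SSSD code), the following Python applies it mechanically: collect the domain SIDs SSSD reports while discovering the master and sub-domains, flag any membership SID whose domain prefix was never discovered, and flag any LDAP filter that carries a literal "(null)", which is what the "Malformed search filter" log above shows. The log lines are constructed from the excerpts in this thread, one record per line as in the real sssd_*.log file; the function names are this example's own.

```python
import re

# Constructed sample, modelled on the log excerpts quoted in this thread
# (the e-mail wrapped the records; in the real log each record is one line).
SAMPLE_LOG = """\
[sssd[be[labsso]]] [ad_master_domain_next_done] (0x0400): Found SID [S-1-5-21-1401708884-2744904820-804000056].
[sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=trustedDomain)(trustType=2)(!(msDS-TrustForestTrustInfo=*))(cn=(null)))][DC=labsso,DC=labroot,DC=isops,DC=example,DC=com].
[sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x0080): ldap_search_ext failed: Bad search filter
[sssd[be[sso]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x1000): Processing membership SID [S-1-5-21-1401708884-2744904820-804000056-1172]
[sssd[be[sso]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x1000): Processing membership SID [S-1-5-21-1176919450-1931656763-3149421143-1149]
[sssd[be[sso]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x0080): Domain not found for SID S-1-5-21-1176919450-1931656763-3149421143-1149
"""

# A domain SID is S-1-5-21 plus three sub-authorities; a principal's SID
# appends one more component, the RID.
FOUND_SID = re.compile(r"Found SID \[(S-1-5-21(?:-\d+){3})\]")
MEMBER_SID = re.compile(r"Processing membership SID \[(S-1-5-21(?:-\d+){4})\]")
# Filter text is the first bracketed argument logged by sdap_get_generic_ext_step.
SEARCH_FILTER = re.compile(r"calling ldap_search_ext with \[(.*?)\]\[")


def domain_sid(sid: str) -> str:
    """Strip the trailing RID; the remaining prefix identifies the domain."""
    return sid.rsplit("-", 1)[0]


def discovered_domain_sids(log: str) -> set:
    """Domain SIDs SSSD logged during master/sub-domain discovery."""
    return set(FOUND_SID.findall(log))


def unmapped_membership_sids(log: str) -> list:
    """Membership SIDs whose domain was never discovered (first occurrence only)."""
    known = discovered_domain_sids(log)
    seen, result = set(), []
    for sid in MEMBER_SID.findall(log):
        if domain_sid(sid) not in known and sid not in seen:
            seen.add(sid)
            result.append(sid)
    return result


def null_filters(log: str) -> list:
    """LDAP filters that embed a literal '(null)', i.e. a value SSSD never set."""
    return [f for f in SEARCH_FILTER.findall(log) if "(null)" in f]


if __name__ == "__main__":
    print("discovered domains:", sorted(discovered_domain_sids(SAMPLE_LOG)))
    print("membership SIDs with no known domain:", unmapped_membership_sids(SAMPLE_LOG))
    print("filters containing (null):", null_filters(SAMPLE_LOG))
```

Run it against the real log with the domain log level raised (debug_level 6 or higher, as in the excerpts); an entry under "membership SIDs with no known domain" whose prefix never appears in a "Found SID" line points at a sub-domain that discovery did not return.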
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users