On Mon, Oct 23, 2017 at 3:29 PM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
> On Mon, Oct 23, 2017 at 10:11:50AM +0200, Jeremy Monnet wrote:
> > Hi,
> >
> > On Sat, Oct 21, 2017 at 8:56 PM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
> >
> > > On Fri, Oct 20, 2017 at 04:39:54PM +0200, Jeremy Monnet wrote:
> > > > Hi,
> > > >
> > > > I have that error message that I do not understand, because I have 2 Ubuntu
> > > > servers set up the same way (but 1 Ubuntu 14.04 and 1 Ubuntu 16.04). Ubuntu
> > > > 14 is working fine, I can authenticate and sudo just fine, Ubuntu 16 can
> > > > list users and groups but I cannot authenticate nor sudo. And I see in the
> > > > sssd_domain.log:
> > > >
> > > > (Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
> > > > (Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_server_status] (0x1000): Status of server '<servername>' is 'name resolved'
> > > > (Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_port_status] (0x1000): Port status of port 389 for server '<servername>' is 'not working'
> > > > (Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_server_status] (0x1000): Status of server '<servername2>' is 'name resolved'
> > > > (Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_port_status] (0x1000): Port status of port 389 for server '<servername2>' is 'not working'
> > > > (Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
> > > > (Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
> > > > (Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
> > > >
> > > > Of course, port 389 is indeed reachable, and I have joined and re-joined
> > > > the domain several times, deleted the computer object in AD, checked
> > > > several times that the keytab was created, and that I could kinit with it...
> > > >
> > > > One thing is that I join a child AD domain and try to log in with an
> > > > account from the main domain, that is probably an issue, but as that works
> > > > on the other Ubuntu with the same setup, I am stuck...
> > >
> > > Can you show the whole log or the first time the not working message
> > > appeared since sssd restart?
> > >
> > I have tried to sanitize the whole log file, but there are too many
> > accounts, servers, etc. appearing in the logs, so I will try to provide you
> > just the required snippets. In parallel I will open a new thread because I
> > am not sure of the setup I use, and I haven't been able to find the recommended
> > way of configuring AD auth in real life (i.e. with multiple domains,
> > firewalls blocking the ports, etc...).
> >
> > So I have restarted sssd this morning, clearing the logs in between, and I
> > get:
> > root@server:/var/log/sssd# grep "Port status of port" sssd_<domain>.log
> > (Mon Oct 23 09:37:28 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'neutral'
> > (Mon Oct 23 09:37:38 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'neutral'
> > (Mon Oct 23 09:37:38 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad2>.<domain>' is 'working'
> > (Mon Oct 23 09:39:12 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'neutral'
> > (Mon Oct 23 09:39:12 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad2>.<domain>' is 'neutral'
> > (Mon Oct 23 09:39:12 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad1>.<domain>' is 'not working'
> > (Mon Oct 23 09:39:12 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad2>.<domain>' is 'not working'
> > (Mon Oct 23 09:39:12 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad1>.<domain>' is 'not working'
> > (Mon Oct 23 09:39:12 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad2>.<domain>' is 'not working'
> > (Mon Oct 23 09:39:20 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad2>.<domain>' is 'working'
> > (Mon Oct 23 09:39:20 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad2>.<domain>' is 'working'
> > (Mon Oct 23 09:39:31 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad2>.<domain>' is 'working'
> > (Mon Oct 23 09:40:31 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad2>.<domain>' is 'neutral'
> > (Mon Oct 23 09:40:31 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad1>.<domain>' is 'working'
> > (Mon Oct 23 09:40:31 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad1>.<domain>' is 'working'
> > (Mon Oct 23 09:42:38 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 3268 for server '<ad1>.<domain>' is 'neutral'
> > (Mon Oct 23 09:42:38 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad1>.<domain>' is 'working'
> >
> > In the attached snippet you will find all (Mon Oct 23 09:39:12 2017)
>
> This sounds wrong:
> [sdap_kinit_send] (0x0400): Attempting kinit (default, host/<servername>.<subdomain>.<domain>, <SUBDOMAIN>.<DOMAIN>, 86400)
> with AD, you normally want to use the SHORTNAME$@REALM principal, not the
> host/hostname principal, because the latter is only a service principal,
> not a user/computer one.
> But since you're using id_provider=ad, then sssd should have already picked
> up that principal... is the SHORTNAME$@REALM principal in your keytab at all?
Yes, it is:

root@servername:~# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/servername.sub1.example.com@SUB1.EXAMPLE.COM
   2 host/servername.sub1.example.com@SUB1.EXAMPLE.COM
   2 host/servername.sub1.example.com@SUB1.EXAMPLE.COM
   2 host/servername.sub1.example.com@SUB1.EXAMPLE.COM
   2 host/servername.sub1.example.com@SUB1.EXAMPLE.COM
   2 host/servername@SUB1.EXAMPLE.COM
   2 host/servername@SUB1.EXAMPLE.COM
   2 host/servername@SUB1.EXAMPLE.COM
   2 host/servername@SUB1.EXAMPLE.COM
   2 host/servername@SUB1.EXAMPLE.COM
   2 SERVERNAME$@SUB1.EXAMPLE.COM
   2 SERVERNAME$@SUB1.EXAMPLE.COM
   2 SERVERNAME$@SUB1.EXAMPLE.COM
   2 SERVERNAME$@SUB1.EXAMPLE.COM
   2 SERVERNAME$@SUB1.EXAMPLE.COM

Jeremy
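An added example (not from the thread or from sssd itself) that scripts the two checks made above: it walks get_port_status lines of the kind quoted in the thread to find the moment every DC's port 389 was marked 'not working' (the failover state right before sssd logs 'No available servers' and goes offline), and it checks a `klist -k` listing for the SHORTNAME$@REALM computer principal Jakub asked about. The sample log and keytab listing are constructed, with placeholder names swapped for example hostnames.

```python
import re

# Constructed sample modelled on the get_port_status lines quoted in the thread;
# it reproduces the 09:39:12 burst where both DCs are marked 'not working' at once.
SAMPLE_LOG = """\
(Mon Oct 23 09:37:38 2017) [sssd[be[example.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'ad2.example.com' is 'working'
(Mon Oct 23 09:39:12 2017) [sssd[be[example.com]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'neutral'
(Mon Oct 23 09:39:12 2017) [sssd[be[example.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'ad2.example.com' is 'neutral'
(Mon Oct 23 09:39:12 2017) [sssd[be[example.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'ad1.example.com' is 'not working'
(Mon Oct 23 09:39:12 2017) [sssd[be[example.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'ad2.example.com' is 'not working'
(Mon Oct 23 09:39:20 2017) [sssd[be[example.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'ad2.example.com' is 'working'
"""

PORT_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[[^\]]+\]\]\] \[get_port_status\] \(0x[0-9a-f]+\): "
    r"Port status of port (?P<port>\d+) for server '(?P<server>[^']+)' is '(?P<status>[^']+)'$"
)

def parse_port_status(log):
    """Return (timestamp, port, server, status) for every get_port_status line."""
    return [(m["ts"], int(m["port"]), m["server"], m["status"])
            for m in map(PORT_RE.match, log.splitlines()) if m]

def first_all_down(records, port=389):
    """Timestamp at which every named server seen on `port` is 'not working',
    i.e. the state just before 'No available servers'; None if never reached."""
    state = {}
    for ts, p, server, status in records:
        if p != port or server == "(no name)":   # '(no name)' is the unresolved placeholder
            continue
        state[server] = status
        if all(s == "not working" for s in state.values()):
            return ts
    return None

# Constructed `klist -k` output in the shape shown in the thread.
SAMPLE_KLIST = """\
KVNO Principal
---- ----------------------------------------------------------
   2 host/servername.sub1.example.com@SUB1.EXAMPLE.COM
   2 host/servername@SUB1.EXAMPLE.COM
   2 SERVERNAME$@SUB1.EXAMPLE.COM
"""

def has_computer_principal(klist_out, shortname, realm):
    """True if the keytab holds the AD computer-account principal SHORTNAME$@REALM."""
    wanted = f"{shortname.upper()}$@{realm.upper()}"
    principals = re.findall(r"^\s*\d+\s+(\S+)$", klist_out, re.M)
    return wanted in principals
```

Run it against the real sssd_<domain>.log and `klist -k` output to get the "first time the not working message appeared since sssd restart" that Jakub asked for without hand-reading the grep.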