On Mon, Oct 23, 2017 at 3:29 PM, Jakub Hrozek <jhrozek@redhat.com> wrote:
On Mon, Oct 23, 2017 at 10:11:50AM +0200, Jeremy Monnet wrote:
> Hi,
>
>
>
> On Sat, Oct 21, 2017 at 8:56 PM, Jakub Hrozek <jhrozek@redhat.com> wrote:
>
> > On Fri, Oct 20, 2017 at 04:39:54PM +0200, Jeremy Monnet wrote:
> > > Hi,
> > >
> > > I have that error message that I do not understand, because I have 2
> > > Ubuntu servers set up the same way (but 1 Ubuntu 14.04 and 1 Ubuntu 16.04).
> > > Ubuntu 14 is working fine, I can authenticate and sudo just fine; Ubuntu 16 can
> > > list users and groups but I cannot authenticate nor sudo. And I see in
> > > the sssd_domain.log:
> > >
> > > (Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
> > > (Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_server_status] (0x1000): Status of server '<servername>' is 'name resolved'
> > > (Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_port_status] (0x1000): Port status of port 389 for server '<servername>' is 'not working'
> > > (Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_server_status] (0x1000): Status of server '<servername2>' is 'name resolved'
> > > (Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_port_status] (0x1000): Port status of port 389 for server '<servername2>' is 'not working'
> > > (Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
> > > (Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
> > > (Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
> > >
> > >
> > > Of course, port 389 is indeed reachable, and I have joined and re-joined
> > > the domain several times, deleted the computer object in AD, checked
> > > several times that the keytab was created, and that I could kinit with
> > > it...
> > >
> > > One thing is that I join a child AD domain and try to log in with an
> > > account from the main domain; that is probably an issue, but as that works
> > > on the other Ubuntu with the same setup, I am stuck...
> >
> > Can you show the whole log or the first time the not working message
> > appeared since sssd restart?
> >
> I have tried to sanitize the whole log file, but there are too many
> accounts, servers, etc. appearing in the logs, so I will try to provide you
> just the required snippets. In parallel I will open a new thread because I
> am not sure of the setup I use, and I haven't been able to find the recommended
> way of configuring AD auth in real life (i.e. with multiple domains,
> firewalls blocking the ports, etc.).
>
> So I have restarted sssd this morning, clearing the logs in between, and I
> get:
> root@server:/var/log/sssd# grep "Port status of port" sssd_<domain>.log
> (Mon Oct 23 09:37:28 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'neutral'
> (Mon Oct 23 09:37:38 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'neutral'
> (Mon Oct 23 09:37:38 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad2>.<domain>' is 'working'
> (Mon Oct 23 09:39:12 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'neutral'
> (Mon Oct 23 09:39:12 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad2>.<domain>' is 'neutral'
> (Mon Oct 23 09:39:12 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad1>.<domain>' is 'not working'
> (Mon Oct 23 09:39:12 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad2>.<domain>' is 'not working'
> (Mon Oct 23 09:39:12 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad1>.<domain>' is 'not working'
> (Mon Oct 23 09:39:12 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad2>.<domain>' is 'not working'
> (Mon Oct 23 09:39:20 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad2>.<domain>' is 'working'
> (Mon Oct 23 09:39:20 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad2>.<domain>' is 'working'
> (Mon Oct 23 09:39:31 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad2>.<domain>' is 'working'
> (Mon Oct 23 09:40:31 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad2>.<domain>' is 'neutral'
> (Mon Oct 23 09:40:31 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad1>.<domain>' is 'working'
> (Mon Oct 23 09:40:31 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad1>.<domain>' is 'working'
> (Mon Oct 23 09:42:38 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 3268 for server '<ad1>.<domain>' is 'neutral'
> (Mon Oct 23 09:42:38 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad1>.<domain>' is 'working'
>
> In the attached snippet you will find all (Mon Oct 23 09:39:12 2017)

This sounds wrong:
     [sdap_kinit_send] (0x0400): Attempting kinit (default, host/<servername>.<subdomain>.<domain>, <SUBDOMAIN>.<DOMAIN>, 86400)
With AD, you normally want to use the SHORTNAME$@REALM principal, not the
host/hostname principal, because the latter is only a service principal,
not a user/computer one.

But since you're using id_provider=ad, sssd should have already picked
up that principal... is the SHORTNAME$@REALM principal in your keytab at all?
Yes, it is:

root@servername:~# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/servername.sub1.example.com@SUB1.EXAMPLE.COM
   2 host/servername.sub1.example.com@SUB1.EXAMPLE.COM
   2 host/servername.sub1.example.com@SUB1.EXAMPLE.COM
   2 host/servername.sub1.example.com@SUB1.EXAMPLE.COM
   2 host/servername.sub1.example.com@SUB1.EXAMPLE.COM
   2 host/servername@SUB1.EXAMPLE.COM
   2 host/servername@SUB1.EXAMPLE.COM
   2 host/servername@SUB1.EXAMPLE.COM
   2 host/servername@SUB1.EXAMPLE.COM
   2 host/servername@SUB1.EXAMPLE.COM
   2 SERVERNAME$@SUB1.EXAMPLE.COM
   2 SERVERNAME$@SUB1.EXAMPLE.COM
   2 SERVERNAME$@SUB1.EXAMPLE.COM
   2 SERVERNAME$@SUB1.EXAMPLE.COM
   2 SERVERNAME$@SUB1.EXAMPLE.COM

Jeremy
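As an added example (not code from this thread or from the SSSD project), a small parser for the get_port_status / fo_resolve_service_send lines quoted above: it collapses each server's port-status transitions and, for every "No available servers" event, lists which servers the failover code had marked 'not working' at that moment, which is the condition that makes the backend go offline. The embedded log is constructed; host and domain names are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the sssd_<domain>.log format quoted in the thread;
# host and domain names are placeholders, not real systems.
SAMPLE_LOG = """\
(Mon Oct 23 09:37:38 2017) [sssd[be[example.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'ad2.example.com' is 'working'
(Mon Oct 23 09:39:12 2017) [sssd[be[example.com]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'neutral'
(Mon Oct 23 09:39:12 2017) [sssd[be[example.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'ad1.example.com' is 'not working'
(Mon Oct 23 09:39:12 2017) [sssd[be[example.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'ad2.example.com' is 'not working'
(Mon Oct 23 09:39:12 2017) [sssd[be[example.com]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Mon Oct 23 09:39:20 2017) [sssd[be[example.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'ad2.example.com' is 'working'
(Mon Oct 23 09:40:31 2017) [sssd[be[example.com]]] [get_port_status] (0x1000): Port status of port 389 for server 'ad1.example.com' is 'working'
"""

LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[[^\]]+\]\]\] \[(?P<fn>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")
PORT_RE = re.compile(r"^Port status of port (?P<port>\d+) for server '(?P<srv>[^']+)' is '(?P<st>[^']+)'$")
NOSRV_RE = re.compile(r"^No available servers for service '(?P<svc>[^']+)'$")

def analyse(log_text):
    """Returns (transitions, outages): transitions maps (server, port) to [(ts, status), ...]
    with repeated identical statuses collapsed; outages lists every 'No available servers'
    event as (ts, service, servers that were marked 'not working' at that moment)."""
    transitions = defaultdict(list)
    current = {}  # (server, port) -> last status seen
    outages = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, fn, msg = m["ts"], m["fn"], m["msg"]
        if fn == "get_port_status":
            p = PORT_RE.match(msg)
            if not p or p["srv"] == "(no name)":  # port-0 placeholder entries name no server
                continue
            key = (p["srv"], int(p["port"]))
            if current.get(key) != p["st"]:
                transitions[key].append((ts, p["st"]))
                current[key] = p["st"]
        elif fn == "fo_resolve_service_send":
            n = NOSRV_RE.match(msg)
            if n:
                dead = sorted(f"{s}:{pt}" for (s, pt), st in current.items() if st == "not working")
                outages.append((ts, n["svc"], dead))
    return dict(transitions), outages

if __name__ == "__main__":
    trans, outs = analyse(SAMPLE_LOG)
    print(trans, outs, sep="\n")
```

Run it against a real sssd_<domain>.log (debug_level 0x1000 or higher is needed for the get_port_status lines) to see whether an offline event coincides with every listed server being marked 'not working', as in the thread, or with no server ever reaching 'working'.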