On Tue, Jun 25, 2019 at 08:25:44PM +0000, Thomas Beaudry wrote:
> Hi again,
>
> Okay so I look at my sssd_MYDOMAIN log I get:
>
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [request_watch_destructor] (0x0400): Deleting request watch
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [fo_discover_srv_done] (0x0400): Got answer. Processing...
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [fo_discover_srv_done] (0x0400): Got 5 servers
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [ad_get_dc_servers_done] (0x0400): Found 5 domain controllers in domain MYDOMAIN.ca
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [ad_srv_plugin_dcs_done] (0x0400): About to locate suitable site
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_connect_host_send] (0x0400): Resolving host dc.MYDOMAIN.ca
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'dc.MYDOMAIN.ca' in files
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'dc.MYDOMAIN.ca' in files
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'dc.MYDOMAIN.ca' in DNS

Looks like it took 2 seconds here to resolve a DNS record..

> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [request_watch_destructor] (0x0400): Deleting request watch
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_connect_host_resolv_done] (0x0400): Connecting to ldap://dc.MYDOMAIN.ca:389
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_connect_host_done] (0x0400): Successful connection to ldap://dc.MYDOMAIN.ca:389
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(DnsDomain=MYDOMAIN.ca)(NtVer=\14\00\00\00))][].
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [ad_get_client_site_done] (0x0400): Found site: Default-First-Site-Name
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [ad_srv_plugin_site_done] (0x0400): About to discover primary and backup servers
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [fo_discover_servers_send] (0x0400): Looking up primary servers
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'ldap'. Will use DNS discovery domain 'Default-First-Site-Name._sites.MYDOMAIN.ca'
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.ca'

..and then another 2 seconds here, which caused a timeout in the server
discovery.

Does it help to increase the dns_resolver_timeout from its default of 6
seconds? Please see the note in man sssd-ad, there are several timeouts
that might need to be increased in unison, can you try e.g.:

    ldap_opt_timeout = 20
    dns_resolver_timeout = 10

(This might even be too high, but let's see..)

> (Tue Jun 25 16:17:21 2019) [sssd[be[MYDOMAIN.ca]]] [fo_resolve_service_timeout] (0x0080): Service resolving timeout reached
> (Tue Jun 25 16:17:21 2019) [sssd[be[MYDOMAIN.ca]]] [request_watch_destructor] (0x0400): Deleting request watch
> (Tue Jun 25 16:17:21 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error]
>
>
> Thanks!
> Thomas
> ________________________________________
> From: Jakub Hrozek <jhrozek(a)redhat.com>
> Sent: Tuesday, June 25, 2019 3:56 PM
> To: sssd-users(a)lists.fedorahosted.org
> Subject: [SSSD-users] Re: id / getent not finding AD users
>
> On Tue, Jun 25, 2019 at 07:25:45PM +0000, Thomas Beaudry wrote:
> > Hi Jakub,
> >
> > Thanks for the link so I followed the troubleshooting and I notice I can't reach the data provider mentioned in step 4 ("If the command is reaching the NSS responder, does it get forwarded to the Data Provider?")
> >
> >
> > If I look at my sssd_nss log I get with a timestamp that matches my id <username> command:
> >
> > (Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
> > (Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/MYDOMAIN.ca/root] to negative cache permanently
> > (Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
> > (Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/MYDOMAIN.ca/root] to negative cache permanently
> > (Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41eb90:domains@MYDOMAIN.ca]
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [admin].
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'admin' matched without domain, user is admin
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [admin] from [<ALL>]
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [admin@MYDOMAIN.ca]
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41d420:1:admin@MYDOMAIN.ca]
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [MYDOMAIN.ca][0x1001][FAST BE_REQ_USER][1][name=admin]
>
> The request gets forwarded to the data provider here..
>
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41d420:1:admin@MYDOMAIN.ca]
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
> > Error: 1, 11, Fast reply - offline
>
> ..but the data provider replies immediately because it had switched to
> the offline mode. For one reason or another, sssd_be couldn't reach any
> of the configured or auto-discovered servers.
>
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41d420:1:admin@MYDOMAIN.ca]
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
> >
> >
> > What would be the next step?
>
> I would suggest looking at the sssd_MYDOMAIN.log files and look for
> messages that contain strings like "marking server XYZ as NOT_WORKING"
> or "Going offline". Then look for the request a little earlier, that's
> what causes sssd to go offline.
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
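
The search suggested in this thread (find the offline marker in the domain log, then look at what ran just before it), as an added Python example that is not part of the original messages and is not SSSD code. The sample lines are abridged from the log quoted above; the `min_gap` and `window` thresholds are assumptions.

```python
import re
from datetime import datetime

# One SSSD debug line: (timestamp) [process] [function] (level): message
LINE = re.compile(r"^\((?P<ts>[^)]+)\) \[\S+\] \[(?P<func>\w+)\] "
                  r"\(0x[0-9a-f]{4}\): (?P<msg>.*)$")
# Strings the thread says to look for, plus the resolver timeout message.
OFFLINE = re.compile(r"going offline|NOT_WORKING|timeout reached", re.I)

# Abridged from the sssd_MYDOMAIN log quoted in this thread, wrapped lines rejoined.
SAMPLE = """\
(Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'dc.MYDOMAIN.ca' in DNS
(Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_connect_host_done] (0x0400): Successful connection to ldap://dc.MYDOMAIN.ca:389
(Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.ca'
(Tue Jun 25 16:17:21 2019) [sssd[be[MYDOMAIN.ca]]] [fo_resolve_service_timeout] (0x0080): Service resolving timeout reached
(Tue Jun 25 16:17:21 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error]
"""

def parse(text):
    """Return (datetime, function, message) for each well-formed log line."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            events.append((ts, m["func"], m["msg"]))
    return events

def stalls_before_offline(text, min_gap=2, window=30):
    """Find the first offline marker, then list earlier steps (within `window`
    seconds of it) that were followed by a pause of at least `min_gap` seconds."""
    events = parse(text)
    idx = next((i for i, e in enumerate(events) if OFFLINE.search(e[2])), None)
    if idx is None:
        return None, []
    trigger, stalls = events[idx], []
    for prev, nxt in zip(events[:idx], events[1:idx + 1]):
        gap = (nxt[0] - prev[0]).total_seconds()
        if gap >= min_gap and (trigger[0] - prev[0]).total_seconds() <= window:
            stalls.append((prev[1], prev[2], gap))
    return trigger, stalls

if __name__ == "__main__":
    trigger, stalls = stalls_before_offline(SAMPLE)
    print("offline marker:", trigger[1], "-", trigger[2])
    for func, msg, gap in stalls:
        print(f"  {gap:.0f}s pause after [{func}] {msg}")
```

To check a real log, pass the contents of the domain log file to `stalls_before_offline()` in place of `SAMPLE`.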