On (14/02/14 23:11), Richard Connon wrote:
> On 14/02/2014 21:37, Lukas Slebodnik wrote:
>> On (14/02/14 21:19), Richard Connon wrote:
>>> On 14/02/2014 21:13, Dmitri Pal wrote:
>>>> On 02/14/2014 04:00 PM, Richard Connon wrote:
>>>>> Hi,
>>>>>
>>>>> I'm using sssd 1.8.4 (debian package) as a client for a samba4 domain,
>>>>> currently with one DC. The domain has unix UIDs and GIDs stored so no
>>>>> idmapping is required.
>>>>>
>>>>> The config I have (so far) is this:
>>>>>
>>>>> [sssd]
>>>>> config_file_version = 2
>>>>> services = nss, pam
>>>>> domains = DOMAIN
>>>>>
>>>>> [nss]
>>>>>
>>>>> [pam]
>>>>>
>>>>> [domain/DOMAIN]
>>>>> auth_provider = krb5
>>>>> chpass_provider = krb5
>>>>> dns_search_domain = ads.domain.tld
>>>>> id_provider = ldap
>>>>> krb5_realm = ADS.DOMAIN.TLD
>>>>> ldap_sasl_authid = HOST$@ADS.DOMAIN.TLD
>>>>> ldap_sasl_mech = GSSAPI
>>>>> ldap_schema = rfc2307bis
>>>>> ldap_user_name = sAMAccountName
>>>>>
>>>>>
>>>>> So far NSS seems to be working (kind of) but is very slow to retrieve
>>>>> each user/group the first time and is very slow for queries where the
>>>>> user/group does not exist.
>> What does "very slow" mean?
>> Do you need to wait 10 seconds?
>>
>> Did you run "getent passwd user" or "id user"?
>>
>
> Yes it's more than 10 seconds.
> I ran getent passwd user but id user does the same.
>
>>>>>
>>>>> The only messages appearing in any relevant logs are the following 2:
>>>>> In sssd_DOMAIN.log:
>>>>> (Fri Feb 14 18:07:37 2014) [sssd[be[DOMAIN]]] [load_backend_module] (0x0010): Error (2) in module (ldap) initialization (sssm_ldap_autofs_init)!
>>>>> In syslog file auth.log:
>>>>> Feb 14 19:20:06 unifi sssd_be: GSSAPI Error: Miscellaneous failure (see text) (Matching credential (ldap/ads.domain.tld@DOMAIN.TLD) not found)
>>>>>
>>>>> The former seems to be quite harmless but the latter repeats quite
>>>>> frequently and seems to suggest SSSD is trying to use an invalid
>>>>> kerberos ticket for the LDAP connection.
>>>>> This principal name is invalid for two reasons: first, there is no LDAP
>>>>> service on "ads.domain.tld", it is on "dc02.ads.domain.tld"; second,
>>>>> "DOMAIN.TLD" is not the name of my realm, it is "ADS.DOMAIN.TLD".
>>>>>
>>>>> Does anyone have any idea what causes the latency in responding to NSS
>>>>> queries and whether I need to worry about the GSSAPI errors?
>>>>>
>>>>> Finally, I have not yet succeeded in getting this setup to work for PAM.
>>>>> I haven't been able to try very easily due to the NSS latency issues.
>>>>>
>>>>> Thanks in advance,
>>>>> Richard
>>>>
>>>> Any chance you can use a later version of SSSD? Samba DC acts as AD and
>>>> SSSD 1.9 and later have special features for AD integration. It would be
>>>> much easier to configure.
>>>> I suspect that the issue is related to resolving group memberships and
>>>> with 1.9 there are some tricks that take advantage of AD being on the
>>>> other side rather than generic LDAP. I of course assume that Samba DC
>>>> implements the same controls and capabilities that help with group lookups
>>>> as AD does.
>>>>
>>> Using 1.9 or later would be possible but I wanted to give 1.8.x as good
>>> a go as I could. Given sssd is so integral to system security I'm
>>> hesitant to stray away from packages maintained by my distribution.
>>>
>>> I believe the rfc2307bis schema option in 1.8 should be sufficient to
>>> handle the group memberships in my DC LDAP schema.
>>>
>>> The issues I'm seeing don't seem to be related to group memberships
>>> since they affect passwd lookups the same as group ones. Do you have
>>> reason to believe this is related to the problem?
>> If you don't mind and there isn't any conflict, you can try to install
>> sssd 1.9.4 from the PPA https://launchpad.net/~sssd/+archive/updates/
>>
>
> I am using Debian, not Ubuntu. I could package 1.9.4 but as I said above
> I'm hesitant to do so since it would mean tracking sssd upstream myself
> for security issues.
>
>> It would be great if you could send full log files with debug_level 7 in the
>> domain and nss sections (like Dmitri wrote in another mail)
>>
>
> Log files produced from starting sssd then running "getent passwd user"
> with debug_level = 7 in [nss] and [domain/DOMAIN] can be found here:
>
> http://www.irconan.co.uk/sssd-log.tar
>
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://ads.domain.tld/CN=Configuration,DC=ads,DC=domain,DC=tld] with fd [22].
[sdap_rebind_proc] (0x0020): ldap_sasl_interactive_bind_s failed (-2)[Local error]
[sdap_rebind_proc] (0x1000): Failed to bind to [ldap://ads.domain.tld/CN=Configuration,DC=ads,DC=domain,DC=tld].
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://ads.domain.tld/DC=DomainDnsZones,DC=ads,DC=domain,DC=tld] with fd [22].
[sdap_rebind_proc] (0x0020): ldap_sasl_interactive_bind_s failed (-2)[Local error]
[sdap_rebind_proc] (0x1000): Failed to bind to [ldap://ads.domain.tld/DC=DomainDnsZones,DC=ads,DC=domain,DC=tld].
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://ads.domain.tld/DC=ForestDnsZones,DC=ads,DC=domain,DC=tld] with fd [22].
[sdap_rebind_proc] (0x0020): ldap_sasl_interactive_bind_s failed (-2)[Local error]
[sdap_rebind_proc] (0x1000): Failed to bind to [ldap://ads.domain.tld/DC=ForestDnsZones,DC=ads,DC=domain,DC=tld].
There was a 37 second delay due to these failed binds.
Could you try to manually set the search bases for users and groups?
ldap_user_search_base
ldap_group_search_base
LS
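As an added example (not code from the thread or from the sssd project), a small triage script that reads a debug_level 7 sssd_DOMAIN.log, pairs each "New LDAP connection to [url]" line with the later "Failed to bind to [url]" line for the same URL, adds up the seconds a lookup lost waiting on those binds, and lists the auto-discovered naming contexts that never bound (the ones an explicit ldap_user_search_base / ldap_group_search_base would stop sssd from probing). The embedded log excerpt is constructed, with invented timestamps, to mirror the three failed binds quoted above.

```python
import re
from datetime import datetime

# Constructed excerpt in the sssd_DOMAIN.log line format; the timestamps are
# invented for this example and are not taken from the poster's real log.
SAMPLE_LOG = """\
(Fri Feb 14 18:07:40 2014) [sssd[be[DOMAIN]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://ads.domain.tld/CN=Configuration,DC=ads,DC=domain,DC=tld] with fd [22].
(Fri Feb 14 18:07:52 2014) [sssd[be[DOMAIN]]] [sdap_rebind_proc] (0x0020): ldap_sasl_interactive_bind_s failed (-2)[Local error]
(Fri Feb 14 18:07:52 2014) [sssd[be[DOMAIN]]] [sdap_rebind_proc] (0x1000): Failed to bind to [ldap://ads.domain.tld/CN=Configuration,DC=ads,DC=domain,DC=tld].
(Fri Feb 14 18:07:52 2014) [sssd[be[DOMAIN]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://ads.domain.tld/DC=DomainDnsZones,DC=ads,DC=domain,DC=tld] with fd [22].
(Fri Feb 14 18:08:05 2014) [sssd[be[DOMAIN]]] [sdap_rebind_proc] (0x1000): Failed to bind to [ldap://ads.domain.tld/DC=DomainDnsZones,DC=ads,DC=domain,DC=tld].
(Fri Feb 14 18:08:05 2014) [sssd[be[DOMAIN]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://ads.domain.tld/DC=ForestDnsZones,DC=ads,DC=domain,DC=tld] with fd [22].
(Fri Feb 14 18:08:17 2014) [sssd[be[DOMAIN]]] [sdap_rebind_proc] (0x1000): Failed to bind to [ldap://ads.domain.tld/DC=ForestDnsZones,DC=ads,DC=domain,DC=tld].
"""

TS_RE = re.compile(r"^\(([A-Za-z]{3} [A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})\)")
CONNECT_RE = re.compile(r"New LDAP connection to \[([^\]]+)\]")
FAIL_RE = re.compile(r"Failed to bind to \[([^\]]+)\]")

def failed_binds(log_text):
    """Pair each 'New LDAP connection to [url]' with the later 'Failed to bind to
    [url]' for the same URL; return [(url, seconds_lost)] in log order."""
    pending, results = {}, []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m: continue  # skip continuation lines without a timestamp
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        if (c := CONNECT_RE.search(line)):
            pending[c.group(1)] = ts
        elif (f := FAIL_RE.search(line)) and f.group(1) in pending:
            results.append((f.group(1), (ts - pending.pop(f.group(1))).total_seconds()))
    return results

def total_delay(log_text):
    """Seconds a lookup spent waiting on SASL binds that eventually failed."""
    return sum(secs for _, secs in failed_binds(log_text))

def failing_search_bases(log_text):
    """Base DNs (URL part after the host) that never bound; candidates for ldap_*_search_base."""
    bases = []
    for url, _ in failed_binds(log_text):
        base = url.split("/", 3)[3]  # ldap://host/<base DN>
        if base not in bases:
            bases.append(base)
    return bases

if __name__ == "__main__":
    for url, secs in failed_binds(SAMPLE_LOG):
        print(f"{secs:4.0f}s lost on failed SASL bind to {url}")
    print(f"total {total_delay(SAMPLE_LOG):.0f}s; bases never bound: {failing_search_bases(SAMPLE_LOG)}")
```

Point it at a real log (read the file into `failed_binds`) and the per-URL figures show directly where a slow "getent passwd user" spent its time.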
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users