Hello SSSD gurus!
I want to set up Active Directory domain authorization on my CentOS 7.2 servers with SSSD.
For this I use SSSD as described here:
https://blog.it-kb.ru/2016/10/15/join-debian-gnu-linux-8-6-to-active-dire...
I have set this up on several servers and everything works well.
But on the last server SSSD does not work as it should.
I attached this server to the domain using the realm utility.
It looks nice.
[root@KOM-OVIRT1 ~]# realm list
ad.holding.com
  type: kerberos
  realm-name: AD.HOLDING.COM
  domain-name: ad.holding.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U@ad.holding.com
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: KOM-SRV-Linux-Admins@ad.holding.com
However, getent does not return information about domain accounts:
[root@KOM-OVIRT1 ~]# getent passwd aleksey@ad.holding.com
[root@KOM-OVIRT1 ~]#
getent for local accounts works:
[root@KOM-OVIRT1 ~]# getent passwd root
root:x:0:0:root:/root:/bin/bash
My /etc/sssd/sssd.conf:
------------------------------------------------
[sssd]
domains = ad.holding.com
config_file_version = 2
services = nss, pam
default_domain_suffix = ad.holding.com

[nss]
debug_level=9

[domain/ad.holding.com]
ad_server = kom-dc01.ad.holding.com, kom-dc02.ad.holding.com
ad_domain = ad.holding.com
krb5_realm = AD.HOLDING.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
debug_level=9
------------------------------------------------
/var/log/sssd/sssd_nss.log:
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [ad.holding.com][4097][1][name=aleksey]
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x7f8794b5f9a0
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f8792bce0d0:1:aleksey@ad.holding.com]
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x7f8794b5f9a0
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x7f8794b5b120
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 1 errno: 11 error message: Fast reply - offline
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 1, 11, Fast reply - offline
Will try to return what we have in cache
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f8792bce0d0:1:aleksey@ad.holding.com]
------------------------------------------------
/var/log/sssd/sssd_ad.holding.com.log
(Wed Oct 19 16:53:21 2016) [sssd[be[ad.holding.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=aleksey]
(Wed Oct 19 16:53:21 2016) [sssd[be[ad.holding.com]]] [be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast reply - offline
What could be the problem?