Hi,

Trying to configure SSSD on a CentOS server and running into some issues. Hoping to get some guidance here...

All the install steps are successful, and at the end "net ads testjoin" confirms that the join is valid. The computer object gets created in AD (Windows). But authentication attempts result in access denied, and the following is recorded in the logs (log level for the domain set to 2):

(Tue Apr  4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init] (0x0020): No selinux module provided for [xyz.local] !!
(Tue Apr  4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init] (0x0020): No host info module provided for [xyz.local] !!
(Tue Apr  4 14:28:43 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
(Tue Apr  4 14:28:43 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Apr  4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable
(Tue Apr  4 14:28:43 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
(Tue Apr  4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Apr  4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr  4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Apr  4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr  4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
(Tue Apr  4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Apr  4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
(Tue Apr  4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Apr  4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable
(Tue Apr  4 14:29:48 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
(Tue Apr  4 14:29:48 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Apr  4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr  4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_dyndns_update_addrs_done] (0x0040): Can't get addresses for DNS update
(Tue Apr  4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158234]: Dynamic DNS update not possible while offline
(Tue Apr  4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [1432158234]: Dynamic DNS update not possible while offline


I see a couple of obvious errors here, mainly the ones for SASL: GSSAPI and "Failed to connect, going offline (5 [Input/output error])", although I am not sure whether they are all related to a common failure.

When I try to use ldapsearch directly, it gives the same SASL error:

# ldapsearch -H ldap://AD-Server.xyz.local/ -Y GSSAPI -N -b "dc=xyz,dc=local" "(&(objectClass=user)(sAMAccountName=first.last))"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)

Here is sssd.conf:

[sssd]
domains =  XYZ.LOCAL
services = nss, pam, sudo
config_file_version = 2
debug_level = 0
[nss]
[pam]
[sudo]
debug_level=2
[domain/xyz.local]
debug_level=2
ad_server = AD-Server.xyz.local
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
ldap_id_mapping = true
ldap_use_tokengroups = False
ldap_sasl_mech = GSSAPI
krb5_realm = XYZ.LOCAL
ldap_uri = ldap://AD-Server.xyz.local
ldap_sudo_search_base = ou=Groups,dc=xyz,dc=local
ldap_user_search_base = dc=xyz,dc=local
ldap_user_object_class = user
ldap_group_search_base = ou=Groups,dc=xyz,dc=local
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_access_filter = ...
cache_credentials = true
override_homedir = /home/%d/%u
default_shell = /bin/bash
ldap_schema = ad

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HOSTNAME$@XYZ.LOCAL

Valid starting     Expires            Service principal
04/04/17 13:58:20  04/04/17 23:58:05  krbtgt/XYZ.LOCAL@XYZ.LOCAL
        renew until 04/11/17 13:58:20
04/04/17 14:00:09  04/04/17 23:58:05  ldap/AD-server.xyz.local@XYZ.LOCAL
        renew until 04/11/17 13:58:20

# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/hostname.xyz.local@XYZ.LOCAL
   2 host/hostname.xyz.local@XYZ.LOCAL
   2 host/hostname.xyz.local@XYZ.LOCAL
   2 host/hostname.xyz.local@XYZ.LOCAL
   2 host/hostname.xyz.local@XYZ.LOCAL
   2 host/hostname@XYZ.LOCAL
   2 host/hostname@XYZ.LOCAL
   2 host/hostname@XYZ.LOCAL
   2 host/hostname@XYZ.LOCAL
   2 host/hostname@XYZ.LOCAL
   2 HOSTNAME$@XYZ.LOCAL
   2 HOSTNAME$@XYZ.LOCAL
   2 HOSTNAME$@XYZ.LOCAL
   2 HOSTNAME$@XYZ.LOCAL
   2 HOSTNAME$@XYZ.LOCAL

# net ads testjoin
Join is OK

Please let me know if I need to increase the logging level to capture additional details.

Many Thanks,

~ Abhi
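As an added example (not part of the original post, and not SSSD's own code), here is a small Python triage script for the SSSD domain log format quoted above. It parses each line into timestamp, process, function, debug-level mask and message, collapses repeating errors into counts, and reports the first event at "serious" or worse that is not known startup chatter, since the later "No available servers" and "going offline" lines are typically consequences of that first failure. The sample input is a constructed subset of the log lines above, and the benign-message allowlist is my own assumption.

```python
import re
from collections import Counter

# Constructed sample: a subset of the sssd domain log lines quoted in the post.
SAMPLE_LOG = """\
(Tue Apr  4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init] (0x0020): No selinux module provided for [xyz.local] !!
(Tue Apr  4 14:28:43 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
(Tue Apr  4 14:28:43 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Apr  4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Apr  4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr  4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
(Tue Apr  4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
"""

# Debug-level bitmasks as documented in sssd.conf(5); lower value = more severe.
LEVEL_NAMES = {0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor"}

# Startup chatter logged at a high level that is not a failure (assumption: my own list).
BENIGN = ("No selinux module provided", "No host info module provided")

# (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<proc>[^\[\]]+(?:\[[^\]]*\])?)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)


def parse_line(line):
    """Split one SSSD log line into its fields; None if the line is not one."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    event = m.groupdict()
    event["level"] = int(event["level"], 16)
    return event


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def triage(events):
    """Return (first real failure or None, Counter of distinct (func, msg) pairs)."""
    counts = Counter((e["func"], e["msg"]) for e in events)
    first = next((e for e in events
                  if e["level"] <= 0x0040 and not e["msg"].startswith(BENIGN)), None)
    return first, counts


if __name__ == "__main__":
    first, counts = triage(parse_log(SAMPLE_LOG))
    if first:
        print(f"first failure at {first['ts']} [{first['func']}] "
              f"({LEVEL_NAMES.get(first['level'], hex(first['level']))}): {first['msg']}")
    for (func, msg), n in counts.most_common():
        print(f"{n:3d}x [{func}] {msg}")
```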