On Thu, Jun 08, 2017 at 12:05:55PM -0400, Abhijit Tikekar wrote:
Hi,
We are unable to connect one machine (CentOS 6.9) to Active Directory using SSSD. It
gives the following error whenever we attempt the join. The exact same settings are working
for other servers.
# net ads join -k
Failed to join domain: failed to lookup DC info for domain X.Y.LOCAL' over rpc:
NT_STATUS_CONNECTION_RESET
But testjoin shows OK.
# net ads testjoin
Join is OK
Even though join says OK, users are not able to authenticate.
# net ads info
LDAP server: x.x.x.x
LDAP server name: AD-Server.x.y.local
Realm: X.Y.LOCAL
Bind Path: dc=X,dc=Y,dc=LOCAL
LDAP port: 389
Server time: Thu, 08 Jun 2017 11:18:41 EDT
KDC server: x.x.x.x
Server time offset: 0
"id" and "getent passwd <username>" return nothing.
DNS entries are correct under /etc/resolv.conf.
Here is the sanitized sssd_domain.log file (log level 5):
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_res_get_opts] (0x0100): Lookup
order: ipv4_first
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [recreate_ares_channel] (0x0100):
Initializing new c-ares channel
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sysdb_domain_init_internal] (0x0200):
DB File for x.y.local: /var/lib/sss/db/cache_x.y.local.ldb
...
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]]
[sbus_server_init_new_connection] (0x0200): Adding connection 0xbec7b0.
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sbus_server_init_new_connection]
(0x0200): Got a connection
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_client_init] (0x0100): Set-up
Backend ID timeout [0xbee680]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [get_naming_context] (0x0200): Using
value from [defaultNamingContext] as naming context.
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_search_base] (0x0100): Setting
option [ldap_search_base] to [DC=x,DC=y,DC=local].
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [common_parse_search_base] (0x0100):
Search base added: [DEFAULT][DC=x,DC=y,DC=local][SUBTREE][]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_search_base] (0x0100): Setting
option [ldap_netgroup_search_base] to [DC=x,DC=y,DC=local].
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [common_parse_search_base] (0x0100):
Search base added: [NETGROUP][DC=x,DC=y,DC=local][SUBTREE][]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_search_base] (0x0100): Setting
option [ldap_service_search_base] to [DC=x,DC=y,DC=local].
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [common_parse_search_base] (0x0100):
Search base added: [SERVICE][DC=x,DC=y,DC=local][SUBTREE][]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_search_base] (0x0100): Setting
option [ldap_autofs_search_base] to [DC=x,DC=y,DC=local].
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [common_parse_search_base] (0x0100):
Search base added: [AUTOFS][DC=x,DC=y,DC=local][SUBTREE][]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_get_server_opts_from_rootdse]
(0x0100): Setting AD compatibility level to [6]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100):
Trying to resolve service 'AD'
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_resolve_server_process] (0x0200):
Found address for server AD-Server.x.y.local: [x.x.x.x] TTL 3600
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [client_registration] (0x0100): Cancel
DP ID timeout [0xbee680]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [client_registration] (0x0100): Added
Frontend client [SUDO]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [child_sig_handler] (0x0100): child
[14490] finished successfully.
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_kinit_done] (0x0100): Could not
get TGT: 14 [Bad address]

Please check the ldap_child.log file. SSSD is not able to get a Kerberos
ticket with the help of the system keytab /etc/krb5.keytab.

bye,
Sumit

(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]]
[sdap_cli_connect_recv] (0x0040): Unable to establish connection [13]: Permission denied
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_set_port_status] (0x0100): Marking
port 0 of server 'AD-Server.x.y.local' as 'not working'
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100):
Trying to resolve service 'AD'
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0020): No
available servers for service 'AD'
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_id_op_connect_done] (0x0020):
Failed to connect, going offline (5 [Input/output error])
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_run_offline_cb] (0x0080): Going
offline. Running callbacks.
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_subdomains_get_conn_done] (0x0080):
No AD server is available, cannot get the subdomain list while offline
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100):
Trying to resolve service 'AD'
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0020): No
available servers for service 'AD'
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_id_op_connect_done] (0x0020):
Failed to connect, going offline (5 [Input/output error])
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_ptask_enable] (0x0080): Task [Check
if online (periodic)]: already enabled
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_run_offline_cb] (0x0080): Going
offline. Running callbacks.
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_subdomains_get_conn_done] (0x0080):
No AD server is available, cannot get the subdomain list while offline
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [client_registration] (0x0100): Cancel
DP ID timeout [0xbe97f0]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [client_registration] (0x0100): Added
Frontend client [NSS]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [remove_krb5_info_files] (0x0200): Could
not remove [/var/lib/sss/pubconf/kpasswdinfo.X.Y.LOCAL], [2][No such file or directory]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [remove_krb5_info_files] (0x0200): Could
not remove [/var/lib/sss/pubconf/kdcinfo.X.Y.LOCAL], [2][No such file or directory]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [remove_krb5_info_files] (0x0200): Could
not remove [/var/lib/sss/pubconf/kpasswdinfo.X.Y.LOCAL], [2][No such file or directory]
(Thu Jun 8 10:40:00 2017) [sssd[be[x.y.local]]] [sbus_dispatch] (0x0080): Connection is
not open for dispatching.
(Thu Jun 8 10:40:01 2017) [sssd[be[x.y.local]]] [sbus_dispatch] (0x0080): Connection is
not open for dispatching.
(Thu Jun 8 10:40:01 2017) [sssd[be[x.y.local]]] [sbus_dispatch] (0x0080): Connection is
not open for dispatching.
(Thu Jun 8 10:40:01 2017) [sssd[be[x.y.local]]] [remove_krb5_info_files] (0x0200): Could
not remove [/var/lib/sss/pubconf/kdcinfo.X.Y.LOCAL], [2][No such file or directory]
(Thu Jun 8 10:40:01 2017) [sssd[be[x.y.local]]] [remove_krb5_info_files] (0x0200): Could
not remove [/var/lib/sss/pubconf/kpasswdinfo.X.Y.LOCAL], [2][No such file or directory]
Capture when net ads join fails: .66 is the AD server and .109 is the CentOS machine.
Sanitized contents of sssd.conf, krb5.conf and smb.conf:
sssd.conf
[sssd]
domains = X.Y.LOCAL
services = nss, pam, sudo
config_file_version = 2
debug_level = 5
[nss]
[pam]
debug_level=5
[sudo]
debug_level=0
[domain/x.y.local]
debug_level=5
ad_server = AD-Server.x.y.local
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
ldap_use_tokengroups = False
krb5_realm = X.Y.LOCAL
ldap_uri = ldap://AD-Server.x.y.local
ldap_sudo_search_base
ldap_user_search_base
ldap_group_search_base
ldap_access_order = filter, expire
ad_access_filter =
cache_credentials = true
override_homedir = /home/%d/%u
default_shell = /bin/bash
krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = X.Y.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes
[realms]
X.Y.LOCAL = {
kdc = AD-Server.x.y.local:88
admin_server = AD-Server.x.y.local:749
}
[domain_realm]
.x.y.local = X.Y.LOCAL
x.y.local = X.Y.LOCAL
smb.conf
[global]
workgroup = X
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = X.Y.LOCAL
security = ads
log file = /var/log/samba/log.%m
max log size = 50
min protocol = SMB2
Thanks,
~ abhi
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
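Added example, not code from the thread or from SSSD: a small triage parser for the sssd_domain.log format shown above. It re-joins entries that the mail client wrapped across lines, keeps failures at level 0x0040 (serious) or below, and separately pulls out the sdap_kinit_done "Could not get TGT" line, which is logged at the config level (0x0100) and so is missed if you only look at the critical entries. The sample log is constructed from the lines quoted in the thread; the level meanings follow sssd.conf(5).

```python
import re

# SSSD debug levels from sssd.conf(5): 0x0010 fatal, 0x0020 critical, 0x0040 serious,
# 0x0080 minor, 0x0100 config, 0x0200 function data. 0x0040 and below are failures.
FAILURE_MAX = 0x0040
# One entry: "(timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message"
ENTRY_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<comp>[^\[\]]+)(?:\[[^\]]+\])?\]\] "
    r"\[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")

def join_wrapped(lines):
    """Re-join entries a mail client wrapped: a line not starting with '(' continues the previous one."""
    joined = []
    for line in (l.strip() for l in lines if l.strip()):
        if line.startswith("(") or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line
    return joined

def parse(text):
    out = []
    for raw in join_wrapped(text.splitlines()):
        m = ENTRY_RE.match(raw)
        if m:
            out.append({"ts": m["ts"], "func": m["func"],
                        "level": int(m["lvl"], 16), "msg": m["msg"]})
    return out

def triage(text):
    """Failures (0x0040 or below) plus the kinit result logged earlier at config level
    (0x0100); grepping for the failure levels alone never shows that root cause."""
    entries = parse(text)
    return {
        "entries": len(entries),
        "failures": [e for e in entries if e["level"] <= FAILURE_MAX],
        "kinit": [e["msg"] for e in entries
                  if e["func"] == "sdap_kinit_done" and e["msg"].startswith("Could not get TGT")],
    }

# Constructed sample: three entries in the wrapped form seen in the thread above.
SAMPLE_LOG = """\
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_kinit_done] (0x0100): Could not
get TGT: 14 [Bad address]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]]
[sdap_cli_connect_recv] (0x0040): Unable to establish connection [13]: Permission denied
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_run_offline_cb] (0x0080): Going
offline. Running callbacks.
"""
```

Run `triage(open("/var/log/sssd/sssd_x.y.local.log").read())` on the real file; the path is an assumption based on the domain name in the thread.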