Hi,
We're getting this referral-related error in our sssd installation. Some environment information:
* CentOS 6.6 clients, sssd v1.11.6
* Windows 2012R2 domain controllers, 2008R2 functional level, single domain forest. Let's call it ad.example.com.
* We have one-way trusts to several other domains/forests, a.foo.com, b.bar.com and c.baz.com
We've joined the clients with adcli, and we can successfully authenticate with accounts from the ad.example.com domain. It is also possible to
    kinit myuser@A.FOO.COM
but this fails:
    getent passwd myuser@a.foo.com
Looking at the logs (after setting debug_level=8), I can see this error message:
(Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: sh[0xda3140], connected[1], ops[0xda1480], ldap[0xda3720]
(Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
ref 1: 'a.foo.com'
(Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
ref 1: 'a.foo.com'
(Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
(Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(There's also a row slightly after, "[ad_account_info_complete] (0x0010): Bug: dp_error is OK on failed request", unclear if this is related, or actually a separate bug)
I first interpreted this as indicating that I needed to allow referral chasing, but when I turn that on (via ldap_referrals = true), aside from taking much longer, it still errors:
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: sh[0xe4b9b0], connected[1], ops[0xe4c540], ldap[0xe50a40]
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://a.foo.com/dc=a,dc=foo,dc=com] with fd [25].
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_rebind_proc] (0x0020): ldap_sasl_interactive_bind_s failed (-2)[Local error]
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_rebind_proc] (0x1000): Failed to bind to [ldap://a.foo.com/dc=a,dc=foo,dc=com].
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
ref 1: 'a.foo.com'
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
ref 1: 'a.foo.com'
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
I also suspected networking issues for a while, but a Windows client on the same subnet can authenticate fine (we only do subnet filtering in our firewalls).
Here are my configuration files:
sssd.conf:
[sssd]
services = nss, pam, ssh, autofs
config_file_version = 2
domains = AD.EXAMPLE.COM

[nss]
override_homedir = /home/%d/%u
override_shell = /bin/bash

[domain/AD.EXAMPLE.COM]
debug_level = 8
id_provider = ad
use_fully_qualified_names = TRUE
krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = AD.EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

# I found documentation indicating that these should be commented out while troubleshooting
# Commenting in/out does not seem to affect the problem, however.
[realms]
# AD.EXAMPLE.COM = {
#  kdc = ad102.ad.example.com
#  kdc = ad201.ad.example.com
#  admin_server = ad201.ad.example.com
# }

[domain_realm]
# .ad.example.com = AD.EXAMPLE.COM
# ad.example.com = AD.EXAMPLE.COM
What have we done wrong?
Best regards,
Carl