8:35 a.m.
Hi all,
I'm encountering an issue after upgrading to Samba 4.12.2. I can no longer
login with an Active Directory account from a terminal or gnome. I'm
prompted with a "System error" message.
When I downgrade to samba 4.11.3 everything works fine. AD authentication
works OK with the same account from a Windows machine.
"getent passwd my_username" works well, as "getent passwd
<group>". kinit
my_username(a)DOMAIN.NET works OK too. Logging in in with "su <username>"
from a local account works too.
SSSD version: 2.2.3. This is from an Arch Linux package, that has been
patched
<https://git.archlinux.org/svntogit/community.git/tree/trunk?h=packages/ss...
by its maintainer for compatibility with Samba 4.12 (I also compiled sssd
from the current git source code, but encountered the same cryptic error.)
Samba version: 4.12.2
Operating system: Arch Linux (fully upgraded)
Any idea how I could fix this / investigate this further? Please find
sssd.conf and logs below - I couldn't find anything interesting in there
but I'm no expert :)
Thanks a lot!
=== sssd.conf ===
[sssd]
config_file_version = 2
domains = domain.net
services = nss, pam
debug_level = 6
[domain/domain.net]
ad_hostname = computer.domain.net
krb5_realm = DOMAIN.NET
cache_credentials = true
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ldap_schema = ad
default_shell = /bin/zsh
fallback_homedir = /home/DOMAIN/%u
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
debug_level = 6
#enumerate = true
[pam]
debug_level = 6
[nss]
debug_level = 6
=== sssd_domain.net.log ===
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[dp_get_account_info_send] (0x0200): Got request for
[0x3][BE_REQ_INITGROUPS][name=my_username(a)domain.net]
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req] (0x0400):
DP Request [Initgroups #17]: New request. Flags [0x0001].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req] (0x0400):
Number of active DP request: 1
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_initgr_next_base] (0x0400): Searching for users with base
[DC=domain,DC=net]
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(sAMAccountName=my_username)(objectclass=user)(objectSID=*))][DC=domain,DC=net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
(0x0400): Save user
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_get_primary_name]
(0x0400): Processing object MY_USERNAME
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
(0x0400): Processing user MY_USERNAME(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
(0x0400): Adding original memberOf attributes to [MY_USERNAME(a)domain.net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
(0x0400): Adding user principal [MY_USERNAME(a)DOMAIN.NET] to attributes of [
MY_USERNAME(a)domain.net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
(0x0400): Storing info for user MY_USERNAME(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_set_entry_attr]
(0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=domain.net,cn=sysdb]
has set [ts_cache] attrs.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_store_user]
(0x0400): User "MY_USERNAME(a)domain.net" has been stored
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no
filter][CN=My Username,OU=Users,DC=domain,DC=net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_idmap_sid_to_unix]
(0x0400): Object SID [S-1-5-32-545] is a built-in one.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_ad_save_group_membership_with_idmapping] (0x0400): Skipping built-in
object.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_get_initgr_done]
(0x0400): Primary group already cached, nothing to do.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_done] (0x0400):
DP Request [Initgroups #17]: Request handler finished [0]: Success
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [_dp_req_recv] (0x0400):
DP Request [Initgroups #17]: Receiving request data.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
(0x0400): DP Request [Initgroups #17]: Request removed.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
(0x0400): Number of active DP request: 0
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[dp_get_account_info_initgroups_step] (0x0400): Ordering NSS responder to
update memory cache
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_set_entry_attr]
(0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=domain.net,cn=sysdb]
has set [ts_cache] attrs.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sbus_issue_request_done]
(0x0400): sssd.dataprovider.getAccountInfo: Success
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_pam_handler_send]
(0x0100): Got request with the following data
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): command: SSS_PAM_AUTHENTICATE
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): domain: domain.net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): user: MY_USERNAME(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): service: login
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): tty: tty4
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): ruser:
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): rhost:
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): authtok type: 1
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): priv: 1
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): cli_pid: 70306
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): logon name: not set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): flags: 0
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req] (0x0400):
DP Request [PAM Authenticate #18]: New request. Flags [0000].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req] (0x0400):
Number of active DP request: 1
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [krb5_auth_send]
(0x0100): Domain directory for user [MY_USERNAME(a)domain.net] not known.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'AD'
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [resolve_srv_send]
(0x0200): The status of SRV lookup is resolved
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[be_resolve_server_process] (0x0200): Found address for server
ADDC.domain.net: [192.168.5.4] TTL 900
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [write_pipe_handler]
(0x0400): All data has been sent!
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [child_sig_handler]
(0x0100): child [71170] finished successfully.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [read_pipe_handler]
(0x0400): EOF received, client finished
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [fo_set_port_status]
(0x0100): Marking port 389 of server 'ADDC.domain.net' as 'working'
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[set_server_common_status] (0x0100): Marking server 'ADDC.domain.net' as
'working'
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [fo_set_port_status]
(0x0400): Marking port 389 of duplicate server 'ADDC.domain.net' as
'working'
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_set_entry_attr]
(0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=domain.net,cn=sysdb]
has set [cache, ts_cache] attrs.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_set_entry_attr]
(0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=domain.net,cn=sysdb]
has set [cache, ts_cache] attrs.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_done] (0x0400):
DP Request [PAM Authenticate #18]: Request handler finished [0]: Success
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [_dp_req_recv] (0x0400):
DP Request [PAM Authenticate #18]: Receiving request data.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
(0x0400): DP Request [PAM Authenticate #18]: Request removed.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
(0x0400): Number of active DP request: 0
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_method_enabled]
(0x0400): Target selinux is not configured
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sbus_issue_request_done]
(0x0400): sssd.dataprovider.pamHandler: Success
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_pam_handler_send]
(0x0100): Got request with the following data
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): command: SSS_PAM_ACCT_MGMT
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): domain: domain.net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): user: MY_USERNAME(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): service: login
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): tty: tty4
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): ruser:
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): rhost:
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): authtok type: 0
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): priv: 1
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): cli_pid: 70306
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): logon name: not set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): flags: 0
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req] (0x0400):
DP Request [PAM Account #19]: New request. Flags [0000].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req] (0x0400):
Number of active DP request: 1
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_access_send]
(0x0400): Performing access check for user [MY_USERNAME(a)domain.net]
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_account_expired_ad]
(0x0400): Performing AD access check for user [MY_USERNAME(a)domain.net]
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_access_send]
(0x0400): service login maps to Interactive
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_connect_done]
(0x0400): sam_account_name is COMPUTER$
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectclass=user)(sAMAccountName=COMPUTER$))][dc=domain,dc=net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[objectclass=domain][DC=domain,DC=net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_master_domain_next_done] (0x0400): Found SID
[S-1-5-21-3635097336-3991203712-2063481127].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(DnsDomain=domain.net)(NtVer=\14\00\00\00))][].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_master_domain_netlogon_done] (0x0400): Found flat name [DOMAIN].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_master_domain_netlogon_done] (0x0400): Found site [Domain].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_master_domain_netlogon_done] (0x0400): Found forest [domain.net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_site_name_retrieval_done] (0x0400): Using AD site 'cn=Domain'.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectclass=*)][].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is
OU=Computers,DC=domain,DC=net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is
DC=domain,DC=net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is
cn=Domain,cn=Sites,CN=Configuration,DC=domain,DC=net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectclass=*)][OU=Computers,DC=domain,DC=net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_populate_gplink_list] (0x0400): som_dn:
OU=Computers,DC=domain,DC=net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectclass=*)][DC=domain,DC=net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=domain,DC=net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectclass=*)][cn=Domain,cn=Sites,CN=Configuration,DC=domain,DC=net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn:
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn:
cn={6FF5E2F5-D491-45A1-9432-5AB497AEF031},cn=policies,cn=system,DC=domain,DC=net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_sd_search_send]
(0x0400): Searching entry
[CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=net]
using SD
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because
scope is set to base.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectclass=*)][CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_parse_sd]
(0x0020): Failed to pull security descriptor
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_sd_process_attrs]
(0x0040): ad_gpo_parse_sd() failed
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_process_gpo_done]
(0x0040): Unable to get GPO list: [22](Invalid argument)
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_access_done]
(0x0040): GPO-based access control failed.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_done] (0x0400):
DP Request [PAM Account #19]: Request handler finished [0]: Success
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [_dp_req_recv] (0x0400):
DP Request [PAM Account #19]: Receiving request data.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
(0x0400): DP Request [PAM Account #19]: Request removed.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
(0x0400): Number of active DP request: 0
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_method_enabled]
(0x0400): Target selinux is not configured
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sbus_issue_request_done]
(0x0400): sssd.dataprovider.pamHandler: Success
=== sssd_pam.log ====
(Fri May 8 15:10:10 2020) [sssd[pam]] [get_client_cred] (0x0080): The
following failure is expected to happen in case SELinux is disabled:
SELINUX_getpeercon failed [95][Operation not supported].
Please, consider enabling SELinux in your system.
(Fri May 8 15:10:10 2020) [sssd[pam]] [accept_fd_handler] (0x0400): Client
[0x5606d6371860][19] connected to privileged pipe!
(Fri May 8 15:10:10 2020) [sssd[pam]] [sss_cmd_get_version] (0x0200):
Received client version [3].
(Fri May 8 15:10:10 2020) [sssd[pam]] [sss_cmd_get_version] (0x0200):
Offered version [3].
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_cmd_authenticate] (0x0100):
entering pam_cmd_authenticate
(Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
(0x0200): name 'my_username' matched without domain, user is my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): command:
SSS_PAM_AUTHENTICATE
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): domain:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): user:
my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): service:
login
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): tty: tty4
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): ruser:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): rhost:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): authtok
type: 1
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
70306
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): logon
name: my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): flags: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_send] (0x0400): CR #12:
New request 'Initgroups by name'
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_process_input] (0x0400):
CR #12: Parsing input name [my_username]
(Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
(0x0200): name 'my_username' matched without domain, user is my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_name] (0x0400): CR
#12: Setting name [my_username]
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_select_domains] (0x0400):
CR #12: Performing a multi-domain search
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_domains] (0x0400):
CR #12: Search will bypass the cache and check the data provider
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_domain] (0x0400): CR
#12: Using domain [domain.net]
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_prepare_domain_data]
(0x0400): CR #12: Preparing input data for domain [domain.net] rules
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_send] (0x0400): CR
#12: Looking up my_username(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache] (0x0400):
CR #12: Checking negative cache for [my_username(a)domain.net]
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache] (0x0400):
CR #12: [my_username(a)domain.net] is not present in negative cache
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_dp] (0x0400): CR
#12: Looking up [my_username(a)domain.net] in data provider
(Fri May 8 15:10:10 2020) [sssd[pam]] [sss_dp_get_account_send] (0x0400):
Creating request for [domain.net
][0x3][BE_REQ_INITGROUPS][name=my_username@domain.net:-]
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_cache] (0x0400):
CR #12: Looking up [my_username(a)domain.net] in cache
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache_filter]
(0x0400): CR #12: This request type does not support filtering result by
negative cache
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_done] (0x0400): CR
#12: Returning updated object [my_username(a)domain.net]
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_create_and_add_result]
(0x0400): CR #12: Found 4 entries in domain domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_done] (0x0400): CR #12:
Finished: Success
(Fri May 8 15:10:10 2020) [sssd[pam]] [pd_set_primary_name] (0x0400):
User's primary name is my_username(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
request with the following data:
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): command:
SSS_PAM_AUTHENTICATE
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): domain:
domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): user:
my_username(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): service:
login
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): tty: tty4
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): ruser:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): rhost:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): authtok
type: 1
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
70306
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): logon
name: my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): flags: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dom_forwarder] (0x0100):
pam_dp_send_req returned 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req_done] (0x0200):
received: [0 (Success)][domain.net]
(Fri May 8 15:10:10 2020) [sssd[pam]] [sysdb_set_entry_attr] (0x0200):
Entry [name=my_username(a)domain.net,cn=users,cn=domain.net,cn=sysdb] has set
[cache, ts_cache] attrs.
(Fri May 8 15:10:10 2020) [sssd[pam]] [filter_responses] (0x0100):
[pam_response_filter] not available, not fatal.
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200): blen: 85
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200): Returning [0]:
Success to the client
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100):
entering pam_cmd_acct_mgmt
(Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
(0x0200): name 'my_username' matched without domain, user is my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): command:
SSS_PAM_ACCT_MGMT
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): domain:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): user:
my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): service:
login
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): tty: tty4
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): ruser:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): rhost:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): authtok
type: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
70306
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): logon
name: my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): flags: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_send] (0x0400): CR #13:
New request 'Initgroups by name'
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_process_input] (0x0400):
CR #13: Parsing input name [my_username]
(Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
(0x0200): name 'my_username' matched without domain, user is my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_name] (0x0400): CR
#13: Setting name [my_username]
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_select_domains] (0x0400):
CR #13: Performing a multi-domain search
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_domains] (0x0400):
CR #13: Search will check the cache and check the data provider
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_domain] (0x0400): CR
#13: Using domain [domain.net]
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_prepare_domain_data]
(0x0400): CR #13: Preparing input data for domain [domain.net] rules
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_send] (0x0400): CR
#13: Looking up my_username(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache] (0x0400):
CR #13: Checking negative cache for [my_username(a)domain.net]
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache] (0x0400):
CR #13: [my_username(a)domain.net] is not present in negative cache
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_cache] (0x0400):
CR #13: Looking up [my_username(a)domain.net] in cache
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_send] (0x0400): CR
#13: Returning [my_username(a)domain.net] from cache
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache_filter]
(0x0400): CR #13: This request type does not support filtering result by
negative cache
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_create_and_add_result]
(0x0400): CR #13: Found 4 entries in domain domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_done] (0x0400): CR #13:
Finished: Success
(Fri May 8 15:10:10 2020) [sssd[pam]] [pd_set_primary_name] (0x0400):
User's primary name is my_username(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
request with the following data:
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): command:
SSS_PAM_ACCT_MGMT
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): domain:
domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): user:
my_username(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): service:
login
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): tty: tty4
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): ruser:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): rhost:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): authtok
type: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
70306
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): logon
name: my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): flags: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dom_forwarder] (0x0100):
pam_dp_send_req returned 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req_done] (0x0200):
received: [4 (System error)][domain.net]
(Fri May 8 15:10:10 2020) [sssd[pam]] [filter_responses] (0x0100):
[pam_response_filter] not available, not fatal.
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200): blen: 31
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200): Returning [4]:
System error to the client
(Fri May 8 15:10:10 2020) [sssd[pam]] [client_recv] (0x0200): Client
disconnected!
8:09 p.m.
New subject: System error when trying to login into an AD after upgrading to Samba 4.12.2
On 5/8/20 7:35 AM, Thibault Boyeux wrote:
Hi all,
I'm encountering an issue after upgrading to Samba 4.12.2. I can no
longer login with an Active Directory account from a terminal or gnome.
I'm prompted with a "System error" message.
When I downgrade to samba 4.11.3 everything works fine. AD
authentication works OK with the same account from a Windows machine.
"getent passwd my_username" works well, as "getent passwd
<group>".
kinit my_username(a)DOMAIN.NET <http://DOMAIN.NET> works OK too. Logging
in in with "su <username>" from a local account works too.
SSSD version: 2.2.3. This is from an Arch Linux package, that has been
patched
<https://git.archlinux.org/svntogit/community.git/tree/trunk?h=packages/ss...
by its maintainer for compatibility with Samba 4.12 (I also compiled
sssd from the current git source code, but encountered the same cryptic
error.)
Samba version: 4.12.2
Operating system: Arch Linux (fully upgraded)
Any idea how I could fix this / investigate this further? Please find
sssd.conf and logs below - I couldn't find anything interesting in there
but I'm no expert :)
It looks like your sssd_domain.log snippet is missing the lines from the
second SSS_PAM_ACCT_MGMT request which is the one that failed.
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 https://www.nwra.com/
4:06 a.m.
New subject: System error when trying to login into an AD after upgrading to Samba 4.12.2
On Fri, May 08, 2020 at 03:35:56PM +0200, Thibault Boyeux wrote:
Hi all,
I'm encountering an issue after upgrading to Samba 4.12.2. I can no longer
login with an Active Directory account from a terminal or gnome. I'm
prompted with a "System error" message.
When I downgrade to samba 4.11.3 everything works fine. AD authentication
works OK with the same account from a Windows machine.
"getent passwd my_username" works well, as "getent passwd
<group>". kinit
my_username(a)DOMAIN.NET works OK too. Logging in in with "su <username>"
from a local account works too.
SSSD version: 2.2.3. This is from an Arch Linux package, that has been
patched
<https://git.archlinux.org/svntogit/community.git/tree/trunk?h=packages/ss...
by its maintainer for compatibility with Samba 4.12 (I also compiled sssd
from the current git source code, but encountered the same cryptic error.)
Samba version: 4.12.2
Operating system: Arch Linux (fully upgraded)
Hi,
do I understand correctly that you recompiled SSSD after updating Samba
to version 4.12.2 or did you use the same SSSD binary you used with
Samba 4.11.3?
According to the logs the error most probably happened in
ad_gpo_ndr_pull_security_descriptor(). Can you step through this
function with gdb to see which operation failed (please add 'timeout =
999999' to the [domain/...] section of sssd.conf to not run into issues
with the watchdog and gdb)? If not I can try to reproduce this locally.
bye,
Sumit
Any idea how I could fix this / investigate this further? Please find
sssd.conf and logs below - I couldn't find anything interesting in there
but I'm no expert :)
Thanks a lot!
=== sssd.conf ===
[sssd]
config_file_version = 2
domains = domain.net
services = nss, pam
debug_level = 6
[domain/domain.net]
ad_hostname = computer.domain.net
krb5_realm = DOMAIN.NET
cache_credentials = true
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ldap_schema = ad
default_shell = /bin/zsh
fallback_homedir = /home/DOMAIN/%u
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
debug_level = 6
#enumerate = true
[pam]
debug_level = 6
[nss]
debug_level = 6
=== sssd_domain.net.log ===
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[dp_get_account_info_send] (0x0200): Got request for
[0x3][BE_REQ_INITGROUPS][name=my_username(a)domain.net]
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req] (0x0400):
DP Request [Initgroups #17]: New request. Flags [0x0001].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req] (0x0400):
Number of active DP request: 1
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_initgr_next_base] (0x0400): Searching for users with base
[DC=domain,DC=net]
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(sAMAccountName=my_username)(objectclass=user)(objectSID=*))][DC=domain,DC=net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
(0x0400): Save user
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_get_primary_name]
(0x0400): Processing object MY_USERNAME
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
(0x0400): Processing user MY_USERNAME(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
(0x0400): Adding original memberOf attributes to [MY_USERNAME(a)domain.net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
(0x0400): Adding user principal [MY_USERNAME(a)DOMAIN.NET] to attributes of [
MY_USERNAME(a)domain.net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
(0x0400): Storing info for user MY_USERNAME(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_set_entry_attr]
(0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=domain.net,cn=sysdb]
has set [ts_cache] attrs.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_store_user]
(0x0400): User "MY_USERNAME(a)domain.net" has been stored
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no
filter][CN=My Username,OU=Users,DC=domain,DC=net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_idmap_sid_to_unix]
(0x0400): Object SID [S-1-5-32-545] is a built-in one.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_ad_save_group_membership_with_idmapping] (0x0400): Skipping built-in
object.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_get_initgr_done]
(0x0400): Primary group already cached, nothing to do.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_done] (0x0400):
DP Request [Initgroups #17]: Request handler finished [0]: Success
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [_dp_req_recv] (0x0400):
DP Request [Initgroups #17]: Receiving request data.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
(0x0400): DP Request [Initgroups #17]: Request removed.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
(0x0400): Number of active DP request: 0
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[dp_get_account_info_initgroups_step] (0x0400): Ordering NSS responder to
update memory cache
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_set_entry_attr]
(0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=domain.net,cn=sysdb]
has set [ts_cache] attrs.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sbus_issue_request_done]
(0x0400): sssd.dataprovider.getAccountInfo: Success
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_pam_handler_send]
(0x0100): Got request with the following data
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): command: SSS_PAM_AUTHENTICATE
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): domain: domain.net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): user: MY_USERNAME(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): service: login
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): tty: tty4
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): ruser:
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): rhost:
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): authtok type: 1
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): priv: 1
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): cli_pid: 70306
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): logon name: not set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): flags: 0
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req] (0x0400):
DP Request [PAM Authenticate #18]: New request. Flags [0000].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req] (0x0400):
Number of active DP request: 1
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [krb5_auth_send]
(0x0100): Domain directory for user [MY_USERNAME(a)domain.net] not known.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'AD'
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [resolve_srv_send]
(0x0200): The status of SRV lookup is resolved
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[be_resolve_server_process] (0x0200): Found address for server
ADDC.domain.net: [192.168.5.4] TTL 900
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [write_pipe_handler]
(0x0400): All data has been sent!
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [child_sig_handler]
(0x0100): child [71170] finished successfully.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [read_pipe_handler]
(0x0400): EOF received, client finished
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [fo_set_port_status]
(0x0100): Marking port 389 of server 'ADDC.domain.net' as 'working'
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[set_server_common_status] (0x0100): Marking server 'ADDC.domain.net' as
'working'
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [fo_set_port_status]
(0x0400): Marking port 389 of duplicate server 'ADDC.domain.net' as
'working'
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_set_entry_attr]
(0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=domain.net,cn=sysdb]
has set [cache, ts_cache] attrs.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_set_entry_attr]
(0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=domain.net,cn=sysdb]
has set [cache, ts_cache] attrs.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_done] (0x0400):
DP Request [PAM Authenticate #18]: Request handler finished [0]: Success
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [_dp_req_recv] (0x0400):
DP Request [PAM Authenticate #18]: Receiving request data.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
(0x0400): DP Request [PAM Authenticate #18]: Request removed.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
(0x0400): Number of active DP request: 0
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_method_enabled]
(0x0400): Target selinux is not configured
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sbus_issue_request_done]
(0x0400): sssd.dataprovider.pamHandler: Success
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_pam_handler_send]
(0x0100): Got request with the following data
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): command: SSS_PAM_ACCT_MGMT
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): domain: domain.net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): user: MY_USERNAME(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): service: login
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): tty: tty4
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): ruser:
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): rhost:
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): authtok type: 0
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): priv: 1
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): cli_pid: 70306
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): logon name: not set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
(0x0100): flags: 0
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req] (0x0400):
DP Request [PAM Account #19]: New request. Flags [0000].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req] (0x0400):
Number of active DP request: 1
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_access_send]
(0x0400): Performing access check for user [MY_USERNAME(a)domain.net]
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_account_expired_ad]
(0x0400): Performing AD access check for user [MY_USERNAME(a)domain.net]
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_access_send]
(0x0400): service login maps to Interactive
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_connect_done]
(0x0400): sam_account_name is COMPUTER$
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectclass=user)(sAMAccountName=COMPUTER$))][dc=domain,dc=net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[objectclass=domain][DC=domain,DC=net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_master_domain_next_done] (0x0400): Found SID
[S-1-5-21-3635097336-3991203712-2063481127].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(DnsDomain=domain.net)(NtVer=\14\00\00\00))][].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_master_domain_netlogon_done] (0x0400): Found flat name [DOMAIN].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_master_domain_netlogon_done] (0x0400): Found site [Domain].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_master_domain_netlogon_done] (0x0400): Found forest [domain.net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_site_name_retrieval_done] (0x0400): Using AD site 'cn=Domain'.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectclass=*)][].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is
OU=Computers,DC=domain,DC=net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is
DC=domain,DC=net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is
cn=Domain,cn=Sites,CN=Configuration,DC=domain,DC=net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectclass=*)][OU=Computers,DC=domain,DC=net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_populate_gplink_list] (0x0400): som_dn:
OU=Computers,DC=domain,DC=net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectclass=*)][DC=domain,DC=net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=domain,DC=net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectclass=*)][cn=Domain,cn=Sites,CN=Configuration,DC=domain,DC=net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next SOM
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn:
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn:
cn={6FF5E2F5-D491-45A1-9432-5AB497AEF031},cn=policies,cn=system,DC=domain,DC=net
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_sd_search_send]
(0x0400): Searching entry
[CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=net]
using SD
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because
scope is set to base.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectclass=*)][CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=net].
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_parse_sd]
(0x0020): Failed to pull security descriptor
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_sd_process_attrs]
(0x0040): ad_gpo_parse_sd() failed
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_process_gpo_done]
(0x0040): Unable to get GPO list: [22](Invalid argument)
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_access_done]
(0x0040): GPO-based access control failed.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_done] (0x0400):
DP Request [PAM Account #19]: Request handler finished [0]: Success
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [_dp_req_recv] (0x0400):
DP Request [PAM Account #19]: Receiving request data.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
(0x0400): DP Request [PAM Account #19]: Request removed.
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
(0x0400): Number of active DP request: 0
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_method_enabled]
(0x0400): Target selinux is not configured
(Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sbus_issue_request_done]
(0x0400): sssd.dataprovider.pamHandler: Success
=== sssd_pam.log ====
(Fri May 8 15:10:10 2020) [sssd[pam]] [get_client_cred] (0x0080): The
following failure is expected to happen in case SELinux is disabled:
SELINUX_getpeercon failed [95][Operation not supported].
Please, consider enabling SELinux in your system.
(Fri May 8 15:10:10 2020) [sssd[pam]] [accept_fd_handler] (0x0400): Client
[0x5606d6371860][19] connected to privileged pipe!
(Fri May 8 15:10:10 2020) [sssd[pam]] [sss_cmd_get_version] (0x0200):
Received client version [3].
(Fri May 8 15:10:10 2020) [sssd[pam]] [sss_cmd_get_version] (0x0200):
Offered version [3].
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_cmd_authenticate] (0x0100):
entering pam_cmd_authenticate
(Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
(0x0200): name 'my_username' matched without domain, user is my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): command:
SSS_PAM_AUTHENTICATE
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): domain:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): user:
my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): service:
login
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): tty: tty4
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): ruser:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): rhost:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): authtok
type: 1
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
70306
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): logon
name: my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): flags: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_send] (0x0400): CR #12:
New request 'Initgroups by name'
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_process_input] (0x0400):
CR #12: Parsing input name [my_username]
(Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
(0x0200): name 'my_username' matched without domain, user is my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_name] (0x0400): CR
#12: Setting name [my_username]
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_select_domains] (0x0400):
CR #12: Performing a multi-domain search
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_domains] (0x0400):
CR #12: Search will bypass the cache and check the data provider
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_domain] (0x0400): CR
#12: Using domain [domain.net]
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_prepare_domain_data]
(0x0400): CR #12: Preparing input data for domain [domain.net] rules
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_send] (0x0400): CR
#12: Looking up my_username(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache] (0x0400):
CR #12: Checking negative cache for [my_username(a)domain.net]
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache] (0x0400):
CR #12: [my_username(a)domain.net] is not present in negative cache
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_dp] (0x0400): CR
#12: Looking up [my_username(a)domain.net] in data provider
(Fri May 8 15:10:10 2020) [sssd[pam]] [sss_dp_get_account_send] (0x0400):
Creating request for [domain.net
][0x3][BE_REQ_INITGROUPS][name=my_username@domain.net:-]
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_cache] (0x0400):
CR #12: Looking up [my_username(a)domain.net] in cache
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache_filter]
(0x0400): CR #12: This request type does not support filtering result by
negative cache
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_done] (0x0400): CR
#12: Returning updated object [my_username(a)domain.net]
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_create_and_add_result]
(0x0400): CR #12: Found 4 entries in domain domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_done] (0x0400): CR #12:
Finished: Success
(Fri May 8 15:10:10 2020) [sssd[pam]] [pd_set_primary_name] (0x0400):
User's primary name is my_username(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
request with the following data:
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): command:
SSS_PAM_AUTHENTICATE
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): domain:
domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): user:
my_username(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): service:
login
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): tty: tty4
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): ruser:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): rhost:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): authtok
type: 1
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
70306
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): logon
name: my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): flags: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dom_forwarder] (0x0100):
pam_dp_send_req returned 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req_done] (0x0200):
received: [0 (Success)][domain.net]
(Fri May 8 15:10:10 2020) [sssd[pam]] [sysdb_set_entry_attr] (0x0200):
Entry [name=my_username(a)domain.net,cn=users,cn=domain.net,cn=sysdb] has set
[cache, ts_cache] attrs.
(Fri May 8 15:10:10 2020) [sssd[pam]] [filter_responses] (0x0100):
[pam_response_filter] not available, not fatal.
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200): blen: 85
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200): Returning [0]:
Success to the client
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100):
entering pam_cmd_acct_mgmt
(Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
(0x0200): name 'my_username' matched without domain, user is my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): command:
SSS_PAM_ACCT_MGMT
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): domain:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): user:
my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): service:
login
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): tty: tty4
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): ruser:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): rhost:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): authtok
type: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
70306
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): logon
name: my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): flags: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_send] (0x0400): CR #13:
New request 'Initgroups by name'
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_process_input] (0x0400):
CR #13: Parsing input name [my_username]
(Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
(0x0200): name 'my_username' matched without domain, user is my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_name] (0x0400): CR
#13: Setting name [my_username]
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_select_domains] (0x0400):
CR #13: Performing a multi-domain search
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_domains] (0x0400):
CR #13: Search will check the cache and check the data provider
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_domain] (0x0400): CR
#13: Using domain [domain.net]
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_prepare_domain_data]
(0x0400): CR #13: Preparing input data for domain [domain.net] rules
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_send] (0x0400): CR
#13: Looking up my_username(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache] (0x0400):
CR #13: Checking negative cache for [my_username(a)domain.net]
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache] (0x0400):
CR #13: [my_username(a)domain.net] is not present in negative cache
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_cache] (0x0400):
CR #13: Looking up [my_username(a)domain.net] in cache
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_send] (0x0400): CR
#13: Returning [my_username(a)domain.net] from cache
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache_filter]
(0x0400): CR #13: This request type does not support filtering result by
negative cache
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_create_and_add_result]
(0x0400): CR #13: Found 4 entries in domain domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_done] (0x0400): CR #13:
Finished: Success
(Fri May 8 15:10:10 2020) [sssd[pam]] [pd_set_primary_name] (0x0400):
User's primary name is my_username(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending
request with the following data:
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): command:
SSS_PAM_ACCT_MGMT
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): domain:
domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): user:
my_username(a)domain.net
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): service:
login
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): tty: tty4
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): ruser:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): rhost:
not set
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): authtok
type: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
70306
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): logon
name: my_username
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): flags: 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dom_forwarder] (0x0100):
pam_dp_send_req returned 0
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req_done] (0x0200):
received: [4 (System error)][domain.net]
(Fri May 8 15:10:10 2020) [sssd[pam]] [filter_responses] (0x0100):
[pam_response_filter] not available, not fatal.
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200): blen: 31
(Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200): Returning [4]:
System error to the client
(Fri May 8 15:10:10 2020) [sssd[pam]] [client_recv] (0x0200): Client
disconnected!
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
9:55 a.m.
New subject: System error when trying to login into an AD after upgrading to Samba 4.12.2
Hi Sumit
Thanks a lot for your email. Apologies for the late answer, it took me a
little time to get used to how gdb works ;)
Anyway, after debugging the latest git version, it looks like the issue
systematically happens line 237 of *ad_gpo_ndr.c, *in the
*ndr_pull_security_ace_object_ctr()* method, calling Samba's new
ndr_pull_steal_switch_value method (introduced in 4.12 according to this
<https://github.com/SSSD/sssd/pull/976>):
237: NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level));
This check systematically returns NDR_ERR_TOKEN (instead, I guess, of
NDR_ERR_SUCCESS), which then makes all other methods fail in the following
order: ndr_pull_security_ace() (line 320), ndr_pull_security_acl() (line
372) and ad_gpo_ndr_pull_security_descriptor() (line 513). See gdb logs
below
Anything I could do to investigate this further?
Thanks again,
Best,
Thibault
Breakpoint 15, ndr_pull_security_ace_object_ctr (ndr=0x5581d6ddd5b0,
ndr_flags=512, r=0x5581d6e2147c) at src/providers/ad/ad_gpo_ndr.c:237
237 NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level));
(gdb) fin
Run till exit from #0 ndr_pull_security_ace_object_ctr
(ndr=0x5581d6ddd5b0, ndr_flags=512, r=0x5581d6e2147c) at
src/providers/ad/ad_gpo_ndr.c:237
0x00007f18aa8cf0d2 in ndr_pull_security_ace (ndr=0x5581d6ddd5b0,
ndr_flags=512, r=0x5581d6e21470) at src/providers/ad/ad_gpo_ndr.c:320
320 NDR_CHECK(ndr_pull_security_ace_object_ctr
Value returned is $123 = NDR_ERR_TOKEN
(gdb) fin
Run till exit from #0 0x00007f18aa8cf0d2 in ndr_pull_security_ace
(ndr=0x5581d6ddd5b0, ndr_flags=512, r=0x5581d6e21470) at
src/providers/ad/ad_gpo_ndr.c:320
0x00007f18aa8cf576 in ndr_pull_security_acl (ndr=0x5581d6ddd5b0,
ndr_flags=768, r=0x5581d6de3230) at src/providers/ad/ad_gpo_ndr.c:372
372 NDR_CHECK(ndr_pull_security_ace
Value returned is $124 = NDR_ERR_TOKEN
(gdb) fin
Run till exit from #0 0x00007f18aa8cf576 in ndr_pull_security_acl
(ndr=0x5581d6ddd5b0, ndr_flags=768, r=0x5581d6de3230) at
src/providers/ad/ad_gpo_ndr.c:372
0x00007f18aa8d03ee in ad_gpo_ndr_pull_security_descriptor
(ndr=0x5581d6ddd5b0, ndr_flags=768, r=0x7ffdec42d870) at
src/providers/ad/ad_gpo_ndr.c:513
513 NDR_CHECK(ndr_pull_security_acl(ndr,
Value returned is $125 = NDR_ERR_TOKEN
(gdb) fin
Run till exit from #0 0x00007f18aa8d03ee in
ad_gpo_ndr_pull_security_descriptor (ndr=0x5581d6ddd5b0, ndr_flags=768,
r=0x7ffdec42d870) at src/providers/ad/ad_gpo_ndr.c:513
0x00007f18aa8ca867 in ad_gpo_parse_sd (mem_ctx=0x5581d6e0cf50,
data=0x5581d6e171d0 "\001", length=256, _gpo_sd=0x5581d6e0cf50) at
src/providers/ad/ad_gpo.c:3925
3925 ndr_err = ad_gpo_ndr_pull_security_descriptor(ndr_pull,
Value returned is $126 = NDR_ERR_TOKEN
On Mon, May 11, 2020 at 11:07 AM Sumit Bose <sbose(a)redhat.com> wrote:
On Fri, May 08, 2020 at 03:35:56PM +0200, Thibault Boyeux wrote:
> Hi all,
>
> I'm encountering an issue after upgrading to Samba 4.12.2. I can no
longer
> login with an Active Directory account from a terminal or gnome. I'm
> prompted with a "System error" message.
>
> When I downgrade to samba 4.11.3 everything works fine. AD authentication
> works OK with the same account from a Windows machine.
>
> "getent passwd my_username" works well, as "getent passwd
<group>". kinit
> my_username(a)DOMAIN.NET works OK too. Logging in in with "su
<username>"
> from a local account works too.
>
> SSSD version: 2.2.3. This is from an Arch Linux package, that has been
> patched
> <
https://git.archlinux.org/svntogit/community.git/tree/trunk?h=packages/sssd
>
> by its maintainer for compatibility with Samba 4.12 (I also compiled sssd
> from the current git source code, but encountered the same cryptic
error.)
> Samba version: 4.12.2
> Operating system: Arch Linux (fully upgraded)
Hi,
do I understand correctly that you recompiled SSSD after updating Samba
to version 4.12.2 or did you use the same SSSD binary you used with
Samba 4.11.3?
According to the logs the error most probably happened in
ad_gpo_ndr_pull_security_descriptor(). Can you step through this
function with gdb to see which operation failed (please add 'timeout =
999999' to the [domain/...] section of sssd.conf to not run into issues
with the watchdog and gdb)? If not I can try to reproduce this locally.
bye,
Sumit
>
> Any idea how I could fix this / investigate this further? Please find
> sssd.conf and logs below - I couldn't find anything interesting in there
> but I'm no expert :)
>
> Thanks a lot!
>
> === sssd.conf ===
>
> [sssd]
> config_file_version = 2
> domains = domain.net
> services = nss, pam
> debug_level = 6
>
> [domain/domain.net]
> ad_hostname = computer.domain.net
> krb5_realm = DOMAIN.NET
> cache_credentials = true
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> chpass_provider = ad
> ldap_schema = ad
> default_shell = /bin/zsh
> fallback_homedir = /home/DOMAIN/%u
> dyndns_update = true
> dyndns_refresh_interval = 43200
> dyndns_update_ptr = true
> dyndns_ttl = 3600
> debug_level = 6
> #enumerate = true
>
> [pam]
> debug_level = 6
>
> [nss]
> debug_level = 6
>
>
> === sssd_domain.net.log ===
>
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [dp_get_account_info_send] (0x0200): Got request for
> [0x3][BE_REQ_INITGROUPS][name=my_username(a)domain.net]
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req]
(0x0400):
> DP Request [Initgroups #17]: New request. Flags [0x0001].
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req]
(0x0400):
> Number of active DP request: 1
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_get_initgr_next_base] (0x0400): Searching for users with base
> [DC=domain,DC=net]
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
>
[(&(sAMAccountName=my_username)(objectclass=user)(objectSID=*))][DC=domain,DC=net].
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
> (0x0400): Save user
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_primary_name]
> (0x0400): Processing object MY_USERNAME
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
> (0x0400): Processing user MY_USERNAME(a)domain.net
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
> (0x0400): Adding original memberOf attributes to [MY_USERNAME(a)domain.net
].
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
> (0x0400): Adding user principal [MY_USERNAME(a)DOMAIN.NET] to attributes
of [
> MY_USERNAME(a)domain.net].
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
> (0x0400): Storing info for user MY_USERNAME(a)domain.net
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_set_entry_attr]
> (0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=domain.net
,cn=sysdb]
> has set [ts_cache] attrs.
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_store_user]
> (0x0400): User "MY_USERNAME(a)domain.net" has been stored
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no
> filter][CN=My Username,OU=Users,DC=domain,DC=net].
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_idmap_sid_to_unix]
> (0x0400): Object SID [S-1-5-32-545] is a built-in one.
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_ad_save_group_membership_with_idmapping] (0x0400): Skipping
built-in
> object.
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_get_initgr_done]
> (0x0400): Primary group already cached, nothing to do.
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_done]
(0x0400):
> DP Request [Initgroups #17]: Request handler finished [0]: Success
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [_dp_req_recv]
(0x0400):
> DP Request [Initgroups #17]: Receiving request data.
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
> (0x0400): DP Request [Initgroups #17]: Request removed.
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
> (0x0400): Number of active DP request: 0
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [dp_get_account_info_initgroups_step] (0x0400): Ordering NSS responder to
> update memory cache
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_set_entry_attr]
> (0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=domain.net
,cn=sysdb]
> has set [ts_cache] attrs.
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sbus_issue_request_done]
> (0x0400): sssd.dataprovider.getAccountInfo: Success
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_pam_handler_send]
> (0x0100): Got request with the following data
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> (0x0100): command: SSS_PAM_AUTHENTICATE
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> (0x0100): domain: domain.net
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> (0x0100): user: MY_USERNAME(a)domain.net
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> (0x0100): service: login
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> (0x0100): tty: tty4
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> (0x0100): ruser:
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> (0x0100): rhost:
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> (0x0100): authtok type: 1
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> (0x0100): newauthtok type: 0
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> (0x0100): priv: 1
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> (0x0100): cli_pid: 70306
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> (0x0100): logon name: not set
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> (0x0100): flags: 0
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req]
(0x0400):
> DP Request [PAM Authenticate #18]: New request. Flags [0000].
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req]
(0x0400):
> Number of active DP request: 1
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [krb5_auth_send]
> (0x0100): Domain directory for user [MY_USERNAME(a)domain.net] not known.
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[fo_resolve_service_send]
> (0x0100): Trying to resolve service 'AD'
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [resolve_srv_send]
> (0x0200): The status of SRV lookup is resolved
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [be_resolve_server_process] (0x0200): Found address for server
> ADDC.domain.net: [192.168.5.4] TTL 900
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [write_pipe_handler]
> (0x0400): All data has been sent!
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [child_sig_handler]
> (0x0100): child [71170] finished successfully.
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [read_pipe_handler]
> (0x0400): EOF received, client finished
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [fo_set_port_status]
> (0x0100): Marking port 389 of server 'ADDC.domain.net' as 'working'
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [set_server_common_status] (0x0100): Marking server 'ADDC.domain.net' as
> 'working'
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [fo_set_port_status]
> (0x0400): Marking port 389 of duplicate server 'ADDC.domain.net' as
> 'working'
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_set_entry_attr]
> (0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=domain.net
,cn=sysdb]
> has set [cache, ts_cache] attrs.
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_set_entry_attr]
> (0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=domain.net
,cn=sysdb]
> has set [cache, ts_cache] attrs.
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_done]
(0x0400):
> DP Request [PAM Authenticate #18]: Request handler finished [0]: Success
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [_dp_req_recv]
(0x0400):
> DP Request [PAM Authenticate #18]: Receiving request data.
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
> (0x0400): DP Request [PAM Authenticate #18]: Request removed.
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
> (0x0400): Number of active DP request: 0
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_method_enabled]
> (0x0400): Target selinux is not configured
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sbus_issue_request_done]
> (0x0400): sssd.dataprovider.pamHandler: Success
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_pam_handler_send]
> (0x0100): Got request with the following data
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> (0x0100): command: SSS_PAM_ACCT_MGMT
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> (0x0100): domain: domain.net
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> (0x0100): user: MY_USERNAME(a)domain.net
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> (0x0100): service: login
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> (0x0100): tty: tty4
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> (0x0100): ruser:
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> (0x0100): rhost:
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> (0x0100): authtok type: 0
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> (0x0100): newauthtok type: 0
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> (0x0100): priv: 1
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> (0x0100): cli_pid: 70306
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> (0x0100): logon name: not set
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> (0x0100): flags: 0
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req]
(0x0400):
> DP Request [PAM Account #19]: New request. Flags [0000].
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req]
(0x0400):
> Number of active DP request: 1
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_access_send]
> (0x0400): Performing access check for user [MY_USERNAME(a)domain.net]
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_account_expired_ad]
> (0x0400): Performing AD access check for user [MY_USERNAME(a)domain.net]
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_access_send]
> (0x0400): service login maps to Interactive
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_connect_done]
> (0x0400): sam_account_name is COMPUTER$
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(objectclass=user)(sAMAccountName=COMPUTER$))][dc=domain,dc=net].
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [objectclass=domain][DC=domain,DC=net].
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [ad_master_domain_next_done] (0x0400): Found SID
> [S-1-5-21-3635097336-3991203712-2063481127].
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(DnsDomain=domain.net)(NtVer=\14\00\00\00))][].
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [ad_master_domain_netlogon_done] (0x0400): Found flat name [DOMAIN].
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [ad_master_domain_netlogon_done] (0x0400): Found site [Domain].
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [ad_master_domain_netlogon_done] (0x0400): Found forest [domain.net].
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [ad_gpo_site_name_retrieval_done] (0x0400): Using AD site 'cn=Domain'.
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(objectclass=*)][].
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is
> OU=Computers,DC=domain,DC=net
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is
> DC=domain,DC=net
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is
> cn=Domain,cn=Sites,CN=Configuration,DC=domain,DC=net
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(objectclass=*)][OU=Computers,DC=domain,DC=net].
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [ad_gpo_populate_gplink_list] (0x0400): som_dn:
> OU=Computers,DC=domain,DC=net
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(objectclass=*)][DC=domain,DC=net].
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=domain,DC=net
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(objectclass=*)][cn=Domain,cn=Sites,CN=Configuration,DC=domain,DC=net].
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next
SOM
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn:
>
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=net
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn:
>
cn={6FF5E2F5-D491-45A1-9432-5AB497AEF031},cn=policies,cn=system,DC=domain,DC=net
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_sd_search_send]
> (0x0400): Searching entry
>
[CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=net]
> using SD
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because
> scope is set to base.
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
>
[(objectclass=*)][CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=net].
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> errmsg set
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_parse_sd]
> (0x0020): Failed to pull security descriptor
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_sd_process_attrs]
> (0x0040): ad_gpo_parse_sd() failed
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_process_gpo_done]
> (0x0040): Unable to get GPO list: [22](Invalid argument)
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_access_done]
> (0x0040): GPO-based access control failed.
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_done]
(0x0400):
> DP Request [PAM Account #19]: Request handler finished [0]: Success
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [_dp_req_recv]
(0x0400):
> DP Request [PAM Account #19]: Receiving request data.
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
> (0x0400): DP Request [PAM Account #19]: Request removed.
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
> (0x0400): Number of active DP request: 0
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_method_enabled]
> (0x0400): Target selinux is not configured
> (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sbus_issue_request_done]
> (0x0400): sssd.dataprovider.pamHandler: Success
>
>
> === sssd_pam.log ====
>
> (Fri May 8 15:10:10 2020) [sssd[pam]] [get_client_cred] (0x0080): The
> following failure is expected to happen in case SELinux is disabled:
> SELINUX_getpeercon failed [95][Operation not supported].
> Please, consider enabling SELinux in your system.
> (Fri May 8 15:10:10 2020) [sssd[pam]] [accept_fd_handler] (0x0400):
Client
> [0x5606d6371860][19] connected to privileged pipe!
> (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_cmd_get_version] (0x0200):
> Received client version [3].
> (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_cmd_get_version] (0x0200):
> Offered version [3].
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_cmd_authenticate] (0x0100):
> entering pam_cmd_authenticate
> (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
> (0x0200): name 'my_username' matched without domain, user is my_username
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
command:
> SSS_PAM_AUTHENTICATE
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): domain:
> not set
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): user:
> my_username
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
service:
> login
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): tty:
tty4
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): ruser:
> not set
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> not set
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): authtok
> type: 1
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> newauthtok type: 0
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
cli_pid:
> 70306
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): logon
> name: my_username
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): flags:
0
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_send] (0x0400): CR #12:
> New request 'Initgroups by name'
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_process_input]
(0x0400):
> CR #12: Parsing input name [my_username]
> (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
> (0x0200): name 'my_username' matched without domain, user is my_username
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_name] (0x0400): CR
> #12: Setting name [my_username]
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_select_domains]
(0x0400):
> CR #12: Performing a multi-domain search
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_domains]
(0x0400):
> CR #12: Search will bypass the cache and check the data provider
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_domain] (0x0400):
CR
> #12: Using domain [domain.net]
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_prepare_domain_data]
> (0x0400): CR #12: Preparing input data for domain [domain.net] rules
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_send] (0x0400):
CR
> #12: Looking up my_username(a)domain.net
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache]
(0x0400):
> CR #12: Checking negative cache for [my_username(a)domain.net]
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache]
(0x0400):
> CR #12: [my_username(a)domain.net] is not present in negative cache
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_dp] (0x0400): CR
> #12: Looking up [my_username(a)domain.net] in data provider
> (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_dp_get_account_send]
(0x0400):
> Creating request for [domain.net
> ][0x3][BE_REQ_INITGROUPS][name=my_username@domain.net:-]
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_cache] (0x0400):
> CR #12: Looking up [my_username(a)domain.net] in cache
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache_filter]
> (0x0400): CR #12: This request type does not support filtering result by
> negative cache
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_done] (0x0400):
CR
> #12: Returning updated object [my_username(a)domain.net]
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_create_and_add_result]
> (0x0400): CR #12: Found 4 entries in domain domain.net
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_done] (0x0400): CR #12:
> Finished: Success
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pd_set_primary_name] (0x0400):
> User's primary name is my_username(a)domain.net
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req] (0x0100):
Sending
> request with the following data:
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
command:
> SSS_PAM_AUTHENTICATE
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): domain:
> domain.net
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): user:
> my_username(a)domain.net
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
service:
> login
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): tty:
tty4
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): ruser:
> not set
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> not set
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): authtok
> type: 1
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> newauthtok type: 0
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
cli_pid:
> 70306
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): logon
> name: my_username
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): flags:
0
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dom_forwarder] (0x0100):
> pam_dp_send_req returned 0
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req_done] (0x0200):
> received: [0 (Success)][domain.net]
> (Fri May 8 15:10:10 2020) [sssd[pam]] [sysdb_set_entry_attr] (0x0200):
> Entry [name=my_username(a)domain.net,cn=users,cn=domain.net,cn=sysdb] has
set
> [cache, ts_cache] attrs.
> (Fri May 8 15:10:10 2020) [sssd[pam]] [filter_responses] (0x0100):
> [pam_response_filter] not available, not fatal.
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200): blen: 85
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200): Returning
[0]:
> Success to the client
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100):
> entering pam_cmd_acct_mgmt
> (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
> (0x0200): name 'my_username' matched without domain, user is my_username
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
command:
> SSS_PAM_ACCT_MGMT
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): domain:
> not set
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): user:
> my_username
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
service:
> login
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): tty:
tty4
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): ruser:
> not set
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> not set
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): authtok
> type: 0
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> newauthtok type: 0
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
cli_pid:
> 70306
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): logon
> name: my_username
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): flags:
0
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_send] (0x0400): CR #13:
> New request 'Initgroups by name'
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_process_input]
(0x0400):
> CR #13: Parsing input name [my_username]
> (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
> (0x0200): name 'my_username' matched without domain, user is my_username
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_name] (0x0400): CR
> #13: Setting name [my_username]
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_select_domains]
(0x0400):
> CR #13: Performing a multi-domain search
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_domains]
(0x0400):
> CR #13: Search will check the cache and check the data provider
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_domain] (0x0400):
CR
> #13: Using domain [domain.net]
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_prepare_domain_data]
> (0x0400): CR #13: Preparing input data for domain [domain.net] rules
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_send] (0x0400):
CR
> #13: Looking up my_username(a)domain.net
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache]
(0x0400):
> CR #13: Checking negative cache for [my_username(a)domain.net]
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache]
(0x0400):
> CR #13: [my_username(a)domain.net] is not present in negative cache
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_cache] (0x0400):
> CR #13: Looking up [my_username(a)domain.net] in cache
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_send] (0x0400):
CR
> #13: Returning [my_username(a)domain.net] from cache
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache_filter]
> (0x0400): CR #13: This request type does not support filtering result by
> negative cache
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_create_and_add_result]
> (0x0400): CR #13: Found 4 entries in domain domain.net
> (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_done] (0x0400): CR #13:
> Finished: Success
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pd_set_primary_name] (0x0400):
> User's primary name is my_username(a)domain.net
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req] (0x0100):
Sending
> request with the following data:
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
command:
> SSS_PAM_ACCT_MGMT
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): domain:
> domain.net
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): user:
> my_username(a)domain.net
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
service:
> login
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): tty:
tty4
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): ruser:
> not set
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> not set
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): authtok
> type: 0
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> newauthtok type: 0
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
cli_pid:
> 70306
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): logon
> name: my_username
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): flags:
0
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dom_forwarder] (0x0100):
> pam_dp_send_req returned 0
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req_done] (0x0200):
> received: [4 (System error)][domain.net]
> (Fri May 8 15:10:10 2020) [sssd[pam]] [filter_responses] (0x0100):
> [pam_response_filter] not available, not fatal.
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200): blen: 31
> (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200): Returning
[4]:
> System error to the client
> (Fri May 8 15:10:10 2020) [sssd[pam]] [client_recv] (0x0200): Client
> disconnected!
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
8:25 a.m.
New subject: System error when trying to login into an AD after upgrading to Samba 4.12.2
On Sat, May 16, 2020 at 04:55:08PM +0200, Thibault Boyeux wrote:
Hi Sumit
Thanks a lot for your email. Apologies for the late answer, it took me a
little time to get used to how gdb works ;)
Anyway, after debugging the latest git version, it looks like the issue
systematically happens line 237 of *ad_gpo_ndr.c, *in the
*ndr_pull_security_ace_object_ctr()* method, calling Samba's new
ndr_pull_steal_switch_value method (introduced in 4.12 according to this
<https://github.com/SSSD/sssd/pull/976>):
237: NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level));
This check systematically returns NDR_ERR_TOKEN (instead, I guess, of
NDR_ERR_SUCCESS), which then makes all other methods fail in the following
order: ndr_pull_security_ace() (line 320), ndr_pull_security_acl() (line
372) and ad_gpo_ndr_pull_security_descriptor() (line 513). See gdb logs
below
Anything I could do to investigate this further?
Hi,
thanks for the details, but I still have no idea what might be wrong.
Can you send me the binary data used as 'data' variable in
ad_gpo_parse_sd()? Then I can try on my own with different versions of
Samba.
bye,
Sumit
Thanks again,
Best,
Thibault
Breakpoint 15, ndr_pull_security_ace_object_ctr (ndr=0x5581d6ddd5b0,
ndr_flags=512, r=0x5581d6e2147c) at src/providers/ad/ad_gpo_ndr.c:237
237 NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level));
(gdb) fin
Run till exit from #0 ndr_pull_security_ace_object_ctr
(ndr=0x5581d6ddd5b0, ndr_flags=512, r=0x5581d6e2147c) at
src/providers/ad/ad_gpo_ndr.c:237
0x00007f18aa8cf0d2 in ndr_pull_security_ace (ndr=0x5581d6ddd5b0,
ndr_flags=512, r=0x5581d6e21470) at src/providers/ad/ad_gpo_ndr.c:320
320 NDR_CHECK(ndr_pull_security_ace_object_ctr
Value returned is $123 = NDR_ERR_TOKEN
(gdb) fin
Run till exit from #0 0x00007f18aa8cf0d2 in ndr_pull_security_ace
(ndr=0x5581d6ddd5b0, ndr_flags=512, r=0x5581d6e21470) at
src/providers/ad/ad_gpo_ndr.c:320
0x00007f18aa8cf576 in ndr_pull_security_acl (ndr=0x5581d6ddd5b0,
ndr_flags=768, r=0x5581d6de3230) at src/providers/ad/ad_gpo_ndr.c:372
372 NDR_CHECK(ndr_pull_security_ace
Value returned is $124 = NDR_ERR_TOKEN
(gdb) fin
Run till exit from #0 0x00007f18aa8cf576 in ndr_pull_security_acl
(ndr=0x5581d6ddd5b0, ndr_flags=768, r=0x5581d6de3230) at
src/providers/ad/ad_gpo_ndr.c:372
0x00007f18aa8d03ee in ad_gpo_ndr_pull_security_descriptor
(ndr=0x5581d6ddd5b0, ndr_flags=768, r=0x7ffdec42d870) at
src/providers/ad/ad_gpo_ndr.c:513
513 NDR_CHECK(ndr_pull_security_acl(ndr,
Value returned is $125 = NDR_ERR_TOKEN
(gdb) fin
Run till exit from #0 0x00007f18aa8d03ee in
ad_gpo_ndr_pull_security_descriptor (ndr=0x5581d6ddd5b0, ndr_flags=768,
r=0x7ffdec42d870) at src/providers/ad/ad_gpo_ndr.c:513
0x00007f18aa8ca867 in ad_gpo_parse_sd (mem_ctx=0x5581d6e0cf50,
data=0x5581d6e171d0 "\001", length=256, _gpo_sd=0x5581d6e0cf50) at
src/providers/ad/ad_gpo.c:3925
3925 ndr_err = ad_gpo_ndr_pull_security_descriptor(ndr_pull,
Value returned is $126 = NDR_ERR_TOKEN
On Mon, May 11, 2020 at 11:07 AM Sumit Bose <sbose(a)redhat.com> wrote:
> On Fri, May 08, 2020 at 03:35:56PM +0200, Thibault Boyeux wrote:
> > Hi all,
> >
> > I'm encountering an issue after upgrading to Samba 4.12.2. I can no
> longer
> > login with an Active Directory account from a terminal or gnome. I'm
> > prompted with a "System error" message.
> >
> > When I downgrade to samba 4.11.3 everything works fine. AD authentication
> > works OK with the same account from a Windows machine.
> >
> > "getent passwd my_username" works well, as "getent passwd
<group>". kinit
> > my_username(a)DOMAIN.NET works OK too. Logging in in with "su
<username>"
> > from a local account works too.
> >
> > SSSD version: 2.2.3. This is from an Arch Linux package, that has been
> > patched
> > <
> https://git.archlinux.org/svntogit/community.git/tree/trunk?h=packages/sssd
> >
> > by its maintainer for compatibility with Samba 4.12 (I also compiled sssd
> > from the current git source code, but encountered the same cryptic
> error.)
> > Samba version: 4.12.2
> > Operating system: Arch Linux (fully upgraded)
>
> Hi,
>
> do I understand correctly that you recompiled SSSD after updating Samba
> to version 4.12.2 or did you use the same SSSD binary you used with
> Samba 4.11.3?
>
> According to the logs the error most probably happened in
> ad_gpo_ndr_pull_security_descriptor(). Can you step through this
> function with gdb to see which operation failed (please add 'timeout =
> 999999' to the [domain/...] section of sssd.conf to not run into issues
> with the watchdog and gdb)? If not I can try to reproduce this locally.
>
> bye,
> Sumit
>
> >
> > Any idea how I could fix this / investigate this further? Please find
> > sssd.conf and logs below - I couldn't find anything interesting in there
> > but I'm no expert :)
> >
> > Thanks a lot!
> >
> > === sssd.conf ===
> >
> > [sssd]
> > config_file_version = 2
> > domains = domain.net
> > services = nss, pam
> > debug_level = 6
> >
> > [domain/domain.net]
> > ad_hostname = computer.domain.net
> > krb5_realm = DOMAIN.NET
> > cache_credentials = true
> > id_provider = ad
> > auth_provider = ad
> > access_provider = ad
> > chpass_provider = ad
> > ldap_schema = ad
> > default_shell = /bin/zsh
> > fallback_homedir = /home/DOMAIN/%u
> > dyndns_update = true
> > dyndns_refresh_interval = 43200
> > dyndns_update_ptr = true
> > dyndns_ttl = 3600
> > debug_level = 6
> > #enumerate = true
> >
> > [pam]
> > debug_level = 6
> >
> > [nss]
> > debug_level = 6
> >
> >
> > === sssd_domain.net.log ===
> >
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [dp_get_account_info_send] (0x0200): Got request for
> > [0x3][BE_REQ_INITGROUPS][name=my_username(a)domain.net]
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req]
> (0x0400):
> > DP Request [Initgroups #17]: New request. Flags [0x0001].
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req]
> (0x0400):
> > Number of active DP request: 1
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sdap_get_initgr_next_base] (0x0400): Searching for users with base
> > [DC=domain,DC=net]
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> >
>
[(&(sAMAccountName=my_username)(objectclass=user)(objectSID=*))][DC=domain,DC=net].
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> > errmsg set
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
> > (0x0400): Save user
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_get_primary_name]
> > (0x0400): Processing object MY_USERNAME
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
> > (0x0400): Processing user MY_USERNAME(a)domain.net
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
> > (0x0400): Adding original memberOf attributes to [MY_USERNAME(a)domain.net
> ].
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
> > (0x0400): Adding user principal [MY_USERNAME(a)DOMAIN.NET] to attributes
> of [
> > MY_USERNAME(a)domain.net].
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
> > (0x0400): Storing info for user MY_USERNAME(a)domain.net
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_set_entry_attr]
> > (0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=domain.net
> ,cn=sysdb]
> > has set [ts_cache] attrs.
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_store_user]
> > (0x0400): User "MY_USERNAME(a)domain.net" has been stored
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no
> > filter][CN=My Username,OU=Users,DC=domain,DC=net].
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> > errmsg set
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_idmap_sid_to_unix]
> > (0x0400): Object SID [S-1-5-32-545] is a built-in one.
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sdap_ad_save_group_membership_with_idmapping] (0x0400): Skipping
> built-in
> > object.
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_get_initgr_done]
> > (0x0400): Primary group already cached, nothing to do.
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_done]
> (0x0400):
> > DP Request [Initgroups #17]: Request handler finished [0]: Success
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [_dp_req_recv]
> (0x0400):
> > DP Request [Initgroups #17]: Receiving request data.
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
> > (0x0400): DP Request [Initgroups #17]: Request removed.
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
> > (0x0400): Number of active DP request: 0
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [dp_get_account_info_initgroups_step] (0x0400): Ordering NSS responder to
> > update memory cache
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_set_entry_attr]
> > (0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=domain.net
> ,cn=sysdb]
> > has set [ts_cache] attrs.
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sbus_issue_request_done]
> > (0x0400): sssd.dataprovider.getAccountInfo: Success
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_pam_handler_send]
> > (0x0100): Got request with the following data
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > (0x0100): command: SSS_PAM_AUTHENTICATE
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > (0x0100): domain: domain.net
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > (0x0100): user: MY_USERNAME(a)domain.net
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > (0x0100): service: login
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > (0x0100): tty: tty4
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > (0x0100): ruser:
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > (0x0100): rhost:
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > (0x0100): authtok type: 1
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > (0x0100): newauthtok type: 0
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > (0x0100): priv: 1
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > (0x0100): cli_pid: 70306
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > (0x0100): logon name: not set
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > (0x0100): flags: 0
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req]
> (0x0400):
> > DP Request [PAM Authenticate #18]: New request. Flags [0000].
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req]
> (0x0400):
> > Number of active DP request: 1
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [krb5_auth_send]
> > (0x0100): Domain directory for user [MY_USERNAME(a)domain.net] not known.
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [fo_resolve_service_send]
> > (0x0100): Trying to resolve service 'AD'
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [resolve_srv_send]
> > (0x0200): The status of SRV lookup is resolved
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [be_resolve_server_process] (0x0200): Found address for server
> > ADDC.domain.net: [192.168.5.4] TTL 900
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [write_pipe_handler]
> > (0x0400): All data has been sent!
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [child_sig_handler]
> > (0x0100): child [71170] finished successfully.
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [read_pipe_handler]
> > (0x0400): EOF received, client finished
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [fo_set_port_status]
> > (0x0100): Marking port 389 of server 'ADDC.domain.net' as
'working'
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [set_server_common_status] (0x0100): Marking server 'ADDC.domain.net'
as
> > 'working'
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [fo_set_port_status]
> > (0x0400): Marking port 389 of duplicate server 'ADDC.domain.net' as
> > 'working'
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_set_entry_attr]
> > (0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=domain.net
> ,cn=sysdb]
> > has set [cache, ts_cache] attrs.
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_set_entry_attr]
> > (0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=domain.net
> ,cn=sysdb]
> > has set [cache, ts_cache] attrs.
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_done]
> (0x0400):
> > DP Request [PAM Authenticate #18]: Request handler finished [0]: Success
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [_dp_req_recv]
> (0x0400):
> > DP Request [PAM Authenticate #18]: Receiving request data.
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
> > (0x0400): DP Request [PAM Authenticate #18]: Request removed.
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
> > (0x0400): Number of active DP request: 0
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_method_enabled]
> > (0x0400): Target selinux is not configured
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sbus_issue_request_done]
> > (0x0400): sssd.dataprovider.pamHandler: Success
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_pam_handler_send]
> > (0x0100): Got request with the following data
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > (0x0100): command: SSS_PAM_ACCT_MGMT
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > (0x0100): domain: domain.net
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > (0x0100): user: MY_USERNAME(a)domain.net
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > (0x0100): service: login
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > (0x0100): tty: tty4
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > (0x0100): ruser:
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > (0x0100): rhost:
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > (0x0100): authtok type: 0
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > (0x0100): newauthtok type: 0
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > (0x0100): priv: 1
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > (0x0100): cli_pid: 70306
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > (0x0100): logon name: not set
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > (0x0100): flags: 0
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req]
> (0x0400):
> > DP Request [PAM Account #19]: New request. Flags [0000].
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req]
> (0x0400):
> > Number of active DP request: 1
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_access_send]
> > (0x0400): Performing access check for user [MY_USERNAME(a)domain.net]
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_account_expired_ad]
> > (0x0400): Performing AD access check for user [MY_USERNAME(a)domain.net]
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_access_send]
> > (0x0400): service login maps to Interactive
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_connect_done]
> > (0x0400): sam_account_name is COMPUTER$
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > [(&(objectclass=user)(sAMAccountName=COMPUTER$))][dc=domain,dc=net].
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> > errmsg set
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > [objectclass=domain][DC=domain,DC=net].
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> > errmsg set
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [ad_master_domain_next_done] (0x0400): Found SID
> > [S-1-5-21-3635097336-3991203712-2063481127].
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > [(&(DnsDomain=domain.net)(NtVer=\14\00\00\00))][].
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> > errmsg set
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [ad_master_domain_netlogon_done] (0x0400): Found flat name [DOMAIN].
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [ad_master_domain_netlogon_done] (0x0400): Found site [Domain].
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [ad_master_domain_netlogon_done] (0x0400): Found forest [domain.net].
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [ad_gpo_site_name_retrieval_done] (0x0400): Using AD site 'cn=Domain'.
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > [(objectclass=*)][].
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> > errmsg set
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is
> > OU=Computers,DC=domain,DC=net
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is
> > DC=domain,DC=net
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is
> > cn=Domain,cn=Sites,CN=Configuration,DC=domain,DC=net
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > [(objectclass=*)][OU=Computers,DC=domain,DC=net].
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> > errmsg set
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [ad_gpo_populate_gplink_list] (0x0400): som_dn:
> > OU=Computers,DC=domain,DC=net
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > [(objectclass=*)][DC=domain,DC=net].
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> > errmsg set
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=domain,DC=net
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > [(objectclass=*)][cn=Domain,cn=Sites,CN=Configuration,DC=domain,DC=net].
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> > errmsg set
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next
> SOM
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn:
> >
> CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=net
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn:
> >
> cn={6FF5E2F5-D491-45A1-9432-5AB497AEF031},cn=policies,cn=system,DC=domain,DC=net
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_sd_search_send]
> > (0x0400): Searching entry
> >
> [CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=net]
> > using SD
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because
> > scope is set to base.
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> >
>
[(objectclass=*)][CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=net].
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> > errmsg set
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_parse_sd]
> > (0x0020): Failed to pull security descriptor
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [ad_gpo_sd_process_attrs]
> > (0x0040): ad_gpo_parse_sd() failed
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [ad_gpo_process_gpo_done]
> > (0x0040): Unable to get GPO list: [22](Invalid argument)
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_access_done]
> > (0x0040): GPO-based access control failed.
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_done]
> (0x0400):
> > DP Request [PAM Account #19]: Request handler finished [0]: Success
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [_dp_req_recv]
> (0x0400):
> > DP Request [PAM Account #19]: Receiving request data.
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
> > (0x0400): DP Request [PAM Account #19]: Request removed.
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
> > (0x0400): Number of active DP request: 0
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_method_enabled]
> > (0x0400): Target selinux is not configured
> > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sbus_issue_request_done]
> > (0x0400): sssd.dataprovider.pamHandler: Success
> >
> >
> > === sssd_pam.log ====
> >
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [get_client_cred] (0x0080): The
> > following failure is expected to happen in case SELinux is disabled:
> > SELINUX_getpeercon failed [95][Operation not supported].
> > Please, consider enabling SELinux in your system.
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [accept_fd_handler] (0x0400):
> Client
> > [0x5606d6371860][19] connected to privileged pipe!
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_cmd_get_version] (0x0200):
> > Received client version [3].
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_cmd_get_version] (0x0200):
> > Offered version [3].
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_cmd_authenticate] (0x0100):
> > entering pam_cmd_authenticate
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
> > (0x0200): name 'my_username' matched without domain, user is
my_username
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> command:
> > SSS_PAM_AUTHENTICATE
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): domain:
> > not set
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): user:
> > my_username
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> service:
> > login
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): tty:
> tty4
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): ruser:
> > not set
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> > not set
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): authtok
> > type: 1
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > newauthtok type: 0
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> cli_pid:
> > 70306
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): logon
> > name: my_username
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): flags:
> 0
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_send] (0x0400): CR #12:
> > New request 'Initgroups by name'
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_process_input]
> (0x0400):
> > CR #12: Parsing input name [my_username]
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
> > (0x0200): name 'my_username' matched without domain, user is
my_username
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_name] (0x0400): CR
> > #12: Setting name [my_username]
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_select_domains]
> (0x0400):
> > CR #12: Performing a multi-domain search
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_domains]
> (0x0400):
> > CR #12: Search will bypass the cache and check the data provider
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_domain] (0x0400):
> CR
> > #12: Using domain [domain.net]
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_prepare_domain_data]
> > (0x0400): CR #12: Preparing input data for domain [domain.net] rules
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_send] (0x0400):
> CR
> > #12: Looking up my_username(a)domain.net
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache]
> (0x0400):
> > CR #12: Checking negative cache for [my_username(a)domain.net]
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache]
> (0x0400):
> > CR #12: [my_username(a)domain.net] is not present in negative cache
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_dp] (0x0400): CR
> > #12: Looking up [my_username(a)domain.net] in data provider
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_dp_get_account_send]
> (0x0400):
> > Creating request for [domain.net
> > ][0x3][BE_REQ_INITGROUPS][name=my_username@domain.net:-]
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_cache] (0x0400):
> > CR #12: Looking up [my_username(a)domain.net] in cache
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache_filter]
> > (0x0400): CR #12: This request type does not support filtering result by
> > negative cache
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_done] (0x0400):
> CR
> > #12: Returning updated object [my_username(a)domain.net]
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_create_and_add_result]
> > (0x0400): CR #12: Found 4 entries in domain domain.net
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_done] (0x0400): CR #12:
> > Finished: Success
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pd_set_primary_name] (0x0400):
> > User's primary name is my_username(a)domain.net
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req] (0x0100):
> Sending
> > request with the following data:
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> command:
> > SSS_PAM_AUTHENTICATE
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): domain:
> > domain.net
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): user:
> > my_username(a)domain.net
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> service:
> > login
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): tty:
> tty4
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): ruser:
> > not set
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> > not set
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): authtok
> > type: 1
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > newauthtok type: 0
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> cli_pid:
> > 70306
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): logon
> > name: my_username
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): flags:
> 0
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dom_forwarder] (0x0100):
> > pam_dp_send_req returned 0
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req_done] (0x0200):
> > received: [0 (Success)][domain.net]
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [sysdb_set_entry_attr] (0x0200):
> > Entry [name=my_username(a)domain.net,cn=users,cn=domain.net,cn=sysdb] has
> set
> > [cache, ts_cache] attrs.
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [filter_responses] (0x0100):
> > [pam_response_filter] not available, not fatal.
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200): blen: 85
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200): Returning
> [0]:
> > Success to the client
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100):
> > entering pam_cmd_acct_mgmt
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
> > (0x0200): name 'my_username' matched without domain, user is
my_username
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> command:
> > SSS_PAM_ACCT_MGMT
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): domain:
> > not set
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): user:
> > my_username
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> service:
> > login
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): tty:
> tty4
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): ruser:
> > not set
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> > not set
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): authtok
> > type: 0
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > newauthtok type: 0
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> cli_pid:
> > 70306
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): logon
> > name: my_username
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): flags:
> 0
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_send] (0x0400): CR #13:
> > New request 'Initgroups by name'
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_process_input]
> (0x0400):
> > CR #13: Parsing input name [my_username]
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
> > (0x0200): name 'my_username' matched without domain, user is
my_username
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_name] (0x0400): CR
> > #13: Setting name [my_username]
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_select_domains]
> (0x0400):
> > CR #13: Performing a multi-domain search
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_domains]
> (0x0400):
> > CR #13: Search will check the cache and check the data provider
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_domain] (0x0400):
> CR
> > #13: Using domain [domain.net]
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_prepare_domain_data]
> > (0x0400): CR #13: Preparing input data for domain [domain.net] rules
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_send] (0x0400):
> CR
> > #13: Looking up my_username(a)domain.net
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache]
> (0x0400):
> > CR #13: Checking negative cache for [my_username(a)domain.net]
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache]
> (0x0400):
> > CR #13: [my_username(a)domain.net] is not present in negative cache
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_cache] (0x0400):
> > CR #13: Looking up [my_username(a)domain.net] in cache
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_send] (0x0400):
> CR
> > #13: Returning [my_username(a)domain.net] from cache
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache_filter]
> > (0x0400): CR #13: This request type does not support filtering result by
> > negative cache
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_create_and_add_result]
> > (0x0400): CR #13: Found 4 entries in domain domain.net
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_done] (0x0400): CR #13:
> > Finished: Success
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pd_set_primary_name] (0x0400):
> > User's primary name is my_username(a)domain.net
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req] (0x0100):
> Sending
> > request with the following data:
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> command:
> > SSS_PAM_ACCT_MGMT
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): domain:
> > domain.net
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): user:
> > my_username(a)domain.net
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> service:
> > login
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): tty:
> tty4
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): ruser:
> > not set
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> > not set
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): authtok
> > type: 0
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > newauthtok type: 0
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> cli_pid:
> > 70306
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): logon
> > name: my_username
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): flags:
> 0
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dom_forwarder] (0x0100):
> > pam_dp_send_req returned 0
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req_done] (0x0200):
> > received: [4 (System error)][domain.net]
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [filter_responses] (0x0100):
> > [pam_response_filter] not available, not fatal.
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200): blen: 31
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200): Returning
> [4]:
> > System error to the client
> > (Fri May 8 15:10:10 2020) [sssd[pam]] [client_recv] (0x0200): Client
> > disconnected!
>
> > _______________________________________________
> > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
>
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
10:30 a.m.
New subject: System error when trying to login into an AD after upgrading to Samba 4.12.2
On Tue, May 19, 2020 at 03:25:27PM +0200, Sumit Bose wrote:
On Sat, May 16, 2020 at 04:55:08PM +0200, Thibault Boyeux wrote:
> Hi Sumit
>
> Thanks a lot for your email. Apologies for the late answer, it took me a
> little time to get used to how gdb works ;)
>
> Anyway, after debugging the latest git version, it looks like the issue
> systematically happens line 237 of *ad_gpo_ndr.c, *in the
> *ndr_pull_security_ace_object_ctr()* method, calling Samba's new
> ndr_pull_steal_switch_value method (introduced in 4.12 according to this
> <https://github.com/SSSD/sssd/pull/976>):
>
> 237: NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level));
>
> This check systematically returns NDR_ERR_TOKEN (instead, I guess, of
> NDR_ERR_SUCCESS), which then makes all other methods fail in the following
> order: ndr_pull_security_ace() (line 320), ndr_pull_security_acl() (line
> 372) and ad_gpo_ndr_pull_security_descriptor() (line 513). See gdb logs
> below
>
> Anything I could do to investigate this further?
Hi,
thanks for the details, but I still have no idea what might be wrong.
Can you send me the binary data used as 'data' variable in
ad_gpo_parse_sd()? Then I can try on my own with different versions of
Samba.
Hi,
thanks for privately sending the data. I was able to reproduce the issue
and there was another report about this issue as well. I create a
pull-request with the fix at https://github.com/SSSD/sssd/pull/5184. If
you have a chance to test the patch feedback would be very welcome.
bye,
Sumit
bye,
Sumit
>
> Thanks again,
>
> Best,
>
> Thibault
>
>
> Breakpoint 15, ndr_pull_security_ace_object_ctr (ndr=0x5581d6ddd5b0,
> ndr_flags=512, r=0x5581d6e2147c) at src/providers/ad/ad_gpo_ndr.c:237
> 237 NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level));
> (gdb) fin
> Run till exit from #0 ndr_pull_security_ace_object_ctr
> (ndr=0x5581d6ddd5b0, ndr_flags=512, r=0x5581d6e2147c) at
> src/providers/ad/ad_gpo_ndr.c:237
> 0x00007f18aa8cf0d2 in ndr_pull_security_ace (ndr=0x5581d6ddd5b0,
> ndr_flags=512, r=0x5581d6e21470) at src/providers/ad/ad_gpo_ndr.c:320
> 320 NDR_CHECK(ndr_pull_security_ace_object_ctr
> Value returned is $123 = NDR_ERR_TOKEN
> (gdb) fin
> Run till exit from #0 0x00007f18aa8cf0d2 in ndr_pull_security_ace
> (ndr=0x5581d6ddd5b0, ndr_flags=512, r=0x5581d6e21470) at
> src/providers/ad/ad_gpo_ndr.c:320
> 0x00007f18aa8cf576 in ndr_pull_security_acl (ndr=0x5581d6ddd5b0,
> ndr_flags=768, r=0x5581d6de3230) at src/providers/ad/ad_gpo_ndr.c:372
> 372 NDR_CHECK(ndr_pull_security_ace
> Value returned is $124 = NDR_ERR_TOKEN
> (gdb) fin
> Run till exit from #0 0x00007f18aa8cf576 in ndr_pull_security_acl
> (ndr=0x5581d6ddd5b0, ndr_flags=768, r=0x5581d6de3230) at
> src/providers/ad/ad_gpo_ndr.c:372
> 0x00007f18aa8d03ee in ad_gpo_ndr_pull_security_descriptor
> (ndr=0x5581d6ddd5b0, ndr_flags=768, r=0x7ffdec42d870) at
> src/providers/ad/ad_gpo_ndr.c:513
> 513 NDR_CHECK(ndr_pull_security_acl(ndr,
> Value returned is $125 = NDR_ERR_TOKEN
> (gdb) fin
> Run till exit from #0 0x00007f18aa8d03ee in
> ad_gpo_ndr_pull_security_descriptor (ndr=0x5581d6ddd5b0, ndr_flags=768,
> r=0x7ffdec42d870) at src/providers/ad/ad_gpo_ndr.c:513
> 0x00007f18aa8ca867 in ad_gpo_parse_sd (mem_ctx=0x5581d6e0cf50,
> data=0x5581d6e171d0 "\001", length=256, _gpo_sd=0x5581d6e0cf50) at
> src/providers/ad/ad_gpo.c:3925
> 3925 ndr_err = ad_gpo_ndr_pull_security_descriptor(ndr_pull,
> Value returned is $126 = NDR_ERR_TOKEN
>
>
> On Mon, May 11, 2020 at 11:07 AM Sumit Bose <sbose(a)redhat.com> wrote:
>
> > On Fri, May 08, 2020 at 03:35:56PM +0200, Thibault Boyeux wrote:
> > > Hi all,
> > >
> > > I'm encountering an issue after upgrading to Samba 4.12.2. I can no
> > longer
> > > login with an Active Directory account from a terminal or gnome. I'm
> > > prompted with a "System error" message.
> > >
> > > When I downgrade to samba 4.11.3 everything works fine. AD authentication
> > > works OK with the same account from a Windows machine.
> > >
> > > "getent passwd my_username" works well, as "getent passwd
<group>". kinit
> > > my_username(a)DOMAIN.NET works OK too. Logging in in with "su
<username>"
> > > from a local account works too.
> > >
> > > SSSD version: 2.2.3. This is from an Arch Linux package, that has been
> > > patched
> > > <
> > https://git.archlinux.org/svntogit/community.git/tree/trunk?h=packages/sssd
> > >
> > > by its maintainer for compatibility with Samba 4.12 (I also compiled sssd
> > > from the current git source code, but encountered the same cryptic
> > error.)
> > > Samba version: 4.12.2
> > > Operating system: Arch Linux (fully upgraded)
> >
> > Hi,
> >
> > do I understand correctly that you recompiled SSSD after updating Samba
> > to version 4.12.2 or did you use the same SSSD binary you used with
> > Samba 4.11.3?
> >
> > According to the logs the error most probably happened in
> > ad_gpo_ndr_pull_security_descriptor(). Can you step through this
> > function with gdb to see which operation failed (please add 'timeout =
> > 999999' to the [domain/...] section of sssd.conf to not run into issues
> > with the watchdog and gdb)? If not I can try to reproduce this locally.
> >
> > bye,
> > Sumit
> >
> > >
> > > Any idea how I could fix this / investigate this further? Please find
> > > sssd.conf and logs below - I couldn't find anything interesting in
there
> > > but I'm no expert :)
> > >
> > > Thanks a lot!
> > >
> > > === sssd.conf ===
> > >
> > > [sssd]
> > > config_file_version = 2
> > > domains = domain.net
> > > services = nss, pam
> > > debug_level = 6
> > >
> > > [domain/domain.net]
> > > ad_hostname = computer.domain.net
> > > krb5_realm = DOMAIN.NET
> > > cache_credentials = true
> > > id_provider = ad
> > > auth_provider = ad
> > > access_provider = ad
> > > chpass_provider = ad
> > > ldap_schema = ad
> > > default_shell = /bin/zsh
> > > fallback_homedir = /home/DOMAIN/%u
> > > dyndns_update = true
> > > dyndns_refresh_interval = 43200
> > > dyndns_update_ptr = true
> > > dyndns_ttl = 3600
> > > debug_level = 6
> > > #enumerate = true
> > >
> > > [pam]
> > > debug_level = 6
> > >
> > > [nss]
> > > debug_level = 6
> > >
> > >
> > > === sssd_domain.net.log ===
> > >
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [dp_get_account_info_send] (0x0200): Got request for
> > > [0x3][BE_REQ_INITGROUPS][name=my_username(a)domain.net]
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req]
> > (0x0400):
> > > DP Request [Initgroups #17]: New request. Flags [0x0001].
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req]
> > (0x0400):
> > > Number of active DP request: 1
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sdap_get_initgr_next_base] (0x0400): Searching for users with base
> > > [DC=domain,DC=net]
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > >
> >
[(&(sAMAccountName=my_username)(objectclass=user)(objectSID=*))][DC=domain,DC=net].
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> > > errmsg set
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
> > > (0x0400): Save user
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sdap_get_primary_name]
> > > (0x0400): Processing object MY_USERNAME
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
> > > (0x0400): Processing user MY_USERNAME(a)domain.net
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
> > > (0x0400): Adding original memberOf attributes to [MY_USERNAME(a)domain.net
> > ].
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
> > > (0x0400): Adding user principal [MY_USERNAME(a)DOMAIN.NET] to attributes
> > of [
> > > MY_USERNAME(a)domain.net].
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
> > > (0x0400): Storing info for user MY_USERNAME(a)domain.net
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_set_entry_attr]
> > > (0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=domain.net
> > ,cn=sysdb]
> > > has set [ts_cache] attrs.
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_store_user]
> > > (0x0400): User "MY_USERNAME(a)domain.net" has been stored
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no
> > > filter][CN=My Username,OU=Users,DC=domain,DC=net].
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> > > errmsg set
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sdap_idmap_sid_to_unix]
> > > (0x0400): Object SID [S-1-5-32-545] is a built-in one.
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sdap_ad_save_group_membership_with_idmapping] (0x0400): Skipping
> > built-in
> > > object.
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_get_initgr_done]
> > > (0x0400): Primary group already cached, nothing to do.
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_done]
> > (0x0400):
> > > DP Request [Initgroups #17]: Request handler finished [0]: Success
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [_dp_req_recv]
> > (0x0400):
> > > DP Request [Initgroups #17]: Receiving request data.
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
> > > (0x0400): DP Request [Initgroups #17]: Request removed.
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
> > > (0x0400): Number of active DP request: 0
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [dp_get_account_info_initgroups_step] (0x0400): Ordering NSS responder to
> > > update memory cache
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_set_entry_attr]
> > > (0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=domain.net
> > ,cn=sysdb]
> > > has set [ts_cache] attrs.
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sbus_issue_request_done]
> > > (0x0400): sssd.dataprovider.getAccountInfo: Success
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_pam_handler_send]
> > > (0x0100): Got request with the following data
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > (0x0100): command: SSS_PAM_AUTHENTICATE
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > (0x0100): domain: domain.net
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > (0x0100): user: MY_USERNAME(a)domain.net
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > (0x0100): service: login
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > (0x0100): tty: tty4
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > (0x0100): ruser:
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > (0x0100): rhost:
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > (0x0100): authtok type: 1
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > (0x0100): newauthtok type: 0
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > (0x0100): priv: 1
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > (0x0100): cli_pid: 70306
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > (0x0100): logon name: not set
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > (0x0100): flags: 0
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req]
> > (0x0400):
> > > DP Request [PAM Authenticate #18]: New request. Flags [0000].
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req]
> > (0x0400):
> > > Number of active DP request: 1
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [krb5_auth_send]
> > > (0x0100): Domain directory for user [MY_USERNAME(a)domain.net] not known.
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [fo_resolve_service_send]
> > > (0x0100): Trying to resolve service 'AD'
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [resolve_srv_send]
> > > (0x0200): The status of SRV lookup is resolved
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [be_resolve_server_process] (0x0200): Found address for server
> > > ADDC.domain.net: [192.168.5.4] TTL 900
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [write_pipe_handler]
> > > (0x0400): All data has been sent!
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [child_sig_handler]
> > > (0x0100): child [71170] finished successfully.
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [read_pipe_handler]
> > > (0x0400): EOF received, client finished
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [fo_set_port_status]
> > > (0x0100): Marking port 389 of server 'ADDC.domain.net' as
'working'
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [set_server_common_status] (0x0100): Marking server
'ADDC.domain.net' as
> > > 'working'
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [fo_set_port_status]
> > > (0x0400): Marking port 389 of duplicate server 'ADDC.domain.net'
as
> > > 'working'
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_set_entry_attr]
> > > (0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=domain.net
> > ,cn=sysdb]
> > > has set [cache, ts_cache] attrs.
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sysdb_set_entry_attr]
> > > (0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=domain.net
> > ,cn=sysdb]
> > > has set [cache, ts_cache] attrs.
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_done]
> > (0x0400):
> > > DP Request [PAM Authenticate #18]: Request handler finished [0]: Success
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [_dp_req_recv]
> > (0x0400):
> > > DP Request [PAM Authenticate #18]: Receiving request data.
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
> > > (0x0400): DP Request [PAM Authenticate #18]: Request removed.
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
> > > (0x0400): Number of active DP request: 0
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_method_enabled]
> > > (0x0400): Target selinux is not configured
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sbus_issue_request_done]
> > > (0x0400): sssd.dataprovider.pamHandler: Success
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_pam_handler_send]
> > > (0x0100): Got request with the following data
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > (0x0100): command: SSS_PAM_ACCT_MGMT
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > (0x0100): domain: domain.net
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > (0x0100): user: MY_USERNAME(a)domain.net
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > (0x0100): service: login
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > (0x0100): tty: tty4
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > (0x0100): ruser:
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > (0x0100): rhost:
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > (0x0100): authtok type: 0
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > (0x0100): newauthtok type: 0
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > (0x0100): priv: 1
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > (0x0100): cli_pid: 70306
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > (0x0100): logon name: not set
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > (0x0100): flags: 0
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req]
> > (0x0400):
> > > DP Request [PAM Account #19]: New request. Flags [0000].
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req]
> > (0x0400):
> > > Number of active DP request: 1
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_access_send]
> > > (0x0400): Performing access check for user [MY_USERNAME(a)domain.net]
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sdap_account_expired_ad]
> > > (0x0400): Performing AD access check for user [MY_USERNAME(a)domain.net]
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_access_send]
> > > (0x0400): service login maps to Interactive
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_connect_done]
> > > (0x0400): sam_account_name is COMPUTER$
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > > [(&(objectclass=user)(sAMAccountName=COMPUTER$))][dc=domain,dc=net].
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> > > errmsg set
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > > [objectclass=domain][DC=domain,DC=net].
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> > > errmsg set
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [ad_master_domain_next_done] (0x0400): Found SID
> > > [S-1-5-21-3635097336-3991203712-2063481127].
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > > [(&(DnsDomain=domain.net)(NtVer=\14\00\00\00))][].
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> > > errmsg set
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [ad_master_domain_netlogon_done] (0x0400): Found flat name [DOMAIN].
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [ad_master_domain_netlogon_done] (0x0400): Found site [Domain].
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [ad_master_domain_netlogon_done] (0x0400): Found forest [domain.net].
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [ad_gpo_site_name_retrieval_done] (0x0400): Using AD site
'cn=Domain'.
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > > [(objectclass=*)][].
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> > > errmsg set
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is
> > > OU=Computers,DC=domain,DC=net
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is
> > > DC=domain,DC=net
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is
> > > cn=Domain,cn=Sites,CN=Configuration,DC=domain,DC=net
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > > [(objectclass=*)][OU=Computers,DC=domain,DC=net].
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> > > errmsg set
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [ad_gpo_populate_gplink_list] (0x0400): som_dn:
> > > OU=Computers,DC=domain,DC=net
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > > [(objectclass=*)][DC=domain,DC=net].
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> > > errmsg set
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=domain,DC=net
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > > [(objectclass=*)][cn=Domain,cn=Sites,CN=Configuration,DC=domain,DC=net].
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> > > errmsg set
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try next
> > SOM
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[0]->gpo_dn:
> > >
> >
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=net
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [ad_gpo_populate_candidate_gpos] (0x0400): candidate_gpos[1]->gpo_dn:
> > >
> >
cn={6FF5E2F5-D491-45A1-9432-5AB497AEF031},cn=policies,cn=system,DC=domain,DC=net
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_sd_search_send]
> > > (0x0400): Searching entry
> > >
> >
[CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=net]
> > > using SD
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging because
> > > scope is set to base.
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > >
> >
[(objectclass=*)][CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=net].
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
> > > errmsg set
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_parse_sd]
> > > (0x0020): Failed to pull security descriptor
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [ad_gpo_sd_process_attrs]
> > > (0x0040): ad_gpo_parse_sd() failed
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [ad_gpo_process_gpo_done]
> > > (0x0040): Unable to get GPO list: [22](Invalid argument)
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [ad_gpo_access_done]
> > > (0x0040): GPO-based access control failed.
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_done]
> > (0x0400):
> > > DP Request [PAM Account #19]: Request handler finished [0]: Success
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [_dp_req_recv]
> > (0x0400):
> > > DP Request [PAM Account #19]: Receiving request data.
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
> > > (0x0400): DP Request [PAM Account #19]: Request removed.
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_destructor]
> > > (0x0400): Number of active DP request: 0
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_method_enabled]
> > > (0x0400): Target selinux is not configured
> > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > [sbus_issue_request_done]
> > > (0x0400): sssd.dataprovider.pamHandler: Success
> > >
> > >
> > > === sssd_pam.log ====
> > >
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [get_client_cred] (0x0080): The
> > > following failure is expected to happen in case SELinux is disabled:
> > > SELINUX_getpeercon failed [95][Operation not supported].
> > > Please, consider enabling SELinux in your system.
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [accept_fd_handler] (0x0400):
> > Client
> > > [0x5606d6371860][19] connected to privileged pipe!
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_cmd_get_version] (0x0200):
> > > Received client version [3].
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_cmd_get_version] (0x0200):
> > > Offered version [3].
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_cmd_authenticate] (0x0100):
> > > entering pam_cmd_authenticate
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
> > > (0x0200): name 'my_username' matched without domain, user is
my_username
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > command:
> > > SSS_PAM_AUTHENTICATE
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): domain:
> > > not set
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): user:
> > > my_username
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > service:
> > > login
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): tty:
> > tty4
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): ruser:
> > > not set
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> > > not set
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): authtok
> > > type: 1
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > > newauthtok type: 0
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > cli_pid:
> > > 70306
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): logon
> > > name: my_username
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): flags:
> > 0
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_send] (0x0400): CR #12:
> > > New request 'Initgroups by name'
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_process_input]
> > (0x0400):
> > > CR #12: Parsing input name [my_username]
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
> > > (0x0200): name 'my_username' matched without domain, user is
my_username
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_name] (0x0400): CR
> > > #12: Setting name [my_username]
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_select_domains]
> > (0x0400):
> > > CR #12: Performing a multi-domain search
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_domains]
> > (0x0400):
> > > CR #12: Search will bypass the cache and check the data provider
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_domain] (0x0400):
> > CR
> > > #12: Using domain [domain.net]
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_prepare_domain_data]
> > > (0x0400): CR #12: Preparing input data for domain [domain.net] rules
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_send] (0x0400):
> > CR
> > > #12: Looking up my_username(a)domain.net
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache]
> > (0x0400):
> > > CR #12: Checking negative cache for [my_username(a)domain.net]
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache]
> > (0x0400):
> > > CR #12: [my_username(a)domain.net] is not present in negative cache
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_dp] (0x0400): CR
> > > #12: Looking up [my_username(a)domain.net] in data provider
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_dp_get_account_send]
> > (0x0400):
> > > Creating request for [domain.net
> > > ][0x3][BE_REQ_INITGROUPS][name=my_username@domain.net:-]
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_cache] (0x0400):
> > > CR #12: Looking up [my_username(a)domain.net] in cache
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache_filter]
> > > (0x0400): CR #12: This request type does not support filtering result by
> > > negative cache
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_done] (0x0400):
> > CR
> > > #12: Returning updated object [my_username(a)domain.net]
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_create_and_add_result]
> > > (0x0400): CR #12: Found 4 entries in domain domain.net
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_done] (0x0400): CR #12:
> > > Finished: Success
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pd_set_primary_name] (0x0400):
> > > User's primary name is my_username(a)domain.net
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req] (0x0100):
> > Sending
> > > request with the following data:
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > command:
> > > SSS_PAM_AUTHENTICATE
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): domain:
> > > domain.net
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): user:
> > > my_username(a)domain.net
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > service:
> > > login
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): tty:
> > tty4
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): ruser:
> > > not set
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> > > not set
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): authtok
> > > type: 1
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > > newauthtok type: 0
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > cli_pid:
> > > 70306
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): logon
> > > name: my_username
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): flags:
> > 0
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dom_forwarder] (0x0100):
> > > pam_dp_send_req returned 0
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req_done] (0x0200):
> > > received: [0 (Success)][domain.net]
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [sysdb_set_entry_attr] (0x0200):
> > > Entry [name=my_username(a)domain.net,cn=users,cn=domain.net,cn=sysdb] has
> > set
> > > [cache, ts_cache] attrs.
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [filter_responses] (0x0100):
> > > [pam_response_filter] not available, not fatal.
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200): blen: 85
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200): Returning
> > [0]:
> > > Success to the client
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100):
> > > entering pam_cmd_acct_mgmt
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
> > > (0x0200): name 'my_username' matched without domain, user is
my_username
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > command:
> > > SSS_PAM_ACCT_MGMT
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): domain:
> > > not set
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): user:
> > > my_username
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > service:
> > > login
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): tty:
> > tty4
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): ruser:
> > > not set
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> > > not set
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): authtok
> > > type: 0
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > > newauthtok type: 0
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > cli_pid:
> > > 70306
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): logon
> > > name: my_username
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): flags:
> > 0
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_send] (0x0400): CR #13:
> > > New request 'Initgroups by name'
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_process_input]
> > (0x0400):
> > > CR #13: Parsing input name [my_username]
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
> > > (0x0200): name 'my_username' matched without domain, user is
my_username
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_name] (0x0400): CR
> > > #13: Setting name [my_username]
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_select_domains]
> > (0x0400):
> > > CR #13: Performing a multi-domain search
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_domains]
> > (0x0400):
> > > CR #13: Search will check the cache and check the data provider
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_domain] (0x0400):
> > CR
> > > #13: Using domain [domain.net]
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_prepare_domain_data]
> > > (0x0400): CR #13: Preparing input data for domain [domain.net] rules
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_send] (0x0400):
> > CR
> > > #13: Looking up my_username(a)domain.net
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache]
> > (0x0400):
> > > CR #13: Checking negative cache for [my_username(a)domain.net]
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache]
> > (0x0400):
> > > CR #13: [my_username(a)domain.net] is not present in negative cache
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_cache] (0x0400):
> > > CR #13: Looking up [my_username(a)domain.net] in cache
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_send] (0x0400):
> > CR
> > > #13: Returning [my_username(a)domain.net] from cache
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache_filter]
> > > (0x0400): CR #13: This request type does not support filtering result by
> > > negative cache
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_create_and_add_result]
> > > (0x0400): CR #13: Found 4 entries in domain domain.net
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_done] (0x0400): CR #13:
> > > Finished: Success
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pd_set_primary_name] (0x0400):
> > > User's primary name is my_username(a)domain.net
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req] (0x0100):
> > Sending
> > > request with the following data:
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > command:
> > > SSS_PAM_ACCT_MGMT
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): domain:
> > > domain.net
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): user:
> > > my_username(a)domain.net
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > service:
> > > login
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): tty:
> > tty4
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): ruser:
> > > not set
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): rhost:
> > > not set
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): authtok
> > > type: 0
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > > newauthtok type: 0
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > cli_pid:
> > > 70306
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): logon
> > > name: my_username
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100): flags:
> > 0
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dom_forwarder] (0x0100):
> > > pam_dp_send_req returned 0
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req_done] (0x0200):
> > > received: [4 (System error)][domain.net]
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [filter_responses] (0x0100):
> > > [pam_response_filter] not available, not fatal.
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200): blen: 31
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200): Returning
> > [4]:
> > > System error to the client
> > > (Fri May 8 15:10:10 2020) [sssd[pam]] [client_recv] (0x0200): Client
> > > disconnected!
> >
> > > _______________________________________________
> > > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > > To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> > > Fedora Code of Conduct:
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives:
> > https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> > _______________________________________________
> > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct:
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> > https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> >
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
2:24 p.m.
New subject: System error when trying to login into an AD after upgrading to Samba 4.12.2
Hi Sumit,
Thanks a lot for looking into this. I've tested with your patch: I'm still
encountering a "System error", but a different one, now linked to the
gpo_cse_done() / ad_gpo_parse_gpo_child_response() / ad_gpo_cse_done()
methods:
(2020-05-28 20:53:14): [be[domain.net]] [gpo_cse_done] (0x0020):
ad_gpo_parse_gpo_child_response failed: [22][Invalid argument]
(2020-05-28 20:53:14): [be[domain.net]] [ad_gpo_cse_done] (0x0400):
gpo_guid: {31B2F340-016D-11D2-945F-00C04FB984F9}
(2020-05-28 20:53:14): [be[domain.net]] [ad_gpo_cse_done] (0x0040): Unable
to retrieve policy data: [22](Invalid argument}
(2020-05-28 20:53:14): [be[domain.net]] [ad_gpo_access_done] (0x0040):
GPO-based access control failed.
I'll send you the payload given to those three methods and more exhaustive
logs in a private email.
Thanks again,
Thibault
On Thu, May 28, 2020 at 5:31 PM Sumit Bose <sbose(a)redhat.com> wrote:
On Tue, May 19, 2020 at 03:25:27PM +0200, Sumit Bose wrote:
> On Sat, May 16, 2020 at 04:55:08PM +0200, Thibault Boyeux wrote:
> > Hi Sumit
> >
> > Thanks a lot for your email. Apologies for the late answer, it took me
a
> > little time to get used to how gdb works ;)
> >
> > Anyway, after debugging the latest git version, it looks like the issue
> > systematically happens line 237 of *ad_gpo_ndr.c, *in the
> > *ndr_pull_security_ace_object_ctr()* method, calling Samba's new
> > ndr_pull_steal_switch_value method (introduced in 4.12 according to
this
> > <https://github.com/SSSD/sssd/pull/976>):
> >
> > 237: NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level));
> >
> > This check systematically returns NDR_ERR_TOKEN (instead, I guess, of
> > NDR_ERR_SUCCESS), which then makes all other methods fail in the
following
> > order: ndr_pull_security_ace() (line 320), ndr_pull_security_acl()
(line
> > 372) and ad_gpo_ndr_pull_security_descriptor() (line 513). See gdb logs
> > below
> >
> > Anything I could do to investigate this further?
>
> Hi,
>
> thanks for the details, but I still have no idea what might be wrong.
>
> Can you send me the binary data used as 'data' variable in
> ad_gpo_parse_sd()? Then I can try on my own with different versions of
> Samba.
Hi,
thanks for privately sending the data. I was able to reproduce the issue
and there was another report about this issue as well. I create a
pull-request with the fix at https://github.com/SSSD/sssd/pull/5184. If
you have a chance to test the patch feedback would be very welcome.
bye,
Sumit
>
> bye,
> Sumit
>
> >
> > Thanks again,
> >
> > Best,
> >
> > Thibault
> >
> >
> > Breakpoint 15, ndr_pull_security_ace_object_ctr (ndr=0x5581d6ddd5b0,
> > ndr_flags=512, r=0x5581d6e2147c) at src/providers/ad/ad_gpo_ndr.c:237
> > 237 NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level));
> > (gdb) fin
> > Run till exit from #0 ndr_pull_security_ace_object_ctr
> > (ndr=0x5581d6ddd5b0, ndr_flags=512, r=0x5581d6e2147c) at
> > src/providers/ad/ad_gpo_ndr.c:237
> > 0x00007f18aa8cf0d2 in ndr_pull_security_ace (ndr=0x5581d6ddd5b0,
> > ndr_flags=512, r=0x5581d6e21470) at src/providers/ad/ad_gpo_ndr.c:320
> > 320 NDR_CHECK(ndr_pull_security_ace_object_ctr
> > Value returned is $123 = NDR_ERR_TOKEN
> > (gdb) fin
> > Run till exit from #0 0x00007f18aa8cf0d2 in ndr_pull_security_ace
> > (ndr=0x5581d6ddd5b0, ndr_flags=512, r=0x5581d6e21470) at
> > src/providers/ad/ad_gpo_ndr.c:320
> > 0x00007f18aa8cf576 in ndr_pull_security_acl (ndr=0x5581d6ddd5b0,
> > ndr_flags=768, r=0x5581d6de3230) at src/providers/ad/ad_gpo_ndr.c:372
> > 372 NDR_CHECK(ndr_pull_security_ace
> > Value returned is $124 = NDR_ERR_TOKEN
> > (gdb) fin
> > Run till exit from #0 0x00007f18aa8cf576 in ndr_pull_security_acl
> > (ndr=0x5581d6ddd5b0, ndr_flags=768, r=0x5581d6de3230) at
> > src/providers/ad/ad_gpo_ndr.c:372
> > 0x00007f18aa8d03ee in ad_gpo_ndr_pull_security_descriptor
> > (ndr=0x5581d6ddd5b0, ndr_flags=768, r=0x7ffdec42d870) at
> > src/providers/ad/ad_gpo_ndr.c:513
> > 513 NDR_CHECK(ndr_pull_security_acl(ndr,
> > Value returned is $125 = NDR_ERR_TOKEN
> > (gdb) fin
> > Run till exit from #0 0x00007f18aa8d03ee in
> > ad_gpo_ndr_pull_security_descriptor (ndr=0x5581d6ddd5b0, ndr_flags=768,
> > r=0x7ffdec42d870) at src/providers/ad/ad_gpo_ndr.c:513
> > 0x00007f18aa8ca867 in ad_gpo_parse_sd (mem_ctx=0x5581d6e0cf50,
> > data=0x5581d6e171d0 "\001", length=256, _gpo_sd=0x5581d6e0cf50) at
> > src/providers/ad/ad_gpo.c:3925
> > 3925 ndr_err = ad_gpo_ndr_pull_security_descriptor(ndr_pull,
> > Value returned is $126 = NDR_ERR_TOKEN
> >
> >
> > On Mon, May 11, 2020 at 11:07 AM Sumit Bose <sbose(a)redhat.com> wrote:
> >
> > > On Fri, May 08, 2020 at 03:35:56PM +0200, Thibault Boyeux wrote:
> > > > Hi all,
> > > >
> > > > I'm encountering an issue after upgrading to Samba 4.12.2. I can
no
> > > longer
> > > > login with an Active Directory account from a terminal or gnome.
I'm
> > > > prompted with a "System error" message.
> > > >
> > > > When I downgrade to samba 4.11.3 everything works fine. AD
authentication
> > > > works OK with the same account from a Windows machine.
> > > >
> > > > "getent passwd my_username" works well, as "getent
passwd
<group>". kinit
> > > > my_username(a)DOMAIN.NET works OK too. Logging in in with "su
<username>"
> > > > from a local account works too.
> > > >
> > > > SSSD version: 2.2.3. This is from an Arch Linux package, that has
been
> > > > patched
> > > > <
> > >
https://git.archlinux.org/svntogit/community.git/tree/trunk?h=packages/sssd
> > > >
> > > > by its maintainer for compatibility with Samba 4.12 (I also
compiled sssd
> > > > from the current git source code, but encountered the same cryptic
> > > error.)
> > > > Samba version: 4.12.2
> > > > Operating system: Arch Linux (fully upgraded)
> > >
> > > Hi,
> > >
> > > do I understand correctly that you recompiled SSSD after updating
Samba
> > > to version 4.12.2 or did you use the same SSSD binary you used with
> > > Samba 4.11.3?
> > >
> > > According to the logs the error most probably happened in
> > > ad_gpo_ndr_pull_security_descriptor(). Can you step through this
> > > function with gdb to see which operation failed (please add 'timeout
=
> > > 999999' to the [domain/...] section of sssd.conf to not run into
issues
> > > with the watchdog and gdb)? If not I can try to reproduce this
locally.
> > >
> > > bye,
> > > Sumit
> > >
> > > >
> > > > Any idea how I could fix this / investigate this further? Please
find
> > > > sssd.conf and logs below - I couldn't find anything interesting
in
there
> > > > but I'm no expert :)
> > > >
> > > > Thanks a lot!
> > > >
> > > > === sssd.conf ===
> > > >
> > > > [sssd]
> > > > config_file_version = 2
> > > > domains = domain.net
> > > > services = nss, pam
> > > > debug_level = 6
> > > >
> > > > [domain/domain.net]
> > > > ad_hostname = computer.domain.net
> > > > krb5_realm = DOMAIN.NET
> > > > cache_credentials = true
> > > > id_provider = ad
> > > > auth_provider = ad
> > > > access_provider = ad
> > > > chpass_provider = ad
> > > > ldap_schema = ad
> > > > default_shell = /bin/zsh
> > > > fallback_homedir = /home/DOMAIN/%u
> > > > dyndns_update = true
> > > > dyndns_refresh_interval = 43200
> > > > dyndns_update_ptr = true
> > > > dyndns_ttl = 3600
> > > > debug_level = 6
> > > > #enumerate = true
> > > >
> > > > [pam]
> > > > debug_level = 6
> > > >
> > > > [nss]
> > > > debug_level = 6
> > > >
> > > >
> > > > === sssd_domain.net.log ===
> > > >
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [dp_get_account_info_send] (0x0200): Got request for
> > > > [0x3][BE_REQ_INITGROUPS][name=my_username(a)domain.net]
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req]
> > > (0x0400):
> > > > DP Request [Initgroups #17]: New request. Flags [0x0001].
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req]
> > > (0x0400):
> > > > Number of active DP request: 1
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sdap_get_initgr_next_base] (0x0400): Searching for users with base
> > > > [DC=domain,DC=net]
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > > >
> > >
[(&(sAMAccountName=my_username)(objectclass=user)(objectSID=*))][DC=domain,DC=net].
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sdap_get_generic_op_finished] (0x0400): Search result:
Success(0), no
> > > > errmsg set
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
> > > > (0x0400): Save user
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sdap_get_primary_name]
> > > > (0x0400): Processing object MY_USERNAME
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
> > > > (0x0400): Processing user MY_USERNAME(a)domain.net
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
> > > > (0x0400): Adding original memberOf attributes to [
MY_USERNAME(a)domain.net
> > > ].
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
> > > > (0x0400): Adding user principal [MY_USERNAME(a)DOMAIN.NET] to
attributes
> > > of [
> > > > MY_USERNAME(a)domain.net].
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [sdap_save_user]
> > > > (0x0400): Storing info for user MY_USERNAME(a)domain.net
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sysdb_set_entry_attr]
> > > > (0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=
domain.net
> > > ,cn=sysdb]
> > > > has set [ts_cache] attrs.
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sysdb_store_user]
> > > > (0x0400): User "MY_USERNAME(a)domain.net" has been stored
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[no
> > > > filter][CN=My Username,OU=Users,DC=domain,DC=net].
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sdap_get_generic_op_finished] (0x0400): Search result:
Success(0), no
> > > > errmsg set
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sdap_idmap_sid_to_unix]
> > > > (0x0400): Object SID [S-1-5-32-545] is a built-in one.
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sdap_ad_save_group_membership_with_idmapping] (0x0400): Skipping
> > > built-in
> > > > object.
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_get_initgr_done]
> > > > (0x0400): Primary group already cached, nothing to do.
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_done]
> > > (0x0400):
> > > > DP Request [Initgroups #17]: Request handler finished [0]: Success
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [_dp_req_recv]
> > > (0x0400):
> > > > DP Request [Initgroups #17]: Receiving request data.
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[dp_req_destructor]
> > > > (0x0400): DP Request [Initgroups #17]: Request removed.
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[dp_req_destructor]
> > > > (0x0400): Number of active DP request: 0
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [dp_get_account_info_initgroups_step] (0x0400): Ordering NSS
responder to
> > > > update memory cache
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sysdb_set_entry_attr]
> > > > (0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=
domain.net
> > > ,cn=sysdb]
> > > > has set [ts_cache] attrs.
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sbus_issue_request_done]
> > > > (0x0400): sssd.dataprovider.getAccountInfo: Success
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[dp_pam_handler_send]
> > > > (0x0100): Got request with the following data
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > > (0x0100): command: SSS_PAM_AUTHENTICATE
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > > (0x0100): domain: domain.net
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > > (0x0100): user: MY_USERNAME(a)domain.net
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > > (0x0100): service: login
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > > (0x0100): tty: tty4
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > > (0x0100): ruser:
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > > (0x0100): rhost:
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > > (0x0100): authtok type: 1
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > > (0x0100): newauthtok type: 0
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > > (0x0100): priv: 1
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > > (0x0100): cli_pid: 70306
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > > (0x0100): logon name: not set
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > > (0x0100): flags: 0
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req]
> > > (0x0400):
> > > > DP Request [PAM Authenticate #18]: New request. Flags [0000].
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req]
> > > (0x0400):
> > > > Number of active DP request: 1
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [krb5_auth_send]
> > > > (0x0100): Domain directory for user [MY_USERNAME(a)domain.net] not
known.
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [fo_resolve_service_send]
> > > > (0x0100): Trying to resolve service 'AD'
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[resolve_srv_send]
> > > > (0x0200): The status of SRV lookup is resolved
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [be_resolve_server_process] (0x0200): Found address for server
> > > > ADDC.domain.net: [192.168.5.4] TTL 900
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[write_pipe_handler]
> > > > (0x0400): All data has been sent!
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[child_sig_handler]
> > > > (0x0100): child [71170] finished successfully.
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[read_pipe_handler]
> > > > (0x0400): EOF received, client finished
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[fo_set_port_status]
> > > > (0x0100): Marking port 389 of server 'ADDC.domain.net' as
'working'
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [set_server_common_status] (0x0100): Marking server '
ADDC.domain.net' as
> > > > 'working'
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[fo_set_port_status]
> > > > (0x0400): Marking port 389 of duplicate server
'ADDC.domain.net'
as
> > > > 'working'
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sysdb_set_entry_attr]
> > > > (0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=
domain.net
> > > ,cn=sysdb]
> > > > has set [cache, ts_cache] attrs.
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sysdb_set_entry_attr]
> > > > (0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=
domain.net
> > > ,cn=sysdb]
> > > > has set [cache, ts_cache] attrs.
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_done]
> > > (0x0400):
> > > > DP Request [PAM Authenticate #18]: Request handler finished [0]:
Success
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [_dp_req_recv]
> > > (0x0400):
> > > > DP Request [PAM Authenticate #18]: Receiving request data.
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[dp_req_destructor]
> > > > (0x0400): DP Request [PAM Authenticate #18]: Request removed.
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[dp_req_destructor]
> > > > (0x0400): Number of active DP request: 0
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[dp_method_enabled]
> > > > (0x0400): Target selinux is not configured
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sbus_issue_request_done]
> > > > (0x0400): sssd.dataprovider.pamHandler: Success
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[dp_pam_handler_send]
> > > > (0x0100): Got request with the following data
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > > (0x0100): command: SSS_PAM_ACCT_MGMT
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > > (0x0100): domain: domain.net
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > > (0x0100): user: MY_USERNAME(a)domain.net
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > > (0x0100): service: login
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > > (0x0100): tty: tty4
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > > (0x0100): ruser:
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > > (0x0100): rhost:
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > > (0x0100): authtok type: 0
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > > (0x0100): newauthtok type: 0
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > > (0x0100): priv: 1
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > > (0x0100): cli_pid: 70306
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > > (0x0100): logon name: not set
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [pam_print_data]
> > > > (0x0100): flags: 0
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req]
> > > (0x0400):
> > > > DP Request [PAM Account #19]: New request. Flags [0000].
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_attach_req]
> > > (0x0400):
> > > > Number of active DP request: 1
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_access_send]
> > > > (0x0400): Performing access check for user [MY_USERNAME(a)domain.net
]
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sdap_account_expired_ad]
> > > > (0x0400): Performing AD access check for user [
MY_USERNAME(a)domain.net]
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_access_send]
> > > > (0x0400): service login maps to Interactive
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_connect_done]
> > > > (0x0400): sam_account_name is COMPUTER$
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > > >
[(&(objectclass=user)(sAMAccountName=COMPUTER$))][dc=domain,dc=net].
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sdap_get_generic_op_finished] (0x0400): Search result:
Success(0), no
> > > > errmsg set
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > > > [objectclass=domain][DC=domain,DC=net].
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sdap_get_generic_op_finished] (0x0400): Search result:
Success(0), no
> > > > errmsg set
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [ad_master_domain_next_done] (0x0400): Found SID
> > > > [S-1-5-21-3635097336-3991203712-2063481127].
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > > > [(&(DnsDomain=domain.net)(NtVer=\14\00\00\00))][].
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sdap_get_generic_op_finished] (0x0400): Search result:
Success(0), no
> > > > errmsg set
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [ad_master_domain_netlogon_done] (0x0400): Found flat name
[DOMAIN].
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [ad_master_domain_netlogon_done] (0x0400): Found site [Domain].
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [ad_master_domain_netlogon_done] (0x0400): Found forest [
domain.net].
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [ad_gpo_site_name_retrieval_done] (0x0400): Using AD site
'cn=Domain'.
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > > > [(objectclass=*)][].
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sdap_get_generic_op_finished] (0x0400): Search result:
Success(0), no
> > > > errmsg set
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn is
> > > > OU=Computers,DC=domain,DC=net
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn is
> > > > DC=domain,DC=net
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn is
> > > > cn=Domain,cn=Sites,CN=Configuration,DC=domain,DC=net
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > > > [(objectclass=*)][OU=Computers,DC=domain,DC=net].
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sdap_get_generic_op_finished] (0x0400): Search result:
Success(0), no
> > > > errmsg set
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [ad_gpo_populate_gplink_list] (0x0400): som_dn:
> > > > OU=Computers,DC=domain,DC=net
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > > > [(objectclass=*)][DC=domain,DC=net].
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sdap_get_generic_op_finished] (0x0400): Search result:
Success(0), no
> > > > errmsg set
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [ad_gpo_populate_gplink_list] (0x0400): som_dn: DC=domain,DC=net
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > > >
[(objectclass=*)][cn=Domain,cn=Sites,CN=Configuration,DC=domain,DC=net].
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sdap_get_generic_op_finished] (0x0400): Search result:
Success(0), no
> > > > errmsg set
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM; try
next
> > > SOM
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [ad_gpo_populate_candidate_gpos] (0x0400):
candidate_gpos[0]->gpo_dn:
> > > >
> > >
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=net
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [ad_gpo_populate_candidate_gpos] (0x0400):
candidate_gpos[1]->gpo_dn:
> > > >
> > >
cn={6FF5E2F5-D491-45A1-9432-5AB497AEF031},cn=policies,cn=system,DC=domain,DC=net
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_sd_search_send]
> > > > (0x0400): Searching entry
> > > >
> > >
[CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=net]
> > > > using SD
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging
because
> > > > scope is set to base.
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> > > >
> > >
[(objectclass=*)][CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=net].
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sdap_get_generic_op_finished] (0x0400): Search result:
Success(0), no
> > > > errmsg set
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_parse_sd]
> > > > (0x0020): Failed to pull security descriptor
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [ad_gpo_sd_process_attrs]
> > > > (0x0040): ad_gpo_parse_sd() failed
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [ad_gpo_process_gpo_done]
> > > > (0x0040): Unable to get GPO list: [22](Invalid argument)
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[ad_gpo_access_done]
> > > > (0x0040): GPO-based access control failed.
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_done]
> > > (0x0400):
> > > > DP Request [PAM Account #19]: Request handler finished [0]: Success
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [_dp_req_recv]
> > > (0x0400):
> > > > DP Request [PAM Account #19]: Receiving request data.
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[dp_req_destructor]
> > > > (0x0400): DP Request [PAM Account #19]: Request removed.
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[dp_req_destructor]
> > > > (0x0400): Number of active DP request: 0
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[dp_method_enabled]
> > > > (0x0400): Target selinux is not configured
> > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > [sbus_issue_request_done]
> > > > (0x0400): sssd.dataprovider.pamHandler: Success
> > > >
> > > >
> > > > === sssd_pam.log ====
> > > >
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [get_client_cred] (0x0080):
The
> > > > following failure is expected to happen in case SELinux is
disabled:
> > > > SELINUX_getpeercon failed [95][Operation not supported].
> > > > Please, consider enabling SELinux in your system.
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [accept_fd_handler]
(0x0400):
> > > Client
> > > > [0x5606d6371860][19] connected to privileged pipe!
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_cmd_get_version]
(0x0200):
> > > > Received client version [3].
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_cmd_get_version]
(0x0200):
> > > > Offered version [3].
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_cmd_authenticate]
(0x0100):
> > > > entering pam_cmd_authenticate
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
> > > > (0x0200): name 'my_username' matched without domain, user is
my_username
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > > command:
> > > > SSS_PAM_AUTHENTICATE
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
domain:
> > > > not set
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
user:
> > > > my_username
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > > service:
> > > > login
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
tty:
> > > tty4
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
ruser:
> > > > not set
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
rhost:
> > > > not set
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
authtok
> > > > type: 1
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > > > newauthtok type: 0
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
priv: 1
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > > cli_pid:
> > > > 70306
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
logon
> > > > name: my_username
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
flags:
> > > 0
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_send] (0x0400):
CR #12:
> > > > New request 'Initgroups by name'
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_process_input]
> > > (0x0400):
> > > > CR #12: Parsing input name [my_username]
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
> > > > (0x0200): name 'my_username' matched without domain, user is
my_username
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_name]
(0x0400): CR
> > > > #12: Setting name [my_username]
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_select_domains]
> > > (0x0400):
> > > > CR #12: Performing a multi-domain search
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_domains]
> > > (0x0400):
> > > > CR #12: Search will bypass the cache and check the data provider
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_domain]
(0x0400):
> > > CR
> > > > #12: Using domain [domain.net]
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
[cache_req_prepare_domain_data]
> > > > (0x0400): CR #12: Preparing input data for domain [domain.net]
rules
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_send]
(0x0400):
> > > CR
> > > > #12: Looking up my_username(a)domain.net
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache]
> > > (0x0400):
> > > > CR #12: Checking negative cache for [my_username(a)domain.net]
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache]
> > > (0x0400):
> > > > CR #12: [my_username(a)domain.net] is not present in negative cache
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_dp]
(0x0400): CR
> > > > #12: Looking up [my_username(a)domain.net] in data provider
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_dp_get_account_send]
> > > (0x0400):
> > > > Creating request for [domain.net
> > > > ][0x3][BE_REQ_INITGROUPS][name=my_username@domain.net:-]
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_cache]
(0x0400):
> > > > CR #12: Looking up [my_username(a)domain.net] in cache
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
[cache_req_search_ncache_filter]
> > > > (0x0400): CR #12: This request type does not support filtering
result by
> > > > negative cache
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_done]
(0x0400):
> > > CR
> > > > #12: Returning updated object [my_username(a)domain.net]
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
[cache_req_create_and_add_result]
> > > > (0x0400): CR #12: Found 4 entries in domain domain.net
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_done] (0x0400):
CR #12:
> > > > Finished: Success
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pd_set_primary_name]
(0x0400):
> > > > User's primary name is my_username(a)domain.net
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req] (0x0100):
> > > Sending
> > > > request with the following data:
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > > command:
> > > > SSS_PAM_AUTHENTICATE
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
domain:
> > > > domain.net
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
user:
> > > > my_username(a)domain.net
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > > service:
> > > > login
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
tty:
> > > tty4
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
ruser:
> > > > not set
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
rhost:
> > > > not set
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
authtok
> > > > type: 1
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > > > newauthtok type: 0
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
priv: 1
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > > cli_pid:
> > > > 70306
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
logon
> > > > name: my_username
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
flags:
> > > 0
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dom_forwarder]
(0x0100):
> > > > pam_dp_send_req returned 0
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req_done]
(0x0200):
> > > > received: [0 (Success)][domain.net]
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [sysdb_set_entry_attr]
(0x0200):
> > > > Entry [name=my_username(a)domain.net,cn=users,cn=domain.net,cn=sysdb]
has
> > > set
> > > > [cache, ts_cache] attrs.
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [filter_responses] (0x0100):
> > > > [pam_response_filter] not available, not fatal.
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200): blen:
85
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200):
Returning
> > > [0]:
> > > > Success to the client
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_cmd_acct_mgmt]
(0x0100):
> > > > entering pam_cmd_acct_mgmt
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
> > > > (0x0200): name 'my_username' matched without domain, user is
my_username
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > > command:
> > > > SSS_PAM_ACCT_MGMT
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
domain:
> > > > not set
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
user:
> > > > my_username
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > > service:
> > > > login
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
tty:
> > > tty4
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
ruser:
> > > > not set
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
rhost:
> > > > not set
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
authtok
> > > > type: 0
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > > > newauthtok type: 0
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
priv: 1
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > > cli_pid:
> > > > 70306
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
logon
> > > > name: my_username
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
flags:
> > > 0
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_send] (0x0400):
CR #13:
> > > > New request 'Initgroups by name'
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_process_input]
> > > (0x0400):
> > > > CR #13: Parsing input name [my_username]
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_parse_name_for_domains]
> > > > (0x0200): name 'my_username' matched without domain, user is
my_username
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_name]
(0x0400): CR
> > > > #13: Setting name [my_username]
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_select_domains]
> > > (0x0400):
> > > > CR #13: Performing a multi-domain search
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_domains]
> > > (0x0400):
> > > > CR #13: Search will check the cache and check the data provider
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_domain]
(0x0400):
> > > CR
> > > > #13: Using domain [domain.net]
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
[cache_req_prepare_domain_data]
> > > > (0x0400): CR #13: Preparing input data for domain [domain.net]
rules
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_send]
(0x0400):
> > > CR
> > > > #13: Looking up my_username(a)domain.net
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache]
> > > (0x0400):
> > > > CR #13: Checking negative cache for [my_username(a)domain.net]
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_ncache]
> > > (0x0400):
> > > > CR #13: [my_username(a)domain.net] is not present in negative cache
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_cache]
(0x0400):
> > > > CR #13: Looking up [my_username(a)domain.net] in cache
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_send]
(0x0400):
> > > CR
> > > > #13: Returning [my_username(a)domain.net] from cache
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
[cache_req_search_ncache_filter]
> > > > (0x0400): CR #13: This request type does not support filtering
result by
> > > > negative cache
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
[cache_req_create_and_add_result]
> > > > (0x0400): CR #13: Found 4 entries in domain domain.net
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_done] (0x0400):
CR #13:
> > > > Finished: Success
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pd_set_primary_name]
(0x0400):
> > > > User's primary name is my_username(a)domain.net
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req] (0x0100):
> > > Sending
> > > > request with the following data:
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > > command:
> > > > SSS_PAM_ACCT_MGMT
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
domain:
> > > > domain.net
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
user:
> > > > my_username(a)domain.net
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > > service:
> > > > login
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
tty:
> > > tty4
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
ruser:
> > > > not set
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
rhost:
> > > > not set
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
authtok
> > > > type: 0
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > > > newauthtok type: 0
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
priv: 1
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
> > > cli_pid:
> > > > 70306
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
logon
> > > > name: my_username
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data] (0x0100):
flags:
> > > 0
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dom_forwarder]
(0x0100):
> > > > pam_dp_send_req returned 0
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req_done]
(0x0200):
> > > > received: [4 (System error)][domain.net]
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [filter_responses] (0x0100):
> > > > [pam_response_filter] not available, not fatal.
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200): blen:
31
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200):
Returning
> > > [4]:
> > > > System error to the client
> > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [client_recv] (0x0200):
Client
> > > > disconnected!
> > >
> > > > _______________________________________________
> > > > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > > > To unsubscribe send an email to
sssd-users-leave(a)lists.fedorahosted.org
> > > > Fedora Code of Conduct:
> > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > List Archives:
> > >
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> > > _______________________________________________
> > > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > > To unsubscribe send an email to
sssd-users-leave(a)lists.fedorahosted.org
> > > Fedora Code of Conduct:
> > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives:
> > >
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> > >
>
> > _______________________________________________
> > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to
sssd-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
11:51 a.m.
New subject: System error when trying to login into an AD after upgrading to Samba 4.12.2
On Thu, May 28, 2020 at 09:24:40PM +0200, Thibault Boyeux wrote:
Hi Sumit,
Thanks a lot for looking into this. I've tested with your patch: I'm still
encountering a "System error", but a different one, now linked to the
gpo_cse_done() / ad_gpo_parse_gpo_child_response() / ad_gpo_cse_done()
methods:
(2020-05-28 20:53:14): [be[domain.net]] [gpo_cse_done] (0x0020):
ad_gpo_parse_gpo_child_response failed: [22][Invalid argument]
(2020-05-28 20:53:14): [be[domain.net]] [ad_gpo_cse_done] (0x0400):
gpo_guid: {31B2F340-016D-11D2-945F-00C04FB984F9}
(2020-05-28 20:53:14): [be[domain.net]] [ad_gpo_cse_done] (0x0040): Unable
to retrieve policy data: [22](Invalid argument}
(2020-05-28 20:53:14): [be[domain.net]] [ad_gpo_access_done] (0x0040):
GPO-based access control failed.
I'll send you the payload given to those three methods and more exhaustive
logs in a private email.
Hi,
the new issue is different and already tracked by
https://bugzilla.redhat.com/show_bug.cgi?id=1839805 which contains some
explanations why this happens and a way to get around this issue
('ad_gpo_access_control = disabled'). Btw, it looks like this is only an
issue with a Samba DC.
bye,
Sumit
Thanks again,
Thibault
On Thu, May 28, 2020 at 5:31 PM Sumit Bose <sbose(a)redhat.com> wrote:
> On Tue, May 19, 2020 at 03:25:27PM +0200, Sumit Bose wrote:
> > On Sat, May 16, 2020 at 04:55:08PM +0200, Thibault Boyeux wrote:
> > > Hi Sumit
> > >
> > > Thanks a lot for your email. Apologies for the late answer, it took me
> a
> > > little time to get used to how gdb works ;)
> > >
> > > Anyway, after debugging the latest git version, it looks like the issue
> > > systematically happens line 237 of *ad_gpo_ndr.c, *in the
> > > *ndr_pull_security_ace_object_ctr()* method, calling Samba's new
> > > ndr_pull_steal_switch_value method (introduced in 4.12 according to
> this
> > > <https://github.com/SSSD/sssd/pull/976>):
> > >
> > > 237: NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level));
> > >
> > > This check systematically returns NDR_ERR_TOKEN (instead, I guess, of
> > > NDR_ERR_SUCCESS), which then makes all other methods fail in the
> following
> > > order: ndr_pull_security_ace() (line 320), ndr_pull_security_acl()
> (line
> > > 372) and ad_gpo_ndr_pull_security_descriptor() (line 513). See gdb logs
> > > below
> > >
> > > Anything I could do to investigate this further?
> >
> > Hi,
> >
> > thanks for the details, but I still have no idea what might be wrong.
> >
> > Can you send me the binary data used as 'data' variable in
> > ad_gpo_parse_sd()? Then I can try on my own with different versions of
> > Samba.
>
> Hi,
>
> thanks for privately sending the data. I was able to reproduce the issue
> and there was another report about this issue as well. I create a
> pull-request with the fix at https://github.com/SSSD/sssd/pull/5184. If
> you have a chance to test the patch feedback would be very welcome.
>
> bye,
> Sumit
>
> >
> > bye,
> > Sumit
> >
> > >
> > > Thanks again,
> > >
> > > Best,
> > >
> > > Thibault
> > >
> > >
> > > Breakpoint 15, ndr_pull_security_ace_object_ctr (ndr=0x5581d6ddd5b0,
> > > ndr_flags=512, r=0x5581d6e2147c) at src/providers/ad/ad_gpo_ndr.c:237
> > > 237 NDR_CHECK(ndr_pull_steal_switch_value(ndr, r,
&level));
> > > (gdb) fin
> > > Run till exit from #0 ndr_pull_security_ace_object_ctr
> > > (ndr=0x5581d6ddd5b0, ndr_flags=512, r=0x5581d6e2147c) at
> > > src/providers/ad/ad_gpo_ndr.c:237
> > > 0x00007f18aa8cf0d2 in ndr_pull_security_ace (ndr=0x5581d6ddd5b0,
> > > ndr_flags=512, r=0x5581d6e21470) at src/providers/ad/ad_gpo_ndr.c:320
> > > 320 NDR_CHECK(ndr_pull_security_ace_object_ctr
> > > Value returned is $123 = NDR_ERR_TOKEN
> > > (gdb) fin
> > > Run till exit from #0 0x00007f18aa8cf0d2 in ndr_pull_security_ace
> > > (ndr=0x5581d6ddd5b0, ndr_flags=512, r=0x5581d6e21470) at
> > > src/providers/ad/ad_gpo_ndr.c:320
> > > 0x00007f18aa8cf576 in ndr_pull_security_acl (ndr=0x5581d6ddd5b0,
> > > ndr_flags=768, r=0x5581d6de3230) at src/providers/ad/ad_gpo_ndr.c:372
> > > 372 NDR_CHECK(ndr_pull_security_ace
> > > Value returned is $124 = NDR_ERR_TOKEN
> > > (gdb) fin
> > > Run till exit from #0 0x00007f18aa8cf576 in ndr_pull_security_acl
> > > (ndr=0x5581d6ddd5b0, ndr_flags=768, r=0x5581d6de3230) at
> > > src/providers/ad/ad_gpo_ndr.c:372
> > > 0x00007f18aa8d03ee in ad_gpo_ndr_pull_security_descriptor
> > > (ndr=0x5581d6ddd5b0, ndr_flags=768, r=0x7ffdec42d870) at
> > > src/providers/ad/ad_gpo_ndr.c:513
> > > 513 NDR_CHECK(ndr_pull_security_acl(ndr,
> > > Value returned is $125 = NDR_ERR_TOKEN
> > > (gdb) fin
> > > Run till exit from #0 0x00007f18aa8d03ee in
> > > ad_gpo_ndr_pull_security_descriptor (ndr=0x5581d6ddd5b0, ndr_flags=768,
> > > r=0x7ffdec42d870) at src/providers/ad/ad_gpo_ndr.c:513
> > > 0x00007f18aa8ca867 in ad_gpo_parse_sd (mem_ctx=0x5581d6e0cf50,
> > > data=0x5581d6e171d0 "\001", length=256, _gpo_sd=0x5581d6e0cf50)
at
> > > src/providers/ad/ad_gpo.c:3925
> > > 3925 ndr_err = ad_gpo_ndr_pull_security_descriptor(ndr_pull,
> > > Value returned is $126 = NDR_ERR_TOKEN
> > >
> > >
> > > On Mon, May 11, 2020 at 11:07 AM Sumit Bose <sbose(a)redhat.com>
wrote:
> > >
> > > > On Fri, May 08, 2020 at 03:35:56PM +0200, Thibault Boyeux wrote:
> > > > > Hi all,
> > > > >
> > > > > I'm encountering an issue after upgrading to Samba 4.12.2. I
can no
> > > > longer
> > > > > login with an Active Directory account from a terminal or
gnome.
> I'm
> > > > > prompted with a "System error" message.
> > > > >
> > > > > When I downgrade to samba 4.11.3 everything works fine. AD
> authentication
> > > > > works OK with the same account from a Windows machine.
> > > > >
> > > > > "getent passwd my_username" works well, as
"getent passwd
> <group>". kinit
> > > > > my_username(a)DOMAIN.NET works OK too. Logging in in with
"su
> <username>"
> > > > > from a local account works too.
> > > > >
> > > > > SSSD version: 2.2.3. This is from an Arch Linux package, that
has
> been
> > > > > patched
> > > > > <
> > > >
> https://git.archlinux.org/svntogit/community.git/tree/trunk?h=packages/sssd
> > > > >
> > > > > by its maintainer for compatibility with Samba 4.12 (I also
> compiled sssd
> > > > > from the current git source code, but encountered the same
cryptic
> > > > error.)
> > > > > Samba version: 4.12.2
> > > > > Operating system: Arch Linux (fully upgraded)
> > > >
> > > > Hi,
> > > >
> > > > do I understand correctly that you recompiled SSSD after updating
> Samba
> > > > to version 4.12.2 or did you use the same SSSD binary you used with
> > > > Samba 4.11.3?
> > > >
> > > > According to the logs the error most probably happened in
> > > > ad_gpo_ndr_pull_security_descriptor(). Can you step through this
> > > > function with gdb to see which operation failed (please add
'timeout
> =
> > > > 999999' to the [domain/...] section of sssd.conf to not run into
> issues
> > > > with the watchdog and gdb)? If not I can try to reproduce this
> locally.
> > > >
> > > > bye,
> > > > Sumit
> > > >
> > > > >
> > > > > Any idea how I could fix this / investigate this further?
Please
> find
> > > > > sssd.conf and logs below - I couldn't find anything
interesting in
> there
> > > > > but I'm no expert :)
> > > > >
> > > > > Thanks a lot!
> > > > >
> > > > > === sssd.conf ===
> > > > >
> > > > > [sssd]
> > > > > config_file_version = 2
> > > > > domains = domain.net
> > > > > services = nss, pam
> > > > > debug_level = 6
> > > > >
> > > > > [domain/domain.net]
> > > > > ad_hostname = computer.domain.net
> > > > > krb5_realm = DOMAIN.NET
> > > > > cache_credentials = true
> > > > > id_provider = ad
> > > > > auth_provider = ad
> > > > > access_provider = ad
> > > > > chpass_provider = ad
> > > > > ldap_schema = ad
> > > > > default_shell = /bin/zsh
> > > > > fallback_homedir = /home/DOMAIN/%u
> > > > > dyndns_update = true
> > > > > dyndns_refresh_interval = 43200
> > > > > dyndns_update_ptr = true
> > > > > dyndns_ttl = 3600
> > > > > debug_level = 6
> > > > > #enumerate = true
> > > > >
> > > > > [pam]
> > > > > debug_level = 6
> > > > >
> > > > > [nss]
> > > > > debug_level = 6
> > > > >
> > > > >
> > > > > === sssd_domain.net.log ===
> > > > >
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [dp_get_account_info_send] (0x0200): Got request for
> > > > > [0x3][BE_REQ_INITGROUPS][name=my_username(a)domain.net]
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[dp_attach_req]
> > > > (0x0400):
> > > > > DP Request [Initgroups #17]: New request. Flags [0x0001].
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[dp_attach_req]
> > > > (0x0400):
> > > > > Number of active DP request: 1
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [sdap_get_initgr_next_base] (0x0400): Searching for users with
base
> > > > > [DC=domain,DC=net]
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext
with
> > > > >
> > > >
>
[(&(sAMAccountName=my_username)(objectclass=user)(objectSID=*))][DC=domain,DC=net].
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [sdap_get_generic_op_finished] (0x0400): Search result:
> Success(0), no
> > > > > errmsg set
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_save_user]
> > > > > (0x0400): Save user
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sdap_get_primary_name]
> > > > > (0x0400): Processing object MY_USERNAME
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_save_user]
> > > > > (0x0400): Processing user MY_USERNAME(a)domain.net
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_save_user]
> > > > > (0x0400): Adding original memberOf attributes to [
> MY_USERNAME(a)domain.net
> > > > ].
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_save_user]
> > > > > (0x0400): Adding user principal [MY_USERNAME(a)DOMAIN.NET] to
> attributes
> > > > of [
> > > > > MY_USERNAME(a)domain.net].
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[sdap_save_user]
> > > > > (0x0400): Storing info for user MY_USERNAME(a)domain.net
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sysdb_set_entry_attr]
> > > > > (0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=
> domain.net
> > > > ,cn=sysdb]
> > > > > has set [ts_cache] attrs.
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sysdb_store_user]
> > > > > (0x0400): User "MY_USERNAME(a)domain.net" has been
stored
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext
with
> [no
> > > > > filter][CN=My Username,OU=Users,DC=domain,DC=net].
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [sdap_get_generic_op_finished] (0x0400): Search result:
> Success(0), no
> > > > > errmsg set
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sdap_idmap_sid_to_unix]
> > > > > (0x0400): Object SID [S-1-5-32-545] is a built-in one.
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [sdap_ad_save_group_membership_with_idmapping] (0x0400):
Skipping
> > > > built-in
> > > > > object.
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_get_initgr_done]
> > > > > (0x0400): Primary group already cached, nothing to do.
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_done]
> > > > (0x0400):
> > > > > DP Request [Initgroups #17]: Request handler finished [0]:
Success
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[_dp_req_recv]
> > > > (0x0400):
> > > > > DP Request [Initgroups #17]: Receiving request data.
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [dp_req_destructor]
> > > > > (0x0400): DP Request [Initgroups #17]: Request removed.
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [dp_req_destructor]
> > > > > (0x0400): Number of active DP request: 0
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [dp_get_account_info_initgroups_step] (0x0400): Ordering NSS
> responder to
> > > > > update memory cache
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sysdb_set_entry_attr]
> > > > > (0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=
> domain.net
> > > > ,cn=sysdb]
> > > > > has set [ts_cache] attrs.
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sbus_issue_request_done]
> > > > > (0x0400): sssd.dataprovider.getAccountInfo: Success
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [dp_pam_handler_send]
> > > > > (0x0100): Got request with the following data
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[pam_print_data]
> > > > > (0x0100): command: SSS_PAM_AUTHENTICATE
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[pam_print_data]
> > > > > (0x0100): domain: domain.net
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[pam_print_data]
> > > > > (0x0100): user: MY_USERNAME(a)domain.net
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[pam_print_data]
> > > > > (0x0100): service: login
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[pam_print_data]
> > > > > (0x0100): tty: tty4
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[pam_print_data]
> > > > > (0x0100): ruser:
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[pam_print_data]
> > > > > (0x0100): rhost:
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[pam_print_data]
> > > > > (0x0100): authtok type: 1
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[pam_print_data]
> > > > > (0x0100): newauthtok type: 0
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[pam_print_data]
> > > > > (0x0100): priv: 1
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[pam_print_data]
> > > > > (0x0100): cli_pid: 70306
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[pam_print_data]
> > > > > (0x0100): logon name: not set
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[pam_print_data]
> > > > > (0x0100): flags: 0
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[dp_attach_req]
> > > > (0x0400):
> > > > > DP Request [PAM Authenticate #18]: New request. Flags [0000].
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[dp_attach_req]
> > > > (0x0400):
> > > > > Number of active DP request: 1
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[krb5_auth_send]
> > > > > (0x0100): Domain directory for user [MY_USERNAME(a)domain.net]
not
> known.
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [fo_resolve_service_send]
> > > > > (0x0100): Trying to resolve service 'AD'
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [resolve_srv_send]
> > > > > (0x0200): The status of SRV lookup is resolved
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [be_resolve_server_process] (0x0200): Found address for server
> > > > > ADDC.domain.net: [192.168.5.4] TTL 900
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [write_pipe_handler]
> > > > > (0x0400): All data has been sent!
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [child_sig_handler]
> > > > > (0x0100): child [71170] finished successfully.
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [read_pipe_handler]
> > > > > (0x0400): EOF received, client finished
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [fo_set_port_status]
> > > > > (0x0100): Marking port 389 of server 'ADDC.domain.net'
as
> 'working'
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [set_server_common_status] (0x0100): Marking server '
> ADDC.domain.net' as
> > > > > 'working'
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [fo_set_port_status]
> > > > > (0x0400): Marking port 389 of duplicate server
'ADDC.domain.net'
> as
> > > > > 'working'
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sysdb_set_entry_attr]
> > > > > (0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=
> domain.net
> > > > ,cn=sysdb]
> > > > > has set [cache, ts_cache] attrs.
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sysdb_set_entry_attr]
> > > > > (0x0200): Entry [name=MY_USERNAME(a)domain.net,cn=users,cn=
> domain.net
> > > > ,cn=sysdb]
> > > > > has set [cache, ts_cache] attrs.
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_done]
> > > > (0x0400):
> > > > > DP Request [PAM Authenticate #18]: Request handler finished
[0]:
> Success
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[_dp_req_recv]
> > > > (0x0400):
> > > > > DP Request [PAM Authenticate #18]: Receiving request data.
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [dp_req_destructor]
> > > > > (0x0400): DP Request [PAM Authenticate #18]: Request removed.
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [dp_req_destructor]
> > > > > (0x0400): Number of active DP request: 0
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [dp_method_enabled]
> > > > > (0x0400): Target selinux is not configured
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sbus_issue_request_done]
> > > > > (0x0400): sssd.dataprovider.pamHandler: Success
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [dp_pam_handler_send]
> > > > > (0x0100): Got request with the following data
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[pam_print_data]
> > > > > (0x0100): command: SSS_PAM_ACCT_MGMT
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[pam_print_data]
> > > > > (0x0100): domain: domain.net
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[pam_print_data]
> > > > > (0x0100): user: MY_USERNAME(a)domain.net
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[pam_print_data]
> > > > > (0x0100): service: login
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[pam_print_data]
> > > > > (0x0100): tty: tty4
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[pam_print_data]
> > > > > (0x0100): ruser:
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[pam_print_data]
> > > > > (0x0100): rhost:
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[pam_print_data]
> > > > > (0x0100): authtok type: 0
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[pam_print_data]
> > > > > (0x0100): newauthtok type: 0
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[pam_print_data]
> > > > > (0x0100): priv: 1
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[pam_print_data]
> > > > > (0x0100): cli_pid: 70306
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[pam_print_data]
> > > > > (0x0100): logon name: not set
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[pam_print_data]
> > > > > (0x0100): flags: 0
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[dp_attach_req]
> > > > (0x0400):
> > > > > DP Request [PAM Account #19]: New request. Flags [0000].
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[dp_attach_req]
> > > > (0x0400):
> > > > > Number of active DP request: 1
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_access_send]
> > > > > (0x0400): Performing access check for user
[MY_USERNAME(a)domain.net
> ]
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sdap_account_expired_ad]
> > > > > (0x0400): Performing AD access check for user [
> MY_USERNAME(a)domain.net]
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [ad_gpo_access_send]
> > > > > (0x0400): service login maps to Interactive
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [ad_gpo_connect_done]
> > > > > (0x0400): sam_account_name is COMPUTER$
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext
with
> > > > >
> [(&(objectclass=user)(sAMAccountName=COMPUTER$))][dc=domain,dc=net].
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [sdap_get_generic_op_finished] (0x0400): Search result:
> Success(0), no
> > > > > errmsg set
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext
with
> > > > > [objectclass=domain][DC=domain,DC=net].
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [sdap_get_generic_op_finished] (0x0400): Search result:
> Success(0), no
> > > > > errmsg set
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [ad_master_domain_next_done] (0x0400): Found SID
> > > > > [S-1-5-21-3635097336-3991203712-2063481127].
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext
with
> > > > > [(&(DnsDomain=domain.net)(NtVer=\14\00\00\00))][].
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [sdap_get_generic_op_finished] (0x0400): Search result:
> Success(0), no
> > > > > errmsg set
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [ad_master_domain_netlogon_done] (0x0400): Found flat name
> [DOMAIN].
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [ad_master_domain_netlogon_done] (0x0400): Found site [Domain].
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [ad_master_domain_netlogon_done] (0x0400): Found forest [
> domain.net].
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [ad_gpo_site_name_retrieval_done] (0x0400): Using AD site
> 'cn=Domain'.
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext
with
> > > > > [(objectclass=*)][].
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [sdap_get_generic_op_finished] (0x0400): Search result:
> Success(0), no
> > > > > errmsg set
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[0]->som_dn
is
> > > > > OU=Computers,DC=domain,DC=net
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[1]->som_dn
is
> > > > > DC=domain,DC=net
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [ad_gpo_site_dn_retrieval_done] (0x0400): som_list[2]->som_dn
is
> > > > > cn=Domain,cn=Sites,CN=Configuration,DC=domain,DC=net
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext
with
> > > > > [(objectclass=*)][OU=Computers,DC=domain,DC=net].
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [sdap_get_generic_op_finished] (0x0400): Search result:
> Success(0), no
> > > > > errmsg set
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [ad_gpo_populate_gplink_list] (0x0400): som_dn:
> > > > > OU=Computers,DC=domain,DC=net
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext
with
> > > > > [(objectclass=*)][DC=domain,DC=net].
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [sdap_get_generic_op_finished] (0x0400): Search result:
> Success(0), no
> > > > > errmsg set
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [ad_gpo_populate_gplink_list] (0x0400): som_dn:
DC=domain,DC=net
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext
with
> > > > >
> [(objectclass=*)][cn=Domain,cn=Sites,CN=Configuration,DC=domain,DC=net].
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [sdap_get_generic_op_finished] (0x0400): Search result:
> Success(0), no
> > > > > errmsg set
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [ad_gpo_get_som_attrs_done] (0x0040): no attrs found for SOM;
try
> next
> > > > SOM
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [ad_gpo_populate_candidate_gpos] (0x0400):
> candidate_gpos[0]->gpo_dn:
> > > > >
> > > >
> CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=net
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [ad_gpo_populate_candidate_gpos] (0x0400):
> candidate_gpos[1]->gpo_dn:
> > > > >
> > > >
> cn={6FF5E2F5-D491-45A1-9432-5AB497AEF031},cn=policies,cn=system,DC=domain,DC=net
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [sdap_sd_search_send]
> > > > > (0x0400): Searching entry
> > > > >
> > > >
> [CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=net]
> > > > > using SD
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [sdap_get_generic_ext_send] (0x0400): WARNING: Disabling paging
> because
> > > > > scope is set to base.
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext
with
> > > > >
> > > >
>
[(objectclass=*)][CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=domain,DC=net].
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > > [sdap_get_generic_op_finished] (0x0400): Search result:
> Success(0), no
> > > > > errmsg set
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [ad_gpo_parse_sd]
> > > > > (0x0020): Failed to pull security descriptor
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [ad_gpo_sd_process_attrs]
> > > > > (0x0040): ad_gpo_parse_sd() failed
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [ad_gpo_process_gpo_done]
> > > > > (0x0040): Unable to get GPO list: [22](Invalid argument)
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [ad_gpo_access_done]
> > > > > (0x0040): GPO-based access control failed.
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]] [dp_req_done]
> > > > (0x0400):
> > > > > DP Request [PAM Account #19]: Request handler finished [0]:
Success
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
[_dp_req_recv]
> > > > (0x0400):
> > > > > DP Request [PAM Account #19]: Receiving request data.
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [dp_req_destructor]
> > > > > (0x0400): DP Request [PAM Account #19]: Request removed.
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [dp_req_destructor]
> > > > > (0x0400): Number of active DP request: 0
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> [dp_method_enabled]
> > > > > (0x0400): Target selinux is not configured
> > > > > (Fri May 8 15:10:10 2020) [sssd[be[domain.net]]]
> > > > [sbus_issue_request_done]
> > > > > (0x0400): sssd.dataprovider.pamHandler: Success
> > > > >
> > > > >
> > > > > === sssd_pam.log ====
> > > > >
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [get_client_cred]
(0x0080):
> The
> > > > > following failure is expected to happen in case SELinux is
> disabled:
> > > > > SELINUX_getpeercon failed [95][Operation not supported].
> > > > > Please, consider enabling SELinux in your system.
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [accept_fd_handler]
> (0x0400):
> > > > Client
> > > > > [0x5606d6371860][19] connected to privileged pipe!
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_cmd_get_version]
> (0x0200):
> > > > > Received client version [3].
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [sss_cmd_get_version]
> (0x0200):
> > > > > Offered version [3].
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_cmd_authenticate]
> (0x0100):
> > > > > entering pam_cmd_authenticate
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
[sss_parse_name_for_domains]
> > > > > (0x0200): name 'my_username' matched without domain,
user is
> my_username
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> > > > command:
> > > > > SSS_PAM_AUTHENTICATE
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> domain:
> > > > > not set
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> user:
> > > > > my_username
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> > > > service:
> > > > > login
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> tty:
> > > > tty4
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> ruser:
> > > > > not set
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> rhost:
> > > > > not set
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> authtok
> > > > > type: 1
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> > > > > newauthtok type: 0
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> priv: 1
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> > > > cli_pid:
> > > > > 70306
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> logon
> > > > > name: my_username
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> flags:
> > > > 0
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_send]
(0x0400):
> CR #12:
> > > > > New request 'Initgroups by name'
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
[cache_req_process_input]
> > > > (0x0400):
> > > > > CR #12: Parsing input name [my_username]
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
[sss_parse_name_for_domains]
> > > > > (0x0200): name 'my_username' matched without domain,
user is
> my_username
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_name]
> (0x0400): CR
> > > > > #12: Setting name [my_username]
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
[cache_req_select_domains]
> > > > (0x0400):
> > > > > CR #12: Performing a multi-domain search
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
[cache_req_search_domains]
> > > > (0x0400):
> > > > > CR #12: Search will bypass the cache and check the data
provider
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_domain]
> (0x0400):
> > > > CR
> > > > > #12: Using domain [domain.net]
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
> [cache_req_prepare_domain_data]
> > > > > (0x0400): CR #12: Preparing input data for domain [domain.net]
> rules
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_send]
> (0x0400):
> > > > CR
> > > > > #12: Looking up my_username(a)domain.net
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
[cache_req_search_ncache]
> > > > (0x0400):
> > > > > CR #12: Checking negative cache for [my_username(a)domain.net]
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
[cache_req_search_ncache]
> > > > (0x0400):
> > > > > CR #12: [my_username(a)domain.net] is not present in negative
cache
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_dp]
> (0x0400): CR
> > > > > #12: Looking up [my_username(a)domain.net] in data provider
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
[sss_dp_get_account_send]
> > > > (0x0400):
> > > > > Creating request for [domain.net
> > > > > ][0x3][BE_REQ_INITGROUPS][name=my_username@domain.net:-]
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_cache]
> (0x0400):
> > > > > CR #12: Looking up [my_username(a)domain.net] in cache
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
> [cache_req_search_ncache_filter]
> > > > > (0x0400): CR #12: This request type does not support filtering
> result by
> > > > > negative cache
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_done]
> (0x0400):
> > > > CR
> > > > > #12: Returning updated object [my_username(a)domain.net]
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
> [cache_req_create_and_add_result]
> > > > > (0x0400): CR #12: Found 4 entries in domain domain.net
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_done]
(0x0400):
> CR #12:
> > > > > Finished: Success
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pd_set_primary_name]
> (0x0400):
> > > > > User's primary name is my_username(a)domain.net
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req]
(0x0100):
> > > > Sending
> > > > > request with the following data:
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> > > > command:
> > > > > SSS_PAM_AUTHENTICATE
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> domain:
> > > > > domain.net
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> user:
> > > > > my_username(a)domain.net
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> > > > service:
> > > > > login
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> tty:
> > > > tty4
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> ruser:
> > > > > not set
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> rhost:
> > > > > not set
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> authtok
> > > > > type: 1
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> > > > > newauthtok type: 0
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> priv: 1
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> > > > cli_pid:
> > > > > 70306
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> logon
> > > > > name: my_username
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> flags:
> > > > 0
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dom_forwarder]
> (0x0100):
> > > > > pam_dp_send_req returned 0
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req_done]
> (0x0200):
> > > > > received: [0 (Success)][domain.net]
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [sysdb_set_entry_attr]
> (0x0200):
> > > > > Entry
[name=my_username(a)domain.net,cn=users,cn=domain.net,cn=sysdb]
> has
> > > > set
> > > > > [cache, ts_cache] attrs.
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [filter_responses]
(0x0100):
> > > > > [pam_response_filter] not available, not fatal.
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200):
blen:
> 85
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200):
> Returning
> > > > [0]:
> > > > > Success to the client
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_cmd_acct_mgmt]
> (0x0100):
> > > > > entering pam_cmd_acct_mgmt
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
[sss_parse_name_for_domains]
> > > > > (0x0200): name 'my_username' matched without domain,
user is
> my_username
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> > > > command:
> > > > > SSS_PAM_ACCT_MGMT
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> domain:
> > > > > not set
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> user:
> > > > > my_username
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> > > > service:
> > > > > login
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> tty:
> > > > tty4
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> ruser:
> > > > > not set
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> rhost:
> > > > > not set
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> authtok
> > > > > type: 0
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> > > > > newauthtok type: 0
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> priv: 1
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> > > > cli_pid:
> > > > > 70306
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> logon
> > > > > name: my_username
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> flags:
> > > > 0
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_send]
(0x0400):
> CR #13:
> > > > > New request 'Initgroups by name'
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
[cache_req_process_input]
> > > > (0x0400):
> > > > > CR #13: Parsing input name [my_username]
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
[sss_parse_name_for_domains]
> > > > > (0x0200): name 'my_username' matched without domain,
user is
> my_username
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_name]
> (0x0400): CR
> > > > > #13: Setting name [my_username]
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
[cache_req_select_domains]
> > > > (0x0400):
> > > > > CR #13: Performing a multi-domain search
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
[cache_req_search_domains]
> > > > (0x0400):
> > > > > CR #13: Search will check the cache and check the data provider
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_set_domain]
> (0x0400):
> > > > CR
> > > > > #13: Using domain [domain.net]
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
> [cache_req_prepare_domain_data]
> > > > > (0x0400): CR #13: Preparing input data for domain [domain.net]
> rules
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_send]
> (0x0400):
> > > > CR
> > > > > #13: Looking up my_username(a)domain.net
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
[cache_req_search_ncache]
> > > > (0x0400):
> > > > > CR #13: Checking negative cache for [my_username(a)domain.net]
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
[cache_req_search_ncache]
> > > > (0x0400):
> > > > > CR #13: [my_username(a)domain.net] is not present in negative
cache
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_cache]
> (0x0400):
> > > > > CR #13: Looking up [my_username(a)domain.net] in cache
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_search_send]
> (0x0400):
> > > > CR
> > > > > #13: Returning [my_username(a)domain.net] from cache
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
> [cache_req_search_ncache_filter]
> > > > > (0x0400): CR #13: This request type does not support filtering
> result by
> > > > > negative cache
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]]
> [cache_req_create_and_add_result]
> > > > > (0x0400): CR #13: Found 4 entries in domain domain.net
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [cache_req_done]
(0x0400):
> CR #13:
> > > > > Finished: Success
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pd_set_primary_name]
> (0x0400):
> > > > > User's primary name is my_username(a)domain.net
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req]
(0x0100):
> > > > Sending
> > > > > request with the following data:
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> > > > command:
> > > > > SSS_PAM_ACCT_MGMT
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> domain:
> > > > > domain.net
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> user:
> > > > > my_username(a)domain.net
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> > > > service:
> > > > > login
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> tty:
> > > > tty4
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> ruser:
> > > > > not set
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> rhost:
> > > > > not set
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> authtok
> > > > > type: 0
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> > > > > newauthtok type: 0
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> priv: 1
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> > > > cli_pid:
> > > > > 70306
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> logon
> > > > > name: my_username
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_print_data]
(0x0100):
> flags:
> > > > 0
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dom_forwarder]
> (0x0100):
> > > > > pam_dp_send_req returned 0
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_dp_send_req_done]
> (0x0200):
> > > > > received: [4 (System error)][domain.net]
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [filter_responses]
(0x0100):
> > > > > [pam_response_filter] not available, not fatal.
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200):
blen:
> 31
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [pam_reply] (0x0200):
> Returning
> > > > [4]:
> > > > > System error to the client
> > > > > (Fri May 8 15:10:10 2020) [sssd[pam]] [client_recv] (0x0200):
> Client
> > > > > disconnected!
> > > >
> > > > > _______________________________________________
> > > > > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > > > > To unsubscribe send an email to
> sssd-users-leave(a)lists.fedorahosted.org
> > > > > Fedora Code of Conduct:
> > > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > > List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > List Archives:
> > > >
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> > > > _______________________________________________
> > > > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > > > To unsubscribe send an email to
> sssd-users-leave(a)lists.fedorahosted.org
> > > > Fedora Code of Conduct:
> > > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > List Archives:
> > > >
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> > > >
> >
> > > _______________________________________________
> > > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > > To unsubscribe send an email to
> sssd-users-leave(a)lists.fedorahosted.org
> > > Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> > _______________________________________________
> > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
>
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
1421
days inactive
1442
days old
sssd-users@lists.fedorahosted.org
7 comments
3 participants
participants (3)
-
Orion Poplawski -
Sumit Bose -
Thibault Boyeux