8:41 a.m.
Hi,
That user, test.user, is in the subdomain a.domain.org.
Thr logs mark domain.org as a subdomain of b.domain.org. however, this is not correct -
domain.org is the root domain of which b.domain.org is a subdomain. We do not have users
in the root domain. All users are in other subdomains.
I believe the user I tested in another subdomain, mhunt.test(a)a.domain.org did not show in
the logs. When I tried to log in with mhunt.test(a)a.domain.org the logs show that sssd
believes that domain "a" is a subdomain if b.domain.org rather than another
subdomain of domain.org.
I might have to ask if I can send un-obfuscated incase I am adding in confusion!
Thanks,
Matthew
--- Original Message ---
From: "Jakub Hrozek" <jhrozek(a)redhat.com>
Sent: 29 September 2013 12:26
To: "End-user discussions about the System Security Services Daemon"
<sssd-users(a)lists.fedorahosted.org>
Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest
On Tue, Sep 24, 2013 at 11:02:48AM +0000, a t wrote:
Hi,
please see logs attached. (couldn't upload logs as they were too large so i hope a
tar.gz gets through). I stopped sssd, deleted logs and started sssd. Then ran the commands
below;
ssh B\\test.user@localhost - run at (Tue Sep 24 10:31:19 2013) - login succeds
ssh a\\mhunt.test@localhost - run at (Tue Sep 24 10:32:10 2013) - login fails. The error
on ssh login is "Permission denied, please try again."
(NOTE: I have just noticed I tested with uppercase domain "B" and lowercase
domain "a". I have just retested with uppercase "A" and it still
fails.)
There are DNS server errors in the log.
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_dns_query]
(0x0100): Trying to resolve AAAA record of 'le-vm05-centos6' in DNS
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [schedule_request_timeout] (0x2000):
Scheduling a timeout of 6 seconds
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [schedule_timeout_watcher] (0x2000):
Scheduling DNS timeout watcher
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [request_watch_destructor] (0x0400):
Deleting request watch
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_done] (0x0040):
querying hosts database failed [5]: Input/output error
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [nsupdate_get_addrs_done] (0x0040):
Could not resolve address for this machine, error [5]: Input/output error, resolver
returned: [11]: Could not contact DNS servers
However, DNS from this install is working (when querying its hostname or others on LAN or
internet) and from other boxes querying its hostname. resolv.conf has correct name servers
and they are responding to 'nslookup' and 'host'
Also the following line looks to be creating the parent domain (domain.org) as a
subdomain or b.domain.org?
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [new_subdomain] (0x0400): Creating
[domain.org] as subdomain of [B.DOMAIN.ORG]!
I have changed domain names in logs and changed bits of SIDs. Hope I have not confused
anything with SID changes!!
Thanks,
Matthew
Hi,
I'm sorry for the late reply..
According to these logs I see three potential things to take a look at:
1)
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_dns_query]
(0x0100): Trying to resolve AAAA record of 'le-vm05-centos6' in DNS
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [schedule_request_timeout] (0x2000):
Scheduling a timeout of 6 seconds
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [schedule_timeout_watcher] (0x2000):
Scheduling DNS timeout watcher
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [request_watch_destructor] (0x0400):
Deleting request watch
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_done] (0x0040):
querying hosts database failed [5]: Input/output error
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [nsupdate_get_addrs_done] (0x0040):
Could not resolve address for this
machine, error [5]: Input/output error, resolver returned: [11]: Could not contact DNS
servers
It looks like you were hitting https://fedorahosted.org/sssd/ticket/2063
which should be resolved by now.
What exact version was this? The one from sssd-devel?
2)
The other thing I see:
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [sss_write_domain_mappings] (0x0200):
Mapping file for domain [B.DOMAIN.ORG] is
[/var/lib/sss/pubconf/krb5.include.d/domain_realm_B_DOMAIN_ORG]
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [sss_krb5_touch_config] (0x0020):
Unable to change mtime of "/etc/krb5.conf" [13]: Permission denied
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [sss_write_domain_mappings] (0x0020):
Unable to change last modification time of krb5.conf. Created mappings may not be loaded.
This sounds like SELinux denial to me. Could you try setting SELinux to
permissive for the duration of the test (setenforce 0)
3)
Then in the logs I see a lookup and authentication of [CN=test user,OU=No
Management,OU=User Accounts,DC=b,DC=domain,DC=org]
Is that a root domain or subdomain user? Because this particular request
seems to have completed fine.. According to the logs, the subdomain should
be just called domain.org:
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [new_subdomain] (0x0400): Creating
[domain.org] as subdomain of [B.DOMAIN.ORG]!
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [sdap_domain_subdom_add] (0x0400):
subdomain domain.org is a new one, will create a new sdap domain object
But I don't see a request for a subdomain user from domain.org..not sure
if the real DN just got lost in the obfuscation..
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
1:43 p.m.
New subject: authenticating against all sub-domains in AD forest
On Sun, Sep 29, 2013 at 02:41:11PM +0100, a t wrote:
Hi,
That user, test.user, is in the subdomain a.domain.org.
Thr logs mark domain.org as a subdomain of b.domain.org. however, this is not correct -
domain.org is the root domain of which b.domain.org is a subdomain. We do not have users
in the root domain. All users are in other subdomains.
I believe the user I tested in another subdomain, mhunt.test(a)a.domain.org did not show in
the logs. When I tried to log in with mhunt.test(a)a.domain.org the logs show that sssd
believes that domain "a" is a subdomain if b.domain.org rather than another
subdomain of domain.org.
I might have to ask if I can send un-obfuscated incase I am adding in confusion!
Thanks,
Matthew
Interesting, I see no fatal erorr in the domain log, then. Could you
also paste the tail of /var/log/secure after the auth and also put
debug_level directive into the [pam] section as well?
If you prefer, you can send the logs directly to me without obfuscation.
5:37 a.m.
New subject: authenticating against all sub-domains in AD forest
Date: Tue, 1 Oct 2013 20:43:54 +0200
From: jhrozek(a)redhat.com
To: sssd-users(a)lists.fedorahosted.org
Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest
On Sun, Sep 29, 2013 at 02:41:11PM +0100, a t wrote:
> Hi,
>
> That user, test.user, is in the subdomain a.domain.org.
>
> Thr logs mark domain.org as a subdomain of b.domain.org. however, this is not
correct - domain.org is the root domain of which b.domain.org is a subdomain. We do not
have users in the root domain. All users are in other subdomains.
>
> I believe the user I tested in another subdomain, mhunt.test(a)a.domain.org did not
show in the logs. When I tried to log in with mhunt.test(a)a.domain.org the logs show that
sssd believes that domain "a" is a subdomain if b.domain.org rather than another
subdomain of domain.org.
>
> I might have to ask if I can send un-obfuscated incase I am adding in confusion!
>
> Thanks,
>
> Matthew
Interesting, I see no fatal erorr in the domain log, then. Could you
also paste the tail of /var/log/secure after the auth and also put
debug_level directive into the [pam] section as well?
If you prefer, you can send the logs directly to me without obfuscation.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Hi,
I'll send the logs direct, thank you. I have debug_level = 8. Is that Ok or too
chatty?
Thanks,
Matthew
8:42 a.m.
New subject: authenticating against all sub-domains in AD forest
From: adammtemple(a)hotmail.com
To: sssd-users(a)lists.fedorahosted.org
Date: Thu, 3 Oct 2013 10:37:03 +0000
Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest
Date: Tue, 1 Oct 2013 20:43:54 +0200
From: jhrozek(a)redhat.com
To: sssd-users(a)lists.fedorahosted.org
Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest
On Sun, Sep 29, 2013 at 02:41:11PM +0100, a t wrote:
> Hi,
>
> That user, test.user, is in the subdomain a.domain.org.
>
> Thr logs mark domain.org as a subdomain of b.domain.org. however, this is not
correct - domain.org is the root domain of which b.domain.org is a subdomain. We do not
have users in the root domain. All users are in other subdomains.
>
> I believe the user I tested in another subdomain, mhunt.test(a)a.domain.org did not
show in the logs. When I tried to log in with mhunt.test(a)a.domain.org the logs show that
sssd believes that domain "a" is a subdomain if b.domain.org rather than another
subdomain of domain.org.
>
> I might have to ask if I can send un-obfuscated incase I am adding in confusion!
>
> Thanks,
>
> Matthew
Interesting, I see no fatal erorr in the domain log, then. Could you
also paste the tail of /var/log/secure after the auth and also put
debug_level directive into the [pam] section as well?
If you prefer, you can send the logs directly to me without obfuscation.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Jakub
Please see the PAM log below;
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [server_setup] (0x0400): CONFDB:
/var/lib/sss/db/config.ldb
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [confdb_get_domain_internal] (0x0400): No
enumeration for [B.DOMAIN.ORG]!
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [confdb_get_domain_internal] (0x1000):
pwd_expiration_warning is -1
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sbus_init_connection] (0x0400): Adding connection
0x15634e0
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sbus_add_watch] (0x2000): 0x1563a10/0x155e950
(12), -/W (enabled)
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [monitor_common_send_id] (0x0100): Sending ID:
(pam,1)
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x155e580
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sss_names_init_from_args] (0x0100): Using re
[(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^(a)\\]+)$))].
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sss_fqnames_init] (0x0100): Using fq format
[%1$s@%2$s].
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sss_fqnames_init] (0x0100): Found the pattern for
domain name
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sbus_init_connection] (0x0400): Adding connection
0x1562880
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sbus_add_watch] (0x2000): 0x1565200/0x1562680
(13), -/W (enabled)
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [dp_common_send_id] (0x0100): Sending ID to DP:
(1,PAM)
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x15656b0
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sysdb_domain_init_internal] (0x0200): DB File for
B.DOMAIN.ORG: /var/lib/sss/db/cache_B.DOMAIN.ORG.ldb
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [ldb] (0x0400): asq: Unable to register control
with rootdse!
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sss_process_init] (0x0400): Responder
Initialization complete
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name
'root' matched without domain, user is root
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using
default domain [(null)]
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sss_ncache_set_str] (0x0400): Adding
[NCE/USER/B.DOMAIN.ORG/root] to negative cache permanently
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name
'root' matched without domain, user is root
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using
default domain [(null)]
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sss_ncache_set_str] (0x0400): Adding
[NCE/GROUP/B.DOMAIN.ORG/root] to negative cache permanently
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [responder_set_fd_limit] (0x0100): Maximum file
descriptors set to [8192]
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request
for [0x41b4b0:domains@B.DOMAIN.ORG]
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sss_dp_get_domains_msg] (0x0400): Sending get
domains request for [B.DOMAIN.ORG][forced][]
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x15688b0
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering
request [0x41b4b0:domains@B.DOMAIN.ORG]
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x15656b0
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [dp_id_callback] (0x0100): Got id ack and version
(1) from DP
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x155e580
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [id_callback] (0x0100): Got id ack and version (1)
from Monitor
(Thu Oct 3 14:23:51 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x15688b0
(Thu Oct 3 14:23:51 2013) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data
Provider - DP error code: 0 errno: 0 error message: Success
(Thu Oct 3 14:23:51 2013) [sssd[pam]] [new_subdomain] (0x0400): Creating [domain.org] as
subdomain of [B.DOMAIN.ORG]!
(Thu Oct 3 14:23:51 2013) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request:
[0x41b4b0:domains@B.DOMAIN.ORG]
(Thu Oct 3 14:27:25 2013) [sssd[pam]] [sss_responder_ctx_destructor] (0x0400): Responder
is being shut down
Thanks,
Matthew
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
3850
days inactive
3854
days old
sssd-users@lists.fedorahosted.org
3 comments
2 participants
participants (2)
-
a t -
Jakub Hrozek