Hi Jakub.
> Note using this round-robin DNS name "myadserver"
> works with the RHEL6 "stock" sssd we are running
> (sssd-1.5.1-34.el6_1.3.x86_64).
>
> So this has been introduced somewhere between that version and v1.5.14.
>
> BTW I tried setting "ldap_sasl_canonicalize" to true and false. It
> didn't make any difference.
>
> Can I no longer use a round-robin DNS name for my ldap server?
>
> Tim, what openldap and glibc versions are you running? I think getting the
> "don't canonicalize" scenario to work involved fixes to several components
> including glibc and openldap.
This is on RHEL6, so I think these are the current versions:
# rpm -q glibc openldap
glibc-2.12-1.25.el6_1.3.x86_64
glibc-2.12-1.25.el6_1.3.i686
openldap-2.4.23-15.el6_1.3.x86_64
> Does merely swapping the sssd version with the same openldap and
> glibc versions help?
I'm not sure what I should swap. I'm running the latest openldap and glibc, I
could try the RHEL6 beta packages.
OK, just installed the RHEL6 beta glibc and openldap...
# rpm -q glibc openldap
glibc-2.12-1.43.el6.x86_64
glibc-2.12-1.43.el6.i686
openldap-2.4.23-19.el6.x86_64
This is the debug output with ldap_sasl_canonicalize = false:
(Thu Oct 27 10:16:04 2011) [sssd[be[XXX.XXX.XXX]]] [be_resolve_server_done] (4): Found
address for server adldapdns.xxx.xxx.xxx: [10.70.134.3] TTL 604800
(Thu Oct 27 10:16:04 2011) [sssd[be[XXX.XXX.XXX]]] [sdap_kinit_kdc_resolved] (7): KDC
resolved, attempting to get TGT...
(Thu Oct 27 10:16:04 2011) [sssd[be[XXX.XXX.XXX]]] [create_tgt_req_send_buffer] (7):
buffer size: 86
(Thu Oct 27 10:16:04 2011) [sssd[be[XXX.XXX.XXX]]] [child_handler_setup] (8): Setting up
signal handler up for pid [2584]
(Thu Oct 27 10:16:04 2011) [sssd[be[XXX.XXX.XXX]]] [child_handler_setup] (8): Signal
handler set up for pid [2584]
(Thu Oct 27 10:16:04 2011) [sssd[be[XXX.XXX.XXX]]] [set_tgt_child_timeout] (6): Setting
6 seconds timeout for tgt child
(Thu Oct 27 10:16:04 2011) [sssd[be[XXX.XXX.XXX]]] [sdap_process_result] (8): Trace:
sh[0x11adfb0], connected[1], ops[(nil)], ldap[0x11ae6a0]
(Thu Oct 27 10:16:04 2011) [sssd[be[XXX.XXX.XXX]]] [sdap_process_result] (8): Trace:
ldap_result found nothing!
(Thu Oct 27 10:16:04 2011) [sssd[be[XXX.XXX.XXX]]] [write_pipe_handler] (6): All data
has been sent!
(Thu Oct 27 10:16:04 2011) [sssd] [main] (7): ldap_child started.
(Thu Oct 27 10:16:04 2011) [[sssd[ldap_child[2584]]]] [unpack_buffer] (7): total buffer
size: 86
(Thu Oct 27 10:16:04 2011) [[sssd[ldap_child[2584]]]] [unpack_buffer] (7): realm_str
size: 12
(Thu Oct 27 10:16:04 2011) [[sssd[ldap_child[2584]]]] [unpack_buffer] (7): got
realm_str: XXX.XXX.XXX
(Thu Oct 27 10:16:04 2011) [[sssd[ldap_child[2584]]]] [unpack_buffer] (7): princ_str
size: 42
(Thu Oct 27 10:16:04 2011) [[sssd[ldap_child[2584]]]] [unpack_buffer] (7): got
princ_str: host/myhost999.xxx.xxx.xxx(a)XXX.XXX.XXX
(Thu Oct 27 10:16:04 2011) [[sssd[ldap_child[2584]]]] [unpack_buffer] (7): keytab_name
size: 16
(Thu Oct 27 10:16:04 2011) [[sssd[ldap_child[2584]]]] [unpack_buffer] (7): got
keytab_name: /etc/krb5.keytab
(Thu Oct 27 10:16:04 2011) [[sssd[ldap_child[2584]]]] [unpack_buffer] (7): lifetime:
86400
(Thu Oct 27 10:16:04 2011) [[sssd[ldap_child[2584]]]] [ldap_child_get_tgt_sync] (4):
Principal name is: [host/myhost999.xxx.xxx.xxx(a)XXX.XXX.XXX]
(Thu Oct 27 10:16:05 2011) [sssd[be[XXX.XXX.XXX]]] [read_pipe_handler] (6): EOF
received, client finished
(Thu Oct 27 10:16:05 2011) [sssd[be[XXX.XXX.XXX]]] [sdap_get_tgt_recv] (6): Child
responded: 0 [FILE:/apps/sssd-1.5.14/var/lib/sss/db/ccache_XXX.XXX.XXX], expired on
[1319710565]
(Thu Oct 27 10:16:05 2011) [sssd[be[XXX.XXX.XXX]]] [sasl_bind_send] (4): Executing sasl
bind mech: gssapi, user: host/myhost999.xxx.xxx.xxx(a)XXX.XXX.XXX
(Thu Oct 27 10:16:06 2011) [sssd[be[XXX.XXX.XXX]]] [sasl_bind_send] (1): ldap_sasl_bind
failed (-2)[Local error]
(Thu Oct 27 10:16:06 2011) [sssd[be[XXX.XXX.XXX]]] [child_sig_handler] (7): Waiting for
child [2584].
(Thu Oct 27 10:16:06 2011) [sssd[be[XXX.XXX.XXX]]] [child_sig_handler] (4): child [2584]
finished successfully.
(Thu Oct 27 10:16:06 2011) [sssd[be[XXX.XXX.XXX]]] [fo_set_port_status] (4): Marking
port 389 of server 'adldapdns.xxx.xxx.xxx' as 'not working'
So still getting "Local error" from the sasl_bind.
This is the debug output with ldap_sasl_canonicalize = true:
(Thu Oct 27 10:17:12 2011) [sssd[be[XXX.XXX.XXX]]] [be_resolve_server_done] (4): Found
address for server adldapdns.xxx.xxx.xxx: [10.70.13.134] TTL 604800
(Thu Oct 27 10:17:12 2011) [sssd[be[XXX.XXX.XXX]]] [sdap_kinit_kdc_resolved] (7): KDC
resolved, attempting to get TGT...
(Thu Oct 27 10:17:12 2011) [sssd[be[XXX.XXX.XXX]]] [create_tgt_req_send_buffer] (7):
buffer size: 86
(Thu Oct 27 10:17:12 2011) [sssd[be[XXX.XXX.XXX]]] [child_handler_setup] (8): Setting up
signal handler up for pid [2604]
(Thu Oct 27 10:17:12 2011) [sssd[be[XXX.XXX.XXX]]] [child_handler_setup] (8): Signal
handler set up for pid [2604]
(Thu Oct 27 10:17:12 2011) [sssd[be[XXX.XXX.XXX]]] [set_tgt_child_timeout] (6): Setting
6 seconds timeout for tgt child
(Thu Oct 27 10:17:12 2011) [sssd[be[XXX.XXX.XXX]]] [sdap_process_result] (8): Trace:
sh[0xfabf20], connected[1], ops[(nil)], ldap[0xfac610]
(Thu Oct 27 10:17:12 2011) [sssd[be[XXX.XXX.XXX]]] [sdap_process_result] (8): Trace:
ldap_result found nothing!
(Thu Oct 27 10:17:12 2011) [sssd[be[XXX.XXX.XXX]]] [write_pipe_handler] (6): All data
has been sent!
(Thu Oct 27 10:17:12 2011) [sssd] [main] (7): ldap_child started.
(Thu Oct 27 10:17:12 2011) [[sssd[ldap_child[2604]]]] [unpack_buffer] (7): total buffer
size: 86
(Thu Oct 27 10:17:12 2011) [[sssd[ldap_child[2604]]]] [unpack_buffer] (7): realm_str
size: 12
(Thu Oct 27 10:17:12 2011) [[sssd[ldap_child[2604]]]] [unpack_buffer] (7): got
realm_str: XXX.XXX.XXX
(Thu Oct 27 10:17:12 2011) [[sssd[ldap_child[2604]]]] [unpack_buffer] (7): princ_str
size: 42
(Thu Oct 27 10:17:12 2011) [[sssd[ldap_child[2604]]]] [unpack_buffer] (7): got
princ_str: host/myhost999.xxx.xxx.xxx(a)XXX.XXX.XXX
(Thu Oct 27 10:17:12 2011) [[sssd[ldap_child[2604]]]] [unpack_buffer] (7): keytab_name
size: 16
(Thu Oct 27 10:17:12 2011) [[sssd[ldap_child[2604]]]] [unpack_buffer] (7): got
keytab_name: /etc/krb5.keytab
(Thu Oct 27 10:17:12 2011) [[sssd[ldap_child[2604]]]] [unpack_buffer] (7): lifetime:
86400
(Thu Oct 27 10:17:12 2011) [[sssd[ldap_child[2604]]]] [ldap_child_get_tgt_sync] (4):
Principal name is: [host/myhost999.xxx.xxx.xxx(a)XXX.XXX.XXX]
(Thu Oct 27 10:17:13 2011) [sssd[be[XXX.XXX.XXX]]] [read_pipe_handler] (6): EOF
received, client finished
(Thu Oct 27 10:17:13 2011) [sssd[be[XXX.XXX.XXX]]] [sdap_get_tgt_recv] (6): Child
responded: 0 [FILE:/apps/sssd-1.5.14/var/lib/sss/db/ccache_XXX.XXX.XXX], expired on
[1319710633]
(Thu Oct 27 10:17:13 2011) [sssd[be[XXX.XXX.XXX]]] [sasl_bind_send] (4): Executing sasl
bind mech: gssapi, user: host/myhost999.xxx.xxx.xxx(a)XXX.XXX.XXX
(Thu Oct 27 10:17:13 2011) [sssd[be[XXX.XXX.XXX]]] [child_sig_handler] (7): Waiting for
child [2604].
(Thu Oct 27 10:17:13 2011) [sssd[be[XXX.XXX.XXX]]] [child_sig_handler] (4): child [2604]
finished successfully.
(Thu Oct 27 10:17:13 2011) [sssd[be[XXX.XXX.XXX]]] [fo_set_port_status] (4): Marking
port 389 of server 'adldapdns.xxx.xxx.xxx' as 'working'
So it's working now... kinda. :)
Some questions:
1) I don't understand why this makes a difference. Surely DISABLING the reverse
lookup during the bind would make this work. Not the other way around?
2) The login process with ldap_sasl_canonicalize = true is CONSIDERABLY SLOWER. It
takes a long time to get a Password: prompt. When it's false I get the prompt
straight away (but it won't log in). I can only assume because the sasl_bind failed
that it doesn't do the initgroups (and that's what takes a long time).
3) Now that I can login, I find the system can't resolve uids and gids to
usernames and groupnames. e.g.
ssh myhost999
Password:
Last login: Thu Oct 27 10:14:24 2011 from anotherhost.xxx.xxx.xxx
id: cannot find name for user ID 9999999
id: cannot find name for user ID 9999999
$ id
uid=9999999 gid=900(localgroup1)
groups=900(localgroup1),902,1923(localgroup2),2131,2132,2135,2202,2203,9000,9001,9002,9003,9004,9007,9008,9009,9010,9011,9012,9015,9020,9023,9028,9030,9031,9032,9034,9037,9042,9043,9045,9047,9048,9050,9055,9056,9058,9070,9071,9100,9101,9151,9156,9158,9164,9165,9166,9167,9169,9170,9172,9173,9175,9176,9177,9178,9179,9181,9185,9187,9188,9193,9198,9200,9202,9203,9205,9207,9208,9209,9210,9211,9212,9214,9215,9216,9219,9220,9221,9223,9224,9228,9229,9235,9237,9239,9243,9244,9247,9248,9251,9252,9254,9255,9256,9257,9260,9263,9264,9265,9267,9268,9270,9271,9273,9274,9275,9276,9277,9278,9279,9281,9282,9283,9284,9285,9287,9288,9290,9291,9292,9296,9297,9299,9300,9301,9302,9304,9309,9310,9311,9312,9313,9314,9315,9316,9318,9319,9321,9322,9323,9324,9325,9326,9328,9329,9337,9338,9339,9340,9341
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ groups
localgroup1 groups: cannot find name for group ID 902
902 localgroup2 groups: cannot find name for group ID 2131
2131 groups: cannot find name for group ID 2132
2132 groups: cannot find name for group ID 2135
2135 groups: cannot find name for group ID 2202
2202 groups: cannot find name for group ID 2203
..etc
..etc
Best Regards,
Tim.
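Added example, not from the thread or the sssd project: a small Python triage helper that parses sssd debug entries in the format quoted above and separates "TGT acquisition failed" from "TGT obtained but the GSSAPI bind failed locally", which is the pattern in the ldap_sasl_canonicalize = false trace. The sample lines, hostnames and realm are constructed placeholders; the classification labels are my own.

```python
import re

# Constructed sample in the sssd debug-log format shown in the thread (one entry
# per line in the real file; the mail client wrapped them). Names are placeholders.
SAMPLE_LOG = """\
(Thu Oct 27 10:16:04 2011) [sssd[be[EXAMPLE.REALM]]] [be_resolve_server_done] (4): Found address for server ldap.example.com: [192.0.2.10] TTL 604800
(Thu Oct 27 10:16:05 2011) [sssd[be[EXAMPLE.REALM]]] [sdap_get_tgt_recv] (6): Child responded: 0 [FILE:/var/lib/sss/db/ccache_EXAMPLE.REALM], expired on [1319710565]
(Thu Oct 27 10:16:05 2011) [sssd[be[EXAMPLE.REALM]]] [sasl_bind_send] (4): Executing sasl bind mech: gssapi, user: host/client.example.com@EXAMPLE.REALM
(Thu Oct 27 10:16:06 2011) [sssd[be[EXAMPLE.REALM]]] [sasl_bind_send] (1): ldap_sasl_bind failed (-2)[Local error]
(Thu Oct 27 10:16:06 2011) [sssd[be[EXAMPLE.REALM]]] [fo_set_port_status] (4): Marking port 389 of server 'ldap.example.com' as 'not working'
"""

# (timestamp) [component] [function] (debug level): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[(?P<comp>.+?)\] \[(?P<func>\w+)\] "
                     r"\((?P<level>\d+)\): (?P<msg>.*)$")

def parse_log(text):
    """One dict per well-formed entry; unparsable (e.g. wrapped) lines are skipped."""
    return [{**m.groupdict(), "level": int(m.group("level"))}
            for m in map(LINE_RE.match, text.splitlines()) if m]

def summarize_bind(entries):
    """Facts that matter for a GSSAPI bind: server/IP, TGT, principal, error, verdict."""
    s = dict.fromkeys(["server", "address", "tgt_ok", "bind_user", "bind_error", "port_status"])
    for e in entries:
        f, msg = e["func"], e["msg"]
        if f == "be_resolve_server_done":
            m = re.search(r"server (\S+): \[([^\]]+)\]", msg)
            if m: s["server"], s["address"] = m.groups()
        elif f == "sdap_get_tgt_recv":          # exit status of the ldap_child that ran kinit
            m = re.search(r"Child responded: (\d+)", msg)
            if m: s["tgt_ok"] = m.group(1) == "0"
        elif f == "sasl_bind_send":
            m = re.search(r"mech: \S+, user: (\S+)", msg)
            if m: s["bind_user"] = m.group(1)
            m = re.search(r"ldap_sasl_bind failed \((-?\d+)\)\[([^\]]+)\]", msg)
            if m: s["bind_error"] = (int(m.group(1)), m.group(2))
        elif f == "fo_set_port_status":         # failover verdict for this server/port
            m = re.search(r"as '([^']+)'$", msg)
            if m: s["port_status"] = m.group(1)
    return s

def diagnose(s):
    if s["tgt_ok"] is False:
        return "tgt-acquisition-failed"      # keytab or KDC problem: read the ldap_child lines
    if s["bind_error"] and s["bind_error"][1] == "Local error":
        return "gssapi-bind-failed-locally"  # TGT is fine; failure is in the client-side GSSAPI step
    if s["bind_error"]:
        return "bind-failed-other"
    return "bind-ok" if s["port_status"] == "working" else "incomplete"
```

Run it over a real sssd_<domain>.log with debug_level raised; a "Local error" after a successful TGT points at the client-side GSSAPI exchange (service principal/hostname handling) rather than at the keytab.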