SSSD with AD provider - can't obtain group information in subdomain
by 杉山昌治
Hello
I'm struggling with the configuration of sssd to retrieve group information
defined in a subdomain.
I would like to have your support to solve my issue.
Here is my AD configuration. There are 3 AD servers.
Root Domain labroot.example.com (just for top AD management)
Sub Domain labsso.labroot.example.com (user, global group and universal
group are defined here)
Subsub Domain labbu.labsso.labroot.example.com (local domain group is
defined here)
I created a user and groups in those AD servers as below.
User/Groups in Domain sso.example.com
========================
User test_user (MemberOf=G-Group-Server)
Group G-Role-ISOps-Server (Type: Global Group, Members=test_user,
MemberOf=U-Role-ISOps-Server)
Group U-Role-ISOps-Server (Type: Universal Group,
Members=G-Role-ISOps-Server)
User/Groups in Domain sso.example.com
========================
Group D-Role-Server (Type: Domain Local Group,
Members=U-Role-ISOps-Server)
As for SSSD, I tried to use both "1.11.6" and "1.12.1" with the "AD provider"
as backend.
I expected to get all groups (G-Role-ISOps-Server, U-Role-ISOps-Server and
D-ISOps-Server) as the result of the "id test_user" command.
But I could not find the domain local group (D-Role-ISOps-Server) in the groups of
the user "test_user" in the result of the "id test_user" command.
I also could not find any members in the result of the "getent group
D-Role-ISOps-Server" command.
I tried to use a single domain (sso-ad-ad) and multiple domains (sso-ad-ad
and bu-ad-ad) in the sssd configuration, but the result is almost the same.
(When I use the sso-ad-ad domain only, I could not get anything as the result of
"getent group d-role-isops-server".)
# id test_user
uid=638201126(test_user) gid=638200513(domain users) groups=638200513(domain users),638201113(g-role-server),638201118(u-role-server),638200512(domain admins)
# getent group d-role-isops-server
d-role-isops-server:*:927601110:
I'm not sure how the SSSD AD provider searches group information based on the
member/memberOf attributes. I suspect the missing "memberOf" in the universal
group (U-Role-*), and the fact that the "member of the domain local group" (U-Role-ISOps-Server)
is out of scope of the LABBU domain, might be a clue to my issue.
Please advise me what's wrong with my configuration and how to resolve my
issue.
Thanks in advance.
Shoji
*** Configurations and LDAP search results ***
sssd.conf file
==========
[sssd]
config_file_version = 2
services = nss, pam
domains = sso-ad-ad, bu-ad-ad
# domains = sso-ad-ad
[nss]
fallback_homedir = /home/SSO/%u
default_shell = /bin/bash
[pam]
[domain/sso-ad-ad]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_server = jpbw0-in00-is82.labsso.labroot.isops.example.com
ad_hostname = jpbw0-in00-is82.labsso.labroot.isops.example.com
ldap_schema = ad
ad_enable_gc = true
ldap_id_mapping = true
debug_level = 1
[domain/bu-ad-ad]
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_server = jpbw0-in00-is81.labbu.labsso.labroot.isops.example.com
ad_hostname = jpbw0-in00-is81.labbu.labsso.labroot.isops.example.com
ldap_id_mapping = true
debug_level = 1
LDAP Search in Global Catalog of LABSSO
==================================
I can search the domain local group in the global catalog.
[root@jpbl0-in00-is11 providers]# ldapsearch -Y GSSAPI -LLL -H "ldap://jpbw0-in00-is82.labsso.labroot.isops.example.com:3268" -b "DC=labsso,DC=labroot,DC=isops,DC=example,DC=com" "(&(name=d-role-isops-server)(objectclass=group)(name=*))"
SASL/GSSAPI authentication started
SASL username: host/jpbl0-in00-is11.lab.isops.ibm.com@LABSSO.LABROOT.ISOPS.EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
dn: CN=D-Role-ISOps-Server,OU=BU0-ISOps,OU=Roles,DC=labbu,DC=labsso,DC=labroot,DC=isops,DC=example,DC=com
objectClass: top
objectClass: group
cn: D-Role-ISOps-Server
description: Server Team
distinguishedName: CN=D-Role-ISOps-Server,OU=BU0-ISOps,OU=Roles,DC=labbu,DC=labsso,DC=labroot,DC=isops,DC=example,DC=com
instanceType: 0
whenCreated: 20131029185150.0Z
whenChanged: 20131029185448.0Z
uSNCreated: 17964
uSNChanged: 18034
name: D-Role-ISOps-Server
objectGUID:: YflnJQk4IUK4YUAHO43J6w==
objectSid:: AQUAAAAAAAUVAAAAml0mRju+InNXWri7VgQAAA==
sAMAccountName: D-Role-ISOps-Server
sAMAccountType: 536870912
groupType: -2147483644
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=labroot,DC=isops,DC=example,DC=com
dSCorePropagationData: 16010101000000.0Z
LDAP Search in LABSSO
====================
I can not search the domain local group in normal domain.
[root@jpbl0-in00-is11]# ldapsearch -Y GSSAPI -LLL -H "ldap://jpbw0-in00-is82.labsso.labroot.isops.example.com" -b "DC=labsso,DC=labroot,DC=isops,DC=example,DC=com" "(&(name=d-role-isops-server)(objectclass=group)(name=*))"
SASL/GSSAPI authentication started
SASL username: host/jpbl0-in00-is11.lab.isops.example.com@LABSSO.LABROOT.ISOPS.EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
# refldap://labbu.labsso.labroot.isops.example.com/DC=labbu,DC=labsso,DC=labroot,DC=isops,DC=example,DC=com
# refldap://DomainDnsZones.labsso.labroot.isops.example.com/DC=DomainDnsZones,DC=labsso,DC=labroot,DC=isops,DC=example,DC=com
9 years, 7 months
Primary group with ldap_id_mapping
by Jacob Weber
If I have ldap_id_mapping turned on, how does SSSD determine a user's primary group? I don't think
ldap_user_gid_number is used in this case, since the numeric IDs are determined on the client side.
Thanks,
Jacob
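As an added example (not code from either thread above, and not part of SSSD itself), the script below decodes the objectSid quoted in the first thread's Global Catalog ldapsearch output and compares it with the numeric IDs from the "id test_user" and "getent group" output of that thread. With ldap_id_mapping enabled, SSSD derives a POSIX ID as the slice base assigned to the object's domain SID plus the object's RID, so an ID that falls into a different slice than the user's belongs to a different AD domain; the script checks that the group's RID matches its mapped GID and whether the group sits in the user's domain slice. It also covers the primary-group question in the second thread for the id-mapping case: SSSD derives the primary GID from the user's domain SID plus the primaryGroupID attribute (configurable via ldap_user_primary_group), not from ldap_user_gid_number. Assumptions: the default ldap_idmap_range_size of 200000 with slice bases aligned to that size, and primaryGroupID = 513 (Domain Users), since the thread does not show that attribute.

```python
import base64
import struct

# objectSid value copied from the ldapsearch (Global Catalog) output quoted in
# the first thread: the D-Role-ISOps-Server entry.
OBJECTSID_B64 = "AQUAAAAAAAUVAAAAml0mRju+InNXWri7VgQAAA=="

# Numeric IDs copied from the "id test_user" / "getent group" output in the
# first thread.
OBSERVED_IDS = {
    "test_user": 638201126,
    "domain users": 638200513,
    "d-role-isops-server": 927601110,
}

# Assumption: SSSD's default ldap_idmap_range_size; every AD domain gets one
# slice of this size and an object's RID is added to its domain's slice base.
DEFAULT_RANGE_SIZE = 200000
# Assumption: the user's primaryGroupID is the well-known Domain Users RID.
DOMAIN_USERS_RID = 513


def decode_sid(raw):
    """Convert a binary AD objectSid into its S-1-5-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, sub_count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * sub_count:
        raise ValueError("not a well-formed binary SID")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % sub_count, raw[8:])  # 32-bit, little-endian
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def split_sid(sid):
    """Return (domain SID, RID) for an account or group SID."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def slice_of(mapped_id, range_size=DEFAULT_RANGE_SIZE):
    """Slice base a mapped ID belongs to (assumes slice bases are multiples of range_size)."""
    return mapped_id - mapped_id % range_size


def rid_of(mapped_id, range_size=DEFAULT_RANGE_SIZE):
    """RID encoded in a mapped ID, i.e. its offset inside the slice."""
    return mapped_id % range_size


def diagnose(objectsid_b64=OBJECTSID_B64, ids=OBSERVED_IDS):
    """Cross-check the decoded group SID against the IDs the poster observed."""
    sid = decode_sid(base64.b64decode(objectsid_b64))
    domain_sid, rid = split_sid(sid)
    group_gid = ids["d-role-isops-server"]
    user_uid = ids["test_user"]
    user_slice = slice_of(user_uid)
    return {
        "sid": sid,
        "domain_sid": domain_sid,
        "rid": rid,
        # the getent GID must encode the same RID as the objectSid
        "rid_matches_gid": rid_of(group_gid) == rid,
        "group_slice": slice_of(group_gid),
        "user_slice": user_slice,
        # False means the group was mapped from another domain's SID
        "group_in_user_domain": slice_of(group_gid) == user_slice,
        # id-mapping primary GID: user's domain slice base + primaryGroupID
        "expected_primary_gid": user_slice + DOMAIN_USERS_RID,
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print("%-22s %s" % (key, value))
```

Run as-is it reports the group's SID, shows that the GID 927601110 encodes RID 1110 exactly as the objectSid does, that the group sits in the 927600000 slice while test_user and "domain users" sit in the 638200000 slice (a different domain, which is why a sso-ad-ad-only configuration cannot resolve it), and that the id-mapping primary GID 638200513 equals the gid shown by "id test_user".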
9 years, 7 months
sssd fails to connect to LDAP after high load on the server
by Daniel Jung
Hi,
There were a few cases where SSSD seemed to stop working and required a restart
when the server's load average got high (~80 on a 24-thread (processor)
platform).
Running 6.5 centos with 1.9.2-129 x86_64
On 6.5,
sssd_nss.log shows the following:
Thu Jul 31 20:28:38 2014) [sssd[nss]] [sss_dp_init] (0x0010): Failed to
connect to monitor services.
(Thu Jul 31 20:28:38 2014) [sssd[nss]] [sss_process_init] (0x0010): fatal
error setting up backend connector
(Thu Jul 31 20:30:19 2014) [sssd[nss]] [nss_dp_reconnect_init] (0x0010):
Could not reconnect to LDAP provider.
(Thu Jul 31 20:44:16 2014) [sssd[nss]] [nss_dp_reconnect_init] (0x0010):
Could not reconnect to LDAP provider.
(Thu Jul 31 20:44:46 2014) [sssd[nss]] [nss_dp_reconnect_init] (0x0010):
Could not reconnect to LDAP provider.
(Thu Jul 31 20:45:16 2014) [sssd[nss]] [nss_dp_reconnect_init] (0x0010):
Could not reconnect to LDAP provider.
(Thu Jul 31 20:45:46 2014) [sssd[nss]] [nss_dp_reconnect_init] (0x0010):
Could not reconnect to LDAP provider.
<snip>
Fri Aug 1 19:55:18 2014) [sssd[nss]] [nss_dp_reconnect_init] (0x0010):
Could not reconnect to LDAP provider.
(Fri Aug 1 19:55:48 2014) [sssd[nss]] [nss_dp_reconnect_init] (0x0010):
Could not reconnect to LDAP provider.
(Fri Aug 1 19:56:18 2014) [sssd[nss]] [nss_dp_reconnect_init] (0x0010):
Could not reconnect to LDAP provider.
Also the /var/log/messages:
Jul 31 20:26:22 sssd[nss]: Shutting down
Jul 31 20:26:22 ssd[be[LDAP]]: Shutting down
Jul 31 20:26:24 sssd[be[LDAP]]: Starting up
Jul 31 20:26:24 sssd[nss]: Starting up
Jul 31 20:28:34 sssd[be[LDAP]]: Shutting down
Jul 31 20:28:34 sssd[nss]: Shutting down
Jul 31 20:28:38 sssd[nss]: Starting up
Jul 31 20:28:38 sssd[be[LDAP]]: Starting up
Jul 31 20:28:40 sssd[nss]: Starting up
Jul 31 20:30:05 sssd[be[LDAP]]: Shutting down
Jul 31 20:30:25 sssd[be[LDAP]]: Starting up
Seems like the restart @20:30:25 didn't properly restart the sssd daemon? I believe
1.9.2-129 is the latest available?
enumerate is false, ldap_network_timeout is 5 and we have multiple ldap_uri
settings where hosts are separated by ",".
Would appreciate it if you can shed some light on this. Thanks.
9 years, 7 months
/usr/lib/samba/ldb : No such file or directory
by shadrock uhuru
Hi Steve
I think I have found the problem.
This is a portion of the samba install steps from
https://wiki.archlinux.org/index.php/Samba_4_Active_Directory_Domain_Cont...
"If you intend to use the LDB utilities, you will need to set the
LDB_MODULES_PATH"
# echo "export LDB_MODULES_PATH=\"\${LDB_MODULES_PATH}:/usr/lib/samba/ldb\"" > /etc/profile.d/sambaldb.sh
# chmod 0755 /etc/profile.d/sambaldb.sh
# cat /etc/profile.d/sambaldb.sh
export LDB_MODULES_PATH="${LDB_MODULES_PATH}:/usr/lib/samba/ldb"
# export
LDB_MODULES_PATH=":/usr/lib/samba/ldb"
There is no value for ${LDB_MODULES_PATH}.
I assumed that ${LDB_MODULES_PATH} would be exported by samba4.
I then looked further at what was actually exported and decided that the
"${LDB_MODULES_PATH}:" section may not be needed, so I
export LDB_MODULES_PATH="/usr/lib/samba/ldb" and the error disappeared.
I hope nothing breaks further down the line by removing ${LDB_MODULES_PATH}:
shadrock
> > hi everyone
> > could anyone explain the following line in the startup sequence,
> > ldb: unable to stat module :/usr/lib/samba/ldb : No such file or directory
> > the directory exist with file in it .
>
> Have you checked permissions and selinux context?
> Was it removed and then copied from other place?
> Labels and permission might be off then.
>
> > how do i fix it ?
> > shadrock
> >
> >
> > sssd -i -d7
> > (Fri Aug 1 14:08:42:941358 2014) [sssd] [check_file] (0x0400): lstat
> > for [/var/run/nscd/socket] failed: [2][No such file or directory].
> > (Fri Aug 1 14:08:43:034141 2014) [sssd] [ldb] (0x0400):
> > server_sort:Unable to register control with rootdse!
> > (Fri Aug 1 14:08:43:039640 2014) [sssd] [confdb_get_domain_internal]
> > (0x0400): No enumeration for [tissisat.co.uk]!
> > (Fri Aug 1 14:08:43:040001 2014) [sssd] [confdb_get_domain_internal]
> > (0x1000): pwd_expiration_warning is -1
> > (Fri Aug 1 14:08:43:040678 2014) [sssd] [ldb] (0x0400):
> > server_sort:Unable to register control with rootdse!
> > (Fri Aug 1 14:08:43 2014) [sssd] [server_setup] (0x0400): CONFDB:
> > /var/lib/sss/db/config.ldb
> > ldb: unable to stat module :/usr/lib/samba/ldb : No such file or directory
> > (Fri Aug 1 14:08:43 2014) [sssd] [sysdb_domain_init_internal] (0x0200):
> > DB File for tissisat.co.uk: /var/lib/sss/db/cache_tissisat.co.uk.ldb
> > ldb: unable to stat module :/usr/lib/samba/ldb : No such file or directory
> > (Fri Aug 1 14:08:43 2014) [sssd] [ldb] (0x0400): asq: Unable to
> > register control with rootdse!
> > (Fri Aug 1 14:08:43 2014) [sssd] [sbus_new_server] (0x0400): D-BUS
> > Server listening on
> > unix:path=/var/lib/sss/pipes/private/sbus-monitor,guid=4e3498299402c9fa69fe2d4553db915b
9 years, 8 months
/usr/lib/samba/ldb : No such file or directory
by shadrock uhuru
Hi everyone,
could anyone explain the following line in the startup sequence?
ldb: unable to stat module :/usr/lib/samba/ldb : No such file or directory
The directory exists with files in it.
How do I fix it?
shadrock
sssd -i -d7
(Fri Aug 1 14:08:42:941358 2014) [sssd] [check_file] (0x0400): lstat
for [/var/run/nscd/socket] failed: [2][No such file or directory].
(Fri Aug 1 14:08:43:034141 2014) [sssd] [ldb] (0x0400):
server_sort:Unable to register control with rootdse!
(Fri Aug 1 14:08:43:039640 2014) [sssd] [confdb_get_domain_internal]
(0x0400): No enumeration for [tissisat.co.uk]!
(Fri Aug 1 14:08:43:040001 2014) [sssd] [confdb_get_domain_internal]
(0x1000): pwd_expiration_warning is -1
(Fri Aug 1 14:08:43:040678 2014) [sssd] [ldb] (0x0400):
server_sort:Unable to register control with rootdse!
(Fri Aug 1 14:08:43 2014) [sssd] [server_setup] (0x0400): CONFDB:
/var/lib/sss/db/config.ldb
ldb: unable to stat module :/usr/lib/samba/ldb : No such file or directory
(Fri Aug 1 14:08:43 2014) [sssd] [sysdb_domain_init_internal] (0x0200):
DB File for tissisat.co.uk: /var/lib/sss/db/cache_tissisat.co.uk.ldb
ldb: unable to stat module :/usr/lib/samba/ldb : No such file or directory
(Fri Aug 1 14:08:43 2014) [sssd] [ldb] (0x0400): asq: Unable to
register control with rootdse!
(Fri Aug 1 14:08:43 2014) [sssd] [sbus_new_server] (0x0400): D-BUS
Server listening on
unix:path=/var/lib/sss/pipes/private/sbus-monitor,guid=4e3498299402c9fa69fe2d4553db915b
9 years, 8 months
/usr/lib/samba/ldb : No such file or directory
by shadrock uhuru
Hi Steve
I'm working on Arch Linux; there is no SELinux to be concerned with.
The directory and all the files in /usr/lib/samba/ldb have
permission 755 and are owned by root:root,
and they have not been changed in any way.
shadrock
> > hi everyone
> > could anyone explain the following line in the startup sequence,
> > ldb: unable to stat module :/usr/lib/samba/ldb : No such file or directory
> > the directory exist with file in it .
>
> Have you checked permissions and selinux context?
> Was it removed and then copied from other place?
> Labels and permission might be off then.
>
> > how do i fix it ?
> > shadrock
> >
> >
> > sssd -i -d7
> > (Fri Aug 1 14:08:42:941358 2014) [sssd] [check_file] (0x0400): lstat
> > for [/var/run/nscd/socket] failed: [2][No such file or directory].
> > (Fri Aug 1 14:08:43:034141 2014) [sssd] [ldb] (0x0400):
> > server_sort:Unable to register control with rootdse!
> > (Fri Aug 1 14:08:43:039640 2014) [sssd] [confdb_get_domain_internal]
> > (0x0400): No enumeration for [tissisat.co.uk]!
> > (Fri Aug 1 14:08:43:040001 2014) [sssd] [confdb_get_domain_internal]
> > (0x1000): pwd_expiration_warning is -1
> > (Fri Aug 1 14:08:43:040678 2014) [sssd] [ldb] (0x0400):
> > server_sort:Unable to register control with rootdse!
> > (Fri Aug 1 14:08:43 2014) [sssd] [server_setup] (0x0400): CONFDB:
> > /var/lib/sss/db/config.ldb
> > ldb: unable to stat module :/usr/lib/samba/ldb : No such file or directory
> > (Fri Aug 1 14:08:43 2014) [sssd] [sysdb_domain_init_internal] (0x0200):
> > DB File for tissisat.co.uk: /var/lib/sss/db/cache_tissisat.co.uk.ldb
> > ldb: unable to stat module :/usr/lib/samba/ldb : No such file or directory
> > (Fri Aug 1 14:08:43 2014) [sssd] [ldb] (0x0400): asq: Unable to
> > register control with rootdse!
> > (Fri Aug 1 14:08:43 2014) [sssd] [sbus_new_server] (0x0400): D-BUS
> > Server listening on
> > unix:path=/var/lib/sss/pipes/private/sbus-monitor,guid=4e3498299402c9fa69fe2d4553db915b
9 years, 8 months