Deleted /var/lib/sss/ by mistake
by Ali, Saqib
I deleted /var/lib/sss/ by mistake. Now when I try to start SSSD, I
get the following errors:
(Wed Nov 23 11:40:36:059914 2016) [sssd] [check_file] (0x0400):
lstat for [/var/run/nscd/socket] failed: [2][No such file or
directory].
(Wed Nov 23 11:40:36:061661 2016) [sssd] [ldb] (0x0400): ltdb:
tdb(/var/lib/sss/db/config.ldb): tdb_open_ex: could not open file
/var/lib/sss/db/config.ldb: No such file or directory
(Wed Nov 23 11:40:36:061686 2016) [sssd] [ldb] (0x0020): Unable to
open tdb '/var/lib/sss/db/config.ldb': No such file or directory
(Wed Nov 23 11:40:36:061699 2016) [sssd] [ldb] (0x0020): Failed to
connect to '/var/lib/sss/db/config.ldb' with backend 'tdb': Unable to
open tdb '/var/lib/sss/db/config.ldb': No such file or directory
(Wed Nov 23 11:40:36:061709 2016) [sssd] [confdb_init] (0x0010):
Unable to open config database [/var/lib/sss/db/config.ldb]
(Wed Nov 23 11:40:36:061838 2016) [sssd] [load_configuration]
(0x0010): The confdb initialization failed
(Wed Nov 23 11:40:36:061865 2016) [sssd] [main] (0x0020): SSSD
couldn't load the configuration database.
I have already tried uninstalling and re-installing sssd. That didn't help.
How do I restore this directory?
Thanks,
Saqib
7 years, 4 months
Re: Re: problems to get sssd started
by Johan Kragsterman
Hi again!
-----Johan Kragsterman/Capvert wrote: -----
To: End-user discussions about the System Security Services Daemon <sssd-users(a)lists.fedorahosted.org>
From: Johan Kragsterman/Capvert
Date: 2016-12-03 19:11
Subject: Re: [SSSD-users] Re: problems to get sssd started
Hi!
-----Lukas Slebodnik <lslebodn(a)redhat.com> wrote: -----
To: End-user discussions about the System Security Services Daemon <sssd-users(a)lists.fedorahosted.org>
From: Lukas Slebodnik <lslebodn(a)redhat.com>
Date: 2016-12-03 18:55
Subject: [SSSD-users] Re: problems to get sssd started
On (03/12/16 19:19), Johan Kragsterman wrote:
Does /etc/sssd/sssd.conf have correct permissions?
sh# ls -ld /etc/sssd/
drwx------. 1 root root 92 Nov 28 11:51 /etc/sssd/
sh# ls -ld /etc/sssd/sssd.conf
-rw-------. 1 root root 4992 Nov 28 11:51 /etc/sssd/sssd.conf
Ahaa, should the directory ALSO belong to root? I thought only the sssd.conf should be root. So in my case, the directory sssd belongs to user sssd, and the sssd.conf file to root.
I try and change that and get back...
No luck with this. Changed permissions on directory, and same error...
Going to check out the instructions you linked to now.
hmm, permission might be correct on sssd.conf
Try to follow instructions in
https://fedorahosted.org/sssd/wiki/Troubleshooting
In your case, you might increase the debug level in the main section "[sssd]"
LS
7 years, 4 months
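Lukas's reply turns on the ownership and mode of /etc/sssd and sssd.conf, and his `ls -ld` output shows the values he expects (drwx------ root:root for the directory, -rw------- root:root for the file). The following is an added example, not code from the SSSD project, that checks a config file and its directory against exactly those values; `build_fixture` and `expected_for_current_user` exist only so the check can be exercised on a throwaway copy without root.

```python
"""Added example (not SSSD project code): verify that sssd.conf and the
directory holding it carry the ownership and mode shown in Lukas's `ls -ld`
listing (drwx------ root:root for /etc/sssd, -rw------- root:root for sssd.conf).
"""
import os
import pwd
import stat
import tempfile
from typing import Dict, List

# Expected values, copied from the listing in the thread.
EXPECTED = {
    "dir": {"mode": 0o700, "owner": "root"},
    "conf": {"mode": 0o600, "owner": "root"},
}


def uid_name(uid: int) -> str:
    """Map a uid to a user name; fall back to the numeric uid when unknown."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def check_sssd_conf(conf_path: str, expected: Dict = EXPECTED) -> List[str]:
    """Compare the config file and its parent directory against `expected`.

    Returns a list of findings; an empty list means both match.
    """
    findings: List[str] = []
    checks = (("dir", os.path.dirname(conf_path)), ("conf", conf_path))
    for label, path in checks:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append(f"{path}: missing")
            continue
        mode = stat.S_IMODE(st.st_mode)          # permission bits only
        want_mode = expected[label]["mode"]
        want_owner = expected[label]["owner"]
        if mode != want_mode:
            findings.append(f"{path}: mode {mode:04o}, expected {want_mode:04o}")
        owner = uid_name(st.st_uid)
        if owner != want_owner:
            findings.append(f"{path}: owner {owner}, expected {want_owner}")
    return findings


def expected_for_current_user() -> Dict:
    """Same modes as EXPECTED, but owned by whoever runs this (for a dry run)."""
    me = uid_name(os.getuid())
    return {k: {"mode": v["mode"], "owner": me} for k, v in EXPECTED.items()}


def build_fixture(conf_mode: int = 0o600) -> str:
    """Create a throwaway <tmpdir>/sssd.conf with the given mode (constructed data)."""
    d = tempfile.mkdtemp(prefix="sssd-check-")
    os.chmod(d, 0o700)
    conf = os.path.join(d, "sssd.conf")
    with open(conf, "w") as fh:
        fh.write("[sssd]\nservices = nss, pam\n")
    os.chmod(conf, conf_mode)
    return conf


if __name__ == "__main__":
    # Real check against the live config; prints "ok" when nothing deviates.
    for finding in check_sssd_conf("/etc/sssd/sssd.conf") or ["ok"]:
        print(finding)
```

Run it as-is to audit the live /etc/sssd/sssd.conf against the root-owned layout from the thread; pass a different `expected` dict if your build runs sssd as an unprivileged service user and expects that user to own the files.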
DNS lookups for ldapi://
by Michael Ströder
Hi!
On the LDAP replicas themselves I'd like to use ldapi:// [1] in parameter
ldap_uri to use the local slapd as primary server and point to the other
replicas in ldap_backup_uri.
Example:
ldap_uri = ldapi://%2Fusr%2Flocal%2Fopenldap%2Fvar%2Frun%2Fldapi
ldap_backup_uri = ldaps://slapd2.example.com ldaps://slapd3.example.com
But in this case I can see DNS lookups sent to the DNS recursor like this:
Nov 30 00:07:57 dnsrec pdns_recursor[19180]: 2 [674869217] question for
'/usr/local/openldap/var/run/ldapi.example.com.|A' from
10.1.32.104
'/usr/local/openldap/var/run/ldapi' is the path name of the LDAPI Unix domain
socket and example.com is in the search list in /etc/resolv.conf.
Hmm, I currently don't have access to the machine. Therefore I can't even check
whether LDAPI works at all.
=> sssd should avoid DNS lookup completely in case of ldapi:// being used
Any comments before I file a ticket?
Ciao, Michael.
[1] https://tools.ietf.org/html/draft-chu-ldap-ldapi-00
7 years, 4 months
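Michael's point is that the authority component of an ldapi:// URI is a percent-encoded socket path, not a host name, so nothing in it should ever reach a resolver. The following added example (not SSSD code) parses a space-separated `ldap_uri` / `ldap_backup_uri` value the way sssd.conf writes it, decodes ldapi:// targets, and lists only the names that genuinely need a DNS lookup; `search_list_query` reproduces the query name from his pdns_recursor log to show what goes wrong when the decoded path is treated as a host name and the resolv.conf search suffix is appended. The URI values are taken from his message; the function names are this example's own.

```python
"""Added example (not SSSD code): classify the entries of an sssd.conf
ldap_uri / ldap_backup_uri value and decide which of them need a DNS lookup.
An ldapi:// URI carries a percent-encoded Unix socket path in the authority
slot (draft-chu-ldap-ldapi-00), so it never names a host.
"""
import ipaddress
from typing import List, NamedTuple, Optional
from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed from the values in Michael's message.
MICHAEL_LDAP_URI = "ldapi://%2Fusr%2Flocal%2Fopenldap%2Fvar%2Frun%2Fldapi"
MICHAEL_BACKUP_URI = "ldaps://slapd2.example.com ldaps://slapd3.example.com"


class LdapTarget(NamedTuple):
    scheme: str
    target: str           # decoded socket path for ldapi, host name or IP otherwise
    port: Optional[int]   # None for ldapi
    needs_dns: bool


def is_ip_literal(host: str) -> bool:
    """True for a bare IPv4/IPv6 address, which needs no lookup either."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_ldap_uris(value: str) -> List[LdapTarget]:
    """Parse a space-separated URI list as used for ldap_uri in sssd.conf."""
    targets: List[LdapTarget] = []
    for uri in value.split():
        parts = urlsplit(uri)
        scheme = parts.scheme.lower()
        if scheme == "ldapi":
            # The 'host' component is the socket path with '/' encoded as %2F.
            targets.append(LdapTarget(scheme, unquote(parts.netloc), None, False))
        elif scheme in DEFAULT_PORTS:
            host = parts.hostname or ""
            port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
            targets.append(LdapTarget(scheme, host, port, not is_ip_literal(host)))
        else:
            raise ValueError(f"unsupported LDAP URI scheme in {uri!r}")
    return targets


def dns_names_needed(value: str) -> List[str]:
    """Host names a resolver must look up before any connection is attempted."""
    return [t.target for t in parse_ldap_uris(value) if t.needs_dns]


def search_list_query(ldapi_uri: str, search_domain: str) -> str:
    """Query name produced if the decoded socket path were handed to the
    resolver as a host name and the resolv.conf search suffix appended;
    this is the name Michael's recursor logged."""
    target = parse_ldap_uris(ldapi_uri)[0]
    return f"{target.target}.{search_domain}"


if __name__ == "__main__":
    for t in parse_ldap_uris(MICHAEL_LDAP_URI + " " + MICHAEL_BACKUP_URI):
        print(t)
    print("needs DNS:", dns_names_needed(MICHAEL_LDAP_URI + " " + MICHAEL_BACKUP_URI))
    print("bogus query:", search_list_query(MICHAEL_LDAP_URI, "example.com"))
```

With Michael's values the only names that should ever hit the recursor are slapd2.example.com and slapd3.example.com; a query for `/usr/local/openldap/var/run/ldapi.example.com` is the signature of the path being resolved as a host.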
Multiple mount autofs/sssd
by Jonathan Del Campo
Hello,
I am looking for a solution to mount two different NFS exports on a same
mountpoint in order to have this kind of configuration
server1:/path on /s/work
server2:/path on /s/work
/s/work :
- fileA_server1
- fileB_server1
- fileA_server2
- fileB_server2
The /s/work mountpoint is provided by autofs/sssd and the map is on an LDAP
autofs OU.
I have tried many solutions, but I want to avoid the symlink to another
mounted directory solution.
Can anyone help ?
thanks,
J
7 years, 4 months
sssd-13.4 can't login
by Longina Przybyszewska
Hi,
Can you help me with a problem I have been struggling with for quite a while, which appeared after the upgrade to sssd-13.4 (Ubuntu Xenial):
The user cannot log in;
The home directory (NFS), secured with Kerberos, is mounted with proper idmapping, but the user is refused login to the desktop (lightdm).
SSH login is possible, but access to the home directory is denied with "permission denied".
This is setup with:
..
id_provider=ad
use_fully_qualified_names = true
ldap_id_mapping = false
..
In the krb5_child.log I can see suspicious sequence about "krb5_cc_cache_match failed";
Output from the log:
--
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.933479: Sending request (8186 bytes) to ADM.C.DOMAIN (tcp only)
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.934588: Resolving hostname host0a.adm.c.domain.
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.936998: Initiating TCP connection to stream 10.144.5.5:88
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.938147: Sending TCP request to stream 10.144.5.5:88
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.946674: Received answer (8380 bytes) from stream 10.144.5.5:88
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.946720: Terminating TCP connection to stream 10.144.5.5:88
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948199: Response was not from master KDC
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948264: Decoding FAST response
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948342: FAST reply key: rc4-hmac/12E4
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948366: TGS reply is for user(a)NAT.C.SDU.DK -> host/lnx-adm557.a.c.domain(a)A.C.DOMAIN with session key aes256-cts/31E4
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948401: TGS request result: 0/Success
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948407: Received creds for desired service host/lnx-adm557.a.c.domain(a)A.C.DOMAIN
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948416: Storing user(a)N.C.DOMAIN -> host/lnx-adm557.a.c.domain(a)A.C.DOMAIN in MEMORY:gNruZJ9
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948440: Creating authenticator for user(a)N.C.DOMAIN -> host/lnx-adm557.a.c.domain(a)A.C.DOMAIN, seqnum 0, subkey (null), session key aes256-cts/31E4
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948500: Retrieving host/lnx-adm557.a.c.domain(a)A.C.DOMAIN from MEMORY:/etc/krb5.keytab (vno 6, enctype aes256-cts) with result: 0/Success
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948585: Decrypted AP-REQ with specified server principal host/lnx-adm557.a.c.domain(a)A.C.DOMAIN: aes256-cts/DDBF
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948594: AP-REQ ticket: user(a)N.C.DOMAIN -> host/lnx-adm557.a.c.domain(a)A.C.DOMAIN, session key aes256-cts/31E4
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948813: Negotiated enctype based on authenticator: aes256-cts
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948828: Initializing MEMORY:rd_req2 with default princ user(a)N.C.DOMAIN
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948837: Storing user(a)N.C.DOMAIN -> host/lnx-adm557.a.c.domain(a)A.C.DOMAIN in MEMORY:rd_req2
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948849: Destroying ccache MEMORY:gNruZJ9
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [validate_tgt] (0x0400): TGT verified using key for [host/lnx-adm557.a.c.domain(a)A.C.DOMAIN].
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948876: Retrieving user(a)N.C.DOMAIN -> host/lnx-adm557.a.c.domain(a)A.C.DOMAIN from MEMORY:rd_req2 with result: 0/Success
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.948967: Retrieving LNX-ADM557$(a)A.C.DOMAIN from MEMORY:/etc/krb5.keytab (vno 6, enctype aes256-cts) with result: 0/Success
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [user\@N.C.DOMAIN(a)A.C.DOMAIN] might not be correct.
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_child_krb5_trace_cb] (0x4000): [3331] 1477404875.949031: Destroying ccache MEMORY:rd_req2
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/tmp/krb5cc_10002_XXXXXX]
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal user(a)N.C.DOMAIN in cache collection]
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [create_ccache] (0x4000): Initializing ccache of type [FILE]
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [create_ccache] (0x4000): returning: 0
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [switch_creds] (0x0200): Switch user to [10002][30000000].
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [switch_creds] (0x0200): Already user [10002].
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [k5c_send_data] (0x0200): Received error code 0
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [pack_response_packet] (0x2000): response packet size: [138]
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [k5c_send_data] (0x4000): Response sent.
(Tue Oct 25 16:14:35 2016) [[sssd[krb5_child[3331]]]] [main] (0x0400): krb5_child completed successfully
--
ls -l /tmp/krb5cc_10002_gIeneD
-rw------- 1 user(a)n.c.domain lnx-primary(a)a.c.domain 16482 Oct 25 16:14 /tmp/krb5cc_10002_gIeneD
klist -c /tmp/krb5cc_10002_gIeneD
Ticket cache: FILE:/tmp/krb5cc_10002_gIeneD
Default principal: user(a)N.C.DOMAIN
Valid starting Expires Service principal
10/25/2016 16:14:35 10/26/2016 02:14:35 krbtgt/N.C.DOMAIN(a)N.C.DOMAIN
renew until 10/26/2016 02:14:35
10/25/2016 16:14:36 10/26/2016 02:14:35 krbtgt/C.SDU.DK(a)N.C.DOMAIN
renew until 10/26/2016 02:14:35
10/25/2016 16:14:36 10/26/2016 02:14:35 nfs/adm-lnx-nfs0a.a.c.domain@
renew until 10/26/2016 02:14:35
10/25/2016 16:14:36 10/26/2016 02:14:35 nfs/adm-lnx-nfs0a.a.c.domain(a)A.C.DOMAIN
renew until 10/26/2016 02:14:35
Best,
Longina
7 years, 4 months