Need help with debugging curious SSSD/LDAP problem that only affects certain users.
by Mark London
Hi all - Sorry to bother you with this problem that I've been working
all day to fix. I've been using SSSD on Redhat for many years, using
LDAP to authenticate against a Windows domain. With a new server with Redhat 7,
I'm seeing intermittent login failures for only a small set of users.
There is nothing I can find common to these user accounts. The
failures happen 24 hours a day (it's authentication for an IMAP mail
server, so logins occur constantly). I've flushed all the SSSD caching
files and started from scratch, and that did not help. I turned on
SSSD debugging, and here's an example that shows LDAP authentication
failing for a user, but only a short while afterwards, it works. I
googled the LDAP error message, and could only find it for people who
were always constantly unable to authenticate, not an
intermittent problem like mine.
Any recommendations for other ways to debug this problem (domain server
LDAP logging?) would be appreciated. If this is not the proper forum
to ask this question, please advise me on a better place to post it
(besides stackoverflow, which I'll do as a last resort). My sssd.conf
file appears after these log entries.
--------------------------------------------------------------------------------
(Thu Aug 17 21:01:30 2017) [sssd[be[PSFC]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
[ldaps://psfcd.psfc.mit.edu:636/??base] with fd[24].
(Thu Aug 17 21:01:30 2017) [sssd[be[PSFC]]] [fo_set_port_status]
(0x0100): Marking port 636 of server 'psfcd.psfc.mit.edu' as 'working'
(Thu Aug 17 21:01:30 2017) [sssd[be[PSFC]]] [set_server_common_status]
(0x0100): Marking server 'psfcd.psfc.mit.edu' as 'working'
(Thu Aug 17 21:01:30 2017) [sssd[be[PSFC]]] [fo_set_port_status]
(0x0400): Marking port 636 of duplicate server 'psfc.psfc.mit.edu' as
'working'
(Thu Aug 17 21:01:30 2017) [sssd[be[PSFC]]] [simple_bind_send] (0x0100):
Executing simple bind as: CN=Smith\, John,OU=Smith Group,OU=PSFC
Users,DC=psfc,DC=mit,DC=edu
(Thu Aug 17 21:01:30 2017) [sssd[be[PSFC]]] [simple_bind_done] (0x1000):
Server returned no controls.
(Thu Aug 17 21:01:30 2017) [sssd[be[PSFC]]] [simple_bind_done] (0x0400):
Bind result: Invalid credentials(49), 80090308: LdapErr: DSID-0C09042F,
comment: AcceptSecurityContext error, data 52e, v2580
(Thu Aug 17 21:02:16 2017) [sssd[be[PSFC]]] [fo_set_port_status]
(0x0400): Marking port 636 of duplicate server 'psfcd.psfc.mit.edu' as
'working'
(Thu Aug 17 21:02:16 2017) [sssd[be[PSFC]]] [simple_bind_send] (0x0100):
Executing simple bind as: CN=Smith\, John,OU=Smith Group,OU=PSFC
Users,DC=psfc,DC=mit,DC=edu
(Thu Aug 17 21:02:16 2017) [sssd[be[PSFC]]] [simple_bind_done] (0x1000):
Server returned no controls.
(Thu Aug 17 21:02:16 2017) [sssd[be[PSFC]]] [simple_bind_done] (0x0400):
Bind result: Success(0), no errmsg set
--------------------------------------------------------------------------------
I tried increasing the SSSD debugging level, without anything
interesting appearing. If it would help, though, I'll post it, with
all the complete lines.
I should add that I have Windows password account locking disabled. I've
attached my sssd.conf file below. I am aware that sssd can authenticate
directly to AD. However, the domain server and mail server are on
separate networks, and I have no idea if ports can be opened on the
firewall to allow this to happen. Opening up the LDAP port on the
firewall seemed to be the obviously easier choice. Thanks very much!
- Mark
--------------------------------------------------------------------------------
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = PSFC
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 0
; entry_cache_timeout = 600
; entry_cache_nowait_timeout = 300
[pam]
reconnection_retries = 3
debug_level = 0
[domain/PSFC]
description = LDAP domain with AD server
enumerate = false
min_id = 501
cache_credentials = false
debug_level = 7
ldap_purge_cache_timeout = 0
ldap_enumeration_refresh_timeout = 300
ldap_referrals = false
id_provider = ldap
chpass_provider = none
auth_provider = ldap
ldap_tls_reqcert = allow
ldap_uri = ldaps://psfcd1.psfc.mit.edu,ldaps://psfcd2.psfc.mit.edu,ldaps://psfcd3.ps...
ldap_schema = rfc2307bis
ldap_search_base = dc=psfc,dc=mit,dc=edu
ldap_user_search_base = dc=psfc,dc=mit,dc=edu
ldap_group_search_base = dc=psfc,dc=mit,dc=edu
ldap_default_bind_dn = CN=ADldapreadonly,OU=Computer Group,OU=PSFC Users,DC=psfc,DC=mit,DC=edu
ldap_default_authtok_type = password
ldap_default_authtok = MY_PASSWORD
ldap_user_object_class = person
ldap_user_name = sAMAccountName
ldap_user_uid_number = msSFU30UidNumber
ldap_user_gid_number = msSFU30GidNumber
ldap_user_home_directory = msSFU30HomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_member = msSFU30PosixMember
ldap_user_member_of = msSFU30PosixMemberOf
ldap_group_name = name
ldap_group_gid_number = msSFU30GidNumber
ldap_force_upper_case_realm = True
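As an added example (not code from the post or from the SSSD project), here is a small Python parser for the sssd_<domain>.log entries quoted above: it re-joins entries that were wrapped across lines, tags each "Bind result" with the bind DN and the server the connection was opened to, and flags DNs that both fail and succeed, which is the intermittent pattern the post describes. The sample log is constructed from the post's own entries.

```python
import re  # added example, not code from the post; parses the sssd_<domain>.log format shown above
START_RE = re.compile(r"^\([A-Z][a-z]{2} [A-Z][a-z]{2} +\d")  # "(Thu Aug 17 ..." starts an entry
ENTRY_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[[^\]]+\]\]\] \[[^\]]+\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
CONN_RE = re.compile(r"New LDAP connection to \[ldaps?://(?P<host>[^:/\]]+)")
BIND_RE = re.compile(r"Executing simple bind as: (?P<dn>.+)")
RESULT_RE = re.compile(r"Bind result: [^(]+\((?P<code>\d+)\)(?P<rest>.*)")
AD_DATA_RE = re.compile(r"\bdata (?P<data>[0-9a-fA-F]+)\b")  # AD sub-code such as 52e

def join_wrapped(text):
    """A line that does not start with a timestamp continues the previous (wrapped) entry."""
    entries = []
    for line in text.strip().splitlines():
        if START_RE.match(line) or not entries:
            entries.append(line.rstrip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def parse_bind_events(text):
    """One dict per 'Bind result' entry, tagged with the server and bind DN seen before it."""
    server, dn, events = None, None, []
    for m in filter(None, map(ENTRY_RE.match, join_wrapped(text))):
        msg = m.group("msg")
        c, b, r = CONN_RE.search(msg), BIND_RE.match(msg), RESULT_RE.match(msg)
        if c:
            server = c.group("host")  # the connection is reused until a new one is opened
        elif b:
            dn = b.group("dn")
        elif r:
            ad = AD_DATA_RE.search(r.group("rest"))
            events.append({"ts": m.group("ts"), "server": server, "dn": dn,
                           "code": int(r.group("code")), "ad_data": ad.group("data") if ad else None})
    return events

def summarize(events):
    """Per DN: ok/fail counts, servers and AD sub-codes; ok and fail both > 0 is the intermittent case."""
    by_dn = {}
    for e in events:
        s = by_dn.setdefault(e["dn"], {"ok": 0, "fail": 0, "servers": set(), "ad_data": set()})
        s["ok" if e["code"] == 0 else "fail"] += 1
        s["servers"].add(e["server"])
        s["ad_data"].update({e["ad_data"]} - {None})
    return {dn: dict(v, intermittent=v["ok"] > 0 and v["fail"] > 0) for dn, v in by_dn.items()}

# Constructed sample: the post's entries, keeping the line wrapping of the post.
SAMPLE_LOG = r"""
(Thu Aug 17 21:01:30 2017) [sssd[be[PSFC]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldaps://psfcd.psfc.mit.edu:636/??base] with fd[24].
(Thu Aug 17 21:01:30 2017) [sssd[be[PSFC]]] [fo_set_port_status]
(0x0100): Marking port 636 of server 'psfcd.psfc.mit.edu' as 'working'
(Thu Aug 17 21:01:30 2017) [sssd[be[PSFC]]] [simple_bind_send] (0x0100): Executing simple bind as: CN=Smith\, John,OU=Smith Group,OU=PSFC
Users,DC=psfc,DC=mit,DC=edu
(Thu Aug 17 21:01:30 2017) [sssd[be[PSFC]]] [simple_bind_done] (0x0400): Bind result: Invalid credentials(49), 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
(Thu Aug 17 21:02:16 2017) [sssd[be[PSFC]]] [simple_bind_send] (0x0100): Executing simple bind as: CN=Smith\, John,OU=Smith Group,OU=PSFC Users,DC=psfc,DC=mit,DC=edu
(Thu Aug 17 21:02:16 2017) [sssd[be[PSFC]]] [simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
"""
```

Run `summarize(parse_bind_events(open("/var/log/sssd/sssd_PSFC.log").read()))` over a day of logs to see which DNs flip between 52e and success and whether a particular server is involved.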
Re: SSSD user mailing list: Unable to login to my kerberos realm
by Lukas Slebodnik
On (17/08/17 12:38), Louis Garcia wrote:
>Sorry to mail you directly but I think the sssd user mailing list is not
>accepting my emails. I replied twice to this thread yesterday and both
>bounced.
>
I have no idea why you have problems sending mails there.
>These are the logs you wanted. Let me know how you want to proceed.
>
>#cat /etc/sssd/sssd.conf
>[sssd]
>domains = files
>services = nss, pam
>
>[pam]
>debug_level = 9
>
>[domain/files]
>id_provider = files
>auth_provider = krb5
>debug_level = 9
>
>krb5_server = panther.montclaire.local
>krb5_realm = MONTCLAIRE.LOCAL
>
You might also set
krb5_store_password_if_offline = True
cache_credentials = True
so the hash of the password will be cached and you would be able to authenticate
offline. And the first option is for "automatic kinit" when you move from offline
to online mode. But both options are unrelated.
>#pgrep -af sssd
>667 /usr/sbin/sssd -i -f
>681 /usr/libexec/sssd/sssd_be --domain files --uid 0 --gid 0
>--debug-to-files
>722 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
>723 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
That output is expected.
Unfortunately, I cannot see any attempt for authentication in log files.
sh$ zgrep -E "dp_pam|command:" sssd_files.log.v2.gz
(Wed Aug 16 20:25:36 2017) [sssd[be[files]]] [dp_pam_handler] (0x0100): Got request with the following data
(Wed Aug 16 20:25:36 2017) [sssd[be[files]]] [pam_print_data] (0x0100): command: SSS_PAM_CLOSE_SESSION
(Wed Aug 16 20:25:36 2017) [sssd[be[files]]] [dp_pam_reply] (0x1000): DP Request [PAM Close Session]: Sending result [0][files]
(Wed Aug 16 20:25:36 2017) [sssd[be[files]]] [dp_pam_handler] (0x0100): Got request with the following data
(Wed Aug 16 20:25:36 2017) [sssd[be[files]]] [pam_print_data] (0x0100): command: SSS_PAM_CLOSE_SESSION
(Wed Aug 16 20:25:36 2017) [sssd[be[files]]] [dp_pam_reply] (0x1000): DP Request [PAM Close Session]: Sending result [0][files]
(Wed Aug 16 20:26:09 2017) [sssd[be[files]]] [dp_pam_handler] (0x0100): Got request with the following data
(Wed Aug 16 20:26:09 2017) [sssd[be[files]]] [pam_print_data] (0x0100): command: SSS_PAM_OPEN_SESSION
(Wed Aug 16 20:26:09 2017) [sssd[be[files]]] [dp_pam_reply] (0x1000): DP Request [PAM Open Session]: Sending result [0][files]
(Wed Aug 16 20:26:09 2017) [sssd[be[files]]] [dp_pam_handler] (0x0100): Got request with the following data
(Wed Aug 16 20:26:09 2017) [sssd[be[files]]] [pam_print_data] (0x0100): command: SSS_PAM_OPEN_SESSION
(Wed Aug 16 20:26:09 2017) [sssd[be[files]]] [dp_pam_reply] (0x1000): DP Request [PAM Open Session]: Sending result [0][files]
(Wed Aug 16 20:26:39 2017) [sssd[be[files]]] [dp_pam_handler] (0x0100): Got request with the following data
(Wed Aug 16 20:26:39 2017) [sssd[be[files]]] [pam_print_data] (0x0100): command: SSS_PAM_OPEN_SESSION
(Wed Aug 16 20:26:39 2017) [sssd[be[files]]] [dp_pam_reply] (0x1000): DP Request [PAM Open Session]: Sending result [0][files]
(Wed Aug 16 20:26:39 2017) [sssd[be[files]]] [dp_pam_handler] (0x0100): Got request with the following data
(Wed Aug 16 20:26:39 2017) [sssd[be[files]]] [pam_print_data] (0x0100): command: SSS_PAM_OPEN_SESSION
(Wed Aug 16 20:26:39 2017) [sssd[be[files]]] [dp_pam_reply] (0x1000): DP Request [PAM Open Session]: Sending result [0][files]
How do you test? ssh/su/tty ?
Are /etc/pam.d/system-auth /etc/pam.d/password-auth the same?
I expected the related part of the journal which would match ssh or su (PAM-related
parts), because we have sssd logs for sssd troubleshooting :-)
Adding sssd-users back to CC.
LS
Limiting which subdomains are chased in 1.13.4?
by Omen Wild
I have an sssd install on Ubuntu 16.04 (1.13.4-1ubuntu1.6) and one of the
subdomains in the forest is having issues (cannot be contacted from my
host), which is causing an `ls' in a directory to take a minute after all
the timeouts. The 'cannot contact' seems to get cached for 60 seconds,
because immediate ls's are quick, but a minute later they go back to slow.
Is there any way to limit which subdomains sssd can, or cannot,
contact? We have a split config, where the computers are in one
subdomain, and the users in a child subdomain, so I cannot just set
"subdomains_provider = none"; though that did solve the slow directory
lookups, it killed my ability to log in with users from the domain.
Thanks,
Omen
--
Omen Wild
Systems Administrator
Metro Cluster
Unable to login to my kerberos realm
by Louis Garcia
I've set up a KDC server and I'm able to kinit from my client and get a
ticket for ssh, nfs. I am having trouble setting up sssd so I can skip
kinit. I only set up a Kerberos server; do I also need an LDAP server?
This is how I configured PAM: #authconfig --enablesssd --enablesssdauth --enablekrb5 --update
I'm sure not one line of my sssd.conf file is right.
[sssd]
services = nss, pam
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
[nss]
filter_groups = root
filter_users = root
[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
[domain/kerberos]
id_provider = proxy
proxy_lib_name = false
auth_provider = krb5
chpass_provider = krb5
krb5_realm = MONTCLAIRE.LOCAL
krb5_server = panther.montclaire.local
cache_credentials = True
krb5_store_password_if_offline = True
realm join taking more than 5 minutes - waiting on password which was already entered
by smfrench@gmail.com
In a few cases recently (again yesterday), we noticed RHEL7.3's "realm join" taking more than 5
minutes (which timed out in our CLI, and running realm directly worked but took ~6 minutes when
it normally would take a few seconds). As you can see from the verbose output below, the
two longest stretches (greater than 2 minutes each!) were waiting between launching
"net ads join" and piping the password in (and similarly "net ads keytab
create" had a long delay between starting the command and giving it the password).
Looking at realmd service/realm-samba-enroll.c, e.g. begin_net_process() calling out to
realm_command_runv_async, it was not obvious why there should be any delay between the
launch of the net command and the passing of the password (I did see one report of "net
ads keytab create" hanging if the keytab already existed, but that is not the same
problem as this). Any idea how/why there are such long delays between launching net and inputting
the password in realmd's async code? > 5 minutes is a long time to do something that
usually completes in 10 seconds.
2017-08-01 19:54:09 realmd[14197]: * Performing LDAP DSE lookup on: ...
2017-08-01 19:54:09 realmd[14197]: * Successfully discovered ...
2017-08-01 19:54:10 realmd[14197]: * Required files: /usr/sbin/oddjobd,
/usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
2017-08-01 19:54:10 realmd[14197]: * Joining using a manual netbios name: ....
2017-08-01 19:54:10 realmd[14197]: * LANG=C LOGNAME=root /usr/bin/net -s
/var/cache/realmd/realmd-smb-conf.0DFU4Y -U <username> ads join <domain>
2017-08-01 19:56:42 realmd[14197]: Enter <username's> password:
2017-08-01 19:56:42 realmd[14197]: Using short domain name -- <short name>
2017-08-01 19:56:42 realmd[14197]: Joined ... to dns domain ...
2017-08-01 19:56:42 realmd[14197]: * LANG=C LOGNAME=root /usr/bin/net -s
/var/cache/realmd/realmd-smb-conf.0DFU4Y -U <username> ads keytab create
2017-08-01 19:59:33 realmd[14197]: Enter <username's> password:
Any ideas why realmd's async processing (basically passing the password to
the underlying "net ads join" etc.) is doing this?
test if machine is already joined?
by Eugene Vilensky
Hello,
Apologies for the naivete of this question. How can I test if a machine
already has a successful relationship with Active Directory?
Context: I want to set an ansible fact if it is in fact joined and, if not,
execute adcli to join.
Thank you!
-Eugene
SSSD Packet Capture Samples
by Tom Peterson
Hi All,
First off thank you for all the hard work put into SSSD! It's been a great
piece of software to work with and seems like it has a configuration
setting for just about anything that can be thrown at it!
We use SSSD at work and I've helped troubleshoot a few instances of
authenticating against an external LDAP server. I set up a little lab to
collect captures of some different config settings. My initial set is
around different TLS scenarios:
https://support.cloudshark.org/kb/sssd-activedirectory-captures.html
All of the raw capture files can be downloaded after opening them by going
to 'Export -> Download File'.
I'll be adding to this and have a few more scenarios in mind I want to
explore. If anyone has any feedback or suggestions on things they would
like to see, please let me know! I'm hoping someone finds this little
contribution of captures useful.
And once again, thank you for all the work put into SSSD!
-Tom
AD parent child issues
by Tristan Bouillon
Hi
I have this case I'm working on and it's driving me crazy. I'm trying to
set up something like this:
AD setup is like this, with a bi-directional trust:
- example.com
\-- child.example.com
Users are registered in example.com => user1@example.com
Computers are registered in child.example.com => server1@child.example.com
I want to connect with user1 to server1 with ssh and sssd.
Before any debug process I want to make sure this is possible, because
I'm running in circles.
When setting up sssd and krb5 confs with child.example.com:
-- sssd nss says: example.com is created as a subdomain of child.example.com
-- but the AD backend is online for child.example.com and I can query it
-- the query for user1@example.com works great, but the AD server in
child.example.com does not know the user and can't query his master AD
server.
When setting up sssd and krb5 confs with example.com:
-- it attempts kinit with host/server1.child.example.com and fails
to get a TGT. AD is set to offline and it cannot query it.
When trying to mix up these solutions I find something similar to the
cases above.
If it is possible, can someone point me towards the configuration I'm
supposed to make?
Don't know if it's the place, but GG for the debugging options provided
with SSSD; it is clear and powerful.
Clarification: Short name input format with SSSD
by Lachlan Musicman
With relation to SSSD 1.15.3's
[RFE] Short name input format with SSSD for users from all domains when
domain autodiscovery is used or when SSSD acts as an IPA client for server
with IPA-AD trusts
https://pagure.io/SSSD/sssd/issue/3001
I read this to mean that in my
unix.domain.com domain managed by IPA, with a one way trust into AD at
domain.com
I can now login with:
ssh lsimpson@server.unix.domain.com
instead of what I currently do with
ssh lsimpson@domain.com@server.unix.domain.com
(and my /etc/sssd/sssd.conf has
[sssd]
domains = unix.domain.com
)
Am I reading that correctly, or do I have it wrong?
Is there any config that needs to happen to implement this? Do I need to
remove the domains= from sssd.conf?
Cheers
L.
------
"The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics
is the insistence that we cannot ignore the truth, nor should we panic
about it. It is a shared consciousness that our institutions have failed
and our ecosystem is collapsing, yet we are still here — and we are
creative agents who can shape our destinies. Apocalyptic civics is the
conviction that the only way out is through, and the only way through is
together. "
*Greg Bloom* @greggish
https://twitter.com/greggish/status/873177525903609857
gpupdate?
by Mote, Todd
Is there a facility in SSSD to perform a group policy update and application without requiring a login, like the Windows gpupdate.exe command line tool? An example scenario I'm thinking about is a change in an Access Control GPO. The administrator of the system, as root, either invalidates the SSSD cache or removes it completely. If the admin wanted group policy to get downloaded and cached immediately, is there a way to do that, or is login the only trigger for that action?
Todd