Multiple GPOs and order processing issue
by Max DiOrio
Hi!
So it seems that I’m having an issue with GPO processing. I have an OU (Servers/Infrastructure) that contains a few servers. In this OU, I have a few GPOs applied.
One is “generic” and should apply to every server in this OU - it allows Remote Interactive Login and Logon Locally to Domain Admins.
I also have a GPO that applies to a specific server in this OU that grants access to a service account to log on to terminal services and log on as a service. For this GPO, I have a security filter to the specific computer object it is supposed to apply to - and I think this is the root of my issue.
The GPOs are listed:
1) Infrastructure servers Access Control (that should apply to them all)
2) Single Computer policy for service account
When looking at the sssd_domain logs, I can see that it’s processing both GPOs, but only adding the account from policy 2 to the ad_gpo_access_check, meaning domain admins can’t log in to either server; only the service account can, to both of them.
So we have multiple issues:
1) It’s not combining the GPO access policies, but only taking the last one found
2) It’s not abiding by the Security Filtering on the GPO
So in my case - how would I go about making this work? Would I need a separate GPO for each server I want to apply individual rights to and explicitly include the domain admins group in it, then using delegation allow the single computer read and deny read of every other computer?
Seems like this also means you can’t do GPO inheritance if it only takes the last found GPO and ignores the settings configured in previous GPOs it checked.
Any ideas?
Thanks!
Max
one user can't be looked up
by Peter Moody
this is admittedly low priority since this is all just a test network
at this point, but we're looking to deploy sssd at work so I'd like to
make sure all the kinks I know about are well understood/fixed
I have an openldap install with the following users (pmoody, peter)
with uidNumbers (1001, 1002) respectively.
sssd works for both users from freebsd 11.2 prerelease (sssd-1.11.7_11,
whew, that's old).
sssd works for pmoody from debian stretch (1.15.0-3). it does *not*
work for the user peter.
this is what happens for the user peter.
pmoody@deb:~$ sudo sss_cache -E
pmoody@deb:~$ getent passwd pmoody
pmoody:*:1001:500:Peter Moody:/home/pmoody:/bin/bash
pmoody@deb:~$ getent passwd peter
pmoody:*:1001:500:Peter Moody:/home/pmoody:/bin/bash
pmoody@deb:~$
I've tried version 1.16.1-1, same results.
These are the ldap entries for the aforementioned users:
# peter, people, x.com
dn: uid=peter,ou=people,dc=x,dc=com
cn: peter
givenName: peter
sn: moody
uid: peter
uidNumber: 1002
homeDirectory: /home/peter
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
gidNumber: 500
loginShell: /usr/local/bin/fish
# pmoody, people, x.com
dn: uid=pmoody,ou=people,dc=x,dc=com
cn: Peter Moody
givenName: Peter
sn: Moody
uid: pmoody
uidNumber: 1001
homeDirectory: /home/pmoody
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
loginShell: /usr/local/bin/fish
gidNumber: 500
on the debian box that exhibits this error, I see the following in the logs:
(Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]] [ldb] (0x4000): cancel ldb transaction (nesting: 2)
(Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]] [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such object](32)[ldb_wait from ldb_modify with LDB_WAIT_ALL: No such object (32)]
(Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]] [sysdb_set_cache_entry_attr] (0x0400): No such entry
(Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]] [sysdb_set_entry_attr] (0x0080): Cannot set attrs for name=peter(a)x.com,cn=users,cn=x.com,cn=sysdb, 2 [No such file or directory]
(Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]] [sysdb_store_user] (0x0040): Cache update failed: 2
(Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]] [ldb] (0x4000): cancel ldb transaction (nesting: 1)
(Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]] [sysdb_store_user] (0x0400): Error: 2 (No such file or directory)
(Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]] [sdap_save_user] (0x0020): Failed to save user [peter(a)x.com]
(Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
it kind of looks like what was reported here:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
but I don't see a resolution to that report.
any suggestions on what I can do to fix this? logs/configs I can
provide to help isolate the problem?
Cheers,
peter
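A small cross-check for the symptom described in this thread (a lookup by one login name returning another user's record), added here as an example and not part of the original post. It parses an LDIF dump of the directory's posixAccount entries, looks each name up through NSS, and flags any record whose pw_name or uid differs from what the directory says. The LDIF and the canned lookup results are constructed to mirror the post; `getent_lookup()` is the hypothetical real-host hook that shells out to `getent passwd`.

```python
"""Cross-check NSS (sssd) lookups against the LDAP entries they should mirror."""
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# Constructed LDIF, shaped after the two entries in the post.
SAMPLE_LDIF = """\
dn: uid=peter,ou=people,dc=x,dc=com
uid: peter
uidNumber: 1002
gidNumber: 500
homeDirectory: /home/peter
objectClass: posixAccount
objectClass: inetOrgPerson

dn: uid=pmoody,ou=people,dc=x,dc=com
uid: pmoody
uidNumber: 1001
gidNumber: 500
homeDirectory: /home/pmoody
objectClass: posixAccount
objectClass: inetOrgPerson
"""

# Constructed stand-in for `getent passwd <name>` on the affected Debian box:
# both names come back with pmoody's record, exactly as shown in the post.
SAMPLE_NSS: Dict[str, str] = {
    "pmoody": "pmoody:*:1001:500:Peter Moody:/home/pmoody:/bin/bash",
    "peter": "pmoody:*:1001:500:Peter Moody:/home/pmoody:/bin/bash",
}


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Parse a minimal LDIF dump into one attribute dict per entry.

    Handles blank-line-separated entries, '#' comment lines and the
    leading-space continuation lines LDIF uses for long values. For
    multi-valued attributes (objectClass) only the first value is kept,
    which is enough for the uid/uidNumber comparison done here.
    """
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_key: Optional[str] = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        current.setdefault(key, value)
        last_key = key
    if current:
        entries.append(current)
    return entries


def parse_passwd(line: str) -> Tuple[str, int]:
    """Return (pw_name, uid) from a passwd(5) line."""
    fields = line.strip().split(":")
    if len(fields) < 3:
        raise ValueError("not a passwd line: %r" % line)
    return fields[0], int(fields[2])


def getent_lookup(name: str) -> Optional[str]:
    """Real lookup through NSS; returns None when the name is unknown."""
    proc = subprocess.run(["getent", "passwd", name], capture_output=True, text=True)
    return proc.stdout.strip() or None


def find_mismatches(ldif_text: str, lookup: Callable[[str], Optional[str]]):
    """Look every posixAccount up by its uid (login name) and report any
    record whose returned name or numeric uid differs from the directory.
    Returns (requested_name, returned_name, expected_uid, returned_uid)
    tuples; returned_name/returned_uid are None when NSS found nothing."""
    problems = []
    for entry in parse_ldif(ldif_text):
        name = entry.get("uid")
        if not name or "uidNumber" not in entry:
            continue
        expected_uid = int(entry["uidNumber"])
        line = lookup(name)
        if line is None:
            problems.append((name, None, expected_uid, None))
            continue
        got_name, got_uid = parse_passwd(line)
        if got_name != name or got_uid != expected_uid:
            problems.append((name, got_name, expected_uid, got_uid))
    return problems


if __name__ == "__main__":
    # Swap SAMPLE_NSS.get for getent_lookup to run against a live sssd host.
    for name, got_name, want_uid, got_uid in find_mismatches(SAMPLE_LDIF, SAMPLE_NSS.get):
        print(f"{name}: directory uid {want_uid}, NSS returned {got_name!r} uid {got_uid}")
```

A non-empty result means NSS is mapping a login name onto a different identity, which is worth treating as an access-control fault rather than a cosmetic cache glitch.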
Announcing SSSD 1.16.2
by Jakub Hrozek
SSSD 1.16.2
===========
The SSSD team is proud to announce the release of version 1.16.2 of the
System Security Services Daemon.
The tarball can be downloaded from https://releases.pagure.org/SSSD/sssd/
RPM packages will be made available for Fedora shortly.
Feedback
--------
Please provide comments, bugs and other feedback via the sssd-devel or
sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Highlights
----------
New Features
^^^^^^^^^^^^
* The smart card authentication, or in more general certificate authentication
code now supports OpenSSL in addition to previously supported NSS (#3489).
In addition, the SSH responder can now return public SSH keys derived from
the public keys stored in a X.509 certificate. Please refer to the
``ssh_use_certificate_keys`` option in the man pages.
* The files provider now supports mirroring multiple passwd or group
files. This enhancement makes it possible to use the SSSD files provider instead
of the nss_altfiles module
Notable bug fixes
^^^^^^^^^^^^^^^^^
* A memory handling issue in the ``nss_ex`` interface was fixed. This bug
would manifest in IPA environments with a trusted AD domain as a crash of
the ns-slapd process, because a ``ns-slapd`` plugin loads the ``nss_ex``
interface (#3715)
* Several fixes for the KCM daemon were merged (see #3687, #3671, #3633)
* The ``ad_site`` override is now honored in GPO code as well (#3646)
* Several potential crashes in the NSS responder's netgroup code were fixed
(#3679, #3731)
* A potential crash in the autofs responder's code was fixed (#3752)
* The LDAP provider now supports group renaming (#2653)
* The GPO access control code no longer returns an error if one of the
relevant GPO rules contained no SIDs at all (#3680)
* A memory leak in the IPA provider related to resolving external AD
groups was fixed (#3719)
* Setups that used multiple domains where one of the domains had its ID
space limited using the ``min_id/max_id`` options did not resolve requests
by ID properly (#3728)
* Overriding IDs or names did not work correctly when the domain resolution
order was set as well (#3595)
* A version mismatch between certain newer Samba versions (e.g. those shipped
in RHEL-7.5) and the Winbind interface provided by SSSD was fixed. To further
prevent issues like this in the future, the correct interface is now detected
at build time (#3741)
* The files provider no longer returns a qualified name in case domain
resolution order is used (#3743)
* A race condition between evaluating IPA group memberships and AD group
memberships in setups with IPA-AD trusts that would have manifested as
randomly losing IPA group memberships assigned to an AD user was fixed
(#3744)
* Setting an SELinux login label was broken in setups where the domain
resolution order was used (#3740)
* An SSSD start-up issue on systems that use the libldb library with version
1.4.0 or newer was fixed.
Packaging Changes
-----------------
* Several new build requirements were added in order to support the OpenSSL
certificate authentication
Documentation Changes
---------------------
* The files provider gained two new configuration options ``passwd_files``
and ``group_files.`` These can be used to specify the additional files
to mirror.
* A new ``ssh_use_certificate_keys`` option toggles whether the SSH responder
would return public SSH keys derived from X.509 certificates.
* The ``local_negative_timeout`` option is now enabled by default. This
means that if SSSD fails to find a user in the configured domains,
but is then able to find the user with an NSS call such as getpwnam,
it would negatively cache the request for the duration of the
local_negative_timeout option.
Tickets Fixed
-------------
* `3752 <https://pagure.io/SSSD/sssd/issue/3752>`_ - /usr/libexec/sssd/sssd_autofs SIGABRT crash daily due to a double free
* `3749 <https://pagure.io/SSSD/sssd/issue/3749>`_ - [RFE] sssd.conf should mention the FILES provider as valid config value for the 'id_provider'
* `3748 <https://pagure.io/SSSD/sssd/issue/3748>`_ - home dir disappear in sssd cache on the IPA master for AD users
* `3744 <https://pagure.io/SSSD/sssd/issue/3744>`_ - Race condition between concurrent initgroups requests can cause one of them to return incomplete information
* `3743 <https://pagure.io/SSSD/sssd/issue/3743>`_ - Weirdness when using files provider and domain resolution order
* `3742 <https://pagure.io/SSSD/sssd/issue/3742>`_ - Change of: User may not run sudo --> a password is required
* `3741 <https://pagure.io/SSSD/sssd/issue/3741>`_ - Samba can not register sss idmap module because it's using an outdated SMB_IDMAP_INTERFACE_VERSION
* `3740 <https://pagure.io/SSSD/sssd/issue/3740>`_ - Utilizing domain_resolution_order in sssd.conf breaks SELinux user map
* `3733 <https://pagure.io/SSSD/sssd/issue/3733>`_ - sssd fails to download known_hosts from freeipa
* `3728 <https://pagure.io/SSSD/sssd/issue/3728>`_ - Request by ID outside the min_id/max_id limit of a first domain does not reach the second domain
* `3726 <https://pagure.io/SSSD/sssd/issue/3726>`_ - SSSD with ID provider 'ad' should give a warning in case the ldap schema is manually changed to something different than 'ad'.
* `3725 <https://pagure.io/SSSD/sssd/issue/3725>`_ - sssd not honoring dyndns_server if the DNS update process is terminated with a signal
* `3719 <https://pagure.io/SSSD/sssd/issue/3719>`_ - The SSSD IPA provider allocates information about external groups on a long lived memory context, causing memory growth of the sssd_be process
* `3715 <https://pagure.io/SSSD/sssd/issue/3715>`_ - ipa 389-ds-base crash in krb5-libs - k5_copy_etypes list out of bound?
* `3706 <https://pagure.io/SSSD/sssd/issue/3706>`_ - Hide debug message domain not found for well known sid
* `3694 <https://pagure.io/SSSD/sssd/issue/3694>`_ - externalUser sudo attribute must be fully-qualified
* `3684 <https://pagure.io/SSSD/sssd/issue/3684>`_ - A group is not updated if its member is removed with the cleanup task, but the group does not change
* `3680 <https://pagure.io/SSSD/sssd/issue/3680>`_ - GPO: SSSD fails to process GPOs If a rule is defined, but contains no SIDs
* `3679 <https://pagure.io/SSSD/sssd/issue/3679>`_ - Make nss netgroup requests more robust
* `3674 <https://pagure.io/SSSD/sssd/issue/3674>`_ - The tcurl module logs the payload
* `3671 <https://pagure.io/SSSD/sssd/issue/3671>`_ - KCM: Payload buffer is too small
* `3666 <https://pagure.io/SSSD/sssd/issue/3666>`_ - Fix usage of str.decode() in our tests
* `3664 <https://pagure.io/SSSD/sssd/issue/3664>`_ - LOGS: Improve debugging in case the PAM service is not mapped to any GPO rule
* `3660 <https://pagure.io/SSSD/sssd/issue/3660>`_ - confdb_expand_app_domains() always fails
* `3658 <https://pagure.io/SSSD/sssd/issue/3658>`_ - Application domain is not interpreted correctly
* `3656 <https://pagure.io/SSSD/sssd/issue/3656>`_ - PyErr_NewExceptionWithDoc configure check should not use cached results for different python versions
* `3646 <https://pagure.io/SSSD/sssd/issue/3646>`_ - SSSD's GPO code ignores ad_site option
* `3644 <https://pagure.io/SSSD/sssd/issue/3644>`_ - sss_groupshow no longer labels MPG groups
* `3634 <https://pagure.io/SSSD/sssd/issue/3634>`_ - sssctl COMMAND --help fails if sssd is not configured
* `3633 <https://pagure.io/SSSD/sssd/issue/3633>`_ - Reset the last_request_time when any activity happens on Secrets and KCM responders
* `3629 <https://pagure.io/SSSD/sssd/issue/3629>`_ - Implement sss_nss_getsidbyuid and sss_nss_etsidbygid for situations where customers define UID == GID
* `3619 <https://pagure.io/SSSD/sssd/issue/3619>`_ - Enable local_negative_timeout by default
* `3605 <https://pagure.io/SSSD/sssd/issue/3605>`_ - Fix pep8 issues on our python files.
* `3595 <https://pagure.io/SSSD/sssd/issue/3595>`_ - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set
* `3558 <https://pagure.io/SSSD/sssd/issue/3558>`_ - sudo: report error when two rules share cn
* `3550 <https://pagure.io/SSSD/sssd/issue/3550>`_ - refresh_expired_interval does not work with netgrous in 1.15
* `3520 <https://pagure.io/SSSD/sssd/issue/3520>`_ - Files provider supports only BE_FILTER_ENUM
* `3469 <https://pagure.io/SSSD/sssd/issue/3469>`_ - extend sss-certmap man page regarding priority processing
* `3436 <https://pagure.io/SSSD/sssd/issue/3436>`_ - Certificates used in unit tests have limited lifetime
* `3402 <https://pagure.io/SSSD/sssd/issue/3402>`_ - Support alternative sources for the files provider
* `3335 <https://pagure.io/SSSD/sssd/issue/3335>`_ - GPO retrieval doesn't work if SMB1 is disabled
* `2653 <https://pagure.io/SSSD/sssd/issue/2653>`_ - Group renaming issue when "id_provider = ldap" is set.
Detailed Changelog
------------------
* Fabiano Fidêncio (77):
* TESTS: Fix E501 pep8 issues on test_ldap.py
* TESTS: Fix E20[12] pep8 issues on python-test.py
* TESTS: Fix E501 pep8 issues on python-test.py
* TESTS: Fix E251 pep8 issues on python-test.py
* TESTS: Fix E231 pep8 issues on python-test.py
* TESTS: Fix E265 pep8 issues on python-test.py
* TESTS: Fix E128 pep8 issues on python-test.py
* TESTS: Fix E302 pep8 issues on python-test.py
* TESTS: Fix W391 pep8 issues on python-test.py
* TESTS: Fix E228 pep8 issues on python-test.py
* TESTS: Fix E261 pep8 issues on python-test.py
* TESTS: Fix E701 pep8 issues on python-test.py
* TESTS: Fix E305 pep8 issues on python-test.py
* TESTS: Fix E20[12] pep8 issues on pysss_murmur-test.py
* TESTS: Fix E211 pep8 issues on pysss_murmur-test.py
* TESTS: Fix E20[12] pep8 issues on pyhbac-test.py
* TESTS: Fix E261 pep8 issues on pyhbac-test.py
* TESTS: Fix W391 pep8 issues on pyhbac-test.py
* TESTS: Fix E501 pep8 issues on pyhbac-test.py
* TESTS: Fix E302 pep8 issues on pyhbac-test.py
* TESTS: Fix E305 pep8 issues on pyhbac-test.py
* TESTS: Fix E711 pep8 issues on sssd_group.py
* TESTS: Fix E305 pep8 issues on sssd_netgroup.py
* TESTS: Fix E501 pep8 issues on utils.py
* TESTS: Fix E305 pep8 issues on conf.py
* CONTRIB: Fix E501 pep8 issues on sssd_gdb_plugin.py
* CONTRIB: Fix E305 pep8 issues on sssd_gdb_plugin.py
* TESTS: Fix E302 pep8 issues on test_enumeration.py
* TESTS: FIX E501 pep8 issues on pysss_murmur-test.py
* CI: Enable pep8 check
* CI: Ignore E722 pep8 issues on debian machines
* TESTS: Fix E501 pep8 issues on test_netgroup.py
* NSS: Remove dead code
* CONFDB: Start a ldb transaction from sss_ldb_modify_permissive()
* TOOLS: Take into consideration app domains
* TESTS: Move get_call_output() to util.py
* TESTS: Make get_call_output() more flexible about the stderr log
* TESTS: Add a basic test of `sssctl domain-list`
* KCM: Use json_loadb() when dealing with sss_iobuf data
* KCM: Remove mem_ctx from kcm_new_req()
* KCM: Introduce kcm_input_get_payload_len()
* KCM: Do not use 2048 as fixed size for the payload
* KCM: Adjust REPLY_MAX to the one used in krb5
* KCM: Fix typo in ccdb_sec_delete_list_done()
* KCM: Only print the number of found items after we have it
* SERVER: Tone down shutdown messages for socket-activated responders
* MAN: Improve docs about GC detection
* NSS: Add InvalidateGroupById handler
* DP: Add dp_sbus_invalidate_group_memcache()
* ERRORS: Add ERR_GID_DUPLICATED
* SDAP: Add sdap_handle_id_collision_for_incomplete_groups()
* SDAP: Properly handle group id-collision when renaming incomplete groups
* SYSDB_OPS: Error out on id-collision when adding an incomplete group
* SECRETS: reset last_request_time on any activity
* KCM: reset last_request_time on any activity
* RESPONDER: Add sss_client_fd_handler()
* RESPONDER: Make use of sss_client_fd_handler()
* SECRETS: Make use of sss_client_fd_handler()
* KCM: Make use of sss_client_fd_handler()
* TESTS: Rename test_idle_timeout()
* TESTS: Add test for responder_idle_timeout
* TESTS: Fix typo in test_sysdb_domain_resolution_order_ops()
* SYSDB: Properly handle name/gid override when using domain resolution order
* TESTS: Increase test_resp_idle_timeout* timeout
* COVERITY: Add coverity support
* MAKE_SRPM: Add --output parameter
* Add .copr/Makefile
* CACHE_REQ: Don't force a fqname for files provider' output
* cache_req: Don't force a fqname for files provider output
* tests: Add a test for files provider + domain resolution order
* man: Users managed by the files provider don't have their output fully-qualified
* Revert "CACHE_REQ: Don't force a fqname for files provider' output"
* selinux_child: workaround fqnames when using DRO
* sudo_ldap: fix sudoHost=defaults -> cn=defaults in the filter
* Revert "sysdb custom: completely replace old object instead of merging it"
* sysdb_sudo: completely replace old object instead of merging it
* tlog: only log in tcurl_write_data when SSS_KCM_LOG_PRIVATE_DATA is set to YES
* Jakub Hrozek (33):
* Bumping the version to track 1.16.2 development
* IPA: Handle empty nisDomainName
* TESTS: Fix E266 pep8 issues on test_ldap.py
* TESTS: Fix E231 pep8 issues on test_session_recording.py
* TESTS: Fix E501 pep8 issues on test_session_recording.py
* TESTS: Fix E303 pep8 issues on test_ldap.py
* SYSDB: When marking an entry as expired, also set the originalModifyTimestamp to 1
* IPA: Qualify the externalUser sudo attribute
* NSS: Adjust netgroup setnetgrent cache lifetime if midpoint refresh is used
* TESTS: Add a test for the multiple files feature
* SDAP: Improve a DEBUG message about GC detection
* LDAP: Augment the sdap_opts structure with a data provider pointer
* TESTS: Add an integration test for renaming incomplete groups during initgroups
* SYSDB: sysdb_add_incomplete_group now returns EEXIST with a duplicate GID
* MAN: Document which principal does the AD provider use
* FILES: Do not overwrite and actually remove files_ctx.{pwd,grp}_watch
* FILES: Reduce code duplication
* FILES: Reset the domain status back even on errors
* FILES: Skip files that are not created yet
* FILES: Only send the request for update if the files domain is inconsistent
* DYNDNS: Move the retry logic into a separate function
* DYNDNS: Retry also on timeouts
* AD: Warn if the LDAP schema is overridden with the AD provider
* SYSDB: Only check non-POSIX groups for GID conflicts
* Do not keep allocating external groups on a long-lived context
* CACHE_REQ: Do not fail the domain locator plugin if ID outside the domain range is looked up
* MAN: Fix the title of the session recording man page
* DP/LDAP: Only increase the initgrTimestamp when the full initgroups DP request finishes
* LDAP: Do not use signal-unsafe calls in ldap_child SIGTERM handler
* AUTOFS: remove timed event if related object is removed
* RESPONDERS: Enable the local negative timeout by default
* LDAP: Suppress a loud debug message in case a built-in SID can't be resolved
* Updating the translations for the 1.16.2 release
* Justin Stephenson (3):
* DEBUG: Print simple allow and deny lists
* CONFDB: Add passwd_files and group_files options
* FILES: Handle files provider sources
* Lukas Slebodnik (21):
* CI: Add dbus into debian dependencies
* intg: convert results returned as bytes to strings
* SYSDB: Remove unused parameter from sysdb_cache_connect_helper
* SPEC: Add gcc to build dependencies
* UTIL: Use alternative way for detecting PyErr_NewExceptionWithDoc
* CONFIGURE: drop unused check
* SYSDB: Return ENOENT for mpg with local provider
* sysdb-tests: sysdb_search_group_by_name with local provider
* selinux_child: Allow to query sssd
* selinux_child: Fix crash with initialized key
* BUILD: Remove unnecessary flags from test_ipa_dn
* BUILD: Remove ldap libraries from SSSD_LIBS
* BUILD: Remove ldap libraries from TOOL_LIBS
* BUILD: Remove pcre libs from common _LIBS
* BUILD: Remove pcre from krb5_child
* BUILD: Remove libcollection form common libs
* BUILD: Reduce dependencies of sss_signal
* BUILD: Remove cares from sssd_secrets
* BUILD: Remove libini_config from common libs
* MONITOR: Do not use two configuration databases
* CI: Prepare for python3 -> python
* Michal Židek (6):
* AD: Missing header in ad_access.h
* GPO: Add ad_options to ad_gpo_process_som_state
* GPO: Use AD site override if set
* GPO: Fix bug with empty GPO rules
* GPO: DEBUG msg when GP to PAM mappings overlap
* GPO: Debugging default PAM service mapping
* Pavel Březina (3):
* sudo ldap: do not store rules without sudoHost attribute
* sysdb custom: completely replace old object instead of merging it
* sssctl: move check for version error to correct place
* Richard Sharpe (1):
* nss-imap: add sss_nss_getsidbyuid() and sss_nss_getsidbygid()
* Sumit Bose (38):
* intg: enhance netgroups test
* TESTS: simple CA to generate certificates for test
* TESTS: replace hardcoded certificates
* TESTS: remove NSS test databases
* test_ca: add empty index.txt.attr file
* nss: initialize nss_enum_index in nss_setnetgrent()
* nss: add a netgroup counter to struct nss_enum_index
* nss-idmap: do not set a limit
* nss-idmap: use right group list pointer after sss_get_ex()
* NSS: nss_clear_netgroup_hash_table() do not free data
* winbind idmap plugin: support interface version 6
* winbind idmap plugin: fix detection
* p11_child: move verification into separate functions
* p11_child: add verification option
* utils: add get_ssh_key_from_cert()
* utils: move p11 child paths to util.h
* utils: add cert_to_ssh_key request
* tests: add test for cert_to_ssh_key request
* ssh: use cert_to_ssh_key request to verify certificate and get keys
* ssh: add option ssh_use_certificate_keys and enhance man page
* utils: remove unused code from cert utils
* tests: add SSH responder tests
* p11_child: split common and NSS code into separate files
* p11_child: add OpenSSL support
* TESTS: make some cert auth checks order independent
* p11_child: allow tests to use OpenSSL version of p11_child
* certmap: fix issue found by Coverity in OpenSSL version
* SPEC/CI: enable openssl build for Debian and upcoming versions
* certmap: allow missing empty EKU in OpenSSL version
* KCM: be aware that size_t might have different size than other integers
* sysdb: add sysdb_getgrgid_attrs()
* ipa: use mpg aware group lookup in get_object_from_cache()
* ipa: allow mpg group objects in apply_subdomain_homedir()
* AD/LDAP: do not fall back to mpg user lookup on GC connection
* cifs idmap plugin: use new sss_nss_idmap calls
* winbind idmap plugin: use new sss_nss_idmap calls
* libwbclient-sssd: use new sss_nss_idmap calls
* pysss_nss_idmap: add python bindings for new sss_nss_idmap calls
* Thorsten Scherf (1):
* man: Add FILES as a valid config option for 'id_provider'
* Yuri Chornoivan (1):
* MAN: Fix minor typos
* amitkuma (1):
* sssctl: Showing help even when sssd not configured
* amitkumar50 (2):
* MAN: Add sss-certmap man page regarding priority processing
* MAN: Clarify how comments work in sssd.conf
Files provider - does not start properly ?
by JOHE (John Hearns)
I am trying out the files provider with sssd version 16.1 on Ubuntu Xenial.
In the configuration file I set enable_files_domain = True
sssd_implicit_files.log then says:
[sssd[be[implicit_files]]] [id_callback] (0x0010): The Monitor returned an error [org.freedesktop.DBus.Error.NoReply]
Any ideas please?
Also rather confusingly /etc/nsswitch.conf still has to be set with: passwd files sss
The simple-minded amongst us (me) thought that, from the description of the sssd files provider, the passwd and group file would be read at startup, therefore all you would need is sss in the nsswitch.conf
Clearly there is a huge hole of comprehension. Between my ears.
id username works on ubuntu xenial, but fails on ubuntu trusty
by Asif Iqbal
I can run `*id axisys*` and it *works* fine on ubuntu xenial running *sssd
version 1.13.4* but it is *failing* on ubuntu trusty running *sssd version 1.11.8*.
I have the same *sssd.conf* and *nsswitch.conf* on both servers and I also
provided the *sssd_LDAP.log*, and I noticed there is
no *nss_cmd_getgrgid_search* in the trusty / sssd 1.11.8 log.
*sssd.conf*
========
[sssd]
domains = LDAP
services = nss, pam, sudo
config_file_version = 2
[nss]
[pam]
[sudo]
[domain/LDAP]
debug_level = 9
id_provider = ldap
ldap_schema = rfc2307bis
auth_provider = ldap
access_provider = ldap
ldap_default_bind_dn = uid=nattacp,ou=people,dc=mnet,dc=qintra,dc=com
ldap_default_authtok = secret
ldap_access_filter = objectClass=mnetperson
ldap_uri = ldaps://192.168.0.34:1636
ldap_search_base = ou=People,dc=mnet,dc=qintra,dc=com
ldap_user_object_class = mnetPerson
ldap_group_object_class = inetOrgPerson
ldap_default_authtok_type = password
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/ssl/certs/ctl.cer
ldap_user_uid_number = mnetid
ldap_user_gid_number = mnetid
ldap_group_gid_number = mnetid
cache_credentials = True
*nsswitch.conf*
===========
passwd: compat sss
group: compat sss
shadow: compat sss
hosts: files dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
logs from the command `*id axisys*'
ubuntu trusty *sssd_LDAP.log* (*fails*)
===========================
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [get_client_cred] (0x4000): Client
creds: euid[1000] egid[1000] pid[6291].
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x1e09540][19]
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [accept_fd_handler] (0x0400): Client
connected!
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x1e09540][19]
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x1e09540][19]
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [sss_cmd_get_version] (0x0200):
Received client version [1].
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [sss_cmd_get_version] (0x0200):
Offered version [1].
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x1e09540][19]
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x1e09540][19]
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x1e09540][19]
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running
command [17] with input [axisys].
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'axisys' matched without domain, user is axisys
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): using default domain [(null)]
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
Requesting info for [axisys] from [<ALL>]
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [sss_ncache_check_str] (0x2000):
Checking negative cache for [NCE/USER/LDAP/axisys]
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
Requesting info for [axisys@LDAP]
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x1e0e620
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x1e0e750
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [ldb] (0x4000): Running timer event
0x1e0e620 "ltdb_callback"
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [ldb] (0x4000): Destroying timer
event 0x1e0e750 "ltdb_timeout"
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [ldb] (0x4000): Ending timer event
0x1e0e620 "ltdb_callback"
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [sss_dp_issue_request] (0x0400):
Issuing request for [0x417c90:1:axisys@LDAP]
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [sss_dp_get_account_msg] (0x0400):
Creating request for [LDAP][4097][1][name=axisys]
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [sbus_add_timeout] (0x2000):
0x1e05a30
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [sss_dp_internal_get_send] (0x0400):
Entering request [0x417c90:1:axisys@LDAP]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus
conn: 0x19204f0
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000):
Dispatching.
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sbus_message_handler]
(0x4000): Received SBUS method [getAccountInfo]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sbus_get_sender_id_send]
(0x2000): Not a sysbus message, quit
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sbus_handler_got_caller_id]
(0x4000): Received SBUS method [getAccountInfo]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [be_get_account_info] (0x0100):
Got request for [4097][1][name=axisys]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [be_req_set_domain] (0x0400):
Changing request domain from [LDAP] to [LDAP]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_id_op_connect_step]
(0x4000): reusing cached connection
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_search_user_next_base]
(0x0400): Searching for users with base [ou=People,dc=mnet,dc=qintra,dc=com]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with
[(&(uid=axisys)(objectclass=mnetPerson)(uid=*)(&(mnetid=*)(!(mnetid=0))))][ou=People,dc=mnet,dc=qintra,dc=com].
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [objectClass]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [uid]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [userPassword]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [mnetid]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [mnetid]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [gecos]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [homeDirectory]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [loginShell]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [krbPrincipalName]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [cn]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [memberOf]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [modifyTimestamp]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [modifyTimestamp]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowLastChange]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowMin]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowMax]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowWarning]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowInactive]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowExpire]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [shadowFlag]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [krbLastPwdChange]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [krbPasswordExpiration]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [pwdAttribute]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [authorizedService]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [accountExpires]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [userAccountControl]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [nsAccountLock]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [host]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [loginDisabled]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [loginExpirationTime]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [loginAllowedTimeMap]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x2000): ldap_search_ext called, msgid = 4
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_process_result] (0x2000):
Trace: sh[0x1928340], connected[1], ops[0x19563c0], ldap[0x191baa0]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_process_message]
(0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_parse_entry] (0x4000):
OriginalDN: [uid=axisys,ou=People,dc=mnet,dc=qintra,dc=com].
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No
sub-attributes for [objectClass]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No
sub-attributes for [uid]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No
sub-attributes for [mnetid]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No
sub-attributes for [cn]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No
sub-attributes for [modifyTimestamp]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_process_result] (0x2000):
Trace: sh[0x1928340], connected[1], ops[0x19563c0], ldap[0x191baa0]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_process_message]
(0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_done]
(0x0400): Search result: Success(0), no errmsg set
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_search_user_process]
(0x0400): Search for users, returned 1 results.
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_search_user_process]
(0x4000): Retrieved total 1 users
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [ldb] (0x4000): start ldb
transaction (nesting: 0)
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_save_user] (0x0400): Save
user
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_attrs_get_sid_str]
(0x0080): No [objectSID] attribute while id-mapping. [0][Success]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_save_user] (0x4000):
objectSID: not available for group [(null)].
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_primary_name]
(0x0400): Processing object axisys
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_save_user] (0x0400):
Processing user axisys
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_save_user] (0x0020): no
gid provided for [axisys] in domain [LDAP].
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_save_user] (0x0020):
Failed to save user [axisys]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_save_users] (0x0040):
Failed to store user 0. Ignoring.
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [ldb] (0x4000): commit ldb
transaction (nesting: 0)
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_get_users_done] (0x4000):
Saving 1 Users - Done
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_id_op_done] (0x4000):
releasing operation connection
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [sbus_remove_timeout] (0x2000):
0x1e05a30
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn:
0x1e08760
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [sbus_dispatch] (0x4000):
Dispatching.
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got
reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [sss_ncache_check_str] (0x2000):
Checking negative cache for [NCE/USER/LDAP/axisys]
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
Requesting info for [axisys@LDAP]
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x1e13c40
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x1e13d70
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [ldb] (0x4000): Running timer event
0x1e13c40 "ltdb_callback"
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [ldb] (0x4000): Destroying timer
event 0x1e13d70 "ltdb_timeout"
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [ldb] (0x4000): Ending timer event
0x1e13c40 "ltdb_callback"
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [sss_ncache_set_str] (0x0400):
Adding [NCE/USER/LDAP/axisys] to negative cache
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040):
No results for getpwnam call
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [sss_dp_req_destructor] (0x0400):
Deleting request: [0x417c90:1:axisys@LDAP]
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x1e09540][19]
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x1e09540][19]
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [client_recv] (0x0200): Client
disconnected!
(Wed Jun 6 19:12:22 2018) [sssd[nss]] [client_destructor] (0x2000):
Terminated client [0x1e09540][19]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100):
Request processed. Returned 0,0,Success
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_process_result] (0x2000):
Trace: sh[0x1928340], connected[1], ops[(nil)], ldap[0x191baa0]
(Wed Jun 6 19:12:22 2018) [sssd[be[LDAP]]] [sdap_process_result] (0x2000):
Trace: ldap_result found nothing!
(Wed Jun 6 19:12:23 2018) [sssd] [service_send_ping] (0x0100): Pinging LDAP
(Wed Jun 6 19:12:23 2018) [sssd] [sbus_add_timeout] (0x2000): 0x2171a20
(Wed Jun 6 19:12:23 2018) [sssd] [service_send_ping] (0x0100): Pinging nss
(Wed Jun 6 19:12:23 2018) [sssd] [sbus_add_timeout] (0x2000): 0x2177990
(Wed Jun 6 19:12:23 2018) [sssd] [service_send_ping] (0x0100): Pinging pam
(Wed Jun 6 19:12:23 2018) [sssd] [sbus_add_timeout] (0x2000): 0x2177de0
(Wed Jun 6 19:12:23 2018) [sssd] [service_send_ping] (0x0100):
(Wed Jun 6 19:12:23 2018) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn:
0x1df85b0
(Wed Jun 6 19:12:23 2018) [sssd[pam]] [sbus_dispatch] (0x4000):
Dispatching.
(Wed Jun 6 19:12:23 2018) [sssd[pam]] [sbus_message_handler] (0x4000):
Received SBUS method [ping]
(Wed Jun 6 19:12:23 2018) [sssd[pam]] [sbus_get_sender_id_send] (0x2000):
Pinging sudo
(Wed Jun 6 19:12:23 2018) [sssd] [sbus_add_timeout] (0x2000): Not a sysbus
message, quit
(Wed Jun 6 19:12:23 2018) [sssd[pam]] [sbus_handler_got_caller_id]
(0x4000): Received SBUS method [ping] 0x217d310
(Wed Jun 6 19:12:23 2018) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus
conn: 0x12245b0
(Wed Jun 6 19:12:23 2018) [sssd[sudo]] [sbus_dispatch] (0x4000):
Dispatching.
(Wed Jun 6 19:12:23 2018) [sssd[sudo]] [sbus_message_handler] (0x4000):
Received SBUS method [ping]
(Wed Jun 6 19:12:23 2018) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000):
Not a sysbus message, quit
(Wed Jun 6 19:12:23 2018) [sssd[sudo]] [sbus_handler_got_caller_id]
(0x4000): Received SBUS method [ping]
(Wed Jun 6 19:12:23 2018) [sssd] [sbus_remove_timeout] (0x2000): 0x217d310
(Wed Jun 6 19:12:23 2018) [sssd] [sbus_dispatch] (0x4000): dbus conn:
0x217bca0
(Wed Jun 6 19:12:23 2018) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jun 6 19:12:23 2018) [sssd] [ping_check] (0x0100): Service sudo
replied to ping
(Wed Jun 6 19:12:23 2018) [sssd] [sbus_remove_timeout] (0x2000): 0x2177de0
(Wed Jun 6 19:12:23 2018) [sssd] [sbus_dispatch] (0x4000): dbus conn:
0x2178100
(Wed Jun 6 19:12:23 2018) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jun 6 19:12:23 2018) [sssd] [ping_check] (0x0100): Service pam
replied to ping
(Wed Jun 6 19:12:23 2018) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn:
0x1e055b0
(Wed Jun 6 19:12:23 2018) [sssd[nss]] [sbus_dispatch] (0x4000):
Dispatching.
(Wed Jun 6 19:12:23 2018) [sssd[nss]] [sbus_message_handler] (0x4000):
Received SBUS method [ping]
(Wed Jun 6 19:12:23 2018) [sssd[nss]] [sbus_get_sender_id_send] (0x2000):
Not a sysbus message, quit
(Wed Jun 6 19:12:23 2018) [sssd[nss]] [sbus_handler_got_caller_id]
(0x4000): Received SBUS method [ping]
(Wed Jun 6 19:12:23 2018) [sssd] [sbus_remove_timeout] (0x2000): 0x2177990
(Wed Jun 6 19:12:23 2018) [sssd] [sbus_dispatch] (0x4000): dbus conn:
0x21782e0
(Wed Jun 6 19:12:23 2018) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jun 6 19:12:23 2018) [sssd] [ping_check] (0x0100): Service nss
replied to ping
(Wed Jun 6 19:12:23 2018) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus
conn: 0x190f130
(Wed Jun 6 19:12:23 2018) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000):
Dispatching.
(Wed Jun 6 19:12:23 2018) [sssd[be[LDAP]]] [sbus_message_handler]
(0x4000): Received SBUS method [ping]
(Wed Jun 6 19:12:23 2018) [sssd[be[LDAP]]] [sbus_get_sender_id_send]
(0x2000): Not a sysbus message, quit
(Wed Jun 6 19:12:23 2018) [sssd[be[LDAP]]] [sbus_handler_got_caller_id]
(0x4000): Received SBUS method [ping]
(Wed Jun 6 19:12:23 2018) [sssd] [sbus_remove_timeout] (0x2000): 0x2171a20
(Wed Jun 6 19:12:23 2018) [sssd] [sbus_dispatch] (0x4000): dbus conn:
0x2172000
(Wed Jun 6 19:12:23 2018) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jun 6 19:12:23 2018) [sssd] [ping_check] (0x0100): Service LDAP
replied to ping
ubuntu xenial *sssd_LDAP.log* (*works*!)
==============================
(Wed Jun 6 19:09:40 2018) [sssd] [services_startup_timeout] (0x0400):
Handling timeout
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [get_client_cred] (0x4000): Client
creds: euid[1000] egid[1000] pid[4418].
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x118f5c0][21]
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [accept_fd_handler] (0x0400): Client
connected!
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x118f5c0][21]
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x118f5c0][21]
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [sss_cmd_get_version] (0x0200):
Received client version [1].
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [sss_cmd_get_version] (0x0200):
Offered version [1].
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x118f5c0][21]
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x118f5c0][21]
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x118f5c0][21]
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running
command [17][SSS_NSS_GETPWNAM] with input [axisys].
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'axisys' matched without domain, user is axisys
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
Requesting info for [axisys] from [<ALL>]
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [sss_ncache_check_str] (0x2000):
Checking negative cache for [NCE/USER/LDAP/axisys]
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
Requesting info for [axisys@LDAP]
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x119a170
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x119a230
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [ldb] (0x4000): Running timer event
0x119a170 "ltdb_callback"
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [ldb] (0x4000): Destroying timer
event 0x119a230 "ltdb_timeout"
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [ldb] (0x4000): Ending timer event
0x119a170 "ltdb_callback"
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a
LOCAL view, continuing with provided values.
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [check_cache] (0x0400): Cached entry
is valid, returning..
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400):
Returning info for user [axisys@LDAP]
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [expand_homedir_template] (0x0020):
Missing template.
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x118f5c0][21]
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x118f5c0][21]
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x118f5c0][21]
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [nss_cmd_getbyid] (0x0400): Running
command [34][SSS_NSS_GETGRGID] with id [408462].
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [sss_ncache_check_str] (0x2000):
Checking negative cache for [NCE/GID/408462]
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0100):
Requesting info for [408462@LDAP]
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x11953b0
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x1195470
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [ldb] (0x4000): Running timer event
0x11953b0 "ltdb_callback"
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [ldb] (0x4000): Destroying timer
event 0x1195470 "ltdb_timeout"
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [ldb] (0x4000): Ending timer event
0x11953b0 "ltdb_callback"
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a
LOCAL view, continuing with provided values.
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [check_cache] (0x0400): Cached entry
is valid, returning..
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [*nss_cmd_getgrgid_search*]
(0x0400): Returning info for gid [408462@LDAP]
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [nss_cmd_getgrgid_search] (0x0080):
No matching domain found for [408462]
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [sss_ncache_check_str] (0x2000):
Checking negative cache for [NCE/GROUP/LDAP/Asif Iqbal]
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x118f5c0][21]
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x118f5c0][21]
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running
command [38][SSS_NSS_INITGR] with input [axisys].
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'axisys' matched without domain, user is axisys
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
Requesting info for [axisys] from [<ALL>]
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [sss_ncache_check_str] (0x2000):
Checking negative cache for [NCE/USER/LDAP/axisys]
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [nss_cmd_initgroups_search]
(0x0100): Requesting info for [axisys@LDAP]
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x119a170
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x119a230
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [ldb] (0x4000): Running timer event
0x119a170 "ltdb_callback"
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [ldb] (0x4000): Destroying timer
event 0x119a230 "ltdb_timeout"
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [ldb] (0x4000): Ending timer event
0x119a170 "ltdb_callback"
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_callback": 0x118f740
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [ldb] (0x4000): Added timed event
"ltdb_timeout": 0x119bfb0
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [ldb] (0x4000): Running timer event
0x118f740 "ltdb_callback"
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [ldb] (0x4000): Destroying timer
event 0x119bfb0 "ltdb_timeout"
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [ldb] (0x4000): Ending timer event
0x118f740 "ltdb_callback"
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a
LOCAL view, continuing with provided values.
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [check_cache] (0x0400): Cached entry
is valid, returning..
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [nss_cmd_initgroups_search]
(0x0400): Initgroups for [axisys@LDAP] completed
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [calc_flat_name] (0x0080): Flat name
requested but domain has noflat name set, falling back to domain name
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x118f5c0][21]
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [reset_idle_timer] (0x4000): Idle
timer re-set for client [0x118f5c0][21]
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [client_recv] (0x0200): Client
disconnected!
(Wed Jun 6 19:09:44 2018) [sssd[nss]] [client_destructor] (0x2000):
Terminated client [0x118f5c0][21]
(Wed Jun 6 19:09:45 2018) [sssd] [service_send_ping] (0x2000): Pinging LDAP
(Wed Jun 6 19:09:45 2018) [sssd] [sbus_add_timeout] (0x2000): 0x1df8380
(Wed Jun 6 19:09:45 2018) [sssd] [service_send_ping] (0x2000): Pinging nss
(Wed Jun 6 19:09:45 2018) [sssd] [sbus_add_timeout] (0x2000): 0x1df26c0
(Wed Jun 6 19:09:45 2018) [sssd] [service_send_ping] (0x2000): Pinging pam
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000):
(Wed Jun 6 19:09:45 2018) [sssd] [sbus_add_timeout] (0x2000): 0x1df7140
dbus conn: 0x1c29d50
(Wed Jun 6 19:09:45 2018) [sssd] [service_send_ping] (0x2000): Pinging sudo
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000):
Dispatching.
(Wed Jun 6 19:09:45 2018) [sssd] [sbus_add_timeout] (0x2000): 0x1df2ef0
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sbus_message_handler]
(0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path
/org/freedesktop/sssd/service
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sbus_get_sender_id_send]
(0x2000): Not a sysbus message, quit
(Wed Jun 6 19:09:45 2018) [sssd] [sbus_remove_timeout] (0x2000): 0x1df8380
(Wed Jun 6 19:09:45 2018) [sssd[nss]] [sbus_dispatch] (0x4000):
(Wed Jun 6 19:09:45 2018) [sssd] [sbus_dispatch] (0x4000): dbus conn:
0x1df1b10
dbus conn: 0x118a260
(Wed Jun 6 19:09:45 2018) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jun 6 19:09:45 2018) [sssd] [ping_check] (0x2000): Service LDAP
replied to ping
(Wed Jun 6 19:09:45 2018) [sssd[nss]] [sbus_dispatch] (0x4000):
Dispatching.
(Wed Jun 6 19:09:45 2018) [sssd[nss]] [sbus_message_handler] (0x2000):
Received SBUS method org.freedesktop.sssd.service.ping on path
/org/freedesktop/sssd/service
(Wed Jun 6 19:09:45 2018) [sssd[sudo]] [sbus_dispatch] (0x4000): dbus
conn: 0x12f1270
(Wed Jun 6 19:09:45 2018) [sssd[sudo]] [sbus_dispatch] (0x4000):
Dispatching.
(Wed Jun 6 19:09:45 2018) [sssd[sudo]] [sbus_message_handler] (0x2000):
Received SBUS method org.freedesktop.sssd.service.ping on path
/org/freedesktop/sssd/service
(Wed Jun 6 19:09:45 2018) [sssd[nss]] [sbus_get_sender_id_send] (0x2000):
Not a sysbus message, quit
(Wed Jun 6 19:09:45 2018) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn:
0x2527260
(Wed Jun 6 19:09:45 2018) [sssd[pam]] [sbus_dispatch] (0x4000):
Dispatching.
(Wed Jun 6 19:09:45 2018) [sssd[pam]] [sbus_message_handler] (0x2000):
(Wed Jun 6 19:09:45 2018) [sssd] [sbus_remove_timeout] (0x2000): 0x1df26c0
(Wed Jun 6 19:09:45 2018) [sssd] [sbus_dispatch] (0x4000): dbus conn:
0x1df76b0
(Wed Jun 6 19:09:45 2018) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jun 6 19:09:45 2018) [sssd] [ping_check] (0x2000): Service nss
replied to ping
Received SBUS method org.freedesktop.sssd.service.ping on path
/org/freedesktop/sssd/service
(Wed Jun 6 19:09:45 2018) [sssd[pam]] [sbus_get_sender_id_send] (0x2000):
Not a sysbus message, quit
(Wed Jun 6 19:09:45 2018) [sssd] [sbus_remove_timeout] (0x2000): 0x1df7140
(Wed Jun 6 19:09:45 2018) [sssd] [sbus_dispatch] (0x4000): dbus conn:
0x1df90a0
(Wed Jun 6 19:09:45 2018) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jun 6 19:09:45 2018) [sssd] [ping_check] (0x2000): Service pam
replied to ping
(Wed Jun 6 19:09:45 2018) [sssd[sudo]] [sbus_get_sender_id_send] (0x2000):
Not a sysbus message, quit
(Wed Jun 6 19:09:45 2018) [sssd] [sbus_remove_timeout] (0x2000): 0x1df2ef0
(Wed Jun 6 19:09:45 2018) [sssd] [sbus_dispatch] (0x4000): dbus conn:
0x1dfb540
(Wed Jun 6 19:09:45 2018) [sssd] [sbus_dispatch] (0x4000): Dispatching.
(Wed Jun 6 19:09:45 2018) [sssd] [ping_check] (0x2000): Service sudo
replied to ping
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [be_ptask_execute] (0x0400):
Task [SUDO Full Refresh]: executing task, timeout 21600 seconds
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_sudo_full_refresh_send]
(0x0400): Issuing a full refresh of sudo rules
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_id_op_connect_step]
(0x4000): beginning to connect
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'LDAP'
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [get_server_status] (0x1000):
Status of server '192.168.0.34' is 'name not resolved'
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [get_port_status] (0x1000):
Port status of port 1636 for server '192.168.0.34' is 'neutral'
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]]
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6
seconds
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [get_server_status] (0x1000):
Status of server '192.168.0.34' is 'name not resolved'
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [set_server_common_status]
(0x0100): Marking server '192.168.0.34' as 'resolving name'
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [set_server_common_status]
(0x0100): Marking server '192.168.0.34' as 'name resolved'
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [be_resolve_server_process]
(0x1000): Saving the first resolved server
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [be_resolve_server_process]
(0x0200): Found address for server 192.168.0.34: [192.168.0.34] TTL 7200
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_uri_callback] (0x0400):
Constructed uri 'ldaps://192.168.0.34:1636'
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sss_ldap_init_send] (0x4000):
Using file descriptor [21] for LDAP connection.
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sss_ldap_init_send] (0x0400):
Setting 6 seconds timeout for connecting
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldaps://
192.168.0.34:1636/??base] with fd [21].
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_rootdse_send]
(0x4000): Getting rootdse
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_print_server] (0x2000):
Searching 192.168.0.34
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with [(objectclass=*)][].
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [*]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [altServer]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [namingContexts]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [supportedControl]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [supportedExtension]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [supportedFeatures]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [supportedLDAPVersion]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [supportedSASLMechanisms]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [domainControllerFunctionality]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [defaultNamingContext]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [lastUSN]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [highestCommittedUSN]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x2000): ldap_search_ext called, msgid = 1
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_op_add] (0x2000): New
operation 1 timeout 6
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_process_result] (0x2000):
Trace: sh[0x1c505c0], connected[1], ops[0x1c60140], ldap[0x1c40820]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_process_message]
(0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_parse_entry] (0x1000):
OriginalDN: [].
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No
sub-attributes for [objectClass]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No
sub-attributes for [namingContexts]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No
sub-attributes for [supportedExtension]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No
sub-attributes for [supportedControl]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No
sub-attributes for [supportedSASLMechanisms]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No
sub-attributes for [supportedLDAPVersion]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No
sub-attributes for [vendorName]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No
sub-attributes for [vendorVersion]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No
sub-attributes for [dataversion]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No
sub-attributes for [netscapemdsuffix]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No
sub-attributes for [supportedSSLCiphers]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No
sub-attributes for [enabledSSLCiphers]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No
sub-attributes for [attributeencryptionciphers]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_process_result] (0x2000):
Trace: sh[0x1c505c0], connected[1], ops[0x1c60140], ldap[0x1c40820]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_process_message]
(0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_op_finished]
(0x0400): Search result: Success(0), no errmsg set
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_op_destructor] (0x2000):
Operation 1 finished
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_rootdse_done]
(0x2000): Got rootdse
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_rootdse_done]
(0x2000): Skipping auto-detection of match rule
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]]
[sdap_get_server_opts_from_rootdse] (0x0200): No known USN scheme is
supported by this server!
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]]
[sdap_get_server_opts_from_rootdse] (0x0200): Will use modification
timestamp as usn!
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_cli_auth_step] (0x0100):
expire timeout is 900
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_cli_auth_step] (0x1000):
the connection will expire at 1528313085
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [simple_bind_send] (0x0100):
Executing simple bind as: uid=nattacp,ou=people,dc=mnet,dc=qintra,dc=com
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [simple_bind_send] (0x2000):
ldap simple bind sent, msgid = 2
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_op_add] (0x2000): New
operation 2 timeout 6
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_process_result] (0x2000):
Trace: sh[0x1c505c0], connected[1], ops[0x1c6b080], ldap[0x1c40820]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_process_result] (0x2000):
Trace: ldap_result found nothing!
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_process_result] (0x2000):
Trace: sh[0x1c505c0], connected[1], ops[0x1c6b080], ldap[0x1c40820]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_process_message]
(0x4000): Message type: [LDAP_RES_BIND]
...
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [simple_bind_done] (0x1000):
Password Policy Response: expire [-1] grace [-1] error [No error].
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [simple_bind_done] (0x0400):
Bind result: Success(0), no errmsg set
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_op_destructor] (0x2000):
Operation 2 finished
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [_be_fo_set_port_status]
(0x8000): Setting status: PORT_WORKING. Called from:
../src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv: 2052
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [fo_set_port_status] (0x0100):
Marking port 1636 of server '192.168.0.34' as 'working'
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [set_server_common_status]
(0x0100): Marking server '192.168.0.34' as 'working'
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [fo_set_port_status] (0x0400):
Marking port 1636 of duplicate server '192.168.0.34' as 'working'
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_id_op_connect_done]
(0x4000): notify connected to op #1
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]]
[sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [check_ipv4_addr] (0x0200):
Loopback IPv4 address 127.0.0.1
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_sudo_get_ip_addresses]
(0x2000): Found IP address: 10.0.2.15 in network 10.0.2.0/24
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_sudo_get_ip_addresses]
(0x2000): Found IP address: 10.193.69.239 in network 10.193.68.0/23
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [check_ipv6_addr] (0x0200):
Loopback IPv6 address ::1
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_sudo_get_ip_addresses]
(0x2000): Found IP address: fe80::e9:3aff:fe83:3ee2 in network fe80::/64
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_sudo_get_ip_addresses]
(0x2000): Found IP address: fe80::a00:27ff:fe9e:c1bf in network fe80::/64
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_sudo_get_hostnames_send]
(0x2000): Found hostname: ubuntu-xenial
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [resolv_is_address] (0x4000):
[ubuntu-xenial] does not look like an IP address
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [resolv_gethostbyname_step]
(0x2000): Querying files
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]]
[resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of
'ubuntu-xenial' in files
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_id_op_connect_done]
(0x4000): caching successful connection after 1 notifies
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]]
[be_run_unconditional_online_cb] (0x4000): List of unconditional online
callbacks is empty, nothing to do.
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [be_run_online_cb] (0x0080):
Going online. Running callbacks.
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_sudo_get_hostnames_done]
(0x2000): Found fqdn: ubuntu-xenial
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_sudo_load_sudoers_send]
(0x0400): About to fetch sudo rules
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_search_bases_next_base]
(0x0400): Issuing LDAP lookup with base [ou=People,dc=mnet,dc=qintra,dc=com]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_print_server] (0x2000):
Searching 192.168.0.34
....
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [objectClass]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [cn]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [sudoCommand]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [sudoHost]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [sudoUser]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [sudoOption]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [sudoRunAs]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [sudoRunAsUser]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [sudoRunAsGroup]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [sudoNotBefore]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [sudoNotAfter]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [sudoOrder]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [modifyTimestamp]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
(0x2000): ldap_search_ext called, msgid = 3
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_op_add] (0x2000): New
operation 3 timeout 6
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_process_result] (0x2000):
Trace: sh[0x1c505c0], connected[1], ops[0x1c66150], ldap[0x1c40820]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_process_result] (0x2000):
Trace: ldap_result found nothing!
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [be_ptask_online_cb] (0x0400):
Back end is online
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [be_ptask_enable] (0x0080):
Task [SUDO Smart Refresh]: already enabled
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [be_ptask_online_cb] (0x0400):
Back end is online
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [be_ptask_enable] (0x0080):
Task [SUDO Full Refresh]: already enabled
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_process_result] (0x2000):
Trace: sh[0x1c505c0], connected[1], ops[0x1c66150], ldap[0x1c40820]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_process_message]
(0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_get_generic_op_finished]
(0x0400): Search result: Success(0), no errmsg set
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_op_destructor] (0x2000):
Operation 3 finished
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_search_bases_done]
(0x0400): Receiving data from base [ou=People,dc=mnet,dc=qintra,dc=com]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_sudo_load_sudoers_done]
(0x0040): Received 0 sudo rules
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_id_op_done] (0x4000):
releasing operation connection
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_sudo_refresh_done]
(0x0400): Received 0 rules
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): start ldb
transaction (nesting: 0)
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): start ldb
transaction (nesting: 1)
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sysdb_sudo_purge_all]
(0x0400): Deleting all cached sudo rules
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): start ldb
transaction (nesting: 2)
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed
event "ltdb_callback": 0x1c68a20
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed
event "ltdb_timeout": 0x1c68ae0
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): Running timer
event 0x1c68a20 "ltdb_callback"
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): Destroying
timer event 0x1c68ae0 "ltdb_timeout"
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): Ending timer
event 0x1c68a20 "ltdb_callback"
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sysdb_delete_recursive]
(0x4000): Found [1] items to delete.
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sysdb_delete_recursive]
(0x4000): Trying to delete [cn=sudorules,cn=custom,cn=LDAP,cn=sysdb].
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): start ldb
transaction (nesting: 3)
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed
event "ltdb_callback": 0x1c67050
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed
event "ltdb_timeout": 0x1c67110
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): Running timer
event 0x1c67050 "ltdb_callback"
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed
event "ltdb_callback": 0x1c67290
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed
event "ltdb_timeout": 0x1c677e0
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): Destroying
timer event 0x1c67110 "ltdb_timeout"
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): Ending timer
event 0x1c67050 "ltdb_callback"
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): Running timer
event 0x1c67290 "ltdb_callback"
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): Destroying
timer event 0x1c677e0 "ltdb_timeout"
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): Ending timer
event 0x1c67290 "ltdb_callback"
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): commit ldb
transaction (nesting: 3)
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): commit ldb
transaction (nesting: 2)
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): commit ldb
transaction (nesting: 1)
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): commit ldb
transaction (nesting: 0)
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_sudo_refresh_done]
(0x0400): Sudoers is successfuly stored in cache
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_sudo_set_usn] (0x0200):
SUDO higher USN value: [1]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed
event "ltdb_callback": 0x1c4fd20
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed
event "ltdb_timeout": 0x1c4f6d0
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): Running timer
event 0x1c4fd20 "ltdb_callback"
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): Destroying
timer event 0x1c4f6d0 "ltdb_timeout"
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): Ending timer
event 0x1c4fd20 "ltdb_callback"
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): start ldb
transaction (nesting: 0)
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed
event "ltdb_callback": 0x1c6ddc0
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed
event "ltdb_timeout": 0x1c6de80
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): Running timer
event 0x1c6ddc0 "ltdb_callback"
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): Destroying
timer event 0x1c6de80 "ltdb_timeout"
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): Ending timer
event 0x1c6ddc0 "ltdb_callback"
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [ldb] (0x4000): commit ldb
transaction (nesting: 0)
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_sudo_full_refresh_done]
(0x0400): Successful full refresh of sudo rules
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [be_ptask_done] (0x0400): Task
[SUDO Full Refresh]: finished successfully
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [be_ptask_schedule] (0x0400):
Task [SUDO Full Refresh]: scheduling task 21600 seconds from last execution
time [1528333785]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_process_result] (0x2000):
Trace: sh[0x1c505c0], connected[1], ops[(nil)], ldap[0x1c40820]
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_process_result] (0x2000):
Trace: ldap_result found nothing!
(Wed Jun 6 19:09:45 2018) [sssd[be[LDAP]]] [sdap_sudo_online_cb] (0x0400):
We are back online. SUDO host information will be renewed on next refresh.
--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
5 years, 10 months
Refreshing tickets with msktutil
by JOHE (John Hearns)
sssd version 1.15.0 running on Ubuntu Xenial.
In my setup sssd is not automatically refreshing computer account tickets after 30 days, for some reason.
I found the msktutil package, which has a cron job that runs msktutil --auto-update each day.
So far so good.
However msktutil --auto-update fails but msktutil --update works OK.
Can anyone drop me a hint please why this might be so?
Snippets from the verbose output below.
/usr/sbin/msktutil --verbose --auto-update
-- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-V1URdr
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: and$
-- try_machine_keytab_princ: Trying to authenticate for and$ from local keytab...
-- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
-- try_machine_keytab_princ: Authentication with keytab failed
/usr/sbin/msktutil --verbose --update
-- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-QXmuHN
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: and$
-- try_machine_keytab_princ: Trying to authenticate for and$ from local keytab...
-- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-ZChBdy
-- finalize_exec: Authenticated using method 1
5 years, 10 months
Nested LDAP groups and filtering
by Christian Svensson
Hi sssd-users,
My LDAP setup contains two bases:
dc=office1,dc=company,dc=tld
dc=office2,dc=company,dc=tld
Groups can cross-reference other groups in the two bases, like this:
cn=printer-access,ou=groups,dc=office1,dc=company,dc=tld
- member: cn=everybody,ou=groups,dc=office1,dc=company,dc=tld
- member: cn=everybody,ou=groups,dc=office2,dc=company,dc=tld
cn=printer-access,ou=groups,dc=office2,dc=company,dc=tld
- member: cn=everybody,ou=groups,dc=office2,dc=company,dc=tld
What I'm trying to achieve is to have a server belonging to office1 be able
to expand all groups, even if the references cross the office boundary,
but only see the leaf groups that are in its own base.
What I've tried is something like this:
[domain/office1]
debug_level = 9
enumerate = true
cache_credentials = true
entry_cache_timeout = 600
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_search_base = dc=company,dc=tld
ldap_group_search_base = dc=office1,dc=company,dc=tld
# Also tried with:
# ldap_group_search_base = dc=company,dc=tld?subtree?(dc:dn:=office1)
ldap_schema = rfc2307bis
ldap_group_member = member
ldap_group_nesting_level = 5
ldap_uri = ldaps://xxx
ldap_tls_reqcert = hard
ldap_tls_cacert = /etc/ssl/ldap-ca.crt
Sadly this does not work, which I'm not that surprised over. The lookup
logic reports:
(Sun May 20 14:00:29 2018) [sssd[be[ office1]]] [sdap_save_grpmem]
(0x0400): Adding member users to group [printer-access@office1]
(Sun May 20 14:00:29 2018) [sssd[be[ office1]]] [sdap_find_entry_by_origDN]
(0x4000): Searching cache for [
cn=everybody,ou=groups,dc=office2,dc=company,dc=tld].
(Sun May 20 14:00:29 2018) [sssd[be[ office1]]] [sdap_fill_memberships]
(0x0080): Member [ cn=everybody,ou=groups,dc=office2,dc=company,dc=tld] was
not found in cache. Is it out of scope?
Looking at the way things are executed in code and logs it seems like there
is no "post processing" to drop groups based on LDAP attributes, nor is
there any way for me to add attributes to the full name of the resource to
disambiguate them. Those are the two ways I've been attacking this, and
both seem not to be supported.
Are my observations correct? Is there a workaround other than making sure
groups have unique names across the whole company?
When group names are not colliding, everything works just fine if I put
ldap_group_search_base = dc=company,dc=tld, but I'd prefer to avoid having to
resort to globally unique group names.
Thanks,
P.S. My groups are named differently and have been renamed in the log
messages. Let me know if something doesn't make sense and I might have
typo'd a replacement.
5 years, 10 months
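The split the post asks for, membership expanded across both bases but only the groups under the server's own base exposed, is easy to model outside sssd. The following is an added example, not sssd code and not something the poster wrote: a plain-Python simulation over a constructed directory fragment built from the DNs in the post plus hypothetical user entries (alice, bob) that the post does not contain. It also lists the short names that occur under more than one base, which is exactly the set that becomes ambiguous once a single ldap_group_search_base covers the whole company.

```python
"""Added model of nested-group expansion across two LDAP bases.

Not sssd code: a plain-Python simulation of what the post asks for, namely
membership expanded across both bases but only the groups under the server's
own base exposed. The directory below is constructed from the DNs in the post
plus hypothetical user entries (alice, bob) that the post does not contain.
"""
from typing import Dict, List, Set

# Constructed directory: group DN -> list of member DNs. Users are the
# DNs that have no entry of their own here.
DIRECTORY: Dict[str, List[str]] = {
    "cn=printer-access,ou=groups,dc=office1,dc=company,dc=tld": [
        "cn=everybody,ou=groups,dc=office1,dc=company,dc=tld",
        "cn=everybody,ou=groups,dc=office2,dc=company,dc=tld",
    ],
    "cn=printer-access,ou=groups,dc=office2,dc=company,dc=tld": [
        "cn=everybody,ou=groups,dc=office2,dc=company,dc=tld",
    ],
    "cn=everybody,ou=groups,dc=office1,dc=company,dc=tld": [
        "uid=alice,ou=people,dc=office1,dc=company,dc=tld",  # hypothetical user
    ],
    "cn=everybody,ou=groups,dc=office2,dc=company,dc=tld": [
        "uid=bob,ou=people,dc=office2,dc=company,dc=tld",  # hypothetical user
    ],
}


def in_base(dn: str, base: str) -> bool:
    """True if dn sits under base (case-insensitive suffix match on the DN)."""
    return dn.lower().endswith("," + base.lower())


def rdn_value(dn: str) -> str:
    """Value of the first RDN, e.g. 'printer-access' from 'cn=printer-access,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def expand_members(group_dn: str, directory: Dict[str, List[str]],
                   nesting_level: int = 5) -> Set[str]:
    """Transitively resolve the user members of group_dn.

    Nested groups are followed regardless of which base they live in, up to
    nesting_level levels deep (0 means direct members only, mirroring the
    meaning of ldap_group_nesting_level). best_depth guards against cycles
    while still letting a group reached later by a shorter path be re-walked.
    """
    users: Set[str] = set()
    best_depth: Dict[str, int] = {}

    def walk(dn: str, depth: int) -> None:
        if dn in best_depth and best_depth[dn] <= depth:
            return
        best_depth[dn] = depth
        for member in directory.get(dn, []):
            if member in directory:          # member is itself a group
                if depth < nesting_level:
                    walk(member, depth + 1)
            else:                            # member is a user
                users.add(member)

    walk(group_dn, 0)
    return users


def groups_for_server(base: str, directory: Dict[str, List[str]],
                      nesting_level: int = 5) -> Dict[str, List[str]]:
    """Map short group name -> sorted user DNs for every group under base.

    Only groups whose DN lies under base are listed, but their membership is
    expanded across every base, which is the split the post is after.
    """
    return {
        rdn_value(dn): sorted(expand_members(dn, directory, nesting_level))
        for dn in directory
        if in_base(dn, base)
    }


def colliding_names(directory: Dict[str, List[str]]) -> Set[str]:
    """Short group names that occur under more than one DN.

    These become ambiguous once one ldap_group_search_base spans every base.
    """
    seen: Dict[str, Set[str]] = {}
    for dn in directory:
        seen.setdefault(rdn_value(dn), set()).add(dn)
    return {name for name, dns in seen.items() if len(dns) > 1}


if __name__ == "__main__":
    for name, members in groups_for_server("dc=office1,dc=company,dc=tld", DIRECTORY).items():
        print(name, members)
    print("colliding:", colliding_names(DIRECTORY))
```

Run it and the office1 view shows printer-access resolving to both alice and bob while office2's groups never appear as names; set nesting_level to 0 and printer-access empties out, which is the same effect ldap_group_nesting_level = 0 has in sssd.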
sssd failing to lookup user/group names by ID
by David Potterveld
I'm having an issue with sssd failing to look up user or group names from an AD provider. The error occurs on both modern Fedora and Centos 7 systems joined to AD via realm commands. On Centos 7, the version of SSSD is 1.16.0, and that is the version on which I am reporting.
The systems will work perfectly for a long time (up to months) and then suddenly start failing. The most noticeable failure is that "ls -l" of files will give UID/GID numbers, not names, and also ssh into the system will report the error "/usr/bin/id: cannot find name for group ID".
The failure can be temporarily cured with commands such as:
getent passwd username
getent group "domain users"
but after a short period of time the failure resumes. Clearing the cache via "sss_cache -E" also causes the problem to immediately manifest.
I ran some tests with logging enabled. NSS debug level set to 6. The test is to issue the command:
ls -ld dpotterv
When things are working, I see:
drwx------. 19 dpotterv domain users 29 Jun 1 10:08 dpotterv
When things are failing, I see:
drwx------. 19 900209170 900200513 29 Jun 1 10:08 dpotterv
Here are the entries from the nss log for FAILURE:
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [nss_getby_id] (0x0400): Input ID: 900209170
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [cache_req_send] (0x0400): CR #21: New request 'User by ID'
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #21: Performing a multi-domain search
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #21: Search will check the cache and check the data provider
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #21: Using domain [local]
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [cache_req_search_send] (0x0400): CR #21: Looking up UID:900209170@local
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #21: Checking negative cache for [UID:900209170@local]
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #21: [UID:900209170@local] is not present in negative cache
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #21: Looking up [UID:900209170@local] in cache
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [cache_req_idminmax_check] (0x0200): id exceeds min/max boundaries
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #21: ID [UID:900209170@local] was filtered out
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [cache_req_locate_dom_cache_done] (0x0040): cache_req_search_recv returned [1432158300]: ID is outside the allowed range
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [cache_req_process_result] (0x0400): CR #21: Finished: Error 1432158300: ID is outside the allowed range
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [nss_getby_id] (0x0400): Input ID: 900200513
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [cache_req_send] (0x0400): CR #22: New request 'Group by ID'
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #22: Performing a multi-domain search
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #22: Search will check the cache and check the data provider
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #22: Using domain [local]
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [cache_req_search_send] (0x0400): CR #22: Looking up GID:900200513@local
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #22: Checking negative cache for [GID:900200513@local]
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #22: [GID:900200513@local] is not present in negative cache
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #22: Looking up [GID:900200513@local] in cache
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [cache_req_idminmax_check] (0x0200): id exceeds min/max boundaries
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #22: ID [GID:900200513@local] was filtered out
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [cache_req_locate_dom_cache_done] (0x0040): cache_req_search_recv returned [1432158300]: ID is outside the allowed range
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [cache_req_process_result] (0x0400): CR #22: Finished: Error 1432158300: ID is outside the allowed range
(Fri Jun 1 11:17:59 2018) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
I should note that in the sssd config file, I have:
[domain/local]
min_id = 3000
max_id = 199999
id_provider = local
access_provider = permit
remove_homedir = false
[domain/anl]
min_id = 200000
ldap_idmap_range_size = 100000000
cache_credentials = false
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ldap_schema = ad
ldap_id_mapping = true
(Yes, we have a very large range size. Currently, about 0.75 million SIDs in the AD forest, and someone wanted room for growth.)
Looking at the log entries, I see what looks like normal flow of events. A multi-domain search is initiated, and the first domain searched is the local one.
It correctly determines that the ID is outside the range that is valid for this domain, and it returns.
What is not happening is a subsequent search of the ANL domain where the ID is valid!
The following is the NSS log when I do "getent passwd dpotterv", which succeeds:
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [nss_getby_name] (0x0400): Input name: dpotterv
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_send] (0x0400): CR #27: New request 'User by name'
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_process_input] (0x0400): CR #27: Parsing input name [dpotterv]
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'dpotterv' matched without domain, user is dpotterv
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_set_name] (0x0400): CR #27: Setting name [dpotterv]
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_select_domains] (0x0400): CR #27: Performing a multi-domain search
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_search_domains] (0x0400): CR #27: Search will check the cache and check the data provider
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #27: Using domain [local]
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_prepare_domain_data] (0x0400): CR #27: Preparing input data for domain [local] rules
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_search_send] (0x0400): CR #27: Looking up dpotterv@local
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #27: Checking negative cache for [dpotterv@local]
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #27: [dpotterv@local] is not present in negative cache
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #27: Looking up [dpotterv@local] in cache
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #27: Object [dpotterv@local] was not found in cache
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #27: Looking up [dpotterv@local] in data provider
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #27: Looking up [dpotterv@local] in cache
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #27: Object [dpotterv@local] was not found in cache
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_search_ncache_add_to_domain] (0x0400): CR #27: Adding [dpotterv@local] to negative cache
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/local/dpotterv@local] to negative cache
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_set_domain] (0x0400): CR #27: Using domain [anl]
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_prepare_domain_data] (0x0400): CR #27: Preparing input data for domain [anl] rules
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_search_send] (0x0400): CR #27: Looking up dpotterv@anl
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #27: Checking negative cache for [dpotterv@anl]
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #27: [dpotterv@anl] is not present in negative cache
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #27: Looking up [dpotterv@anl] in cache
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_search_send] (0x0400): CR #27: Object found, but needs to be refreshed.
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_search_dp] (0x0400): CR #27: Looking up [dpotterv@anl] in data provider
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x5560f40e6b50:1:dpotterv@anl@anl]
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [anl][0x1][BE_REQ_USER][name=dpotterv@anl:-]
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x5560f40e6b50:1:dpotterv@anl@anl]
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_search_cache] (0x0400): CR #27: Looking up [dpotterv@anl] in cache
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_search_ncache_filter] (0x0400): CR #27: This request type does not support filtering result by negative cache
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_search_done] (0x0400): CR #27: Returning updated object [dpotterv@anl]
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_create_and_add_result] (0x0400): CR #27: Found 1 entries in domain anl
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x5560f40e6b50:1:dpotterv@anl@anl]
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [cache_req_done] (0x0400): CR #27: Finished: Success
(Fri Jun 1 11:34:14 2018) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
This looks like a completely routine multi-domain search by name, first searching the local domain, and then searching the ANL domain, where it queries and receives an answer from the AD data provider.
So, is there a bug in sssd wherein it is failing to continue multi-domain searches by ID when an ID is out of range for local? Or is there something I'm doing wrong in the sssd config? I'm happy to do further debugging. What logs (and level) might be useful?
Our needs are fairly simple. ID's below 200000 are local, everything else is divided into large slices for AD domain(s), and we are joined to one large AD domain.
Thanks for any insight!
5 years, 10 months
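The key line in the failing log is the cache_req_idminmax_check rejection, and the question is which other configured domain should have accepted the ID. As an added diagnostic, not sssd code and not something the poster wrote, the block below re-implements that range test using the ranges from the posted sssd.conf and runs it over constructed copies of the "was filtered out" lines. The DEFAULT_MAX_ID value is the sssd.conf(5) default for max_id, which applies here because [domain/anl] sets none.

```python
"""Added diagnostic for the min_id/max_id filtering seen in the nss log.

Not sssd code: this re-implements the range check that
cache_req_idminmax_check performs, using the ranges from the posted
sssd.conf, and runs it over the 'was filtered out' lines to show which
configured domain would accept each rejected ID. Log lines below are
constructed from the post; DEFAULT_MAX_ID is the sssd.conf(5) default that
applies because [domain/anl] sets no max_id.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

DEFAULT_MAX_ID = 2_000_200_000  # sssd.conf(5) default for max_id


@dataclass(frozen=True)
class DomainRange:
    name: str
    min_id: int
    max_id: int

    def accepts(self, ident: int) -> bool:
        """The same bounds test sssd applies before consulting a domain's cache."""
        return self.min_id <= ident <= self.max_id


# Ranges taken from the posted configuration, in the order sssd checks them.
DOMAINS: List[DomainRange] = [
    DomainRange("local", min_id=3000, max_id=199999),
    DomainRange("anl", min_id=200000, max_id=DEFAULT_MAX_ID),
]

FILTERED_RE = re.compile(
    r"CR #(?P<cr>\d+): ID \[(?P<kind>UID|GID):(?P<id>\d+)@(?P<dom>[^\]]+)\] was filtered out"
)


def domains_accepting(ident: int, domains: List[DomainRange]) -> List[str]:
    """Names of the configured domains whose [min_id, max_id] contains ident."""
    return [d.name for d in domains if d.accepts(ident)]


def audit_filtered_lookups(log_lines: List[str],
                           domains: List[DomainRange]) -> List[Dict[str, object]]:
    """For each 'was filtered out' line, say which domains would take the ID.

    An empty accepted_by list means the ID really is unconfigured; a non-empty
    list names the domain(s) a multi-domain search should have gone on to.
    """
    findings = []
    for line in log_lines:
        m = FILTERED_RE.search(line)
        if not m:
            continue
        ident = int(m.group("id"))
        findings.append({
            "cr": int(m.group("cr")),
            "kind": m.group("kind"),
            "id": ident,
            "rejected_by": m.group("dom"),
            "accepted_by": domains_accepting(ident, domains),
        })
    return findings


# Constructed from the failure log in the post (timestamps dropped).
SAMPLE_LOG = [
    "[sssd[nss]] [cache_req_search_cache] (0x0400): CR #21: ID [UID:900209170@local] was filtered out",
    "[sssd[nss]] [cache_req_locate_dom_cache_done] (0x0040): cache_req_search_recv returned [1432158300]: ID is outside the allowed range",
    "[sssd[nss]] [cache_req_search_cache] (0x0400): CR #22: ID [GID:900200513@local] was filtered out",
]

if __name__ == "__main__":
    for finding in audit_filtered_lookups(SAMPLE_LOG, DOMAINS):
        print(finding)
```

Against the posted lines both IDs come back with accepted_by == ["anl"], so the ranges themselves are not the problem; feed the same function a real nss log and an empty accepted_by list is the case where a min_id/max_id fix is actually called for.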
Server not found in Kerberos database and debug level 11
by JOHE (John Hearns)
I would appreciate some pointers.
I have a sandbox setup running on VMs. There is an AD controller using the VM image which Microsoft has available for testing.
I have created a domain called ad.test
On my client machine I am continually getting this error:
[sssd[be[adtest.private]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
On the client, klist -k | uniq returns
KVNO Principal
---- --------------------------------------------------------------------------
3 CLIENT1$@ADTEST.PRIVATE
3 host/CLIENT1@ADTEST.PRIVATE
3 host/client1@ADTEST.PRIVATE
3 RestrictedKrbHost/CLIENT1@ADTEST.PRIVATE
3 RestrictedKrbHost/client1@ADTEST.PRIVATE
The funny thing is ONLY kinit -k CLIENT1$\@ADTEST.PRIVATE will work.
I do get a tgt:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: CLIENT1$@ADTEST.PRIVATE
Just in the sandbox I am also setting:
ldap_auth_disable_tls_never_use_in_production = true
Any pointers please? I have cranked debug up to 8 and this error message seems to be the crucial one.
By the way, why does the debug level not go up to 11?
5 years, 10 months
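When only the machine-account principal will kinit from a keytab, one thing worth checking before raising the debug level further is what the keytab actually contains versus what the host will be asked for. The block below is an added check, not sssd or Kerberos project code and not a diagnosis of the poster's setup: it parses `klist -k` output (the listing is constructed from the post, with the archive's "(a)" restored to "@"), reports which host/ and RestrictedKrbHost/ principals in short and FQDN form are absent, and confirms every entry shares one KVNO. The hostname, FQDN and realm passed in are assumptions derived from the principal names in the post.

```python
"""Added keytab sanity check for the 'Server not found in Kerberos database' thread.

Not sssd or Kerberos project code: it parses the output of `klist -k` (the
listing below is constructed from the post, with '@' restored) and reports
which host principals, in short and FQDN form, are absent, and whether every
entry shares one KVNO. The hostname, FQDN and realm passed in are assumptions
taken from the post's principal names.
"""
import re
from typing import List, Set, Tuple

# One keytab entry line: a key version number followed by a principal.
KEYTAB_ENTRY = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+@\S+)\s*$")


def parse_klist_k(text: str) -> List[Tuple[int, str]]:
    """Return (kvno, principal) for each entry line, skipping header/rule lines."""
    entries = []
    for line in text.splitlines():
        m = KEYTAB_ENTRY.match(line)
        if m:
            entries.append((int(m.group("kvno")), m.group("principal")))
    return entries


def expected_host_principals(short: str, fqdn: str, realm: str) -> Set[str]:
    """host/ and RestrictedKrbHost/ principals a domain-joined client is normally keyed for.

    MIT Kerberos compares principal names case-sensitively when it searches a
    keytab, so both case forms of the short name are expected alongside the
    lower-case FQDN.
    """
    names = {short.lower(), short.upper(), fqdn.lower()}
    return {f"{svc}/{n}@{realm}" for svc in ("host", "RestrictedKrbHost") for n in names}


def missing_principals(entries: List[Tuple[int, str]], short: str,
                       fqdn: str, realm: str) -> List[str]:
    """Expected host principals that are not present in the keytab, sorted."""
    present = {principal for _, principal in entries}
    return sorted(expected_host_principals(short, fqdn, realm) - present)


def kvnos_consistent(entries: List[Tuple[int, str]]) -> bool:
    """True when all keytab entries carry the same key version number."""
    return len({kvno for kvno, _ in entries}) <= 1


# Constructed from the post's `klist -k | uniq` output; the first line is the
# header klist normally prints before the table.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 CLIENT1$@ADTEST.PRIVATE
   3 host/CLIENT1@ADTEST.PRIVATE
   3 host/client1@ADTEST.PRIVATE
   3 RestrictedKrbHost/CLIENT1@ADTEST.PRIVATE
   3 RestrictedKrbHost/client1@ADTEST.PRIVATE
"""

if __name__ == "__main__":
    entries = parse_klist_k(SAMPLE_KLIST)
    print("kvno consistent:", kvnos_consistent(entries))
    for p in missing_principals(entries, "client1", "client1.adtest.private", "ADTEST.PRIVATE"):
        print("missing:", p)
```

On a real host, pipe `klist -k` into parse_klist_k and then try `kinit -k` with each principal the function lists as present; a principal that is in the keytab but still fails to kinit points at the KDC side (account or key version), while one that is simply absent points at how the keytab was generated.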
Strange behaviour with groups
by JOHE (John Hearns)
I am seeing some very strange behaviour.
Very often when I issue the command 'groups username', only the local groups in /etc/group are returned.
Issue the command again then the list with the local groups plus the AD groups is returned.
In /etc/nsswitch.conf group: files sss
I am altering the parameter ad_enable_gc to False, but this happened with it set to True also.
Any ideas please?
5 years, 10 months