logging in with AD account strangeness
by Peter de Groot
please help.
On Ubuntu against AD. Logging in with an AD account works fine, EXCEPT for just ONE account. The other AD accounts work fine.
It will let me log in once, and when I try to log in again, it comes up with access denied.
BUT... if I do an sssctl cache-remove, it works again, the first time.
id and related diagnostics on this account come up fine.
Used realmd to add the machine to AD. sssd.conf below.
Level 10 logs for at first working and not working can be downloaded from
https://intranet.egc.wa.edu.au/downloads/sssd.tar.gz
Please help, this is driving me insane :-)
Peter
root@e4182s01sv025:/etc/sssd# more sssd.conf
[sssd]
domains = orange.schools.internal
config_file_version = 2
services = nss, pam, ifp, sudo
default_domain_suffix = ORANGE.SCHOOLS.INTERNAL
[domain/orange.schools.internal]
ad_domain = orange.schools.internal
krb5_realm = ORANGE.SCHOOLS.INTERNAL
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
ad_gpo_access_control = permissive
root@e4182s01sv025:/etc/sssd#
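The login decision for this account depends on a handful of settings in the posted sssd.conf (which provider answers the access check, whether GPO evaluation is enforcing or permissive, whether cached credentials are allowed). The following POSIX-shell reader is an added example, not code from the post or from the SSSD project: it pulls those keys out of an sssd.conf so they can be reviewed side by side, and applies SSSD's documented fallback that an unset auth_provider defaults to the id_provider. The config it parses is a constructed copy of the one above.

```shell
#!/bin/sh
# Added example (not from the original post): read the access-relevant keys
# out of an sssd.conf. The sample file is a constructed copy of the posted config.

SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
[sssd]
domains = orange.schools.internal
config_file_version = 2
services = nss, pam, ifp, sudo
default_domain_suffix = ORANGE.SCHOOLS.INTERNAL
[domain/orange.schools.internal]
ad_domain = orange.schools.internal
krb5_realm = ORANGE.SCHOOLS.INTERNAL
cache_credentials = True
id_provider = ad
ldap_id_mapping = True
use_fully_qualified_names = True
access_provider = ad
ad_gpo_access_control = permissive
EOF

# sssd_conf_get FILE SECTION KEY -> prints the value, or nothing if unset.
# Section and key names must match exactly; blanks around "=" are trimmed,
# and lines starting with '#' or ';' are treated as comments.
sssd_conf_get() {
    awk -v want="$2" -v key="$3" '
        /^[[:space:]]*\[/ {
            s = $0
            sub(/^[[:space:]]*\[/, "", s)
            sub(/].*$/, "", s)
            insec = (s == want)
            next
        }
        insec && !/^[[:space:]]*[#;]/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# sssd_access_summary FILE DOMAIN -> one "key=value" line per setting that
# decides whether a fresh or cached login to that domain is allowed.
sssd_access_summary() {
    for k in id_provider auth_provider access_provider ad_gpo_access_control cache_credentials; do
        v=$(sssd_conf_get "$1" "domain/$2" "$k")
        if [ -z "$v" ] && [ "$k" = auth_provider ]; then
            # sssd uses the id_provider for authentication when auth_provider is unset
            v="$(sssd_conf_get "$1" "domain/$2" id_provider) (defaulted from id_provider)"
        fi
        printf '%s=%s\n' "$k" "${v:-<unset>}"
    done
}

sssd_access_summary "$SAMPLE_CONF" orange.schools.internal
```

Run it against the real /etc/sssd/sssd.conf (as root, since the file is mode 0600) to get the same summary for the live host; with access_provider = ad and ad_gpo_access_control = permissive, GPO results are logged but never deny a login, so a deny that clears after a cache purge points at the cached user or access entry rather than at GPO evaluation.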
SSSD attempting to renew ticket with forest domain controller, not nearest
by Jay McCanta
Having trouble on an Ubuntu 16.04 (Xenial) box with sssd 1.13.4-1ubuntu1.12.
The backend goes offline and authentications fail. We have debug_level=9. We expect the server to be talking with one of three DCs in its site.
The forest DCs are behind a firewall for us. Any ideas on what may be the cause and the cure?
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_OUR.DOMAIN.COM], expired on [1554479058]
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1554443958
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: OURHOST$
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Decrypt integrity check failed)
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Decrypt integrity check failed)]
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called from: ../src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv: 2039
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ADSFDC01.Domain.com' as 'not working'
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'ADSFDC01.Domain.com' as 'not working'
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'ADSFDC01.Domain.com' as 'not working'
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [sdap_handle_release] (0x2000): Trace: sh[0x2ee3c10], connected[1], ops[(nil)], ldap[0x3012d40], destructor_lock[0], release_memory[0]
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [remove_connection_callback] (0x4000): Successfully removed connection callback.
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [be_mark_offline] (0x2000): Going offline!
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [be_mark_offline] (0x2000): Enable check_if_online_ptask.
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [be_ptask_enable] (0x0400): Task [Check if online (periodic)]: enabling task
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [be_ptask_schedule] (0x0400): Task [Check if online (periodic)]: scheduling task 62 seconds from now [1554443120]
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
Config:
[sssd]
config_file_version = 2
domains = our.domain.com
services = nss, pam, pac
debug_level = 9
reconnection_retries = 3
[pac]
[nss]
debug_level = 9
[pam]
debug_level = 9
[domain/our.domain.com]
debug_level = 9
id_provider = ad
auth_provider = ad
ad_site=SITE
access_provider = ad
ldap_id_mapping = False
ad_gpo_access_control = permissive
ad_access_filter=DOM:our.domain.com:(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(memberOf:1.2.840.113556.1.4.1941:=CN=SEC-Linux_Admins,OU=Security,OU=Groups,dc=our,dc=domain,dc=com)(memberOf:1.2.840.113556.1.4.1941:=CN=SEC-NOC_Linux_Admins,OU=Security,OU=Groups,dc=our,dc=domain,dc=com)(memberOf:1.2.840.113556.1.4.1941:=CN=SEC-SOS_Linux_Access,OU=Security,OU=Groups,dc=our,dc=domain,dc=com)(memberOf:1.2.840.113556.1.4.1941:=CN=SRV-ourhost_LocalAdmins,OU=Local Servers,OU=Groups,dc=our,dc=domain,dc=com)))
Jay McCanta | Principal Systems Administrator
D +1 (206) 272-7998 M +1-206-434-1080
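The log above shows one failure chain: the GSSAPI bind to the DC fails with "Decrypt integrity check failed", the failover code marks that server's port 389 as not working, and the backend goes offline. When a host is expected to stay within its site, the useful first check is which server actually failed and whether it is one of the site's DCs. The script below is an added example, not code from the post or from the SSSD project: it reads a debug_level=9 backend log and reports exactly that. The log lines it runs on are a constructed excerpt of the post's log, and the expected-DC names passed to the function are hypothetical placeholders for the three in-site DCs the poster mentions.

```shell
#!/bin/sh
# Added example (not from the original post): triage an sssd backend log for
# the GSSAPI-bind -> port-not-working -> offline chain. Sample lines below are
# a constructed excerpt of the posted log.

SAMPLE_LOG=$(cat <<'EOF'
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: OURHOST$
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Decrypt integrity check failed)
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Decrypt integrity check failed)]
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'ADSFDC01.Domain.com' as 'not working'
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'ADSFDC01.Domain.com' as 'not working'
(Fri Apr 5 05:44:18 2019) [sssd[be[our.domain.com]]] [be_mark_offline] (0x2000): Going offline!
EOF
)

# sssd_log_triage "dc1,dc2,dc3" < logfile
# Prints a summary line (GSSAPI error count, whether the backend went offline),
# then one line per server the failover code marked, with in_site=yes|no
# depending on whether it appears in the comma-separated expected list.
# Hostnames are compared case-insensitively, as AD names are.
sssd_log_triage() {
    awk -v expected="$1" -v q="'" '
        BEGIN {
            n = split(expected, e, ",")
            for (i = 1; i <= n; i++) ok[tolower(e[i])] = 1
            srvs = 0
        }
        /GSSAPI Error/   { gss++ }
        /Going offline!/ { offline = 1 }
        # Only "of server" lines; the "of duplicate server" repeats add nothing new.
        /Marking port [0-9]+ of server / {
            split($0, p, q)                 # p[2] = server name, p[4] = status text
            match($0, /port [0-9]+/)
            port = substr($0, RSTART + 5, RLENGTH - 5)
            if (!(p[2] in seen)) { order[++srvs] = p[2]; seen[p[2]] = 1 }
            status[p[2]] = p[4]
            ports[p[2]] = port
        }
        END {
            printf "gssapi_errors=%d offline=%s\n", gss + 0, (offline ? "yes" : "no")
            for (i = 1; i <= srvs; i++) {
                s = order[i]
                printf "server=%s port=%s status=%s in_site=%s\n", s, ports[s], status[s], ((tolower(s) in ok) ? "yes" : "no")
            }
        }'
}

printf '%s\n' "$SAMPLE_LOG" | sssd_log_triage "dc1.our.domain.com,dc2.our.domain.com,dc3.our.domain.com"
```

On a live host run it as `sssd_log_triage "dc1,dc2,dc3" < /var/log/sssd/sssd_our.domain.com.log`. An in_site=no line confirms the backend was bound to a DC outside the site when it failed; the "Decrypt integrity check failed" part means that DC could not decrypt the host's service ticket, which is a key-mismatch class of error, so comparing the kvno in /etc/krb5.keytab with the computer account's msDS-KeyVersionNumber on both the in-site and the forest DCs is the natural next check.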
getent group <ad-group-name> empty output - no members shown
by Hans Schou
Hi
"getent group <name>" does not give any output at all.
However "getent passwd" looks correctly up in the AD:
$ getent passwd zmir2
zmir2:*:2956636:100:Hans Schou:/home/zmir2:/bin/bash
$ grep -c ^zmir2 /etc/passwd
0
nsswitch looks fine:
$ egrep "^(group|passwd)" /etc/nsswitch.conf
passwd: files sss
group: files sss
SSO is working fine with both ssh and samba share.
$ realm list
foo.org
type: kerberos
realm-name: FOO.ORG
domain-name: foo.org
configured: kerberos-member
server-software: active-directory
client-software: winbind
required-package: oddjob-mkhomedir
required-package: oddjob
required-package: samba-winbind-clients
required-package: samba-winbind
required-package: samba-common-tools
login-formats: %U
login-policy: allow-any-login
foo.org
type: kerberos
realm-name: FOO.ORG
domain-name: foo.org
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U
login-policy: allow-realm-logins
# cat /etc/sssd/sssd.conf
[sssd]
domains = foo.org
config_file_version = 2
services = nss, pam
[domain/foo.org]
ad_domain = foo.org
krb5_realm = FOO.ORG
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
All on Red Hat 7.6.
The goal is to use an AD group in a samba share, but it obviously does not look up groups in the AD, only specific users.
--
Kind regards - best regards
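The posted config has ldap_id_mapping = False, so SSSD takes uidNumber and gidNumber from the AD objects themselves instead of generating them from the SID; a group that carries no gidNumber is then simply not returned by getent group, even though users with POSIX attributes resolve fine. The script below is an added example, not code from the post or from the SSSD project: it scans an LDIF export of AD objects and reports which group entries lack a gidNumber. The LDIF it runs on is constructed for illustration (hypothetical group and user names under a foo.org base). Separately, the realm list output above shows the machine configured with both client-software: winbind and client-software: sssd, which is worth reconciling before reading the lookup results as an SSSD problem.

```shell
#!/bin/sh
# Added example (not from the original post): find AD groups without POSIX
# gidNumber, which are invisible to getent when ldap_id_mapping = False.
# The LDIF below is constructed sample data, not an export from the poster's AD.

SAMPLE_LDIF=$(cat <<'EOF'
dn: CN=linux-share,OU=Groups,DC=foo,DC=org
objectClass: top
objectClass: group
cn: linux-share
gidNumber: 20001
member: CN=zmir2,OU=Users,DC=foo,DC=org
member: CN=alice,OU=Users,DC=foo,DC=org

dn: CN=samba-share,OU=Groups,DC=foo,DC=org
objectClass: top
objectClass: group
cn: samba-share
member: CN=zmir2,OU=Users,DC=foo,DC=org

dn: CN=zmir2,OU=Users,DC=foo,DC=org
objectClass: top
objectClass: user
cn: zmir2
uidNumber: 2956636
gidNumber: 100
EOF
)

# ldif_group_summary < ldif
# One line per objectClass=group entry: its cn, its gidNumber (or MISSING),
# and how many member attributes it carries. Non-group entries are skipped.
ldif_group_summary() {
    awk '
        function flush() {
            if (dn != "" && isgroup)
                printf "group=%s gid=%s members=%d\n", cn, (gid == "" ? "MISSING" : gid), members
            dn = ""; cn = ""; gid = ""; isgroup = 0; members = 0
        }
        /^dn: /                 { flush(); dn = substr($0, 5); next }
        /^cn: /                 { cn = substr($0, 5) }
        /^objectClass: group$/  { isgroup = 1 }
        /^gidNumber: /          { gid = substr($0, 12) }
        /^member: /             { members++ }
        /^$/                    { flush() }
        END                     { flush() }'
}

# ldif_groups_missing_gid < ldif -> just the cn of each group without gidNumber
ldif_groups_missing_gid() {
    ldif_group_summary | sed -n 's/^group=\([^ ]*\) gid=MISSING.*/\1/p'
}

printf '%s\n' "$SAMPLE_LDIF" | ldif_group_summary
```

Feed it a real export (for example the LDIF that ldapsearch prints for the group OU) and any group listed as gid=MISSING needs a gidNumber assigned in AD before getent group, and therefore the samba share's group check, can see it.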