On Mon, Jan 30, 2017 at 02:39:04PM -0500, Justin Stephenson wrote:
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]]
[sdap_get_initgr_next_base]
(0x0400): Searching for users with base [DC=abc,DC=com]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_print_server] (0x2000):
Searching x.x.161.251
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with
[(&(sAMAccountName=018843)(objectclass=user)(objectSID=*))][DC=abc,DC=com].
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [objectClass]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [sAMAccountName]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [unixUserPassword]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [uidNumber]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [gidNumber]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [gecos]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [unixHomeDirectory]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [loginShell]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [userPrincipalName]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [name]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [memberOf]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [objectGUID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [objectSID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [primaryGroupID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [whenChanged]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [uSNChanged]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [accountExpires]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step]
(0x1000): Requesting attrs: [userAccountControl]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step]
(0x2000): ldap_search_ext called, msgid = 5
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_op_add] (0x2000): New
operation 5 timeout 6
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_process_result]
(0x2000): Trace: sh[0x7fa8ee618840], connected[1], ops[0x7fa8ee60d3a0],
ldap[0x7fa8ee61a020]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_entry] (0x1000):
OriginalDN: [CN=Sonia G,OU=Employees,OU=User Accounts,DC=abc,DC=com].
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000):
No sub-attributes for [objectClass]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000):
No sub-attributes for [whenChanged]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000):
No sub-attributes for [memberOf]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000):
No sub-attributes for [uSNChanged]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000):
No sub-attributes for [name]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000):
No sub-attributes for [objectGUID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000):
No sub-attributes for [userAccountControl]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000):
No sub-attributes for [primaryGroupID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000):
No sub-attributes for [objectSid]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000):
No sub-attributes for [sAMAccountName]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000):
No sub-attributes for [userPrincipalName]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_process_result]
(0x2000): Trace: sh[0x7fa8ee618840], connected[1], ops[0x7fa8ee60d3a0],
ldap[0x7fa8ee61a020]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_entry] (0x1000):
OriginalDN: [CN=Sonia G,OU=Employees,OU=User Accounts,DC=a,DC=abc,DC=com].
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000):
No sub-attributes for [objectClass]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000):
No sub-attributes for [whenChanged]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000):
No sub-attributes for [memberOf]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000):
No sub-attributes for [uSNChanged]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000):
No sub-attributes for [name]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000):
No sub-attributes for [objectGUID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000):
No sub-attributes for [userAccountControl]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000):
No sub-attributes for [primaryGroupID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000):
No sub-attributes for [objectSid]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000):
No sub-attributes for [sAMAccountName]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000):
No sub-attributes for [userPrincipalName]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_process_result]
(0x2000): Trace: sh[0x7fa8ee618840], connected[1], ops[0x7fa8ee60d3a0],
ldap[0x7fa8ee61a020]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_op_destructor]
(0x2000): Operation 5 finished
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_initgr_user]
(0x0040): Expected one user entry and got 2
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_initgr_user]
(0x0040): No matching DN found.
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sbus_add_timeout] (0x2000):
0x7fa8ef626070
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_process_result]
(0x2000): Trace: sh[0x7fa8ee618840], connected[1], ops[(nil)],
ldap[0x7fa8ee61a020]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sbus_remove_timeout]
(0x2000): 0x7fa8ef626070
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [acctinfo_callback] (0x0100):
Request processed. Returned 3,22,Init group lookup failed

This also looks like a problem, a search with sAMAccountName=018843 is
returning two objects but then matching to an expected base DN fails:

CN=Sonia G,OU=Employees,OU=User Accounts,DC=a,DC=abc,DC=com
and
CN=Sonia G,OU=Employees,OU=User Accounts,DC=abc,DC=com

Ah, I think this is the root cause. And it might explain why we saw
preauthentication failed, perhaps the password was just sent to a wrong
account.

What sssd version are you running? This bug sounds a bit like
https://bugzilla.redhat.com/show_bug.cgi?id=1293168
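
Added example (not part of the original mail and not SSSD code): a small Python triage script that re-joins the mail-wrapped backend log lines, ties each "Expected one user entry and got N" error to the preceding LDAP search filter, and lists the DNs and the domains they belong to. The function names are hypothetical, the sample is built from lines quoted above, and it assumes the backend log is sequential, so entries logged after a search belong to that search.

```python
import re
# Constructed sample: lines copied from the log quoted in this thread, wrapped as mailed.
SAMPLE_LOG = """\
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step]
(0x0400): calling ldap_search_ext with
[(&(sAMAccountName=018843)(objectclass=user)(objectSID=*))][DC=abc,DC=com].
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_entry] (0x1000):
OriginalDN: [CN=Sonia G,OU=Employees,OU=User Accounts,DC=abc,DC=com].
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_entry] (0x1000):
OriginalDN: [CN=Sonia G,OU=Employees,OU=User Accounts,DC=a,DC=abc,DC=com].
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_initgr_user]
(0x0040): Expected one user entry and got 2
"""

START = re.compile(r"^\(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}\) \[sssd")
RECORD = re.compile(r"^\(([^)]+)\) \[sssd\[be\[[^\]]+\]\]\] \[\w+\] \(0x[0-9a-f]+\): (.*)$")
SEARCH = re.compile(r"calling ldap_search_ext with \[(.+)\]\[([^\]]+)\]\.?$")
ORIG_DN = re.compile(r"OriginalDN: \[(.+)\]\.?$")
AMBIG = re.compile(r"Expected one user entry and got (\d+)")
DC = re.compile(r"(?:^|,)\s*DC=([^,]+)", re.I)

def records(text):
    """Re-join mail-wrapped lines into one record per timestamped entry."""
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if START.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def dn_domain(dn):
    return ".".join(DC.findall(dn)).lower()  # naive: ignores escaped commas in RDNs

def find_ambiguous_lookups(text):
    """Assumption: DNs logged after a search belong to that search (single backend log)."""
    findings, search, dns = [], None, []
    for rec in records(text):
        if not (m := RECORD.match(rec)):
            continue
        ts, msg = m.groups()
        if (s := SEARCH.search(msg)):
            search, dns = s.groups(), []
        elif (d := ORIG_DN.search(msg)):
            dns.append(d.group(1))
        elif (a := AMBIG.search(msg)) and search:
            findings.append({"time": ts, "filter": search[0], "base": search[1], "count": int(a.group(1)),
                             "dns": list(dns), "domains": sorted({dn_domain(x) for x in dns})})
    return findings
```

More than one entry in `domains` for a single finding means the same sAMAccountName resolved to accounts in different domains under the one search base, which is the situation described in this thread.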