On Wed, Jun 24, 2015 at 05:55:28PM +0000, Carl Pettersson (EXT BN) wrote:
Hi, we're getting this referral-related error in our sssd installation. Some environment information:
- CentOS 6.6 clients, sssd v1.11.6
- Windows 2012R2 domain controllers, 2008R2 functional level, single domain forest. Let's call it ad.example.com.
- We have one-way trusts to several other domains/forests, a.foo.com, b.bar.com and c.baz.com
We've joined the clients with adcli, and we can successfully authenticate with accounts from the ad.example.com domain. It is also possible to kinit myuser@A.FOO.COM
but this fails: getent passwd myuser@a.foo.com
Looking at the logs (after setting debug_level=8), I can see this error message:
(Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: sh[0xda3140], connected[1], ops[0xda1480], ldap[0xda3720]
(Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points ref 1: 'a.foo.com'
(Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points ref 1: 'a.foo.com'
(Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
(Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(There's also a row slightly after, "[ad_account_info_complete] (0x0010): Bug: dp_error is OK on failed request", unclear if this is related, or actually a separate bug)
I first interpreted this as indicating that I needed to allow referral chasing, but when I turn that on (via ldap_referrals = true), aside from taking much longer, it still errors:
No, it's a bug in SSSD.
6.6 is already quite old in SSSD terms, could you please try a newer version from this COPR repo? https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12/
1.12.5 is more-or-less equivalent to what 6.7 will include.
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: sh[0xe4b9b0], connected[1], ops[0xe4c540], ldap[0xe50a40]
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://a.foo.com/dc=a,dc=foo,dc=com] with fd [25].
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_rebind_proc] (0x0020): ldap_sasl_interactive_bind_s failed (-2)[Local error]
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_rebind_proc] (0x1000): Failed to bind to [ldap://a.foo.com/dc=a,dc=foo,dc=com].
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points ref 1: 'a.foo.com'
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points ref 1: 'a.foo.com'
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
I also suspected networking issues for a while, but a Windows client on the same subnet can authenticate fine (we only do subnet filtering in our firewalls).
Here are my configuration files:

sssd.conf:

    [sssd]
    services = nss, pam, ssh, autofs
    config_file_version = 2
    domains = AD.EXAMPLE.COM

    [nss]
    override_homedir = /home/%d/%u
    override_shell = /bin/bash

    [domain/AD.EXAMPLE.COM]
    debug_level = 8
    id_provider = ad
    use_fully_qualified_names = TRUE

krb5.conf:

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = AD.EXAMPLE.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

    # I found documentation indicating that these should be commented out while troubleshooting
    # Commenting in/out does not seem to affect the problem, however.
    [realms]
    # AD.EXAMPLE.COM = {
    #  kdc = ad102.ad.example.com
    #  kdc = ad201.ad.example.com
    #  admin_server = ad201.ad.example.com
    # }

    [domain_realm]
    # .ad.example.com = AD.EXAMPLE.COM
    # ad.example.com = AD.EXAMPLE.COM
What have we done wrong?
Best regards, Carl
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
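An added example, not from the thread or the SSSD project, that parses the sssd_<domain>.log entries quoted above (tolerating several entries run together on one line, as in the quoted excerpt) and reports each referral the back end rejected at failure level, together with the preceding SASL bind failure seen when ldap_referrals = true. The helper names parse_entries and referral_failures are my own.

```python
import re
from dataclasses import dataclass

# Log lines copied from the thread (the ldap_referrals = true run); several entries sit on one line.
SAMPLE = """(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: sh[0xe4b9b0], connected[1], ops[0xe4c540], ldap[0xe50a40]
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://a.foo.com/dc=a,dc=foo,dc=com] with fd [25]. (Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_rebind_proc] (0x0020): ldap_sasl_interactive_bind_s failed (-2)[Local error] (Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_rebind_proc] (0x1000): Failed to bind to [ldap://a.foo.com/dc=a,dc=foo,dc=com]. (Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points ref 1: 'a.foo.com'
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points ref 1: 'a.foo.com'
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error (Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
"""

# One sssd debug entry: "(timestamp) [sssd[be[DOMAIN]]] [function] (0xLEVEL): message".
TS = r"[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}"
ENTRY_RE = re.compile(
    rf"\((?P<ts>{TS})\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] \[(?P<func>[^\]]+)\] "
    rf"\((?P<level>0x[0-9a-fA-F]{{4}})\): (?P<msg>.*?)(?=\({TS}\) \[sssd\[|\Z)", re.S)
REFERRAL_RE = re.compile(r"Referral\(10\), (?P<code>[0-9A-Fa-f]{8}): RefErr: DSID-[0-9A-Fa-f]+, "
                         r"data \d+, \d+ access points ref \d+: '(?P<target>[^']+)'")
BIND_FAIL_RE = re.compile(r"ldap_sasl_interactive_bind_s failed \((?P<rc>-?\d+)\)\[(?P<err>[^\]]+)\]")

@dataclass
class Entry:
    ts: str
    domain: str
    func: str
    level: int   # debug level bitmask; the quoted "Unexpected result" line is logged at 0x0040
    msg: str

def parse_entries(text):
    """Split a log into entries, even where several share one physical line."""
    return [Entry(m["ts"], m["domain"], m["func"], int(m["level"], 16), m["msg"].strip())
            for m in ENTRY_RE.finditer(text)]

def referral_failures(entries):
    """Each referral logged at level 0x0040, with the referred-to domain, the AD error
    code, and the most recent SASL bind failure (None when no referral chasing was tried)."""
    findings, last_bind_error = [], None
    for e in entries:
        b = BIND_FAIL_RE.search(e.msg)
        if b:
            last_bind_error = f"{b['err']} ({b['rc']})"
        r = REFERRAL_RE.search(e.msg)
        if r and e.level == 0x0040:
            findings.append({"domain": e.domain, "target": r["target"],
                             "code": r["code"], "bind_error": last_bind_error})
    return findings

if __name__ == "__main__":
    for f in referral_failures(parse_entries(SAMPLE)):
        print(f"{f['domain']}: referral to {f['target']} (AD {f['code']}), bind: {f['bind_error']}")
```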