Can't open the bug. I get the following error.
"You are not authorized to access bug #1293168.
Most likely the bug has been restricted for internal development processes and we cannot
grant access.
If you are a Red Hat customer with an active subscription, please visit the Red Hat
Customer Portal for assistance with your issue
If you are a Fedora Project user and require assistance, please consider using one of the
mailing lists we host for the Fedora Project."
Update on current situation:
Removed it from the realm but now it will not rejoin. Removed two-factor for the server
in AD but still will not accept administrator's password. Suspect that some firewall
rules were removed. Had FW engineer check and he saw 389 blocked. Put in a request for
ports TCP 53, 389, 3268 and UDP 389, 138, 123, 53, 88, and 137 from centos server to AD
server. Waiting for him to implement the rules and will try again.
[root@PHXRASPCI01 ~]# realm join -v -U domainadmin(a)abc.com abc.com
* Resolving: _ldap._tcp.abc.com
* Performing LDAP DSE lookup on: x.x.161.252
* Performing LDAP DSE lookup on: x.x.161.251
* Successfully discovered: abc.com
Password for domainadmin(a)abc.com:
* Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
* LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.WENPUY -U domainadmin(a)abc.com ads join abc.com
Enter domainadmin(a)abc.com's password:kerberos_kinit_password domainadmin(a)ABC.COM failed: KDC policy rejects request
Failed to join domain: failed to connect to AD: KDC policy rejects request
! Joining the domain abc.com failed
realm: Couldn't join realm: Joining the domain abc.com failed
Sonia
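Before retrying the join once the firewall engineer has applied the rules, it is worth confirming from the CentOS host that the requested ports are actually reachable. The script below is an added example (my own, not from this thread, realmd or SSSD): it tests the TCP ports listed above with a plain connect and probes UDP 53 by sending the same `_ldap._tcp.abc.com` SRV query that realm resolves first. It assumes the DC address is passed to `report()`; the remaining UDP ports (88, 123, 137, 138, 389) need a protocol-specific exchange and are not covered.

```python
import socket
import struct

# Ports from the firewall request above; only TCP can be verified by a plain connect.
TCP_PORTS = {53: "DNS", 389: "LDAP", 3268: "Global Catalog"}
SRV_NAME = "_ldap._tcp.abc.com"  # the SRV record realm resolves first

def check_tcp_ports(host, ports, connect=socket.create_connection, timeout=3.0):
    """Map each port to True if a TCP connect succeeds; `connect` is injectable for tests."""
    results = {}
    for port in ports:
        try:
            sock = connect((host, port), timeout)
        except OSError:
            results[port] = False
        else:
            sock.close()
            results[port] = True
    return results

def build_srv_query(name, txn_id=0x1234):
    """Hand-built DNS query: header with RD set, one question, QTYPE SRV (33), class IN (1)."""
    header = struct.pack(">HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 33, 1)

def answer_count(reply, txn_id=0x1234):
    """Answer RR count from a DNS reply, or None if it is not a response to our query."""
    if len(reply) < 12:
        return None
    tid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", reply[:12])
    if tid != txn_id or not flags & 0x8000:  # QR bit marks a response
        return None
    return an

def probe_udp_dns(host, name=SRV_NAME, timeout=3.0):
    """Send the SRV query to UDP 53 on `host`; None means no usable reply came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_srv_query(name), (host, 53))
            reply, _ = s.recvfrom(4096)
        except OSError:
            return None
    return answer_count(reply)

def report(dc):
    """Print one line per check; `dc` is the AD DC address (an argument, not hard-coded)."""
    for port, ok in check_tcp_ports(dc, TCP_PORTS).items():
        print(f"TCP {port:<5} {TCP_PORTS[port]:<15} {'open' if ok else 'BLOCKED'}")
    print(f"UDP 53 SRV {SRV_NAME}: answers={probe_udp_dns(dc)}")
```

A zero or None answer count on UDP 53 with TCP 53 open usually means the UDP rule is still missing, which is what the `Resolving:` step of realm depends on.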
-----Original Message-----
From: Jakub Hrozek [mailto:jhrozek@redhat.com]
Sent: Tuesday, January 31, 2017 10:12 PM
To: sssd-users(a)lists.fedorahosted.org
Subject: [SSSD-users] Re: account not authenticating in child domain
On Mon, Jan 30, 2017 at 02:39:04PM -0500, Justin Stephenson wrote:
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [DC=abc,DC=com]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_print_server] (0x2000): Searching x.x.161.251
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=018843)(objectclass=user)(objectSID=*))][DC=abc,DC=com].
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 5
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_op_add] (0x2000): New operation 5 timeout 6
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7fa8ee618840], connected[1], ops[0x7fa8ee60d3a0], ldap[0x7fa8ee61a020]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=Sonia G,OU=Employees,OU=User Accounts,DC=abc,DC=com].
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [whenChanged]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [name]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectGUID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [userAccountControl]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [primaryGroupID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectSid]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [userPrincipalName]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7fa8ee618840], connected[1], ops[0x7fa8ee60d3a0], ldap[0x7fa8ee61a020]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=Sonia G,OU=Employees,OU=User Accounts,DC=a,DC=abc,DC=com].
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [whenChanged]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [name]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectGUID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [userAccountControl]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [primaryGroupID]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectSid]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [userPrincipalName]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7fa8ee618840], connected[1], ops[0x7fa8ee60d3a0], ldap[0x7fa8ee61a020]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_op_destructor] (0x2000): Operation 5 finished
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_initgr_user] (0x0040): Expected one user entry and got 2
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_initgr_user] (0x0040): No matching DN found.
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sbus_add_timeout] (0x2000): 0x7fa8ef626070
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7fa8ee618840], connected[1], ops[(nil)], ldap[0x7fa8ee61a020]
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sbus_remove_timeout] (0x2000): 0x7fa8ef626070
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,22,Init group lookup failed
This also looks like a problem, a search with sAMAccountName=018843 is
returning two objects but then matching to an expected base DN fails:
CN=Sonia G,OU=Employees,OU=User Accounts,DC=a,DC=abc,DC=com
and
CN=Sonia G,OU=Employees,OU=User Accounts,DC=abc,DC=com
Ah, I think this is the root cause. And it might explain why we saw preauthentication
failed, perhaps the password was just sent to a wrong account.
What sssd version are you running? This bug sounds a bit like
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla...
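A small triage script for the failure Justin's log shows, added here as an example and not code from this thread or from SSSD: it reads sssd domain-log lines, pairs each `ldap_search_ext` call with the `OriginalDN` entries it produced, and whenever SSSD reports `Expected one user entry and got N` groups those DNs by the domain their DC= components spell out. The embedded sample log is constructed from the excerpt above, one entry per line.

```python
import re

# Constructed sample in the layout of the sssd domain log quoted above
# (same function names and DNs as the excerpt, one entry per line).
SAMPLE_LOG = """\
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=018843)(objectclass=user)(objectSID=*))][DC=abc,DC=com].
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=Sonia G,OU=Employees,OU=User Accounts,DC=abc,DC=com].
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=Sonia G,OU=Employees,OU=User Accounts,DC=a,DC=abc,DC=com].
(Fri Jan 27 15:53:36 2017) [sssd[be[abc.com]]] [sdap_get_initgr_user] (0x0040): Expected one user entry and got 2
"""

SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>[^\]]*)\]\[(?P<base>[^\]]*)\]")
DN_RE = re.compile(r"OriginalDN: \[(?P<dn>[^\]]+)\]")
MULTI_RE = re.compile(r"Expected one user entry and got (?P<n>\d+)")

def domain_of(dn):
    """DNS domain name spelled out by the DC= components of a DN, in order."""
    return ".".join(m.group(1) for m in re.finditer(r"DC=([^,]+)", dn, re.IGNORECASE))

def find_ambiguous_lookups(log_text):
    """Return one (filter, base, {domain: [dn, ...]}) per lookup that returned >1 entry."""
    findings = []
    search_filter = base = None
    dns = []
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            search_filter, base, dns = m["filter"], m["base"], []
            continue
        m = DN_RE.search(line)
        if m:
            dns.append(m["dn"])
            continue
        m = MULTI_RE.search(line)
        if m and int(m["n"]) > 1:
            by_domain = {}
            for dn in dns:
                by_domain.setdefault(domain_of(dn), []).append(dn)
            findings.append((search_filter, base, by_domain))
    return findings

def describe(finding):
    """One-line summary naming the filter and every domain that matched it."""
    search_filter, base, by_domain = finding
    total = sum(len(v) for v in by_domain.values())
    return f"{search_filter} under {base} matched {total} entries in: {', '.join(sorted(by_domain))}"
```

A sAMAccountName is only guaranteed unique within a single domain, so a lookup that spans a parent and its child domain can legitimately return one object per domain; making that visible is the quickest way to confirm which account the password was actually sent to.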