It is "ad_hostname=VICTORIA$(a)NAT.C.SDU.DK" - this is my mail editor starting
with a capital letter after "." ;(
I joined the domain (again, again...) from scratch.
ad_hostname = VICTORIA$NAT.C.SDU.DK
I have the following principal names bound to computer victoria.nat.sdu.dk:
root@victoria:/var/log/sssd# ldapsearch -E pr=1000/noprompt -H ldap://nat.c.sdu.dk -Y GSSAPI -b 'ou=Linux computers,ou=ADResources,dc=nat,dc=c,dc=sdu,dc=dk' '(&(objectClass=computer)(name=victoria))'
....
# VICTORIA, Linux computers, ADResources, nat.c.sdu.dk
dn: CN=VICTORIA,OU=Linux computers,OU=ADResources,DC=nat,DC=c,DC=sdu,DC=dk
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: VICTORIA
distinguishedName: CN=VICTORIA,OU=Linux computers,OU=ADResources,DC=nat,DC=c,DC=sdu,DC=dk
...
name: VICTORIA
...
sAMAccountName: VICTORIA$
sAMAccountType: 805306369
dNSHostName: victoria.nat.c.sdu.dk
userPrincipalName: victoria.nat.sdu.dk(a)NAT.C.SDU.DK
servicePrincipalName: host/victoria.nat.c.sdu.dk
...
I can kinit as admin aduser.
I can kinit as principal VICTORIA$ and VICTORIA$NAT.C.SDU.DK
I can, as local root, get info on computer 'victoria' and AD user 'imadatestuser':
ldapsearch -E pr=1000/noprompt -H ldap://nat.c.sdu.dk -Y GSSAPI -b 'ou=Linux computers,ou=ADResources,dc=nat,dc=c,dc=sdu,dc=dk' '(&(objectClass=computer)(name=victoria))'
root@victoria:/var/log/sssd# ldapsearch -E pr=1000/noprompt -H ldap://nat.c.sdu.dk -Y GSSAPI -b 'ou=ADusers,dc=nat,dc=c,dc=sdu,dc=dk' '(&(objectClass=person)(sAMAccountName=imadatestuser))'
I can kinit imadatestuser
BUT login as imadatestuser and ' getent passwd imadatestuser' doesn't work -
still the same error on "port 0"
What is "port 0" ???
ldap_child.log
(Fri Nov 9 11:50:07 2012) [[sssd[ldap_child[4438]]]] [unpack_buffer] (0x1000): total buffer size: 37
(Fri Nov 9 11:50:07 2012) [[sssd[ldap_child[4438]]]] [unpack_buffer] (0x1000): realm_str size: 12
(Fri Nov 9 11:50:07 2012) [[sssd[ldap_child[4438]]]] [unpack_buffer] (0x1000): got realm_str: NAT.C.SDU.DK
(Fri Nov 9 11:50:07 2012) [[sssd[ldap_child[4438]]]] [unpack_buffer] (0x1000): princ_str size: 9
(Fri Nov 9 11:50:07 2012) [[sssd[ldap_child[4438]]]] [unpack_buffer] (0x1000): got princ_str: VICTORIA$
(Fri Nov 9 11:50:07 2012) [[sssd[ldap_child[4438]]]] [unpack_buffer] (0x1000): keytab_name size: 0
(Fri Nov 9 11:50:07 2012) [[sssd[ldap_child[4438]]]] [unpack_buffer] (0x1000): lifetime: 86400
(Fri Nov 9 11:50:07 2012) [[sssd[ldap_child[4438]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [VICTORIA$(a)NAT.C.SDU.DK]
(Fri Nov 9 11:50:07 2012) [[sssd[ldap_child[4438]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Fri Nov 9 11:50:07 2012) [[sssd[ldap_child[4438]]]] [pack_buffer] (0x1000): result [0] krberr [0] msgsize [40] msg [FILE:/var/lib/sss/db/ccache_NAT.C.SDU.DK]
(Fri Nov 9 11:51:39 2012) [[sssd[ldap_child[4441]]]] [unpack_buffer] (0x1000): total buffer size: 37
(Fri Nov 9 11:51:39 2012) [[sssd[ldap_child[4441]]]] [unpack_buffer] (0x1000): realm_str size: 12
(Fri Nov 9 11:51:39 2012) [[sssd[ldap_child[4441]]]] [unpack_buffer] (0x1000): got realm_str: NAT.C.SDU.DK
(Fri Nov 9 11:51:39 2012) [[sssd[ldap_child[4441]]]] [unpack_buffer] (0x1000): princ_str size: 9
(Fri Nov 9 11:51:39 2012) [[sssd[ldap_child[4441]]]] [unpack_buffer] (0x1000): got princ_str: VICTORIA$
(Fri Nov 9 11:51:39 2012) [[sssd[ldap_child[4441]]]] [unpack_buffer] (0x1000): keytab_name size: 0
(Fri Nov 9 11:51:39 2012) [[sssd[ldap_child[4441]]]] [unpack_buffer] (0x1000): lifetime: 86400
(Fri Nov 9 11:51:39 2012) [[sssd[ldap_child[4441]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [VICTORIA$(a)NAT.C.SDU.DK]
(Fri Nov 9 11:51:39 2012) [[sssd[ldap_child[4441]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
(Fri Nov 9 11:51:39 2012) [[sssd[ldap_child[4441]]]] [pack_buffer] (0x1000): result [0] krberr [0] msgsize [40] msg [FILE:/var/lib/sss/db/ccache_NAT.C.SDU.DK]
......
sssd_nat.c.sdu.dk.log
.....
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=imadatestuser]
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast reply - offline
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [get_server_status] (0x1000): Status of server 'nat.c.sdu.dk' is 'name resolved'
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [get_port_status] (0x1000): Port status of port 0 for server 'nat.c.sdu.dk' is 'not working'
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [get_port_status] (0x0100): Reseting the status of port 0 for server 'nat.c.sdu.dk'
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [get_server_status] (0x1000): Status of server 'nat.c.sdu.dk' is 'name resolved'
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_process] (0x0200): Found address for server nat.c.sdu.dk: [10.144.5.17] TTL 271
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://nat.c.sdu.dk'
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://nat.c.sdu.dk:389/??base] with fd [22].
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts]
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl]
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension]
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures]
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedLDAPVersion]
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedSASLMechanisms]
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [domainControllerFunctionality]
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [defaultNamingContext]
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [highestCommittedUSN]
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4]
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service AD
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [get_server_status] (0x1000): Status of server 'nat.c.sdu.dk' is 'name resolved'
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [get_server_status] (0x1000): Status of server 'nat.c.sdu.dk' is 'name resolved'
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_process] (0x0200): Found address for server nat.c.sdu.dk: [10.144.5.17] TTL 271
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [create_tgt_req_send_buffer] (0x1000): buffer size: 37
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [child_sig_handler] (0x1000): Waiting for child [4471].
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [child_sig_handler] (0x0100): child [4471] finished successfully.
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: VICTORIA$
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'nat.c.sdu.dk' as 'not working'
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [get_server_status] (0x1000): Status of server 'nat.c.sdu.dk' is 'name resolved'
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [get_port_status] (0x1000): Port status of port 0 for server 'nat.c.sdu.dk' is 'not working'
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Fri Nov 9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.NAT.C.SDU.DK], [2][No such file or directory]
Longina
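The two logs above can be read mechanically: this is an added example, not code from the thread or from SSSD, that parses the 1.9-era debug line layout, pairs every "Marking port ... as 'not working'" event with the SASL bind attempted just before it, and lists the principals ldap_child used for its TGT requests. The sample lines are constructed on the page's format (with a plain "@" in the principal) rather than copied from the posted logs.

```python
import re

# SSSD debug line layout as quoted in the thread:
# "(<timestamp>) [<component>] [<function>] (<level>): <message>"
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[(?P<comp>.+?)\] \[(?P<func>\w+)\] "
                     r"\((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
BIND_RE = re.compile(r"Executing sasl bind mech: (?P<mech>\w+), user: (?P<user>\S+)")
PORT_RE = re.compile(r"Marking port (?P<port>\d+) of server '(?P<server>[^']+)' as 'not working'")
PRINC_RE = re.compile(r"Principal name is: \[(?P<princ>[^\]]+)\]")

# Constructed sample input modelled on the domain and ldap_child logs (not the real files).
SAMPLE_DOMAIN_LOG = """\
(Fri Nov  9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...
(Fri Nov  9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: VICTORIA$
(Fri Nov  9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'nat.c.sdu.dk' as 'not working'
(Fri Nov  9 12:07:00 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
"""
SAMPLE_CHILD_LOG = """\
(Fri Nov  9 11:50:07 2012) [[sssd[ldap_child[4438]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [VICTORIA$@NAT.C.SDU.DK]
(Fri Nov  9 11:50:07 2012) [[sssd[ldap_child[4438]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
"""

def parse_line(line):
    """Split one debug line into its fields; None for continuation or elision lines ("....")."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_failed_binds(lines):
    """Pair each 'port ... not working' event with the SASL bind that immediately preceded it."""
    last_bind, failures = None, []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["func"] == "sasl_bind_send" and (m := BIND_RE.search(rec["msg"])):
            last_bind = {"time": rec["ts"], **m.groupdict()}
        elif rec["func"] == "fo_set_port_status" and (m := PORT_RE.search(rec["msg"])):
            failures.append({"time": rec["ts"], "server": m["server"],
                             "port": int(m["port"]), "bind": last_bind})
            last_bind = None  # a later failure must be matched to its own bind attempt
    return failures

def ldap_child_principals(lines):
    """Principals ldap_child used for its TGT requests, in order of appearance."""
    recs = (parse_line(l) for l in lines)
    return [m["princ"] for r in recs if r and r["func"] == "ldap_child_get_tgt_sync"
            and (m := PRINC_RE.search(r["msg"]))]
```

Run against the real /var/log/sssd files, a bind user that differs from the ldap_child principal, or a failure with no preceding bind at all, points at the keytab/principal side rather than at network reachability.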
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek
Sent: 8. november 2012 18:41
To: sssd-users(a)lists.fedorahosted.org
Subject: Re: [SSSD-users] startup problem/port status 0
On Thu, Nov 08, 2012 at 03:38:47PM +0000, Longina Przybyszewska wrote:
In /etc/sssd/sssd.conf
......
Ad_hostname = VICTORIA$(a)NAT.C.SDU.DK
......
It should be "ad_hostname" (note the capital A) and it's only useful for
specifying the machine hostname in case the output of the hostname command wouldn't
reflect the real host name.
Does it work if you set:
ad_hostname = VICTORIA$
krb5_realm = NAT.C.SDU.DK
(VICTORIA$(a)NAT.C.SDU.DK was the one that worked for you, right?)
If it doesn't, can you raise debugging in the domain section, restart the sssd, try
again and look for lines that mention "ldap_child"? You would see the principal
used there.
It is obviously confusing about principal names...
Longina
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub
Hrozek
Sent: 8. november 2012 10:54
To: sssd-users(a)lists.fedorahosted.org
Subject: Re: [SSSD-users] startup problem/port status 0
On Tue, Nov 06, 2012 at 02:16:26PM +0000, Longina Przybyszewska wrote:
> Hi again,
> Thanks a lot for guiding me so far :)
>
> I have got sssd-1.9.2 package from Timo, Ubuntu sssd package maintainer for Ubuntu
Quantal.
>
> SSSD is configured against AD as auth/id - provider
>
> sssd.conf
>
> [sssd]
> debug_level = 0x1310
> config_file_version = 2
> services = nss, pam
> domains = nat.c.sdu.dk
>
> [nss]
> filter_groups = root
> filter_users = root
>
> [pam]
>
> [domain/nat.c.sdu.dk]
>
> debug_level = 0x1310
>
> enumerate = False
> min_id = 1000
> max_id = 20000
>
> auth_provider = ad
> id_provider = ad
> access_provider = ad
> chpass_provider = ad
>
> ad_server = nat.c.sdu.dk
> ad_hostname = testina4$.nat.c.sdu.dk
> ad_domain = nat.c.sdu.dk
>
>
> From log:
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_process] (0x0200): Found address for server nat.c.sdu.dk: [10.144.5.18] TTL 455
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: testina4$
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'nat.c.sdu.dk' as 'not working'
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [get_server_status] (0x1000): Status of server 'nat.c.sdu.dk' is 'name resolved'
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [get_port_status] (0x1000): Port status of port 0 for server 'nat.c.sdu.dk' is 'not working'
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [acctinfo_callback] (0x0100): Request processed. Returned 1,11,Offline
> (Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.NAT.C.SDU.DK], [2][No such file or directory]
>
Not all the information is in the log; raising the debug_level might provide more
info, but I think the problem is in the kinit.
Can you kinit as the principal specified in the ad_hostname and then ldapsearch the
directory?
Are you sure about the principal in ad_hostname? I think it is typically HOST$@DOMAIN;
your principal doesn't contain the at-sign.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users