Hi,

We’re getting this referral-related error in our sssd installation. Some environment information:

* CentOS 6.6 clients, sssd v1.11.6
* Windows 2012R2 domain controllers, 2008R2 functional level, single domain forest. Let’s call it ad.example.com.
* We have one-way trusts to several other domains/forests: a.foo.com, b.bar.com and c.baz.com
We’ve joined the clients with adcli, and we can successfully authenticate with accounts from the ad.example.com domain. It is also possible to

kinit myuser@A.FOO.COM

but this fails:

getent passwd myuser@a.foo.com
Looking at the logs (after setting debug_level=8), I can see this error message:

(Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: sh[0xda3140], connected[1], ops[0xda1480], ldap[0xda3720]
(Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
        ref 1: 'a.foo.com'
(Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
        ref 1: 'a.foo.com'
(Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
(Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_users_done] (0x0040): Failed to retrieve users

(There’s also a row slightly after, “[ad_account_info_complete] (0x0010): Bug: dp_error is OK on failed request”; it is unclear whether this is related or actually a separate bug.)

 

I first interpreted this as indicating that I needed to allow referral chasing, but when I turn that on (via ldap_referrals = true), aside from taking much longer, it still errors:

(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: sh[0xe4b9b0], connected[1], ops[0xe4c540], ldap[0xe50a40]
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://a.foo.com/dc=a,dc=foo,dc=com] with fd [25].
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_rebind_proc] (0x0020): ldap_sasl_interactive_bind_s failed (-2)[Local error]
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_rebind_proc] (0x1000): Failed to bind to [ldap://a.foo.com/dc=a,dc=foo,dc=com].
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
        ref 1: 'a.foo.com'
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
        ref 1: 'a.foo.com'
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_users_done] (0x0040): Failed to retrieve users

 

I also suspected networking issues for a while, but a Windows client on the same subnet can authenticate fine (we only do subnet filtering in our firewalls).

 

Here are my configuration files:

sssd.conf:

[sssd]
services = nss, pam, ssh, autofs
config_file_version = 2
domains = AD.EXAMPLE.COM

[nss]
override_homedir = /home/%d/%u
override_shell = /bin/bash

[domain/AD.EXAMPLE.COM]
debug_level = 8
id_provider = ad
use_fully_qualified_names = TRUE

krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = AD.EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

# I found documentation indicating that these should be commented out while troubleshooting.
# Commenting in/out does not seem to affect the problem, however.
[realms]
# AD.EXAMPLE.COM = {
#  kdc = ad102.ad.example.com
#  kdc = ad201.ad.example.com
#  admin_server = ad201.ad.example.com
# }

[domain_realm]
# .ad.example.com = AD.EXAMPLE.COM
# ad.example.com = AD.EXAMPLE.COM

What have we done wrong?

Best regards,

Carl
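An added helper for reading traces like the ones in this post (it is not part of Carl's message or of sssd itself): it parses sssd debug lines into records, attaches the indented "ref N:" continuation lines to the Referral(10) result that produced them, and reports whether the trace shows a referral that was merely returned or one that sssd chased and then failed to bind to. The sample lines are constructed after the ones quoted above; the record layout and the string matches are my assumptions about the log format, not an sssd API.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the sssd debug lines quoted in the post.
SAMPLE_LOG = """\
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_rebind_proc] (0x0020): ldap_sasl_interactive_bind_s failed (-2)[Local error]
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
        ref 1: 'a.foo.com'
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
"""

# "(timestamp) [sssd[be[DOMAIN]]] [function] (0xLEVEL): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>sssd\[.*?\])\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
REF_RE = re.compile(r"ref \d+: '([^']+)'")


@dataclass
class Record:
    ts: str
    proc: str
    func: str
    level: int            # debug level as an integer (0x0400 -> 1024)
    msg: str
    refs: list = field(default_factory=list)   # referral targets, if any


def parse_sssd_log(text):
    """Parse sssd debug output; indented lines continue the previous record."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(Record(m["ts"], m["proc"], m["func"],
                                  int(m["level"], 16), m["msg"]))
        elif records and line[:1].isspace():
            records[-1].msg += "\n" + line.strip()
            records[-1].refs.extend(REF_RE.findall(line))
    return records


def referral_targets(records):
    """Hosts the DC referred sssd to (LDAP result code 10), deduplicated."""
    return sorted({r for rec in records if "Referral(10)" in rec.msg for r in rec.refs})


def diagnose(records):
    """One-line summary of what the trace shows about the cross-domain lookup."""
    targets = referral_targets(records)
    bind_failed = any("bind_s failed" in r.msg for r in records)
    if not targets:
        return "no referral seen"
    if bind_failed:
        return "referral to %s chased, but SASL bind to it failed" % ", ".join(targets)
    return "referral to %s returned and not chased" % ", ".join(targets)
```

Feed it the whole sssd_AD.EXAMPLE.COM.log: with ldap_referrals left off the first trace above yields "returned and not chased", while the second yields the bind-failure variant, which separates "referrals are disabled" from "the referred server rejected our credentials".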