Hi,
We’re getting this referral-related error in our sssd installation. Some environment information:
* CentOS 6.6 clients, sssd v1.11.6
* Windows 2012R2 domain controllers, 2008R2 functional level, single domain forest. Let’s call it ad.example.com.
* We have one-way trusts to several other domains/forests, a.foo.com, b.bar.com and c.baz.com
We’ve joined the clients with adcli, and we can successfully authenticate with accounts from the ad.example.com domain. It is also possible to
kinit myuser@A.FOO.COM
but this fails:
getent passwd myuser@a.foo.com
Looking at the logs (after setting debug_level=8), I can see this error message:
(Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: sh[0xda3140], connected[1], ops[0xda1480], ldap[0xda3720]
(Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
ref 1: 'a.foo.com'
(Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
ref 1: 'a.foo.com'
(Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
(Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(There’s also a row slightly after, “[ad_account_info_complete] (0x0010): Bug: dp_error is OK on failed request”, unclear if this is related, or actually a separate bug)
I first interpreted this as indicating that I needed to allow referral chasing, but when I turn that on (via ldap_referrals = true), aside from taking much longer, it still errors:
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: sh[0xe4b9b0], connected[1], ops[0xe4c540], ldap[0xe50a40]
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://a.foo.com/dc=a,dc=foo,dc=com] with fd [25].
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_rebind_proc] (0x0020): ldap_sasl_interactive_bind_s failed (-2)[Local error]
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_rebind_proc] (0x1000): Failed to bind to [ldap://a.foo.com/dc=a,dc=foo,dc=com].
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
ref 1: 'a.foo.com'
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
ref 1: 'a.foo.com'
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
I also suspected networking issues for a while, but a Windows client on the same subnet can authenticate fine (we only do subnet filtering in our firewalls).
Here are my configuration files:
sssd.conf:
[sssd]
services = nss, pam, ssh, autofs
config_file_version = 2
domains = AD.EXAMPLE.COM
[nss]
override_homedir = /home/%d/%u
override_shell = /bin/bash
[domain/AD.EXAMPLE.COM]
debug_level = 8
id_provider = ad
use_fully_qualified_names = TRUE
krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = AD.EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
# I found documentation indicating that these should be commented out while troubleshooting
# Commenting in/out does not seem to affect the problem, however.
[realms]
# AD.EXAMPLE.COM = {
# kdc = ad102.ad.example.com
# kdc = ad201.ad.example.com
# admin_server = ad201.ad.example.com
# }
[domain_realm]
# .ad.example.com = AD.EXAMPLE.COM
# ad.example.com = AD.EXAMPLE.COM
What have we done wrong?
Best regards,
Carl
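An added example that is not part of Carl's post or of sssd itself: a small Python diagnostic that parses sssd debug output in the shape shown above, pulls out every LDAP Referral(10) target, and classifies each one as served by a domain listed in sssd.conf, referred but not chased, or chased but failing at the SASL rebind (the second log excerpt). The regular expressions assume the `(timestamp) [sssd[be[DOMAIN]]] [function] (0xLEVEL): message` line layout and the `ref N: '...'` continuation lines seen in the post; the sample log lines and sssd.conf are constructed from the post's values, and the status labels `configured`, `not_chased` and `bind_failed` are this example's own.

```python
import re
import configparser
from urllib.parse import urlparse

# Log shape assumed from the post:
#   (timestamp) [sssd[be[DOMAIN]]] [function] (0xLEVEL): message
# followed, for referral results, by continuation lines "ref N: 'target'".
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
REF_RE = re.compile(r"^ref \d+: '(?P<target>[^']+)'$")
BIND_FAIL_RE = re.compile(r"Failed to bind to \[(?P<uri>[^\]]+)\]")


def parse_sssd_log(text):
    """Group log lines into events; 'ref N:' continuation lines attach to the preceding event."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["refs"] = []
            events.append(ev)
            continue
        r = REF_RE.match(line.strip())
        if r and events:
            events[-1]["refs"].append(r.group("target"))
    return events


def referral_targets(events):
    """Distinct (lower-cased) targets named by Referral(10) results, in order of first appearance."""
    targets = []
    for ev in events:
        if "Referral(10)" in ev["msg"]:
            for t in ev["refs"]:
                if t.lower() not in targets:
                    targets.append(t.lower())
    return targets


def failed_bind_hosts(events):
    """Hosts of the LDAP URIs sssd tried to rebind to while chasing a referral and failed."""
    hosts = []
    for ev in events:
        m = BIND_FAIL_RE.search(ev["msg"])
        if m:
            host = (urlparse(m.group("uri")).hostname or "").lower()
            if host and host not in hosts:
                hosts.append(host)
    return hosts


def configured_domains(sssd_conf_text):
    """Lower-cased names from 'domains =' in the [sssd] section of an sssd.conf."""
    # interpolation=None: the %d/%u in override_homedir must not be treated as format strings
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    raw = cp.get("sssd", "domains", fallback="")
    return [d.strip().lower() for d in raw.split(",") if d.strip()]


def diagnose(log_text, sssd_conf_text):
    """Return (target, status) per referral target: configured, bind_failed or not_chased."""
    events = parse_sssd_log(log_text)
    known = configured_domains(sssd_conf_text)
    bind_failed = failed_bind_hosts(events)
    findings = []
    for target in referral_targets(events):
        if target in known:
            status = "configured"
        elif target in bind_failed:
            status = "bind_failed"
        else:
            status = "not_chased"
        findings.append((target, status))
    return findings


# Constructed samples modelled on the post (ldap_referrals off, then on).
SAMPLE_LOG_NOT_CHASED = """\
(Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
ref 1: 'a.foo.com'
(Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
"""
SAMPLE_LOG_CHASED = """\
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://a.foo.com/dc=a,dc=foo,dc=com] with fd [25].
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_rebind_proc] (0x0020): ldap_sasl_interactive_bind_s failed (-2)[Local error]
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_rebind_proc] (0x1000): Failed to bind to [ldap://a.foo.com/dc=a,dc=foo,dc=com].
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
ref 1: 'a.foo.com'
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
"""
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh, autofs
config_file_version = 2
domains = AD.EXAMPLE.COM

[nss]
override_homedir = /home/%d/%u
override_shell = /bin/bash

[domain/AD.EXAMPLE.COM]
debug_level = 8
id_provider = ad
use_fully_qualified_names = TRUE
"""

if __name__ == "__main__":
    for name, log in (("referrals off", SAMPLE_LOG_NOT_CHASED), ("referrals on", SAMPLE_LOG_CHASED)):
        for target, status in diagnose(log, SAMPLE_SSSD_CONF):
            print(f"{name}: referral to {target}: {status}")
```

Run against a real `sssd_AD.EXAMPLE.COM.log` captured at debug_level 8, the output separates the two situations in the post: a `not_chased` target means the AD backend returned the referral and stopped, while `bind_failed` means chasing was attempted and the rebind to the trusted domain's LDAP server failed, which points at the Kerberos/SASL step rather than at the referral itself.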