On Tue, Nov 13, 2012 at 12:44:45PM +0000, Longina Przybyszewska wrote:
Hi,
I am trying sssd-1.9.2 on Ubuntu Quantal with the ad provider.
So far I can log in to the desktop with an AD identity;
login hangs a bit because of an unknown group.
What is the best practice to resolve the group (set up PrimaryGroupId, run idmap?)
Sorry, I don't quite understand this problem... are you seeing a
particular group GID not being converted from SID?
Or are you seeing failures due to the SSSD attempting to convert any of the
"local" groups such as "Domain Users"?
The option 'default_shell = /bin/bash' in sssd.conf
doesn't seem to have any effect.
I would expect it to be visible in the user's info:
Into which section in the SSSD did you put the default_shell option? In
1.9.2 it was only supported in the [nss] section, we changed the option
to also take effect in the domain section during 1.9.3 development.
getent passwd imadatestuser
imadatestuser:*:332410389:332400513:IMADAtest Testesen:/home/imadatestuser:
In pam.d/common-session I added an entry for the case of a nonexistent homedir reference, and
shell, so the
AD user can log in.
Do your users have any home directory at all? Could you maybe use the
fallback_homedir or override_homedir directives?
There are a lot of messages in sssd_nat.c.sdu.dk about searching
principal info for lightdm in AD.
Is it correct? Shouldn't sssd be aware that lightdm is a local service?
.....................
(Tue Nov 13 10:29:29 2012) [sssd[be[nat.c.sdu.dk]]] [sbus_message_handler] (0x4000):
Received SBUS method [pamHandler]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [be_pam_handler] (0x0100): Got
request with the following data
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [pam_print_data] (0x0100): command:
PAM_OPEN_SESSION
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [pam_print_data] (0x0100): domain:
nat.c.sdu.dk
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [pam_print_data] (0x0100): user:
imadatestuser
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [pam_print_data] (0x0100): service:
lightdm
^^^^^^^^
This is OK, I guess that lightdm is your display manager and there would
be a file such as /etc/pam.d/lightdm on your system? These messages are
just telling that a PAM session was opened for a user who was logging in
using the lightdm service.
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [pam_print_data]
(0x0100): tty: :0
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [pam_print_data] (0x0100): ruser:
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [pam_print_data] (0x0100): rhost:
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [pam_print_data] (0x0100): authtok
type: 0
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [pam_print_data] (0x0100): authtok
size: 0
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [pam_print_data] (0x0100): newauthtok
type: 0
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [pam_print_data] (0x0100): newauthtok
size: 0
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [pam_print_data] (0x0100): priv: 1
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [pam_print_data] (0x0100): cli_pid:
2564
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [be_pam_handler] (0x0100): Sending
result [0][nat.c.sdu.dk]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sbus_dispatch] (0x4000): dbus conn:
7063D0
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sbus_dispatch] (0x4000):
Dispatching.
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sbus_message_handler] (0x4000):
Received SBUS method [getDomains]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [be_get_subdomains] (0x2000):
Undefined backend target.
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sbus_dispatch] (0x4000): dbus conn:
7063D0
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sbus_dispatch] (0x4000):
Dispatching.
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sbus_message_handler] (0x4000):
Received SBUS method [getAccountInfo]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [be_get_account_info] (0x0100): Got
request for [4099][1][name=lightdm]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_id_op_connect_step] (0x4000):
reusing cached connection
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_initgr_send] (0x4000):
Retrieving info for initgroups call
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_initgr_next_base] (0x0400):
Searching for users with base [ou=ADUsers,dc=nat,dc=c,dc=sdu,dc=dk]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x0400):
calling ldap_search_ext with
[(&(sAMAccountName=lightdm)(objectclass=person))][ou=ADUsers,dc=nat,dc=c,dc=sdu,dc=dk].^
^^^^^^^^^^^^^^
This looks like some application called getpwnam("lightdm"). You can
"blacklist" users that are known to be local using the filter_users and
filter_groups options.
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [sAMAccountName]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [unixUserPassword]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [uidNumber]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [gidNumber]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [gecos]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [unixHomeDirectory]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [loginShell]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [userPrincipalName]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [name]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [memberOf]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [objectGUID]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [objectSID]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [primaryGroupID]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [whenChanged]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [uSNChanged]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [accountExpires]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x1000):
Requesting attrs: [userAccountControl]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x2000):
ldap_search_ext called, msgid = 13
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_process_result] (0x2000):
Trace: sh[0x6e8e00], connected[1], ops[0x76c190], ldap[0x713300]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_process_message] (0x4000):
Message type: [LDAP_RES_SEARCH_RESULT]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_done] (0x0400):
Search result: Success(0), no errmsg set
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_initgr_user] (0x4000):
Receiving info for the user
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_id_op_done] (0x4000): releasing
operation connection
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [ldb] (0x4000): tevent: Added timed
event "ltdb_callback": 0x7555e0
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [ldb] (0x4000): tevent: Destroying
timer event 0x6f8740 "ltdb_timeout"
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [ldb] (0x4000): tevent: Ending timer
event 0x6f4c60 "ltdb_callback"
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sysdb_search_groups] (0x2000): No
such entry
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sysdb_delete_user] (0x0400): Error:
2 (No such file or directory)
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [acctinfo_callback] (0x0100): Request
processed. Returned 0,0,Success
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_process_result] (0x2000):
Trace: sh[0x6e8e00], connected[1], ops[(nil)], ldap[0x713300]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_process_result] (0x2000):
Trace: ldap_result found nothing!
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sbus_dispatch] (0x4000): dbus conn:
707F80
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sbus_dispatch] (0x4000):
Dispatching.
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sbus_message_handler] (0x4000):
Received SBUS method [getAccountInfo]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [be_get_account_info] (0x0100): Got
request for [3][1][name=lightdm]
^^^^^^^^
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_id_op_connect_step] (0x4000):
reusing cached connection
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_initgr_send] (0x4000):
Retrieving info for initgroups call
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_initgr_next_base] (0x0400):
Searching for users with base [ou=ADUsers,dc=nat,dc=c,dc=sdu,dc=dk]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x0400):
calling ldap_search_ext with
[(&(sAMAccountName=lightdm)(objectclass=person))][ou=ADUsers,dc=nat,dc=c,dc=sdu,dc=dk].
......
I can also see a lot of messages:
...
(Tue Nov 13 13:10:33 2012) [sssd[be[nat.c.sdu.dk]]] [sbus_message_handler] (0x4000):
Received SBUS method [getDomains]
(Tue Nov 13 13:10:33 2012) [sssd[be[nat.c.sdu.dk]]] [be_get_subdomains] (0x2000):
Undefined backend target.
(Tue Nov 13 13:10:33 2012) [sssd[be[nat.c.sdu.dk]]] [sbus_dispatch] (0x4000): dbus conn:
EA75B0
(Tue Nov 13 13:10:33 2012) [sssd[be[nat.c.sdu.dk]]] [sbus_dispatch] (0x4000):
Dispatching.
(Tue Nov 13 13:10:33 2012) [sssd[be[nat.c.sdu.dk]]] [sbus_message_handler] (0x4000):
Received SBUS method [getDomains]
(Tue Nov 13 13:10:33 2012) [sssd[be[nat.c.sdu.dk]]] [be_get_subdomains] (0x2000):
Undefined backend target.
I think these confusing DEBUG messages have been fixed in 1.9.3 as well.
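An added example (not from this thread or from SSSD itself) for the filter_users suggestion above: it scans data-provider debug lines like the ones quoted for lookups of names that also exist in the local passwd file and proposes a filter_users value for the [nss] section. The log lines and passwd entries are constructed from the quoted output; the "messagebus" entry and the imadatestuser lookup are hypothetical.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the page's sssd_nat.c.sdu.dk debug lines re-joined onto
# single lines (the mail wrapped them), plus one lookup for a real AD user.
SAMPLE_LOG = """\
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=lightdm]
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=lightdm)(objectclass=person))][ou=ADUsers,dc=nat,dc=c,dc=sdu,dc=dk].
(Tue Nov 13 10:29:30 2012) [sssd[be[nat.c.sdu.dk]]] [be_get_account_info] (0x0100): Got request for [3][1][name=lightdm]
(Tue Nov 13 10:29:31 2012) [sssd[be[nat.c.sdu.dk]]] [be_get_account_info] (0x0100): Got request for [3][1][name=imadatestuser]
"""

# Constructed stand-in for the Ubuntu host's /etc/passwd (hypothetical entries).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
lightdm:x:104:111:Light Display Manager:/var/lib/lightdm:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
"""

# Matches the data-provider line that marks a lookup being forwarded to the backend (AD).
REQUEST_RE = re.compile(r"\[be_get_account_info\] \(0x[0-9a-f]+\): Got request for \[(\d+)\]\[\d+\]\[name=([^\]]+)\]")


def local_users(passwd_text: str) -> Set[str]:
    """Account names defined in passwd(5) content: these are local, never AD."""
    return {ln.split(":", 1)[0] for ln in passwd_text.splitlines()
            if ln and not ln.startswith("#")}


def backend_lookups(log_text: str) -> List[Tuple[int, str]]:
    """(numeric request type as logged, user name) for every backend lookup."""
    hits = (REQUEST_RE.search(ln) for ln in log_text.splitlines())
    return [(int(m.group(1)), m.group(2)) for m in hits if m]


def local_names_sent_to_ad(log_text: str, passwd_text: str) -> Dict[str, int]:
    """Local names that SSSD still searched in AD, with how often each was seen."""
    local = local_users(passwd_text)
    counts: Dict[str, int] = {}
    for _, name in backend_lookups(log_text):
        if name in local:
            counts[name] = counts.get(name, 0) + 1
    return counts


def suggested_filter_users(counts: Dict[str, int]) -> str:
    """Value for filter_users in [nss]; 'root' (SSSD's default) stays in because setting the option replaces the default list."""
    return ",".join(["root"] + sorted(n for n in counts if n != "root"))


print("filter_users =", suggested_filter_users(local_names_sent_to_ad(SAMPLE_LOG, SAMPLE_PASSWD)))
```

Run it against a real sssd_<domain>.log and /etc/passwd to see which local service accounts are generating AD searches before adding them to filter_users.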