On 1/31/2018 12:21 PM, TomK wrote:
On 1/31/2018 9:41 AM, Jakub Hrozek wrote:
> See inline..
>
> On Wed, Jan 31, 2018 at 03:23:57AM -0500, TomK wrote:
>> On 1/31/2018 3:18 AM, TomK via FreeIPA-users wrote:
>> My bad, did not include sssd-users earlier. :(
>>
>>> Hey All,
>>>
>>> I'm wondering if anyone came across this error below. We have two RHEL
>>> 7.4 servers with SSSD 1.15.2: http-srv01 and http-srv02
>>>
>>> Both connect to the same AD DC host below:
>>> addc-srv03.addom.com.
>>> Verified krb5.conf and sssd.conf both are identical. We can login on
>>> the http-srv01 and can list all groups for an AD account.
>>>
>>> On http-srv02 we cannot login and any group listing from the CLI result
>>> only in the user's local groups. No AD groups.
>>>
>>> Logs give us the output below. Short of adding in the entire log which
>>> I might not be able to do till the end of the week, what could we look
>>> at to resolve this?
>>>
>>> There's very little available online on this error. The RH solution
>>> doesn't make sense since the first host connects and authenticates users
>>> just fine so it's definitely GC enabled.
>>>
>>
>>
>> --
>> Cheers,
>> Tom K.
>>
>> -------------------------------------------------------------------------------------
>>
>>
>> Living on earth is expensive, but it includes a free trip around the
>> sun.
>>
>>
>>
>> samba-libs-4.6.2-12.el7_4.x86_64
>> samba-client-libs-4.6.2-12.el7_4.x86_64
>> sssd-1.15.2-50.el7_4.6.x86_64
>> openldap-2.4.44-5.el7.x86_64
>> sssd-ldap-1.15.2-50.el7_4.6.x86_64
>> sssd-common-pac-1.15.2-50.el7_4.6.x86_64
>> samba-winbind-clients-4.6.2-12.el7_4.x86_64
>> samba-common-4.6.2-12.el7_4.noarch
>> sssd-client-1.15.2-50.el7_4.6.x86_64
>> sssd-proxy-1.15.2-50.el7_4.6.x86_64
>> samba-winbind-modules-4.6.2-12.el7_4.x86_64
>> python-sssdconfig-1.15.2-50.el7_4.6.noarch
>> sssd-ipa-1.15.2-50.el7_4.6.x86_64
>> samba-common-libs-4.6.2-12.el7_4.x86_64
>> sssd-krb5-common-1.15.2-50.el7_4.6.x86_64
>> samba-winbind-4.6.2-12.el7_4.x86_64
>> sssd-krb5-1.15.2-50.el7_4.6.x86_64
>> sssd-ad-1.15.2-50.el7_4.6.x86_64
>> sssd-common-1.15.2-50.el7_4.6.x86_64
>> samba-common-tools-4.6.2-12.el7_4.x86_64
>>
>>
>> (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [sbus_dispatch] (0x4000): dbus conn: 0x55b2e22e8700
>> (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [sbus_dispatch] (0x4000): Dispatching.
>> (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
>> (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
>> (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [dp_get_account_info_handler] (0x0200): Got request for [0x2][BE_REQ_GROUP][name=unix-admin-group@addom]
>> (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [dp_attach_req] (0x0400): DP Request [Account #4]: New request. Flags [0x0001].
>> (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [dp_attach_req] (0x0400): Number of active DP request: 1
>> (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [sss_domain_get_state] (0x1000): Domain ADDOM is Active
>> (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [sss_domain_get_state] (0x1000): Domain ADDOM is Active
>> (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [sdap_id_op_connect_step] (0x4000): beginning to connect
>> (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
>> (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [get_server_status] (0x1000): Status of server 'addc-srv03.addom.com' is 'working'
>> (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [get_port_status] (0x1000): Port status of port 0 for server 'addc-srv03.addom.com' is 'not working'
>
> What debug level are you running with? Is this the first occurrence of
> 'port not working' since sssd started?
It's debug_level = 9. There were 1002 occurrences since I restarted sssd
last night. If it's F/W, I'm not clear on the port this is referring to.
Also confirmed that port 3268 from both clients to the AD DC is blocked
in F/W. However then that raises the question why authentication works
on http-srv01 even though traffic to port 3268 is also getting denied
from that host.
>
>> (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [get_port_status] (0x0080): SSSD is unable to complete the full connection request, this internal status does not necessarily indicate network port issues.
>> (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD_GC'
>> (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [be_resolve_server_done] (0x1000): Server resolution failed: [5]: Input/output error
>> (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [sdap_id_op_connect_done] (0x0400): Failed to connect to server, but ignore mark offline is enabled.
>> (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [sdap_id_op_connect_done] (0x4000): notify error to op #1: 5 [Input/output error]
>> (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [dp_req_done] (0x0400): DP Request [Account #4]: Request handler finished [0]: Success
>> (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [_dp_req_recv] (0x0400): DP Request [Account #4]: Receiving request data.
>> (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #4]: Finished. Success.
>> (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [dp_req_reply_std] (0x1000): DP Request [Account #4]: Returning [Internal Error]: 3,5,Group lookup failed
>> (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:2::ADDOM:name=unix-admin-group@addom] from reply
>> _______________________________________________
>> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
>
--
Cheers,
Tom K.
-------------------------------------------------------------------------------------
Living on earth is expensive, but it includes a free trip around the sun.
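
One way to answer the "first occurrence?" question from the domain log itself, as an added example that is not part of the original thread: it re-joins SSSD debug entries that a mail client has quoted and hard-wrapped, then counts port statuses per failover service. It assumes a port status line belongs to the most recent "Trying to resolve service" entry; the last two sample entries are constructed.

```python
import re
from collections import Counter

# Sample: the first three entries are from the thread, mail-wrapped and quoted;
# the last two (service 'AD', port 389) are constructed for contrast.
SAMPLE = """\
>> (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [fo_resolve_service_send]
>> (0x0100): Trying to resolve service 'AD_GC'
>> (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [get_port_status] (0x1000):
>> Port status of port 0 for server 'addc-srv03.addom.com' is 'not
working'
>> (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [fo_resolve_service_send]
>> (0x0020): No available servers for service 'AD_GC'
>> (Tue Jan 30 19:00:02 2018) [sssd[be[ADDOM]]] [fo_resolve_service_send]
>> (0x0100): Trying to resolve service 'AD'
>> (Tue Jan 30 19:00:02 2018) [sssd[be[ADDOM]]] [get_port_status] (0x1000):
>> Port status of port 389 for server 'addc-srv03.addom.com' is 'working'
"""

START = re.compile(r"^\(\w{3} \w{3} +\d+ [\d:]{8} \d{4}\) \[sssd\[")
RESOLVE = re.compile(r"Trying to resolve service '([^']+)'")
PORT = re.compile(r"Port status of port (\d+) for server '([^']+)' is '([^']+)'")
NO_SERVERS = re.compile(r"No available servers for service '([^']+)'")

def entries(text):
    """Yield one string per log entry, undoing '>' quoting and hard wraps."""
    buf = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        if START.match(line) and buf:   # a timestamp starts the next entry
            yield " ".join(buf)
            buf = []
        if line:
            buf.append(line)
    if buf:
        yield " ".join(buf)

def summarize(text):
    """Count port statuses per failover service and exhausted services."""
    ports, exhausted, service = Counter(), Counter(), None
    for entry in entries(text):
        if m := RESOLVE.search(entry):
            service = m.group(1)        # later port lines belong to this service
        elif m := PORT.search(entry):
            ports[(service, m.group(2), int(m.group(1)), m.group(3))] += 1
        elif m := NO_SERVERS.search(entry):
            exhausted[m.group(1)] += 1
    return ports, exhausted

if __name__ == "__main__":
    for key, n in summarize(SAMPLE)[0].items():
        print(n, *key)
```

Running the same summary over the full domain log on both hosts shows whether only the AD_GC service is being marked "not working" or the AD service as well.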