6:03 p.m.
Hi,
I have what I believe is a minimal sssd.conf (running on CentOS 6.6)
that has previously worked fine without the line "ldap_id_mapping =
False".
I recently had to add rfc2307 attributes to AD (long story), and
therefore added the line "ldap_id_mapping = False" to my sssd.conf...
at which point sssd will now no longer start (it's fine if I remove
this line, but of course returns the wrong information).
Relevant log messages (obtained using 'sssd -i -d 0x03f0') might be these ones:
(Thu Jun 11 23:55:11 2015) [sssd[be[mydomain.my.tld]]]
[sdap_idmap_init] (0x0100): Initializing [1] domains for ID-mapping
(Thu Jun 11 23:55:11 2015) [sssd[be[mydomain.my.tld]]]
[sdap_idmap_add_domain] (0x0020): Could not add domain
[mydomain.my.tld] to the map: [11]
(Thu Jun 11 23:55:11 2015) [sssd[be[mydomain.my.tld]]]
[sdap_idmap_init] (0x0020): Could not add domain
[mydomain.my.tld][S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz][7091] to
ID map: [Input/output error]
(Thu Jun 11 23:55:11 2015) [sssd[be[mydomain.my.tld]]]
[load_backend_module] (0x0010): Error (5) in module (ad)
initialization (sssm_ad_id_init)!
(Thu Jun 11 23:55:11 2015) [sssd[be[mydomain.my.tld]]]
[be_process_init] (0x0010): fatal error initializing data providers
(Thu Jun 11 23:55:11 2015) [sssd[be[mydomain.my.tld]]] [main]
(0x0010): Could not initialize backend [5]
(Thu Jun 11 23:55:11 2015) [sssd] [mt_svc_exit_handler] (0x0040):
Child [mydomain.my.tld] exited with code [3]
(Thu Jun 11 23:55:11 2015) [sssd] [mt_svc_exit_handler] (0x0010):
Process [mydomain.my.tld], definitely stopped!
My sssd.conf is:
[sssd]
config_file_version = 2
domains = mydomain.my.tld
services = nss, pam
[domain/mydomain.my.tld]
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = False
What are the best troubleshooting steps I can take next?
Cheers,
Jonathan
--
"If we knew what it was we were doing, it would not be called
research, would it?"
- Albert Einstein
2:03 a.m.
On (12/06/15 00:03), Jonathan Hunter wrote:
Hi,
I have what I believe is a minimal sssd.conf (running on CentOS 6.6)
that has previously worked fine without the line "ldap_id_mapping =
False".
I recently had to add rfc2307 attributes to AD (long story), and
therefore added the line "ldap_id_mapping = False" to my sssd.conf...
at which point sssd will now no longer start (it's fine if I remove
this line, but of course returns the wrong information).
Relevant log messages (obtained using 'sssd -i -d 0x03f0') might be these ones:
(Thu Jun 11 23:55:11 2015) [sssd[be[mydomain.my.tld]]]
[sdap_idmap_init] (0x0100): Initializing [1] domains for ID-mapping
(Thu Jun 11 23:55:11 2015) [sssd[be[mydomain.my.tld]]]
[sdap_idmap_add_domain] (0x0020): Could not add domain
[mydomain.my.tld] to the map: [11]
(Thu Jun 11 23:55:11 2015) [sssd[be[mydomain.my.tld]]]
[sdap_idmap_init] (0x0020): Could not add domain
[mydomain.my.tld][S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz][7091] to
ID map: [Input/output error]
(Thu Jun 11 23:55:11 2015) [sssd[be[mydomain.my.tld]]]
[load_backend_module] (0x0010): Error (5) in module (ad)
initialization (sssm_ad_id_init)!
(Thu Jun 11 23:55:11 2015) [sssd[be[mydomain.my.tld]]]
[be_process_init] (0x0010): fatal error initializing data providers
(Thu Jun 11 23:55:11 2015) [sssd[be[mydomain.my.tld]]] [main]
(0x0010): Could not initialize backend [5]
(Thu Jun 11 23:55:11 2015) [sssd] [mt_svc_exit_handler] (0x0040):
Child [mydomain.my.tld] exited with code [3]
(Thu Jun 11 23:55:11 2015) [sssd] [mt_svc_exit_handler] (0x0010):
Process [mydomain.my.tld], definitely stopped!
My sssd.conf is:
[sssd]
config_file_version = 2
domains = mydomain.my.tld
services = nss, pam
[domain/mydomain.my.tld]
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = False
What are the best troubleshooting steps I can take next?
man sssd-ldap -> ID MAPPING -> 3rd paragraph says:
Please note that changing the ID mapping related configuration options
will cause user and group IDs to change. At the moment, SSSD does not
support changing IDs, so the SSSD database must be removed. Because
cached passwords are also stored in the database, removing the database
should only be performed while the authentication servers are
reachable, otherwise users might get locked out. In order to cache the
password, an authentication must be performed. It is not sufficient to
use sss_cache(8) to remove the database, rather the process consists
of:
· Making sure the remote servers are reachable
· Stopping the SSSD service
· Removing the database
· Starting the SSSD service
LS
6:53 a.m.
Thank you Lukas - appreciated.
For the benefit of the archives, this fixed it for me:
rm /var/lib/sss/db/*
Thanks!
Jonathan
On 12 June 2015 at 08:03, Lukas Slebodnik <lslebodn(a)redhat.com> wrote:
On (12/06/15 00:03), Jonathan Hunter wrote:
>Hi,
>
>I have what I believe is a minimal sssd.conf (running on CentOS 6.6)
>that has previously worked fine without the line "ldap_id_mapping =
>False".
>
>I recently had to add rfc2307 attributes to AD (long story), and
>therefore added the line "ldap_id_mapping = False" to my sssd.conf...
>at which point sssd will now no longer start (it's fine if I remove
>this line, but of course returns the wrong information).
>
>Relevant log messages (obtained using 'sssd -i -d 0x03f0') might be these
ones:
>
>(Thu Jun 11 23:55:11 2015) [sssd[be[mydomain.my.tld]]]
>[sdap_idmap_init] (0x0100): Initializing [1] domains for ID-mapping
>(Thu Jun 11 23:55:11 2015) [sssd[be[mydomain.my.tld]]]
>[sdap_idmap_add_domain] (0x0020): Could not add domain
>[mydomain.my.tld] to the map: [11]
>(Thu Jun 11 23:55:11 2015) [sssd[be[mydomain.my.tld]]]
>[sdap_idmap_init] (0x0020): Could not add domain
>[mydomain.my.tld][S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz][7091] to
>ID map: [Input/output error]
>(Thu Jun 11 23:55:11 2015) [sssd[be[mydomain.my.tld]]]
>[load_backend_module] (0x0010): Error (5) in module (ad)
>initialization (sssm_ad_id_init)!
>(Thu Jun 11 23:55:11 2015) [sssd[be[mydomain.my.tld]]]
>[be_process_init] (0x0010): fatal error initializing data providers
>(Thu Jun 11 23:55:11 2015) [sssd[be[mydomain.my.tld]]] [main]
>(0x0010): Could not initialize backend [5]
>(Thu Jun 11 23:55:11 2015) [sssd] [mt_svc_exit_handler] (0x0040):
>Child [mydomain.my.tld] exited with code [3]
>(Thu Jun 11 23:55:11 2015) [sssd] [mt_svc_exit_handler] (0x0010):
>Process [mydomain.my.tld], definitely stopped!
>
>My sssd.conf is:
>
>[sssd]
>config_file_version = 2
>domains = mydomain.my.tld
>services = nss, pam
>[domain/mydomain.my.tld]
>id_provider = ad
>auth_provider = ad
>access_provider = ad
>ldap_id_mapping = False
>
>What are the best troubleshooting steps I can take next?
>
man sssd-ldap -> ID MAPPING -> 3rd paragraph says:
Please note that changing the ID mapping related configuration options
will cause user and group IDs to change. At the moment, SSSD does not
support changing IDs, so the SSSD database must be removed. Because
cached passwords are also stored in the database, removing the database
should only be performed while the authentication servers are
reachable, otherwise users might get locked out. In order to cache the
password, an authentication must be performed. It is not sufficient to
use sss_cache(8) to remove the database, rather the process consists
of:
· Making sure the remote servers are reachable
· Stopping the SSSD service
· Removing the database
· Starting the SSSD service
LS
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
--
"If we knew what it was we were doing, it would not be called
research, would it?"
- Albert Einstein
3237
days inactive
3239
days old
sssd-users@lists.fedorahosted.org
2 comments
2 participants
participants (2)
-
Jonathan Hunter -
Lukas Slebodnik