I'm running Fedora 26
sssd --version
1.15.3
I am authenticating against an Active Directory domain that has POSIX
extensions enabled.
All my Ubuntu and CentOS machines are using PowerBroker or winbind to
authenticate to the domain.
I want to transition away from PowerBroker.
I tried using winbind to connect Fedora, but I end up with issues of it
not using the POSIX extensions from my Active Directory.
So I tried sssd out and see that users show correctly when I run the command
getent passwd <username>
When using winbind I had to use templates for the shell and home
directories, which I did not like.
This is not happening on my Ubuntu or CentOS servers with the same config.
Their config, if it helps, is as follows:
[global]
security = ads
realm = MIND.UNM.EDU
workgroup = MIND
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config MIND:backend = ad
idmap config MIND:schema_mode = rfc2307
idmap config MIND:range = 8000-9999999
winbind nss info = rfc2307
winbind use default domain = yes
# so that the users show up in getent
winbind enum users = yes
# so that the groups show up in getent
winbind enum groups = yes
restrict anonymous = 2
#added the following 2 for the Badlock updates that change the defaults
#to no longer work with my domain controllers
ldap server require strong auth = no
client ldap sasl wrapping = plain
Since that wasn't working, I uninstalled winbind and reinstalled sssd
(I had removed it while testing Samba, since I know they can
interfere).
I used realm to leave and rejoin the domain.
It looks like realm rewrote my smb.conf file as follows:
[global]
security = user
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config MIND:backend = ad
idmap config MIND:schema_mode = rfc2307
idmap config MIND:range = 8000-9999999
winbind nss info = rfc2307
winbind use default domain = yes
# so that the users show up in getent
winbind enum users = yes
# so that the groups show up in getent
winbind enum groups = yes
restrict anonymous = 2
#added the following 2 for the Badlock updates that change the defaults
#to no longer work with my domain controllers
ldap server require strong auth = no
client ldap sasl wrapping = plain
template homedir=/na/homes/%U
template shell=/bin/bash
My sssd.conf file looks like so:
[sssd]
domains = mind.unm.edu
config_file_version = 2
services = nss, pam
[domain/mind.unm.edu]
ad_domain = mind.unm.edu
krb5_realm = MIND.UNM.EDU
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
#ldap_id_mapping = True
ldap_id_mapping = False
#use_fully_qualified_names = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
#
debug = 3
I learned that with ldap_id_mapping = True I was getting funny UIDs, and
that interfered with my Isilon, which is using rfc2307 to our domain.
And I want to log in with <username>, not <domain>\\<username>, so I set
use_fully_qualified_names = False
While reading this:
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
under the section
Common AD provider issues -> A group my user is a member of doesn't
display in the id output:
"In case the group is not present in the id -G output at all, there is
something up with the initgroups part."
This is the case, but I'm not really sure where to go from here.
I set debug on the domain to 3, and my /var/log/sssd/sssd_<domainname>
looks as follows when I run id -G <user>
(in this case the user is jsadowski).
id -G <username> is only showing the primary group for any user I have tried.
...
(Tue Oct 31 09:16:10 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown]
(0x0010): SIGTERM: killing children
(Tue Oct 31 09:17:11 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown]
(0x0010): SIGTERM: killing children
(Tue Oct 31 09:17:39 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown]
(0x0010): SIGTERM: killing children
(Tue Oct 31 09:17:39 2017) [sssd[be[mind.unm.edu]]]
[get_access_filter] (0x0010): Warning: LDAP access rule 'filter' is
set, but no ldap_access_filter configured. All domain users will be
denied access.
(Tue Oct 31 09:18:16 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown]
(0x0010): SIGTERM: killing children
(Tue Oct 31 09:21:03 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown]
(0x0010): SIGTERM: killing children
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown]
(0x0010): SIGTERM: killing children
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [krb5_init_kdc]
(0x0010): Missing krb5_realm option!
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]]
[dp_module_run_constructor] (0x0010): Module [krb5] constructor failed
[22]: Invalid argument
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [dp_target_init]
(0x0010): Unable to load module krb5
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [be_process_init]
(0x0010): Unable to setup data provider [1432158209]: Internal Error
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [main] (0x0010):
Could not initialize backend [1432158209]
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [krb5_init_kdc]
(0x0010): Missing krb5_realm option!
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]]
[dp_module_run_constructor] (0x0010): Module [krb5] constructor failed
[22]: Invalid argument
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [dp_target_init]
(0x0010): Unable to load module krb5
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [be_process_init]
(0x0010): Unable to setup data provider [1432158209]: Internal Error
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [main] (0x0010):
Could not initialize backend [1432158209]
(Tue Oct 31 09:21:56 2017) [sssd[be[mind.unm.edu]]] [krb5_init_kdc]
(0x0010): Missing krb5_realm option!
(Tue Oct 31 09:21:56 2017) [sssd[be[mind.unm.edu]]]
[dp_module_run_constructor] (0x0010): Module [krb5] constructor failed
[22]: Invalid argument
(Tue Oct 31 09:21:56 2017) [sssd[be[mind.unm.edu]]] [dp_target_init]
(0x0010): Unable to load module krb5
(Tue Oct 31 09:21:56 2017) [sssd[be[mind.unm.edu]]] [be_process_init]
(0x0010): Unable to setup data provider [1432158209]: Internal Error
(Tue Oct 31 09:21:56 2017) [sssd[be[mind.unm.edu]]] [main] (0x0010):
Could not initialize backend [1432158209]
(Tue Oct 31 09:22:00 2017) [sssd[be[mind.unm.edu]]] [krb5_init_kdc]
(0x0010): Missing krb5_realm option!
(Tue Oct 31 09:22:00 2017) [sssd[be[mind.unm.edu]]]
[dp_module_run_constructor] (0x0010): Module [krb5] constructor failed
[22]: Invalid argument
(Tue Oct 31 09:22:00 2017) [sssd[be[mind.unm.edu]]] [dp_target_init]
(0x0010): Unable to load module krb5
(Tue Oct 31 09:22:00 2017) [sssd[be[mind.unm.edu]]] [be_process_init]
(0x0010): Unable to setup data provider [1432158209]: Internal Error
(Tue Oct 31 09:22:00 2017) [sssd[be[mind.unm.edu]]] [main] (0x0010):
Could not initialize backend [1432158209]
(Tue Oct 31 09:23:45 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown]
(0x0010): SIGTERM: killing children
(Tue Oct 31 09:26:03 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown]
(0x0010): SIGTERM: killing children
(Tue Oct 31 09:36:00 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown]
(0x0010): SIGTERM: killing children
...
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [ad_sasl_log]
(0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may
provide more information (Server not found in Kerberos database)
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [sasl_bind_send]
(0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [sasl_bind_send]
(0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure. Minor code may provide more
information (Server not found in Kerberos database)]
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]]
[sdap_cli_connect_recv] (0x0040): Unable to establish connection
[1432158226]: Authentication Failed
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [be_run_online_cb]
(0x0080): Going online. Running callbacks.
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [be_ptask_enable]
(0x0080): Task [Subdomains Refresh]: already enabled
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [be_ptask_enable]
(0x0080): Task [SUDO Smart Refresh]: already enabled
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [be_ptask_enable]
(0x0080): Task [SUDO Full Refresh]: already enabled
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [be_ptask_enable]
(0x0080): Task [AD machine account password renewal]: already enabled
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]]
[resolv_gethostbyname_done] (0x0040): querying hosts database failed
[5]: Input/output error
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]]
[nsupdate_get_addrs_done] (0x0040): Could not resolve address for this
machine, error [5]: Input/output error, resolver returned: [11]: Could
not contact DNS servers
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]]
[nsupdate_get_addrs_done] (0x0040): nsupdate_get_addrs_done failed:
[5]: [Input/output error]
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]]
[sdap_dyndns_dns_addrs_done] (0x0040): Could not receive list of
current addresses [5]: Input/output error
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]]
[ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [5]:
Input/output error
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]]
[ad_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [5]:
Input/output error
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [ad_sasl_log]
(0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may
provide more information (Server not found in Kerberos database)
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [sasl_bind_send]
(0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [sasl_bind_send]
(0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure. Minor code may provide more
information (Server not found in Kerberos database)]
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]]
[sdap_cli_connect_recv] (0x0040): Unable to establish connection
[1432158226]: Authentication Failed
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]]
[sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for
SID S-1-5-32-545
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]]
[sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for
SID S-1-5-32-544
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]]
[sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for
SID S-1-5-32-555
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]]
[sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for
SID S-1-5-32-551
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]]
[sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such
attribute](16)[attribute 'member': no matching attribute value while
deleting attribute on
'name=Administrators(a)mind.unm.edu,cn=groups,cn=mind.unm.edu,cn=sysdb']
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]]
[sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No
such attribute]
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]]
[sysdb_update_members_ex] (0x0020): Could not remove member
[jsadowski(a)mind.unm.edu] from group
[name=Administrators(a)mind.unm.edu,cn=groups,cn=mind.unm.edu,cn=sysdb].
Skipping
(Tue Oct 31 10:16:54 2017) [sssd[be[mind.unm.edu]]]
[sdap_sudo_load_sudoers_done] (0x0040): Received 0 sudo rules