I'm running Fedora 26, sssd --version 1.15.3.
I am authenticating against an Active Directory domain that has POSIX extensions enabled. All my Ubuntu and CentOS machines are using PowerBroker or winbind to authenticate to the domain. I want to transition away from PowerBroker. I tried using winbind to connect Fedora, but I end up with issues of it not using the POSIX extensions from my Active Directory. So I tried sssd out and see that users show correctly when I run the command getent passwd <username>. When using winbind I had to use template for the shell and home directories, which I did not like. This is not happening on my Ubuntu or CentOS servers with the same config. Their config, if it helps, is as follows:
[global]
security = ads
realm = MIND.UNM.EDU
workgroup = MIND
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config MIND:backend = ad
idmap config MIND:schema_mode = rfc2307
idmap config MIND:range = 8000-9999999
winbind nss info = rfc2307
winbind use default domain = yes
# so that the users show up in getent
winbind enum users = yes
# so that the groups show up in getent
winbind enum groups = yes
restrict anonymous = 2
# added the following 2 for the Badlock updates that change the defaults
# to no longer work with my domain controllers
ldap server require strong auth = no
client ldap sasl wrapping = plain
Since that wasn't working, I uninstalled winbind and reinstalled sssd (I had removed it while testing Samba, since I know they can interfere).
I used realm to leave and rejoin the domain.
It looks like realm rewrote my smb.conf file as such:
[global]
security = user
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config MIND:backend = ad
idmap config MIND:schema_mode = rfc2307
idmap config MIND:range = 8000-9999999
winbind nss info = rfc2307
winbind use default domain = yes
# so that the users show up in getent
winbind enum users = yes
# so that the groups show up in getent
winbind enum groups = yes
restrict anonymous = 2
# added the following 2 for the Badlock updates that change the defaults
# to no longer work with my domain controllers
ldap server require strong auth = no
client ldap sasl wrapping = plain
template homedir=/na/homes/%U
template shell=/bin/bash
My sssd.conf file looks like so:
[sssd]
domains = mind.unm.edu
config_file_version = 2
services = nss, pam

[domain/mind.unm.edu]
ad_domain = mind.unm.edu
krb5_realm = MIND.UNM.EDU
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
#ldap_id_mapping = True
ldap_id_mapping = False
#use_fully_qualified_names = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
# debug = 3
I learned that with ldap_id_mapping = True I was getting funny UIDs, and that interfered with my Isilon, which is using rfc2307 against our domain. And I want to log in with <username>, not <domain>\<username>, so I set use_fully_qualified_names = False.
While reading this https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
under the section Common AD provider issues -> A group my user is a member of doesn't display in the id output:
"In case the group is not present in the id -G output at all, there is something up with the initgroups part."
This is the case, but I'm not really sure where to go from here.
I set debug on the domain to 3, and my /var/log/sssd/sssd_<domainname> looks as follows when I run id -G <user>; in this case the user is jsadowski.
id -G <username> is only showing the primary group for any user I have tried.
...
(Tue Oct 31 09:16:10 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Tue Oct 31 09:17:11 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Tue Oct 31 09:17:39 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Tue Oct 31 09:17:39 2017) [sssd[be[mind.unm.edu]]] [get_access_filter] (0x0010): Warning: LDAP access rule 'filter' is set, but no ldap_access_filter configured. All domain users will be denied access.
(Tue Oct 31 09:18:16 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Tue Oct 31 09:21:03 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [krb5_init_kdc] (0x0010): Missing krb5_realm option!
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [dp_module_run_constructor] (0x0010): Module [krb5] constructor failed [22]: Invalid argument
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [dp_target_init] (0x0010): Unable to load module krb5
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [be_process_init] (0x0010): Unable to setup data provider [1432158209]: Internal Error
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [main] (0x0010): Could not initialize backend [1432158209]
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [krb5_init_kdc] (0x0010): Missing krb5_realm option!
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [dp_module_run_constructor] (0x0010): Module [krb5] constructor failed [22]: Invalid argument
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [dp_target_init] (0x0010): Unable to load module krb5
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [be_process_init] (0x0010): Unable to setup data provider [1432158209]: Internal Error
(Tue Oct 31 09:21:54 2017) [sssd[be[mind.unm.edu]]] [main] (0x0010): Could not initialize backend [1432158209]
(Tue Oct 31 09:21:56 2017) [sssd[be[mind.unm.edu]]] [krb5_init_kdc] (0x0010): Missing krb5_realm option!
(Tue Oct 31 09:21:56 2017) [sssd[be[mind.unm.edu]]] [dp_module_run_constructor] (0x0010): Module [krb5] constructor failed [22]: Invalid argument
(Tue Oct 31 09:21:56 2017) [sssd[be[mind.unm.edu]]] [dp_target_init] (0x0010): Unable to load module krb5
(Tue Oct 31 09:21:56 2017) [sssd[be[mind.unm.edu]]] [be_process_init] (0x0010): Unable to setup data provider [1432158209]: Internal Error
(Tue Oct 31 09:21:56 2017) [sssd[be[mind.unm.edu]]] [main] (0x0010): Could not initialize backend [1432158209]
(Tue Oct 31 09:22:00 2017) [sssd[be[mind.unm.edu]]] [krb5_init_kdc] (0x0010): Missing krb5_realm option!
(Tue Oct 31 09:22:00 2017) [sssd[be[mind.unm.edu]]] [dp_module_run_constructor] (0x0010): Module [krb5] constructor failed [22]: Invalid argument
(Tue Oct 31 09:22:00 2017) [sssd[be[mind.unm.edu]]] [dp_target_init] (0x0010): Unable to load module krb5
(Tue Oct 31 09:22:00 2017) [sssd[be[mind.unm.edu]]] [be_process_init] (0x0010): Unable to setup data provider [1432158209]: Internal Error
(Tue Oct 31 09:22:00 2017) [sssd[be[mind.unm.edu]]] [main] (0x0010): Could not initialize backend [1432158209]
(Tue Oct 31 09:23:45 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Tue Oct 31 09:26:03 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
(Tue Oct 31 09:36:00 2017) [sssd[be[mind.unm.edu]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
...
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158226]: Authentication Failed
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [be_ptask_enable] (0x0080): Task [Subdomains Refresh]: already enabled
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [be_ptask_enable] (0x0080): Task [SUDO Smart Refresh]: already enabled
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [be_ptask_enable] (0x0080): Task [SUDO Full Refresh]: already enabled
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [be_ptask_enable] (0x0080): Task [AD machine account password renewal]: already enabled
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [resolv_gethostbyname_done] (0x0040): querying hosts database failed [5]: Input/output error
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [nsupdate_get_addrs_done] (0x0040): Could not resolve address for this machine, error [5]: Input/output error, resolver returned: [11]: Could not contact DNS servers
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [nsupdate_get_addrs_done] (0x0040): nsupdate_get_addrs_done failed: [5]: [Input/output error]
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [sdap_dyndns_dns_addrs_done] (0x0040): Could not receive list of current addresses [5]: Input/output error
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [5]: Input/output error
(Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [ad_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [5]: Input/output error
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158226]: Authentication Failed
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-545
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-544
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-555
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [sdap_ad_tokengroups_get_posix_members] (0x0080): Domain not found for SID S-1-5-32-551
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such attribute](16)[attribute 'member': no matching attribute value while deleting attribute on 'name=Administrators@mind.unm.edu,cn=groups,cn=mind.unm.edu,cn=sysdb']
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such attribute]
(Tue Oct 31 10:16:51 2017) [sssd[be[mind.unm.edu]]] [sysdb_update_members_ex] (0x0020): Could not remove member [jsadowski@mind.unm.edu] from group [name=Administrators@mind.unm.edu,cn=groups,cn=mind.unm.edu,cn=sysdb]. Skipping
(Tue Oct 31 10:16:54 2017) [sssd[be[mind.unm.edu]]] [sdap_sudo_load_sudoers_done] (0x0040): Received 0 sudo rules
On Tue, Oct 31, 2017 at 10:57:23AM -0600, Jeff Sadowski wrote:
> (Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
> (Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
> (Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
I would recommend trying to test with the help of ldapsearch -Y GSSAPI, because it might be easier to take sssd out of the picture:
 - kinit -k 'shortname$@realm'
 - KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H ldap://your.dc.server -b ""
I would also recommend to check if the client's hostname matches how the client is registered to AD and that all names resolve back and forth.
Finally, I would check the domain_realm mappings in krb5.conf to make sure libkrb5 can infer the correct realm from the domain part of the host name.
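A way to check the last point offline, added here as an example and not part of the thread: the script below parses the [libdefaults] and [domain_realm] sections of a constructed krb5.conf (modelled on the thread's realm; the dc1 and oldbox hosts are made up), walks a host name the way libkrb5 does when picking a realm (full name first, then each parent domain with and without a leading dot, then default_realm), and builds the 'shortname$@realm' principal the suggested kinit -k needs. The walk is a simplification: DNS TXT lookups and realm_try_domains are left out.

```python
# Constructed sample krb5.conf, using the realm named in the thread above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = MIND.UNM.EDU
[realms]
    MIND.UNM.EDU = {
        kdc = dc1.mind.unm.edu
    }
[domain_realm]
    .mind.unm.edu = MIND.UNM.EDU
    mind.unm.edu = MIND.UNM.EDU
    oldbox.unm.edu = LEGACY.UNM.EDU
"""

def parse_krb5_conf(text):
    """Collect the flat 'tag = value' relations of each section. Brace-delimited
    sub-blocks (as under [realms]) are skipped; they are not needed here."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and current and "=" in line:
            tag, value = (s.strip() for s in line.split("=", 1))
            sections[current][tag.lower()] = value
    return sections

def realm_for_host(hostname, conf):
    """Approximate libkrb5's [domain_realm] walk: full host name first, then each
    parent domain with and without a leading dot, else default_realm.
    (DNS TXT lookups and realm_try_domains are deliberately not modelled.)"""
    mapping = conf.get("domain_realm", {})
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        for candidate in ([suffix] if i == 0 else ["." + suffix, suffix]):
            if candidate in mapping:
                return mapping[candidate]
    return conf.get("libdefaults", {}).get("default_realm")

def machine_principal(hostname, realm):
    """The principal 'kinit -k' needs from the host keytab: SHORTNAME$@REALM."""
    return hostname.split(".")[0].upper() + "$@" + realm
```

Feed it the real /etc/krb5.conf and the DC's FQDN to see which realm libkrb5 would pick before running the ldapsearch test; a result that is not the AD realm points at the domain_realm section.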
sssd-users@lists.fedorahosted.org