Hi,
Has anyone had any success while setting up SSSD with an RODC AD server? We are setting this up on CentOS 6.8 machines, but it doesn't seem to work.
Computer object is created and replicated to RODC. Verified that all configuration file parameters are identical to the ones mentioned in the link below. https://access.redhat.com/discussions/2838371
I assume we still have to join the server to the RODC? Is the joining process still the same as we do for a writable DC?
When using "net ads join" I get the following error:
Failed to join domain: Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)
In the logs, we also get the following (debug level set to 7):
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Will look for testdmzlin@X.Y.LOCAL in default keytab
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab] (0x0400): No principal matching testdmzlin@X.Y.LOCAL found in keytab.
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab] (0x0400): No principal matching TESTDMZLIN$@X.Y.LOCAL found in keytab.
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab] (0x0400): No principal matching host/testdmzlin@X.Y.LOCAL found in keytab.
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab] (0x0400): No principal matching *$@X.Y.LOCAL found in keytab.
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab] (0x0400): No principal matching host/*@X.Y.LOCAL found in keytab.
(Tue Feb 14 11:20:42 2017) [sssd[be[x.y.local]]] [find_principal_in_keytab] (0x0400): No principal matching host/*@(null) found in keytab.
But if I try to query this RODC using "ldapsearch", it works:
ldapsearch -H ldap://RODC_ServerName.x.y.local/ -Y GSSAPI -N -b "dc=x,dc=y,dc=local" "(&(objectClass=user)(sAMAccountName=firstname.lastname))"
What else can I check to troubleshoot this issue?
Thanks,
~ Abhi
On Tue, Feb 14, 2017 at 11:36:32AM -0500, Abhijit Tikekar wrote:
Hi,
Has anyone had any success while setting up SSSD with an RODC AD server? We are setting this up on CentOS 6.8 machines, but it doesn't seem to work.
Computer object is created and replicated to RODC. Verified that all configuration file parameters are identical to the ones mentioned in the link below. https://access.redhat.com/discussions/2838371
I assume we still have to join the server to the RODC? Is the joining process still the same as we do for a writable DC?
No, you need to create the computer object first and then copy the keytab.
When using "net ads join" I get the following error:
Failed to join domain: Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)
In the logs, we also get the following (debug level set to 7):
But if I try to query this RODC using "ldapsearch", it works:
ldapsearch -H ldap://RODC_ServerName.x.y.local/ -Y GSSAPI -N -b "dc=x,dc=y,dc=local" "(&(objectClass=user)(sAMAccountName=firstname.lastname))"
What principal did you authenticate as?
We created the keytab file and imported that into the existing krb5.keytab file using ktutil. I can see now that klist -k shows a "host" principal entry for this computer, which was missing earlier.
Also initialized the new keytab file using "kinit -k -t /etc/krb5.keytab host/hostname.X.Y.local". I can see the service principal update after this step in klist.
But authentication using my AD account still fails with the following in logs:
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x1666a60
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sbus_dispatch] (0x4000): Dispatching.
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [be_get_account_info] (0x0200): Got request for [0x1001][FAST BE_REQ_USER][1][name=firstname.lastname]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [be_req_set_domain] (0x0400): Changing request domain from [X.Y.local] to [X.Y.local]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=X,dc=Y,dc=local]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_print_server] (0x2000): Searching xxx.xxx.xxx.xxx
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=firstname.lastname)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=X,dc=Y,dc=local].
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 17
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_op_add] (0x2000): New operation 17 timeout 6
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_process_result] (0x2000): Trace: sh[0x166d2a0], connected[1], ops[0x1667a50], ldap[0x1637f20]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_process_result] (0x2000): Trace: sh[0x166d2a0], connected[1], ops[0x1667a50], ldap[0x1637f20]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_op_destructor] (0x2000): Operation 17 finished
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [generic_ext_search_handler] (0x4000): Request included referrals which were ignored.
*(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.*
*(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_get_users_done] (0x0040): Failed to retrieve users*
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1692df0
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1692120
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Running timer event 0x1692df0 "ltdb_callback"
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Destroying timer event 0x1692120 "ltdb_timeout"
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Ending timer event 0x1692df0 "ltdb_callback"
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sysdb_search_by_name] (0x0400): No such entry
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=firstname.lastname))
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1691210
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x167da00
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Running timer event 0x1691210 "ltdb_callback"
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Destroying timer event 0x167da00 "ltdb_timeout"
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [ldb] (0x4000): Ending timer event 0x1691210 "ltdb_callback"
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sysdb_search_groups] (0x2000): No such entry
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_process_result] (0x2000): Trace: sh[0x166d2a0], connected[1], ops[(nil)], ldap[0x1637f20]
(Tue Feb 14 16:10:56 2017) [sssd[be[X.Y.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
How can I check further where it is failing?
Thanks,
~ Abhi
On Tue, Feb 14, 2017 at 12:42 PM, Jakub Hrozek jhrozek@redhat.com wrote:
On Tue, Feb 14, 2017 at 11:36:32AM -0500, Abhijit Tikekar wrote:
Hi,
Has anyone had any success while setting up SSSD with an RODC AD server? We are setting this up on CentOS 6.8 machines, but it doesn't seem to work.
Computer object is created and replicated to RODC. Verified that all configuration file parameters are identical to the ones mentioned in the link below. https://access.redhat.com/discussions/2838371
I assume we still have to join the server to the RODC? Is the joining process still the same as we do for a writable DC?
No, you need to create the computer object first and then copy the keytab.
When using "net ads join" I get the following error:
Failed to join domain: Failed to set account flags for machine account (NT_STATUS_NOT_SUPPORTED)
In the logs, we also get the following (debug level set to 7):
But if I try to query this RODC using "ldapsearch", it works:
ldapsearch -H ldap://RODC_ServerName.x.y.local/ -Y GSSAPI -N -b "dc=x,dc=y,dc=local" "(&(objectClass=user)(sAMAccountName=firstname.lastname))"
What principal did you authenticate as?
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
On Tue, Feb 14, 2017 at 04:32:44PM -0500, Abhijit Tikekar wrote:
We created the keytab file and imported that into the existing krb5.keytab file using ktutil. I can see now that klist -k shows a "host" principal entry for this computer, which was missing earlier.
Also initialized the new keytab file using "kinit -k -t /etc/krb5.keytab host/hostname.X.Y.local". I can see the service principal update after this step in klist.
But authentication using my AD account still fails with the following in logs:
How can I check further where it is failing?
The log snippet just shows that this search:
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=firstname.lastname)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=X,dc=Y,dc=local].
didn't match any object on the AD side. I would test that: if you kinit with the host principal and then ldapsearch the DC manually using the -Y GSSAPI switch, does the search yield any result?
Hi Jakub,
First I tried ldapsearch without kinit and got the following as expected:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Ran a kinit with host principal:
kinit -k -t /etc/krb5.keytab host/hostname.x.y.local
After this, now ldapsearch works fine. Got the results back for the specified user.
# ldapsearch -H ldap://RODChostname.x.ylocal/ -Y GSSAPI -N -b "dc=x,dc=y,dc=local" "(&(objectClass=user)(sAMAccountName=first.last))"
SASL/GSSAPI authentication started
SASL username: host/hostname.x.y.local@X.Y.LOCAL
SASL SSF: 56
SASL data security layer installed.
...
But still, the exact same user authentication doesn't work when tried using SSSD.
Here is the sssd.conf file:
[sssd]
domains = X.Y.LOCAL
services = nss, pam, sudo
config_file_version = 2

[nss]

[pam]

[sudo]

[domain/x.y.local]
ad_domain = X.Y.LOCAL
ad_server = hostname.x.y.local
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
ldap_use_tokengroups = False
ldap_sasl_mech = GSSAPI
krb5_realm = X.Y.LOCAL
krb5_store_password_if_offline = True
use_fully_qualified_names = false
dyndns_update = False
ldap_schema = ad
ldap_id_mapping = False
cache_credentials = false
timeout = 1800
enumerate = True
enum_cache_timeout = 1800
ldap_use_tokengroups = True
ldap_uri = ldap://hostname.x.y.local
ldap_sudo_search_base = ...
ldap_user_search_base = ...
ldap_user_object_class = user
ldap_group_search_base = ...
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_access_filter = ...
ldap_access_filter = ...
override_homedir = /home/%d/%u
default_shell = /bin/bash
Many Thanks,
~ Abhi
On Wed, Feb 15, 2017 at 4:46 AM, Jakub Hrozek jhrozek@redhat.com wrote:
On Tue, Feb 14, 2017 at 04:32:44PM -0500, Abhijit Tikekar wrote:
We created the keytab file and imported that into the existing krb5.keytab file using ktutil. I can see now that klist -k shows a "host" principal entry for this computer, which was missing earlier.
Also initialized the new keytab file using "kinit -k -t /etc/krb5.keytab host/hostname.X.Y.local". I can see the service principal update after this step in klist.
But authentication using my AD account still fails with the following in logs:
How can I check further where it is failing?
The log snippet just shows that this search:
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=firstname.lastname)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=X,dc=Y,dc=local].
didn't match any object on the AD side. I would test that: if you kinit with the host principal and then ldapsearch the DC manually using the -Y GSSAPI switch, does the search yield any result?
On Wed, Feb 15, 2017 at 08:33:39AM -0500, Abhijit Tikekar wrote:
Hi Jakub,
First I tried ldapsearch without kinit and got the following as expected:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Ran a kinit with host principal:
kinit -k -t /etc/krb5.keytab host/hostname.x.y.local
After this, now ldapsearch works fine. Got the results back for the specified user.
I am surprised that this works, I would expect only the netbios$@realm principal to work, but I guess in your environment host/fqdn@realm is also a computer account.
# ldapsearch -H ldap://RODChostname.x.ylocal/ -Y GSSAPI -N -b "dc=x,dc=y,dc=local" "(&(objectClass=user)(sAMAccountName=first.last))"
SASL/GSSAPI authentication started
SASL username: host/hostname.x.y.local@X.Y.LOCAL
SASL SSF: 56
SASL data security layer installed.
Are you sure you are using the same LDAP URI, the same base and the same Kerberos principal as SSSD uses? Because down below, SSSD does an alternative of this call, just calling into openldap-libs calls directly.
... ... ... ...
But still, the exact same user authentication doesn't work when tried using SSSD.
I would focus on user resolution (so, id $username) before trying out authentication.
Here is sssd.conf file.
[sssd]
domains = X.Y.LOCAL
services = nss, pam, sudo
config_file_version = 2

[nss]

[pam]

[sudo]

[domain/x.y.local]
ad_domain = X.Y.LOCAL
ad_server = hostname.x.y.local
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
ldap_use_tokengroups = False
ldap_sasl_mech = GSSAPI
krb5_realm = X.Y.LOCAL
krb5_store_password_if_offline = True
use_fully_qualified_names = false
dyndns_update = False
ldap_schema = ad
ldap_id_mapping = False
cache_credentials = false
timeout = 1800
enumerate = True
And to make logs cleaner and easier to read, I would suggest not using enumeration (not to mention the performance impact enumeration has...)
enum_cache_timeout = 1800
ldap_use_tokengroups = True
Hmm, you first define tokengroups to false, then to true. I think the second setting wins here, but the config is a bit inconsistent then.
ldap_uri = ldap://hostname.x.y.local
ldap_sudo_search_base = ...
ldap_user_search_base = ...
ldap_user_object_class = user
ldap_group_search_base = ...
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_access_filter = ...
ldap_access_filter = ...
Unless you use any of the providers set to 'ldap', I would recommend against setting the low-level options directly.
override_homedir = /home/%d/%u
default_shell = /bin/bash
Many Thanks,
~ Abhi
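The config review above, turned into a small lint script. This is an added example, not part of the thread or of SSSD, and it does not use SSSD's own ini parser; the sample sssd.conf it runs on is constructed from the one quoted above (with the same duplicated ldap_use_tokengroups key), and the checks are the ones raised in the replies: duplicate keys, low-level ldap_* options under the ad provider, enumeration, and ldap_id_mapping = False.

```python
"""Lint checks for an sssd.conf, modelled on the review earlier in this thread.

Added example, not part of the thread or of SSSD. The file is read line by
line (rather than with SSSD's ini parser) so that every duplicated key is
reported, not only the first one. The sample configuration is constructed.
"""
import re
from collections import OrderedDict

SECTION_RE = re.compile(r'^\s*\[([^\]]+)\]\s*$')
KV_RE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$')


def is_lowlevel_ldap_option(key):
    """Options the ad provider derives from the domain itself; the advice in
    the thread was to leave them unset unless a provider is 'ldap'."""
    return (key == 'ldap_uri'
            or key.endswith('_search_base')
            or key.endswith('_object_class')
            or key.startswith(('ldap_user_', 'ldap_group_')))


def parse_sssd_conf(text):
    """Return {section: [(key, value), ...]}, keeping duplicates and order."""
    sections = OrderedDict()
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(('#', ';')):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2)))
    return sections


def lint(text):
    """Return (code, section, detail) findings for every [domain/...] section."""
    findings = []
    for section, items in parse_sssd_conf(text).items():
        if not section.startswith('domain/'):
            continue
        seen = {}
        for key, value in items:
            if key in seen:
                # Same key twice: the later value is the effective one (as
                # noted in the thread), so the earlier line is misleading.
                findings.append(('duplicate', section,
                                 f'{key}: {seen[key]!r} then {value!r}'))
            seen[key] = value
        providers = [v for k, v in seen.items() if k.endswith('_provider')]
        if providers and all(v.lower() == 'ad' for v in providers):
            lowlevel = sorted(k for k in seen if is_lowlevel_ldap_option(k))
            if lowlevel:
                findings.append(('lowlevel', section, ', '.join(lowlevel)))
        if seen.get('enumerate', 'false').lower() == 'true':
            findings.append(('enumerate', section,
                             'enumeration is on: noisier logs and a performance cost'))
        if (seen.get('id_provider', '').lower() == 'ad'
                and seen.get('ldap_id_mapping', 'true').lower() == 'false'):
            # With ID mapping off, SSSD's user search carries (uidNumber=*), as
            # the quoted filter shows: AD users without POSIX attributes are
            # never found.
            findings.append(('id_mapping', section,
                             'ldap_id_mapping = False: AD users need uidNumber/gidNumber'))
    return findings


# Constructed sample, abbreviated from the configuration quoted in the thread.
SAMPLE_CONF = """\
[sssd]
domains = X.Y.LOCAL
services = nss, pam, sudo
config_file_version = 2

[domain/x.y.local]
ad_domain = X.Y.LOCAL
ad_server = hostname.x.y.local
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
ldap_use_tokengroups = False
ldap_sasl_mech = GSSAPI
ldap_id_mapping = False
enumerate = True
enum_cache_timeout = 1800
ldap_use_tokengroups = True
ldap_uri = ldap://hostname.x.y.local
ldap_user_object_class = user
ldap_group_object_class = group
override_homedir = /home/%d/%u
"""

if __name__ == '__main__':
    for code, section, detail in lint(SAMPLE_CONF):
        print(f'[{section}] {code}: {detail}')
```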
On Wed, Feb 15, 2017 at 4:46 AM, Jakub Hrozek jhrozek@redhat.com wrote:
Hi Jakub,
Thanks for clarifying some of these items. I am relatively new to SSSD so I apologize in advance if I miss something basic in logs & configs.
I tried checking using "id" and "getent". "getent" does not return any output, whereas "id" returns the following:
id: first.last: No such user
The RODC has the same group structure as our writable domain controller, and we have kept the SSSD config entries (access filters etc.) the same as those on CentOS servers connected to the writable DC, where SSSD works fine. So I believe the ldap_access_filter & search_base are correct for the user trying to authenticate.
When we created the keytab from the writable domain controller for this machine, we used "rndpass", but on the server itself kinit never asked for the password. Do you think there could be some issue here and SSSD is not able to authenticate successfully in the first place? But I would assume the keytab is good because direct ldapsearch works using the same keytab file.
Following is received in SSSD logs when trying id "first.last".
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sbus_dispatch] (0x4000): dbus conn: 0xa7a280
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [be_get_account_info] (0x0200): Got request for [0x1001][FAST BE_REQ_USER][1][name=first.last]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [be_req_set_domain] (0x0400): Changing request domain from [x.y.local] to [x.y.local]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=x,dc=y,dc=local]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_print_server] (0x2000): Searching <RODC IP>
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=first.last)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=x,dc=y,dc=local].
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_op_add] (0x2000): New operation 8 timeout 6
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_process_result] (0x2000): Trace: sh[0xa90570], connected[1], ops[0xaa1640], ldap[0xa6c050]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://abc.x.y.local/DC=abc,DC=x,DC=y,DC=local
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_process_result] (0x2000): Trace: sh[0xa90570], connected[1], ops[0xaa1640], ldap[0xa6c050]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://training.x.y.local/DC=training,DC=x,DC=y,DC=local
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_process_result] (0x2000): Trace: sh[0xa90570], connected[1], ops[0xaa1640], ldap[0xa6c050]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://DomainDnsZones.x.y.local/DC=DomainDnsZones,DC=x,DC=y,DC=local
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_process_result] (0x2000): Trace: sh[0xa90570], connected[1], ops[0xaa1640], ldap[0xa6c050]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_op_destructor] (0x2000): Operation 8 finished
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [generic_ext_search_handler] (0x4000): Request included referrals which were ignored.
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [generic_ext_search_handler] (0x4000): Ref: ldap://abc.x.y.local/DC=abc,DC=x,DC=y,DC=local
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [generic_ext_search_handler] (0x4000): Ref: ldap://training.x.y.local/DC=training,DC=x,DC=y,DC=local
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [generic_ext_search_handler] (0x4000): Ref: ldap://DomainDnsZones.x.y.local/DC=DomainDnsZones,DC=x,DC=y,DC=local
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0xa841a0
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0xa926e0
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [ldb] (0x4000): Running timer event 0xa841a0 "ltdb_callback"
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [ldb] (0x4000): Destroying timer event 0xa926e0 "ltdb_timeout"
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [ldb] (0x4000): Ending timer event 0xa841a0 "ltdb_callback"
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=first.last))
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0xa84390
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0xa80fd0
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [ldb] (0x4000): Running timer event 0xa84390 "ltdb_callback"
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [ldb] (0x4000): Destroying timer event 0xa80fd0 "ltdb_timeout"
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [ldb] (0x4000): Ending timer event 0xa84390 "ltdb_callback"
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sysdb_search_groups] (0x2000): No such entry
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_process_result] (0x2000): Trace: sh[0xa90570], connected[1], ops[(nil)], ldap[0xa6c050]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
Hi Jakub,
ldap_id_mapping was set to "false" on this server. Once I set it to "true", both id and getent started working. But the user authentication via SSH still does not go through.
We see the following in SSSD logs (Debug level set to 5)
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [be_get_account_info] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=first.last]
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [be_resolve_server_process] (0x0200): Found address for server RODC.x.y.local: [RODC IP] TTL 7200
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://RODC.x.y.local'
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://RODC.x.y.local:3268'
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [be_resolve_server_process] (0x0200): Found address for server RODC.x.y.local: [RODC IP] TTL 7200
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/server_hostname.x.y.local
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [child_sig_handler] (0x0100): child [17466] finished successfully.
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'RODC.x.y.local' as 'working'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [set_server_common_status] (0x0100): Marking server 'RODC.x.y.local' as 'working'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x0080): Domain not found for SID S-1-5-21-<....ID....>
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): domain: x.y.local
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): user: first.last
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): service: sshd
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): tty: ssh
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): ruser:
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): rhost: remote_host.x.y.local
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): authtok type: 1
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): priv: 1
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): cli_pid: 17465
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): logon name: not set
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [krb5_auth_send] (0x0100): Home directory for user [first.last] not known.
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_resolve_server_process] (0x0200): Found address for server RODC.x.y.local: [RODC IP] TTL 7200
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://RODC.x.y.local'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://RODC.x.y.local'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback] (0x0100): Sending result [4][x.y.local]
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback] (0x0100): Sent result [4][x.y.local]
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [child_sig_handler] (0x0100): child [17467] finished successfully.
And the following under /var/log/secure
Feb 20 11:15:30 hostname sshd[17499]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote_host.x.y.local user=first.last
Feb 20 11:15:35 hostname sshd[17499]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote_host.x.y.local user=first.last
Feb 20 11:15:35 hostname sshd[17499]: pam_sss(sshd:auth): received for user first.last: 4 (System error)
Feb 20 11:15:37 hostname sshd[17496]: error: PAM: Authentication failure for first.last from remote_host.x.y.local
Under krb5_child.log
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [unpack_buffer] (0x0100): cmd [241] uid [xxxxxxxx] gid [yyyyyyyy] validate [true] enterprise principal [true] offline [false] UPN [first.last@COMPANY.COM]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:xxxxxxxx] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [check_use_fast] (0x0100): Not using FAST.
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [become_user] (0x0200): Trying to become user [xxxxxxxx][yyyyyyyy].
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last@COMPANY.COM@x.y.local] might not be correct.
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [create_ccache] (0x0020): 733: [13][Permission denied]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [map_krb5_error] (0x0020): 1301: [1432158209][Unknown code UUz 1]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [k5c_send_data] (0x0200): Received error code 1432158209
Config for password-auth
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so
auth required pam_deny.so
Many Thanks,
~ Abhi
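The two debug-log excerpts above (the user lookup that returned nothing, and the failing SSH authentication) read much faster once the lines are split into fields. This is an added triage script, not part of the thread or of SSSD; it parses SSSD's "(timestamp) [process] [function] (0xLEVEL): message" format, pulls out the LDAP filter SSSD sent, the user-search result count and every entry at a failure level, and the sample lines it runs on are constructed from the logs quoted in this message.

```python
"""Triage helper for SSSD debug logs like the ones quoted in this thread.

Added example, not part of the thread or of SSSD. It parses the
'(timestamp) [process] [function] (0xLEVEL): message' lines written by
sssd_<domain>.log and krb5_child.log, extracts the LDAP filter and base SSSD
sent to the DC, the user-search result count, and every entry logged at one
of SSSD's failure levels. The sample lines below are constructed.
"""
import re

# SSSD debug-level bits: 0x0010 fatal, 0x0020 critical, 0x0040 serious,
# 0x0080 minor failure. Higher bits are configuration and trace output.
FAILURE_MASK = 0x00F0

LINE_RE = re.compile(
    r'^\((?P<ts>[^)]*)\) \[(?P<proc>.*?)\] \[(?P<func>\w+)\] '
    r'\((?P<level>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$')
SEARCH_RE = re.compile(
    r'calling ldap_search_ext with \[(?P<filter>.*)\]\[(?P<base>[^\]]*)\]')
COUNT_RE = re.compile(r'Search for users, returned (?P<n>\d+) results')


def parse_line(line):
    """Split one log line into its fields, or return None for other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['level'] = int(rec['level'], 16)
    return rec


def triage(log_text):
    """Collect the facts a reviewer looks for first in a lookup/auth trace."""
    report = {'searches': [], 'user_results': [], 'failures': [],
              'requires_posix_attrs': False}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = SEARCH_RE.search(rec['msg'])
        if m:
            report['searches'].append((m['filter'], m['base']))
            # SSSD adds (uidNumber=*) only when ldap_id_mapping = False, so a
            # user without POSIX attributes in AD can never match this filter.
            if '(uidNumber=*)' in m['filter']:
                report['requires_posix_attrs'] = True
        m = COUNT_RE.search(rec['msg'])
        if m:
            report['user_results'].append(int(m['n']))
        if rec['level'] & FAILURE_MASK:
            report['failures'].append((rec['func'], rec['msg']))
    return report


def hints(report):
    """Plain-language reading of the report, following the thread's reasoning."""
    out = []
    if report['requires_posix_attrs'] and 0 in report['user_results']:
        out.append('user search demands uidNumber and found nothing: either '
                   'add POSIX attributes in AD or set ldap_id_mapping = True')
    for func, msg in report['failures']:
        out.append(f'{func}: {msg}')
    return out


# Constructed sample, taken from the lookup and authentication logs above.
SAMPLE_LOG = """\
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [be_get_account_info] (0x0200): Got request for [0x1001][FAST BE_REQ_USER][1][name=first.last]
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=first.last)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=x,dc=y,dc=local].
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [generic_ext_search_handler] (0x4000): Request included referrals which were ignored.
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(Mon Feb 20 09:42:03 2017) [sssd[be[x.y.local]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x0080): Domain not found for SID S-1-5-21-<....ID....>
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [create_ccache] (0x0020): 733: [13][Permission denied]
not a log line
"""

if __name__ == '__main__':
    for h in hints(triage(SAMPLE_LOG)):
        print(h)
```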
On Tue, Feb 14, 2017 at 11:36 AM, Abhijit Tikekar abhijittikekar@gmail.com wrote:
On (20/02/17 11:33), Abhijit Tikekar wrote:
Hi Jakub,
ldap_id_mapping was set to "false" on this server. Once I set it to "true", both id and getent started working. But the user authentication via SSH still does not go through.
We see the following in the SSSD logs (debug level set to 5):
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [be_get_account_info] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=first.last]
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [be_resolve_server_process] (0x0200): Found address for server RODC.x.y.local: [RODC IP] TTL 7200
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://RODC.x.y.local'
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://RODC.x.y.local:3268'
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [be_resolve_server_process] (0x0200): Found address for server RODC.x.y.local: [RODC IP] TTL 7200
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/server_hostname.x.y.local
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [child_sig_handler] (0x0100): child [17466] finished successfully.
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'RODC.x.y.local' as 'working'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [set_server_common_status] (0x0100): Marking server 'RODC.x.y.local' as 'working'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x0080): Domain not found for SID S-1-5-21-<....ID....>
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): domain: x.y.local
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): user: first.last
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): service: sshd
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): tty: ssh
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): ruser:
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): rhost: remote_host.x.y.local
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): authtok type: 1
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): priv: 1
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): cli_pid: 17465
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): logon name: not set
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [krb5_auth_send] (0x0100): Home directory for user [first.last] not known.
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_resolve_server_process] (0x0200): Found address for server RODC.x.y.local: [RODC IP] TTL 7200
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://RODC.x.y.local'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://RODC.x.y.local'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback] (0x0100): Sending result [4][x.y.local]
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback] (0x0100): Sent result [4][x.y.local]
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [child_sig_handler] (0x0100): child [17467] finished successfully.
*And the following under /var/log/secure*
Feb 20 11:15:30 hostname sshd[17499]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote_host.x.y.local user=first.last
Feb 20 11:15:35 hostname sshd[17499]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote_host.x.y.local user=first.last
Feb 20 11:15:35 hostname sshd[17499]: pam_sss(sshd:auth): received for user first.last: 4 (System error)
Feb 20 11:15:37 hostname sshd[17496]: error: PAM: Authentication failure for first.last from remote_host.x.y.local
*Under krb5_child.log*
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [unpack_buffer] (0x0100): cmd [241] uid [xxxxxxxx] gid [yyyyyyyy] validate [true] enterprise principal [true] offline [false] UPN [first.last@COMPANY.COM]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:xxxxxxxx] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [check_use_fast] (0x0100): Not using FAST.
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [become_user] (0x0200): Trying to become user [xxxxxxxx][yyyyyyyy].
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last@COMPANY.COM@x.y.local] might not be correct.
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [create_ccache] (0x0020): 733: [13][Permission denied]
Here is the problem.
sssd failed to initialize krb5 context for some reason.
kerr = krb5_init_context(&kctx);
I can see that it tried to use keyring ccache. "ccname: [KEYRING:persistent:xxxxxxxx]". Does it work with FILE cache? Because IIRC there is KEYRING ccache in rhel6 but it does not support collections ccache as in el7.
Are you able to kinit from command line?
I can also see that it tried to kinit with enterprise principal.
Are you able to kinit with it? "kinit -E"
Could you share your krb5.conf?
LS
Hi,
I tried replacing KEYRING with a FILE option but same results.
#default_ccache_name = KEYRING:persistent:%{uid}
default_ccache_name = FILE:/var/tmp/krb5cc_%{uid}
When I try using kinit -E, it asks for the principal password. But the keytab was created using a "rndpass" option so I am not really sure what to put as a password.
]# kinit -E
Password for host/hostname.x.y.local@X.Y.LOCAL:
Here is the complete krb5.conf file:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = X.Y.LOCAL
 #dns_lookup_realm = true
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 rdns = false
 forwardable = true
 #default_ccache_name = KEYRING:persistent:%{uid}
 default_ccache_name = FILE:/var/tmp/krb5cc_%{uid}
 default_keytab_name = /etc/krb5.keytab

[realms]
 X.Y.LOCAL = {
  kdc = RODC.x.y.local:88
  admin_server = RODC.x.y.local:749
  default_domain = x.y.local
 }

[domain_realm]
 .x.y.local = X.Y.LOCAL
 x.y.local = X.Y.LOCAL
Thanks,
~ Abhi
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
We are still unable to make SSSD work with RODC.
While checking a few other logs, I came across the following under krb5_child.log. Does this help in isolating the issue in any way?
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [validate_tgt] (0x0400): TGT verified using key for [host/hostname.x.y.local@X.Y.LOCAL].
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_child_krb5_trace_cb] (0x4000): [50688] 1494602280.656134: Retrieving first.last@X.Y.LOCAL -> host/hostname.x.y.local@X.Y.LOCAL from MEMORY:rd_req2 with result: 0/Success
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_child_krb5_trace_cb] (0x4000): [50688] 1494602280.656242: Retrieving host/hostname.x.y.local@X.Y.LOCAL from MEMORY:/etc/krb5.keytab (vno 5, enctype rc4-hmac) with result: 0/Success
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last@ABC@X.Y.LOCAL] might not be correct.
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_child_krb5_trace_cb] (0x4000): [50688] 1494602280.656339: Destroying ccache MEMORY:rd_req2
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/var/tmp/krb5cc_233006683]
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal first.last@X.Y.LOCAL in cache collection]
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [create_ccache] (0x0020): 733: [13][Permission denied]
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [map_krb5_error] (0x0020): 1301: [1432158209][Unknown code UUz 1]
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [pack_response_packet] (0x2000): response packet size: [20]
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [k5c_send_data] (0x4000): Response sent.
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [main] (0x0400): krb5_child completed successfully
However, the file /var/tmp/krb5cc_233006683 doesn't exist.
Under /var/log/secure, we are still getting the same error message when access is denied.
May 12 12:12:07 hostname sshd[51001]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=abcd.x.y.local user=first.last
May 12 12:12:07 hostname sshd[51001]: pam_sss(sshd:auth): received for user first.last: 4 (System error)
Thanks,
~ Abhi
Sent from my iPhone
Turns out, krb5.conf permissions were incorrect.
Before:
ls -l /etc/krb5.conf
-rw-------. 1 root root 719 May 12 14:09 /etc/krb5.conf
After:
ls -l /etc/krb5.conf
-rw-r--r--. 1 root root 719 May 12 14:09 /etc/krb5.conf
After making this change, users are now able to authenticate successfully.
Thanks,
~ abhi
Sent from my iPhone
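The root cause above is worth turning into a check, because the two Kerberos files on a client need opposite modes: krb5_child drops to the authenticating user's uid (the "become_user" line in krb5_child.log) before it initialises its Kerberos context, so /etc/krb5.conf must be readable by that user, while /etc/krb5.keytab holds the host key and must stay readable by root only. The script below is an added example, not code from this thread or from SSSD; it assumes GNU coreutils stat (as on CentOS) and takes the two paths as optional arguments.

```shell
#!/bin/sh
# Added example (not from the thread): audit the file modes behind the
# "create_ccache ... [13][Permission denied]" failure in krb5_child.log.
# krb5.conf must be world-readable (0644); the keytab must be owner-only (0600).
# Assumes GNU coreutils stat, which prints the octal mode with -c '%a'.

# Exit 0 if "other" has the read bit on the file, 1 if not, 2 if the file
# cannot be stat'ed (missing or unreadable directory).
world_readable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    # The last octal digit is the permission set for "other".
    other=${mode#"${mode%?}"}
    case $other in
        4|5|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# Exit 0 if group and other have no access bits at all (mode x00), else 1;
# 2 if the file cannot be stat'ed.
owner_only() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    # The last two octal digits are the group and other permission sets.
    tail=${mode#"${mode%??}"}
    [ "$tail" = "00" ]
}

# Audit a krb5.conf / keytab pair. Prints one line per finding and returns the
# number of problems found (0 means both files are as they should be).
check_krb5_files() {
    conf=${1:-/etc/krb5.conf}
    keytab=${2:-/etc/krb5.keytab}
    problems=0

    if world_readable "$conf"; then
        echo "OK:      $conf is readable by unprivileged users"
    else
        echo "PROBLEM: $conf is not world-readable; krb5_child fails with EACCES after become_user (chmod 0644)"
        problems=$((problems + 1))
    fi

    if owner_only "$keytab"; then
        echo "OK:      $keytab is restricted to its owner"
    else
        echo "PROBLEM: $keytab is readable by group/other; the host key is exposed (chmod 0600, owner root)"
        problems=$((problems + 1))
    fi

    return "$problems"
}

# Run the audit on the real files only when executed as a script under this
# name, so the functions can also be sourced from another shell script.
if [ "${0##*/}" = "check_krb5_files.sh" ]; then
    check_krb5_files "$@"
fi
```

Saved as check_krb5_files.sh and run on the "Before" system from the thread, it reports krb5.conf (mode 0600) as the problem and exits 1; on the "After" system it exits 0.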
On May 12, 2017, at 1:22 PM, Abhijit Tikekar abhijittikekar@gmail.com wrote:
We are still unable to make SSSD work with RODC.
While checking few other logs, came across the following under krb5_child.log. Does this help in isolating the issue in any way?
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [validate_tgt] (0x0400): TGT verified using key for [host/hostname.x.y.local@X.Y.LOCAL]. (Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_child_krb5_trace_cb] (0x4000): [50688] 1494602280.656134: Retrieving first.last@X.Y.LOCAL -> host/hostname.x.y.local@X.Y.LOCAL from MEMORY:rd_req2 with result: 0/Success
(Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_child_krb5_trace_cb] (0x4000): [50688] 1494602280.656242: Retrieving host/hostname.x.y.local@X.Y.LOCAL from MEMORY:/etc/krb5.keytab (vno 5, enctype rc4-hmac) with result: 0/Success (Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2]. (Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last@ABC@X.Y.LOCAL] might not be correct. (Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_child_krb5_trace_cb] (0x4000): [50688] 1494602280.656339: Destroying ccache MEMORY:rd_req2 (Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/var/tmp/krb5cc_233006683] (Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal first.last@X.Y.LOCAL in cache collection] (Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [create_ccache] (0x0020): 733: [13][Permission denied] (Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [map_krb5_error] (0x0020): 1301: [1432158209][Unknown code UUz 1] (Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [k5c_send_data] (0x0200): Received error code 1432158209 (Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [pack_response_packet] (0x2000): response packet size: [20] (Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [k5c_send_data] (0x4000): Response sent. (Fri May 12 11:18:00 2017) [[sssd[krb5_child[50688]]]] [main] (0x0400): krb5_child completed successfully
Although, the file /var/tmp/krb5cc_233006683 doesn't exist.
Under /var/log/secure, we are still getting the same error message when access is denied.
May 12 12:12:07 hostname sshd[51001]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=abcd.x.y.local user=first.last May 12 12:12:07 hostname sshd[51001]: pam_sss(sshd:auth): received for user first.last: 4 (System error)
Thanks,
~ Abhi
Sent from my iPhone
On Feb 21, 2017, at 9:48 AM, Abhijit Tikekar abhijittikekar@gmail.com wrote:
Hi,
I tried replacing KEYRING with a FILE option but same results.
#default_ccache_name = KEYRING:persistent:%{uid} default_ccache_name = FILE:/var/tmp/krb5cc_%{uid}
When I try using kinit -E, it asks for the principal password. But the keytab was created using a "rndpass" option so I am not really sure what to put as a password.
]# kinit -E Password for host/hostname.x.y.local@X.Y.LOCAL:
Here is the complete krb5.conf file:
[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = X.Y.LOCAL #dns_lookup_realm = true dns_lookup_realm = false dns_lookup_kdc = true ticket_lifetime = 24h renew_lifetime = 7d rdns = false forwardable = true #default_ccache_name = KEYRING:persistent:%{uid} default_ccache_name = FILE:/var/tmp/krb5cc_%{uid} default_keytab_name = /etc/krb5.keytab [realms] X.Y.LOCAL = { kdc = RODC.x.y.local:88 admin_server = RODC.x.y.local:749 default_domain = x.y.local } [domain_realm] .x.y.local = X.Y.LOCAL x.y.local = X.Y.LOCAL
Thanks,
~ Abhi
On Tue, Feb 21, 2017 at 2:22 AM, Lukas Slebodnik lslebodn@redhat.com wrote: On (20/02/17 11:33), Abhijit Tikekar wrote:
Hi Jakub,
ldap_id_mapping was set to "false" on this server. Once I set it to "true", both id and getent started working. But the user authentication via SSH still does not go through.
We see the following in SSSD logs(Debug level set to 5)
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [be_get_account_info] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][1][name=first.last]
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [be_resolve_server_process] (0x0200): Found address for server RODC.x.y.local: [RODC IP] TTL 7200
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://RODC.x.y.local'
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://RODC.x.y.local:3268'
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Mon Feb 20 11:06:43 2017) [sssd[be[x.y.local]]] [be_resolve_server_process] (0x0200): Found address for server RODC.x.y.local: [RODC IP] TTL 7200
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/server_hostname.x.y.local
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [child_sig_handler] (0x0100): child [17466] finished successfully.
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'RODC.x.y.local' as 'working'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [set_server_common_status] (0x0100): Marking server 'RODC.x.y.local' as 'working'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x0080): Domain not found for SID S-1-5-21-<....ID....>
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): domain: x.y.local
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): user: first.last
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): service: sshd
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): tty: ssh
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): ruser:
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): rhost: remote_host.x.y.local
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): authtok type: 1
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): priv: 1
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): cli_pid: 17465
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [pam_print_data] (0x0100): logon name: not set
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [krb5_auth_send] (0x0100): Home directory for user [first.last] not known.
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_resolve_server_process] (0x0200): Found address for server RODC.x.y.local: [RODC IP] TTL 7200
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://RODC.x.y.local'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://RODC.x.y.local'
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback] (0x0100): Sending result [4][x.y.local]
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [be_pam_handler_callback] (0x0100): Sent result [4][x.y.local]
(Mon Feb 20 11:06:44 2017) [sssd[be[x.y.local]]] [child_sig_handler] (0x0100): child [17467] finished successfully.
*And the following under /var/log/secure*
Feb 20 11:15:30 hostname sshd[17499]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote_host.x.y.local user=first.last
Feb 20 11:15:35 hostname sshd[17499]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote_host.x.y.local user=first.last
Feb 20 11:15:35 hostname sshd[17499]: pam_sss(sshd:auth): received for user first.last: 4 (System error)
Feb 20 11:15:37 hostname sshd[17496]: error: PAM: Authentication failure for first.last from remote_host.x.y.local
*Under krb5_child.log*
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [unpack_buffer] (0x0100): cmd [241] uid [xxxxxxxx] gid [yyyyyyyy] validate [true] enterprise principal [true] offline [false] UPN [first.last@COMPANY.COM]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:xxxxxxxx] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [check_use_fast] (0x0100): Not using FAST.
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [become_user] (0x0200): Trying to become user [xxxxxxxx][yyyyyyyy].
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last@COMPANY.COM@x.y.local] might not be correct.
(Mon Feb 20 11:25:04 2017) [[sssd[krb5_child[17566]]]] [create_ccache] (0x0020): 733: [13][Permission denied]
Here is the problem.
sssd failed to initialize krb5 context for some reason.
kerr = krb5_init_context(&kctx);
I can see that it tried to use the keyring ccache: "ccname: [KEYRING:persistent:xxxxxxxx]". Does it work with a FILE ccache? Because IIRC there is a KEYRING ccache in rhel6, but it does not support collection ccaches as in el7.
Are you able to kinit from command line?
I can also see that it tried to kinit with enterprise principal.
Are you able to kinit with it? "kinit -E"
Could you share your krb5.conf?
LS
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
On (12/05/17 14:20), Abhijit Tikekar wrote:
Turns out, krb5.conf permissions were incorrect.
Before:
ls -l /etc/krb5.conf
-rw-------. 1 root root 719 May 12 14:09 /etc/krb5.conf
After:
ls -l /etc/krb5.conf
-rw-r--r--. 1 root root 719 May 12 14:09 /etc/krb5.conf
After making this change, users are now able to authenticate successfully.
This is the reason why I asked in the previous mail whether you can kinit from the command line. I assume you tested kinit as root.
But I am glad that it works for you now.
LS
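The permission problem found above is easy to reintroduce (a config-management run or a careless `chmod` on /etc/krb5.conf) and it only surfaces for non-root users, which is why `kinit` as root looked fine. The script below is an added example, not code from sssd or from either poster: it checks the mode bits that matter for this failure. sssd's krb5_child drops privileges to the authenticating user ("Trying to become user ..." in krb5_child.log) before it initialises its krb5 context, so /etc/krb5.conf must be readable by that user; the keytab /etc/krb5.keytab is the opposite case and must stay readable by root only. It assumes a POSIX `ls` and `cut`; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the sssd project or the thread's authors): audit the
# permissions of the two Kerberos files involved in the failure discussed above.
#   /etc/krb5.conf   must be readable by unprivileged users (krb5_child runs as
#                    the user after become_user; 0600 root:root gives
#                    "[13][Permission denied]" in krb5_child.log)
#   /etc/krb5.keytab must NOT be readable by anyone but root (it holds the
#                    host's Kerberos keys)
# Function names below are this example's own, not sssd's.

# Print the permission bit for "others" (8th column of `ls -l`, -L follows
# symlinks): "r" when other users may read the file, "-" when they may not.
others_read_bit() {
    ls -ldL "$1" | cut -c8
}

# Exit 0 if unprivileged users can read the file, 1 if not, 2 if it is missing.
readable_by_others() {
    [ -e "$1" ] || return 2
    [ "$(others_read_bit "$1")" = "r" ]
}

# krb5.conf check: krb5_child, running as the user, must be able to read it.
check_krb5_conf() {
    f="${1:-/etc/krb5.conf}"
    [ -e "$f" ] || { echo "FAIL: $f does not exist"; return 1; }
    if readable_by_others "$f"; then
        echo "OK:   $f is readable by unprivileged users"
        return 0
    fi
    echo "FAIL: $f is not readable by unprivileged users (fix: chmod 0644 $f)"
    return 1
}

# keytab check: the opposite requirement, nobody but root may read it.
check_keytab() {
    f="${1:-/etc/krb5.keytab}"
    [ -e "$f" ] || { echo "SKIP: $f not present"; return 0; }
    if readable_by_others "$f"; then
        echo "FAIL: $f is readable by other users (fix: chmod 0600 $f)"
        return 1
    fi
    echo "OK:   $f is readable by root only"
    return 0
}

# Run both checks; returns 1 if either fails. Optional arguments override the
# default paths (useful for testing against copies of the files).
audit_krb5_files() {
    rc=0
    check_krb5_conf "$1" || rc=1
    check_keytab "$2"    || rc=1
    return $rc
}

# Usage: sh krb5-perms.sh [krb5.conf-path [keytab-path]]
audit_krb5_files "$@" || echo "one or more checks failed"
```

This only covers the mode bits; the end-to-end test LS asked for is still `kinit first.last@COMPANY.COM` run as that unprivileged user (not as root, whose reads succeed regardless of mode), and `kinit -E` for the enterprise-principal path the log shows. Those need the KDC, so they are not part of the script.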