Hi,
please see logs attached. (Couldn't upload logs as they were too large, so I hope a tar.gz gets through.) I stopped sssd, deleted the logs and started sssd. Then ran the commands below:
ssh B\test.user@localhost - run at (Tue Sep 24 10:31:19 2013) - login succeeds
ssh a\mhunt.test@localhost - run at (Tue Sep 24 10:32:10 2013) - login fails. The error on ssh login is "Permission denied, please try again."
(NOTE: I have just noticed I tested with uppercase domain "B" and lowercase domain "a". I have just retested with uppercase "A" and it still fails.)
There are DNS server errors in the log.
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve AAAA record of 'le-vm05-centos6' in DNS
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [request_watch_destructor] (0x0400): Deleting request watch
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_done] (0x0040): querying hosts database failed [5]: Input/output error
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [nsupdate_get_addrs_done] (0x0040): Could not resolve address for this machine, error [5]: Input/output error, resolver returned: [11]: Could not contact DNS servers
However, DNS from this install is working (when querying its hostname or others on the LAN or internet) and from other boxes querying its hostname. resolv.conf has the correct name servers and they are responding to 'nslookup' and 'host'.
Also, the following line looks to be creating the parent domain (domain.org) as a subdomain of b.domain.org?
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [new_subdomain] (0x0400): Creating [domain.org] as subdomain of [B.DOMAIN.ORG]!
I have changed domain names in logs and changed bits of SIDs. Hope I have not confused anything with SID changes!!
Thanks,
Matthew
On Tue, Sep 24, 2013 at 11:02:48AM +0000, a t wrote:
Hi,
I'm sorry for the late reply.
According to these logs I see three potential things to take a look at:
1)
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve AAAA record of 'le-vm05-centos6' in DNS
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [request_watch_destructor] (0x0400): Deleting request watch
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_done] (0x0040): querying hosts database failed [5]: Input/output error
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [nsupdate_get_addrs_done] (0x0040): Could not resolve address for this machine, error [5]: Input/output error, resolver returned: [11]: Could not contact DNS servers
It looks like you were hitting https://fedorahosted.org/sssd/ticket/2063 which should be resolved by now.
What exact version was this? The one from sssd-devel?
2) The other thing I see:
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [B.DOMAIN.ORG] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_B_DOMAIN_ORG]
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [sss_krb5_touch_config] (0x0020): Unable to change mtime of "/etc/krb5.conf" [13]: Permission denied
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [sss_write_domain_mappings] (0x0020): Unable to change last modification time of krb5.conf. Created mappings may not be loaded.
This sounds like an SELinux denial to me. Could you try setting SELinux to permissive for the duration of the test (setenforce 0)?
3) Then in the logs I see a lookup and authentication of [CN=test user,OU=No Management,OU=User Accounts,DC=b,DC=domain,DC=org]
Is that a root domain or subdomain user? Because this particular request seems to have completed fine. According to the logs, the subdomain should be just called domain.org:
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [new_subdomain] (0x0400): Creating [domain.org] as subdomain of [B.DOMAIN.ORG]!
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [sdap_domain_subdom_add] (0x0400): subdomain domain.org is a new one, will create a new sdap domain object
But I don't see a request for a subdomain user from domain.org. Not sure if the real DN just got lost in the obfuscation.
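As an added illustration (not code from the thread or from the SSSD project), the triage below parses SSSD debug-log lines in the format quoted above and buckets them by the three symptoms the reply walks through: resolver failures, the krb5.conf permission error, and subdomain creation, with any other line at or below the "serious failure" debug level flagged separately. The sample lines are the ones quoted in the thread; the rule names and the ERROR_MAX_LEVEL cut-off are my own choices.

```python
import re
from collections import defaultdict

# One SSSD debug log line, in the format quoted in the thread above:
#   (timestamp) [sssd[be[DOMAIN]]] [function] (0xLEVEL): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[(?P<proc>sssd\[[^ ]*)\] "
                     r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")

# SSSD debug_level bits 0x0010/0x0020/0x0040 are fatal, critical and serious failures;
# anything at or below 0x0040 is worth a look (cut-off chosen here, not an SSSD setting).
ERROR_MAX_LEVEL = 0x0040

# Symptom rules taken from the thread: (label, function-name prefix, message substring).
RULES = [
    ("resolver", "resolv_", "querying hosts database failed"),
    ("resolver", "nsupdate_", "Could not contact DNS servers"),
    ("krb5conf-permission", "sss_krb5_touch_config", "Permission denied"),
    ("subdomain", "new_subdomain", "as subdomain of"),
]

def parse_line(line):
    """Split one log line into its fields; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)   # hex bitmask as printed by SSSD
    return rec

def triage(lines):
    """Bucket log lines by symptom; unmatched lines at error level land in 'other-error'."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = next((name for name, prefix, needle in RULES
                      if rec["func"].startswith(prefix) and needle in rec["msg"]), None)
        if label is None and rec["level"] <= ERROR_MAX_LEVEL:
            label = "other-error"
        if label is not None:
            hits[label].append((rec["ts"], rec["func"], rec["msg"]))
    return dict(hits)

# Constructed sample: the lines quoted in the thread above.
SAMPLE = [
    "(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_done] (0x0040): querying hosts database failed [5]: Input/output error",
    "(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [nsupdate_get_addrs_done] (0x0040): Could not resolve address for this machine, error [5]: Input/output error, resolver returned: [11]: Could not contact DNS servers",
    '(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [sss_krb5_touch_config] (0x0020): Unable to change mtime of "/etc/krb5.conf" [13]: Permission denied',
    "(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [sss_write_domain_mappings] (0x0020): Unable to change last modification time of krb5.conf. Created mappings may not be loaded.",
    "(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [new_subdomain] (0x0400): Creating [domain.org] as subdomain of [B.DOMAIN.ORG]!",
]
```

Running `triage` over a full sssd_DOMAIN.log gives a quick count per symptom before reading the trace lines in order.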
sssd-users@lists.fedorahosted.org