10:04 a.m.
Hi,
Trying to configure SSSD on a CentOS server and running into some issues.
Hoping to get some guidance here...
All the install steps are successful and at the end "net ads testjoin"
confirms that join is valid. Computer object gets created on AD(Windows).
But authentication attempts result in access denied and, following is
recorded under the logs(Log level for domain set to 2)
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init]
(0x0020): No selinux module provided for [xyz.local] !!
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init]
(0x0020): No host info module provided for [xyz.local] !!
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040):
SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more
information (Server not found in Kerberos database)
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020):
ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]]
[sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed
[11]: Resource temporarily unavailable
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040):
Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send]
(0x0020): No available servers for service 'AD'
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done]
(0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send]
(0x0020): No available servers for service 'AD'
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done]
(0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040):
SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more
information (Server not found in Kerberos database)
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020):
ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040):
SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more
information (Server not found in Kerberos database)
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020):
ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
[sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed
[11]: Resource temporarily unavailable
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040):
Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send]
(0x0020): No available servers for service 'AD'
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done]
(0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
[sdap_dyndns_update_addrs_done] (0x0040): Can't get addresses for DNS update
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
[ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed
[1432158234]: Dynamic DNS update not possible while offline
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_dyndns_nsupdate_done]
(0x0040): Updating DNS entry failed [1432158234]: Dynamic DNS update not
possible while offline
I see couple of obvious errors here, mainly the ones for SASL: GSSAPI and "
Failed to connect, going offline (5 [Input/output error])" although not
sure if they are all related to a common failure.
Although when I try to use ldapsearch directly, it gives the same SASL
error.
]# ldapsearch -H ldap://AD-Server.xyz.local/ -Y GSSAPI -N -b
"dc=xyz,dc=local"
"(&(objectClass=user)(sAMAccountName=first.last))"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information (Server
not found in Kerberos database)
Here is sssd.conf:
[sssd]
domains = XYZ.LOCAL
services = nss, pam, sudo
config_file_version = 2
debug_level = 0
[nss]
[pam]
[sudo]
debug_level=2
[domain/xyz.local]
debug_level=2
ad_server = AD-Server.xyz.local
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
ldap_id_mapping = true
ldap_use_tokengroups = False
ldap_sasl_mech = GSSAPI
krb5_realm = XYZ.LOCAL
ldap_uri = ldap://AD-Server.xyz.local
ldap_sudo_search_base = ou=Groups,dc=xyz,dc=local
ldap_user_search_base = dc=xyz,dc=local
ldap_user_object_class = user
ldap_group_search_base = ou=Groups,dc=xyz,dc=local
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_access_filter = ...
cache_credentials = true
override_homedir = /home/%d/%u
default_shell = /bin/bash
ldap_schema = ad
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HOSTNAME$(a)XYZ.LOCAL
Valid starting Expires Service principal
04/04/17 13:58:20 04/04/17 23:58:05 krbtgt/XYZ.LOCAL(a)XYZ.LOCAL
renew until 04/11/17 13:58:20
04/04/17 14:00:09 04/04/17 23:58:05 ldap/AD-server.xyz.local(a)XYZ.LOCAL
renew until 04/11/17 13:58:20
# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
2 host/hostname.xyz.local(a)XYZ.LOCAL
2 host/hostname.xyz.local(a)XYZ.LOCAL
2 host/hostname.xyz.local(a)XYZ.LOCAL
2 host/hostname.xyz.local(a)XYZ.LOCAL
2 host/hostname.xyz.local(a)XYZ.LOCAL
2 host/hostname(a)XYZ.LOCAL
2 host/hostname(a)XYZ.LOCAL
2 host/hostname(a)XYZ.LOCAL
2 host/hostname(a)XYZ.LOCAL
2 host/hostname(a)XYZ.LOCAL
2 HOSTNAME$(a)XYZ.LOCAL
2 HOSTNAME$(a)XYZ.LOCAL
2 HOSTNAME$(a)XYZ.LOCAL
2 HOSTNAME$(a)XYZ.LOCAL
2 HOSTNAME$(a)XYZ.LOCAL
# net ads testjoin
Join is OK
Please let me know if I need to increase logging level to capture
additional details.
Many Thanks,
~ Abhi
10:15 a.m.
On (04/04/17 11:04), Abhijit Tikekar wrote:
Hi,
Trying to configure SSSD on a CentOS server and running into some issues.
Hoping to get some guidance here...
All the install steps are successful and at the end "net ads testjoin"
confirms that join is valid. Computer object gets created on AD(Windows).
But authentication attempts result in access denied and, following is
recorded under the logs(Log level for domain set to 2)
Try to use higher debug_level. Maybe even the full (9)
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init]
(0x0020): No selinux module provided for [xyz.local] !!
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init]
(0x0020): No host info module provided for [xyz.local] !!
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040):
SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more
information (Server not found in Kerberos database)
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020):
ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]]
[sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed
[11]: Resource temporarily unavailable
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040):
Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send]
(0x0020): No available servers for service 'AD'
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done]
(0x0020): Failed to connect, going offline (5 [Input/output error])
Please look into
/var/log/sssd/ldap_child.log
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]]
[fo_resolve_service_send]
(0x0020): No available servers for service 'AD'
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done]
(0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040):
SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more
information (Server not found in Kerberos database)
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020):
ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040):
SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more
information (Server not found in Kerberos database)
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020):
ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
[sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed
[11]: Resource temporarily unavailable
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040):
Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send]
(0x0020): No available servers for service 'AD'
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done]
(0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
[sdap_dyndns_update_addrs_done] (0x0040): Can't get addresses for DNS update
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
[ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed
[1432158234]: Dynamic DNS update not possible while offline
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_dyndns_nsupdate_done]
(0x0040): Updating DNS entry failed [1432158234]: Dynamic DNS update not
possible while offline
I see couple of obvious errors here, mainly the ones for SASL: GSSAPI and "
Failed to connect, going offline (5 [Input/output error])" although not
sure if they are all related to a common failure.
Although when I try to use ldapsearch directly, it gives the same SASL
error.
]# ldapsearch -H ldap://AD-Server.xyz.local/ -Y GSSAPI -N -b
"dc=xyz,dc=local"
"(&(objectClass=user)(sAMAccountName=first.last))"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information (Server
not found in Kerberos database)
It is a little bit suspicious that ldapsearch
fails.
If ldap_child.log is not usefull for troubleshooting
then please try to debug with ldapsearch.
ldapsearch -d 7 ...
I am not sure whether bitmast 7 is enough for troubleshooting sasl issue.
You might try to increase it.
Here is sssd.conf:
[sssd]
domains = XYZ.LOCAL
services = nss, pam, sudo
config_file_version = 2
debug_level = 0
[nss]
[pam]
[sudo]
debug_level=2
[domain/xyz.local]
debug_level=2
ad_server = AD-Server.xyz.local
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
ldap_id_mapping = true
ldap_use_tokengroups = False
ldap_sasl_mech = GSSAPI
krb5_realm = XYZ.LOCAL
ldap_uri = ldap://AD-Server.xyz.local
ldap_sudo_search_base = ou=Groups,dc=xyz,dc=local
ldap_user_search_base = dc=xyz,dc=local
ldap_user_object_class = user
ldap_group_search_base = ou=Groups,dc=xyz,dc=local
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_access_filter = ...
Is there any reason why you configuread all ldap_* options?
I think default provided with id_provider ad (e.g. ldap_schema = ad)
shoudl be fine.
cache_credentials = true
override_homedir = /home/%d/%u
default_shell = /bin/bash
ldap_schema = ad
LS
10:54 a.m.
On Tue, Apr 04, 2017 at 05:15:58PM +0200, Lukas Slebodnik wrote:
On (04/04/17 11:04), Abhijit Tikekar wrote:
>Hi,
>
>Trying to configure SSSD on a CentOS server and running into some issues.
>Hoping to get some guidance here...
>
>All the install steps are successful and at the end "net ads testjoin"
>confirms that join is valid. Computer object gets created on AD(Windows).
>But authentication attempts result in access denied and, following is
>recorded under the logs(Log level for domain set to 2)
>
Try to use higher debug_level. Maybe even the full (9)
>(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init]
>(0x0020): No selinux module provided for [xyz.local] !!
>(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init]
>(0x0020): No host info module provided for [xyz.local] !!
>(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040):
>SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more
>information (Server not found in Kerberos database)
This is the error.
Is this centos-6? If yes, then setting rdns=false in krb5.conf and
SASL_NOCANON in ldap.conf helped (both are the defaults on centos-7 already)
> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020):
> >ldap_sasl_bind failed (-2)[Local error]
> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]]
> >[sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed
> >[11]: Resource temporarily unavailable
> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040):
> >Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send]
> >(0x0020): No available servers for service 'AD'
> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done]
> >(0x0020): Failed to connect, going offline (5 [Input/output error])
> Please look into /var/log/sssd/ldap_child.log
>
> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send]
> >(0x0020): No available servers for service 'AD'
> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done]
> >(0x0020): Failed to connect, going offline (5 [Input/output error])
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040):
> >SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more
> >information (Server not found in Kerberos database)
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020):
> >ldap_sasl_bind failed (-2)[Local error]
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040):
> >SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more
> >information (Server not found in Kerberos database)
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020):
> >ldap_sasl_bind failed (-2)[Local error]
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
> >[sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed
> >[11]: Resource temporarily unavailable
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040):
> >Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send]
> >(0x0020): No available servers for service 'AD'
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done]
> >(0x0020): Failed to connect, going offline (5 [Input/output error])
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
> >[sdap_dyndns_update_addrs_done] (0x0040): Can't get addresses for DNS update
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
> >[ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed
> >[1432158234]: Dynamic DNS update not possible while offline
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_dyndns_nsupdate_done]
> >(0x0040): Updating DNS entry failed [1432158234]: Dynamic DNS update not
> >possible while offline
> >
> >
> >I see couple of obvious errors here, mainly the ones for SASL: GSSAPI and "
> >Failed to connect, going offline (5 [Input/output error])" although not
> >sure if they are all related to a common failure.
> >
> >Although when I try to use ldapsearch directly, it gives the same SASL
> >error.
> >
> >]# ldapsearch -H ldap://AD-Server.xyz.local/ -Y GSSAPI -N -b
> >"dc=xyz,dc=local"
"(&(objectClass=user)(sAMAccountName=first.last))"
> >SASL/GSSAPI authentication started
> >ldap_sasl_interactive_bind_s: Local error (-2)
> > additional info: SASL(-1): generic failure: GSSAPI Error:
> >Unspecified GSS failure. Minor code may provide more information (Server
> >not found in Kerberos database)
> It is a little bit suspicious that ldapsearch fails.
> If ldap_child.log is not usefull for troubleshooting
> then please try to debug with ldapsearch.
>
> ldapsearch -d 7 ...
>
> I am not sure whether bitmast 7 is enough for troubleshooting sasl issue.
> You might try to increase it.
>
>
> >Here is sssd.conf:
> >
> >[sssd]
> >domains = XYZ.LOCAL
> >services = nss, pam, sudo
> >config_file_version = 2
> >debug_level = 0
> >[nss]
> >[pam]
> >[sudo]
> >debug_level=2
> >[domain/xyz.local]
> >debug_level=2
> >ad_server = AD-Server.xyz.local
> >id_provider = ad
> >auth_provider = ad
> >access_provider = ad
> >sudo_provider = ad
> >ldap_id_mapping = true
> >ldap_use_tokengroups = False
> >ldap_sasl_mech = GSSAPI
> >krb5_realm = XYZ.LOCAL
> >ldap_uri = ldap://AD-Server.xyz.local
> >ldap_sudo_search_base = ou=Groups,dc=xyz,dc=local
> >ldap_user_search_base = dc=xyz,dc=local
> >ldap_user_object_class = user
> >ldap_group_search_base = ou=Groups,dc=xyz,dc=local
> >ldap_group_object_class = group
> >ldap_user_home_directory = unixHomeDirectory
> >ldap_user_principal = userPrincipalName
> >ldap_access_order = filter, expire
> >ldap_account_expire_policy = ad
> >ldap_access_filter = ...
>
> Is there any reason why you configuread all ldap_* options?
> I think default provided with id_provider ad (e.g. ldap_schema = ad)
> shoudl be fine.
>
> >cache_credentials = true
> >override_homedir = /home/%d/%u
> >default_shell = /bin/bash
> >ldap_schema = ad
> >
>
> LS
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
7:11 a.m.
Thanks Jakub,
ldapsearch now completes successfully, but when users tries to
authenticate, they still get access denied. We have confirmed that user
does exist in the groups listed under access filter & both id and getent
passwd return correct user data.
Each time user tries to log in,we get the following under krb5_child.log (
Debug level 3)
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]]
[privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [sss_send_pac]
(0x0040): sss_pac_make_request failed [-1][2].
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [validate_tgt]
(0x0040): sss_send_pac failed, group membership for user with principal
[first.last\@XYZ.LOCAL(a)XYZ.LOCAL] might not be correct.
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [sss_unique_file_ex]
(0x0040): mkstemp("/tmp/krb5cc_1616401130_1o13tv") failed [13]: Permission
denied!
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [handle_randomized]
(0x0020): mkstemp("/tmp/krb5cc_1616401130_1o13tv") failed [13]: Permission
denied!
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [create_ccache]
(0x0020): handle_randomized failed: 13
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [map_krb5_error]
(0x0020): 1301: [13][Permission denied]
Same log with Debug level set to 9:
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x0400):
krb5_child started.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer]
(0x1000): total buffer size: [141]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer]
(0x0100): cmd [241] uid [xxxxxxxxxx] gid [yyyyyyyyyy] validate [true]
enterprise principal [true] offline [false] UPN [first.last(a)XYZ.LOCAL]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer]
(0x2000): No old ccache
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_xxxxxxxxxx_XXXXXX] old_ccname: [not
set] keytab: [/etc/krb5.keytab]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [check_use_fast]
(0x0100): Not using FAST.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[k5c_precreate_ccache] (0x4000): Recreating ccache
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [become_user]
(0x0200): Trying to become user [xxxxxxxxxx][yyyyyyyyyy].
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x2000):
Running as [xxxxxxxxxx][yyyyyyyyyy].
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_setup]
(0x2000): Running as [xxxxxxxxxx][yyyyyyyyyy].
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
from environment.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x0400):
Will perform online auth
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [tgt_req_child]
(0x1000): Attempting to get a TGT
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [get_and_save_tgt]
(0x0400): Attempting kinit for realm [XYZ.LOCAL]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.810727: Getting
initial credentials for first.last\@XYZ.LOCAL(a)XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.810806: Sending
request (225 bytes) to XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.810936: Sending
initial UDP request to dgram 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811646: Received
answer from dgram 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811694: Response was
from master KDC
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811716: Received
error from KDC: -1765328359/Additional pre-authentication required
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811748: Processing
preauth types: 16, 15, 19, 2
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811763: Selected
etype info: etype aes256-cts, salt "XYZ.LOCALfirst.last", params ""
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819089: AS key
obtained for encrypted timestamp: aes256-cts/2DA7
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819143: Encrypted
timestamp (for 1491392737.819101): plain
301AA011180F32303137303430353131343533375AA10502030C7F9D, encrypted
6DF95051B1B8FC33CB5F2CF23D4915C373FD528D0D570D3C439F38C5E17F36FDAA031546B06D47748D0996FC0BAD103BA1DEB49E84AE73A1
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819155: Preauth
module encrypted_timestamp (2) (flags=1) returned: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819161: Produced
preauth for next request: 2
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819174: Sending
request (305 bytes) to XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819226: Sending
initial UDP request to dgram 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820166: Received
answer from dgram 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820256: Response was
from master KDC
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820271: Received
error from KDC: -1765328332/Response too big for UDP, retry with TCP
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820278: Request or
response is too big for UDP; retrying with TCP
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820284: Sending
request (305 bytes) to XYZ.LOCAL (tcp only)
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820311: Initiating
TCP connection to stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820537: Sending TCP
request to stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821449: Received
answer from stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821526: Response was
from master KDC
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821547: Processing
preauth types: 19
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821555: Selected
etype info: etype aes256-cts, salt "XYZ.LOCALfirst.last", params ""
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821561: Produced
preauth for next request: (empty)
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821569: AS key
determined by preauth: aes256-cts/2DA7
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821603: Decrypted AS
reply; session key is: aes256-cts/2A55
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821619: FAST
negotiation: unavailable
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_krb5_expire_callback_func] (0x2000): exp_time: [3559012]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [validate_tgt]
(0x2000): Found keytab entry with the realm of the credential.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821678: Retrieving
host/hostname.xyz.local(a)XYZ.LOCAL from MEMORY:/etc/krb5.keytab (vno 0,
enctype 0) with result: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821685: Resolving
unique ccache of type MEMORY
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821698: Initializing
MEMORY:M2bO4Sd with default princ first.last(a)XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821706: Removing
first.last(a)XYZ.LOCAL -> krbtgt/XYZ.LOCAL(a)XYZ.LOCAL from MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821713: Storing
first.last(a)XYZ.LOCAL -> krbtgt/XYZ.LOCAL(a)XYZ.LOCAL in MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821728: Getting
credentials first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL using
ccache MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821747: Retrieving
first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL from
MEMORY:M2bO4Sd with result: -1765328243/Matching credential not found
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821775: Retrieving
first.last(a)XYZ.LOCAL -> krbtgt/XYZ.LOCAL(a)XYZ.LOCAL from MEMORY:M2bO4Sd with
result: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821784: Found cached
TGT for service realm: first.last(a)XYZ.LOCAL -> krbtgt/XYZ.LOCAL(a)XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821791: Requesting
tickets for host/hostname.xyz.local(a)XYZ.LOCAL, referrals on
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821815: Generated
subkey for TGS request: aes256-cts/AB86
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821826: etypes
requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821901: Sending
request (1553 bytes) to XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821950: Initiating
TCP connection to stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.822167: Sending TCP
request to stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823154: Received
answer from stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823260: Response was
from master KDC
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823300: TGS reply is
for first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL with session
key rc4-hmac/81A7
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823318: TGS request
result: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823328: Received
creds for desired service host/hostname.xyz.local(a)XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823335: Removing
first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL from
MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823342: Storing
first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL in MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823366: Creating
authenticator for first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL,
seqnum 0, subkey (null, session key rc4-hmac/81A7
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823410: Retrieving
host/hostname.xyz.local(a)XYZ.LOCAL from MEMORY:/etc/krb5.keytab (vno 2,
enctype rc4-hmac) with result: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823466: Decrypted
AP-REQ with specified server principal host/hostname.xyz.local(a)XYZ.LOCAL:
rc4-hmac/4965
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823478: AP-REQ
ticket: first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL, session
key rc4-hmac/81A7
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823609: Negotiated
enctype based on authenticator: rc4-hmac
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823625: Initializing
MEMORY:rd_req2 with default princ first.last(a)XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823635: Removing
first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL from
MEMORY:rd_req2
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823642: Storing
first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL in MEMORY:rd_req2
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823654: Destroying
ccache MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [validate_tgt]
(0x0400): TGT verified using key for [host/hostname.xyz.local(a)XYZ.LOCAL].
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823690: Retrieving
first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL from
MEMORY:rd_req2 with result: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823733: Retrieving
host/hostname.xyz.local(a)XYZ.LOCAL from MEMORY:/etc/krb5.keytab (vno 2,
enctype rc4-hmac) with result: 0/Success
*(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_send_pac]
(0x0040): sss_pac_make_request failed [-1][2].(Wed Apr 5 11:45:37 2017)
[[sssd[krb5_child[11215]]]] [validate_tgt] (0x0040): sss_send_pac failed,
group membership for user with principal [first.last\@XYZ.LOCAL(a)XYZ.LOCAL]
might not be correct.(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823772: Destroying
ccache MEMORY:rd_req2(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_get_ccache_name_for_principal] (0x4000): Location:
[FILE:/tmp/krb5cc_xxxxxxxxxx_XXXXXX](Wed Apr 5 11:45:37 2017)
[[sssd[krb5_child[11215]]]] [sss_get_ccache_name_for_principal] (0x2000):
krb5_cc_cache_match failed: [-1765328243][Can't find client principal
first.last(a)XYZ.LOCAL in cache collection](Wed Apr 5 11:45:37 2017)
[[sssd[krb5_child[11215]]]] [sss_unique_file_ex] (0x0040):
mkstemp("/tmp/krb5cc_xxxxxxxxxx_C2Mqqg") failed [13]: Permission
denied!(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[handle_randomized] (0x0020): mkstemp("/tmp/krb5cc_xxxxxxxxxx_C2Mqqg")
failed [13]: Permission denied!(Wed Apr 5 11:45:37 2017)
[[sssd[krb5_child[11215]]]] [create_ccache] (0x0020): handle_randomized
failed: 13(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[map_krb5_error] (0x0020): 1301: [13][Permission denied]*
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_send_data]
(0x0200): Received error code 1432158209
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[pack_response_packet] (0x2000): response packet size: [20]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_send_data]
(0x4000): Response sent.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x0400):
krb5_child completed successfully
Thanks,
~ Abhi
On Tue, Apr 4, 2017 at 11:54 AM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
On Tue, Apr 04, 2017 at 05:15:58PM +0200, Lukas Slebodnik wrote:
> On (04/04/17 11:04), Abhijit Tikekar wrote:
> >Hi,
> >
> >Trying to configure SSSD on a CentOS server and running into some
issues.
> >Hoping to get some guidance here...
> >
> >All the install steps are successful and at the end "net ads
testjoin"
> >confirms that join is valid. Computer object gets created on
AD(Windows).
> >But authentication attempts result in access denied and, following is
> >recorded under the logs(Log level for domain set to 2)
> >
> Try to use higher debug_level. Maybe even the full (9)
>
> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init]
> >(0x0020): No selinux module provided for [xyz.local] !!
> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init]
> >(0x0020): No host info module provided for [xyz.local] !!
> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040):
> >SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide
more
> >information (Server not found in Kerberos database)
This is the error.
Is this centos-6? If yes, then setting rdns=false in krb5.conf and
SASL_NOCANON in ldap.conf helped (both are the defaults on centos-7
already)
> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sasl_bind_send]
(0x0020):
> >ldap_sasl_bind failed (-2)[Local error]
> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]]
> >[sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed
> >[11]: Resource temporarily unavailable
> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_ptask_done]
(0x0040):
> >Task [SUDO Full Refresh]: failed with [11]: Resource temporarily
unavailable
> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]]
[fo_resolve_service_send]
> >(0x0020): No available servers for service 'AD'
> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]]
[sdap_id_op_connect_done]
> >(0x0020): Failed to connect, going offline (5 [Input/output error])
> Please look into /var/log/sssd/ldap_child.log
>
> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]]
[fo_resolve_service_send]
> >(0x0020): No available servers for service 'AD'
> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]]
[sdap_id_op_connect_done]
> >(0x0020): Failed to connect, going offline (5 [Input/output error])
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040):
> >SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide
more
> >information (Server not found in Kerberos database)
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send]
(0x0020):
> >ldap_sasl_bind failed (-2)[Local error]
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040):
> >SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide
more
> >information (Server not found in Kerberos database)
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send]
(0x0020):
> >ldap_sasl_bind failed (-2)[Local error]
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
> >[sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed
> >[11]: Resource temporarily unavailable
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [be_ptask_done]
(0x0040):
> >Task [SUDO Full Refresh]: failed with [11]: Resource temporarily
unavailable
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
[fo_resolve_service_send]
> >(0x0020): No available servers for service 'AD'
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
[sdap_id_op_connect_done]
> >(0x0020): Failed to connect, going offline (5 [Input/output error])
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
> >[sdap_dyndns_update_addrs_done] (0x0040): Can't get addresses for DNS
update
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
> >[ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed
> >[1432158234]: Dynamic DNS update not possible while offline
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
[ad_dyndns_nsupdate_done]
> >(0x0040): Updating DNS entry failed [1432158234]: Dynamic DNS update not
> >possible while offline
> >
> >
> >I see couple of obvious errors here, mainly the ones for SASL: GSSAPI
and "
> >Failed to connect, going offline (5 [Input/output error])" although not
> >sure if they are all related to a common failure.
> >
> >Although when I try to use ldapsearch directly, it gives the same SASL
> >error.
> >
> >]# ldapsearch -H ldap://AD-Server.xyz.local/ -Y GSSAPI -N -b
> >"dc=xyz,dc=local"
"(&(objectClass=user)(sAMAccountName=first.last))"
> >SASL/GSSAPI authentication started
> >ldap_sasl_interactive_bind_s: Local error (-2)
> > additional info: SASL(-1): generic failure: GSSAPI Error:
> >Unspecified GSS failure. Minor code may provide more information
(Server
> >not found in Kerberos database)
> It is a little bit suspicious that ldapsearch fails.
> If ldap_child.log is not usefull for troubleshooting
> then please try to debug with ldapsearch.
>
> ldapsearch -d 7 ...
>
> I am not sure whether bitmast 7 is enough for troubleshooting sasl issue.
> You might try to increase it.
>
>
> >Here is sssd.conf:
> >
> >[sssd]
> >domains = XYZ.LOCAL
> >services = nss, pam, sudo
> >config_file_version = 2
> >debug_level = 0
> >[nss]
> >[pam]
> >[sudo]
> >debug_level=2
> >[domain/xyz.local]
> >debug_level=2
> >ad_server = AD-Server.xyz.local
> >id_provider = ad
> >auth_provider = ad
> >access_provider = ad
> >sudo_provider = ad
> >ldap_id_mapping = true
> >ldap_use_tokengroups = False
> >ldap_sasl_mech = GSSAPI
> >krb5_realm = XYZ.LOCAL
> >ldap_uri = ldap://AD-Server.xyz.local
> >ldap_sudo_search_base = ou=Groups,dc=xyz,dc=local
> >ldap_user_search_base = dc=xyz,dc=local
> >ldap_user_object_class = user
> >ldap_group_search_base = ou=Groups,dc=xyz,dc=local
> >ldap_group_object_class = group
> >ldap_user_home_directory = unixHomeDirectory
> >ldap_user_principal = userPrincipalName
> >ldap_access_order = filter, expire
> >ldap_account_expire_policy = ad
> >ldap_access_filter = ...
>
> Is there any reason why you configuread all ldap_* options?
> I think default provided with id_provider ad (e.g. ldap_schema = ad)
> shoudl be fine.
>
> >cache_credentials = true
> >override_homedir = /home/%d/%u
> >default_shell = /bin/bash
> >ldap_schema = ad
> >
>
> LS
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
7:27 a.m.
On Wed, Apr 05, 2017 at 08:11:01AM -0400, Abhijit Tikekar wrote:
Thanks Jakub,
ldapsearch now completes successfully, but when users tries to
authenticate, they still get access denied. We have confirmed that user
does exist in the groups listed under access filter & both id and getent
passwd return correct user data.
Each time user tries to log in,we get the following under krb5_child.log (
Debug level 3)
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]]
[privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [sss_send_pac]
(0x0040): sss_pac_make_request failed [-1][2].
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [validate_tgt]
(0x0040): sss_send_pac failed, group membership for user with principal
[first.last\@XYZ.LOCAL(a)XYZ.LOCAL] might not be correct.
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [sss_unique_file_ex]
(0x0040): mkstemp("/tmp/krb5cc_1616401130_1o13tv") failed [13]: Permission
denied!
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [handle_randomized]
(0x0020): mkstemp("/tmp/krb5cc_1616401130_1o13tv") failed [13]: Permission
denied!
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [create_ccache]
(0x0020): handle_randomized failed: 13
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [map_krb5_error]
(0x0020): 1301: [13][Permission denied]
Same log with Debug level set to 9:
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x0400):
krb5_child started.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer]
(0x1000): total buffer size: [141]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer]
(0x0100): cmd [241] uid [xxxxxxxxxx] gid [yyyyyyyyyy] validate [true]
enterprise principal [true] offline [false] UPN [first.last(a)XYZ.LOCAL]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer]
(0x2000): No old ccache
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_xxxxxxxxxx_XXXXXX] old_ccname: [not
set] keytab: [/etc/krb5.keytab]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [check_use_fast]
(0x0100): Not using FAST.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[k5c_precreate_ccache] (0x4000): Recreating ccache
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [become_user]
(0x0200): Trying to become user [xxxxxxxxxx][yyyyyyyyyy].
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x2000):
Running as [xxxxxxxxxx][yyyyyyyyyy].
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_setup]
(0x2000): Running as [xxxxxxxxxx][yyyyyyyyyy].
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME]
from environment.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x0400):
Will perform online auth
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [tgt_req_child]
(0x1000): Attempting to get a TGT
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [get_and_save_tgt]
(0x0400): Attempting kinit for realm [XYZ.LOCAL]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.810727: Getting
initial credentials for first.last\@XYZ.LOCAL(a)XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.810806: Sending
request (225 bytes) to XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.810936: Sending
initial UDP request to dgram 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811646: Received
answer from dgram 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811694: Response was
from master KDC
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811716: Received
error from KDC: -1765328359/Additional pre-authentication required
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811748: Processing
preauth types: 16, 15, 19, 2
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811763: Selected
etype info: etype aes256-cts, salt "XYZ.LOCALfirst.last", params ""
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819089: AS key
obtained for encrypted timestamp: aes256-cts/2DA7
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819143: Encrypted
timestamp (for 1491392737.819101): plain
301AA011180F32303137303430353131343533375AA10502030C7F9D, encrypted
6DF95051B1B8FC33CB5F2CF23D4915C373FD528D0D570D3C439F38C5E17F36FDAA031546B06D47748D0996FC0BAD103BA1DEB49E84AE73A1
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819155: Preauth
module encrypted_timestamp (2) (flags=1) returned: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819161: Produced
preauth for next request: 2
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819174: Sending
request (305 bytes) to XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819226: Sending
initial UDP request to dgram 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820166: Received
answer from dgram 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820256: Response was
from master KDC
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820271: Received
error from KDC: -1765328332/Response too big for UDP, retry with TCP
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820278: Request or
response is too big for UDP; retrying with TCP
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820284: Sending
request (305 bytes) to XYZ.LOCAL (tcp only)
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820311: Initiating
TCP connection to stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820537: Sending TCP
request to stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821449: Received
answer from stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821526: Response was
from master KDC
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821547: Processing
preauth types: 19
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821555: Selected
etype info: etype aes256-cts, salt "XYZ.LOCALfirst.last", params ""
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821561: Produced
preauth for next request: (empty)
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821569: AS key
determined by preauth: aes256-cts/2DA7
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821603: Decrypted AS
reply; session key is: aes256-cts/2A55
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821619: FAST
negotiation: unavailable
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_krb5_expire_callback_func] (0x2000): exp_time: [3559012]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [validate_tgt]
(0x2000): Found keytab entry with the realm of the credential.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821678: Retrieving
host/hostname.xyz.local(a)XYZ.LOCAL from MEMORY:/etc/krb5.keytab (vno 0,
enctype 0) with result: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821685: Resolving
unique ccache of type MEMORY
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821698: Initializing
MEMORY:M2bO4Sd with default princ first.last(a)XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821706: Removing
first.last(a)XYZ.LOCAL -> krbtgt/XYZ.LOCAL(a)XYZ.LOCAL from MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821713: Storing
first.last(a)XYZ.LOCAL -> krbtgt/XYZ.LOCAL(a)XYZ.LOCAL in MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821728: Getting
credentials first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL using
ccache MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821747: Retrieving
first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL from
MEMORY:M2bO4Sd with result: -1765328243/Matching credential not found
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821775: Retrieving
first.last(a)XYZ.LOCAL -> krbtgt/XYZ.LOCAL(a)XYZ.LOCAL from MEMORY:M2bO4Sd with
result: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821784: Found cached
TGT for service realm: first.last(a)XYZ.LOCAL -> krbtgt/XYZ.LOCAL(a)XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821791: Requesting
tickets for host/hostname.xyz.local(a)XYZ.LOCAL, referrals on
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821815: Generated
subkey for TGS request: aes256-cts/AB86
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821826: etypes
requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821901: Sending
request (1553 bytes) to XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821950: Initiating
TCP connection to stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.822167: Sending TCP
request to stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823154: Received
answer from stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823260: Response was
from master KDC
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823300: TGS reply is
for first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL with session
key rc4-hmac/81A7
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823318: TGS request
result: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823328: Received
creds for desired service host/hostname.xyz.local(a)XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823335: Removing
first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL from
MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823342: Storing
first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL in MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823366: Creating
authenticator for first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL,
seqnum 0, subkey (null, session key rc4-hmac/81A7
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823410: Retrieving
host/hostname.xyz.local(a)XYZ.LOCAL from MEMORY:/etc/krb5.keytab (vno 2,
enctype rc4-hmac) with result: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823466: Decrypted
AP-REQ with specified server principal host/hostname.xyz.local(a)XYZ.LOCAL:
rc4-hmac/4965
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823478: AP-REQ
ticket: first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL, session
key rc4-hmac/81A7
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823609: Negotiated
enctype based on authenticator: rc4-hmac
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823625: Initializing
MEMORY:rd_req2 with default princ first.last(a)XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823635: Removing
first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL from
MEMORY:rd_req2
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823642: Storing
first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL in MEMORY:rd_req2
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823654: Destroying
ccache MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [validate_tgt]
(0x0400): TGT verified using key for [host/hostname.xyz.local(a)XYZ.LOCAL].
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823690: Retrieving
first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL from
MEMORY:rd_req2 with result: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823733: Retrieving
host/hostname.xyz.local(a)XYZ.LOCAL from MEMORY:/etc/krb5.keytab (vno 2,
enctype rc4-hmac) with result: 0/Success
*(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_send_pac]
(0x0040): sss_pac_make_request failed [-1][2].(Wed Apr 5 11:45:37 2017)
[[sssd[krb5_child[11215]]]] [validate_tgt] (0x0040): sss_send_pac failed,
group membership for user with principal [first.last\@XYZ.LOCAL(a)XYZ.LOCAL]
might not be correct.(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823772: Destroying
ccache MEMORY:rd_req2(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[sss_get_ccache_name_for_principal] (0x4000): Location:
[FILE:/tmp/krb5cc_xxxxxxxxxx_XXXXXX](Wed Apr 5 11:45:37 2017)
[[sssd[krb5_child[11215]]]] [sss_get_ccache_name_for_principal] (0x2000):
krb5_cc_cache_match failed: [-1765328243][Can't find client principal
first.last(a)XYZ.LOCAL in cache collection](Wed Apr 5 11:45:37 2017)
[[sssd[krb5_child[11215]]]] [sss_unique_file_ex] (0x0040):
mkstemp("/tmp/krb5cc_xxxxxxxxxx_C2Mqqg") failed [13]: Permission
denied!(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[handle_randomized] (0x0020): mkstemp("/tmp/krb5cc_xxxxxxxxxx_C2Mqqg")
Please check your permissions of /tmp. Normally /tmp should have 1777
permissions..
failed [13]: Permission denied!(Wed Apr 5 11:45:37 2017)
[[sssd[krb5_child[11215]]]] [create_ccache] (0x0020): handle_randomized
failed: 13(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[map_krb5_error] (0x0020): 1301: [13][Permission denied]*
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_send_data]
(0x0200): Received error code 1432158209
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
[pack_response_packet] (0x2000): response packet size: [20]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_send_data]
(0x4000): Response sent.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x0400):
krb5_child completed successfully
Thanks,
~ Abhi
On Tue, Apr 4, 2017 at 11:54 AM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
> On Tue, Apr 04, 2017 at 05:15:58PM +0200, Lukas Slebodnik wrote:
> > On (04/04/17 11:04), Abhijit Tikekar wrote:
> > >Hi,
> > >
> > >Trying to configure SSSD on a CentOS server and running into some
> issues.
> > >Hoping to get some guidance here...
> > >
> > >All the install steps are successful and at the end "net ads
testjoin"
> > >confirms that join is valid. Computer object gets created on
> AD(Windows).
> > >But authentication attempts result in access denied and, following is
> > >recorded under the logs(Log level for domain set to 2)
> > >
> > Try to use higher debug_level. Maybe even the full (9)
> >
> > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init]
> > >(0x0020): No selinux module provided for [xyz.local] !!
> > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init]
> > >(0x0020): No host info module provided for [xyz.local] !!
> > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040):
> > >SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide
> more
> > >information (Server not found in Kerberos database)
>
>
> This is the error.
>
> Is this centos-6? If yes, then setting rdns=false in krb5.conf and
> SASL_NOCANON in ldap.conf helped (both are the defaults on centos-7
> already)
>
> > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sasl_bind_send]
> (0x0020):
> > >ldap_sasl_bind failed (-2)[Local error]
> > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]]
> > >[sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed
> > >[11]: Resource temporarily unavailable
> > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_ptask_done]
> (0x0040):
> > >Task [SUDO Full Refresh]: failed with [11]: Resource temporarily
> unavailable
> > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]]
> [fo_resolve_service_send]
> > >(0x0020): No available servers for service 'AD'
> > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]]
> [sdap_id_op_connect_done]
> > >(0x0020): Failed to connect, going offline (5 [Input/output error])
> > Please look into /var/log/sssd/ldap_child.log
> >
> > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]]
> [fo_resolve_service_send]
> > >(0x0020): No available servers for service 'AD'
> > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]]
> [sdap_id_op_connect_done]
> > >(0x0020): Failed to connect, going offline (5 [Input/output error])
> > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040):
> > >SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide
> more
> > >information (Server not found in Kerberos database)
> > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send]
> (0x0020):
> > >ldap_sasl_bind failed (-2)[Local error]
> > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040):
> > >SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide
> more
> > >information (Server not found in Kerberos database)
> > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send]
> (0x0020):
> > >ldap_sasl_bind failed (-2)[Local error]
> > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
> > >[sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed
> > >[11]: Resource temporarily unavailable
> > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [be_ptask_done]
> (0x0040):
> > >Task [SUDO Full Refresh]: failed with [11]: Resource temporarily
> unavailable
> > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
> [fo_resolve_service_send]
> > >(0x0020): No available servers for service 'AD'
> > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
> [sdap_id_op_connect_done]
> > >(0x0020): Failed to connect, going offline (5 [Input/output error])
> > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
> > >[sdap_dyndns_update_addrs_done] (0x0040): Can't get addresses for DNS
> update
> > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
> > >[ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed
> > >[1432158234]: Dynamic DNS update not possible while offline
> > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
> [ad_dyndns_nsupdate_done]
> > >(0x0040): Updating DNS entry failed [1432158234]: Dynamic DNS update not
> > >possible while offline
> > >
> > >
> > >I see couple of obvious errors here, mainly the ones for SASL: GSSAPI
> and "
> > >Failed to connect, going offline (5 [Input/output error])" although
not
> > >sure if they are all related to a common failure.
> > >
> > >Although when I try to use ldapsearch directly, it gives the same SASL
> > >error.
> > >
> > >]# ldapsearch -H ldap://AD-Server.xyz.local/ -Y GSSAPI -N -b
> > >"dc=xyz,dc=local"
"(&(objectClass=user)(sAMAccountName=first.last))"
> > >SASL/GSSAPI authentication started
> > >ldap_sasl_interactive_bind_s: Local error (-2)
> > > additional info: SASL(-1): generic failure: GSSAPI Error:
> > >Unspecified GSS failure. Minor code may provide more information
> (Server
> > >not found in Kerberos database)
> > It is a little bit suspicious that ldapsearch fails.
> > If ldap_child.log is not usefull for troubleshooting
> > then please try to debug with ldapsearch.
> >
> > ldapsearch -d 7 ...
> >
> > I am not sure whether bitmast 7 is enough for troubleshooting sasl issue.
> > You might try to increase it.
> >
> >
> > >Here is sssd.conf:
> > >
> > >[sssd]
> > >domains = XYZ.LOCAL
> > >services = nss, pam, sudo
> > >config_file_version = 2
> > >debug_level = 0
> > >[nss]
> > >[pam]
> > >[sudo]
> > >debug_level=2
> > >[domain/xyz.local]
> > >debug_level=2
> > >ad_server = AD-Server.xyz.local
> > >id_provider = ad
> > >auth_provider = ad
> > >access_provider = ad
> > >sudo_provider = ad
> > >ldap_id_mapping = true
> > >ldap_use_tokengroups = False
> > >ldap_sasl_mech = GSSAPI
> > >krb5_realm = XYZ.LOCAL
> > >ldap_uri = ldap://AD-Server.xyz.local
> > >ldap_sudo_search_base = ou=Groups,dc=xyz,dc=local
> > >ldap_user_search_base = dc=xyz,dc=local
> > >ldap_user_object_class = user
> > >ldap_group_search_base = ou=Groups,dc=xyz,dc=local
> > >ldap_group_object_class = group
> > >ldap_user_home_directory = unixHomeDirectory
> > >ldap_user_principal = userPrincipalName
> > >ldap_access_order = filter, expire
> > >ldap_account_expire_policy = ad
> > >ldap_access_filter = ...
> >
> > Is there any reason why you configuread all ldap_* options?
> > I think default provided with id_provider ad (e.g. ldap_schema = ad)
> > shoudl be fine.
> >
> > >cache_credentials = true
> > >override_homedir = /home/%d/%u
> > >default_shell = /bin/bash
> > >ldap_schema = ad
> > >
> >
> > LS
> > _______________________________________________
> > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
>
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
2:14 p.m.
Thank you.
Fixing permissions resolved the issue.
~ Abhi
On Wed, Apr 5, 2017 at 8:27 AM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
On Wed, Apr 05, 2017 at 08:11:01AM -0400, Abhijit Tikekar wrote:
> Thanks Jakub,
>
> ldapsearch now completes successfully, but when users tries to
> authenticate, they still get access denied. We have confirmed that user
> does exist in the groups listed under access filter & both id and getent
> passwd return correct user data.
>
> Each time user tries to log in,we get the following under krb5_child.log
(
> Debug level 3)
>
> (Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]]
> [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
> (Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [sss_send_pac]
> (0x0040): sss_pac_make_request failed [-1][2].
> (Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [validate_tgt]
> (0x0040): sss_send_pac failed, group membership for user with principal
> [first.last\@XYZ.LOCAL(a)XYZ.LOCAL] might not be correct.
> (Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]]
[sss_unique_file_ex]
> (0x0040): mkstemp("/tmp/krb5cc_1616401130_1o13tv") failed [13]:
Permission
> denied!
> (Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]]
[handle_randomized]
> (0x0020): mkstemp("/tmp/krb5cc_1616401130_1o13tv") failed [13]:
Permission
> denied!
> (Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [create_ccache]
> (0x0020): handle_randomized failed: 13
> (Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [map_krb5_error]
> (0x0020): 1301: [13][Permission denied]
>
>
>
> Same log with Debug level set to 9:
>
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x0400):
> krb5_child started.
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer]
> (0x1000): total buffer size: [141]
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer]
> (0x0100): cmd [241] uid [xxxxxxxxxx] gid [yyyyyyyyyy] validate [true]
> enterprise principal [true] offline [false] UPN [first.last(a)XYZ.LOCAL]
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer]
> (0x2000): No old ccache
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer]
> (0x0100): ccname: [FILE:/tmp/krb5cc_xxxxxxxxxx_XXXXXX] old_ccname: [not
> set] keytab: [/etc/krb5.keytab]
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [check_use_fast]
> (0x0100): Not using FAST.
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [k5c_precreate_ccache] (0x4000): Recreating ccache
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [become_user]
> (0x0200): Trying to become user [xxxxxxxxxx][yyyyyyyyyy].
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x2000):
> Running as [xxxxxxxxxx][yyyyyyyyyy].
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_setup]
> (0x2000): Running as [xxxxxxxxxx][yyyyyyyyyy].
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [set_lifetime_options] (0x0100): Cannot read
[SSSD_KRB5_RENEWABLE_LIFETIME]
> from environment.
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
> environment.
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
[true]
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x0400):
> Will perform online auth
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [tgt_req_child]
> (0x1000): Attempting to get a TGT
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [get_and_save_tgt]
> (0x0400): Attempting kinit for realm [XYZ.LOCAL]
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.810727: Getting
> initial credentials for first.last\@XYZ.LOCAL(a)XYZ.LOCAL
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.810806: Sending
> request (225 bytes) to XYZ.LOCAL
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.810936: Sending
> initial UDP request to dgram 10.105.11.10:88
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811646: Received
> answer from dgram 10.105.11.10:88
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811694: Response
was
> from master KDC
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811716: Received
> error from KDC: -1765328359/Additional pre-authentication required
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811748: Processing
> preauth types: 16, 15, 19, 2
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811763: Selected
> etype info: etype aes256-cts, salt "XYZ.LOCALfirst.last", params
""
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819089: AS key
> obtained for encrypted timestamp: aes256-cts/2DA7
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819143: Encrypted
> timestamp (for 1491392737.819101): plain
> 301AA011180F32303137303430353131343533375AA10502030C7F9D, encrypted
> 6DF95051B1B8FC33CB5F2CF23D4915C373FD528D0D570D3C439F38C5E17F
36FDAA031546B06D47748D0996FC0BAD103BA1DEB49E84AE73A1
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819155: Preauth
> module encrypted_timestamp (2) (flags=1) returned: 0/Success
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819161: Produced
> preauth for next request: 2
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819174: Sending
> request (305 bytes) to XYZ.LOCAL
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819226: Sending
> initial UDP request to dgram 10.105.11.10:88
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820166: Received
> answer from dgram 10.105.11.10:88
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820256: Response
was
> from master KDC
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820271: Received
> error from KDC: -1765328332/Response too big for UDP, retry with TCP
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820278: Request or
> response is too big for UDP; retrying with TCP
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820284: Sending
> request (305 bytes) to XYZ.LOCAL (tcp only)
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820311: Initiating
> TCP connection to stream 10.105.11.10:88
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820537: Sending
TCP
> request to stream 10.105.11.10:88
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821449: Received
> answer from stream 10.105.11.10:88
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821526: Response
was
> from master KDC
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821547: Processing
> preauth types: 19
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821555: Selected
> etype info: etype aes256-cts, salt "XYZ.LOCALfirst.last", params
""
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821561: Produced
> preauth for next request: (empty)
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821569: AS key
> determined by preauth: aes256-cts/2DA7
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821603: Decrypted
AS
> reply; session key is: aes256-cts/2A55
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821619: FAST
> negotiation: unavailable
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_krb5_expire_callback_func] (0x2000): exp_time: [3559012]
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [validate_tgt]
> (0x2000): Found keytab entry with the realm of the credential.
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821678: Retrieving
> host/hostname.xyz.local(a)XYZ.LOCAL from MEMORY:/etc/krb5.keytab (vno 0,
> enctype 0) with result: 0/Success
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821685: Resolving
> unique ccache of type MEMORY
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821698:
Initializing
> MEMORY:M2bO4Sd with default princ first.last(a)XYZ.LOCAL
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821706: Removing
> first.last(a)XYZ.LOCAL -> krbtgt/XYZ.LOCAL(a)XYZ.LOCAL from MEMORY:M2bO4Sd
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821713: Storing
> first.last(a)XYZ.LOCAL -> krbtgt/XYZ.LOCAL(a)XYZ.LOCAL in MEMORY:M2bO4Sd
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821728: Getting
> credentials first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL
using
> ccache MEMORY:M2bO4Sd
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821747: Retrieving
> first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL from
> MEMORY:M2bO4Sd with result: -1765328243/Matching credential not found
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821775: Retrieving
> first.last(a)XYZ.LOCAL -> krbtgt/XYZ.LOCAL(a)XYZ.LOCAL from MEMORY:M2bO4Sd
with
> result: 0/Success
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821784: Found
cached
> TGT for service realm: first.last(a)XYZ.LOCAL ->
krbtgt/XYZ.LOCAL(a)XYZ.LOCAL
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821791: Requesting
> tickets for host/hostname.xyz.local(a)XYZ.LOCAL, referrals on
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821815: Generated
> subkey for TGS request: aes256-cts/AB86
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821826: etypes
> requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821901: Sending
> request (1553 bytes) to XYZ.LOCAL
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821950: Initiating
> TCP connection to stream 10.105.11.10:88
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.822167: Sending
TCP
> request to stream 10.105.11.10:88
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823154: Received
> answer from stream 10.105.11.10:88
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823260: Response
was
> from master KDC
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823300: TGS reply
is
> for first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL with
session
> key rc4-hmac/81A7
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823318: TGS
request
> result: 0/Success
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823328: Received
> creds for desired service host/hostname.xyz.local(a)XYZ.LOCAL
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823335: Removing
> first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL from
> MEMORY:M2bO4Sd
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823342: Storing
> first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL in
MEMORY:M2bO4Sd
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823366: Creating
> authenticator for first.last(a)XYZ.LOCAL -> host/hostname.xyz.local@XYZ.
LOCAL,
> seqnum 0, subkey (null, session key rc4-hmac/81A7
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823410: Retrieving
> host/hostname.xyz.local(a)XYZ.LOCAL from MEMORY:/etc/krb5.keytab (vno 2,
> enctype rc4-hmac) with result: 0/Success
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823466: Decrypted
> AP-REQ with specified server principal host/hostname.xyz.local@XYZ.
LOCAL:
> rc4-hmac/4965
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823478: AP-REQ
> ticket: first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL,
session
> key rc4-hmac/81A7
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823609: Negotiated
> enctype based on authenticator: rc4-hmac
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823625:
Initializing
> MEMORY:rd_req2 with default princ first.last(a)XYZ.LOCAL
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823635: Removing
> first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL from
> MEMORY:rd_req2
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823642: Storing
> first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL in
MEMORY:rd_req2
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823654: Destroying
> ccache MEMORY:M2bO4Sd
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [validate_tgt]
> (0x0400): TGT verified using key for [host/hostname.xyz.local@XYZ.
LOCAL].
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823690: Retrieving
> first.last(a)XYZ.LOCAL -> host/hostname.xyz.local(a)XYZ.LOCAL from
> MEMORY:rd_req2 with result: 0/Success
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823733: Retrieving
> host/hostname.xyz.local(a)XYZ.LOCAL from MEMORY:/etc/krb5.keytab (vno 2,
> enctype rc4-hmac) with result: 0/Success
>
>
>
>
>
>
>
>
> *(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_send_pac]
> (0x0040): sss_pac_make_request failed [-1][2].(Wed Apr 5 11:45:37 2017)
> [[sssd[krb5_child[11215]]]] [validate_tgt] (0x0040): sss_send_pac failed,
> group membership for user with principal [first.last\@XYZ.LOCAL(a)XYZ.
LOCAL]
> might not be correct.(Wed Apr 5 11:45:37 2017)
[[sssd[krb5_child[11215]]]]
> [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823772: Destroying
> ccache MEMORY:rd_req2(Wed Apr 5 11:45:37 2017)
[[sssd[krb5_child[11215]]]]
> [sss_get_ccache_name_for_principal] (0x4000): Location:
> [FILE:/tmp/krb5cc_xxxxxxxxxx_XXXXXX](Wed Apr 5 11:45:37 2017)
> [[sssd[krb5_child[11215]]]] [sss_get_ccache_name_for_principal]
(0x2000):
> krb5_cc_cache_match failed: [-1765328243][Can't find client principal
> first.last(a)XYZ.LOCAL in cache collection](Wed Apr 5 11:45:37 2017)
> [[sssd[krb5_child[11215]]]] [sss_unique_file_ex] (0x0040):
> mkstemp("/tmp/krb5cc_xxxxxxxxxx_C2Mqqg") failed [13]: Permission
> denied!(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [handle_randomized] (0x0020): mkstemp("/tmp/krb5cc_xxxxxxxxxx_C2Mqqg")
Please check your permissions of /tmp. Normally /tmp should have 1777
permissions..
> failed [13]: Permission denied!(Wed Apr 5 11:45:37 2017)
> [[sssd[krb5_child[11215]]]] [create_ccache] (0x0020): handle_randomized
> failed: 13(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [map_krb5_error] (0x0020): 1301: [13][Permission denied]*
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_send_data]
> (0x0200): Received error code 1432158209
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]]
> [pack_response_packet] (0x2000): response packet size: [20]
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_send_data]
> (0x4000): Response sent.
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x0400):
> krb5_child completed successfully
>
>
> Thanks,
>
> ~ Abhi
>
>
>
>
> On Tue, Apr 4, 2017 at 11:54 AM, Jakub Hrozek <jhrozek(a)redhat.com>
wrote:
>
> > On Tue, Apr 04, 2017 at 05:15:58PM +0200, Lukas Slebodnik wrote:
> > > On (04/04/17 11:04), Abhijit Tikekar wrote:
> > > >Hi,
> > > >
> > > >Trying to configure SSSD on a CentOS server and running into some
> > issues.
> > > >Hoping to get some guidance here...
> > > >
> > > >All the install steps are successful and at the end "net ads
testjoin"
> > > >confirms that join is valid. Computer object gets created on
> > AD(Windows).
> > > >But authentication attempts result in access denied and, following
is
> > > >recorded under the logs(Log level for domain set to 2)
> > > >
> > > Try to use higher debug_level. Maybe even the full (9)
> > >
> > > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init]
> > > >(0x0020): No selinux module provided for [xyz.local] !!
> > > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init]
> > > >(0x0020): No host info module provided for [xyz.local] !!
> > > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [ad_sasl_log]
(0x0040):
> > > >SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide
> > more
> > > >information (Server not found in Kerberos database)
> >
> >
> > This is the error.
> >
> > Is this centos-6? If yes, then setting rdns=false in krb5.conf and
> > SASL_NOCANON in ldap.conf helped (both are the defaults on centos-7
> > already)
> >
> > > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sasl_bind_send]
> > (0x0020):
> > > >ldap_sasl_bind failed (-2)[Local error]
> > > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]]
> > > >[sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection
failed
> > > >[11]: Resource temporarily unavailable
> > > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_ptask_done]
> > (0x0040):
> > > >Task [SUDO Full Refresh]: failed with [11]: Resource temporarily
> > unavailable
> > > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]]
> > [fo_resolve_service_send]
> > > >(0x0020): No available servers for service 'AD'
> > > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]]
> > [sdap_id_op_connect_done]
> > > >(0x0020): Failed to connect, going offline (5 [Input/output error])
> > > Please look into /var/log/sssd/ldap_child.log
> > >
> > > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]]
> > [fo_resolve_service_send]
> > > >(0x0020): No available servers for service 'AD'
> > > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]]
> > [sdap_id_op_connect_done]
> > > >(0x0020): Failed to connect, going offline (5 [Input/output error])
> > > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log]
(0x0040):
> > > >SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide
> > more
> > > >information (Server not found in Kerberos database)
> > > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send]
> > (0x0020):
> > > >ldap_sasl_bind failed (-2)[Local error]
> > > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log]
(0x0040):
> > > >SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide
> > more
> > > >information (Server not found in Kerberos database)
> > > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send]
> > (0x0020):
> > > >ldap_sasl_bind failed (-2)[Local error]
> > > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
> > > >[sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection
failed
> > > >[11]: Resource temporarily unavailable
> > > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [be_ptask_done]
> > (0x0040):
> > > >Task [SUDO Full Refresh]: failed with [11]: Resource temporarily
> > unavailable
> > > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
> > [fo_resolve_service_send]
> > > >(0x0020): No available servers for service 'AD'
> > > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
> > [sdap_id_op_connect_done]
> > > >(0x0020): Failed to connect, going offline (5 [Input/output error])
> > > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
> > > >[sdap_dyndns_update_addrs_done] (0x0040): Can't get addresses for
DNS
> > update
> > > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
> > > >[ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed
> > > >[1432158234]: Dynamic DNS update not possible while offline
> > > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
> > [ad_dyndns_nsupdate_done]
> > > >(0x0040): Updating DNS entry failed [1432158234]: Dynamic DNS
update not
> > > >possible while offline
> > > >
> > > >
> > > >I see couple of obvious errors here, mainly the ones for SASL:
GSSAPI
> > and "
> > > >Failed to connect, going offline (5 [Input/output error])"
although
not
> > > >sure if they are all related to a common failure.
> > > >
> > > >Although when I try to use ldapsearch directly, it gives the same
SASL
> > > >error.
> > > >
> > > >]# ldapsearch -H ldap://AD-Server.xyz.local/ -Y GSSAPI -N -b
> > > >"dc=xyz,dc=local" "(&(objectClass=user)(
sAMAccountName=first.last))"
> > > >SASL/GSSAPI authentication started
> > > >ldap_sasl_interactive_bind_s: Local error (-2)
> > > > additional info: SASL(-1): generic failure: GSSAPI Error:
> > > >Unspecified GSS failure. Minor code may provide more information
> > (Server
> > > >not found in Kerberos database)
> > > It is a little bit suspicious that ldapsearch fails.
> > > If ldap_child.log is not usefull for troubleshooting
> > > then please try to debug with ldapsearch.
> > >
> > > ldapsearch -d 7 ...
> > >
> > > I am not sure whether bitmast 7 is enough for troubleshooting sasl
issue.
> > > You might try to increase it.
> > >
> > >
> > > >Here is sssd.conf:
> > > >
> > > >[sssd]
> > > >domains = XYZ.LOCAL
> > > >services = nss, pam, sudo
> > > >config_file_version = 2
> > > >debug_level = 0
> > > >[nss]
> > > >[pam]
> > > >[sudo]
> > > >debug_level=2
> > > >[domain/xyz.local]
> > > >debug_level=2
> > > >ad_server = AD-Server.xyz.local
> > > >id_provider = ad
> > > >auth_provider = ad
> > > >access_provider = ad
> > > >sudo_provider = ad
> > > >ldap_id_mapping = true
> > > >ldap_use_tokengroups = False
> > > >ldap_sasl_mech = GSSAPI
> > > >krb5_realm = XYZ.LOCAL
> > > >ldap_uri = ldap://AD-Server.xyz.local
> > > >ldap_sudo_search_base = ou=Groups,dc=xyz,dc=local
> > > >ldap_user_search_base = dc=xyz,dc=local
> > > >ldap_user_object_class = user
> > > >ldap_group_search_base = ou=Groups,dc=xyz,dc=local
> > > >ldap_group_object_class = group
> > > >ldap_user_home_directory = unixHomeDirectory
> > > >ldap_user_principal = userPrincipalName
> > > >ldap_access_order = filter, expire
> > > >ldap_account_expire_policy = ad
> > > >ldap_access_filter = ...
> > >
> > > Is there any reason why you configuread all ldap_* options?
> > > I think default provided with id_provider ad (e.g. ldap_schema = ad)
> > > shoudl be fine.
> > >
> > > >cache_credentials = true
> > > >override_homedir = /home/%d/%u
> > > >default_shell = /bin/bash
> > > >ldap_schema = ad
> > > >
> > >
> > > LS
> > > _______________________________________________
> > > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > > To unsubscribe send an email to sssd-users-leave@lists.
fedorahosted.org
> > _______________________________________________
> > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to sssd-users-leave@lists.
fedorahosted.org
> >
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
2576
days inactive
2577
days old
sssd-users@lists.fedorahosted.org
5 comments
3 participants
participants (3)
-
Abhijit Tikekar -
Jakub Hrozek -
Lukas Slebodnik