Hi,
I have repeated issues with users losing their usernames (only being mapped to their uid / in the terminal it says "i have no name!@host"). It doesn't happen daily, but it is extremely frustrating because they are running scientific pipelines that take a few hours to several days to complete, and as soon as their name is lost, it fails and the pipeline has to start from scratch.
My setup is as follows.
Client: Ubuntu 16.04 (Note that my university has licenses for Redhat, I could upgrade to it if it will 100% fix my problem. I simply use Ubuntu since a lot of scientific packages are already tailored for it, and it saves me weeks of work).
Server: Windows AD, with a Windows NFS file server.
What I don't understand is that if a user is successfully able to authenticate, why isn't the account cached, and used for their entire session? How can a name be lost if it is cached? I have the following in my sssd.conf:
cache_credentials = True
krb5_store_password_if_offline = True
I have had this issue for quite a while, so upon a previous sssd user's suggestion, I disabled reverse DNS and it seemed to make this occur less often, but as far as I can tell my DNS is set up properly. I can do a `nslookup <host>` and get the proper IP address, and vice versa.
Any help would be greatly appreciated!
Thomas
Actually, the client in this case is using LXDE instead of Ubuntu, but it does occur with Ubuntu. Is LXDE less reliable sssd-wise?
________________________________
From: Thomas Beaudry thomas.beaudry@concordia.ca
Sent: Wednesday, October 18, 2017 11:37 AM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] loss of id / i have no name!
On Wed, Oct 18, 2017 at 03:37:44PM +0000, Thomas Beaudry wrote:
> Hi,
> I have repeated issues with users losing their usernames (only being mapped to their uid / in the terminal it says "i have no name!@host"). It doesn't happen daily, but it is extremely frustrating because they are running scientific pipelines that take a few hours to several days to complete, and as soon as their name is lost, it fails and the pipeline has to start from scratch.
> My setup is as follows.
> Client: Ubuntu 16.04 (Note that my university has licenses for Redhat, I could upgrade to it if it will 100% fix my problem. I simply use Ubuntu since a lot of scientific packages are already tailored for it, and it saves me weeks of work).
> Server: Windows AD, with a Windows NFS file server.
> What I don't understand is that if a user is successfully able to authenticate, why isn't the account cached, and used for their entire session? How can a name be lost if it is cached? I have the following in my sssd.conf:
> cache_credentials = True
> krb5_store_password_if_offline = True
> I have had this issue for quite a while, so upon a previous sssd user's suggestion, I disabled reverse DNS and it seemed to make this occur less often, but as far as I can tell my DNS is set up properly. I can do a `nslookup <host>` and get the proper IP address, and vice versa.
> Any help would be greatly appreciated!
> Thomas
I'm sorry if this sounds unhelpful but I'm not sure without seeing logs that capture the error.
Could you enable debug logs as per https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html, then note when the error happens and post the logs along with the timestamp when the setup broke?
Hi,
Here is the sssd domain log: https://drive.google.com/open?id=0B5ihYtqDQffzaUpERnkyNHlZamM
The crash occurred between today (Friday Oct 20 2:14-2:17pm)
Thomas
________________________________________
From: Jakub Hrozek jhrozek@redhat.com
Sent: Wednesday, October 18, 2017 2:43 PM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: loss of id / i have no name!
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
On Fri, Oct 20, 2017 at 07:35:02PM +0000, Thomas Beaudry wrote:
> Hi,
> Here is the sssd domain log: https://drive.google.com/open?id=0B5ihYtqDQffzaUpERnkyNHlZamM
> The crash occurred between today (Friday Oct 20 2:14-2:17pm)
I'm sorry, but I don't see anything outright wrong. There are some servers that are unreachable (see messages that mention NOT_WORKING around 14:17:07).
But I'm not sure that's related. Do you know what is the UID of the user who is getting that "I have no name" error? IIRC that error is caused by sssd (or the NSS stack in general) not being able to convert the numerical user ID into name.
Hi,
The user is: j_huc uid: 891461586
Thanks Jakub!
Thomas
________________________________________
From: Jakub Hrozek jhrozek@redhat.com
Sent: Saturday, October 21, 2017 2:53 PM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: loss of id / i have no name!
On Mon, Oct 23, 2017 at 02:20:13PM +0000, Thomas Beaudry wrote:
> Hi,
> The user is: j_huc uid: 891461586
(I'm sorry about the delay)
Yes, that ID appears to have some issues:
(Fri Oct 20 14:04:27 2017) [sssd[be[domain.ca]]] [be_get_account_info] (0x0200): Got request for [0x1001][FAST BE_REQ_USER][1][idnumber=891461586]
(Fri Oct 20 14:04:27 2017) [sssd[be[domain.ca]]] [be_req_set_domain] (0x0400): Changing request domain from [domain.ca] to [domain.ca]
(Fri Oct 20 14:04:27 2017) [sssd[be[domain.ca]]] [ad_account_can_shortcut] (0x0080): Mapping ID [891461586] to SID failed: [IDMAP domain not found]
(Fri Oct 20 14:04:27 2017) [sssd[be[domain.ca]]] [users_get_send] (0x0080): [891461586] did not match any configured ID mapping domain
Could you share your sssd.conf file, sanitized, if needed?
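
Added example, not part of the original thread and not SSSD's own code: a Python scan of an SSSD domain log for the two ID-mapping failure messages quoted in the message above, grouped by numeric ID. The sample lines are copied from that excerpt; the function names are hypothetical, and the slice/RID split assumes SSSD's default ldap_idmap_range_min and ldap_idmap_range_size (both 200000) and an ID in the domain's primary slice.

```python
import re
from collections import defaultdict

# Sample lines copied from the log excerpt quoted in the thread.
SAMPLE_LOG = """\
(Fri Oct 20 14:04:27 2017) [sssd[be[domain.ca]]] [be_get_account_info] (0x0200): Got request for [0x1001][FAST BE_REQ_USER][1][idnumber=891461586]
(Fri Oct 20 14:04:27 2017) [sssd[be[domain.ca]]] [be_req_set_domain] (0x0400): Changing request domain from [domain.ca] to [domain.ca]
(Fri Oct 20 14:04:27 2017) [sssd[be[domain.ca]]] [ad_account_can_shortcut] (0x0080): Mapping ID [891461586] to SID failed: [IDMAP domain not found]
(Fri Oct 20 14:04:27 2017) [sssd[be[domain.ca]]] [users_get_send] (0x0080): [891461586] did not match any configured ID mapping domain
"""

# Debug line layout: "(timestamp) [process] [function] (level): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[.+?\] \[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
# The two failure messages that appear in the excerpt.
FAIL_RES = (
    re.compile(r"Mapping ID \[(\d+)\] to SID failed: \[(.+)\]"),
    re.compile(r"\[(\d+)\] did not match any configured ID mapping domain"),
)

def find_idmap_failures(log_text):
    """Return {numeric_id: [(timestamp, function, message), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an SSSD debug line
        for pat in FAIL_RES:
            f = pat.search(m["msg"])
            if f:
                hits[int(f.group(1))].append((m["ts"], m["func"], m["msg"]))
                break
    return dict(hits)

def slice_and_rid(unix_id, range_min=200000, range_size=200000):
    """Split an algorithmically mapped ID into (slice index, RID).
    Assumption: default range settings and the domain's primary slice."""
    if unix_id < range_min:
        raise ValueError("ID is below the ID-mapping range")
    offset = unix_id - range_min
    return offset // range_size, offset % range_size

if __name__ == "__main__":
    for uid, events in find_idmap_failures(SAMPLE_LOG).items():
        sl, rid = slice_and_rid(uid)
        print(f"id {uid}: {len(events)} mapping failures, slice {sl}, RID {rid}")
        for ts, func, msg in events:
            print(f"  {ts}  {func}: {msg}")
```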
Hi,
No problem for the delay, I am happy to have any help. Here is my sssd.conf:
[autofs]
debug_level=10

[krb5]
debug_level=10

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level=10

[pam]
reconnection_retries = 3
debug_level=10

[sssd]
domains = domain.ca
config_file_version = 2
services = nss, pam, ssh, autofs
debug_level=10

[domain/domain.ca]
ad_domain = domain.ca
krb5_realm = DOMAIN.CA
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
#use_fully_qualified_names = True
override_homedir = /NAS/home/%u
fallback_homedir = /home/%u
access_provider = simple
debug_level=10
ignore_group_members=True
simple_allow_groups = perform_hpc

I joined this machine to the domain using realmd
Thomas
________________________________________
From: Jakub Hrozek jhrozek@redhat.com
Sent: Tuesday, October 24, 2017 3:48 PM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: loss of id / i have no name!