On Fri, Mar 29, 2013 at 12:11:42PM +0000, Rowland Penny wrote:
On 29/03/13 11:21, Jakub Hrozek wrote:
On Thu, Mar 28, 2013 at 09:22:32PM +0000, Rowland Penny wrote:
Hello, I am trying to use sssd instead of winbind against a samba 4 AD server. After looking around the internet, I have got to the point where I can get a domain user's info with 'getent passwd <domainuser>' and 'id <domainuser>'. I can also create a directory and chmod it <domainuser>:users; what I cannot do is log in to the computer through ssh or the login GUI on the computer. This is on Linux Mint 14 using sssd 1.9.1.
Does anybody have any idea why sssd seems to work but fails in a very important way?
Can you paste or attach the tail of /var/log/secure, your (sanitized) sssd.conf and the relevant portion of /var/log/sssd/sssd_$domain.log after raising debug_level to 6 or higher in the domain section?
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
OK, as requested here are the three files. Sorry but the domain logfile is a bit large.
No problem.
getent passwd testuser
testuser:*:3000016:100:testuser:/home/HOME/testuser:/bin/bash
id testuser
uid=3000016(testuser) gid=100(users) groups=100(users)
but testuser cannot login via ssh or the login gui
/var/log/auth.log
^^ thanks, I always forget what the file is called on Debian derivatives.
Mar 29 11:27:23 mint-VirtualBox mdm[1061]: pam_sss(mdm:auth): received for user testuser: 9 (Authentication service cannot retrieve authentication info)
Looks like SSSD couldn't connect to the authentication server.
/etc/sssd/sssd.conf
[sssd]
#debug_level = 3
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
domains = DOMAIN
services = nss, pam

[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out).
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]

[domain/DOMAIN]
description = LDAP domain with AD server
debug_level = 9
cache_credentials = true
enumerate = False

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

# Uncomment if service discovery is not working
ldap_uri = ldap://adserver.domain.lan/

# Define these only if anonymous binds are not allowed and no keytab is available
ldap_default_bind_dn = CN=Administrator,CN=Users,DC=domain,DC=lan
ldap_default_authtok_type = password
ldap_default_authtok = P4$$w0rd*

ldap_schema = rfc2307bis

ldap_search_base = dc=domain,dc=lan

# It looks like the ?sub? search notation is also accepted:
# http://sgallagh.wordpress.com/2011/12/22/sssd-tips-and-tricks-vol-2-ldap/
#ldap_user_search_base = cn=Users,dc=domain,dc=lan?sub?uid=*
ldap_user_search_base = cn=Users,dc=domain,dc=lan
ldap_user_object_class = person

# The option is ldap_user_home_directory (the posted file had it as
# ldap_user_domain_directory, which sssd does not recognise)
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_user_gecos = displayName
ldap_user_uuid = objectGUID
ldap_user_modify_timestamp = whenChanged

ldap_group_search_base = dc=domain,dc=lan
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_uuid = objectGUID
ldap_group_modify_timestamp = whenChanged
ldap_group_nesting_level = 2

ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = True

ldap_pwd_policy = none

#krb5_server = domain.lan
Did you comment out krb5_server in order to use service discovery on purpose? It's a valid usecase, just checking if it was the intent.
krb5_realm = DOMAIN.LAN
dns_discovery_domain = domain.lan

# Probably required with sssd 1.8.x and newer
krb5_canonicalize = false

# Uncomment if using SASL/GSSAPI to bind and a valid /etc/krb5.keytab exists
#ldap_sasl_mech = GSSAPI
# Uncomment and adjust if the default principal host/fqdn@REALM is not available
#ldap_sasl_authid=MINT-VIRTUALBOX$@DOMAIN.LAN
/var/log/sssd/sssd_DOMAIN.log
<snip first part of the log>
Here comes the account request...
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=mdm]
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [sdap_id_op_connect_step] (0x4000): beginning to connect
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [get_server_status] (0x1000): Status of server 'adserver.domain.lan' is 'name not resolved'
..sssd begins to connect..
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [get_port_status] (0x1000): Port status of port 389 for server 'adserver.domain.lan' is 'neutral'
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds
...triggers name resolution..
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [get_server_status] (0x1000): Status of server 'adserver.domain.lan' is 'name not resolved'
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [resolv_is_address] (0x4000): [adserver.domain.lan] does not look like an IP address
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [resolv_gethostbyname_step] (0x2000): Querying files
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'adserver.domain.lan' in files
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [set_server_common_status] (0x0100): Marking server 'adserver.domain.lan' as 'resolving name'
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [resolv_gethostbyname_step] (0x2000): Querying files
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'adserver.domain.lan' in files
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'adserver.domain.lan' in DNS
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 5 seconds
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [request_watch_destructor] (0x0400): Deleting request watch
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [resolv_gethostbyname_done] (0x0040): querying hosts database failed [5]: Input/output error
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_done] (0x0020): Failed to resolve server 'adserver.domain.lan': Could not contact DNS servers
And fails because the underlying resolver library cannot contact DNS servers.
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [set_server_common_status] (0x0100): Marking server 'adserver.domain.lan' as 'not working'
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [be_resolve_server_process] (0x0080): Couldn't resolve server (adserver.domain.lan), resolver returned (5)
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [be_resolve_server_process] (0x1000): Trying with the next one!
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [get_server_status] (0x1000): Status of server 'adserver.domain.lan' is 'not working'
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [get_server_status] (0x1000): Status of server 'adserver.domain.lan' is 'not working'
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [be_mark_offline] (0x2000): Going offline!
As a result of the failed DNS resolution, SSSD goes offline.
Later in the logfiles I see that the SSSD succeeded in connecting to the LDAP server, but the only authentication request captured in the logs is:
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [krb5_pam_handler] (0x1000): Wait queue of user [testuser] is empty, running request immediately.
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [ldb] (0x4000): tevent: Added timed event "ltdb_callback": 0x99a7ae0
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [ldb] (0x4000): tevent: Added timed event "ltdb_timeout": 0x99a7ba8
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [ldb] (0x4000): tevent: Destroying timer event 0x99a7ba8 "ltdb_timeout"
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [ldb] (0x4000): tevent: Ending timer event 0x99a7ae0 "ltdb_callback"
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [krb5_auth_send] (0x0100): No ccache file for user [testuser] found.
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [krb5_auth_send] (0x4000): Ccache_file is [not set] and is not active and TGT is not valid.
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KERBEROS'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'neutral'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_send] (0x0400): SRV resolution of service 'KERBEROS'. Will use DNS discovery domain 'domain.lan'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_KERBEROS._udp.domain.lan'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_KERBEROS._udp.domain.lan'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 5 seconds
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [request_watch_destructor] (0x0400): Deleting request watch
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_done] (0x0020): SRV query failed: [Could not contact DNS servers]
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as 'not working'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'KERBEROS' as 'not resolved'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup meta-server), resolver returned (5)
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [be_resolve_server_process] (0x1000): Trying with the next one!
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KERBEROS'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'neutral'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_send] (0x0400): SRV resolution of service 'KERBEROS'. Will use DNS discovery domain 'domain.lan'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_KERBEROS._tcp.domain.lan'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_KERBEROS._tcp.domain.lan'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 5 seconds
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [request_watch_destructor] (0x0400): Deleting request watch
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_done] (0x0020): SRV query failed: [Could not contact DNS servers]
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as 'not working'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'KERBEROS' as 'not resolved'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup meta-server), resolver returned (5)
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [be_resolve_server_process] (0x1000): Trying with the next one!
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KERBEROS'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'not working'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'not working'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_send] (0x0020): No available servers for service 'KERBEROS'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [be_mark_offline] (0x2000): Going offline!
^^ Which fails after the service resolution via DNS failed.
Does authentication work if you set krb5_server to adserver.domain.lan ?
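The diagnosis in this thread rests on reading two logs side by side: the opaque pam_sss code 9 in auth.log, and the backend's resolver failures and "Going offline!" decisions in sssd_DOMAIN.log a few seconds earlier. The script below is an added example, not part of the thread or of SSSD itself; it parses both formats, builds a timeline of failover decisions (host resolution failures, SRV lookup failures, "No available servers", offline transitions) and, for each PAM failure, reports which service the backend was trying to reach and the last resolver error before it. The log lines embedded in it are constructed in the format quoted above, trimmed to a handful of entries. The syslog year (2013) and the 15-second correlation window are assumptions.

```python
"""Correlate pam_sss failures in auth.log with SSSD backend failover decisions
in sssd_$domain.log. Added example, stdlib only (Python 3.8+)."""
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the thread's excerpt: the backend fails to
# resolve the LDAP host, goes offline, then fails both Kerberos SRV lookups.
SSSD_LOG = """\
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'adserver.domain.lan' in DNS
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [resolv_gethostbyname_done] (0x0040): querying hosts database failed [5]: Input/output error
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_done] (0x0020): Failed to resolve server 'adserver.domain.lan': Could not contact DNS servers
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [be_mark_offline] (0x2000): Going offline!
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [krb5_auth_send] (0x0100): No ccache file for user [testuser] found.
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KERBEROS'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_KERBEROS._udp.domain.lan'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_done] (0x0020): SRV query failed: [Could not contact DNS servers]
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_KERBEROS._tcp.domain.lan'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_done] (0x0020): SRV query failed: [Could not contact DNS servers]
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_send] (0x0020): No available servers for service 'KERBEROS'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [be_mark_offline] (0x2000): Going offline!
"""
AUTH_LOG = """\
Mar 29 11:27:23 mint-VirtualBox mdm[1061]: pam_sss(mdm:auth): received for user testuser: 9 (Authentication service cannot retrieve authentication info)
"""

# "(timestamp) [sssd[be[DOMAIN]]] [function] (0xLEVEL): message"
SSSD_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
                     r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
# syslog line from pam_sss: "... pam_sss(service:stage): received for user U: CODE (text)"
PAM_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^\[\s]+)\[\d+\]: "
                    r"pam_sss\((?P<service>[^:]+):(?P<stage>[^)]+)\): received for user (?P<user>\S+): "
                    r"(?P<code>\d+) \((?P<text>[^)]*)\)$")
SERVICE_RE = re.compile(r"Trying to resolve service '(?P<service>[^']+)'")
TARGET_RE = re.compile(r"(?:Searching for servers via SRV query|Trying to resolve (?:A|AAAA) record of) '(?P<target>[^']+)'")
DECISION_RES = (  # messages that mark a failover decision, checked in order
    ("resolve",   re.compile(r"Failed to resolve server '(?P<target>[^']+)': (?P<why>.+)")),
    ("srv",       re.compile(r"SRV query failed: \[(?P<why>[^\]]*)\]")),
    ("exhausted", re.compile(r"No available servers for service '(?P<service>[^']+)'")),
    ("offline",   re.compile(r"Going offline!")),
)

def parse_sssd_log(text):
    entries = []
    for line in text.splitlines():
        m = SSSD_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%a %b %d %H:%M:%S %Y")
            entries.append(d)
    return entries

def parse_auth_log(text, year):
    """syslog lines carry no year; the caller supplies it (2013 for the sample)."""
    events = []
    for line in text.splitlines():
        m = PAM_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(f"{year} {d['ts']}", "%Y %b %d %H:%M:%S")
            d["code"] = int(d["code"])
            events.append(d)
    return events

def failover_timeline(entries):
    """One record per failover decision, tagged with the service being resolved
    and the host/SRV name most recently looked up."""
    timeline, service, target = [], None, None
    for e in entries:
        m = SERVICE_RE.search(e["msg"])
        if m:
            service = m.group("service")
            continue
        m = TARGET_RE.search(e["msg"])
        if m:
            target = m.group("target")
            continue
        for kind, pat in DECISION_RES:
            m = pat.search(e["msg"])
            if m:
                g = m.groupdict()
                timeline.append({"ts": e["ts"], "kind": kind, "service": g.get("service", service),
                                 "target": g.get("target", target), "why": g.get("why")})
                break
    return timeline

def offline_events(timeline):
    return [t for t in timeline if t["kind"] == "offline"]

def correlate(pam_events, timeline, window=timedelta(seconds=15)):
    """For each PAM failure: the service whose offline transition immediately
    preceded it and the last resolver error (A/AAAA or SRV) inside the window."""
    results = []
    for p in pam_events:
        near = [t for t in timeline if p["ts"] - window <= t["ts"] <= p["ts"]]
        offl = [t for t in near if t["kind"] == "offline"]
        causes = [t for t in near if t["kind"] in ("resolve", "srv")]
        results.append({"user": p["user"], "code": p["code"], "text": p["text"],
                        "offline_service": offl[-1]["service"] if offl else None,
                        "cause": causes[-1] if causes else None})
    return results

def triage(sssd_text, auth_text, year):
    return correlate(parse_auth_log(auth_text, year), failover_timeline(parse_sssd_log(sssd_text)))

if __name__ == "__main__":
    for r in triage(SSSD_LOG, AUTH_LOG, 2013):
        c = r["cause"] or {}
        print(f"user={r['user']} pam_sss={r['code']} ({r['text']}) -> backend offline for "
              f"{r['offline_service']}; last resolver failure: {c.get('target')}: {c.get('why')}")
```

On the sample this reports that testuser's code 9 follows the KERBEROS backend going offline after the '_KERBEROS._tcp.domain.lan' SRV query failed with "Could not contact DNS servers", which is exactly the reading of the thread above: the explicit ldap_uri does not help Kerberos, whose server list comes only from SRV discovery while krb5_server is commented out. Run it against real files with `triage(open(...).read(), open(...).read(), year)`; a `cause` of None with an offline transition means the failure was not a resolver problem and the log needs reading further back.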