On Thu, Aug 28, 2014 at 07:14:13PM +0300, Kristjan Elias wrote:
Hi all,
I have been having some trouble lately with our setup of sssd, which I will try to describe for you now.
For the past year we have been using sssd to authenticate our RHEL6 local users from Corporate MS AD. This has been working without any problems so far.
Last week the last of our DC AD servers were upgraded to Windows server 2012R2 and now the problems started. Firstly AD performance enhancements were lost.
Snippet from logs:
(Wed Aug 20 12:21:17 2014) [sssd[be[MS_AD]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [5]
(Wed Aug 20 14:34:38 2014) [sssd[be[MS_AD]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [5]
(Wed Aug 20 15:22:52 2014) [sssd[be[MS_AD]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [5]
(Wed Aug 20 16:03:46 2014) [sssd[be[MS_AD]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [5]
(Wed Aug 20 16:24:53 2014) [sssd[be[MS_AD]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [5]
(Wed Aug 20 16:49:04 2014) [sssd[be[MS_AD]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [5]
(Wed Aug 20 17:45:55 2014) [sssd[be[MS_AD]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [5]
(Wed Aug 20 18:05:01 2014) [sssd[be[MS_AD]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [5]
(Thu Aug 21 02:20:38 2014) [sssd[be[MS_AD]]] [sdap_get_server_opts_from_rootdse] (0x0080): Received invalid value for AD compatibility level. Continuing without AD performance enhancements
(Thu Aug 21 04:43:38 2014) [sssd[be[MS_AD]]] [sdap_get_server_opts_from_rootdse] (0x0080): Received invalid value for AD compatibility level. Continuing without AD performance enhancements
(Thu Aug 21 10:27:18 2014) [sssd[be[MS_AD]]] [sdap_get_server_opts_from_rootdse] (0x0080): Received invalid value for AD compatibility level. Continuing without AD performance enhancements
(Thu Aug 21 10:32:27 2014) [sssd[be[MS_AD]]] [sdap_get_server_opts_from_rootdse] (0x0080): Received invalid value for AD compatibility level. Continuing without AD performance enhancements
(Thu Aug 21 10:52:46 2014) [sssd[be[MS_AD]]] [sdap_get_server_opts_from_rootdse] (0x0080): Received invalid value for AD compatibility level. Continuing without AD performance enhancements
(Thu Aug 21 16:38:27 2014) [sssd[be[MS_AD]]] [sdap_get_server_opts_from_rootdse] (0x0080): Received invalid value for AD compatibility level. Continuing without AD performance enhancements
(Thu Aug 21 17:08:06 2014) [sssd[be[MS_AD]]] [sdap_get_server_opts_from_rootdse] (0x0080): Received invalid value for AD compatibility level. Continuing without AD performance enhancements
(Thu Aug 21 17:41:15 2014) [sssd[be[MS_AD]]] [sdap_get_server_opts_from_rootdse] (0x0080): Received invalid value for AD compatibility level. Continuing without AD performance enhancements
For this I filed a bug:
I have local patches for this issue. If you tell me your RHEL versions, I can build you test packages right away.
Secondly when running without AD performance enhancements all logins fail when going through the users parent groups.
This error disables the AD login for my RHEL servers.
Here are the failure points in sssd log for 3 different users:
From my login attempt:
(Thu Aug 28 13:59:04 2014) [sssd[be[MS_AD]]] [sysdb_search_group_by_name] (0x0400): No such entry
(Thu Aug 28 13:59:04 2014) [sssd[be[MS_AD]]] [sdap_add_incomplete_groups] (0x1000): Group #34 [SKYPEDWETL4] is not cached, need to add a fake entry
(Thu Aug 28 13:59:04 2014) [sssd[be[MS_AD]]] [ldb] (0x4000): start ldb transaction (nesting: 2)
(Thu Aug 28 13:59:04 2014) [sssd[be[MS_AD]]] [sdap_add_incomplete_groups] (0x1000): Mapping group [FTE_europe_2] objectSID to unix ID
(Thu Aug 28 13:59:04 2014) [sssd[be[MS_AD]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSID] attribute while id-mapping. [0][Success]
(Thu Aug 28 13:59:04 2014) [sssd[be[MS_AD]]] [ldb] (0x4000): cancel ldb transaction (nesting: 2)
(Thu Aug 28 13:59:04 2014) [sssd[be[MS_AD]]] [sdap_nested_groups_store] (0x0400): Could not add incomplete groups [2]: No such file or directory
(Thu Aug 28 13:59:04 2014) [sssd[be[MS_AD]]] [ldb] (0x4000): cancel ldb transaction (nesting: 1)
(Thu Aug 28 13:59:04 2014) [sssd[be[MS_AD]]] [save_rfc2307bis_groups] (0x0080): Could not save groups [2]: No such file or directory
(Thu Aug 28 13:59:04 2014) [sssd[be[MS_AD]]] [sdap_initgr_rfc2307bis_done] (0x0080): Could not save groups memberships [2]
(Thu Aug 28 13:59:04 2014) [sssd[be[MS_AD]]] [ldb] (0x4000): cancel ldb transaction (nesting: 0)
(Thu Aug 28 13:59:04 2014) [sssd[be[MS_AD]]] [sdap_get_initgr_done] (0x4000): Initgroups done
(Thu Aug 28 13:59:04 2014) [sssd[be[MS_AD]]] [sdap_get_initgr_done] (0x4000): Error in initgroups: [2][No such file or directory]
(Thu Aug 28 13:59:04 2014) [sssd[be[MS_AD]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Thu Aug 28 13:59:04 2014) [sssd[be[MS_AD]]] [sdap_process_result] (0x2000): Trace: sh[0x23dfc50], connected[1], ops[(nil)], ldap[0x23dead0]
(Thu Aug 28 13:59:04 2014) [sssd[be[MS_AD]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
I didn't see this problem in my testing so far. Could you describe the group topology a bit so that we can reproduce locally?
Sorry for the trouble you're seeing.
My colleague login attempt:
(Thu Aug 28 15:22:11 2014) [sssd[be[MS_AD]]] [sysdb_search_group_by_name] (0x0400): No such entry
(Thu Aug 28 15:22:11 2014) [sssd[be[MS_AD]]] [sdap_add_incomplete_groups] (0x1000): Group #32 [SKYPEDWETL4] is not cached, need to add a fake entry
(Thu Aug 28 15:22:11 2014) [sssd[be[MS_AD]]] [ldb] (0x4000): start ldb transaction (nesting: 2)
(Thu Aug 28 15:22:11 2014) [sssd[be[MS_AD]]] [sdap_add_incomplete_groups] (0x1000): Mapping group [SKYPE_ES_BI_FTE] objectSID to unix ID
(Thu Aug 28 15:22:11 2014) [sssd[be[MS_AD]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSID] attribute while id-mapping. [0][Success]
(Thu Aug 28 15:22:11 2014) [sssd[be[MS_AD]]] [ldb] (0x4000): cancel ldb transaction (nesting: 2)
(Thu Aug 28 15:22:11 2014) [sssd[be[MS_AD]]] [sdap_nested_groups_store] (0x0400): Could not add incomplete groups [2]: No such file or directory
(Thu Aug 28 15:22:11 2014) [sssd[be[MS_AD]]] [ldb] (0x4000): cancel ldb transaction (nesting: 1)
(Thu Aug 28 15:22:11 2014) [sssd[be[MS_AD]]] [save_rfc2307bis_groups] (0x0080): Could not save groups [2]: No such file or directory
(Thu Aug 28 15:22:11 2014) [sssd[be[MS_AD]]] [sdap_initgr_rfc2307bis_done] (0x0080): Could not save groups memberships [2]
(Thu Aug 28 15:22:11 2014) [sssd[be[MS_AD]]] [ldb] (0x4000): cancel ldb transaction (nesting: 0)
(Thu Aug 28 15:22:11 2014) [sssd[be[MS_AD]]] [sdap_get_initgr_done] (0x4000): Initgroups done
(Thu Aug 28 15:22:11 2014) [sssd[be[MS_AD]]] [sdap_get_initgr_done] (0x4000): Error in initgroups: [2][No such file or directory]
(Thu Aug 28 15:22:11 2014) [sssd[be[MS_AD]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Thu Aug 28 15:22:11 2014) [sssd[be[MS_AD]]] [sdap_process_result] (0x2000): Trace: sh[0x23dff60], connected[1], ops[(nil)], ldap[0x23de070]
(Thu Aug 28 15:22:11 2014) [sssd[be[MS_AD]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
Another colleague:
(Thu Aug 28 15:31:57 2014) [sssd[be[MS_AD]]] [sysdb_search_group_by_name] (0x0400): No such entry
(Thu Aug 28 15:31:57 2014) [sssd[be[MS_AD]]] [sdap_add_incomplete_groups] (0x1000): Group #34 [SKYPEDW_FILESHARE_TEST_TPUM_RO] is not cached, need to add a fake entry
(Thu Aug 28 15:31:57 2014) [sssd[be[MS_AD]]] [ldb] (0x4000): start ldb transaction (nesting: 2)
(Thu Aug 28 15:31:57 2014) [sssd[be[MS_AD]]] [sdap_add_incomplete_groups] (0x1000): Mapping group [SKYPE_ES_BI_FTE] objectSID to unix ID
(Thu Aug 28 15:31:57 2014) [sssd[be[MS_AD]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSID] attribute while id-mapping. [0][Success]
(Thu Aug 28 15:31:57 2014) [sssd[be[MS_AD]]] [ldb] (0x4000): cancel ldb transaction (nesting: 2)
(Thu Aug 28 15:31:57 2014) [sssd[be[MS_AD]]] [sdap_nested_groups_store] (0x0400): Could not add incomplete groups [2]: No such file or directory
(Thu Aug 28 15:31:57 2014) [sssd[be[MS_AD]]] [ldb] (0x4000): cancel ldb transaction (nesting: 1)
(Thu Aug 28 15:31:57 2014) [sssd[be[MS_AD]]] [save_rfc2307bis_groups] (0x0080): Could not save groups [2]: No such file or directory
(Thu Aug 28 15:31:57 2014) [sssd[be[MS_AD]]] [sdap_initgr_rfc2307bis_done] (0x0080): Could not save groups memberships [2]
(Thu Aug 28 15:31:57 2014) [sssd[be[MS_AD]]] [ldb] (0x4000): cancel ldb transaction (nesting: 0)
(Thu Aug 28 15:31:57 2014) [sssd[be[MS_AD]]] [sdap_get_initgr_done] (0x4000): Initgroups done
(Thu Aug 28 15:31:57 2014) [sssd[be[MS_AD]]] [sdap_get_initgr_done] (0x4000): Error in initgroups: [2][No such file or directory]
(Thu Aug 28 15:31:57 2014) [sssd[be[MS_AD]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Thu Aug 28 15:31:57 2014) [sssd[be[MS_AD]]] [sdap_process_result] (0x2000): Trace: sh[0x23dff60], connected[1], ops[(nil)], ldap[0x23de070]
(Thu Aug 28 15:31:57 2014) [sssd[be[MS_AD]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
My sssd.conf looks like this:
##########################################################
[sssd]
domains = MS_AD
services = nss,pam
config_file_version = 2
[nss]
filter_users = root,etl,gpadmin,nws
filter_groups = root,etl,gpadmin,nws
default_shell = /bin/bash
[pam]
reconnection_retries = 3
offline_credentials_expiration = 1
offline_failed_login_attempts = 1
[domain/MS_AD]
description = LDAP domain with MS AD server
debug_level = 9
# caching credentials
enumerate = false
cache_credentials = false
min_id = 1000
id_provider = ldap
I'm curious, why don't you use id_provider=ad instead?
Do you need to avoid joining the Linux machine to the AD domain?
Please note that the AD provider is in many respects a superset of the LDAP provider, so all the ldap_* options would apply, with the exception of the bind DN. When using the AD provider, you need to use GSSAPI instead.
auth_provider = ldap
chpass_provider = ldap
ldap_tls_reqcert = never
ldap_id_mapping = True
ldap_schema = ad
ldap_idmap_range_min = 10000
ldap_idmap_range_max = 2000100000
ldap_idmap_range_size = 20000000
ldap_uri = ldap://adserveraddress/
ldap_search_base = OU=UserAccounts,DC=something,DC=something,DC=something,DC=com
ldap_default_bind_dn = CN=Bind User Name,OU=UserAccounts,DC=something,DC=something,DC=something,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = passwordgoeshere
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_name = sAMAccountName
ldap_user_objectsid = objectSid
ldap_group_objectsid = objectGUID
ldap_user_search_filter = memberOf=CN=SKYPEDWETL4,OU=UserAccounts,DC=something,DC=something,DC=something,DC=com
override_homedir = /home/%u
# performance
ldap_disable_referrals = true
##########################################################
Have any of you had experiences with errors like this?
Many thanks for your attention!
Thanks,
Kristjan Elias
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
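The log excerpts in this thread are easier to triage when the sssd debug lines are split into fields (timestamp, backend, function, debug level, message) and the two symptoms are pulled out mechanically: the loss of AD performance enhancements after the rootDSE query, and the initgroups failures where a parent group could not be id-mapped because no objectSID was available. The script below is an added example, not code from the thread or from the sssd project; the sample lines are copied from the log snippets above, and the debug-level names follow the debug_level bit table in sssd.conf(5).

```python
import re
from collections import Counter

# Shape of one sssd debug line, e.g.
# (Thu Aug 21 02:20:38 2014) [sssd[be[MS_AD]]] [sdap_get_server_opts_from_rootdse] (0x0080): Received ...
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<component>.+?)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$"
)

# debug_level bits as documented in sssd.conf(5)
LEVEL_NAMES = {
    0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor failure",
    0x0100: "config", 0x0200: "function data", 0x0400: "trace",
    0x1000: "trace internal", 0x2000: "trace all", 0x4000: "trace ldb",
}

# Lines copied from the thread above (one rootDSE line of each kind, two failing logins)
SAMPLE_LINES = [
    "(Wed Aug 20 12:21:17 2014) [sssd[be[MS_AD]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [5]",
    "(Thu Aug 21 02:20:38 2014) [sssd[be[MS_AD]]] [sdap_get_server_opts_from_rootdse] (0x0080): Received invalid value for AD compatibility level. Continuing without AD performance enhancements",
    "(Thu Aug 28 13:59:04 2014) [sssd[be[MS_AD]]] [sdap_add_incomplete_groups] (0x1000): Mapping group [FTE_europe_2] objectSID to unix ID",
    "(Thu Aug 28 13:59:04 2014) [sssd[be[MS_AD]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSID] attribute while id-mapping. [0][Success]",
    "(Thu Aug 28 13:59:04 2014) [sssd[be[MS_AD]]] [sdap_nested_groups_store] (0x0400): Could not add incomplete groups [2]: No such file or directory",
    "(Thu Aug 28 13:59:04 2014) [sssd[be[MS_AD]]] [sdap_get_initgr_done] (0x4000): Error in initgroups: [2][No such file or directory]",
    "(Thu Aug 28 15:22:11 2014) [sssd[be[MS_AD]]] [sdap_add_incomplete_groups] (0x1000): Mapping group [SKYPE_ES_BI_FTE] objectSID to unix ID",
    "(Thu Aug 28 15:22:11 2014) [sssd[be[MS_AD]]] [sdap_attrs_get_sid_str] (0x0080): No [objectSID] attribute while id-mapping. [0][Success]",
    "(Thu Aug 28 15:22:11 2014) [sssd[be[MS_AD]]] [sdap_get_initgr_done] (0x4000): Error in initgroups: [2][No such file or directory]",
]


def parse_line(line):
    """Split one sssd debug line into its fields; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)
    rec["level_name"] = LEVEL_NAMES.get(rec["level"], "unknown")
    return rec


def triage(lines):
    """Summarise the failure symptoms seen in this thread from a list of log lines."""
    summary = {
        "compat_level_lost": False,      # rootDSE reported a value sssd could not parse
        "failures_by_func": Counter(),   # lines at minor-failure level or worse, per function
        "initgroups_errors": 0,          # logins whose group resolution failed
        "groups_missing_sid": [],        # groups that could not be id-mapped
    }
    pending_group = None
    for rec in filter(None, map(parse_line, lines)):
        msg = rec["msg"]
        if rec["level"] <= 0x0080:
            summary["failures_by_func"][rec["func"]] += 1
        if msg.startswith("Received invalid value for AD compatibility level"):
            summary["compat_level_lost"] = True
        m = re.match(r"Mapping group \[(.+?)\] objectSID to unix ID", msg)
        if m:
            pending_group = m.group(1)   # remember the group the next SID lookup is for
        elif msg.startswith("No [objectSID] attribute while id-mapping") and pending_group:
            summary["groups_missing_sid"].append(pending_group)
            pending_group = None
        elif msg.startswith("Error in initgroups"):
            summary["initgroups_errors"] += 1
    return summary


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Run against a full sssd_MS_AD.log the same way (`triage(open(path))`); the `groups_missing_sid` list is the one to hand to whoever owns the AD group objects, since it names exactly the parent groups whose SID was not returned.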
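The posted sssd.conf also carries a few settings worth checking before moving on to the group problem: `ldap_tls_reqcert = never` turns off verification of the AD server's certificate, the bind password sits in clear text in the file, identity lookups over a plain `ldap://` URI are unencrypted unless `ldap_id_use_start_tls` is set, and `ldap_group_objectsid` points at `objectGUID`, which is not a SID attribute even though ID mapping derives POSIX IDs from the SID. The reply in the thread already suggests `id_provider = ad`, which authenticates with GSSAPI and needs no bind DN or stored password. The linter below is an added example, not part of the thread or of sssd; `SAMPLE_CONF` and `HARDENED_CONF` are constructed from the posted config with placeholder values, and the objectSID check encodes my reading that a GUID cannot stand in for a SID.

```python
import configparser

# Constructed from the sssd.conf in the thread; names and password are placeholders
SAMPLE_CONF = """\
[sssd]
domains = MS_AD
services = nss,pam
config_file_version = 2

[domain/MS_AD]
id_provider = ldap
auth_provider = ldap
ldap_schema = ad
ldap_id_mapping = True
ldap_uri = ldap://adserveraddress/
ldap_tls_reqcert = never
ldap_default_bind_dn = CN=Bind User Name,OU=UserAccounts,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = passwordgoeshere
ldap_user_objectsid = objectSid
ldap_group_objectsid = objectGUID
override_homedir = /home/%u
"""

# Constructed counterpart along the lines of the reply: AD provider, joined host, no bind DN
HARDENED_CONF = """\
[sssd]
domains = MS_AD
services = nss,pam
config_file_version = 2

[domain/MS_AD]
id_provider = ad
auth_provider = ad
ad_domain = example.com
ldap_id_mapping = True
override_homedir = /home/%u
"""


def load_conf(text):
    # interpolation=None: sssd values such as /home/%u are not configparser substitutions
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def lint_domain(cp, section):
    """Return (section, key, message) findings for one [domain/...] section."""
    d = cp[section]
    findings = []

    def flag(key, msg):
        findings.append((section, key, msg))

    if d.get("ldap_tls_reqcert", "").lower() == "never":
        flag("ldap_tls_reqcert",
             "server certificate is not verified; use 'demand' together with ldap_tls_cacert")
    if "ldap_default_authtok" in d:
        flag("ldap_default_authtok",
             "bind password stored in clear text; keep sssd.conf root-only (0600) "
             "or use the AD provider with GSSAPI and no bind DN")
    uri = d.get("ldap_uri", "")
    if uri.startswith("ldap://") and d.get("ldap_id_use_start_tls", "false").lower() != "true":
        flag("ldap_uri",
             "identity lookups are sent without TLS; set ldap_id_use_start_tls = true or use ldaps://")
    if d.get("id_provider") == "ldap" and d.get("ldap_schema", "").lower() == "ad":
        flag("id_provider",
             "LDAP provider used against AD; id_provider = ad is the recommended superset")
    for key in ("ldap_user_objectsid", "ldap_group_objectsid"):
        val = d.get(key)
        if val is not None and val.lower() != "objectsid":
            flag(key, f"{val} is not a SID attribute; ID mapping derives POSIX IDs from the SID")
    return findings


def lint(text):
    """Lint every domain section of an sssd.conf given as text."""
    cp = load_conf(text)
    out = []
    for section in cp.sections():
        if section.startswith("domain/"):
            out.extend(lint_domain(cp, section))
    return out


if __name__ == "__main__":
    for section, key, msg in lint(SAMPLE_CONF):
        print(f"[{section}] {key}: {msg}")
    print("hardened findings:", lint(HARDENED_CONF))
```

`lint(open("/etc/sssd/sssd.conf").read())` works the same way on a live file; the hardened variant reports nothing because the AD provider carries no bind DN, no stored password and no hand-mapped SID attributes.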