On Mon, Oct 23, 2017 at 10:11:50AM +0200, Jeremy Monnet wrote:
Hi,
On Sat, Oct 21, 2017 at 8:56 PM, Jakub Hrozek jhrozek@redhat.com wrote:
On Fri, Oct 20, 2017 at 04:39:54PM +0200, Jeremy Monnet wrote:
Hi,
I have that error message that I do not understand, because I have 2 Ubuntu servers set up the same way (but 1 Ubuntu 14.04 and 1 Ubuntu 16.04). Ubuntu 14 is working fine, I can authenticate and sudo just fine; Ubuntu 16 can list users and groups but I cannot authenticate nor sudo. And I see in the sssd_domain.log:
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_server_status] (0x1000): Status of server '<servername>' is 'name resolved'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_port_status] (0x1000): Port status of port 389 for server '<servername>' is 'not working'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_server_status] (0x1000): Status of server '<servername2>' is 'name resolved'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [get_port_status] (0x1000): Port status of port 389 for server '<servername2>' is 'not working'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Fri Oct 20 16:27:29 2017) [sssd[be[domain]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
Of course, port 389 is indeed reachable, and I have joined and re-joined the domain several times, deleted the computer object in AD, checked several times that the keytab was created, and that I could kinit with it...
One thing is that I join a child AD domain and try to log in with an account from the main domain; that is probably an issue, but as that works on the other Ubuntu with the same setup, I am stuck...
Can you show the whole log, or the first time the 'not working' message appeared since the sssd restart?
I have tried to sanitize the whole log file, but there are too many accounts, servers, etc. appearing in the logs, so I will try to provide you just the required snippets. In parallel I will open a new thread, because I am not sure of the setup I use, and I haven't been able to find the recommended way of configuring AD auth in real life (i.e. with multiple domains, firewalls blocking the ports, etc.).
So I have restarted sssd this morning, clearing the logs in between, and I get:
root@server:/var/log/sssd# grep "Port status of port" sssd_<domain>.log
(Mon Oct 23 09:37:28 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'neutral'
(Mon Oct 23 09:37:38 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'neutral'
(Mon Oct 23 09:37:38 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad2>.<domain>' is 'working'
(Mon Oct 23 09:39:12 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'neutral'
(Mon Oct 23 09:39:12 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad2>.<domain>' is 'neutral'
(Mon Oct 23 09:39:12 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad1>.<domain>' is 'not working'
(Mon Oct 23 09:39:12 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad2>.<domain>' is 'not working'
(Mon Oct 23 09:39:12 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad1>.<domain>' is 'not working'
(Mon Oct 23 09:39:12 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad2>.<domain>' is 'not working'
(Mon Oct 23 09:39:20 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad2>.<domain>' is 'working'
(Mon Oct 23 09:39:20 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad2>.<domain>' is 'working'
(Mon Oct 23 09:39:31 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad2>.<domain>' is 'working'
(Mon Oct 23 09:40:31 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad2>.<domain>' is 'neutral'
(Mon Oct 23 09:40:31 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad1>.<domain>' is 'working'
(Mon Oct 23 09:40:31 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad1>.<domain>' is 'working'
(Mon Oct 23 09:42:38 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 3268 for server '<ad1>.<domain>' is 'neutral'
(Mon Oct 23 09:42:38 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): Port status of port 389 for server '<ad1>.<domain>' is 'working'
In the attached snippet you will find all (Mon Oct 23 09:39:12 2017)
This sounds wrong:
[sdap_kinit_send] (0x0400): Attempting kinit (default, host/<servername>.<subdomain>.<domain>, <SUBDOMAIN>.<DOMAIN>, 86400)
With AD, you normally want to use the SHORTNAME$@REALM principal, not the host/hostname principal, because the latter is only a service principal, not a user/computer one.
But since you're using id_provider=ad, sssd should have already picked up that principal... is the SHORTNAME$@REALM principal in your keytab at all?
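The triage Jakub asks for (first 'not working' per server since the restart, and how the status flipped afterwards) is tedious to do by eye when the get_port_status records are pasted onto one line as above. The following is an added example, not code from the thread or from sssd: it re-splits the pasted records, parses the failover status lines, and reports the transitions per (server, port). The sample input is constructed from the records quoted in the thread.

```python
import re

# Constructed sample, modelled on the records quoted in the thread; the paste
# ran several records together on one line, exactly as in the original mail.
SAMPLE = (
    "(Mon Oct 23 09:37:38 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): "
    "Port status of port 389 for server '<ad2>.<domain>' is 'working' "
    "(Mon Oct 23 09:39:12 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): "
    "Port status of port 389 for server '<ad1>.<domain>' is 'not working' "
    "(Mon Oct 23 09:39:12 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): "
    "Port status of port 389 for server '<ad2>.<domain>' is 'not working' "
    "(Mon Oct 23 09:39:12 2017) [sssd[be[<domain>]]] [fo_resolve_service_send] (0x0020): "
    "No available servers for service 'AD' "
    "(Mon Oct 23 09:39:20 2017) [sssd[be[<domain>]]] [get_port_status] (0x1000): "
    "Port status of port 389 for server '<ad2>.<domain>' is 'working'"
)

# A new record starts at "(<weekday> <month> ..."; the whitespace before it is consumed.
RECORD_START = re.compile(r"\s+(?=\((?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} )")

# The failover status record written by the sssd backend at debug level 0x1000.
PORT_STATUS = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[[^\]]*\]\]\] \[get_port_status\] \(0x[0-9a-f]+\): "
    r"Port status of port (?P<port>\d+) for server '(?P<server>[^']+)' is '(?P<status>[^']+)'$"
)


def split_records(text):
    """Re-split log records that were pasted onto a single line."""
    return [r for r in RECORD_START.split(text.strip()) if r]


def summarize(text):
    """Per (server, port): the ordered status transitions and the first 'not working' timestamp."""
    summary = {}
    for rec in split_records(text):
        m = PORT_STATUS.match(rec)
        if not m:
            continue  # resolver, kinit and other record types are not status lines
        key = (m["server"], int(m["port"]))
        entry = summary.setdefault(key, {"transitions": [], "first_not_working": None})
        if not entry["transitions"] or entry["transitions"][-1][1] != m["status"]:
            entry["transitions"].append((m["ts"], m["status"]))  # record only changes
        if m["status"] == "not working" and entry["first_not_working"] is None:
            entry["first_not_working"] = m["ts"]
    return summary


if __name__ == "__main__":
    for (server, port), entry in summarize(SAMPLE).items():
        print(f"{server}:{port}  first 'not working' at {entry['first_not_working']}")
        for ts, status in entry["transitions"]:
            print(f"    {ts}  {status}")
```

Run it against the real sssd_<domain>.log (after `grep "Port status of port"`) to see which DC went 'not working' first and whether it ever recovered, which is what separates a port-reachability problem from a kinit problem like the one Jakub points at.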