On Thu, Mar 19, 2015 at 09:19:42PM +0000, Christopher Butt wrote:
Hi, I'm trying to authenticate against an AD domain. The first domain I did this on was almost flawlessly easy, but this time, on a different domain I'm having problems. I've searched, but I've mostly got fixed bugs from old versions. Like this one: https://bugzilla.redhat.com/show_bug.cgi?id=886848 which suggests that case sensitivity might have been an issue. Is it still one?
My symptoms:
- Some domain users aren't being recognised at all,
- Some users are not getting the full groups list, eg just 'domain users'
- Some users are connecting apparently fine with lots of AD groups visible from an 'id' or 'groups' command. So far it seems that the domain admins all work fine, but it's not clear if that's a coincidence or not.
I've set up SSSD using realmd as follows:
realm join -v internal.mydomain.com --user jn-monty --computer-ou=OU=Linux\ Servers,OU=Member\ Servers,DC=internal,DC=mydomain,DC=com
(jn-monty is a domain-admin in this case.)
[root@myserver admin]# sssd --version
1.12.2

[root@myserver admin]# cat /etc/sssd/sssd.conf
[sssd]
domains = internal.mydomain.com
config_file_version = 2
services = nss, pam, pac

[domain/internal.mydomain.com]
ad_domain = internal.mydomain.com
krb5_realm = INTERNAL.MYDOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
debug_level = 5
auth_provider = ad
If I 'id' a missing user I get the following in the logs:
[root@myserver admin]# id bqt-pmimon@internal.mydomain.com
(Thu Mar 19 19:32:54 2015) [sssd[be[internal.mydomain.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=bqt-pmimon]
(Thu Mar 19 19:32:54 2015) [sssd[be[internal.mydomain.com]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Invalid attribute syntax]
I think this is a known bug Sumit has a patch for:
https://fedorahosted.org/sssd/ticket/2588
I've started reviewing it but didn't finish the review. I'll finish the reviews and build a test package for you.
(Thu Mar 19 19:32:54 2015) [sssd[be[internal.mydomain.com]]] [sysdb_set_entry_attr] (0x0040): Error: 22 (Invalid argument)
(Thu Mar 19 19:32:54 2015) [sssd[be[internal.mydomain.com]]] [sdap_save_user] (0x0020): Failed to save user [BQT-PMimon]
(Thu Mar 19 19:32:54 2015) [sssd[be[internal.mydomain.com]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
(Thu Mar 19 19:32:54 2015) [sssd[be[internal.mydomain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
id: bqt-pmimon@internal.mydomain.com: no such user
If I 'id' a working user I get the following:
[root@myserver admin]# id bqt-imartin@internal.mydomain.com
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=bqt-imartin]
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [be_resolve_server_process] (0x0200): Found address for server production-dc03v.internal.mydomain.com: [10.244.121.197] TTL 3600
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4]
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [be_resolve_server_process] (0x0200): Found address for server production-dc03v.internal.mydomain.com: [10.244.121.197] TTL 3600
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [child_sig_handler] (0x0100): child [14296] finished successfully.
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: myserver$
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'production-dc03v.internal.mydomain.com' as 'working'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [set_server_common_status] (0x0100): Marking server 'production-dc03v.internal.mydomain.com' as 'working'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [be_get_account_info] (0x0200): Got request for [0x1002][1][idnumber=680800513]
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.internal.mydomain.com'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [be_get_account_info] (0x0200): Got request for [0x1003][1][name=bqt-imartin]
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'production-dc03v.internal.mydomain.com' in files
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'production-dc03v.internal.mydomain.com' in files
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'production-dc03v.internal.mydomain.com' in DNS
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_gc._tcp.Prodtown._sites.trainline.com'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_gc._tcp.trainline.com'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'AD_GC' as 'resolved'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [be_resolve_server_process] (0x0200): Found address for server production-dc03v.internal.mydomain.com: [10.244.121.197] TTL 3600
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://production-dc03v.internal.mydomain.com'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://production-dc03v.internal.mydomain.com:3268'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4]
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [be_resolve_server_process] (0x0200): Found address for server production-dc03v.internal.mydomain.com: [10.244.121.197] TTL 3600
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://production-dc03v.internal.mydomain.com'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://production-dc03v.internal.mydomain.com'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [child_sig_handler] (0x0100): child [14297] finished successfully.
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: myserver$
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [fo_set_port_status] (0x0100): Marking port 3268 of server 'production-dc03v.internal.mydomain.com' as 'working'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [set_server_common_status] (0x0100): Marking server 'production-dc03v.internal.mydomain.com' as 'working'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such attribute]
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sysdb_update_members_ex] (0x0020): Could not remove member [bqt-imartin] from group [name=DLG-SC-vCenter Admin,cn=groups,cn=internal.mydomain.com,cn=sysdb]. Skipping
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such attribute]
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sysdb_update_members_ex] (0x0020): Could not remove member [bqt-imartin] from group [name=DLG-SC-Linux Admins,cn=groups,cn=internal.mydomain.com,cn=sysdb]. Skipping
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
uid=680803710(bqt-imartin@internal.mydomain.com) gid=680800513(domain users@internal.mydomain.com) groups=680800513(domain users@internal.mydomain.com)
[root@myserver admin]# id bqt-imartin@internal.mydomain.com
It would be nice to see more verbose logs with the test package I'll give you.
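As an added example, not part of this thread and not sssd's own code: a small Python parser for the backend debug-log format quoted above. It pairs each name lookup with a later "Failed to save user" message, reports the ldb error logged in between, and flags when the name AD returned differs from the requested name only in case, which is the symptom the first message asks about. The sample lines are constructed after Christopher's paste.

```python
import re

# Format of one sssd backend debug line, as pasted in the thread:
#   (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)"
)
REQ_RE = re.compile(r"Got request for \[0x[0-9a-f]+\]\[\d+\]\[name=(?P<name>[^\]]+)\]")
ERR_RE = re.compile(r"ldb_modify failed: \[(?P<err>[^\]]+)\]")
FAIL_RE = re.compile(r"Failed to save user \[(?P<name>[^\]]+)\]")

def parse(line):
    """Split one debug line into its fields; None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_dropped_users(lines):
    """One finding per name lookup whose sysdb save failed: the name that was
    requested, the name AD returned, the ldb error, and whether the two names
    differ only in case (the symptom the thread asks about)."""
    findings, requested, last_err = [], None, None
    for raw in lines:
        rec = parse(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if m := REQ_RE.search(msg):        # new lookup starts; reset state
            requested, last_err = m.group("name"), None
        elif m := ERR_RE.search(msg):      # remember the ldb error for this lookup
            last_err = m.group("err")
        elif (m := FAIL_RE.search(msg)) and requested is not None:
            returned = m.group("name")
            findings.append({
                "requested": requested,
                "returned": returned,
                "error": last_err,
                "case_mismatch": returned != requested
                                 and returned.lower() == requested.lower(),
            })
    return findings

# Constructed sample modelled on the lines pasted in the thread.
SAMPLE = """\
(Thu Mar 19 19:32:54 2015) [sssd[be[internal.mydomain.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=bqt-pmimon]
(Thu Mar 19 19:32:54 2015) [sssd[be[internal.mydomain.com]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Invalid attribute syntax]
(Thu Mar 19 19:32:54 2015) [sssd[be[internal.mydomain.com]]] [sdap_save_user] (0x0020): Failed to save user [BQT-PMimon]
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=bqt-imartin]
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
""".splitlines()
```

Running `find_dropped_users` over a real `sssd_<domain>.log` gives a list of exactly which users were silently dropped at save time, which `id` alone reports only as "no such user".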