Thanks very much, Sumit. That did fix the 'some domain users aren't being recognised at all' problem, though it didn't fix 'not recognising all the groups'. I tried adding 'ldap_group_uuid = NotExistingAttribute' as well, in case that's a real command, but that didn't get me anywhere.
I'll try the new build Jakub provided and see if that fixes that part. Much appreciated! Chris
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Sumit Bose
Sent: 20 March 2015 10:03
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] ldb_modify_failed invalid attribute syntax
On Thu, Mar 19, 2015 at 09:19:42PM +0000, Christopher Butt wrote:
Hi, I'm trying to authenticate against an AD domain. The first domain I did this on was almost flawlessly easy, but this time, on a different domain I'm having problems. I've searched, but I've mostly got fixed bugs from old versions. Like this one: https://bugzilla.redhat.com/show_bug.cgi?id=886848 which suggests that case sensitivity might have been an issue. Is it still one?
My symptoms:
- Some domain users aren't being recognised at all,
- Some users are not getting the full groups list, e.g. just 'domain users'
- Some users are connecting apparently fine with lots of AD groups visible from an 'id' or 'groups' command. So far it seems that the domain admins all work fine, but it's not clear if that's a coincidence or not.
Maybe you are hitting https://fedorahosted.org/sssd/ticket/2588 . If the binary objectGuid attribute of the not recognised user starts with a 0 SSSD will currently fail. There is a patch for this under review in the sssd-devel list. If you cannot wait for the fix to be released you can set
ldap_user_uuid = notExistingAttributeName
in the domain section of sssd.conf to not read the objectGUID attribute from AD.
HTH
bye, Sumit
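A small diagnostic for the objectGUID condition Sumit describes, added here as an illustration and not code from the thread or from SSSD itself: it reads "starts with a 0" as a leading 0x00 byte in the raw 16-byte attribute value (an assumption), converts the raw bytes to the dashed GUID text that AD tools display, and flags which accounts would hit ticket 2588. The GUID values are constructed; only the account names come from the thread.

```python
import uuid

# Constructed sample objectGUID values in the raw 16-byte form AD returns;
# the first starts with a 0x00 byte, the second does not.
SAMPLE_GUIDS = {
    "bqt-pmimon": bytes.fromhex("00a1b2c3d4e5f60718293a4b5c6d7e8f"),
    "bqt-imartin": bytes.fromhex("5ca1b2c3d4e5f60718293a4b5c6d7e8f"),
}


def guid_to_string(raw: bytes) -> str:
    """Render raw objectGUID bytes as the dashed text form AD tools display.

    AD stores the first three GUID fields little-endian, so the raw byte
    order differs from the displayed hex order; uuid handles that via bytes_le.
    """
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def has_leading_nul(raw: bytes) -> bool:
    """True if the raw attribute value begins with a 0x00 byte.

    Assumption: this is what "starts with a 0" means in the thread; a
    string-based store truncates such a value at the NUL, leaving an empty
    string that ldb rejects with "Invalid attribute syntax".
    """
    return len(raw) == 16 and raw[0] == 0


def has_leading_nul_from_string(guid_text: str) -> bool:
    """Same check starting from the displayed GUID string (e.g. from ADUC)."""
    return has_leading_nul(uuid.UUID(guid_text).bytes_le)


def triage(entries: dict) -> list:
    """Return, sorted, the account names whose objectGUID would trigger the bug."""
    return sorted(name for name, raw in entries.items() if has_leading_nul(raw))


if __name__ == "__main__":
    for name, raw in SAMPLE_GUIDS.items():
        print(f"{name}: {guid_to_string(raw)} affected={has_leading_nul(raw)}")
```

Accounts this flags are the ones the ldap_user_uuid workaround above is aimed at; the rest should resolve normally.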
I've set up SSSD using realmd as follows:
realm join -v internal.mydomain.com --user jn-monty --computer-ou=OU=Linux\ Servers,OU=Member\ Servers,DC=internal,DC=mydomain,DC=com
(jn-monty is a domain-admin in this case.)
[root@myserver admin]# sssd --version
1.12.2
[root@myserver admin]# cat /etc/sssd/sssd.conf
[sssd]
domains = internal.mydomain.com
config_file_version = 2
services = nss, pam, pac

[domain/internal.mydomain.com]
ad_domain = internal.mydomain.com
krb5_realm = INTERNAL.MYDOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
debug_level = 5
auth_provider = ad
If I 'id' a missing user I get the following in the logs:
[root@myserver admin]# id bqt-pmimon@internal.mydomain.com
(Thu Mar 19 19:32:54 2015) [sssd[be[internal.mydomain.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=bqt-pmimon]
(Thu Mar 19 19:32:54 2015) [sssd[be[internal.mydomain.com]]] [sysdb_set_entry_attr] (0x0080): ldb_modify failed: [Invalid attribute syntax]
(Thu Mar 19 19:32:54 2015) [sssd[be[internal.mydomain.com]]] [sysdb_set_entry_attr] (0x0040): Error: 22 (Invalid argument)
(Thu Mar 19 19:32:54 2015) [sssd[be[internal.mydomain.com]]] [sdap_save_user] (0x0020): Failed to save user [BQT-PMimon]
(Thu Mar 19 19:32:54 2015) [sssd[be[internal.mydomain.com]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
(Thu Mar 19 19:32:54 2015) [sssd[be[internal.mydomain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
id: bqt-pmimon@internal.mydomain.com: no such user
If I 'id' a working user I get the following:
[root@myserver admin]# id bqt-imartin@internal.mydomain.com
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=bqt-imartin]
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [be_resolve_server_process] (0x0200): Found address for server production-dc03v.internal.mydomain.com: [10.244.121.197] TTL 3600
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4]
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [be_resolve_server_process] (0x0200): Found address for server production-dc03v.internal.mydomain.com: [10.244.121.197] TTL 3600
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [child_sig_handler] (0x0100): child [14296] finished successfully.
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: myserver$
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'production-dc03v.internal.mydomain.com' as 'working'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [set_server_common_status] (0x0100): Marking server 'production-dc03v.internal.mydomain.com' as 'working'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [be_get_account_info] (0x0200): Got request for [0x1002][1][idnumber=680800513]
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.internal.mydomain.com'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [be_get_account_info] (0x0200): Got request for [0x1003][1][name=bqt-imartin]
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'production-dc03v.internal.mydomain.com' in files
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'production-dc03v.internal.mydomain.com' in files
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'production-dc03v.internal.mydomain.com' in DNS
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_gc._tcp.Prodtown._sites.trainline.com'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_gc._tcp.trainline.com'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'AD_GC' as 'resolved'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [be_resolve_server_process] (0x0200): Found address for server production-dc03v.internal.mydomain.com: [10.244.121.197] TTL 3600
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://production-dc03v.internal.mydomain.com'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://production-dc03v.internal.mydomain.com:3268'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4]
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [be_resolve_server_process] (0x0200): Found address for server production-dc03v.internal.mydomain.com: [10.244.121.197] TTL 3600
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://production-dc03v.internal.mydomain.com'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://production-dc03v.internal.mydomain.com'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [child_sig_handler] (0x0100): child [14297] finished successfully.
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: myserver$
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [fo_set_port_status] (0x0100): Marking port 3268 of server 'production-dc03v.internal.mydomain.com' as 'working'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [set_server_common_status] (0x0100): Marking server 'production-dc03v.internal.mydomain.com' as 'working'
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such attribute]
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sysdb_update_members_ex] (0x0020): Could not remove member [bqt-imartin] from group [name=DLG-SC-vCenter Admin,cn=groups,cn=internal.mydomain.com,cn=sysdb]. Skipping
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such attribute]
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [sysdb_update_members_ex] (0x0020): Could not remove member [bqt-imartin] from group [name=DLG-SC-Linux Admins,cn=groups,cn=internal.mydomain.com,cn=sysdb]. Skipping
(Thu Mar 19 20:12:55 2015) [sssd[be[internal.mydomain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
uid=680803710(bqt-imartin@internal.mydomain.com) gid=680800513(domain users@internal.mydomain.com) groups=680800513(domain users@internal.mydomain.com)
[root@myserver admin]# id bqt-imartin@internal.mydomain.com
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users