Hi Guys,
I have 2 Ubuntu 16.04 servers that have their users run by AD. The sssd.conf and the output of "realm list" are identical for both servers. However, one of them can't seem to find the AD users, so ssh fails. I tried doing id <user> and getent passwd <user> and it doesn't find them.
Do you know what the issue might be?
Thanks,
Thomas
Here is my sssd.conf:
# cat /etc/sssd/sssd.conf
[autofs]
debug_level=1

[krb5]
debug_level=1

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3
debug_level=1

[sssd]
domains = MYDOMAIN.ca
config_file_version = 2
services = nss, pam, ssh, autofs
debug_level=1

[domain/MYDOMAIN.ca]
ad_domain = MYDOMAIN.ca
krb5_realm = MYDOMAIN.CA
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
#use_fully_qualified_names = True
override_homedir = /NAS/home/%u
fallback_homedir = /home/%u
access_provider = simple
debug_level=1
ignore_group_members=True
simple_allow_groups = perform_hpc
and output of realm list:
# realm list
MYDOMAIN.ca
  type: kerberos
  realm-name: MYDOMAIN.CA
  domain-name: MYDOMAIN?.ca
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups:
On Tue, Jun 18, 2019 at 06:57:14PM +0000, Thomas Beaudry wrote:
> Hi Guys,
> I have 2 Ubuntu 16.04 servers that have their users run by AD. The sssd.conf and the output of "realm list" are identical for both servers. However, one of them can't seem to find the AD users, so ssh fails. I tried doing id <user> and getent passwd <user> and it doesn't find them.
> Do you know what the issue might be?
Not without logs, see: https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Hi Jakub,
Thanks for the link. I followed the troubleshooting steps and I notice I can't reach the data provider mentioned in step 4 ("If the command is reaching the NSS responder, does it get forwarded to the Data Provider?").
If I look at my sssd_nss log, this is what I get at the timestamp that matches my id <username> command:
(Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/MYDOMAIN.ca/root] to negative cache permanently
(Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/MYDOMAIN.ca/root] to negative cache permanently
(Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41eb90:domains@MYDOMAIN.ca]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [admin].
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'admin' matched without domain, user is admin
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [admin] from [<ALL>]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [admin@MYDOMAIN.ca]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41d420:1:admin@MYDOMAIN.ca]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [MYDOMAIN.ca][0x1001][FAST BE_REQ_USER][1][name=admin]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41d420:1:admin@MYDOMAIN.ca]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 1, 11, Fast reply - offline Will try to return what we have in cache
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41d420:1:admin@MYDOMAIN.ca]
(Tue Jun 25 15:14:41 2019) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
What would be the next step?
Thanks! Thomas
On Tue, Jun 25, 2019 at 07:25:45PM +0000, Thomas Beaudry wrote:
> Hi Jakub,
> Thanks for the link. I followed the troubleshooting steps and I notice I can't reach the data provider mentioned in step 4 ("If the command is reaching the NSS responder, does it get forwarded to the Data Provider?").
> If I look at my sssd_nss log, this is what I get at the timestamp that matches my id <username> command:
> (Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
> (Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/MYDOMAIN.ca/root] to negative cache permanently
> (Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
> (Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/MYDOMAIN.ca/root] to negative cache permanently
> (Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41eb90:domains@MYDOMAIN.ca]
> (Tue Jun 25 15:14:41 2019) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
> (Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> (Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> (Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17][SSS_NSS_GETPWNAM] with input [admin].
> (Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'admin' matched without domain, user is admin
> (Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [admin] from [<ALL>]
> (Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [admin@MYDOMAIN.ca]
> (Tue Jun 25 15:14:41 2019) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a LOCAL view, continuing with provided values.
> (Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41d420:1:admin@MYDOMAIN.ca]
> (Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [MYDOMAIN.ca][0x1001][FAST BE_REQ_USER][1][name=admin]
The request gets forwarded to the data provider here..
> (Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41d420:1:admin@MYDOMAIN.ca]
> (Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 1, 11, Fast reply - offline
..but the data provider replies immediately because it had switched to the offline mode. For one reason or another, sssd_be couldn't reach any of the configured or auto-discovered servers.
> (Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41d420:1:admin@MYDOMAIN.ca]
> (Tue Jun 25 15:14:41 2019) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
> What would be the next step?
I would suggest looking at the sssd_MYDOMAIN.log files and look for messages that contain strings like "marking server XYZ as NOT_WORKING" or "Going offline". Then look for the request a little earlier, that's what causes sssd to go offline.
Hi again,
Okay, so I looked at my sssd_MYDOMAIN log and I get:
(Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [request_watch_destructor] (0x0400): Deleting request watch
(Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [fo_discover_srv_done] (0x0400): Got answer. Processing...
(Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [fo_discover_srv_done] (0x0400): Got 5 servers
(Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [ad_get_dc_servers_done] (0x0400): Found 5 domain controllers in domain MYDOMAIN.ca
(Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [ad_srv_plugin_dcs_done] (0x0400): About to locate suitable site
(Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_connect_host_send] (0x0400): Resolving host dc.MYDOMAIN.ca
(Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'dc.MYDOMAIN.ca' in files
(Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'dc.MYDOMAIN.ca' in files
(Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'dc.MYDOMAIN.ca' in DNS
(Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [request_watch_destructor] (0x0400): Deleting request watch
(Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_connect_host_resolv_done] (0x0400): Connecting to ldap://dc.MYDOMAIN.ca:389
(Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_connect_host_done] (0x0400): Successful connection to ldap://dc.MYDOMAIN.ca:389
(Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(DnsDomain=MYDOMAIN.ca)(NtVer=\14\00\00\00))][].
(Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [ad_get_client_site_done] (0x0400): Found site: Default-First-Site-Name
(Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [ad_srv_plugin_site_done] (0x0400): About to discover primary and backup servers
(Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [fo_discover_servers_send] (0x0400): Looking up primary servers
(Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'ldap'. Will use DNS discovery domain 'Default-First-Site-Name._sites.MYDOMAIN.ca'
(Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.ca'
(Tue Jun 25 16:17:21 2019) [sssd[be[MYDOMAIN.ca]]] [fo_resolve_service_timeout] (0x0080): Service resolving timeout reached
(Tue Jun 25 16:17:21 2019) [sssd[be[MYDOMAIN.ca]]] [request_watch_destructor] (0x0400): Deleting request watch
(Tue Jun 25 16:17:21 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error]
Thanks! Thomas
On Tue, Jun 25, 2019 at 08:25:44PM +0000, Thomas Beaudry wrote:
> Hi again,
> Okay, so I looked at my sssd_MYDOMAIN log and I get:
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [request_watch_destructor] (0x0400): Deleting request watch
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [fo_discover_srv_done] (0x0400): Got answer. Processing...
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [fo_discover_srv_done] (0x0400): Got 5 servers
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [ad_get_dc_servers_done] (0x0400): Found 5 domain controllers in domain MYDOMAIN.ca
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [ad_srv_plugin_dcs_done] (0x0400): About to locate suitable site
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_connect_host_send] (0x0400): Resolving host dc.MYDOMAIN.ca
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'dc.MYDOMAIN.ca' in files
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'dc.MYDOMAIN.ca' in files
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'dc.MYDOMAIN.ca' in DNS
Looks like it took 2 seconds here to resolve a DNS record..
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [request_watch_destructor] (0x0400): Deleting request watch
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_connect_host_resolv_done] (0x0400): Connecting to ldap://dc.MYDOMAIN.ca:389
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_connect_host_done] (0x0400): Successful connection to ldap://dc.MYDOMAIN.ca:389
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(DnsDomain=MYDOMAIN.ca)(NtVer=\14\00\00\00))][].
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [ad_get_client_site_done] (0x0400): Found site: Default-First-Site-Name
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [ad_srv_plugin_site_done] (0x0400): About to discover primary and backup servers
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [fo_discover_servers_send] (0x0400): Looking up primary servers
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'ldap'. Will use DNS discovery domain 'Default-First-Site-Name._sites.MYDOMAIN.ca'
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.ca'
..and then another 2 seconds here, which caused a timeout in the server discovery.
Does it help to increase the dns_resolver_timeout from its default of 6 seconds? Please see the note in man sssd-ad; there are several timeouts that might need to be increased in unison. Can you try e.g.:

ldap_opt_timeout = 20
dns_resolver_timeout = 10
(This might even be too high, but let's see..)
> (Tue Jun 25 16:17:21 2019) [sssd[be[MYDOMAIN.ca]]] [fo_resolve_service_timeout] (0x0080): Service resolving timeout reached
> (Tue Jun 25 16:17:21 2019) [sssd[be[MYDOMAIN.ca]]] [request_watch_destructor] (0x0400): Deleting request watch
> (Tue Jun 25 16:17:21 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error]
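Jakub's advice in this reply and in his earlier one (grep the domain log for "going offline" or "marking server ... as NOT_WORKING", then look at the request just before it; here the two 2-second DNS waits are what exhausted the discovery timeout) can be turned into a small triage script. The following is an added example, not code from the thread or from the SSSD project: it parses sssd's debug-log line format, finds the first offline marker, and reports which steps before it sssd spent the longest waiting on. The sample log is a trimmed copy of the domain-log lines Thomas posted above; the set of marker strings and the 1-second "slow step" threshold are my assumptions, as is the log path mentioned in the comments.

```python
"""Triage an sssd domain-log excerpt: find where the back end went offline and
which steps before that point were slow (added example, not SSSD code)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# One sssd debug line: (timestamp) [process] [function] (level): message
# The process field can itself contain brackets, e.g. sssd[be[MYDOMAIN.ca]].
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>.*?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"  # e.g. "Tue Jun 25 16:17:17 2019"

# Markers that the failover code gave up (assumed list: the two strings Jakub
# suggested grepping for, the resolver timeout seen in the thread, and the
# responder-side symptom from sssd_nss.log).
OFFLINE_MARKERS = (
    re.compile(r"going offline", re.IGNORECASE),
    re.compile(r"marking server .* as NOT_WORKING", re.IGNORECASE),
    re.compile(r"Service resolving timeout reached"),
    re.compile(r"Fast reply - offline"),
)


@dataclass
class Entry:
    ts: datetime
    proc: str
    func: str
    level: int
    msg: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; None for lines that are not in sssd's debug format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(datetime.strptime(m["ts"], TS_FMT), m["proc"], m["func"],
                 int(m["level"], 16), m["msg"])


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def is_offline_marker(entry: Entry) -> bool:
    return any(p.search(entry.msg) for p in OFFLINE_MARKERS)


def slow_steps(entries: List[Entry], threshold_s: float = 1.0) -> List[Tuple[str, str, float]]:
    """(function, message, seconds) for every line whose successor was logged at
    least threshold_s later, i.e. the step sssd was blocked in."""
    out = []
    for cur, nxt in zip(entries, entries[1:]):
        gap = (nxt.ts - cur.ts).total_seconds()
        if gap >= threshold_s:
            out.append((cur.func, cur.msg, gap))
    return out


def triage(text: str, threshold_s: float = 1.0) -> dict:
    """Locate the first offline marker and summarise the lead-up to it."""
    entries = parse_log(text)
    idx = next((i for i, e in enumerate(entries) if is_offline_marker(e)), None)
    if idx is None:
        return {"offline": None, "elapsed_s": 0.0, "slow_steps": []}
    lead_up = entries[: idx + 1]
    return {
        "offline": f"{entries[idx].func}: {entries[idx].msg}",
        "elapsed_s": (lead_up[-1].ts - lead_up[0].ts).total_seconds(),
        "slow_steps": slow_steps(lead_up, threshold_s),
    }


# Trimmed copy of the domain-log lines posted in the thread (one discovery pass).
SAMPLE_LOG = """\
(Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [fo_discover_srv_done] (0x0400): Got 5 servers
(Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [ad_srv_plugin_dcs_done] (0x0400): About to locate suitable site
(Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_connect_host_send] (0x0400): Resolving host dc.MYDOMAIN.ca
(Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'dc.MYDOMAIN.ca' in DNS
(Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_connect_host_resolv_done] (0x0400): Connecting to ldap://dc.MYDOMAIN.ca:389
(Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [ad_get_client_site_done] (0x0400): Found site: Default-First-Site-Name
(Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.ca'
(Tue Jun 25 16:17:21 2019) [sssd[be[MYDOMAIN.ca]]] [fo_resolve_service_timeout] (0x0080): Service resolving timeout reached
(Tue Jun 25 16:17:21 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error]
"""

if __name__ == "__main__":
    # In practice read /var/log/sssd/sssd_MYDOMAIN.ca.log (assumed path) instead.
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample it reports the resolver timeout as the offline marker, 4 seconds elapsed in the discovery pass, and two 2-second waits, both in DNS lookups (the A record of the DC, then the site-specific SRV record). When the slow steps are all resolver calls, the thing to compare between the working and the failing server is the DNS resolver configuration rather than sssd.conf, which the thread says is identical on both.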
Hi Jakub,
So I tried

> Does it help to increase the dns_resolver_timeout from its default of 6
> seconds? Please see the note in man sssd-ad, there are several timeouts that might need to be increased in unison, can you try e.g.:
> ldap_opt_timeout = 20
> dns_resolver_timeout = 10

but it didn't fix the problem. Here is my domain log with the same timestamp as my id <user> command: https://pastebin.com/raw/swicNUPe
thanks, Thomas
On Thu, Jun 27, 2019 at 05:01:27PM +0000, Thomas Beaudry wrote:
OK, but now the error is different, right? At least in the domain log I see:

(Thu Jun 27 12:56:09 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Client not found in Kerberos database], expired on [0]

btw I find it odd that the log seemingly uses the host/hostname principal:

(Thu Jun 27 12:56:03 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_kinit_send] (0x0400): Attempting kinit (default, host/perform-capstone, MYDOMAIN.ca, 86400)
did you specify ldap_sasl_authid yourself or did sssd pick this principal? If sssd did pick this principal, can I see the whole log?
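The thread ends with Jakub's question about which principal sssd used for kinit. Whatever the answer, the check a practitioner would make on the failing host is to compare the principal from the "Attempting kinit" line with what the keytab actually holds. The code below is an added example, not from the thread or from SSSD: it pulls the principal out of the log line quoted above and parses plain `klist -k` output (no -t/-e flags). The keytab listing is constructed, deliberately showing the mismatch case where only the machine-account and FQDN principals exist; whether Thomas's keytab looks like that is exactly what is still unknown here.

```python
"""Compare the principal sssd_be tried to kinit with against the principals in
the host keytab (added example; sample keytab listing is constructed)."""
import re
from typing import List, Optional

# Domain-log line shape from the thread:
#   Attempting kinit (default, <principal>, <realm>, <lifetime>)
KINIT_RE = re.compile(
    r"Attempting kinit \(\w+, (?P<principal>[^,]+), (?P<realm>[^,]+), \d+\)"
)

# `klist -k` prints a "Keytab name:" line, a "KVNO Principal" header and a
# dashed rule, then one "<kvno> <principal>" row per key.
KLIST_ROW_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+)")


def kinit_principal(log_text: str) -> Optional[str]:
    """Principal name sssd_be passed to kinit, or None if no such line."""
    m = KINIT_RE.search(log_text)
    return m["principal"] if m else None


def keytab_principals(klist_output: str) -> List[str]:
    """Principal column of `klist -k` output, in file order."""
    return [m["principal"] for m in map(KLIST_ROW_RE.match, klist_output.splitlines()) if m]


def keytab_matches(klist_output: str, principal: str) -> List[str]:
    """Keytab entries whose name part (before '@') equals `principal`.
    An empty list means kinit was asked to use a name this keytab has no key
    for; a non-empty list means the keytab is fine and the 'Client not found'
    error has to be explained on the KDC side instead."""
    return [p for p in keytab_principals(klist_output) if p.split("@", 1)[0] == principal]


# Log line as quoted in the thread.
SAMPLE_LOG_LINE = (
    "(Thu Jun 27 12:56:03 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_kinit_send] (0x0400): "
    "Attempting kinit (default, host/perform-capstone, MYDOMAIN.ca, 86400)"
)

# Constructed `klist -k` output (assumption: this is NOT Thomas's real keytab).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 PERFORM-CAPSTONE$@MYDOMAIN.CA
   2 host/perform-capstone.mydomain.ca@MYDOMAIN.CA
"""

if __name__ == "__main__":
    # On a real host: run `klist -k` as root and pass its output instead.
    wanted = kinit_principal(SAMPLE_LOG_LINE)
    print(f"sssd tried: {wanted}")
    print(f"keytab has: {keytab_principals(SAMPLE_KLIST)}")
    print(f"matches:    {keytab_matches(SAMPLE_KLIST, wanted)}")
```

If the match list is empty on the failing host, the fix is on the client: point `ldap_sasl_authid` in [domain/MYDOMAIN.ca] at a principal that is present in the keytab (or re-join so the keytab gets the expected entries). If the principal is present, the keytab is not the problem and the computer object on the AD side is the next thing to look at.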