Hi,
I'm trying to authenticate with active-directory users (Windows Server 2008 R2) on my Ubuntu 16.04 workstation.
I used the steps in "SSSD and Active Directory" from the Ubuntu documentation.
Adding the computer-account to active-directory worked.
Running id <active-directory-user> also returns the correct active-directory-groups the user is in.
But I can't log in with the active-directory user.
content of /var/log/auth.log:
pam_sss(login:auth): authentication success; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=<active-directory-user>
pam_sss(login:account): Access denied for user<active-directory-user>: 4 (System error)
output of "service sssd status":
sssd.service - System Security Services Daemon
   Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mo 2016-07-25 12:47:37 CEST; 35min ago
  Process: 1913 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=0/SUCCESS)
 Main PID: 2088 (sssd)
   CGroup: /system.slice/sssd.service
           ├─2088 /usr/sbin/sssd -D -f
           ├─2092 /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain DOMAIN.LOCAL --uid 0 --gid 0 --debug-to-files
           ├─2131 /usr/lib/x86_64-linux-gnu/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
           └─2132 /usr/lib/x86_64-linux-gnu/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
Jul 25 12:49:21 ubuntu16 sssd_be[2092]: GSSAPI client step 1
Thank you very much for any help.
Best Regards
Frank
Hello,
We will need to see sssd debug logs of the failed login attempt to diagnose further.
https://fedorahosted.org/sssd/wiki/Troubleshooting
As a general suggestion, you can look for log messages similar to this in /var/log/sssd/sssd_<domain> and then look just prior to this in the logs for errors. A message like 'Got request for...<user>' in the logs is when the request hits the backend, and the message below is when the response from the backend is sent back to the client (PAM).
[be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success]
Kind regards, Justin Stephenson
On 07/28/2016 10:21 AM, Schiller Frank wrote:
_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
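The triage Justin describes above, scripted: an added example, not code from the thread or from the SSSD project. It runs awk over an SSSD domain log (/var/log/sssd/sssd_<domain>.log), prints the fatal/critical-level lines logged since the request entered the backend, and pulls out the PAM status that the backend handed back to pam_sss. The function names, and the "Got request" line in the constructed sample, are my own; the remaining sample lines are the ones quoted later in this thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from SSSD: the triage Justin
# describes, done with awk over an SSSD domain log such as
# /var/log/sssd/sssd_<domain>.log. Function and sample names are my own.

# Print every 0x0020/0x0040 (fatal/critical) line logged since the last
# "Got request" entry, followed by the last "Backend returned" line, i.e. the
# response SSSD handed back to pam_sss. $1 is the log file; exits 1 if no
# backend response is present.
sssd_triage_last_request() {
    awk '
        /Got request/ { errs_acc = ""; next }
        /\((0x0020|0x0040)\):/ { errs_acc = errs_acc $0 "\n" }
        /be_pam_handler_callback.*Backend returned:/ { errs = errs_acc; result = $0 }
        END {
            if (result == "") { print "no backend result found"; exit 1 }
            printf "%s", errs
            print result
        }
    ' "$1"
}

# Print the PAM status from the last "Backend returned: (dp_err, pam_status, msg)"
# line: 0 is PAM_SUCCESS, 4 is PAM_SYSTEM_ERR, the "System error" seen in auth.log.
sssd_backend_pam_status() {
    awk '
        /Backend returned: \(/ {
            s = $0
            sub(/^.*Backend returned: \([^,]*, */, "", s)
            sub(/,.*$/, "", s)
            code = s
        }
        END { if (code == "") exit 1; print code }
    ' "$1"
}

# Constructed sample log: the GPO failure lines quoted later in this thread,
# preceded by a constructed "Got request" line. Writes a temp file, prints its path.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
(Fri Jul 29 14:12:00 2016) [sssd[be[MMDE.LOCAL]]] [be_pam_handler] (0x0100): Got request with the following data
(Fri Jul 29 14:12:00 2016) [sssd[be[MMDE.LOCAL]]] [gpo_cse_done] (0x0020): ad_gpo_parse_gpo_child_response failed: [22][Das Argument ist ungültig]
(Fri Jul 29 14:12:00 2016) [sssd[be[MMDE.LOCAL]]] [ad_gpo_cse_done] (0x0400): gpo_guid: {31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jul 29 14:12:00 2016) [sssd[be[MMDE.LOCAL]]] [ad_gpo_cse_done] (0x0040): Unable to retrieve policy data: [22](Das Argument ist ungültig}
(Fri Jul 29 14:12:00 2016) [sssd[be[MMDE.LOCAL]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
(Fri Jul 29 14:12:00 2016) [sssd[be[MMDE.LOCAL]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, Das Argument ist ungültig) [Internal Error]
(Fri Jul 29 14:12:00 2016) [sssd[be[MMDE.LOCAL]]] [be_pam_handler_callback] (0x0100): Sending result [4][MMDE.LOCAL]
EOF
    echo "$f"
}

log=$(make_sample_log)
sssd_triage_last_request "$log"
echo "pam status returned to pam_sss: $(sssd_backend_pam_status "$log")"
```

Against the sample this prints the three error-level lines and the "Backend returned: (3, 4, ...)" line, and reports PAM status 4. On a real workstation, reproduce the failed login with debug_level raised in the domain section and point the functions at the actual domain log.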
Hello,
thanks for your help.
I have set the debug_level to 10 in /etc/sssd/sssd.conf, restarted the machine and tried to login with a domain user.
Log files (sssd_<DOMAIN>.log, sssd_pam.log, ...) are now generated in /var/log/sssd, but all are empty except sssd.log.
sssd.log is attached.
Kind regards.
Frank
-----Original Message----- From: Justin Stephenson [mailto:jstephen@redhat.com] Sent: Thursday, 28 July 2016 17:07 To: End-user discussions about the System Security Services Daemon Subject: [SSSD-users] Re: sssd System error
On Fri, Jul 29, 2016 at 05:52:51AM +0000, Schiller Frank wrote:
Hello,
thanks for your help.
I have set the debug_level to 10 in /etc/sssd/sssd.conf, restarted the machine and tried to login with a domain user.
In /var/log/sssd are now generated log-files (sssd_<DOMAIN>.log, sssd_pam.log, ....) but all are empty except sssd.log.
If you add debug_level only to the [sssd] section, then the debugging is enabled only for the sssd process itself, which doesn't really do much except watch the other processes.
You need to explicitly add debug_level to the appropriate section, see: https://fedorahosted.org/sssd/wiki/Troubleshooting#SSSDdebuglogs (last sentence in that paragraph)
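A check for the point Jakub makes above, as an added example that is not code from the thread or from SSSD: debug_level is read per section, so it must be present in the [domain/...] section (and [pam]/[nss] if those logs are wanted) rather than only under [sssd]. The helpers below parse an sssd.conf and report where debug_level is set; the function names and the sample configuration (with a placeholder domain name) are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from SSSD): SSSD applies debug_level
# per section, so a value under [sssd] alone makes only the monitor verbose and
# leaves sssd_<domain>.log, sssd_pam.log and sssd_nss.log empty, as seen above.

# Print one "section=level" line per section of the sssd.conf given as $1;
# "-" means the section has no debug_level of its own.
sssd_debug_levels() {
    awk '
        /^[[:space:]]*\[/ {
            if (sect != "") print sect "=" lvl
            sect = $0
            sub(/^[[:space:]]*\[/, "", sect)
            sub(/[]].*$/, "", sect)
            lvl = "-"
            next
        }
        /^[[:space:]]*debug_level[[:space:]]*=/ {
            lvl = $0
            sub(/^[^=]*=[[:space:]]*/, "", lvl)
            sub(/[[:space:]]+$/, "", lvl)
        }
        END { if (sect != "") print sect "=" lvl }
    ' "$1"
}

# Exit 0 when every domain/* section plus [pam] and [nss] carries a
# debug_level; otherwise print the sections that do not and exit 1.
sssd_check_debug_sections() {
    missing=$(sssd_debug_levels "$1" | awk -F= '
        ($1 ~ /^domain\// || $1 == "pam" || $1 == "nss") && $2 == "-" { print $1 }')
    if [ -n "$missing" ]; then
        printf 'debug_level missing in: %s\n' "$missing"
        return 1
    fi
    echo "debug_level set in all domain, pam and nss sections"
    return 0
}

# Constructed sample mirroring the thread: debug_level only under [sssd].
# DOMAIN.LOCAL is a placeholder. Writes a temp file and prints its path.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[sssd]
config_file_version = 2
domains = DOMAIN.LOCAL
services = nss, pam
debug_level = 10

[domain/DOMAIN.LOCAL]
id_provider = ad
access_provider = ad

[pam]

[nss]
EOF
    echo "$f"
}

conf=$(make_sample_conf)
sssd_debug_levels "$conf"
sssd_check_debug_sections "$conf" || echo "add debug_level to those sections, then restart sssd and retry the login"
```

To run it against the live file: sssd_check_debug_sections /etc/sssd/sssd.conf (the file is normally readable only by root). The awk parser is deliberately minimal: it understands the [section] / key = value layout SSSD uses and nothing more.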
Hello,
thanks. Now attached the sssd_<DOMAIN>.log
Kind regards Frank
-----Original Message----- From: Jakub Hrozek [mailto:jhrozek@redhat.com] Sent: Friday, 29 July 2016 13:44 To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: sssd System error
On Fri, Jul 29, 2016 at 12:26:13PM +0000, Schiller Frank wrote:
Hello,
thanks. Now attached the sssd_<DOMAIN>.log
Thank you. The system error happens when processing the GPO policies.
If you're not using them actually, you can disable GPO processing with: ad_gpo_access_control = permissive in the [domain] section.
Michal or Lukas (CC) were looking into the GPO code recently, they might know if this is a known issue or not.
Hello,
that was it. I can login now with active-directory user. We don't need the GPO on the Linux-Workstations.
Thank you very much for your support!
Frank
-----Original Message----- From: Jakub Hrozek [mailto:jhrozek@redhat.com] Sent: Friday, 29 July 2016 14:39 To: End-user discussions about the System Security Services Daemon Cc: mzidek@redhat.com; lslebodn@redhat.com Subject: [SSSD-users] Re: sssd System error
On (29/07/16 12:53), Schiller Frank wrote:
Hello,
that was it. I can login now with active-directory user. We don't need the GPO on the Linux-Workstations.
Thank you very much for your support!
It's not a solution, it's just a workaround. But if you do not want to use GPO for access control then it is a sufficient workaround.
There seems to be some problem with gpo child.
(Fri Jul 29 14:12:00 2016) [sssd[be[MMDE.LOCAL]]] [gpo_cse_done] (0x0020): ad_gpo_parse_gpo_child_response failed: [22][Das Argument ist ungültig]
(Fri Jul 29 14:12:00 2016) [sssd[be[MMDE.LOCAL]]] [ad_gpo_cse_done] (0x0400): gpo_guid: {31B2F340-016D-11D2-945F-00C04FB984F9}
(Fri Jul 29 14:12:00 2016) [sssd[be[MMDE.LOCAL]]] [ad_gpo_cse_done] (0x0040): Unable to retrieve policy data: [22](Das Argument ist ungültig}
(Fri Jul 29 14:12:00 2016) [sssd[be[MMDE.LOCAL]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
(Fri Jul 29 14:12:00 2016) [sssd[be[MMDE.LOCAL]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, Das Argument ist ungültig) [Internal Error]
(Fri Jul 29 14:12:00 2016) [sssd[be[MMDE.LOCAL]]] [be_pam_handler_callback] (0x0100): Sending result [4][MMDE.LOCAL]
(Fri Jul 29 14:12:00 2016) [sssd[be[MMDE.LOCAL]]] [be_pam_handler_callback] (0x0100): Sent result [4][MMDE.LOCAL]
Could you change ad_gpo_access_control back to enforcing (the default) and provide the domain log file together with the *_child.log files?
LS
Hello,
sorry for the late response. I was out of office.
I changed back to enforcing and attached the logs.
Best regards Frank
-----Original Message----- From: Lukas Slebodnik [mailto:lslebodn@redhat.com] Sent: Friday, 29 July 2016 15:45 To: End-user discussions about the System Security Services Daemon Subject: [SSSD-users] Re: sssd System error
On (03/08/16 08:05), Schiller Frank wrote:
Hello,
sorry for the late repsonse. I was out of office.
I changed back to enforcing and attached the logs.
Thank you very much for the provided log file. SSSD was not able to store GPO files because it was not able to create the directory.
[[sssd[gpo_child[2704]]]] [prepare_gpo_cache] (0x4000): smb_path_with_suffix: /mmde.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
[[sssd[gpo_child[2704]]]] [prepare_gpo_cache] (0x0400): Storing GPOs in /var/lib/sss/gpo_cache/mmde.local
[[sssd[gpo_child[2704]]]] [prepare_gpo_cache] (0x0020): mkdir(/var/lib/sss/gpo_cache/mmde.local) failed: 2
[[sssd[gpo_child[2704]]]] [gpo_cache_store_file] (0x0020): prepare_gpo_cache failed [2][No such file or directory]
Does the directory /var/lib/sss/gpo_cache/ exist?
This directory is created on Fedora as part of installing the sssd packages.
LS
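The check Lukas asks for, scripted as an added example (not code from the thread or from SSSD): gpo_child stores policy files under <cache root>/<domain>/ and creates only that last component, so when the cache root itself is missing the mkdir fails with errno 2 (ENOENT), GPO-based access control fails, and the login ends in the "System error" seen in auth.log. The cache root and domain are parameters so the check can be exercised on a scratch directory; the default path is the one from the log above, and the function names and the example.local domain are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from SSSD): verify the GPO cache root
# that gpo_child needs before it can create <root>/<domain>. The default is the
# path from the gpo_child log quoted above; everything else is a parameter.

GPO_CACHE_DEFAULT=/var/lib/sss/gpo_cache

# gpo_cache_check [cache_root] [domain]: exit 0 when cache_root is a directory
# and the domain subdirectory exists or can be created under it by the calling
# user; print the reason and exit 1 otherwise. Owner and mode are shown for review.
gpo_cache_check() {
    root=${1:-$GPO_CACHE_DEFAULT}
    domain=$2
    if [ ! -d "$root" ]; then
        echo "FAIL: $root does not exist; gpo_child's mkdir($root/<domain>) will fail with errno 2"
        return 1
    fi
    ls -ld "$root"
    if [ -n "$domain" ]; then
        if [ -d "$root/$domain" ]; then
            echo "OK: $root/$domain already exists"
        elif [ -w "$root" ]; then
            echo "OK: $root/$domain can be created by $(id -un)"
        else
            echo "FAIL: $root exists but $(id -un) cannot create $root/$domain"
            return 1
        fi
    fi
    return 0
}

# gpo_cache_create cache_root [owner]: create the cache root (what Frank did
# by hand); the optional owner argument is passed to chown, e.g. sssd:sssd as
# in the thread. Needs root for the real path.
gpo_cache_create() {
    mkdir -p "$1" || return 1
    if [ -n "$2" ]; then
        chown "$2" "$1" || return 1
    fi
    echo "created $1"
}

# Demonstration on a scratch directory; does not touch /var/lib/sss.
scratch=$(mktemp -d)
gpo_cache_check "$scratch/gpo_cache" example.local || echo "-> this is the ENOENT case from the thread"
gpo_cache_create "$scratch/gpo_cache"
gpo_cache_check "$scratch/gpo_cache" example.local
rm -rf "$scratch"
```

On the affected workstation, gpo_cache_check with no arguments inspects /var/lib/sss/gpo_cache itself; pass the AD domain in lower case as the second argument to also confirm the per-domain subdirectory can be created.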
Hello,
no, there were: keytabs pipes mc pubconf db
I've created the gpo_cache directory and set owner to sssd:sssd and now it works with ad_gpo_access_control = enforcing too.
Thank you very much Frank
-----Original Message----- From: Lukas Slebodnik [mailto:lslebodn@redhat.com] Sent: Wednesday, 3 August 2016 12:22 To: End-user discussions about the System Security Services Daemon Subject: [SSSD-users] Re: sssd System error
On (03/08/16 10:55), Schiller Frank wrote:
Hello,
no, there were: keytabs pipes mc pubconf db
I've created the gpo_cache directory and set owner to sssd:sssd and now it works with ad_gpo_access_control = enforcing too.
Please file a bug. It should be fixed in ubuntu/debian packaging.
BTW, on Fedora the directory is owned by the package sssd-common.
LS