***Thanks in advance for taking the time to help and respond! Greatly appreciated!!!!
I've set up Active Directory on Windows Server 2012 R2 and am trying to get ssh and sudo access working from CentOS 6.6 (Final) using sssd 1.11.6. Note: NOT using Kerberos, samba, adcli, realmd, etc. Using: sssd, pam, nsswitch.
I'm also using OpenLDAP 2.4.39 and was able to get ssh and sudo working against it, so I'm familiar with the process. Now, switching the process to work with AD, I've installed the sudo.schema and rule in AD and added a user,
***but the underlying issue is that I can't seem to get users to authenticate or retrieve group information:

ldap_search_ext called, msgid = 8
Search result: No such object(32), no errmsg set
Search for users, returned 0 results.
Failed to retrieve users
---------------------------------------------------
[root@ldap users]# cat /etc/*release
CentOS release 6.6 (Final)
[root@ldap users]# sssd --version
1.11.6
I setup a user in AD with the following configuration attributes:
For the User:
cn = abrown
displayName = Angela Brown
distinguishedName = CN=abrown,OU=Users,OU=example,DC=ad,DC=example,DC=com
gidNumber = 1500
givenName = Angela
homeDirectory = /home/abrown
mail = abrown@example.com
objectCategory = CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=example,DC=com
objectClass = top, organizationalPerson, person, user
objectGUID = F8 B2 23 2D AD B7 26 48 81 29 D0 DA 3D 00 DC B5
objectSid = 01 05 00 00 00 00 00 05 15 00 00 00 F9 F2 D8 AC AE FF 7F B8 FA EA AC 43 66 06 00 00
primaryGroupID = 513 (GROUP_RID_USERS)
sAMAccountName = abrown
sAMAccountType = 805306368 (NORMAL_USER_ACCOUNT)
sn = Brown
uid = abrown
userPrincipalName = abrown@example.com
For the Group:
cn = allowedusers
distinguishedName = CN=allowedusers,OU=Groups,OU=example,DC=ad,DC=example,DC=com
gidNumber = 1500
member = CN=abrown,OU=Users,OU=example,DC=ad,DC=example,DC=com
objectCategory = CN=Group,CN=Schema,CN=Configuration,DC=ad,DC=example,DC=com
objectClass = top, group
objectGUID = 45 47 DA 79 D7 9E 5E 4B 87 17 E4 7C 71 D0 2E 1F
objectSid = 01 05 00 00 00 00 00 05 15 00 00 00 F9 F2 D8 AC AE FF 7F B8 FA EA AC 43 3D 08 00 00
sAMAccountName = allowedusers
sAMAccountType = 268435456 (GROUP_OBJECT)
------------------------------------------ THE ISSUE(S):
So, when I run the 'ls -l' command it's not displaying the name for user 2000 or group 1500. When I do this connected to OpenLDAP it displays them as abrown and allowedusers, but not against AD, as shown:

[root@ldap users]# ls -l
total 24
drwxr-xr-x. 2 2000 1500 4096 Apr  8 13:46 abrown

I had to manually add this:

mkdir abrown
chown 2000:1500 abrown

but if I run "getent passwd abrown", nothing comes back!
Running sssd: [root@ldap log]# /usr/sbin/sssd -i
.....
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [be_get_account_info] (0x0100): Got request for [4097][1][idnumber=2000]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [be_req_set_domain] (0x0400): Changing request domain from [LDAP] to [LDAP]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [ou=Users,ou=example,dc=ad,dc=example,dc=com]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uidNumber=2000)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][ou=Users,ou=example,dc=ad,dc=example,dc=com].
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [msSFU30LoginShell]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [displayName]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSid]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x1cc4a30], connected[1], ops[0x1cc4990], ldap[0x1cbda50]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x0400): Search result: No such object(32), no errmsg set
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1d80d70
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1d81850
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [ldb] (0x4000): Running timer event 0x1d80d70 "ltdb_callback"
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [ldb] (0x4000): Destroying timer event 0x1d81850 "ltdb_timeout"
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [ldb] (0x4000): Ending timer event 0x1d80d70 "ltdb_callback"
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sysdb_search_user_by_uid] (0x0400): No such entry
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x1cc4a30], connected[1], ops[(nil)], ldap[0x1cbda50]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x1cbe2b0
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
....
-------------------------------
If I take the filter from within the debug output, (&(gidNumber=1500)(objectClass=group)(name=*)(&(gidNumber=*)(!(gidNumber=0)))), and perform an ldapsearch, it pulls back the correct results:

[root@ldap ~]# ldapsearch -D "cn=adaccess,ou=adaccts,ou=example,dc=ad,dc=example,dc=com" -w 'password here' -b "DC=ad,DC=example,DC=com" -h adservername.example.com '(&(gidNumber=1500)(objectClass=group)(name=*)(&(gidNumber=*)(!(gidNumber=0))))'
# extended LDIF
#
# LDAPv3
# base <DC=ad,DC=example,DC=com> with scope subtree
# filter: (&(gidNumber=1500)(objectClass=group)(name=*)(&(gidNumber=*)(!(gidNumber=0))))
# requesting: ALL
#

# allowedusers, Groups, example, ad.example.com
dn: CN=allowedusers,OU=Groups,OU=example,DC=ad,DC=example,DC=com
objectClass: top
objectClass: group
cn: allowedusers
member: CN=abrown,OU=Users,OU=example,DC=ad,DC=example,DC=com
distinguishedName: CN=allowedusers,OU=Groups,OU=example,DC=ad,DC=example,DC=com
instanceType: 4
whenCreated: 20150408174301.0Z
whenChanged: 20150408174359.0Z
uSNCreated: 81925
uSNChanged: 81931
name: allowedusers
objectGUID:: RUfaedeeXkuHF+R8cdAuHw==
objectSid:: AQUAAAAAAAUVAAAA+fLYrK7/f7j66qxDPQgAAA==
sAMAccountName: allowedusers
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ad,DC=example,DC=com
dSCorePropagationData: 16010101000000.0Z
gidNumber: 1500

# search reference
ref: ldap://DomainDnsZones.ad.example.com/DC=DomainDnsZones,DC=ad,DC=example,DC=com

# search reference
ref: ldap://ForestDnsZones.ad.example.com/DC=ForestDnsZones,DC=ad,DC=example,DC=com

# search reference
ref: ldap://ad.example.com/CN=Configuration,DC=ad,DC=example,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
-------------------------------------- Setup of sssd.conf
[root@ldap sssd]# cat sssd.conf
[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.va.example.com
ldap_tls_cacertdir = /etc/pki/tls/certs

[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = LDAP

[nss]
filter_users = root
filter_groups = root

[pam]

[sudo]

[domain/LDAP]
access_provider = ldap
auth_provider = ldap
chpass_provider = ldap
id_provider = ldap
sudo_provider = ldap
debug_level = 9
cache_credentials = true
enumerate = false
ldap_uri = ldaps://ldapservername.example.com
ldap_default_bind_dn = CN=Manager,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = passwordhere
ldap_access_filter = ou=users,ou=example,dc=ad,dc=example,dc=com
ldap_search_base = dc=example,dc=com
ldap_schema = ad
ldap_user_principal = userPrincipalName
ldap_user_fullname = displayName
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_user_principal = userPrincipalName
ldap_user_objectsid = objectSid
ldap_group_object_class = group
ldap_group_objectsid = objectGUID
ldap_sudo_search_base = ou=sudoers,dc=ad,dc=example,dc=com
ldap_user_search_base = ou=Users,ou=example,dc=ad,dc=example,dc=com
ldap_group_search_base = ou=Groups,ou=example,dc=ad,dc=example,dc=com
ldap_tls_cacert = /etc/pki/tls/certs/certnamehere.crt
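What the debug excerpt above actually says, and how to repeat sssd's failing search by hand, as an added example (not sssd's code and not the poster's files): LDAP result 32 (noSuchObject) on a search means the base DN does not exist on the server that answered, so the filter was never evaluated; that is a different failure from result 0 with zero entries, which is what a wrong filter produces. The working ldapsearch in the post went to adservername.example.com with base DC=ad,DC=example,DC=com, while sssd.conf binds to ldapservername.example.com as CN=Manager,DC=example,DC=com and searches ou=Users,ou=example,dc=ad,dc=example,dc=com, so the two queries are not comparable. The script parses the log lines and the [domain/LDAP] options quoted in the post (both embedded here as constructed samples), explains the result code, flags the option values that contradict an AD search (a DN used as ldap_access_filter, objectGUID named as the group SID attribute, a duplicated option), and builds an ldapsearch that repeats sssd's query against the same URI, bind DN, base and filter. The option semantics behind the checks are this example's reading of sssd-ldap(5), not something the thread states.

```python
"""Triage of an sssd LDAP-backend failure from its debug log and sssd.conf.
Added example for this thread: not sssd code, not the poster's files. The log
and config samples below are constructed from the post."""
import configparser
import re

SSSD_LOG = """\
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [ou=Users,ou=example,dc=ad,dc=example,dc=com]
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uidNumber=2000)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][ou=Users,ou=example,dc=ad,dc=example,dc=com].
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x0400): Search result: No such object(32), no errmsg set
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(Wed Apr 8 15:07:43 2015) [sssd[be[LDAP]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
"""

# The [domain/LDAP] lines from the post that the checks below look at.
SSSD_CONF = """\
[domain/LDAP]
access_provider = ldap
id_provider = ldap
ldap_uri = ldaps://ldapservername.example.com
ldap_default_bind_dn = CN=Manager,DC=example,DC=com
ldap_default_authtok = passwordhere
ldap_access_filter = ou=users,ou=example,dc=ad,dc=example,dc=com
ldap_search_base = dc=example,dc=com
ldap_schema = ad
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_user_principal = userPrincipalName
ldap_user_objectsid = objectSid
ldap_group_objectsid = objectGUID
ldap_user_search_base = ou=Users,ou=example,dc=ad,dc=example,dc=com
ldap_group_search_base = ou=Groups,ou=example,dc=ad,dc=example,dc=com
"""

# RFC 4511 result codes a search hits most often; 32 is the one in the post.
RESULT_MEANING = {
    0: "success: the base exists, so zero entries means the filter matched nothing",
    32: "noSuchObject: the base DN does not exist on the server sssd bound to, so the "
        "filter was never evaluated (check ldap_uri and the *_search_base values)",
    49: "invalidCredentials: the bind DN or ldap_default_authtok was rejected",
}
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.+?)\]\[(?P<base>.+?)\]\.")
RESULT_RE = re.compile(r"Search result: (?P<text>[^(]+)\((?P<code>\d+)\)")
COUNT_RE = re.compile(r"returned (?P<n>\d+) results")


def parse_searches(log):
    """Pair every ldap_search_ext call in the log with the result that follows it."""
    searches, cur = [], None
    for line in log.splitlines():
        if m := SEARCH_RE.search(line):
            cur = {"filter": m["filter"], "base": m["base"], "code": None, "text": None, "entries": None}
            searches.append(cur)
        elif cur and (m := RESULT_RE.search(line)):
            cur["code"], cur["text"] = int(m["code"]), m["text"].strip()
        elif cur and (m := COUNT_RE.search(line)):
            cur["entries"] = int(m["n"])
    return searches


def dn_under(dn, suffix):
    """True if dn ends with suffix, comparing RDNs case-insensitively."""
    d = [p.strip().lower() for p in dn.split(",")]
    s = [p.strip().lower() for p in suffix.split(",")]
    return len(d) >= len(s) and d[-len(s):] == s


def load_domain(conf_text, domain="LDAP"):
    cp = configparser.ConfigParser(strict=False, interpolation=None)  # strict=False: tolerate duplicate keys
    cp.read_string(conf_text)
    return cp["domain/" + domain]


def check_config(conf_text, domain="LDAP"):
    """Option values that contradict an AD search, as human-readable findings."""
    sec, findings = load_domain(conf_text, domain), []
    counts, in_sec = {}, False  # configparser keeps only the last duplicate; count them in the raw text
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_sec = line == "[domain/%s]" % domain
        elif in_sec and "=" in line:
            key = line.split("=", 1)[0].strip().lower()
            counts[key] = counts.get(key, 0) + 1
    findings += ["%s is set %d times; only the last value takes effect" % (k, n) for k, n in counts.items() if n > 1]
    base = sec.get("ldap_search_base", "")
    for opt in ("ldap_user_search_base", "ldap_group_search_base"):
        if base and opt in sec and not dn_under(sec[opt], base):
            findings.append("%s=%s lies outside ldap_search_base=%s" % (opt, sec[opt], base))
    flt = sec.get("ldap_access_filter", "")
    if sec.get("access_provider") == "ldap" and flt and not flt.startswith("(") and "," in flt:
        findings.append("ldap_access_filter must be an LDAP search filter such as (memberOf=...); a bare DN "
                        "is read as an equality match on attribute '%s' and denies every login" % flt.split("=", 1)[0])
    if sec.get("ldap_schema", "").lower() == "ad":
        for opt in ("ldap_user_objectsid", "ldap_group_objectsid"):
            if sec.get(opt, "objectSid").lower() != "objectsid":
                findings.append("%s=%s: with ldap_schema = ad this must be the SID attribute (objectSid); "
                                "a GUID is not a SID" % (opt, sec[opt]))
    return findings


def reproduce_command(conf_text, search, domain="LDAP"):
    """ldapsearch argv repeating the query exactly as sssd sent it. -W prompts for the
    password so ldap_default_authtok never lands in shell history or ps output."""
    sec = load_domain(conf_text, domain)
    return ["ldapsearch", "-LLL", "-H", sec["ldap_uri"], "-D", sec["ldap_default_bind_dn"], "-W",
            "-b", search["base"], "-s", "sub", search["filter"], "dn"]


def triage(log, conf_text):
    report = []
    for s in parse_searches(log):
        meaning = RESULT_MEANING.get(s["code"], "see RFC 4511 section 4.1.9")
        report.append("base=%s result=%s (%s), %s entries: %s" % (s["base"], s["code"], s["text"], s["entries"], meaning))
    return report + check_config(conf_text)


if __name__ == "__main__":
    for line in triage(SSSD_LOG, SSSD_CONF):
        print("*", line)
    print("repeat sssd's search by hand:", " ".join(reproduce_command(SSSD_CONF, parse_searches(SSSD_LOG)[0])))
```

Run the printed ldapsearch on the CentOS box itself. If it also returns result 32, the server behind ldap_uri simply does not hold ou=Users,ou=example,dc=ad,dc=example,dc=com and the fix is in ldap_uri or the search bases, not in the attribute mappings; if it succeeds, compare the bind DN and TLS settings sssd uses with the ones on the command line.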
Hi,
I think you should follow the links given below first, and then work out which steps you have missed in your setup and correct them.
https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20...
http://www.chriscowley.me.uk/blog/2013/12/16/integrating-rhel-with-active-di...
--Regards Ashishkumar S. Yadav
As to the first article, I'll take a look again to see if I missed any of the attributes set, thanks.
As to the 2nd article, I've read it many times. The issue here is that the section "Preparing for Active Directory" is essentially now deprecated (no longer supported) by Microsoft, as mentioned in a few places:
http://blogs.technet.com/b/activedirectoryua/archive/2015/01/25/identity-man...
https://technet.microsoft.com/en-us/library/dn303411.aspx - "Subsystem for Unix-based Applications" - deprecated.
I believe I've set these values in my configuration, but haven't seen any solutions as to replacements or workarounds.
Regards,
Sterling
------ Original Message ------ From: "Ashish Yadav" gwalashish@gmail.com To: "Sterling Sahaydak" sterling.sahaydak@pi-coral.com; "End-user discussions about the System Security Services Daemon" sssd-users@lists.fedorahosted.org Sent: 4/9/2015 2:17:32 AM Subject: Re: [SSSD-users] sssd - CentOS to Active Directory - no errmsg set and returning 0 results
Hi,
I think you should follow below given link first and then start thinking what steps you have missed in your set up and correct them.
https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server http://www.chriscowley.me.uk/blog/2013/12/16/integrating-rhel-with-active-directory/
--Regards Ashishkumar S. Yadav
On Wed, 8 Apr 2015, Sterling Sahaydak wrote:
***but the underlying issue is that I can't seem to get users to authenticate or retrieve group information:
ldap_search_ext called, msgid = 8
Search result: No such object(32), no errmsg set
Search for users, returned 0 results.
Failed to retrieve users
Am I reading this right? You've got a user configured with no explicit UID, and then you're avoiding using the AD provider (with the id mapping) and just using LDAP. LDAP is going to want to know the UID of the user, but can't, because no attribute defines it.
I think you need a really good reason to avoid using the AD provider. That also means you need a really good reason to not configure kerberos. Why would you want to not use kerberos?
jh
If you take a look at the listing of the user section I posted, you'll see the second-to-last line:
... sn = Brown uid = abrown userPrincipalName = abrown@example.com
As to your 2nd statement, I'm using OpenLDAP in conjunction with AD and using OpenLDAP proxy to AD, thereby needing in sssd to have access_provider = ldap
------ Original Message ------ From: "John Hodrien" J.H.Hodrien@leeds.ac.uk To: "Sterling Sahaydak" sterling.sahaydak@pi-coral.com; "End-user discussions about the System Security Services Daemon" sssd-users@lists.fedorahosted.org Sent: 4/9/2015 4:13:00 AM Subject: Re: [SSSD-users] sssd - CentOS to Active Directory - no errmsg set and returning 0 results
On Thu, 9 Apr 2015, Sterling Sahaydak wrote:
If you take a look at the listing of the user section I posted, you'll see the second-to-last line:
... sn = Brown uid = abrown userPrincipalName = abrown@example.com
As to your 2nd statement, I'm using OpenLDAP in conjunction with AD and using OpenLDAP proxy to AD, thereby needing in sssd to have access_provider = ldap
Fair enough.
uid is not a uid, it's a username. What *UID* are you expecting SSSD to hand out without using id mapping?
jh
On Thu, 2015-04-09 at 14:45 +0100, John Hodrien wrote:
On Thu, 9 Apr 2015, Sterling Sahaydak wrote:
If you take a look at the listing of the user section I posted, you'll see the second-to-last line:
... sn = Brown uid = abrown userPrincipalName = abrown@example.com
As to your 2nd statement, I'm using OpenLDAP in conjunction with AD and using OpenLDAP proxy to AD, thereby needing in sssd to have access_provider = ldap
Fair enough.
uid is not a uid, it's a username. What *UID* are you expecting SSSD to hand out without using id mapping?
Hi John, for clarity, you are asking: what uidNumber are you expecting SSSD to resolve?
Simo.
Forgot to include in my original posting that I already have uidNumber = 2000 set on the user in AD.

Dn: CN=abrown,OU=Users,OU=example,DC=ad,DC=example,DC=com
accountExpires: 9223372036854775807 (never)
cn: abrown
codePage: 0
countryCode: 0
displayName: Angela Brown
distinguishedName: CN=abrown,OU=Users,OU=example,DC=ad,DC=example,DC=com
dSCorePropagationData: 0x0 = ( )
gidNumber: 1500
givenName: Angelica
homeDirectory: /home/abrown
instanceType: 0x4 = ( WRITE )
loginShell: /bin/bash
mail: abrown@example.com
memberOf (9): CN=allowedusers,OU=Groups,OU=example,DC=ad,DC=example,DC=com; CN=testgroup,OU=Groups,OU=example,DC=ad,DC=example,DC=com; CN=Services-All,OU=Groups,OU=example,DC=ad,DC=example,DC=com
name: abrown
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=example,DC=com
objectClass (4): top; person; organizationalPerson; user
objectGUID: 2d23b2f8-b7ad-4826-8129-d0da3d00dcb5
objectSid: S-1-5-21-2899899129-3095396270-1135405818-1638
primaryGroupID: 513 = ( GROUP_RID_USERS )
pwdLastSet: 4/2/2015 6:20:14 PM Eastern Daylight Time
sAMAccountName: abrown
sAMAccountType: 805306368 = ( NORMAL_USER_ACCOUNT )
sn: Brown
uid: abrown
uidNumber: 2000
userAccountControl: 0x200 = ( NORMAL_ACCOUNT )
userPrincipalName: abrown@example.com
uSNChanged: 81899
uSNCreated: 29756
whenChanged: 4/8/2015 1:35:06 PM Eastern Daylight Time
whenCreated: 3/18/2015 5:49:51 PM Eastern Daylight Time
------ Original Message ------ From: "Simo Sorce" simo@redhat.com To: "End-user discussions about the System Security Services Daemon" sssd-users@lists.fedorahosted.org Cc: "Sterling Sahaydak" sterling.sahaydak@pi-coral.com Sent: 4/9/2015 10:01:48 AM Subject: Re: [SSSD-users] sssd - CentOS to Active Directory - no errmsg set and returning 0 results
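John's suggestion of the AD provider with id mapping, worked through on the values in this thread, as an added example (not sssd's code and not the poster's): with ldap_id_mapping the UID and GID are derived from objectSid, so no uidNumber or gidNumber attribute has to exist in AD at all. The script decodes the two binary objectSid values quoted in the first post, and the base64 form that ldapsearch printed for allowedusers, into their S-1-5-21-... text, then computes POSIX ids the way the documented ldap_idmap_range_min / ldap_idmap_range_size defaults describe: one 200000-wide slice per domain, picked by a MurmurHash3 of the domain SID string, plus the RID. The hash seed, and leaving out sssd's handling of slice collisions and of RIDs larger than a slice, are this example's assumptions. Whatever the slice, the user and the group land 471 ids apart in the same slice, which is what the SID arithmetic guarantees.

```python
"""AD objectSid decoding and sssd-style id mapping. Added example for this
thread, not sssd's code and not the poster's. The SIDs are the objectSid
values quoted in the first post for abrown and allowedusers."""
import base64
import struct

USER_SID_HEX = "01 05 00 00 00 00 00 05 15 00 00 00 F9 F2 D8 AC AE FF 7F B8 FA EA AC 43 66 06 00 00"
GROUP_SID_HEX = "01 05 00 00 00 00 00 05 15 00 00 00 F9 F2 D8 AC AE FF 7F B8 FA EA AC 43 3D 08 00 00"
GROUP_SID_LDIF = "AQUAAAAAAAUVAAAA+fLYrK7/f7j66qxDPQgAAA=="  # objectSid:: line from the ldapsearch output

RANGE_MIN, RANGE_MAX, RANGE_SIZE = 200000, 2000200000, 200000  # ldap_idmap_range_* defaults
IDMAP_SEED = 0xDEADBEEF  # assumption: the seed sss_idmap passes to murmurhash3


def sid_from_bytes(raw):
    """Binary SID -> 'S-1-5-21-...': revision, sub-authority count, 48-bit
    big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_from_ldif(b64):
    """objectSid as ldapsearch prints it: base64 after a double colon."""
    return sid_from_bytes(base64.b64decode(b64))


def split_sid(sid):
    """'S-1-5-21-a-b-c-rid' -> ('S-1-5-21-a-b-c', rid)"""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def murmurhash3_32(data, seed):
    """MurmurHash3 x86_32 (Austin Appleby's reference algorithm)."""
    M, c1, c2 = 0xFFFFFFFF, 0xCC9E2D51, 0x1B873593
    h = seed & M
    nblocks = len(data) // 4
    for i in range(nblocks):
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & M
        k = ((k << 15) | (k >> 17)) & M
        k = (k * c2) & M
        h ^= k
        h = ((h << 13) | (h >> 19)) & M
        h = (h * 5 + 0xE6546B64) & M
    tail, k = data[4 * nblocks:], 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & M
        k = ((k << 15) | (k >> 17)) & M
        k = (k * c2) & M
        h ^= k
    h ^= len(data)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & M
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & M
    h ^= h >> 16
    return h


def idmap_slice(domain_sid):
    """Index of the RANGE_SIZE-wide slice a domain gets inside the id range."""
    n_slices = (RANGE_MAX - RANGE_MIN) // RANGE_SIZE
    return murmurhash3_32(domain_sid.encode("ascii"), IDMAP_SEED) % n_slices


def sid_to_posix_id(sid):
    """POSIX UID/GID for a SID: slice base plus the RID. No uidNumber or
    gidNumber attribute is consulted, which is the point of ldap_id_mapping."""
    domain, rid = split_sid(sid)
    if rid >= RANGE_SIZE:
        raise ValueError("RID %d does not fit in one slice; sssd allocates a secondary slice" % rid)
    return RANGE_MIN + idmap_slice(domain) * RANGE_SIZE + rid


if __name__ == "__main__":
    for label, hexsid in (("abrown", USER_SID_HEX), ("allowedusers", GROUP_SID_HEX)):
        sid = sid_from_bytes(bytes.fromhex(hexsid))
        print("%-13s %s -> mapped id %d" % (label, sid, sid_to_posix_id(sid)))
```

The decoded strings can be checked against the objectSid: S-1-5-21-2899899129-3095396270-1135405818-1638 line in the ADSI dump above; the group's RID is 2109. Mapped ids are stable across machines only while every client uses the same range settings, so keep ldap_idmap_range_min and ldap_idmap_range_size identical on all hosts that share files.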