Hi!
I'm a newbie on sssd, and not fancy at ldap either.
So I'm starting with this in a small way to see where I can get it.
I've been googling quite extensively the last 3 days, and haven't found any answers.
System: Ubuntu 16.10
sssd version: 1.13.4
LDAP server: OpenDJ

sssd.conf:

~$ sudo cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss,pam
domain = HEMMA.HOME

[nss]
#Not authenticated usr from ldap
filter_users = root,lightdm,nslcd,dnsmasq,dbus,avahi,avahi-autoipd,backup,beagleindex,bin,deamon,games,gdm,gnats,haldeamon,hplip,irc,ivm,an,klog,libuuid,list,lp,mail,man,messagebus,mysql,news,ntp,polkituser,proxy,pulse,saned,sshd,sync,sys,syslog,uucp,vde2-net,www-data
filter_groups = root

[pam]

[domain/HEMMA.HOME]
autofs_provider = ldap
ldap_schema = rfc2307bis
ldap_search_base = dc=hemma,dc=home
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap:389
ldap_id_use_start_tls = False
cache_credentials = True
enumerate = True
PAM:
~$ cat /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_sss.so
session optional pam_ldap.so
session optional pam_systemd.so
session optional pam_cgfs.so -c freezer,memory,name=systemd
# end of pam-auth-update config
~$ sudo service sssd restart
Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xe" for details.

~$ sudo systemctl status sssd.service
● sssd.service - System Security Services Daemon
   Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since lör 2016-12-03 17:37:15 CET; 25s ago
  Process: 2236 ExecStart=/usr/sbin/sssd -D -f (code=exited, status=4)

dec 03 17:37:15 GX620 systemd[1]: Starting System Security Services Daemon...
dec 03 17:37:15 GX620 sssd[2236]: SSSD couldn't load the configuration database [2]: No such file or directory.
dec 03 17:37:15 GX620 systemd[1]: sssd.service: Control process exited, code=exited status=4
dec 03 17:37:15 GX620 systemd[1]: Failed to start System Security Services Daemon.
dec 03 17:37:15 GX620 systemd[1]: sssd.service: Unit entered failed state.
dec 03 17:37:15 GX620 systemd[1]: sssd.service: Failed with result 'exit-code'.
The only real problem I can see, is the: "dec 03 17:37:15 GX620 sssd[2236]: SSSD couldn't load the configuration database [2]: No such file or directory"
And I don't understand why sssd couldn't load it. I ran:
~$ sudo ldbsearch -H /var/lib/sss/db/config.ldb
server_sort:Unable to register control with rootdse!
# record 1
dn: cn=HEMMA.HOME,cn=domain,cn=config
auth_provider: ldap
autofs_provider: ldap
cache_credentials: True
chpass_provider: ldap
cn: HEMMA.HOME
enumerate: True
id_provider: ldap
ldap_id_use_start_tls: False
ldap_schema: rfc2307bis
ldap_search_base: dc=hemma,dc=home
ldap_uri: ldap://ldap:389
distinguishedName: cn=HEMMA.HOME,cn=domain,cn=config

# record 2
dn: cn=sssd,cn=config
cn: sssd
config_file_version: 2
domain: HEMMA.HOME
services: nss,pam
distinguishedName: cn=sssd,cn=config

# record 3
dn: cn=config
version: 2
lastUpdate: 1480690424
distinguishedName: cn=config

# record 4
dn: cn=nss,cn=config
cn: nss
filter_groups: root
filter_users: root
distinguishedName: cn=nss,cn=config

# record 5
dn: cn=pam,cn=config
cn: pam
distinguishedName: cn=pam,cn=config

# returned 5 records
# 5 entries
# 0 referrals

And I can't see any problems there, except the "server_sort:Unable to register control with rootdse!" which I read in posts was not supposed to be a real problem. Or...?
Anyone can help me out a bit here...?
Best regards from/Med vänliga hälsningar från
Johan Kragsterman
Capvert
On (03/12/16 19:19), Johan Kragsterman wrote:
> [domain/HEMMA.HOME]
> autofs_provider = ldap
> ldap_schema = rfc2307bis
> ldap_search_base = dc=hemma,dc=home
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_uri = ldap://ldap:389
^^^^^^^^ It does not look like correct URL.

> ldap_id_use_start_tls = False

I would recommend to configure certificate + start_tls as well otherwise authentication would not work. sssd does not want to pass plaintext password via unsecure channel.

> cache_credentials = True
> enumerate = True
> The only real problem I can see, is the: "dec 03 17:37:15 GX620 sssd[2236]: SSSD couldn't load the configuration database [2]: No such file or directory"

Does /etc/sssd/sssd.conf have correct permissions?

sh# ls -ld /etc/sssd/
drwx------. 1 root root 92 Nov 28 11:51 /etc/sssd/

sh# ls -ld /etc/sssd/sssd.conf
-rw-------. 1 root root 4992 Nov 28 11:51 /etc/sssd/sssd.conf
hmm, permission might be correct on sssd.conf
Try to follow instructions in https://fedorahosted.org/sssd/wiki/Troubleshooting
In your case, you might increase debug level in main section "[sssd]"
LS
Hi!
-----Lukas Slebodnik lslebodn@redhat.com wrote: -----
To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org
From: Lukas Slebodnik lslebodn@redhat.com
Date: 2016-12-03 18:55
Subject: [SSSD-users] Re: problems to get sssd started
> On (03/12/16 19:19), Johan Kragsterman wrote:
>
> Does /etc/sssd/sssd.conf have correct permissions?
>
> sh# ls -ld /etc/sssd/
> drwx------. 1 root root 92 Nov 28 11:51 /etc/sssd/
>
> sh# ls -ld /etc/sssd/sssd.conf
> -rw-------. 1 root root 4992 Nov 28 11:51 /etc/sssd/sssd.conf
Ahaa, should the directory ALSO belong to root? I thought only the sssd.conf should be root. So in my case, the directory sssd belongs to user sssd, and the sssd.conf file to root.
I try and change that and get back...
> hmm, permission might be correct on sssd.conf
>
> Try to follow instructions in https://fedorahosted.org/sssd/wiki/Troubleshooting
>
> In your case, you might increase debug level in main section "[sssd]"
>
> LS
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Hi!
Want to give feedback on my own initial problem to start the sssd service.
Very simple fault in the sssd.conf.
In my initial file I had this:

[sssd]
config_file_version = 2
services = nss,pam
domain = HEMMA.HOME

What caused the problem was that it should be plural instead of singular of the domain = XXX: domains = XXX. So it should be:

domains = HEMMA.HOME

instead....a simple thing, huh?

Regards
Johan
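
Added example, not part of the original messages and not SSSD's own code: a small Python pre-flight check for the three things this thread turned on (the `domain`/`domains` key in [sssd], the ldap:// URI with StartTLS switched off, and the root:root 0600 ownership shown in the reply). The function names and the `POSTED` sample string are assumptions made here; the sample is constructed from the configuration posted above.

```python
import configparser
import os
import stat

# Constructed sample: the [sssd] and [domain/...] sections as posted in the thread.
POSTED = """\
[sssd]
config_file_version = 2
services = nss,pam
domain = HEMMA.HOME

[domain/HEMMA.HOME]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap:389
ldap_id_use_start_tls = False
"""

def lint_sssd_conf(text):
    """Return findings for sssd.conf content passed as a string."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)
    if not cp.has_section("sssd"):
        return ["no [sssd] section"]
    main, out = cp["sssd"], []
    if "domain" in main:
        out.append("[sssd]: 'domain' does not enable a domain; use 'domains'")
    enabled = [d.strip() for d in main.get("domains", "").split(",") if d.strip()]
    if not enabled:
        out.append("[sssd]: 'domains' is missing or empty")
    defined = [s.split("/", 1)[1] for s in cp.sections() if s.startswith("domain/")]
    out += [f"'{d}' is enabled but has no [domain/{d}] section"
            for d in enabled if d not in defined]
    for d in defined:
        sec = cp["domain/" + d]
        plain = sec.get("ldap_uri", "").lower().startswith("ldap://")
        start_tls = sec.get("ldap_id_use_start_tls", "false").lower() == "true"
        if sec.get("auth_provider") == "ldap" and plain and not start_tls:
            out.append(f"[domain/{d}]: ldap:// with StartTLS off; reply advises cert + start_tls")
    return out

def lint_permissions(path):
    """Check the ownership and mode shown in the reply: root:root, 0600."""
    st, out = os.stat(path), []
    if st.st_uid != 0:
        out.append(f"{path}: owner uid {st.st_uid}, expected 0 (root)")
    if stat.S_IMODE(st.st_mode) != 0o600:
        out.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o}, expected 0600")
    return out

if __name__ == "__main__":
    for finding in lint_sssd_conf(POSTED):
        print(finding)
```

Run against the posted file it reports the singular `domain` key first, which is the fault Johan found; `lint_permissions("/etc/sssd/sssd.conf")` needs to run as root to read the file's metadata on a locked-down /etc/sssd.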