Is there any way to fully disable DNS server lookup or set a different DNS server for service discovery (like the dyndns_server string, but just a dns_server string)? I tried to set all parameters in krb5.conf and sssd.conf for the server, but it still tries to do DNS lookups.
On Thu, Jun 15, 2017 at 06:39:30AM -0000, Rishat Teregulov wrote:
Is there any way to fully disable DNS server lookup
Just set the ad_server option:

ad_server, ad_backup_server (string)
    The comma-separated list of hostnames of the AD servers to which SSSD should connect in order of preference. For more information on failover and server redundancy, see the “FAILOVER” section.
    This is optional if autodiscovery is enabled. For more information on service discovery, refer to the “SERVICE DISCOVERY” section.
    Note: Trusted domains will always auto-discover servers even if the primary server is explicitly defined in the ad_server option.
or set a different DNS server for service discovery (like the dyndns_server string, but just a dns_server string)?
No, sorry, this is not possible.
I tried to set all parameters in krb5.conf and sssd.conf for the server, but it still tries to do DNS lookups.
For the joined domain or trusted domain?
Sorry, forgot to mention. Already done this. Here is my sssd.conf:

[sssd]
domains = AD.DOMAIN.EXAMPLE
config_file_version = 2
services = nss, pam, sudo

[domain/AD.DOMAIN.EXAMPLE]
ad_domain = AD.DOMAIN.EXAMPLE
krb5_realm = AD.DOMAIN.EXAMPLE
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /opt/home/%u
access_provider = simple
ad_enable_dns_sites = false
ad_server = AD.DOMAIN.EXAMPLE
krb5_server = AD.DOMAIN.EXAMPLE
simple_allow_groups = Developers @AD.DOMAIN.EXAMPLE
debug_level = 9

[sudo]
On Thu, Jun 15, 2017 at 08:03:39AM -0000, Rishat Teregulov wrote:
Sorry, forgot to mention. Already done this. Here is my sssd.conf:
Did you take a look into the logs to see which servers are being autodiscovered?
[sssd]
domains = AD.DOMAIN.EXAMPLE
config_file_version = 2
services = nss, pam, sudo

[domain/AD.DOMAIN.EXAMPLE]
ad_domain = AD.DOMAIN.EXAMPLE
krb5_realm = AD.DOMAIN.EXAMPLE
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /opt/home/%u
access_provider = simple
ad_enable_dns_sites = false
ad_server = AD.DOMAIN.EXAMPLE
krb5_server = AD.DOMAIN.EXAMPLE
simple_allow_groups = Developers @AD.DOMAIN.EXAMPLE
debug_level = 9

[sudo]

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
As I see, it resolves it just by IP. Can I post logs here?

(Thu Jun 15 08:23:12 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]] [be_resolve_server_process] (0x0200): Found address for server AD.DOMAIN.EXAMPLE: [172.16.176.122] TTL 261
On Thu, Jun 15, 2017 at 08:35:59AM -0000, Rishat Teregulov wrote:
All logs are too big: https://contattafiles.s3-us-west-1.amazonaws.com/tnt3511/wqtpj4q4fAwIX3p/sss...
I see:

(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]] [child_sig_handler] (0x1000): Waiting for child [18783].
(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]] [child_sig_handler] (0x0100): child [18783] finished successfully.
(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called from: ../src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv: 2039
On older distributions, it used to help to set rdns=false in krb5.conf and SASL_NOCANON on in ldap.conf. But it might be helpful to run kinit -kt && ldapsearch -Y GSSAPI with KRB5_TRACE=/dev/stderr to check for more diagnostic messages.
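The failure chain Jakub picked out of the backend log (GSSAPI bind error, then the failover code marking the port as not working) can be pulled out mechanically. This is an added example, not code from the thread or from SSSD; the log lines are constructed to mirror the ones posted above.

```python
"""Added example (not from the thread): parse SSSD backend debug lines of the
form shown above and flag the GSSAPI bind failure that precedes
PORT_NOT_WORKING. SAMPLE_LOG is constructed to mirror the posted lines."""
import re

SAMPLE_LOG = """\
(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]] [child_sig_handler] (0x0100): child [18783] finished successfully.
(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called from: ../src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv: 2039
"""

# One backend line: (timestamp) [sssd[be[DOMAIN]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$"
)

def parse_sssd_log(text):
    """Return a list of dicts (ts, domain, func, level, msg), skipping lines
    that do not match the backend debug format."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def triage(entries):
    """Diagnose the bind: the GSSAPI minor-code text (the parenthesised
    reason at the end of the ad_sasl_log message) and whether failover
    then marked the server port PORT_NOT_WORKING."""
    gss_minor, port_down = None, False
    for e in entries:
        if e["func"] == "ad_sasl_log" and "GSSAPI Error" in e["msg"]:
            m = re.search(r"\(([^()]+)\)\s*$", e["msg"])
            gss_minor = m.group(1) if m else e["msg"]
        if e["func"] == "_be_fo_set_port_status" and "PORT_NOT_WORKING" in e["msg"]:
            port_down = True
    return {"gss_minor": gss_minor, "port_not_working": port_down}

if __name__ == "__main__":
    print(triage(parse_sssd_log(SAMPLE_LOG)))
```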
Yes, I set krb5.conf to this to try not to resolve DNS queries.

[libdefaults]
default_realm = AD.DOMAIN.EXAMPLE
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
}
fcc-mit-ticketflags = true

[realms]
AD.DOMAIN.EXAMPLE = {
    default_domain = AD.DOMAIN.EXAMPLE
    kdc = AD.DOMAIN.EXAMPLE
    admin_server = AD.DOMAIN.EXAMPLE
}

[domain_realm]
.AD.DOMAIN.EXAMPLE = AD.DOMAIN.EXAMPLE
AD.DOMAIN.EXAMPLE = AD.DOMAIN.EXAMPLE

[login]
krb4_convert = true
krb4_get_tickets = false
On 06/15/2017 04:57 AM, Rishat Teregulov wrote:
Yes, I set krb5.conf to this to try not to resolve DNS queries.

[libdefaults]
default_realm = AD.DOMAIN.EXAMPLE
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
}
fcc-mit-ticketflags = true

[realms]
AD.DOMAIN.EXAMPLE = {
    default_domain = AD.DOMAIN.EXAMPLE
    kdc = AD.DOMAIN.EXAMPLE
    admin_server = AD.DOMAIN.EXAMPLE
}
I'm not sure if this output was sanitized, but the 'kdc' and 'admin_server' lines should contain a hostname of the KDC/AD server you want libkrb5 to communicate with, not only a realm name.
-Justin
[domain_realm]
.AD.DOMAIN.EXAMPLE = AD.DOMAIN.EXAMPLE
AD.DOMAIN.EXAMPLE = AD.DOMAIN.EXAMPLE

[login]
krb4_convert = true
krb4_get_tickets = false
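Justin's point above, that a [realms] kdc or admin_server value should be the hostname of a KDC and not just the realm name, is easy to check before restarting anything. This is an added example, not code from the thread or from MIT Kerberos or SSSD; the parser and the sample config are constructed here and the dc1.ad.domain.example hostname is a placeholder.

```python
"""Added example (not from the thread): lint a krb5.conf for the mistake
Justin points out, a [realms] 'kdc' or 'admin_server' value that is only the
realm name rather than a KDC hostname. SAMPLE_KRB5_CONF is constructed."""
import re

SAMPLE_KRB5_CONF = """
[libdefaults]
 dns_lookup_kdc = false
 rdns = false
 v4_name_convert = {
  host = {
   rcmd = host
  }
 }
[realms]
 AD.DOMAIN.EXAMPLE = {
  kdc = AD.DOMAIN.EXAMPLE
  admin_server = dc1.ad.domain.example
 }
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value or nested dict}}; handles
    the 'name = { ... }' subsection syntax that configparser cannot."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(\S+)\]", line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
        elif line == "}" and stack:
            stack.pop()
        elif stack:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return sections

def lint_realms(conf):
    """Report realm entries whose kdc/admin_server is just the realm name."""
    findings = []
    for realm, entry in conf.get("realms", {}).items():
        for key in ("kdc", "admin_server"):
            host = entry.get(key, "").split(":")[0]  # drop an optional :port
            if host and host.upper() == realm.upper():
                findings.append(f"[realms] {realm}: {key} = {host} is the realm name, not a KDC hostname")
    return findings
```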
On (15/06/17 10:48), Jakub Hrozek wrote:
On Thu, Jun 15, 2017 at 08:35:59AM -0000, Rishat Teregulov wrote:
All logs are too big: https://contattafiles.s3-us-west-1.amazonaws.com/tnt3511/wqtpj4q4fAwIX3p/sss...
I see:

(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]] [child_sig_handler] (0x1000): Waiting for child [18783].
(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]] [child_sig_handler] (0x0100): child [18783] finished successfully.
(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called from: ../src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv: 2039
On older distributions, it used to help to set rdns=false in krb5.conf and SASL_NOCANON on in ldap.conf. But it might be helpful to run kinit -kt && ldapsearch -Y GSSAPI with KRB5_TRACE=/dev/stderr to check for more diagnostic messages.
I am not sure whether it is possible with newer versions. Maybe the simplest way for Rishat would be to disable SASL (ldap_sasl_mech), but I am not sure whether it is possible with the AD provider.
It should be possible with id_provider ldap + auth_provider krb5
LS