I've got SSSD working locally via AD for Unix account authentication; however, we are joining a new mother ship and we are not on their LAN and thus don't have access to their AD network.
They set up an LDAPS configuration and while I can query it via ldapsearch, I can't get sssd to find anything. Neither getent nor id returns anything, but I see the requests in the sssd_domain.log. I'm sure I'm tripping up trying to refactor my AD config to work in the new LDAPS environment.
I understand my ldapsearch is doing a full-blown query list and obviously if I give it a filter for my user, for example, I get all my data (sssd doesn't need all that data but I need something).
I've spent a week banging my head and searching and trying different examples and really failing :)
So any assistance would be appreciated. I've tried searching, trial and error, and reading, and I figure I've exhausted my understanding and my attempts at copying others' configurations, and now I'm just running in circles.
Thanks in advance.
So basic data:
CentOS 7, sssd 1.16.4, LDAPS endpoint on a Windows AD domain.
sssd.conf
[domain/LDAP]
# Return debug level to 0 once working
debug_level = 9
default_domain_suffix = aads.com
enumerate = false
cache_credentials = false
id_provider = ldap
auth_provider = ldap
#access_provider = ldap
sudo_provider = ldap
chpass_provider = ldap
# timing config
entry_cache_timeout = 10
# entry_cache_nowait_timeout = 10
# entry_cache_nowait_percentage = 10
#use_fully_qualified_names = true
ldap_id_use_start_tls = true
ldap_service_port = 636
ldap_tls_reqcert = allow
ldap_force_upper_case_realm = true
ldap_uri = ldaps://aadds.com
ldap_search_base = dc=aadds,dc=com
ldap_user_object_class = posixAccount
ldap_default_bind_dn = aadds\sssd
ldap_default_authtok_type = password
ldap_default_authtok = somearbitrarycrap
ldap_tls_cacertdir = /etc/openldap/cacerts
# Unix to AD attribute mapping
ldap_schema = rfc2307bis
#ldap_schema = rfc2307
ldap_user_object_class = person
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_modify_timestamp = whenChanged
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_user_gecos = displayName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_shell = loginShell
ldap_group_name = uniqueMember
Some data has been secured.
#> ldapsearch -v -x -D AADDS\sssd -b "dc=aadds,dc=com" -H ldaps://aadds.com -W "(cn=tory blue)"
ldap_initialize( ldaps://aadds.com:636/??base )
Enter LDAP Password:
filter: (cn=tory blue)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=aadds,dc=com> with scope subtree
# filter: (cn=tory blue)
# requesting: ALL
#
# Tory Blue, AA Users, aadds.com
<bunch of data pertaining to my user deleted>
#> id tory.blue@aads.com
#> id tory.blue
#>
sssd debug:
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=tory.blue@aadds.com]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): DP Request [Account #8]: New request. Flags [0x0001].
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sss_domain_get_state] (0x1000): Domain LDAP is Active
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=aadds,dc=com]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_print_server] (0x2000): Searching SECURED:636
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(userPrincipalName=tory.blue@aadds.com)(mail=tory.blue@aadds.com))(objectclass=person)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=aadds,dc=com].
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [displayName]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [rhost]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sshPublicKey]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [mail]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 18
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_op_add] (0x2000): New operation 18 timeout 6
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x562321c0f030], connected[1], ops[0x562321d75590], ldap[0x562321bf7400]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldaps://ForestDnsZones.aadds.com/DC=ForestDnsZones,DC=aadds,DC=com
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x562321c0f030], connected[1], ops[0x562321d75590], ldap[0x562321bf7400]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldaps://DomainDnsZones.aadds.com/DC=DomainDnsZones,DC=aadds,DC=com
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x562321c0f030], connected[1], ops[0x562321d75590], ldap[0x562321bf7400]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldaps://aadds.com/CN=Configuration,DC=aadds,DC=com
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x562321c0f030], connected[1], ops[0x562321d75590], ldap[0x562321bf7400]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x562321c0f030], connected[1], ops[0x562321d75590], ldap[0x562321bf7400]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldaps://aadds.com/CN=Schema,CN=Configuration,DC=aadds,DC=com
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x562321c0f030], connected[1], ops[0x562321d75590], ldap[0x562321bf7400]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x562321c0f030], connected[1], ops[0x562321d75590], ldap[0x562321bf7400]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_op_destructor] (0x2000): Operation 18 finished
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [generic_ext_search_handler] (0x4000): Request included referrals which were ignored.
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [generic_ext_search_handler] (0x4000): Ref: ldaps://ForestDnsZones.aadds.com/DC=ForestDnsZones,DC=aadds,DC=com
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [generic_ext_search_handler] (0x4000): Ref: ldaps://DomainDnsZones.aadds.com/DC=DomainDnsZones,DC=aadds,DC=com
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [generic_ext_search_handler] (0x4000): Ref: ldaps://aadds.com/CN=Configuration,DC=aadds,DC=com
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [generic_ext_search_handler] (0x4000): Ref: ldaps://aadds.com/CN=Schema,CN=Configuration,DC=aadds,DC=com
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_search_user_process] (0x2000): Retrieved total 0 users
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x562321d71d00
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x562321d71dd0
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Running timer event 0x562321d71d00 "ltdb_callback"
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Destroying timer event 0x562321d71dd0 "ltdb_timeout"
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Destroying timer event 0x562321d71d00 "ltdb_callback"
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sysdb_search_by_name] (0x0400): No such entry
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sysdb_cache_search_groups] (0x2000): Search groups with filter: (&(objectCategory=group)(ghost=tory.blue@aadds.com))
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x562321d711a0
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x562321c1c0e0
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Running timer event 0x562321d711a0 "ltdb_callback"
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Destroying timer event 0x562321c1c0e0 "ltdb_timeout"
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Destroying timer event 0x562321d711a0 "ltdb_callback"
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sysdb_cache_search_groups] (0x2000): No such entry
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_req_done] (0x0400): DP Request [Account #8]: Request handler finished [0]: Success
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [Account #8]: Receiving request data.
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #8]: Finished. Success.
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_req_reply_std] (0x1000): DP Request [Account #8]: Returning [Success]: 0,0,Success
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1:U:LDAP:name=tory.blue@aadds.com] from reply table
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): DP Request [Account #8]: Request removed.
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x562321c0f030], connected[1], ops[(nil)], ldap[0x562321bf7400]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
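The debug output above shows the exact filter sssd sends (UPN or mail match, objectclass=person, sAMAccountName present, and a non-zero uidNumber), and that the server answered it with 0 results while a plain (cn=...) ldapsearch finds the user. A useful check is to replay that logged filter against the user's own LDIF and see which clause rejects the entry. The script below is an added example for this thread, not code from sssd or from either poster: the log excerpt and LDIF are constructed to mirror the thread, and the LDIF deliberately omits uidNumber to show how a failing clause is reported; whether the real entry lacks a POSIX attribute is not established by the thread.

```python
"""Replay the LDAP filter sssd logged against a user entry and report which clause rejects it.
Added example for this thread; not part of sssd. The sample log and LDIF below are constructed."""
import re

# Constructed sample: the two decisive lines from a debug_level=9 sssd_domain.log, shaped
# like the ones in the thread (same domain, user and filter).
SAMPLE_LOG = (
    "(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): "
    "calling ldap_search_ext with [(&(|(userPrincipalName=tory.blue@aadds.com)"
    "(mail=tory.blue@aadds.com))(objectclass=person)(sAMAccountName=*)"
    "(&(uidNumber=*)(!(uidNumber=0))))][dc=aadds,dc=com].\n"
    "(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_search_user_process] (0x0400): "
    "Search for users, returned 0 results.\n"
)

# Constructed sample LDIF for the user (values hypothetical); uidNumber is deliberately
# absent so the report has something to point at.
SAMPLE_LDIF = """\
dn: CN=Tory Blue,OU=AA Users,DC=aadds,DC=com
objectClass: person
objectClass: user
cn: Tory Blue
sAMAccountName: tory.blue
userPrincipalName: tory.blue@aadds.com
mail: tory.blue@aadds.com
"""

SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.*)\]\[(?P<base>[^\]]*)\]")
RESULT_RE = re.compile(r"Search for users, returned (?P<n>\d+) results")


def parse_log(text):
    """Pull the filter, search base and server-side result count out of sssd debug output."""
    search, result = SEARCH_RE.search(text), RESULT_RE.search(text)
    if not search:
        raise ValueError("no ldap_search_ext line found; is debug_level high enough?")
    count = int(result.group("n")) if result else None
    return search.group("filter"), search.group("base"), count


def parse_filter(s, i=0):
    """Recursive-descent parser for the RFC 4515 subset sssd emits: &, |, !, equality, presence.
    Returns (node, index_after_node); nodes are ('&'|'|', [kids]), ('!', kid) or ('=', attr, value)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d in %r" % (i, s))
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1          # skip the closing ')'
    if s[i] == "!":
        kid, i = parse_filter(s, i + 1)
        return ("!", kid), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.strip(), value.strip()), end + 1


def parse_ldif(text):
    """Minimal LDIF reader: 'attr: value' lines into {attr_lowercase: [values]} (no base64, no folding)."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def matches(node, entry):
    """Evaluate a parsed filter against an entry; names and values compare case-insensitively."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1], entry)
    values = entry.get(node[1].lower(), [])
    if node[2] == "*":                   # presence test, e.g. (uidNumber=*)
        return bool(values)
    return any(v.lower() == node[2].lower() for v in values)


def render(node):
    """Turn a parsed node back into filter syntax for readable reports."""
    if node[0] in "&|":
        return "(" + node[0] + "".join(render(k) for k in node[1]) + ")"
    if node[0] == "!":
        return "(!" + render(node[1]) + ")"
    return "(%s=%s)" % (node[1], node[2])


def failing_clauses(node, entry):
    """List the smallest sub-filters that make the whole filter false for this entry."""
    if matches(node, entry):
        return []
    if node[0] == "&":
        return [c for k in node[1] for c in failing_clauses(k, entry)]
    return [render(node)]                # a failed '|', '!' or leaf is reported whole


def diagnose(log_text, ldif_text):
    """Compare what the server returned with what the logged filter does to the given entry."""
    flt, base, count = parse_log(log_text)
    tree, _ = parse_filter(flt)
    entry = parse_ldif(ldif_text)
    return {"base": base, "server_results": count,
            "entry_matches": matches(tree, entry),
            "failing": failing_clauses(tree, entry)}
```

Feed it the real ldap_search_ext line and the user's real ldapsearch output (as LDIF) and the "failing" list tells you which attribute to look for in AD before touching sssd.conf again.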
Tory, some of the directives specified seem unnecessary. For example, since you're using an ldaps URI there's no need to implement TLS directives, and since the LDAP backend is AD, many of the attribute mappings are likely unnecessary as well, unless there's something we don't understand at play. Perhaps simplify the config first.
I would try the following and test.
# ldap_id_use_start_tls = true
# ldap_service_port = 636
ldap_tls_reqcert = allow
ldap_force_upper_case_realm = true
ldap_uri = ldaps://aadds.com
ldap_search_base = dc=aadds,dc=com
# ldap_user_object_class = posixAccount
ldap_default_bind_dn = aadds\sssd
ldap_default_authtok_type = password
ldap_default_authtok = somearbitrarycrap
ldap_tls_cacertdir = /etc/openldap/cacerts
# Unix to AD attribute mapping
ldap_schema = ad
# ldap_schema = rfc2307
# ldap_user_object_class = person
# ldap_group_object_class = group
# ldap_user_home_directory = unixHomeDirectory
# ldap_user_modify_timestamp = whenChanged
# ldap_user_principal = userPrincipalName
# ldap_user_name = sAMAccountName
# ldap_user_gecos = displayName
# ldap_user_uid_number = uidNumber
# ldap_user_gid_number = gidNumber
# ldap_user_shell = loginShell
# ldap_group_name = uniqueMember
-- lawrence
On Thu, Oct 22, 2020, 2:54 AM Tory M Blue tmblue@gmail.com wrote:
On Thu, Oct 22, 2020 at 1:30 AM Lawrence Kearney hangarbait@gmail.com wrote:
Thanks Lawrence, so same results, but it definitely means I didn't need as much stuff as I had in there. I'm still able to get into the LDAP server but not getting any results.
Not sure if this error is telling, or generic/normal?
(Thu Oct 22 11:28:36 2020) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x55791e6f7000
(Thu Oct 22 11:28:36 2020) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
(Thu Oct 22 11:28:36 2020) [sssd[be[LDAP]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Thu Oct 22 11:28:36 2020) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
Also, is this saying that it's not able to find the user and thus falls back to looking for the group, or is this a sign of an issue?
(Thu Oct 22 11:28:36 2020) [sssd[be[LDAP]]] [sysdb_search_by_name] (0x0400): No such entry
(Thu Oct 22 11:28:36 2020) [sssd[be[LDAP]]] [sysdb_cache_search_groups] (0x2000): Search groups with filter: (&(objectCategory=group)(ghost=tory.blue@aadds.com))
Thanks again -Tory