Hi,
Trying to configure SSSD on a CentOS server and running into some issues. Hoping to get some guidance here...
All the install steps are successful and at the end "net ads testjoin" confirms that the join is valid. The computer object gets created in AD (Windows). But authentication attempts result in access denied, and the following is recorded in the logs (log level for the domain set to 2):
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init] (0x0020): No selinux module provided for [xyz.local] !!
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init] (0x0020): No host info module provided for [xyz.local] !!
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_dyndns_update_addrs_done] (0x0040): Can't get addresses for DNS update
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158234]: Dynamic DNS update not possible while offline
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [1432158234]: Dynamic DNS update not possible while offline
I see a couple of obvious errors here, mainly the ones for SASL: GSSAPI and "Failed to connect, going offline (5 [Input/output error])", although I'm not sure if they are all related to a common failure.
When I try to use ldapsearch directly, it gives the same SASL error:
# ldapsearch -H ldap://AD-Server.xyz.local/ -Y GSSAPI -N -b "dc=xyz,dc=local" "(&(objectClass=user)(sAMAccountName=first.last))"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
Here is sssd.conf:
[sssd]
domains = XYZ.LOCAL
services = nss, pam, sudo
config_file_version = 2
debug_level = 0

[nss]

[pam]

[sudo]
debug_level=2

[domain/xyz.local]
debug_level=2
ad_server = AD-Server.xyz.local
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
ldap_id_mapping = true
ldap_use_tokengroups = False
ldap_sasl_mech = GSSAPI
krb5_realm = XYZ.LOCAL
ldap_uri = ldap://AD-Server.xyz.local
ldap_sudo_search_base = ou=Groups,dc=xyz,dc=local
ldap_user_search_base = dc=xyz,dc=local
ldap_user_object_class = user
ldap_group_search_base = ou=Groups,dc=xyz,dc=local
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_access_filter = ...
cache_credentials = true
override_homedir = /home/%d/%u
default_shell = /bin/bash
ldap_schema = ad
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HOSTNAME$@XYZ.LOCAL

Valid starting     Expires            Service principal
04/04/17 13:58:20  04/04/17 23:58:05  krbtgt/XYZ.LOCAL@XYZ.LOCAL
	renew until 04/11/17 13:58:20
04/04/17 14:00:09  04/04/17 23:58:05  ldap/AD-server.xyz.local@XYZ.LOCAL
	renew until 04/11/17 13:58:20
# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/hostname.xyz.local@XYZ.LOCAL
   2 host/hostname.xyz.local@XYZ.LOCAL
   2 host/hostname.xyz.local@XYZ.LOCAL
   2 host/hostname.xyz.local@XYZ.LOCAL
   2 host/hostname.xyz.local@XYZ.LOCAL
   2 host/hostname@XYZ.LOCAL
   2 host/hostname@XYZ.LOCAL
   2 host/hostname@XYZ.LOCAL
   2 host/hostname@XYZ.LOCAL
   2 host/hostname@XYZ.LOCAL
   2 HOSTNAME$@XYZ.LOCAL
   2 HOSTNAME$@XYZ.LOCAL
   2 HOSTNAME$@XYZ.LOCAL
   2 HOSTNAME$@XYZ.LOCAL
   2 HOSTNAME$@XYZ.LOCAL
# net ads testjoin
Join is OK
Please let me know if I need to increase logging level to capture additional details.
Many Thanks,
~ Abhi
On (04/04/17 11:04), Abhijit Tikekar wrote:
Hi,
Trying to configure SSSD on a CentOS server and running into some issues. Hoping to get some guidance here...
All the install steps are successful and at the end "net ads testjoin" confirms that the join is valid. The computer object gets created in AD (Windows). But authentication attempts result in access denied, and the following is recorded in the logs (log level for the domain set to 2):
Try to use a higher debug_level. Maybe even the full one (9).
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init] (0x0020): No selinux module provided for [xyz.local] !!
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init] (0x0020): No host info module provided for [xyz.local] !!
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
Please look into /var/log/sssd/ldap_child.log
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_dyndns_update_addrs_done] (0x0040): Can't get addresses for DNS update
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158234]: Dynamic DNS update not possible while offline
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [1432158234]: Dynamic DNS update not possible while offline
I see a couple of obvious errors here, mainly the ones for SASL: GSSAPI and "Failed to connect, going offline (5 [Input/output error])", although I'm not sure if they are all related to a common failure.
When I try to use ldapsearch directly, it gives the same SASL error:
# ldapsearch -H ldap://AD-Server.xyz.local/ -Y GSSAPI -N -b "dc=xyz,dc=local" "(&(objectClass=user)(sAMAccountName=first.last))"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
It is a little bit suspicious that ldapsearch fails. If ldap_child.log is not useful for troubleshooting, then please try to debug with ldapsearch:
ldapsearch -d 7 ...
I am not sure whether bitmask 7 is enough for troubleshooting a SASL issue. You might try to increase it.
Here is sssd.conf:
[sssd]
domains = XYZ.LOCAL
services = nss, pam, sudo
config_file_version = 2
debug_level = 0

[nss]

[pam]

[sudo]
debug_level=2

[domain/xyz.local]
debug_level=2
ad_server = AD-Server.xyz.local
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
ldap_id_mapping = true
ldap_use_tokengroups = False
ldap_sasl_mech = GSSAPI
krb5_realm = XYZ.LOCAL
ldap_uri = ldap://AD-Server.xyz.local
ldap_sudo_search_base = ou=Groups,dc=xyz,dc=local
ldap_user_search_base = dc=xyz,dc=local
ldap_user_object_class = user
ldap_group_search_base = ou=Groups,dc=xyz,dc=local
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_access_filter = ...
Is there any reason why you configured all the ldap_* options? I think the defaults provided with id_provider = ad (e.g. ldap_schema = ad) should be fine.
cache_credentials = true
override_homedir = /home/%d/%u
default_shell = /bin/bash
ldap_schema = ad
LS
On Tue, Apr 04, 2017 at 05:15:58PM +0200, Lukas Slebodnik wrote:
On (04/04/17 11:04), Abhijit Tikekar wrote:
Hi,
Trying to configure SSSD on a CentOS server and running into some issues. Hoping to get some guidance here...
All the install steps are successful and at the end "net ads testjoin" confirms that the join is valid. The computer object gets created in AD (Windows). But authentication attempts result in access denied, and the following is recorded in the logs (log level for the domain set to 2):
Try to use a higher debug_level. Maybe even the full one (9).
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init] (0x0020): No selinux module provided for [xyz.local] !!
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init] (0x0020): No host info module provided for [xyz.local] !!
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
This is the error.
Is this CentOS 6? If yes, then setting rdns=false in krb5.conf and SASL_NOCANON in ldap.conf helped (both are the defaults on CentOS 7 already).
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
Please look into /var/log/sssd/ldap_child.log
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_dyndns_update_addrs_done] (0x0040): Can't get addresses for DNS update
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158234]: Dynamic DNS update not possible while offline
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [1432158234]: Dynamic DNS update not possible while offline
I see a couple of obvious errors here, mainly the ones for SASL: GSSAPI and "Failed to connect, going offline (5 [Input/output error])", although I'm not sure if they are all related to a common failure.
When I try to use ldapsearch directly, it gives the same SASL error:
# ldapsearch -H ldap://AD-Server.xyz.local/ -Y GSSAPI -N -b "dc=xyz,dc=local" "(&(objectClass=user)(sAMAccountName=first.last))"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
It is a little bit suspicious that ldapsearch fails. If ldap_child.log is not useful for troubleshooting, then please try to debug with ldapsearch:
ldapsearch -d 7 ...
I am not sure whether bitmask 7 is enough for troubleshooting a SASL issue. You might try to increase it.
Here is sssd.conf:
[sssd]
domains = XYZ.LOCAL
services = nss, pam, sudo
config_file_version = 2
debug_level = 0

[nss]

[pam]

[sudo]
debug_level=2

[domain/xyz.local]
debug_level=2
ad_server = AD-Server.xyz.local
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
ldap_id_mapping = true
ldap_use_tokengroups = False
ldap_sasl_mech = GSSAPI
krb5_realm = XYZ.LOCAL
ldap_uri = ldap://AD-Server.xyz.local
ldap_sudo_search_base = ou=Groups,dc=xyz,dc=local
ldap_user_search_base = dc=xyz,dc=local
ldap_user_object_class = user
ldap_group_search_base = ou=Groups,dc=xyz,dc=local
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_access_filter = ...
Is there any reason why you configured all the ldap_* options? I think the defaults provided with id_provider = ad (e.g. ldap_schema = ad) should be fine.
cache_credentials = true
override_homedir = /home/%d/%u
default_shell = /bin/bash
ldap_schema = ad
LS
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
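The two settings Jakub names both control whether the client turns the server's IP address back into a host name through a PTR lookup before building the service principal (MIT krb5 `rdns` in `[libdefaults]`, default true; OpenLDAP `SASL_NOCANON` in ldap.conf, default off). When the PTR record does not match the name the AD computer object was registered under, the client asks the KDC for `ldap/<ptr-name>` and gets exactly "Server not found in Kerberos database"; it also means whoever controls reverse DNS influences which principal the client authenticates to, which is why turning reverse canonicalisation off is the safer default. The script below is an added example written for this page, not code from the thread, SSSD or the distributions: it parses both files and reports whether each setting is off, on, or unset, and runs against constructed "before" and "after" sample files.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread, SSSD or the distributions):
# report the two reverse-DNS canonicalisation settings Jakub refers to.
#   krb5.conf  [libdefaults] rdns   (MIT krb5 default: true)
#   ldap.conf  SASL_NOCANON         (OpenLDAP default: off)
# The option names and defaults are real; the sample files at the bottom are
# constructed for the demo.

# Print the value of rdns inside [libdefaults] (empty when it is not set).
krb5_rdns_value() {
    awk '
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/ {                               # section header
            in_ld = ($0 ~ /^[ \t]*\[libdefaults\]/)
            next
        }
        in_ld && /^[ \t]*rdns[ \t]*=/ {
            sub(/^[ \t]*rdns[ \t]*=[ \t]*/, "")
            sub(/[ \t]+$/, "")
            val = tolower($0)
        }
        END { print val }
    ' "$1"
}

# Classify: "ok" (rdns off), "unset" (MIT treats unset as true), "reverse-dns" (on).
check_krb5_rdns() {
    case "$(krb5_rdns_value "$1")" in
        false|no|off|f|n|nil|0) echo "ok" ;;
        "")                     echo "unset" ;;
        *)                      echo "reverse-dns" ;;
    esac
}

# Print the SASL_NOCANON value from an OpenLDAP ldap.conf (the keyword is
# case-insensitive; empty when it is not set).
ldap_sasl_nocanon_value() {
    awk '
        /^[ \t]*#/ { next }
        toupper($1) == "SASL_NOCANON" { val = tolower($2) }
        END { print val }
    ' "$1"
}

# Classify: "ok" (no reverse lookup), "unset" (OpenLDAP default is off), "reverse-dns".
check_ldap_sasl_nocanon() {
    case "$(ldap_sasl_nocanon_value "$1")" in
        on|true|yes) echo "ok" ;;
        "")          echo "unset" ;;
        *)           echo "reverse-dns" ;;
    esac
}

# Demo on constructed files: a "before" pair with neither setting present (what a
# CentOS 6 box looks like) and an "after" pair with the values Jakub names.
demo_dir=$(mktemp -d)
printf '[libdefaults]\n default_realm = XYZ.LOCAL\n dns_lookup_kdc = true\n' > "$demo_dir/krb5.conf.before"
printf '[libdefaults]\n default_realm = XYZ.LOCAL\n dns_lookup_kdc = true\n rdns = false\n' > "$demo_dir/krb5.conf.after"
printf 'BASE dc=xyz,dc=local\nURI ldap://AD-Server.xyz.local\n' > "$demo_dir/ldap.conf.before"
printf 'BASE dc=xyz,dc=local\nURI ldap://AD-Server.xyz.local\nSASL_NOCANON on\n' > "$demo_dir/ldap.conf.after"
for f in krb5.conf.before krb5.conf.after; do
    printf '%-18s rdns: %s\n' "$f" "$(check_krb5_rdns "$demo_dir/$f")"
done
for f in ldap.conf.before ldap.conf.after; do
    printf '%-18s SASL_NOCANON: %s\n' "$f" "$(check_ldap_sasl_nocanon "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

Point the two check functions at /etc/krb5.conf and /etc/openldap/ldap.conf on the affected host; "unset" on the krb5 side means the MIT default (reverse lookup on) is in effect, which is the CentOS 6 situation Jakub describes.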
Thanks Jakub,
ldapsearch now completes successfully, but when users try to authenticate, they still get access denied. We have confirmed that the user does exist in the groups listed under the access filter, and both id and getent passwd return correct user data.
Each time a user tries to log in, we get the following in krb5_child.log (debug level 3):
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last@XYZ.LOCAL@XYZ.LOCAL] might not be correct.
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [sss_unique_file_ex] (0x0040): mkstemp("/tmp/krb5cc_1616401130_1o13tv") failed [13]: Permission denied!
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [handle_randomized] (0x0020): mkstemp("/tmp/krb5cc_1616401130_1o13tv") failed [13]: Permission denied!
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [create_ccache] (0x0020): handle_randomized failed: 13
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [map_krb5_error] (0x0020): 1301: [13][Permission denied]
Same log with Debug level set to 9:
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x0400): krb5_child started.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer] (0x1000): total buffer size: [141]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer] (0x0100): cmd [241] uid [xxxxxxxxxx] gid [yyyyyyyyyy] validate [true] enterprise principal [true] offline [false] UPN [first.last@XYZ.LOCAL]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer] (0x2000): No old ccache
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_xxxxxxxxxx_XXXXXX] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [check_use_fast] (0x0100): Not using FAST.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [become_user] (0x0200): Trying to become user [xxxxxxxxxx][yyyyyyyyyy].
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x2000): Running as [xxxxxxxxxx][yyyyyyyyyy].
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_setup] (0x2000): Running as [xxxxxxxxxx][yyyyyyyyyy].
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x0400): Will perform online auth
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [XYZ.LOCAL]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.810727: Getting initial credentials for first.last@XYZ.LOCAL@XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.810806: Sending request (225 bytes) to XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.810936: Sending initial UDP request to dgram 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811646: Received answer from dgram 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811694: Response was from master KDC
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811716: Received error from KDC: -1765328359/Additional pre-authentication required
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811748: Processing preauth types: 16, 15, 19, 2
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811763: Selected etype info: etype aes256-cts, salt "XYZ.LOCALfirst.last", params ""
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819089: AS key obtained for encrypted timestamp: aes256-cts/2DA7
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819143: Encrypted timestamp (for 1491392737.819101): plain 301AA011180F32303137303430353131343533375AA10502030C7F9D, encrypted 6DF95051B1B8FC33CB5F2CF23D4915C373FD528D0D570D3C439F38C5E17F36FDAA031546B06D47748D0996FC0BAD103BA1DEB49E84AE73A1
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819155: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819161: Produced preauth for next request: 2
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819174: Sending request (305 bytes) to XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819226: Sending initial UDP request to dgram 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820166: Received answer from dgram 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820256: Response was from master KDC
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820271: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820278: Request or response is too big for UDP; retrying with TCP
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820284: Sending request (305 bytes) to XYZ.LOCAL (tcp only)
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820311: Initiating TCP connection to stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820537: Sending TCP request to stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821449: Received answer from stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821526: Response was from master KDC
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821547: Processing preauth types: 19
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821555: Selected etype info: etype aes256-cts, salt "XYZ.LOCALfirst.last", params ""
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821561: Produced preauth for next request: (empty)
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821569: AS key determined by preauth: aes256-cts/2DA7
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821603: Decrypted AS reply; session key is: aes256-cts/2A55
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821619: FAST negotiation: unavailable
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [3559012]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [validate_tgt] (0x2000): Found keytab entry with the realm of the credential.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821678: Retrieving host/hostname.xyz.local@XYZ.LOCAL from MEMORY:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821685: Resolving unique ccache of type MEMORY
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821698: Initializing MEMORY:M2bO4Sd with default princ first.last@XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821706: Removing first.last@XYZ.LOCAL -> krbtgt/XYZ.LOCAL@XYZ.LOCAL from MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821713: Storing first.last@XYZ.LOCAL -> krbtgt/XYZ.LOCAL@XYZ.LOCAL in MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821728: Getting credentials first.last@XYZ.LOCAL -> host/hostname.xyz.local@XYZ.LOCAL using ccache MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821747: Retrieving first.last@XYZ.LOCAL -> host/hostname.xyz.local@XYZ.LOCAL from MEMORY:M2bO4Sd with result: -1765328243/Matching credential not found
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821775: Retrieving first.last@XYZ.LOCAL -> krbtgt/XYZ.LOCAL@XYZ.LOCAL from MEMORY:M2bO4Sd with result: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821784: Found cached TGT for service realm: first.last@XYZ.LOCAL -> krbtgt/XYZ.LOCAL@XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821791: Requesting tickets for host/hostname.xyz.local@XYZ.LOCAL, referrals on
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821815: Generated subkey for TGS request: aes256-cts/AB86
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821826: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821901: Sending request (1553 bytes) to XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821950: Initiating TCP connection to stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.822167: Sending TCP request to stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823154: Received answer from stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823260: Response was from master KDC
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823300: TGS reply is for first.last@XYZ.LOCAL -> host/hostname.xyz.local@XYZ.LOCAL with session key rc4-hmac/81A7
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823318: TGS request result: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823328: Received creds for desired service host/hostname.xyz.local@XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823335: Removing first.last@XYZ.LOCAL -> host/hostname.xyz.local@XYZ.LOCAL from MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823342: Storing first.last@XYZ.LOCAL -> host/hostname.xyz.local@XYZ.LOCAL in MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823366: Creating authenticator for first.last@XYZ.LOCAL -> host/hostname.xyz.local@XYZ.LOCAL, seqnum 0, subkey (null, session key rc4-hmac/81A7
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823410: Retrieving host/hostname.xyz.local@XYZ.LOCAL from MEMORY:/etc/krb5.keytab (vno 2, enctype rc4-hmac) with result: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823466: Decrypted AP-REQ with specified server principal host/hostname.xyz.local@XYZ.LOCAL: rc4-hmac/4965
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823478: AP-REQ ticket: first.last@XYZ.LOCAL -> host/hostname.xyz.local@XYZ.LOCAL, session key rc4-hmac/81A7
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823609: Negotiated enctype based on authenticator: rc4-hmac
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823625: Initializing MEMORY:rd_req2 with default princ first.last@XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823635: Removing first.last@XYZ.LOCAL -> host/hostname.xyz.local@XYZ.LOCAL from MEMORY:rd_req2
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823642: Storing first.last@XYZ.LOCAL -> host/hostname.xyz.local@XYZ.LOCAL in MEMORY:rd_req2
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823654: Destroying ccache MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [validate_tgt] (0x0400): TGT verified using key for [host/hostname.xyz.local@XYZ.LOCAL].
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823690: Retrieving first.last@XYZ.LOCAL -> host/hostname.xyz.local@XYZ.LOCAL from MEMORY:rd_req2 with result: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823733: Retrieving host/hostname.xyz.local@XYZ.LOCAL from MEMORY:/etc/krb5.keytab (vno 2, enctype rc4-hmac) with result: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last@XYZ.LOCAL@XYZ.LOCAL] might not be correct.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823772: Destroying ccache MEMORY:rd_req2
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/tmp/krb5cc_xxxxxxxxxx_XXXXXX]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal first.last@XYZ.LOCAL in cache collection]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_unique_file_ex] (0x0040): mkstemp("/tmp/krb5cc_xxxxxxxxxx_C2Mqqg") failed [13]: Permission denied!
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [handle_randomized] (0x0020): mkstemp("/tmp/krb5cc_xxxxxxxxxx_C2Mqqg") failed [13]: Permission denied!
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [create_ccache] (0x0020): handle_randomized failed: 13
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [map_krb5_error] (0x0020): 1301: [13][Permission denied]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [pack_response_packet] (0x2000): response packet size: [20]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_send_data] (0x4000): Response sent.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x0400): krb5_child completed successfully
Thanks,
~ Abhi
On Tue, Apr 4, 2017 at 11:54 AM, Jakub Hrozek jhrozek@redhat.com wrote:
On Tue, Apr 04, 2017 at 05:15:58PM +0200, Lukas Slebodnik wrote:
On (04/04/17 11:04), Abhijit Tikekar wrote:
Hi,
Trying to configure SSSD on a CentOS server and running into some issues.
Hoping to get some guidance here...
All the install steps are successful and at the end "net ads testjoin" confirms that join is valid. Computer object gets created on AD (Windows).
But authentication attempts result in access denied and, following is recorded under the logs (Log level for domain set to 2)
Try to use higher debug_level. Maybe even the full (9)
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init] (0x0020): No selinux module provided for [xyz.local] !!
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init] (0x0020): No host info module provided for [xyz.local] !!
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
This is the error.
Is this centos-6? If yes, then setting rdns=false in krb5.conf and SASL_NOCANON in ldap.conf helped (both are the defaults on centos-7 already)
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
Please look into /var/log/sssd/ldap_child.log
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_dyndns_update_addrs_done] (0x0040): Can't get addresses for DNS update
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158234]: Dynamic DNS update not possible while offline
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [1432158234]: Dynamic DNS update not possible while offline
I see a couple of obvious errors here, mainly the ones for SASL: GSSAPI and "Failed to connect, going offline (5 [Input/output error])", although not sure if they are all related to a common failure.
Although when I try to use ldapsearch directly, it gives the same SASL error.
]# ldapsearch -H ldap://AD-Server.xyz.local/ -Y GSSAPI -N -b "dc=xyz,dc=local" "(&(objectClass=user)(sAMAccountName=first.last))"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
It is a little bit suspicious that ldapsearch fails. If ldap_child.log is not useful for troubleshooting then please try to debug with ldapsearch.
ldapsearch -d 7 ...
I am not sure whether bitmask 7 is enough for troubleshooting the SASL issue. You might try to increase it.
Here is sssd.conf:
[sssd]
domains = XYZ.LOCAL
services = nss, pam, sudo
config_file_version = 2
debug_level = 0
[nss]
[pam]
[sudo]
debug_level=2
[domain/xyz.local]
debug_level=2
ad_server = AD-Server.xyz.local
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
ldap_id_mapping = true
ldap_use_tokengroups = False
ldap_sasl_mech = GSSAPI
krb5_realm = XYZ.LOCAL
ldap_uri = ldap://AD-Server.xyz.local
ldap_sudo_search_base = ou=Groups,dc=xyz,dc=local
ldap_user_search_base = dc=xyz,dc=local
ldap_user_object_class = user
ldap_group_search_base = ou=Groups,dc=xyz,dc=local
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_access_filter = ...
Is there any reason why you configured all ldap_* options? I think the defaults provided with id_provider ad (e.g. ldap_schema = ad) should be fine.
cache_credentials = true
override_homedir = /home/%d/%u
default_shell = /bin/bash
ldap_schema = ad
LS
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
On Wed, Apr 05, 2017 at 08:11:01AM -0400, Abhijit Tikekar wrote:
Thanks Jakub,
ldapsearch now completes successfully, but when users try to authenticate, they still get access denied. We have confirmed that the user does exist in the groups listed under the access filter & both id and getent passwd return correct user data.
Each time a user tries to log in, we get the following under krb5_child.log (Debug level 3)
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last@XYZ.LOCAL@XYZ.LOCAL] might not be correct.
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [sss_unique_file_ex] (0x0040): mkstemp("/tmp/krb5cc_1616401130_1o13tv") failed [13]: Permission denied!
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [handle_randomized] (0x0020): mkstemp("/tmp/krb5cc_1616401130_1o13tv") failed [13]: Permission denied!
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [create_ccache] (0x0020): handle_randomized failed: 13
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [map_krb5_error] (0x0020): 1301: [13][Permission denied]
Same log with Debug level set to 9:
*(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last@XYZ.LOCAL@XYZ.LOCAL] might not be correct.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823772: Destroying ccache MEMORY:rd_req2
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/tmp/krb5cc_xxxxxxxxxx_XXXXXX]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal first.last@XYZ.LOCAL in cache collection]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_unique_file_ex] (0x0040): mkstemp("/tmp/krb5cc_xxxxxxxxxx_C2Mqqg") failed [13]: Permission denied!
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [handle_randomized] (0x0020): mkstemp("/tmp/krb5cc_xxxxxxxxxx_C2Mqqg") failed [13]: Permission denied!
Please check your permissions of /tmp. Normally /tmp should have 1777 permissions.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [create_ccache] (0x0020): handle_randomized failed: 13
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [map_krb5_error] (0x0020): 1301: [13][Permission denied]*
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [pack_response_packet] (0x2000): response packet size: [20]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_send_data] (0x4000): Response sent.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x0400): krb5_child completed successfully
Thank you.
Fixing permissions resolved the issue.
~ Abhi
On Wed, Apr 5, 2017 at 8:27 AM, Jakub Hrozek jhrozek@redhat.com wrote:
On Wed, Apr 05, 2017 at 08:11:01AM -0400, Abhijit Tikekar wrote:
Thanks Jakub,
ldapsearch now completes successfully, but when users try to authenticate, they still get access denied. We have confirmed that the user does exist in the groups listed under the access filter, and both id and getent passwd return correct user data.
Each time a user tries to log in, we get the following under krb5_child.log (Debug level 3)
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last@XYZ.LOCAL@XYZ.LOCAL] might not be correct.
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [sss_unique_file_ex] (0x0040): mkstemp("/tmp/krb5cc_1616401130_1o13tv") failed [13]: Permission denied!
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [handle_randomized] (0x0020): mkstemp("/tmp/krb5cc_1616401130_1o13tv") failed [13]: Permission denied!
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [create_ccache] (0x0020): handle_randomized failed: 13
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [map_krb5_error] (0x0020): 1301: [13][Permission denied]
Same log with Debug level set to 9:
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x0400): krb5_child started.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer] (0x1000): total buffer size: [141]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer] (0x0100): cmd [241] uid [xxxxxxxxxx] gid [yyyyyyyyyy] validate [true] enterprise principal [true] offline [false] UPN [first.last@XYZ.LOCAL]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer] (0x2000): No old ccache
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_xxxxxxxxxx_XXXXXX] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [check_use_fast] (0x0100): Not using FAST.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [become_user] (0x0200): Trying to become user [xxxxxxxxxx][yyyyyyyyyy].
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x2000): Running as [xxxxxxxxxx][yyyyyyyyyy].
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_setup] (0x2000): Running as [xxxxxxxxxx][yyyyyyyyyy].
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x0400): Will perform online auth
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [XYZ.LOCAL]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.810727: Getting initial credentials for first.last@XYZ.LOCAL@XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.810806: Sending request (225 bytes) to XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.810936: Sending initial UDP request to dgram 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811646: Received answer from dgram 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811694: Response was from master KDC
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811716: Received error from KDC: -1765328359/Additional pre-authentication required
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811748: Processing preauth types: 16, 15, 19, 2
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811763: Selected etype info: etype aes256-cts, salt "XYZ.LOCALfirst.last", params ""
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819089: AS key obtained for encrypted timestamp: aes256-cts/2DA7
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819143: Encrypted timestamp (for 1491392737.819101): plain 301AA011180F32303137303430353131343533375AA10502030C7F9D, encrypted 6DF95051B1B8FC33CB5F2CF23D4915C373FD528D0D570D3C439F38C5E17F36FDAA031546B06D47748D0996FC0BAD103BA1DEB49E84AE73A1
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819155: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819161: Produced preauth for next request: 2
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819174: Sending request (305 bytes) to XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819226: Sending initial UDP request to dgram 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820166: Received answer from dgram 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820256: Response was from master KDC
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820271: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820278: Request or response is too big for UDP; retrying with TCP
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820284: Sending request (305 bytes) to XYZ.LOCAL (tcp only)
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820311: Initiating TCP connection to stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820537: Sending TCP request to stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821449: Received answer from stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821526: Response was from master KDC
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821547: Processing preauth types: 19
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821555: Selected etype info: etype aes256-cts, salt "XYZ.LOCALfirst.last", params ""
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821561: Produced preauth for next request: (empty)
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821569: AS key determined by preauth: aes256-cts/2DA7
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821603: Decrypted AS reply; session key is: aes256-cts/2A55
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821619: FAST negotiation: unavailable
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [3559012]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [validate_tgt] (0x2000): Found keytab entry with the realm of the credential.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821678: Retrieving host/hostname.xyz.local@XYZ.LOCAL from MEMORY:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821685: Resolving unique ccache of type MEMORY
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821698: Initializing MEMORY:M2bO4Sd with default princ first.last@XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821706: Removing first.last@XYZ.LOCAL -> krbtgt/XYZ.LOCAL@XYZ.LOCAL from MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821713: Storing first.last@XYZ.LOCAL -> krbtgt/XYZ.LOCAL@XYZ.LOCAL in MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821728: Getting credentials first.last@XYZ.LOCAL -> host/hostname.xyz.local@XYZ.LOCAL using ccache MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821747: Retrieving first.last@XYZ.LOCAL -> host/hostname.xyz.local@XYZ.LOCAL from MEMORY:M2bO4Sd with result: -1765328243/Matching credential not found
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821775: Retrieving first.last@XYZ.LOCAL -> krbtgt/XYZ.LOCAL@XYZ.LOCAL from MEMORY:M2bO4Sd with result: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821784: Found cached TGT for service realm: first.last@XYZ.LOCAL -> krbtgt/XYZ.LOCAL@XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821791: Requesting tickets for host/hostname.xyz.local@XYZ.LOCAL, referrals on
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821815: Generated subkey for TGS request: aes256-cts/AB86
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821826: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821901: Sending request (1553 bytes) to XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821950: Initiating TCP connection to stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.822167: Sending TCP request to stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823154: Received answer from stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823260: Response was from master KDC
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823300: TGS reply is for first.last@XYZ.LOCAL -> host/hostname.xyz.local@XYZ.LOCAL with session key rc4-hmac/81A7
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823318: TGS request result: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823328: Received creds for desired service host/hostname.xyz.local@XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823335: Removing first.last@XYZ.LOCAL -> host/hostname.xyz.local@XYZ.LOCAL from MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823342: Storing first.last@XYZ.LOCAL -> host/hostname.xyz.local@XYZ.LOCAL in MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823366: Creating authenticator for first.last@XYZ.LOCAL -> host/hostname.xyz.local@XYZ.LOCAL, seqnum 0, subkey (null, session key rc4-hmac/81A7
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823410: Retrieving host/hostname.xyz.local@XYZ.LOCAL from MEMORY:/etc/krb5.keytab (vno 2, enctype rc4-hmac) with result: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823466: Decrypted AP-REQ with specified server principal host/hostname.xyz.local@XYZ.LOCAL: rc4-hmac/4965
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823478: AP-REQ ticket: first.last@XYZ.LOCAL -> host/hostname.xyz.local@XYZ.LOCAL, session key rc4-hmac/81A7
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823609: Negotiated enctype based on authenticator: rc4-hmac
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823625: Initializing MEMORY:rd_req2 with default princ first.last@XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823635: Removing first.last@XYZ.LOCAL -> host/hostname.xyz.local@XYZ.LOCAL from MEMORY:rd_req2
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823642: Storing first.last@XYZ.LOCAL -> host/hostname.xyz.local@XYZ.LOCAL in MEMORY:rd_req2
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823654: Destroying ccache MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [validate_tgt] (0x0400): TGT verified using key for [host/hostname.xyz.local@XYZ.LOCAL].
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823690: Retrieving first.last@XYZ.LOCAL -> host/hostname.xyz.local@XYZ.LOCAL from MEMORY:rd_req2 with result: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823733: Retrieving host/hostname.xyz.local@XYZ.LOCAL from MEMORY:/etc/krb5.keytab (vno 2, enctype rc4-hmac) with result: 0/Success
*(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last@XYZ.LOCAL@XYZ.LOCAL] might not be correct.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823772: Destroying ccache MEMORY:rd_req2
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/tmp/krb5cc_xxxxxxxxxx_XXXXXX]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal first.last@XYZ.LOCAL in cache collection]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_unique_file_ex] (0x0040): mkstemp("/tmp/krb5cc_xxxxxxxxxx_C2Mqqg") failed [13]: Permission denied!
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [handle_randomized] (0x0020): mkstemp("/tmp/krb5cc_xxxxxxxxxx_C2Mqqg") failed [13]: Permission denied!
Please check your permissions of /tmp. Normally /tmp should have 1777 permissions.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [create_ccache] (0x0020): handle_randomized failed: 13
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [map_krb5_error] (0x0020): 1301: [13][Permission denied]*
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [pack_response_packet] (0x2000): response packet size: [20]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_send_data] (0x4000): Response sent.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x0400): krb5_child completed successfully
Thanks,
~ Abhi
On Tue, Apr 4, 2017 at 11:54 AM, Jakub Hrozek jhrozek@redhat.com wrote:
On Tue, Apr 04, 2017 at 05:15:58PM +0200, Lukas Slebodnik wrote:
On (04/04/17 11:04), Abhijit Tikekar wrote:
Hi,
Trying to configure SSSD on a CentOS server and running into some issues. Hoping to get some guidance here...
All the install steps are successful and at the end "net ads testjoin" confirms that join is valid. Computer object gets created on AD(Windows). But authentication attempts result in access denied and, following is recorded under the logs(Log level for domain set to 2)
Try to use higher debug_level. Maybe even the full (9)
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init] (0x0020): No selinux module provided for [xyz.local] !!
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init] (0x0020): No host info module provided for [xyz.local] !!
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
This is the error.
Is this centos-6? If yes, then setting rdns=false in krb5.conf and SASL_NOCANON in ldap.conf helped (both are the defaults on centos-7 already)
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
Please look into /var/log/sssd/ldap_child.log
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_dyndns_update_addrs_done] (0x0040): Can't get addresses for DNS update
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158234]: Dynamic DNS update not possible while offline
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [1432158234]: Dynamic DNS update not possible while offline
I see a couple of obvious errors here, mainly the ones for SASL: GSSAPI and "Failed to connect, going offline (5 [Input/output error])", although not sure if they are all related to a common failure.
Although when I try to use ldapsearch directly, it gives the same SASL error.
]# ldapsearch -H ldap://AD-Server.xyz.local/ -Y GSSAPI -N -b "dc=xyz,dc=local" "(&(objectClass=user)(sAMAccountName=first.last))"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
It is a little bit suspicious that ldapsearch fails. If ldap_child.log is not useful for troubleshooting then please try to debug with ldapsearch.
ldapsearch -d 7 ...
I am not sure whether bitmask 7 is enough for troubleshooting a SASL issue. You might try to increase it.
Here is sssd.conf:
[sssd]
domains = XYZ.LOCAL
services = nss, pam, sudo
config_file_version = 2
debug_level = 0
[nss]
[pam]
[sudo]
debug_level=2
[domain/xyz.local]
debug_level=2
ad_server = AD-Server.xyz.local
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
ldap_id_mapping = true
ldap_use_tokengroups = False
ldap_sasl_mech = GSSAPI
krb5_realm = XYZ.LOCAL
ldap_uri = ldap://AD-Server.xyz.local
ldap_sudo_search_base = ou=Groups,dc=xyz,dc=local
ldap_user_search_base = dc=xyz,dc=local
ldap_user_object_class = user
ldap_group_search_base = ou=Groups,dc=xyz,dc=local
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_access_filter = ...
Is there any reason why you configured all ldap_* options? I think the defaults provided with id_provider = ad (e.g. ldap_schema = ad) should be fine.
cache_credentials = true
override_homedir = /home/%d/%u
default_shell = /bin/bash
ldap_schema = ad
LS
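The root cause Jakub identified above, a /tmp without its normal 1777 mode, produces the "mkstemp(...) failed [13]: Permission denied" lines in krb5_child.log because krb5_child has already dropped to the authenticating user's uid when it creates the FILE: credential cache. The following script is an added example for checking that condition on a host; it is not from the thread and not part of SSSD. It assumes GNU coreutils stat (-c %a) and mktemp, which CentOS ships, and the function names check_ccache_dir and ccache_selftest are my own.

```shell
#!/bin/sh
# Added example (not from the sssd-users thread): verify that the directory
# SSSD's krb5_child uses for FILE: credential caches (normally /tmp) is
# usable by an unprivileged user.  krb5_child becomes the user and calls
# mkstemp() there, so the directory must be world-writable with the sticky
# bit set (mode 1777); anything else surfaces as EACCES in krb5_child.log and
# as "access denied" at the PAM prompt.
# Assumes GNU coreutils: stat -c %a and mktemp.

# check_ccache_dir DIR: prints a verdict; returns 0 if usable, 1 otherwise.
check_ccache_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    mode=$(stat -c %a "$dir")            # octal mode incl. special bits, e.g. 1777
    case "$mode" in
        1777) ;;                           # sticky + rwx for owner/group/other
        *)
            echo "$dir: mode $mode, expected 1777 (sticky, world-writable)"
            return 1
            ;;
    esac
    # Prove a per-user ccache can really be created the way krb5_child does
    # (FILE:/tmp/krb5cc_<uid>_XXXXXX); mktemp uses mkstemp() underneath.
    f=$(mktemp "$dir/krb5cc_check_XXXXXX") || { echo "$dir: mkstemp failed"; return 1; }
    rm -f "$f"
    echo "$dir: ok"
    return 0
}

# Self-test on two constructed directories so the script can run anywhere:
# one with the correct 1777 mode and one with a broken 0755 mode.
ccache_selftest() {
    base=$(mktemp -d) || return 1
    mkdir "$base/good" "$base/bad"
    chmod 1777 "$base/good"
    chmod 0755 "$base/bad"
    good=0; check_ccache_dir "$base/good" >/dev/null || good=$?
    bad=0;  check_ccache_dir "$base/bad"  >/dev/null || bad=$?
    rm -rf "$base"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

# On a real host run: check_ccache_dir /tmp
```

If the check fails, `chmod 1777 /tmp` restores the expected mode; the sticky bit matters because without it any user could remove or replace another user's krb5cc_* file in the shared directory.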