Hi,
We are unable to connect one machine (CentOS 6.9) to Active Directory using SSSD. It is giving the following error whenever we attempt the join. The exact same settings are working for other servers.
# net ads join -k
Failed to join domain: failed to lookup DC info for domain X.Y.LOCAL' over rpc: NT_STATUS_CONNECTION_RESET
But testjoin shows OK.
# net ads testjoin
Join is OK
Even though join says OK, users are not able to authenticate
# net ads info
LDAP server: x.x.x.x
LDAP server name: AD-Server.x.y.local
Realm: X.Y.LOCAL
Bind Path: dc=X,dc=Y,dc=LOCAL
LDAP port: 389
Server time: Thu, 08 Jun 2017 11:18:41 EDT
KDC server: x.x.x.x
Server time offset: 0
"id" and "getent passwd <username>" return nothing.
DNS entries are correct under /etc/resolv.conf
Here is the sanitized sssd_domain.log file (log level 5):
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_res_get_opts] (0x0100): Lookup order: ipv4_first
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sysdb_domain_init_internal] (0x0200): DB File for x.y.local: /var/lib/sss/db/cache_x.y.local.ldb
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_x.y.local,1)
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\]+)\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\]+)$))].
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_get_common_options] (0x0100): Setting ad_hostname to [hostname].
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_get_common_options] (0x0100): Setting domain option case_sensitive to [false]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [_ad_servers_init] (0x0100): Added failover server AD-Server.x.y.local
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_dyndns_init] (0x0100): Dynamic DNS updates are on. Checking for nsupdate..
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_nsupdate_timer_schedule] (0x0200): Scheduling timer in 86400 seconds
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_set_sdap_options] (0x0100): Option krb5_realm set to X.Y.LOCAL
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Will look for hostname@X.Y.LOCAL in default keytab
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): Selected primary: HOSTNAME$
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): Selected realm: X.Y.LOCAL
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to HOSTNAME$
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to X.Y.LOCAL
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_set_search_bases] (0x0100): Search base not set. SSSD will attempt to discover it later, when connecting to the LDAP server.
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [common_parse_search_base] (0x0100): Search base added: [USER][dc=x,dc=y,dc=local][SUBTREE][]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [common_parse_search_base] (0x0100): Search base added: [GROUP][ou=Groups,ou=aaaa,ou=bbbb,ou=Company,dc=x,dc=y,dc=local][SUBTREE][]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_idmap_init] (0x0100): Initializing [5] domains for ID-mapping
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_machine_account_password_renewal_init] (0x0100): The helper program [/usr/sbin/adcli] for renewal doesn't exist [2]: No such file or directory
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_get_auth_options] (0x0100): Option krb5_server set to AD-Server.x.y.local
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_get_auth_options] (0x0100): Option krb5_realm set to X.Y.LOCAL
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_get_auth_options] (0x0100): Option krb5_use_kdcinfo set to true
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [check_and_export_lifetime] (0x0200): No lifetime configured.
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [check_and_export_lifetime] (0x0200): No lifetime configured.
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [check_and_export_options] (0x0100): No kpasswd server explicitly configured, using the KDC or defaults.
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [check_and_export_options] (0x0100): ccache is of type FILE
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [parse_krb5_map_user] (0x0200): Warning: krb5_map_user is empty!
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ad].
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][ou=Global Groups,ou=Groups,ou=aaaa,ou=bbbb,ou=Company,dc=x,dc=y,dc=local][SUBTREE][]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ad].
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ad].
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_process_init] (0x0020): No selinux module provided for [x.y.local] !!
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ad].
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_process_init] (0x0020): No host info module provided for [x.y.local] !!
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [load_backend_module] (0x0200): no module name found in confdb, using [ad].
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sss_write_krb5_localauth_snippet] (0x0200): File for localauth plugin configuration is [/var/lib/sss/pubconf/krb5.include.d/localauth_plugin]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [x.y.local] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_x_y_local]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_set_sdap_options] (0x0100): Option krb5_realm set to X.Y.LOCAL
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Will look for hostname@X.Y.LOCAL in default keytab
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): Selected primary: HOSTNAME$
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): Selected realm: X.Y.LOCAL
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to HOSTNAME$
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to X.Y.LOCAL
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_failover_init] (0x0100): No primary servers defined, using service discovery
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [_ad_servers_init] (0x0100): Added service discovery for AD
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_set_srv_lookup_plugin] (0x0080): SRV lookup plugin is already set
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_fo_set_srv_lookup_plugin] (0x0080): Unable to set SRV lookup plugin, another plugin may be already in place
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [dp_option_inherit] (0x0100): Option ldap_purge_cache_timeout is not set up to be inherited
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [dp_option_inherit] (0x0100): Option ldap_use_tokengroups is not set up to be inherited
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_set_sdap_options] (0x0100): Option krb5_realm set to X.Y.LOCAL
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Will look for hostname@X.Y.LOCAL in default keytab
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): Selected primary: HOSTNAME$
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): Selected realm: X.Y.LOCAL
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to HOSTNAME$
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to X.Y.LOCAL
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_failover_init] (0x0100): No primary servers defined, using service discovery
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [_ad_servers_init] (0x0100): Added service discovery for AD
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_set_srv_lookup_plugin] (0x0080): SRV lookup plugin is already set
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_fo_set_srv_lookup_plugin] (0x0080): Unable to set SRV lookup plugin, another plugin may be already in place
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [dp_option_inherit] (0x0100): Option ldap_purge_cache_timeout is not set up to be inherited
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [dp_option_inherit] (0x0100): Option ldap_use_tokengroups is not set up to be inherited
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_set_sdap_options] (0x0100): Option krb5_realm set to X.Y.LOCAL
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Will look for hostname@X.Y.LOCAL in default keytab
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): Selected primary: HOSTNAME$
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): Selected realm: X.Y.LOCAL
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to HOSTNAME$
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to X.Y.LOCAL
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_failover_init] (0x0100): No primary servers defined, using service discovery
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [_ad_servers_init] (0x0100): Added service discovery for AD
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_set_srv_lookup_plugin] (0x0080): SRV lookup plugin is already set
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_fo_set_srv_lookup_plugin] (0x0080): Unable to set SRV lookup plugin, another plugin may be already in place
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [dp_option_inherit] (0x0100): Option ldap_purge_cache_timeout is not set up to be inherited
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [dp_option_inherit] (0x0100): Option ldap_use_tokengroups is not set up to be inherited
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_set_sdap_options] (0x0100): Option krb5_realm set to X.Y.LOCAL
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Will look for hostname@X.Y.LOCAL in default keytab
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): Selected primary: HOSTNAME$
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [select_principal_from_keytab] (0x0200): Selected realm: X.Y.LOCAL
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to HOSTNAME$
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to X.Y.LOCAL
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_failover_init] (0x0100): No primary servers defined, using service discovery
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [_ad_servers_init] (0x0100): Added service discovery for AD
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_set_srv_lookup_plugin] (0x0080): SRV lookup plugin is already set
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_fo_set_srv_lookup_plugin] (0x0080): Unable to set SRV lookup plugin, another plugin may be already in place
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [dp_option_inherit] (0x0100): Option ldap_purge_cache_timeout is not set up to be inherited
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [dp_option_inherit] (0x0100): Option ldap_use_tokengroups is not set up to be inherited
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [become_user] (0x0200): Trying to become user [0][0].
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [become_user] (0x0200): Already user [0].
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0xbe6280.
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sbus_server_init_new_connection] (0x0200): Got a connection
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0xbe6b30]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0xbe8800.
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sbus_server_init_new_connection] (0x0200): Got a connection
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0xbe97f0]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [client_registration] (0x0100): Cancel DP ID timeout [0xbe6b30]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [client_registration] (0x0100): Added Frontend client [PAM]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'AD-Server.x.y.local' in files
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [set_server_common_status] (0x0100): Marking server 'AD-Server.x.y.local' as 'resolving name'
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'AD-Server.x.y.local' in files
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'AD-Server.x.y.local' in DNS
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [set_server_common_status] (0x0100): Marking server 'AD-Server.x.y.local' as 'name resolved'
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_resolve_server_process] (0x0200): Found address for server AD-Server.x.y.local: [x.x.x.x] TTL 3600
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed uri 'ldap://AD-Server.x.y.local'
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_resolve_callback] (0x0100): Constructed GC uri 'ldap://AD-Server.x.y.local'
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sbus_server_init_new_connection] (0x0200): Entering.
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0xbec7b0.
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sbus_server_init_new_connection] (0x0200): Got a connection
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0xbee680]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [get_naming_context] (0x0200): Using value from [defaultNamingContext] as naming context.
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_search_base] (0x0100): Setting option [ldap_search_base] to [DC=x,DC=y,DC=local].
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][DC=x,DC=y,DC=local][SUBTREE][]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_search_base] (0x0100): Setting option [ldap_netgroup_search_base] to [DC=x,DC=y,DC=local].
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][DC=x,DC=y,DC=local][SUBTREE][]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_search_base] (0x0100): Setting option [ldap_service_search_base] to [DC=x,DC=y,DC=local].
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][DC=x,DC=y,DC=local][SUBTREE][]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_search_base] (0x0100): Setting option [ldap_autofs_search_base] to [DC=x,DC=y,DC=local].
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][DC=x,DC=y,DC=local][SUBTREE][]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_resolve_server_process] (0x0200): Found address for server AD-Server.x.y.local: [x.x.x.x] TTL 3600
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [client_registration] (0x0100): Cancel DP ID timeout [0xbee680]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [client_registration] (0x0100): Added Frontend client [SUDO]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [child_sig_handler] (0x0100): child [14490] finished successfully.
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [13]: Permission denied
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'AD-Server.x.y.local' as 'not working'
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_subdomains_get_conn_done] (0x0080): No AD server is available, cannot get the subdomain list while offline
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_ptask_enable] (0x0080): Task [Check if online (periodic)]: already enabled
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_subdomains_get_conn_done] (0x0080): No AD server is available, cannot get the subdomain list while offline
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [client_registration] (0x0100): Cancel DP ID timeout [0xbe97f0]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [client_registration] (0x0100): Added Frontend client [NSS]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.X.Y.LOCAL], [2][No such file or directory]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kdcinfo.X.Y.LOCAL], [2][No such file or directory]
(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.X.Y.LOCAL], [2][No such file or directory]
(Thu Jun 8 10:40:00 2017) [sssd[be[x.y.local]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Thu Jun 8 10:40:01 2017) [sssd[be[x.y.local]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Thu Jun 8 10:40:01 2017) [sssd[be[x.y.local]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Thu Jun 8 10:40:01 2017) [sssd[be[x.y.local]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kdcinfo.X.Y.LOCAL], [2][No such file or directory]
(Thu Jun 8 10:40:01 2017) [sssd[be[x.y.local]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.X.Y.LOCAL], [2][No such file or directory]
Capture taken when net ads join fails: .66 is the AD server and .109 is the CentOS machine.
Sanitized contents of sssd.conf, krb5.conf and smb.conf
sssd.conf:

[sssd]
domains = X.Y.LOCAL
services = nss, pam, sudo
config_file_version = 2
debug_level = 5

[nss]

[pam]
debug_level=5

[sudo]
debug_level=0

[domain/x.y.local]
debug_level=5
ad_server = AD-Server.x.y.local
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
ldap_use_tokengroups = False
krb5_realm = X.Y.LOCAL
ldap_uri = ldap://AD-Server.x.y.local
ldap_sudo_search_base
ldap_user_search_base
ldap_group_search_base
ldap_access_order = filter, expire
ad_access_filter =
cache_credentials = true
override_homedir = /home/%d/%u
default_shell = /bin/bash
krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = X.Y.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes

[realms]
X.Y.LOCAL = {
kdc = AD-Server.x.y.local:88
admin_server = AD-Server.x.y.local:749
}

[domain_realm]
.x.y.local = X.Y.LOCAL
x.y.local = X.Y.LOCAL
smb.conf:

[global]
workgroup = X
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = X.Y.LOCAL
security = ads
log file = /var/log/samba/log.%m
max log size = 50
min protocol = SMB2
Thanks,
~ abhi
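The failure sequence buried in the log above (no TGT, then the LDAP connection fails, then the server is marked down and the backend goes offline) is hard to see when the debug entries are pasted onto one line. As an added example that is not part of the original post, here is a small Python triage script that splits a sssd_<domain>.log excerpt into entries, even when they are run together, and reports the first occurrence of each failure signature in log order. The six sample entries are copied from the sanitized log in the post; the signature table, the severity threshold and the diagnosis wording are my own, not SSSD's.

```python
import re
from dataclasses import dataclass
from typing import List

# One SSSD debug entry: (timestamp) [sssd[process]] [function] (0xLEVEL): message
# Pasted logs often have entries run together on one line, so the message is
# terminated by a lookahead for the next timestamp or by end of input.
_TS = r"\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}"
ENTRY_RE = re.compile(
    r"\((?P<ts>" + _TS + r")\)\s+"
    r"\[sssd\[(?P<proc>.*?)\]\]\s+"
    r"\[(?P<func>[^\]]+)\]\s+"
    r"\((?P<level>0x[0-9a-fA-F]+)\):\s*"
    r"(?P<msg>.*?)(?=\s+\(" + _TS + r"\)|\s*$)",
    re.DOTALL,
)


@dataclass
class Entry:
    ts: str
    proc: str
    func: str
    level: int
    msg: str


def parse_sssd_log(text: str) -> List[Entry]:
    """Split a log excerpt into entries, whether newline-separated or run together."""
    return [
        Entry(m["ts"], m["proc"], m["func"], int(m["level"], 16), m["msg"].strip())
        for m in ENTRY_RE.finditer(text)
    ]


# Failure signatures in the order the AD backend emits them when the GSSAPI
# bind to the DC fails: no TGT -> no connection -> port down -> no servers -> offline.
SIGNATURES = [
    ("tgt", re.compile(r"Could not get TGT")),
    ("connect", re.compile(r"Unable to establish connection")),
    ("port_down", re.compile(r"Marking port \d+ of server '.*' as 'not working'")),
    ("no_servers", re.compile(r"No available servers for service")),
    ("offline", re.compile(r"Failed to connect, going offline")),
]


@dataclass
class Finding:
    key: str
    entry: Entry


def find_failure_chain(entries: List[Entry]) -> List[Finding]:
    """First occurrence of each known signature, in the order they appear."""
    seen, chain = set(), []
    for e in entries:
        for key, rx in SIGNATURES:
            if key not in seen and rx.search(e.msg):
                seen.add(key)
                chain.append(Finding(key, e))
    return chain


def severe(entries: List[Entry], threshold: int = 0x0040) -> List[Entry]:
    """Entries at or below a debug-level bit (lower bits are more serious in SSSD)."""
    return [e for e in entries if e.level <= threshold]


def diagnose(entries: List[Entry]) -> str:
    """Point at the earliest link in the chain, which is where to look first."""
    keys = [f.key for f in find_failure_chain(entries)]
    if "tgt" in keys:
        return ("Kerberos: SSSD could not get a TGT with the host keytab, so the GSSAPI "
                "bind never happened. Check ldap_child.log and /etc/krb5.keytab "
                "(principal and kvno) before looking at LDAP.")
    if "connect" in keys:
        return "LDAP: the DC resolved but the connection/bind failed; check the error code."
    if keys:
        return "Failover: no usable AD server; check DNS/SRV records and reachability."
    return "No known failure signature found."


# Constructed sample: six entries excerpted from the sanitized log in the post,
# deliberately run together on one line (and one newline) as pasted.
SAMPLE_LOG = (
    "(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [child_sig_handler] (0x0100): child [14490] finished successfully. "
    "(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address] "
    "(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [13]: Permission denied\n"
    "(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'AD-Server.x.y.local' as 'not working' "
    "(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD' "
    "(Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])"
)

if __name__ == "__main__":
    ents = parse_sssd_log(SAMPLE_LOG)
    for f in find_failure_chain(ents):
        print(f"{f.key:<10} {f.entry.func}: {f.entry.msg}")
    print(diagnose(ents))
```

Run it against a real file with `parse_sssd_log(open("/var/log/sssd/sssd_x.y.local.log").read())`; the chain order is what matters, since "Permission denied" from sdap_cli_connect_recv is a consequence of the missing TGT, not an LDAP ACL problem.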
On Thu, Jun 08, 2017 at 12:05:55PM -0400, Abhijit Tikekar wrote:
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_res_get_opts] (0x0100): Lookup order: ipv4_first
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sysdb_domain_init_internal] (0x0200): DB File for x.y.local: /var/lib/sss/db/cache_x.y.local.ldb
> ...
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0xbec7b0.
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sbus_server_init_new_connection] (0x0200): Got a connection
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0xbee680]
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [get_naming_context] (0x0200): Using value from [defaultNamingContext] as naming context.
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_search_base] (0x0100): Setting option [ldap_search_base] to [DC=x,DC=y,DC=local].
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][DC=x,DC=y,DC=local][SUBTREE][]
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_search_base] (0x0100): Setting option [ldap_netgroup_search_base] to [DC=x,DC=y,DC=local].
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][DC=x,DC=y,DC=local][SUBTREE][]
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_search_base] (0x0100): Setting option [ldap_service_search_base] to [DC=x,DC=y,DC=local].
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][DC=x,DC=y,DC=local][SUBTREE][]
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_search_base] (0x0100): Setting option [ldap_autofs_search_base] to [DC=x,DC=y,DC=local].
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][DC=x,DC=y,DC=local][SUBTREE][]
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_resolve_server_process] (0x0200): Found address for server AD-Server.x.y.local: [x.x.x.x] TTL 3600
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [client_registration] (0x0100): Cancel DP ID timeout [0xbee680]
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [client_registration] (0x0100): Added Frontend client [SUDO]
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [child_sig_handler] (0x0100): child [14490] finished successfully.
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
Please check the ldap_child.log file. SSSD is not able to get a Kerberos ticket with the help of the system keytab /etc/krb5.keytab.
bye, Sumit
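Sumit's pointer is to the keytab step: the log shows SSSD looking for hostname@X.Y.LOCAL in the default keytab, settling on HOSTNAME$, and then ldap_child failing to get a TGT with it. As an added example (not Sumit's and not the SSSD project's code), this Python script parses `klist -ke` output, reproduces the candidate-principal order SSSD tries when ldap_sasl_authid is unset (as I read it from sssd-ldap(5): hostname@REALM, netbiosname$@REALM, host/hostname@REALM, *$@REALM, host/*@REALM, host/*), and then tries `kinit -k -t` with the selected principal into a throwaway credential cache, which is the check ldap_child performs. The klist sample is constructed; the netbios_name derivation (upper-cased short hostname, at most 15 characters, plus "$") and the realm placeholder in the main block are assumptions.

```python
import fnmatch
import re
import subprocess
import tempfile
from typing import List, NamedTuple, Optional, Set, Tuple


class KeytabEntry(NamedTuple):
    kvno: int
    principal: str
    enctype: str


# One data row of `klist -ke`, e.g. "   3 HOSTNAME$@X.Y.LOCAL (aes256-cts-hmac-sha1-96)".
# The "Keytab name:", "KVNO Principal" and "----" rows do not start with a number.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\(([^)]+)\))?\s*$")


def parse_klist_ke(text: str) -> List[KeytabEntry]:
    """Parse `klist -ke [-t keytab]` output into (kvno, principal, enctype) rows."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3) or ""))
    return entries


def netbios_name(hostname: str) -> str:
    """Assumption: machine account = upper-cased short hostname, max 15 chars, plus '$'."""
    return hostname.split(".")[0].upper()[:15] + "$"


def candidate_principals(hostname: str, realm: str) -> List[str]:
    """Patterns SSSD tries in order when ldap_sasl_authid is not set
    (order as I read it from sssd-ldap(5)); '*' is a glob wildcard."""
    return [
        f"{hostname}@{realm}",
        f"{netbios_name(hostname)}@{realm}",
        f"host/{hostname}@{realm}",
        f"*$@{realm}",
        f"host/*@{realm}",
        "host/*",
    ]


def select_principal(entries: List[KeytabEntry], hostname: str, realm: str) -> Optional[str]:
    """Mirror select_principal_from_keytab: first keytab principal matching the
    first candidate pattern that matches anything, or None if nothing is usable."""
    names = [e.principal for e in entries]
    for pattern in candidate_principals(hostname, realm):
        for name in names:
            if fnmatch.fnmatchcase(name, pattern):
                return name
    return None


def kvnos(entries: List[KeytabEntry]) -> Set[int]:
    """Distinct key version numbers; more than one is worth a second look after a re-join."""
    return {e.kvno for e in entries}


def kinit_with_keytab(principal: str, keytab: str = "/etc/krb5.keytab") -> Tuple[bool, str]:
    """Obtain a TGT from the keytab the way ldap_child does (kinit -k), into a
    throwaway ccache so the caller's own credentials are left alone."""
    with tempfile.NamedTemporaryFile(prefix="sssd-check-", suffix=".cc") as cc:
        r = subprocess.run(
            ["kinit", "-c", f"FILE:{cc.name}", "-k", "-t", keytab, principal],
            capture_output=True, text=True,
        )
    return r.returncode == 0, (r.stderr or r.stdout).strip()


# Constructed sample of `klist -ke` output matching what the thread's log
# implies: HOSTNAME$ is present, there is no plain hostname@REALM entry.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HOSTNAME$@X.Y.LOCAL (aes256-cts-hmac-sha1-96)
   3 HOSTNAME$@X.Y.LOCAL (arcfour-hmac)
   3 host/hostname.x.y.local@X.Y.LOCAL (aes256-cts-hmac-sha1-96)
"""

if __name__ == "__main__":
    import socket
    out = subprocess.run(["klist", "-ke"], capture_output=True, text=True).stdout
    entries = parse_klist_ke(out)
    hostname, realm = socket.getfqdn(), "X.Y.LOCAL"  # realm is a placeholder; set yours
    chosen = select_principal(entries, hostname, realm)
    print("keytab kvnos:", sorted(kvnos(entries)))
    if chosen is None:
        print(f"no usable principal for {hostname} in keytab; SSSD fails at the same point")
    else:
        ok, msg = kinit_with_keytab(chosen)
        print(f"kinit -k as {chosen} -> {'OK' if ok else 'FAILED: ' + msg}")
```

Run as root (the keytab is normally mode 0600). If kinit with the selected principal fails here, the failure is in Kerberos, not SSSD, and ldap_child.log will carry the same library error; if it succeeds, compare the principal it picked with the ldap_sasl_authid line in the SSSD log.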
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org