Sorry for the delay, was doing some troubleshooting.

Here is what I know now:

The problem is on Ubuntu hosts using the older sssd version 1.11.8 (Ubuntu 14.04).

SSSD versions 1.13.4 (Ubuntu 16.04) and 1.13.3 (CentOS 6.8) both work.

Users in the admin group can't log into these hosts.

I created a newadmins group and assigned a new user to it. When I add the "User Administrator" role, the new user can't log into the hosts with older sssd.

As soon as I delete the "User Administrator" role, the new user has access again.

I've pasted the last bit of logs from a sssd_domain log below. I'd be happy to forward the entire log, or additional logs if they will be helpful.


Andy


(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 29
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_process_result] (0x2000): Trace: sh[0x1b47990], connected[1], ops[0x1b59ab0], ldap[0x1b2b030]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [groups_by_user_done] (0x0040): Failed to canonicalize name, using [rob].
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sysdb_search_user_by_name] (0x0400): No such entry
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=rob))
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sysdb_search_groups] (0x2000): No such entry
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_process_result] (0x2000): Trace: sh[0x1b47990], connected[1], ops[(nil)], ldap[0x1b2b030]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=monetra]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [be_req_set_domain] (0x0400): Changing request domain from [monetra.com] to [monetra.com]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [cn=accounts,dc=monetra,dc=com]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=monetra)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][cn=accounts,dc=monetra,dc=com].
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaNTSecurityIdentifier]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [entryUSN]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipaSshPubKey]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 30
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_process_result] (0x2000): Trace: sh[0x1b47990], connected[1], ops[0x1b5a870], ldap[0x1b2b030]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [groups_by_user_done] (0x0040): Failed to canonicalize name, using [monetra].
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sysdb_search_user_by_name] (0x0400): No such entry
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sysdb_search_groups] (0x2000): Search groups with filter: (&(objectclass=group)(ghost=monetra))
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sysdb_search_groups] (0x2000): No such entry
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_process_result] (0x2000): Trace: sh[0x1b47990], connected[1], ops[(nil)], ldap[0x1b2b030]
(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Jan 6 10:00:20 2017) [sssd[be[monetra.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Fri Jan 6 10:00:30 2017) [sssd[be[monetra.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Fri Jan 6 10:00:40 2017) [sssd[be[monetra.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit

^ these last lines continue until (Fri Jan  6 10:04:40 2017).


On 01/06/2017 09:33 AM, Jakub Hrozek wrote:
> On Fri, Jan 06, 2017 at 09:01:12AM -0500, Andy Brittingham wrote:
>> Hi,
>>
>> I upgraded my Freeipa servers to 4.4.0-14 on CentOS 7 yesterday. None of my
>> Ubuntu clients with versions < 16.04 (sssd version 1.13.4) can authenticate
>> against the upgraded servers. It appears the problem is the version of sssd
>> that is installed in the earlier Ubuntu versions. Is this a known issue and
>> does anyone know of a workaround for this? The sssd package in the PPA repo
>> for 14.04 (1.12.5-1~trusty) didn't fix the issue.
> What do the sssd logs say?


--
Andy Brittingham
Main Street Softworks
(800)650-9787
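
A triage sketch for a log like the one in this message, added here as an example (it is not part of the original post or of SSSD): it splits run-together sssd_domain entries, keeps those at SSSD debug level 0x0080 or more severe, and tags each with the account request it followed. The sample is an excerpt of entries from the post; the names `parse` and `triage` are illustrative.

```python
import re

# SSSD debug-level bitmask values; a lower value is more severe.
LEVELS = {
    0x0010: "fatal", 0x0020: "critical", 0x0040: "serious",
    0x0080: "minor", 0x0100: "config", 0x0200: "function-data",
    0x0400: "trace-func", 0x1000: "trace-internal", 0x2000: "trace-all",
}

# Entry layout: (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
# The message runs until the next entry header or the end of the text.
ENTRY = re.compile(
    r"\((?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4})\) "
    r"\[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]{4})\): "
    r"(?P<msg>.*?)(?=\s*\(\w{3} \w{3} +\d+ [\d:]+ \d{4}\) \[sssd|\s*$)",
    re.S,
)
REQ = re.compile(r"Got request for \[\d+\]\[\d+\]\[name=([^\]]+)\]")

# Excerpt of entries from the post, joined on one line as in the extracted text.
SAMPLE = (
    "(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=monetra] "
    "(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse domain SID from [(null)] "
    "(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set "
    "(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [groups_by_user_done] (0x0040): Failed to canonicalize name, using [monetra]. "
    "(Fri Jan 6 10:00:15 2017) [sssd[be[monetra.com]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)"
)

def parse(text):
    """Split log text into entries, whether or not line breaks survived."""
    return [{**m.groupdict(), "level": int(m["level"], 16)}
            for m in ENTRY.finditer(text)]

def triage(text, threshold=0x0080):
    """Return (request name, function, severity, message) for failure entries."""
    current, found = None, []
    for entry in parse(text):
        req = REQ.search(entry["msg"])
        if req:
            current = req.group(1)  # account name of the request being served
        if entry["level"] <= threshold:
            severity = LEVELS.get(entry["level"], hex(entry["level"]))
            found.append((current, entry["func"], severity, entry["msg"].strip()))
    return found

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```
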
