[SSSD-users] Re: Getting 4 (System error) for SSSD clients connected to RODC
On Thu, Jun 04, 2020 at 11:47:36AM -0400, Abhijit Tikekar wrote:
> Hi all,
>
> We recently started having issues with some SSSD clients that are connecting to RODC. They were all working fine when suddenly all authentications started getting following
>
> sshd[4487]: pam_sss(sshd:auth): received for user firstname.lastname: 4 (System error)
>
> Being a RODC, keytab was created manually on a writable DC using setspn & ktpass and then integrated on the system using ktutil. Things were fine until last week when it stopped working on all such systems. We are not able to identify if the issue is on the system side or AD. Network side looks good and all required ports are open between client and Server. Host can also resolve RODC via DNS. Even other utilities such as ldapsearch, getent, id etc retrieve the results just fine. It is only the main login process that fails. Attaching parts of logs generated with debug level 10.
>
> It would be great if someone can review these and point us in the right direction.
>
> *sssd_domain.log*
>
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [dp_attach_req] (0x0400): Number of active DP request: 1
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [sdap_id_op_connect_step] (0x4000): beginning to connect
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [get_server_status] (0x1000): Status of server 'RODC.x.y.local' is 'name resolved'
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [get_port_status] (0x1000): Port status of port 0 for server 'RODC.x.y.local' is 'not working'
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [get_port_status] (0x0080): SSSD is unable to complete the full connection request, this internal status does not necessarily indicate network port issues.
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [be_resolve_server_done] (0x1000): Server resolution failed: [5]: Input/output error
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [be_mark_offline] (0x2000): Going offline!
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [be_mark_offline] (0x2000): Enable check_if_online_ptask.
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [be_ptask_enable] (0x0080): Task [Check if online (periodic)]: already enabled
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [be_run_offline_cb] (0x4000): Flag indicates that offline callback were already called.
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [sdap_id_op_connect_done] (0x4000): notify offline to op #1
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [ad_subdomains_refresh_connect_done] (0x0020): Unable to connect to LDAP [11]: Resource temporarily unavailable
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [ad_subdomains_refresh_connect_done] (0x0080): No AD server is available, cannot get the subdomain list while offline
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [dp_req_done] (0x0400): DP Request [Subdomains #2]: Request handler finished [0]: Success
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [_dp_req_recv] (0x0400): DP Request [Subdomains #2]: Receiving request data.
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [dp_req_reply_list_success] (0x0400): DP Request [Subdomains #2]: Finished. Success.
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [dp_req_reply_std] (0x1000): DP Request [Subdomains #2]: Returning [Provider is Offline]: 1,1432158212,Offline
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [dp_table_value_destructor] (0x0400): Removing [8:8::] from reply table
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [dp_req_destructor] (0x0400): DP Request [Subdomains #2]: Request removed.
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [sdap_id_release_conn_data] (0x4000): releasing unused connection
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [sbus_dispatch] (0x4000): dbus conn: 0x55c31927bed0
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [be_ptask_offline_cb] (0x0400): Back end is offline
>
> *ldap_child.log*
>
> (Tue May 26 23:10:52 2020) [[sssd[ldap_child[12599 [main] (0x0400): ldap_child started.
> (Tue May 26 23:10:52 2020) [[sssd[ldap_child[12599 [main] (0x2000): context initialized
> (Tue May 26 23:10:52 2020) [[sssd[ldap_child[12599 [unpack_buffer] (0x1000): total buffer size: 73
> (Tue May 26 23:10:52 2020) [[sssd[ldap_child[12599 [unpack_buffer] (0x1000): realm_str size: 14
> (Tue May 26 23:10:52 2020)
[SSSD-users] Re: Getting 4 (System error) for SSSD clients connected to RODC
Hi James,

Forgot to mention. We already tried that. It is still the same error.

Thanks,
~ Abhi

On Thu, Jun 4, 2020 at 12:12 PM James Cassell wrote:
>
> On Thu, Jun 4, 2020, at 11:47 AM, Abhijit Tikekar wrote:
> > Hi all,
> >
> > We recently started having issues with some SSSD clients that are connecting to RODC. They were all working fine when suddenly all authentications started getting following
> >
> > sshd[4487]: pam_sss(sshd:auth): received for user firstname.lastname: 4 (System error)
> >
>
> Try setting krb5_validate=false in the domain section.
>
> V/r,
> James Cassell
>
> > Being a RODC, keytab was created manually on a writable DC using setspn & ktpass and then integrated on the system using ktutil. Things were fine until last week when it stopped working on all such systems. We are not able to identify if the issue is on the system side or AD. Network side looks good and all required ports are open between client and Server. Host can also resolve RODC via DNS. Even other utilities such as ldapsearch, getent, id etc retrieve the results just fine. It is only the main login process that fails. Attaching parts of logs generated with debug level 10.
> >
> > It would be great if someone can review these and point us in the right direction.
[SSSD-users] Re: Getting 4 (System error) for SSSD clients connected to RODC
On Thu, Jun 4, 2020, at 11:47 AM, Abhijit Tikekar wrote:
> Hi all,
>
> We recently started having issues with some SSSD clients that are connecting to RODC. They were all working fine when suddenly all authentications started getting following
>
> sshd[4487]: pam_sss(sshd:auth): received for user firstname.lastname: 4 (System error)
>

Try setting krb5_validate=false in the domain section.

V/r,
James Cassell

> Being a RODC, keytab was created manually on a writable DC using setspn & ktpass and then integrated on the system using ktutil. Things were fine until last week when it stopped working on all such systems. We are not able to identify if the issue is on the system side or AD. Network side looks good and all required ports are open between client and Server. Host can also resolve RODC via DNS. Even other utilities such as ldapsearch, getent, id etc retrieve the results just fine. It is only the main login process that fails. Attaching parts of logs generated with debug level 10.
>
> It would be great if someone can review these and point us in the right direction.
>
> _*sssd_domain.log*_
>
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [dp_attach_req] (0x0400): Number of active DP request: 1
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [sdap_id_op_connect_step] (0x4000): beginning to connect
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [get_server_status] (0x1000): Status of server 'RODC.x.y.local' is 'name resolved'
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [get_port_status] (0x1000): Port status of port 0 for server 'RODC.x.y.local' is 'not working'
> (Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [get_port_status] (0x0080): SSSD is unable to complete the full connection request, this internal status does not necessarily indicate network port issues.
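A triage sketch for the sssd_domain.log excerpt quoted in this thread, added here as an example and not part of any poster's message or of SSSD itself: it parses each entry's debug-level bit and lists the failure-level entries logged before the back end goes offline. The level labels are paraphrased from sssd.conf(5), the function names are hypothetical, and the sample lines are copied from the excerpt and rejoined to one entry per line.

```python
import re

# Bit values of SSSD's debug_level mask (labels paraphrased from sssd.conf(5)).
LEVELS = {0x0010: "fatal", 0x0020: "critical", 0x0040: "serious",
          0x0080: "minor", 0x0100: "config", 0x0200: "function data",
          0x0400: "trace", 0x1000: "internal trace",
          0x2000: "variable dump", 0x4000: "low-level trace"}

ENTRY = re.compile(r"\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] "
                   r"\[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)")

def parse(line):
    """Split one log entry into fields; return None if it is not an entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["lvl"] = int(entry["lvl"], 16)
    entry["severity"] = LEVELS.get(entry["lvl"], "unknown")
    return entry

def failures(lines, worst=0x0080):
    """Keep entries at 'minor failure' level or more severe (lower bit value)."""
    parsed = (parse(line) for line in lines)
    return [e for e in parsed if e and e["lvl"] <= worst]

def before_offline(lines):
    """Failure entries logged before the back end reports 'Going offline!'."""
    head = []
    for line in lines:
        e = parse(line)
        if e and e["func"] == "be_mark_offline" and "Going offline" in e["msg"]:
            break
        head.append(line)
    return failures(head)

# Sample input: entries from the thread's excerpt, one per line.
SAMPLE = """
(Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [get_port_status] (0x1000): Port status of port 0 for server 'RODC.x.y.local' is 'not working'
(Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [get_port_status] (0x0080): SSSD is unable to complete the full connection request, this internal status does not necessarily indicate network port issues.
(Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [be_mark_offline] (0x2000): Going offline!
(Tue May 26 23:10:52 2020) [sssd[be[x.y.local]]] [ad_subdomains_refresh_connect_done] (0x0020): Unable to connect to LDAP [11]: Resource temporarily unavailable
""".strip().splitlines()

if __name__ == "__main__":
    for e in before_offline(SAMPLE):
        print(f'{e["severity"]:8} {e["func"]}: {e["msg"]}')
```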