Hi again,

Thanks a lot for guiding me so far :) I have got the sssd-1.9.2 package from Timo, the Ubuntu sssd package maintainer for Ubuntu Quantal.

SSSD is configured against AD as auth/id - provider

sssd.conf

[sssd]
debug_level = 0x1310
config_file_version = 2
services = nss, pam
domains = nat.c.sdu.dk

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/nat.c.sdu.dk]
debug_level = 0x1310
enumerate = False
min_id = 1000
max_id = 20000

auth_provider = ad
id_provider = ad
access_provider = ad
chpass_provider = ad

ad_server = nat.c.sdu.dk
ad_hostname = testina4$.nat.c.sdu.dk
ad_domain = nat.c.sdu.dk

From log:

(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_process] (0x0200): Found address for server nat.c.sdu.dk: [10.144.5.18] TTL 455
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: testina4$
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'nat.c.sdu.dk' as 'not working
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [get_server_status] (0x1000): Status of server 'nat.c.sdu.dk' is 'name resolved'
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [get_port_status] (0x1000): Port status of port 0 for server 'nat.c.sdu.dk' is 'not working'
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [acctinfo_callback] (0x0100): Request processed. Returned 1,11,Offline
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.NAT.C.SDU.DK], [2][No such file or directory

-----

The error "port status of port 0 .." is not working - jumps out.

Testina4 is my linux host, joined to the AD by msktutils application - but maybe it hasn't got enough permissions granted to make a query in domain???

root@testina4:/etc/sssd# klist -e -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  13 [email protected] (arcfour-hmac)
  13 [email protected] (aes128-cts-hmac-sha1-96)
  13 [email protected] (aes256-cts-hmac-sha1-96)
  14 [email protected] (arcfour-hmac)
  14 [email protected] (aes128-cts-hmac-sha1-96)
  14 [email protected] (aes256-cts-hmac-sha1-96)
  14 host/[email protected] (arcfour-hmac)
  14 host/[email protected] (aes128-cts-hmac-sha1-96)
  14 host/[email protected] (aes256-cts-hmac-sha1-96)
   9 [email protected] (arcfour-hmac)
   9 [email protected] (aes128-cts-hmac-sha1-96)
   9 [email protected] (aes256-cts-hmac-sha1-96)

I can get object data for 'testina4' and AD 'imadatestuser' from command line run from 'testina4' (after I run kinit as AD adminuser) :

ldapsearch -E pr=1000/noprompt -H ldap://nat.c.sdu.dk -Y GSSAPI -b 'ou=Linux computers,ou=ADResources,dc=nat,dc=c,dc=sdu,dc=dk' '(&(objectClass=computer)(name=testina4))'

# extended LDIF
#
# LDAPv3
# base <ou=Linux computers,ou=ADResources,dc=nat,dc=c,dc=sdu,dc=dk> with scope subtree
# filter: (&(objectClass=computer)(name=testina4))
# requesting: ALL
# with pagedResults control: size=1000
#

# testina4, Linux computers, ADResources, nat.c.sdu.dk
dn: CN=testina4,OU=Linux computers,OU=ADResources,DC=nat,DC=c,DC=sdu,DC=dk
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: testina4
distinguishedName: CN=testina4,OU=Linux computers,OU=ADResources,DC=nat,DC=c,D
 C=sdu,DC=dk
instanceType: 4
whenCreated: 20121019130319.0Z
whenChanged: 20121105144001.0Z
uSNCreated: 158837247
uSNChanged: 161473679
name: testina4
objectGUID:: os+KTql470WRz9dZ/6U3Tw==
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 129959868084813523
lastLogoff: 0
lastLogon: 129966788793794911
localPolicyFlags: 0
pwdLastSet: 129959870279509463
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAANYoCGg16WjOCi6YoRy4AAA==
accountExpires: 9223372036854775807
logonCount: 42
sAMAccountName: testina4$
sAMAccountType: 805306369
dNSHostName: testina4.nat.c.sdu.dk
servicePrincipalName: host/testina4
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=c,DC=sdu,DC=dk
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129966000010645525
msDS-SupportedEncryptionTypes: 28

# search result
search: 2
result: 0 Success
control: 1.2.840.113556.1.4.319 false MIQAAAAFAgEABAA=
pagedresults: cookie=

# numResponses: 2
# numEntries: 1

alongina@testina4:~$ ldapsearch -E pr=1000/noprompt -H ldap://nat.c.sdu.dk -Y GSSAPI -b 'ou=ADusers,dc=nat,dc=c,dc=sdu,dc=dk' '(&(objectClass=person)(sAMAccountName=imadatestuser))'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

alongina@testina4:~$ kinit
Password for [email protected]:

alongina@testina4:~$ ldapsearch -E pr=1000/noprompt -H ldap://nat.c.sdu.dk -Y GSSAPI -b 'ou=ADusers,dc=nat,dc=c,dc=sdu,dc=dk' '(&(objectClass=person)(sAMAccountName=imadatestuser))'
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <ou=ADusers,dc=nat,dc=c,dc=sdu,dc=dk> with scope subtree
# filter: (&(objectClass=person)(sAMAccountName=imadatestuser))
# requesting: ALL
# with pagedResults control: size=1000
#

# IMADAtest Testesen, Odense, Institut for Matematik og Datalogi, ADUsers, na
 t.c.sdu.dk
dn: CN=IMADAtest Testesen,OU=Odense,OU=Institut for Matematik og Datalogi,OU=A
 DUsers,DC=nat,DC=c,DC=sdu,DC=dk
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: IMADAtest Testesen
sn: Testesen
l: Odense M
title: Professor
postalCode: 5230
givenName: IMADAtest
distinguishedName: CN=IMADAtest Testesen,OU=Odense,OU=Institut for Matematik o
 g Datalogi,OU=ADUsers,DC=nat,DC=c,DC=sdu,DC=dk
instanceType: 4
whenCreated: 20091005131413.0Z
whenChanged: 20121019141347.0Z
displayName: IMADAtest Testesen
uSNCreated: 20103944
memberOf:: Q049Y29tbW9uX3VzZXJzLE9VPUbDpmxsZXMsT1U9SW5zdGl0dXR0ZXIsT1U9QURHcm9
 1cHMsREM9bmF0LERDPWMsREM9c2R1LERDPWRr
memberOf:: Q049bmF0LWxlY3R1cmVzLE9VPUbDpmxsZXMsT1U9SW5zdGl0dXR0ZXIsT1U9QURHcm9
 1cHMsREM9bmF0LERDPWMsREM9c2R1LERDPWRr
memberOf: CN=Imada-terminal-users,OU=Institut for Matematik og Datalogi (IMADA
 ),OU=Institutter,OU=ADGroups,DC=nat,DC=c,DC=sdu,DC=dk
uSNChanged: 117297654
department: Institut for Matematik og Datalogi
name: IMADAtest Testesen
objectGUID:: xevmnsllekOUPs5dy6xBUw==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
homeDirectory: \\sdu-data0.c.sdu.dk\staff\imadatestuser
homeDrive: M:
badPasswordTime: 129951292226925867
lastLogoff: 0
lastLogon: 129951296097614099
logonHours:: ////////////////////////////
pwdLastSet: 129951295698649008
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAANYoCGg16WjOCi6YolSgAAA==
accountExpires: 0
logonCount: 1
sAMAccountName: imadatestuser
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=c,DC=sdu,DC=dk
dSCorePropagationData: 20121026084647.0Z
dSCorePropagationData: 20120525083005.0Z
dSCorePropagationData: 20120328164019.0Z
dSCorePropagationData: 20111214110440.0Z
dSCorePropagationData: 16010714223649.0Z
lastLogonTimestamp: 129951296097540185
unixHomeDirectory: /home/imadatestuser

# search result
search: 4
result: 0 Success
control: 1.2.840.113556.1.4.319 false MIQAAAAFAgEABAA=
pagedresults: cookie=

# numResponses: 2
# numEntries: 1

Longina

-----Original Message-----
From: Stephen Gallagher [mailto:[email protected]]
Sent: 26. oktober 2012 15:22
To: End-user discussions about the System Security Services Daemon
Cc: Longina Przybyszewska; Timo Aaltonen
Subject: Re: [SSSD-users] startup problem

On Fri 26 Oct 2012 09:15:16 AM EDT, Longina Przybyszewska wrote:
> I have compiled 1.9.2 version and installed in the /usr/local/
>
> This way the other programs can't use the new libraries
>
> The preferable way would be installing in the same places as native package
> would do.
>
> The native version In Ubuntu-quantal is 1.9.1 so the worse case
> would be event. regular upgrade to 1.9.2 some day.
>
> What are the relevant install options to 'configure' ?
>

SSSD has some pieces that *must* be in the standard locations or it will not function properly. These are the nss_sss.so.2 NSS libraries and the pam_sss.so PAM library.

If you are not familiar with packaging, you might have better luck coordinating with Timo Aaltonen, the Ubuntu/Debian maintainer for SSSD. I believe he keeps an Ubuntu PPA with the latest bits somewhere. CCing him on the conversation.

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
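
One way to read the backend log in the post above mechanically, as an added example that is not part of the original message or of SSSD: it parses the debug lines and reports which step immediately preceded the port being marked 'not working'. The names `parse` and `triage` are hypothetical, and the sample lines are copied from the log in the post.

```python
import re

# Lines copied from the backend log in the post above.
SAMPLE_LOG = """\
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_process] (0x0200): Found address for server nat.c.sdu.dk: [10.144.5.18] TTL 455
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: testina4$
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'nat.c.sdu.dk' as 'not working
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Tue Nov 6 13:42:35 2012) [sssd[be[nat.c.sdu.dk]]] [acctinfo_callback] (0x0100): Request processed. Returned 1,11,Offline
""".splitlines()

# (timestamp) [sssd[be[domain]]] [function] (0xlevel): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

def parse(line):
    """Split one SSSD backend debug line into its fields, or return None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Report the resolved address, the step right before the first
    'not working' marking, and whether the backend went offline."""
    report = {"address": None, "failed_after": None, "offline": False}
    prev = None
    for rec in filter(None, map(parse, lines)):
        func, msg = rec["func"], rec["msg"]
        if func == "be_resolve_server_process" and msg.startswith("Found address"):
            report["address"] = re.search(r"\[([^\]]+)\]", msg).group(1)
        elif func == "fo_set_port_status" and "not working" in msg:
            if report["failed_after"] is None and prev is not None:
                report["failed_after"] = (prev["func"], prev["msg"])
        elif func == "acctinfo_callback" and msg.endswith("Offline"):
            report["offline"] = True
        prev = rec
    return report

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the posted lines this shows the server address already resolved and the port marked 'not working' immediately after the GSSAPI bind attempt as testina4$, with the "Server resolution failed: 5" and Offline lines coming after that.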
