On Fri, Mar 29, 2013 at 12:11:42PM +0000, Rowland Penny wrote:
> On 29/03/13 11:21, Jakub Hrozek wrote:
> >On Thu, Mar 28, 2013 at 09:22:32PM +0000, Rowland Penny wrote:
> >>Hello, I am trying to use sssd instead of winbind against a samba 4
> >>AD server. After looking around the internet, I have got to the
> >>point where I can get a domain user's info with 'getent passwd
> >><domainuser>' and 'id <domainuser>'. I can also create a directory
> >>and chmod it <domainuser>:users, what I cannot do is login into the
> >>computer through ssh or the login GUI on the computer. This is on
> >>Linux Mint 14 using sssd 1.9.1.
> >>
> >>Does anybody have any idea why sssd seems to work but fails in a
> >>very important way?
> >Can you paste or attach tail of /var/log/secure, your (sanitized)
> >sssd.conf and the relevant portion of /var/log/sssd/sssd_$domain.log
> >after raising debug_level to 6 or higher in the domain section?
> >_______________________________________________
> >sssd-users mailing list
> >[email protected]
> >https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>
> OK, as requested here are the three files. Sorry but the domain
> logfile is a bit large.
>

No problem.

> getent passwd testuser
> testuser:*:3000016:100:testuser:/home/HOME/testuser:/bin/bash
>
> id testuser
> uid=3000016(testuser) gid=100(users) groups=100(users)
>
> but testuser cannot login via ssh or the login gui
>
> /var/log/auth.log

^^ thanks, I always forget what the file is called on Debian derivatives.

> Mar 29 11:27:23 mint-VirtualBox mdm[1061]: pam_sss(mdm:auth): received for user testuser: 9 (Authentication service cannot retrieve authentication info)

Looks like SSSD couldn't connect to the authentication server..

>
> /etc/sssd/sssd.conf
>
> [sssd]
> #debug_level = 3
> config_file_version = 2
> reconnection_retries = 3
> sbus_timeout = 30
> domains = DOMAIN
> services = nss, pam
>
> [nss]
> # The following prevents SSSD from searching for the root user/group in
> # all domains (you can add here a comma-separated list of system accounts that
> # are always going to be /etc/passwd users, or that you want to filter out).
> filter_groups = root
> filter_users = root
> reconnection_retries = 3
>
> [pam]
>
> [domain/DOMAIN]
> description = LDAP domain with AD server
> debug_level = 9
> cache_credentials = true
> enumerate = False
>
> id_provider = ldap
> auth_provider = krb5
> chpass_provider = krb5
> access_provider = ldap
>
> # Uncomment if service discovery is not working
> ldap_uri = ldap://adserver.domain.lan/
>
> # Define these only if anonymous binds are not allowed and no keytab is available
> ldap_default_bind_dn = CN=Administrator,CN=Users,DC=domain,DC=lan
> ldap_default_authtok_type = password
> ldap_default_authtok = P4$$w0rd*
>
> ldap_schema = rfc2307bis
>
> ldap_search_base = dc=domain,dc=lan
>
> # It looks like the ?sub?search notation is also accepted: http://sgallagh.wordpress.com/2011/12/22/sssd-tips-and-tricks-vol-2-ldap/
> #ldap_user_search_base = cn=Users,dc=domain,dc=lan?sub?uid=*
> ldap_user_search_base = cn=Users,dc=domain,dc=lan
> ldap_user_object_class = person
>
> ldap_user_domain_directory = unixHomeDirectory
> ldap_user_principal = userPrincipalName
> ldap_user_name = sAMAccountName
> ldap_user_gecos = displayName
> ldap_user_uuid = objectGUID
> ldap_user_modify_timestamp = whenChanged
>
> ldap_group_search_base = dc=domain,dc=lan
> ldap_group_object_class = group
> ldap_group_name = sAMAccountName
> ldap_group_uuid = objectGUID
> ldap_group_modify_timestamp = whenChanged
> ldap_group_nesting_level = 2
>
> ldap_access_order = expire
> ldap_account_expire_policy = ad
> ldap_force_upper_case_realm = True
>
> ldap_pwd_policy = none
>
> #krb5_server = domain.lan

Did you comment out krb5_server in order to use service discovery on purpose? It's a valid use case, just checking if it was the intent.

> krb5_realm = DOMAIN.LAN
> dns_discovery_domain = domain.lan
>
> # Probably required with sssd 1.8.x and newer
> krb5_canonicalize = false
>
> # Uncomment if using SASL/GSSAPI to bind and a valid /etc/krb5.keytab exists
> #ldap_sasl_mech = GSSAPI
> # Uncomment and adjust if the default principal host/fqdn@REALM is not available
> #[email protected]
>
>
> /var/log/sssd/sssd_DOMAIN.log
> <snip first part of the log>

Here comes the account request...

> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [be_get_account_info] (0x0100): Got request for [4099][1][name=mdm]
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [sdap_id_op_connect_step] (0x4000): beginning to connect
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [get_server_status] (0x1000): Status of server 'adserver.domain.lan' is 'name not resolved'

..sssd begins to connect..

> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [get_port_status] (0x1000): Port status of port 389 for server 'adserver.domain.lan' is 'neutral'
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds

...triggers name resolution..

> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [get_server_status] (0x1000): Status of server 'adserver.domain.lan' is 'name not resolved'
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [resolv_is_address] (0x4000): [adserver.domain.lan] does not look like an IP address
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [resolv_gethostbyname_step] (0x2000): Querying files
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'adserver.domain.lan' in files
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [set_server_common_status] (0x0100): Marking server 'adserver.domain.lan' as 'resolving name'
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [resolv_gethostbyname_step] (0x2000): Querying files
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'adserver.domain.lan' in files
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [resolv_gethostbyname_step] (0x2000): Querying DNS
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'adserver.domain.lan' in DNS
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 5 seconds
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [request_watch_destructor] (0x0400): Deleting request watch
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [resolv_gethostbyname_done] (0x0040): querying hosts database failed [5]: Input/output error
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_done] (0x0020): Failed to resolve server 'adserver.domain.lan': Could not contact DNS servers

And fails because the underlying resolver library cannot contact DNS servers.

> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [set_server_common_status] (0x0100): Marking server 'adserver.domain.lan' as 'not working'
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [be_resolve_server_process] (0x0080): Couldn't resolve server (adserver.domain.lan), resolver returned (5)
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [be_resolve_server_process] (0x1000): Trying with the next one!
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [get_server_status] (0x1000): Status of server 'adserver.domain.lan' is 'not working'
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [get_server_status] (0x1000): Status of server 'adserver.domain.lan' is 'not working'
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
> (Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [be_mark_offline] (0x2000): Going offline!

As a result of failed DNS resolution, the sssd goes offline.

Later in the logfiles I see that the SSSD succeeded in connecting to the LDAP server, but the only authentication request captured in the logs is:

> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [krb5_pam_handler] (0x1000): Wait queue of user [testuser] is empty, running request immediately.
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [ldb] (0x4000): tevent: Added timed event "ltdb_callback": 0x99a7ae0
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [ldb] (0x4000): tevent: Added timed event "ltdb_timeout": 0x99a7ba8
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [ldb] (0x4000): tevent: Destroying timer event 0x99a7ba8 "ltdb_timeout"
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [ldb] (0x4000): tevent: Ending timer event 0x99a7ae0 "ltdb_callback"
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [krb5_auth_send] (0x0100): No ccache file for user [testuser] found.
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [krb5_auth_send] (0x4000): Ccache_file is [not set] and is not active and TGT is not valid.
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KERBEROS'
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'neutral'
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_send] (0x0400): SRV resolution of service 'KERBEROS'. Will use DNS discovery domain 'domain.lan'
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_KERBEROS._udp.domain.lan'
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_KERBEROS._udp.domain.lan'
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 5 seconds
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [request_watch_destructor] (0x0400): Deleting request watch
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_done] (0x0020): SRV query failed: [Could not contact DNS servers]
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as 'not working'
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'KERBEROS' as 'not resolved'
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup meta-server), resolver returned (5)
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [be_resolve_server_process] (0x1000): Trying with the next one!
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KERBEROS'
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'neutral'
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_send] (0x0400): SRV resolution of service 'KERBEROS'. Will use DNS discovery domain 'domain.lan'
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_KERBEROS._tcp.domain.lan'
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_KERBEROS._tcp.domain.lan'
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 5 seconds
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [request_watch_destructor] (0x0400): Deleting request watch
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_done] (0x0020): SRV query failed: [Could not contact DNS servers]
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [fo_set_port_status] (0x0100): Marking port 0 of server '(no name)' as 'not working'
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'KERBEROS' as 'not resolved'
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup meta-server), resolver returned (5)
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [be_resolve_server_process] (0x1000): Trying with the next one!
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KERBEROS'
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'not working'
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'not working'
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_send] (0x0020): No available servers for service 'KERBEROS'
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
> (Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [be_mark_offline] (0x2000): Going offline!

^^ Which fails after the service resolution via DNS failed.

Does authentication work if you set krb5_server to adserver.domain.lan?
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
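Added example, not part of the thread and not SSSD project code: a small Python triage script that does mechanically what the reply above does by hand. It replays the failover (fo_*) state machine from a sssd_$domain.log, grouping name lookups and their failure reasons per service ('LDAP', 'KERBEROS') and recording each "Going offline!" transition, and it answers the krb5_server question from the config by reporting, per service, whether SSSD has an explicit server or depends on SRV discovery. The log line format is the sssd 1.9 one pasted above; the sample log entries are taken from the thread and rejoined onto single lines, the sample config is the posted sssd.conf trimmed to its server settings (bind password omitted), and all function names are mine.

```python
"""Triage an SSSD backend debug log and its sssd.conf (added example)."""
import configparser
import re
from urllib.parse import urlparse

# One sssd_$domain.log entry (sssd 1.9 format, as pasted in the thread):
# (timestamp) [sssd[be[DOMAIN]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
# Messages that mark the steps of the failover state machine.
RESOLVE_SERVICE_RE = re.compile(r"Trying to resolve service '([^']+)'")
HOST_QUERY_RE = re.compile(r"Trying to resolve (?:A|AAAA) record of '([^']+)'")
SRV_QUERY_RE = re.compile(r"Searching for servers via SRV query '([^']+)'")
HOST_FAIL_RE = re.compile(r"Failed to resolve server '[^']+': (.+)")
SRV_FAIL_RE = re.compile(r"SRV query failed: \[([^\]]+)\]")
NO_SERVERS_RE = re.compile(r"No available servers for service '([^']+)'")
DNS_UNREACHABLE = "Could not contact DNS servers"


def parse_line(line):
    """Split one log entry into its fields; None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_failover(log_text):
    """Per service: names looked up, why each lookup failed, whether the server
    list was exhausted; plus every 'Going offline!' transition (ts, service)."""
    services, offline, name = {}, [], None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        msg = rec["msg"]
        m = RESOLVE_SERVICE_RE.search(msg)
        if m:
            name = m.group(1)
            services.setdefault(
                name, {"targets": [], "failures": [], "exhausted": False})
        elif msg.startswith("Going offline!"):
            offline.append((rec["ts"], name))
        elif name is not None:
            svc = services[name]
            m = HOST_QUERY_RE.search(msg) or SRV_QUERY_RE.search(msg)
            if m and m.group(1) not in svc["targets"]:
                svc["targets"].append(m.group(1))
            m = HOST_FAIL_RE.search(msg) or SRV_FAIL_RE.search(msg)
            if m:
                svc["failures"].append(m.group(1))
            if NO_SERVERS_RE.search(msg):
                svc["exhausted"] = True
    return {"services": services, "offline": offline}


def resolver_is_the_problem(summary):
    """True when every failure is the resolver library reporting that it could
    not reach a DNS server, i.e. no AD server was ever contacted."""
    reasons = [r for s in summary["services"].values() for r in s["failures"]]
    return bool(reasons) and all(r == DNS_UNREACHABLE for r in reasons)


def server_sources(conf_text, domain):
    """For LDAP and Kerberos, the explicit servers from the [domain/...] section,
    or the SRV names SSSD must discover (the '_srv_' keyword is not handled)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp["domain/" + domain]
    disc = sec.get("dns_discovery_domain", "<machine's DNS domain>")
    ldap = [urlparse(u.strip()).hostname
            for u in sec.get("ldap_uri", "").split(",") if u.strip()]
    kdc = [h.strip() for h in sec.get("krb5_server", "").split(",") if h.strip()]
    return {"LDAP": ldap or ["SRV _ldap._tcp." + disc],
            "KERBEROS": kdc or ["SRV _kerberos._udp/_tcp." + disc]}


# Constructed sample: entries from the thread's log, each rejoined onto one line.
SAMPLE_LOG = """\
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'adserver.domain.lan' in DNS
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_done] (0x0020): Failed to resolve server 'adserver.domain.lan': Could not contact DNS servers
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
(Fri Mar 29 11:27:13 2013) [sssd[be[DOMAIN]]] [be_mark_offline] (0x2000): Going offline!
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KERBEROS'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_KERBEROS._udp.domain.lan'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_done] (0x0020): SRV query failed: [Could not contact DNS servers]
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_KERBEROS._tcp.domain.lan'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [resolve_srv_done] (0x0020): SRV query failed: [Could not contact DNS servers]
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [fo_resolve_service_send] (0x0020): No available servers for service 'KERBEROS'
(Fri Mar 29 11:27:23 2013) [sssd[be[DOMAIN]]] [be_mark_offline] (0x2000): Going offline!
"""
# Constructed sample: the thread's sssd.conf trimmed to its server settings.
SAMPLE_CONF = """\
[domain/DOMAIN]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://adserver.domain.lan/
#krb5_server = domain.lan
krb5_realm = DOMAIN.LAN
dns_discovery_domain = domain.lan
"""

if __name__ == "__main__":
    summary = summarize_failover(SAMPLE_LOG)
    print(summary, resolver_is_the_problem(summary), sep="\n")
    print(server_sources(SAMPLE_CONF, "DOMAIN"))
```

On the thread's log this reports both services going offline with every failure being the resolver's "Could not contact DNS servers", and shows that LDAP has an explicit server while Kerberos depends on SRV discovery in domain.lan, which is why the reply suggests setting krb5_server explicitly as the next check.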
