Hello, Thank you for your kind help.
I could not see it (successfully subdomains discovering) in the logs. It seems the subdmains forced set null. << log part 1 >> [sssd[be[labsso]]] [client_registration] (0x0100): Cancel DP ID timeout [0x1acb120] [sssd[be[labsso]]] [client_registration] (0x0100): Added Frontend client [PAM] [sssd[be[labsso]]] [be_get_subdomains] (0x0400): Got get subdomains [forced][] [sssd[be[labsso]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD' [sssd[be[labsso]]] [get_server_status] (0x1000): Status of server 'jpbw0-in00-is82.labsso.labroot.isops.example.com' is 'name not resolved' [sssd[be[labsso]]] [get_port_status] (0x1000): Port status of port 0 for server 'jpbw0-in00-is82.labsso.labroot.isops.example.com' is 'neutral' [sssd[be[labsso]]] [get_server_status] (0x1000): Status of server 'jpbw0-in00-is82.labsso.labroot.isops.example.com' is 'name not resolved' [sssd[be[labsso]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'jpbw0-in00-is82.labsso.labroot.isops.example.com' in files [sssd[be[labsso]]] [set_server_common_status] (0x0100): Marking server 'jpbw0-in00-is82.labsso.labroot.isops.example.com' as 'resolving name' [sssd[be[labsso]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'jpbw0-in00-is82.labsso.labroot.isops.example.com' in files [sssd[be[labsso]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry [sssd[be[labsso]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'jpbw0-in00-is82.labsso.labroot.isops.example.com' in DNS << end log part 1 >> I also found an error (malformed search filter) when searching trustedDomain with "cn=(null)". << log part 2 >> [sssd[be[labsso]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'jpbw0-in00-is82.labsso.labroot.isops.example.com' as 'working' [sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=domain][DC=labsso,DC=labroot,DC=isops,DC=example,DC=com]. [sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID] [sssd[be[labsso]]] [be_run_online_cb] (0x0080): Going online. Running callbacks. [sssd[be[labsso]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set [sssd[be[labsso]]] [ad_master_domain_next_done] (0x0400): Found SID [S-1-5-21-1401708884-2744904820-804000056]. [sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(DnsDomain=LABSSO)(NtVer=\14\00\00\00))][]. [sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [netlogon] [sssd[be[labsso]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set [sssd[be[labsso]]] [ad_master_domain_netlogon_done] (0x0080): No netlogon data available. Flat name might not be usable [sssd[be[labsso]]] [ad_subdomains_master_dom_done] (0x0400): SSSD needs to look up the forest root domain [sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=trustedDomain)(trustType=2)(!(msDS-TrustForestTrustInfo=*))(cn=(null)))][DC=labsso,DC=labroot,DC=isops,DC=example,DC=com]. [sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [flatName] [sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [trustPartner] [sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [securityIdentifier] [sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [trustType] [sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [trustAttributes] [sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x0080): ldap_search_ext failed: Bad search filter [sssd[be[labsso]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [1432158235]: Malformed search filter [sssd[be[labsso]]] [ad_subdomains_get_root_domain_done] (0x0040): sdap_get_generic_send request failed. [sssd[be[labsso]]] [get_subdomains_callback] (0x0400): Backend returned: (3, 1432158235, <NULL>) [Internal Error (Unknown PAM error)] [sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [objectclass=domain][DC=labsso,DC=labroot,DC=isops,DC=example,DC=com]. [sssd[be[labsso]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID] [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 1432158235 error message: Internal Error (Unknown PAM error) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40cf30:domains@labbu] [sssd[pam]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [labbu][forced][] [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40cf30:domains@labbu] [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x40cf30:domains@labsso] [sssd[be[labbu]]] [be_get_subdomains] (0x0400): Got get subdomains [forced][] [sssd[be[labbu]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD' << end of log part 2 >> May I missed something on subdomain configuration on AD side ? # I can see correct hierarchy (labroot -> labsso -> labbu) thru "Active Directory Domains and Trusts" on Windows. Could you kindly how to check the subdomain configuration on AD side ? Also how sssd AD provider discover subdomains ? Thank you for your kind support. Shoji 2014-08-04 21:55 GMT+09:00 Jakub Hrozek <[email protected]>: > On Fri, Aug 01, 2014 at 08:20:16PM +0900, 杉山昌治 wrote: >> Hello Jakub, >> >> 2014-07-31 18:02 GMT+09:00 Jakub Hrozek <[email protected]>: >> > On Wed, Jul 30, 2014 at 01:18:40PM +0900, 杉山昌治 wrote: >> >> Hello Jakub, >> >> >> >> Thank you for your quick reply and explanation. >> >> I understand the domain local group defined in the sub-domain >> >> (LABBU=labbu.sso.example.com) is not able to be a group for a user who >> >> enrolled >> >> So, I created a new universal group (U-Role-Labbu-Test) in the LABBU >> >> domain and assigned "U-Role-ISOps-Server" (in LABSSO domain) as a >> >> member. >> >> Thru Windows server, I can see "U-Role-Labbu-Test (LABBU)" in "Member >> >> Of" tab of "U-Role-ISOps-Server (LABSSO)" group. >> >> So I believed I could get the new group information thru LABSSO domain >> >> server. >> >> >> >> User/Groups in Domain sso.example.com >> >> ======================== >> >> User test_user (MemberOf=G-Group-Server) >> >> Group G-Role-ISOps-Server (Type: Global Group, >> >> Members=test_user,MemberOf=U-Role-ISOps-Server) >> >> Group U-Role-ISOps-Server (Type: Universal >> >> Group,Members=G-Role-ISOps-Server,MemberOf=U-Role-Labbu-Test) >> >> >> >> User/Groups in Domain labbu.sso.example.com >> >> ======================== >> >> Group D-Role-ISOps-Server (Type: Domain Local >> >> Group,Members=U-Role-ISOps-Server) >> >> Group U-Role-Labbu-Test (Type: Universal >> >> Group,Members=U-Role-ISOps-Server) >> > >> > OK, but which domain is the client enrolled with? You'll only see >> > domain-local groups of the same domain. If your client is enrolled with >> > labbu.sso.example.com then I would expect to see the group, if it's >> > enrolled with sso.example.com then I don't think you would be listed as >> > a group member.. >> >> Yes, the client enrolled with "labbu.sso.example.com". >> So the domain local group should not be listed up. >> >> > >> >> >> >> I also confirmed the "MemberOf" attribute is set. >> >> >> >> << ldapsearch result >> >> >> [root@jpbl0-in00-is11 ~]# ldapsearch -Y GSSAPI -LLL -H >> >> "ldap://jpbw0-in00-is82.labsso.labroot.isops.example.com:3268"; -b >> >> "DC=labsso,DC=labroot,DC=isops,DC=example,DC=com" >> >> "(&(name=u-role-isops-server)(objectclass=group)(name=*))" >> >> >> >> SASL/GSSAPI authentication started >> >> SASL username: >> >> host/jpbl0-in00-is11.lab.isops.example....@labsso.labroot.isops.example.com >> >> SASL SSF: 56 >> >> SASL data security layer installed. >> >> dn: >> >> CN=U-Role-ISOps-Server,OU=UGroups,OU=BU0-ISOps,OU=Roles,DC=labsso,DC=labro >> >> ot,DC=isops,DC=example,DC=com >> >> objectClass: top >> >> objectClass: group >> >> cn: U-Role-ISOps-Server >> >> description: Server Team in Troy's Org >> >> member: >> >> CN=G-Role-ISOps-Server,OU=BU0-ISOps,OU=Roles,DC=labsso,DC=labroot,DC=i >> >> sops,DC=example,DC=com >> >> distinguishedName: >> >> CN=U-Role-ISOps-Server,OU=UGroups,OU=BU0-ISOps,OU=Roles,DC= >> >> labsso,DC=labroot,DC=isops,DC=example,DC=com >> >> instanceType: 4 >> >> whenCreated: 20131029182314.0Z >> >> whenChanged: 20140709064747.0Z >> >> uSNCreated: 17692 >> >> memberOf: >> >> CN=U-Role-Labbu-Test,OU=BU0-ISOps,OU=Roles,DC=labbu,DC=labsso,DC=lab >> >> root,DC=isops,DC=example,DC=com >> >> uSNChanged: 4548023 >> >> name: U-Role-ISOps-Server >> >> objectGUID:: RQlz+uYst0mHr6qbRRXZ+A== >> >> objectSid:: AQUAAAAAAAUVAAAAVGGMU3Tsm6M4EewvXgQAAA== >> >> sAMAccountName: U-Role-ISOps-Server >> >> sAMAccountType: 268435456 >> >> groupType: -2147483640 >> >> objectCategory: >> >> CN=Group,CN=Schema,CN=Configuration,DC=labroot,DC=isops,DC=example >> >> ,DC=com >> >> dSCorePropagationData: 16010101000000.0Z >> >> >> >> Then I modified sssd.config only use "LABSSO" domain and tried to >> >> retrieve group information of "U-Role-Labbu-Test" by "getent group >> >> U-Role-Labbu-Test" command. But it returned nothing. I tried both case >> >> "ad_enable_gc=False" and "ad_enable_gct=True", but the result was the >> >> same. >> >> >> >> I checked log message when invoked "getent group U-Role-Labbu-Test" >> >> command. >> >> It looks like the AD provider used normal LDAP port for >> >> ldap_search_ext() rather global catalog port (3268). >> >> It also looks like the AD provider checks the AD server with global >> >> catalog port (3268) to detect its compatibility level. >> >> I believed the AD provider tried to search in the global catalog first >> >> to search a specified group name. >> >> >> >> << log messages >> >> >> [sssd[be[sso-ad-ad]]] [be_resolve_server_process] (0x0200): Found >> >> address for server jpbw0-in00-is82.labsso.labroot.isops.example.com: >> >> [10.58.30.95] TTL 3600 >> >> [sssd[be[sso-ad-ad]]] [ad_resolve_callback] (0x0100): Constructed uri >> >> 'ldap://jpbw0-in00-is82.labsso.labroot.isops.example.com' >> >> [sssd[be[sso-ad-ad]]] [ad_resolve_callback] (0x0100): Constructed GC >> >> uri 'ldap://jpbw0-in00-is82.labsso.labroot.isops.example.com:3268' >> >> [sssd[be[sso-ad-ad]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds >> >> timeout for connecting >> >> [sssd[be[sso-ad-ad]]] [sdap_ldap_connect_callback_add] (0x1000): New >> >> LDAP connection to >> >> [ldap://jpbw0-in00-is82.labsso.labroot.isops.example.com:3268/??base] >> >> with fd [17]. >> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x0400): calling >> >> ldap_search_ext with [(objectclass=*)][]. >> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting >> >> attrs: [*] >> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting >> >> attrs: [altServer] >> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting >> >> attrs: [namingContexts] >> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting >> >> attrs: [supportedControl] >> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting >> >> attrs: [supportedExtension] >> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting >> >> attrs: [supportedFeatures] >> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting >> >> attrs: [supportedLDAPVersion] >> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting >> >> attrs: [supportedSASLMechanisms] >> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting >> >> attrs: [domainControllerFunctionality] >> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting >> >> attrs: [defaultNamingContext] >> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting >> >> attrs: [lastUSN] >> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting >> >> attrs: [highestCommittedUSN] >> >> [sssd[be[sso-ad-ad]]] [sdap_parse_entry] (0x1000): OriginalDN: []. >> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_done] (0x0400): Search >> >> result: Success(0), no errmsg set >> >> [sssd[be[sso-ad-ad]]] [sdap_get_server_opts_from_rootdse] (0x0100): >> >> Setting AD compatibility level to [4] >> >> << snipped >> >> >> [sssd[be[sso-ad-ad]]] [sdap_get_groups_next_base] (0x0400): Searching >> >> for groups with base [DC=labsso,DC=labroot,DC=isops,DC=example,DC=com] >> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x0400): calling >> >> ldap_search_ext with >> >> [(&(name=u-role-labbu-test)(objectclass=group)(name=*))][DC=labsso,DC=labroot,DC=isops,DC=example,DC=com]. >> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting >> >> attrs: [objectClass] >> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting >> >> attrs: [name] >> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting >> >> attrs: [gidNumber] >> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting >> >> attrs: [member] >> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting >> >> attrs: [objectSID] >> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting >> >> attrs: [whenChanged] >> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting >> >> attrs: [uSNChanged] >> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_step] (0x1000): Requesting >> >> attrs: [groupType] >> >> [sssd[be[sso-ad-ad]]] [sdap_get_generic_ext_done] (0x0400): Search >> >> result: Success(0), no errmsg set >> >> [sssd[be[sso-ad-ad]]] [sdap_get_groups_process] (0x0400): Search for >> >> groups, returned 0 results. >> >> [sssd[be[sso-ad-ad]]] [sysdb_search_group_by_name] (0x0400): No such entry >> >> [sssd[be[sso-ad-ad]]] [sysdb_delete_group] (0x0400): Error: 2 (No such >> >> file or directory) >> >> [sssd[be[sso-ad-ad]]] [acctinfo_callback] (0x0100): Request processed. >> >> Returned 0,0,Success >> >> >> >> Could you kindly help me what's wrong on my configuration or the AD >> >> provider to get the new grouop (U-Role-Labbu-Test : defined in LABBU >> >> sub-domain) thru LABSSO domain ? >> >> >> >> Regards, >> >> Shoji >> > >> > The above search ran to completion but didn't find anything. Can you check >> > if the domain-local group u-role-labbu-test is present in GC? I suspect >> > it wouldn't.. >> > >> > You can try if disabling GC makes a difference here: >> > ad_enable_gc = False >> >> I checked sssd log file and found "Domain not found for SID >> S-1-5......-1149" as below. >> >> << log file >> >> [sssd[be[sso]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x1000): >> Processing membership SID >> [S-1-5-21-1401708884-2744904820-804000056-1172] >> [sssd[be[sso]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x1000): >> SID [S-1-5-21-1401708884-2744904820-804000056-1172] maps to GID >> [638201172] >> [sssd[be[sso]]] [sysdb_search_group_by_gid] (0x0400): No such entry >> [sssd[be[sso]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x1000): >> Processing membership SID >> [S-1-5-21-1176919450-1931656763-3149421143-1149] >> [sssd[be[sso]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x0080): >> Domain not found for SID >> S-1-5-21-1176919450-1931656763-3149421143-1149 >> [sssd[be[sso]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x1000): >> Processing membership SID >> [S-1-5-21-1401708884-2744904820-804000056-1170] >> [sssd[be[sso]]] [sdap_ad_tokengroups_initgr_mapping_done] (0x1000): >> SID [S-1-5-21-1401708884-2744904820-804000056-1170] maps to GID >> [638201170] >> [sssd[be[sso]]] [sysdb_search_group_by_gid] (0x0400): No such entry >> >> Where >> SID S-1-*-1172 = U-Role-LABSSO (SSO domain, Universal Group) >> SID S-1-*-1170 = G-Role-LABSSO (SSO domain, Global Group) >> SID S-1-*-1149 = U-Role-LABBU (BU domain, Universal Group) >> >> So it looks like sssd failed to get domain of U-Role-LABBU. >> I suspect this is a possible cause. >> Is there any hint why the domain was not found ? > > I think earlier in the logs where we discover the subdomains, all SIDs > should be listed, do you see the one that SSSD later claims matches no > domain? > _______________________________________________ > sssd-users mailing list > [email protected] > https://lists.fedorahosted.org/mailman/listinfo/sssd-users _______________________________________________ sssd-users mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/sssd-users
