On 10/19/2016 10:19 AM, aleksey.maksi...@it-kb.ru wrote:
Hello SSSD gurus!
I want to set up Active Directory domain authorization on my CentOS 7.2 servers
with SSSD.
For this I use SSSD as described here:
https://blog.it-kb.ru/2016/10/15/join-debian-gnu-linux-8-6-to-active-directory-domain-with-sssd-and-realmd-for-authentication-and-configure-ad-domain-security-group-authorization-for-sudo-and-ssh-with-putty-sso/
I have set this up on several servers and everything works well.
But on the last server SSSD does not work as it should.
I attached this server to the domain using the realm utility.
It looks nice.
[root@KOM-OVIRT1 ~]# realm list
ad.holding.com
type: kerberos
realm-name: AD.HOLDING.COM
domain-name: ad.holding.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common
login-formats: %u...@ad.holding.com
login-policy: allow-permitted-logins
permitted-logins:
permitted-groups: kom-srv-linux-adm...@ad.holding.com
However, getent does not return information about domain accounts:
[root@KOM-OVIRT1 ~]# getent passwd alek...@ad.holding.com
[root@KOM-OVIRT1 ~]#
getent for local accounts works:
[root@KOM-OVIRT1 ~]# getent passwd root
root:x:0:0:root:/root:/bin/bash
My /etc/sssd/sssd.conf:
------------------------------------------------
[sssd]
domains = ad.holding.com
config_file_version = 2
services = nss, pam
default_domain_suffix = ad.holding.com
[nss]
debug_level=9
[domain/ad.holding.com]
ad_server = kom-dc01.ad.holding.com, kom-dc02.ad.holding.com
ad_domain = ad.holding.com
krb5_realm = AD.HOLDING.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
debug_level=9
------------------------------------------------
/var/log/sssd/sssd_nss.log:
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [ad.holding.com][4097][1][name=aleksey]
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x7f8794b5f9a0
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f8792bce0d0:1:alek...@ad.holding.com]
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x7f8794b5f9a0
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x7f8794b5b120
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 1 errno: 11 error message: Fast reply - offline
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 1, 11, Fast reply - offline
Will try to return what we have in cache
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f8792bce0d0:1:alek...@ad.holding.com]
------------------------------------------------
/var/log/sssd/sssd_ad.holding.com.log
(Wed Oct 19 16:53:21 2016) [sssd[be[ad.holding.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=aleksey]
(Wed Oct 19 16:53:21 2016) [sssd[be[ad.holding.com]]] [be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast reply - offline
What could be the problem?
Hello,
I cannot confirm if the link you provided has the correct steps, but if
realmd is installed then a successful realm join command should take
care of the required configuration changes and domain joining steps for you.
The log message 'Fast reply - offline' usually means that somewhere
earlier on in the logs the SSSD backend was marked offline. I would
search for 'mark_offline' in the domain log file and look just above
this to get an idea of what causes the backend to be set offline.
I also noticed this in the realm output
> permitted-groups: kom-srv-linux-adm...@ad.holding.com
Please check that you are attempting to query or resolve a user in this
AD group.
This may also be of some help:
https://fedorahosted.org/sssd/wiki/Troubleshooting
-Justin
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
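The triage Justin describes (find where the backend went offline in the domain log, read the lines just above it) as a small POSIX shell script. This is an added example, not code from the SSSD project or from either poster. The log it runs on is constructed for the example: the message texts are modelled on SSSD debug output, but the exact lines, timestamps and the two DC names are assumptions, and the script is meant to be pointed at the real /var/log/sssd/sssd_ad.holding.com.log instead.

```shell
#!/bin/sh
# Added example, not SSSD project code and not from the thread.
# offline_context: show the N lines before each 'mark_offline' entry.
# failed_servers:  list server:port pairs that fail-over marked 'not working'.
#
# Constructed sample domain log (an assumption for illustration; the
# wording follows SSSD debug messages but is not a captured log).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
(Wed Oct 19 16:50:01 2016) [sssd[be[ad.holding.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Wed Oct 19 16:50:01 2016) [sssd[be[ad.holding.com]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Wed Oct 19 16:50:07 2016) [sssd[be[ad.holding.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'kom-dc01.ad.holding.com' as 'not working'
(Wed Oct 19 16:50:13 2016) [sssd[be[ad.holding.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'kom-dc02.ad.holding.com' as 'not working'
(Wed Oct 19 16:50:13 2016) [sssd[be[ad.holding.com]]] [be_resolve_server_done] (0x1000): Server resolution failed: [5]: Input/output error
(Wed Oct 19 16:50:13 2016) [sssd[be[ad.holding.com]]] [be_mark_offline] (0x2000): Going offline!
(Wed Oct 19 16:53:21 2016) [sssd[be[ad.holding.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=aleksey]
(Wed Oct 19 16:53:21 2016) [sssd[be[ad.holding.com]]] [be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast reply - offline
EOF

# offline_context LOG [N]: for every line mentioning 'mark_offline', print the
# N (default 5) preceding lines with line numbers, then the hit itself.
# Returns 1 when the log never shows the backend going offline, in which case
# 'Fast reply - offline' is not explained by this file and the cause lies
# elsewhere (a second domain log, or a restart that truncated this one).
offline_context() {
    log="$1"; n="${2:-5}"
    awk -v n="$n" '
        /mark_offline/ {
            print "---- backend marked offline at line " NR " ----"
            start = NR - n; if (start < 1) start = 1
            for (i = start; i < NR; i++) print i ": " buf[i]
            print NR ": " $0
            hits++
        }
        # keep a ring of the last n lines so the context is available
        { buf[NR] = $0; if (NR > n) delete buf[NR - n] }
        END { exit (hits ? 0 : 1) }
    ' "$log"
}

# failed_servers LOG: unique server:port pairs the fail-over code marked
# 'not working'. If every ad_server from sssd.conf appears here, SSSD could
# reach none of the DCs (DNS, firewall, time skew or Kerberos problems).
failed_servers() {
    sed -n "s/.*Marking port \([0-9][0-9]*\) of server '\([^']*\)' as 'not working'.*/\2:\1/p" "$1" | sort -u
}

# Against the real log: offline_context /var/log/sssd/sssd_ad.holding.com.log 10
offline_context "$SAMPLE_LOG" 4
failed_servers "$SAMPLE_LOG"
```

When the script finds no mark_offline entry at all, the backend was never marked offline in that file and the lookup still failed for another reason; the other thing to verify in that case is the point Justin raises, that the user being resolved is actually a member of the permitted group listed by realm list.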