On 10/19/2016 10:19 AM, aleksey.maksi...@it-kb.ru wrote:
Hello SSSD gurus!

I want to set up Active Directory domain authorization in my CentOS 7.2 servers 
with SSSD.

For this I use SSSD as described here:
https://blog.it-kb.ru/2016/10/15/join-debian-gnu-linux-8-6-to-active-directory-domain-with-sssd-and-realmd-for-authentication-and-configure-ad-domain-security-group-authorization-for-sudo-and-ssh-with-putty-sso/

I have set this up for several servers and everything works well.
But on the last server SSSD does not work as it should.


I attached this server to the domain using the realm utility.
It looks nice.

[root@KOM-OVIRT1 ~]# realm list

ad.holding.com
  type: kerberos
  realm-name: AD.HOLDING.COM
  domain-name: ad.holding.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %u...@ad.holding.com
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: kom-srv-linux-adm...@ad.holding.com

However, getent does not return information about domain accounts:

[root@KOM-OVIRT1 ~]# getent passwd alek...@ad.holding.com
[root@KOM-OVIRT1 ~]#

getent for local accounts works:

[root@KOM-OVIRT1 ~]# getent passwd root
root:x:0:0:root:/root:/bin/bash


My /etc/sssd/sssd.conf:
------------------------------------------------
[sssd]
domains = ad.holding.com
config_file_version = 2
services = nss, pam
default_domain_suffix = ad.holding.com

[nss]
debug_level=9

[domain/ad.holding.com]
ad_server = kom-dc01.ad.holding.com, kom-dc02.ad.holding.com
ad_domain = ad.holding.com
krb5_realm = AD.HOLDING.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
debug_level=9
------------------------------------------------

/var/log/sssd/sssd_nss.log:

(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [ad.holding.com][4097][1][name=aleksey]
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x7f8794b5f9a0
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f8792bce0d0:1:alek...@ad.holding.com]
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x7f8794b5f9a0
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x7f8794b5b120
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 1 errno: 11 error message: Fast reply - offline
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 1, 11, Fast reply - offline
Will try to return what we have in cache
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f8792bce0d0:1:alek...@ad.holding.com]

------------------------------------------------

/var/log/sssd/sssd_ad.holding.com.log

(Wed Oct 19 16:53:21 2016) [sssd[be[ad.holding.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=aleksey]
(Wed Oct 19 16:53:21 2016) [sssd[be[ad.holding.com]]] [be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast reply - offline

What could be the problem?

Hello,

I cannot confirm if the link you provided has the correct steps, but if realmd is installed then a successful realm join command should take care of the required configuration changes and domain joining steps for you.

The log message 'Fast reply - offline' usually means that somewhere earlier on in the logs the SSSD backend was marked offline. I would search for 'mark_offline' in the domain log file and look just above this to get an idea of what causes the backend to be set offline.

I also noticed this in the realm output:

  >   permitted-groups: kom-srv-linux-adm...@ad.holding.com

Please check that you are attempting to query or resolve a user in this AD group.

This may also be of some help:

    https://fedorahosted.org/sssd/wiki/Troubleshooting

-Justin
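Added example, not part of the thread: a small Python parser for the SSSD log line format quoted above that applies the advice in the reply, locating each point where the backend marks itself offline and returning the records just before it, and counting the "Fast reply - offline" replies. The nss lines in SAMPLE come from the thread; the domain-log excerpt with its "Going offline!" line and the `example_connect` function name are constructed placeholders, not real output from this server.

```python
import re
from dataclasses import dataclass

# Record shape as in the logs quoted in this thread:
#   (Wed Oct 19 16:54:44 2016) [sssd[be[ad.holding.com]]] [be_get_account_info] (0x0100): text
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<proc>.*?)\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)


@dataclass
class Record:
    ts: str
    proc: str   # e.g. "nss" or "be[ad.holding.com]"
    func: str   # SSSD function that logged the line
    level: int  # debug level mask, parsed from the hex field
    msg: str


def parse_sssd_log(text: str) -> list[Record]:
    """Parse log text; lines that do not start a record continue the previous message."""
    records: list[Record] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            records.append(Record(m["ts"], m["proc"], m["func"], int(m["level"], 16), m["msg"]))
        elif records and raw.strip():
            records[-1].msg += "\n" + raw.strip()
    return records


def offline_transitions(records: list[Record], context: int = 3) -> list[list[Record]]:
    """For each record logged by a *mark_offline* function, return it together with
    the `context` records before it: that is where the cause of going offline is logged."""
    return [records[max(0, i - context):i + 1]
            for i, r in enumerate(records) if "mark_offline" in r.func]


def fast_reply_offline_count(records: list[Record]) -> int:
    """How many replies were answered from the offline fast path instead of the DC."""
    return sum("Fast reply - offline" in r.msg for r in records)


# Constructed sample: two nss records from the thread (with a multi-line message),
# then a made-up domain-log excerpt in which a connection attempt fails right
# before the backend goes offline.
SAMPLE = """\
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 1 errno: 11 error message: Fast reply - offline
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 1, 11, Fast reply - offline
Will try to return what we have in cache
(Wed Oct 19 16:53:10 2016) [sssd[be[ad.holding.com]]] [example_connect] (0x0020): constructed: connect to kom-dc01.ad.holding.com failed
(Wed Oct 19 16:53:10 2016) [sssd[be[ad.holding.com]]] [be_mark_offline] (0x2000): Going offline!
(Wed Oct 19 16:53:21 2016) [sssd[be[ad.holding.com]]] [be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast reply - offline
"""
```

Run it against the real files with `parse_sssd_log(open("/var/log/sssd/sssd_ad.holding.com.log").read())`; the records just before each `be_mark_offline` hit are the ones to read.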

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org