Hi, Trying to configure SSSD on a CentOS server and running into some issues. Hoping to get some guidance here...
All the install steps are successful and at the end "net ads testjoin" confirms that the join is valid. The computer object gets created on AD (Windows). But authentication attempts result in access denied, and the following is recorded in the logs (log level for the domain set to 2):

(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init] (0x0020): No selinux module provided for [xyz.local] !!
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init] (0x0020): No host info module provided for [xyz.local] !!
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_dyndns_update_addrs_done] (0x0040): Can't get addresses for DNS update
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158234]: Dynamic DNS update not possible while offline
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [1432158234]: Dynamic DNS update not possible while offline

I see a couple of obvious errors here, mainly the ones for SASL: GSSAPI and "Failed to connect, going offline (5 [Input/output error])", although I'm not sure if they are all related to a common failure. Also, when I try to use ldapsearch directly, it gives the same SASL error:

# ldapsearch -H ldap://AD-Server.xyz.local/ -Y GSSAPI -N -b "dc=xyz,dc=local" "(&(objectClass=user)(sAMAccountName=first.last))"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

Here is sssd.conf:

[sssd]
domains = XYZ.LOCAL
services = nss, pam, sudo
config_file_version = 2
debug_level = 0

[nss]

[pam]

[sudo]
debug_level=2

[domain/xyz.local]
debug_level=2
ad_server = AD-Server.xyz.local
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
ldap_id_mapping = true
ldap_use_tokengroups = False
ldap_sasl_mech = GSSAPI
krb5_realm = XYZ.LOCAL
ldap_uri = ldap://AD-Server.xyz.local
ldap_sudo_search_base = ou=Groups,dc=xyz,dc=local
ldap_user_search_base = dc=xyz,dc=local
ldap_user_object_class = user
ldap_group_search_base = ou=Groups,dc=xyz,dc=local
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_access_filter = ...
cache_credentials = true
override_homedir = /home/%d/%u
default_shell = /bin/bash
ldap_schema = ad

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
04/04/17 13:58:20  04/04/17 23:58:05  krbtgt/[email protected]
        renew until 04/11/17 13:58:20
04/04/17 14:00:09  04/04/17 23:58:05  ldap/[email protected]
        renew until 04/11/17 13:58:20

# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 host/[email protected]
   2 [email protected]
   2 [email protected]
   2 [email protected]
   2 [email protected]
   2 [email protected]

# net ads testjoin
Join is OK

Please let me know if I need to increase the logging level to capture additional details.

Many Thanks,
~ Abhi
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
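The backend log in the mail above is easier to reason about once the entries are separated and ordered. The following Python is an added example (not from the mail or the SSSD project) that parses entries in the sssd backend log format shown, whether on separate lines or run together as in a pasted mail, lists the distinct failures in first-seen order, and locates the earliest GSSAPI error, which is the bind failure that the later "No available servers" and "going offline" entries follow from. The level names are SSSD's own debug-level bits; the sample entries are constructed from the post.

```python
import re

# SSSD debug-level bits as printed in the log (SSSD's own numbering).
LEVEL_NAMES = {0x0010: "fatal", 0x0020: "critical", 0x0040: "op-failure", 0x0080: "minor"}

# One backend log entry, e.g.
# (Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
# The message runs until the next "(Day Mon d hh:mm:ss yyyy)" stamp or end of text,
# so entries pasted onto one line are still split correctly.
TS = r"\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}"
ENTRY_RE = re.compile(
    r"\((?P<ts>" + TS + r")\) "
    r"\[(?P<proc>.+?)\] \[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]{4})\): "
    r"(?P<msg>.*?)(?=\s*\(" + TS + r"\)|\s*$)",
    re.DOTALL,
)

# Constructed sample, taken from the entries quoted in the post (two run together, then one per line).
SAMPLE = (
    "(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init] (0x0020): No selinux module provided for [xyz.local] !! "
    "(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)\n"
    "(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]\n"
    "(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'\n"
    "(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])\n"
    "(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'\n"
)

def parse_sssd_log(text):
    """Return the log entries as dicts (ts, proc, func, level, msg) in log order."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        e = m.groupdict()
        e["level"] = int(e["level"], 16)
        e["msg"] = " ".join(e["msg"].split())  # collapse wrapped whitespace
        entries.append(e)
    return entries

def failure_chain(entries, max_level=0x0040):
    """Distinct (function, message) failures at or below max_level, in first-seen order."""
    seen, chain = set(), []
    for e in entries:
        key = (e["func"], e["msg"])
        if e["level"] <= max_level and key not in seen:
            seen.add(key)
            chain.append(key)
    return chain

def first_gss_error(entries):
    """Earliest GSSAPI failure; the connection-level failures that follow are consequences of it."""
    return next((e for e in entries if "GSSAPI Error" in e["msg"]), None)

if __name__ == "__main__":
    for func, msg in failure_chain(parse_sssd_log(SAMPLE)):
        print(f"{func}: {msg}")
```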
