On (04/04/17 11:04), Abhijit Tikekar wrote:
>Hi,
>
>Trying to configure SSSD on a CentOS server and running into some issues.
>Hoping to get some guidance here...
>
>All the install steps are successful and at the end "net ads testjoin"
>confirms that the join is valid. The computer object gets created on AD (Windows).
>But authentication attempts result in access denied, and the following is
>recorded in the logs (log level for the domain set to 2):
>

Try to use a higher debug_level. Maybe even the full (9).

>(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init] (0x0020): No selinux module provided for [xyz.local] !!
>(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init] (0x0020): No host info module provided for [xyz.local] !!
>(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
>(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
>(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable
>(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
>(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
>(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])

Please look into /var/log/sssd/ldap_child.log

>(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
>(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
>(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
>(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
>(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
>(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
>(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable
>(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
>(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
>(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
>(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_dyndns_update_addrs_done] (0x0040): Can't get addresses for DNS update
>(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158234]: Dynamic DNS update not possible while offline
>(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [1432158234]: Dynamic DNS update not possible while offline
>
>
>I see a couple of obvious errors here, mainly the ones for SASL: GSSAPI and
>"Failed to connect, going offline (5 [Input/output error])", although I'm not
>sure if they are all related to a common failure.
>
>Although when I try to use ldapsearch directly, it gives the same SASL
>error.
>
>]# ldapsearch -H ldap://AD-Server.xyz.local/ -Y GSSAPI -N -b "dc=xyz,dc=local" "(&(objectClass=user)(sAMAccountName=first.last))"
>SASL/GSSAPI authentication started
>ldap_sasl_interactive_bind_s: Local error (-2)
>        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

It is a little bit suspicious that ldapsearch fails.
If ldap_child.log is not useful for troubleshooting then please try to debug with ldapsearch:

    ldapsearch -d 7 ...

I am not sure whether bitmask 7 is enough for troubleshooting a SASL issue. You might try to increase it.

>Here is sssd.conf:
>
>[sssd]
>domains = XYZ.LOCAL
>services = nss, pam, sudo
>config_file_version = 2
>debug_level = 0
>[nss]
>[pam]
>[sudo]
>debug_level=2
>[domain/xyz.local]
>debug_level=2
>ad_server = AD-Server.xyz.local
>id_provider = ad
>auth_provider = ad
>access_provider = ad
>sudo_provider = ad
>ldap_id_mapping = true
>ldap_use_tokengroups = False
>ldap_sasl_mech = GSSAPI
>krb5_realm = XYZ.LOCAL
>ldap_uri = ldap://AD-Server.xyz.local
>ldap_sudo_search_base = ou=Groups,dc=xyz,dc=local
>ldap_user_search_base = dc=xyz,dc=local
>ldap_user_object_class = user
>ldap_group_search_base = ou=Groups,dc=xyz,dc=local
>ldap_group_object_class = group
>ldap_user_home_directory = unixHomeDirectory
>ldap_user_principal = userPrincipalName
>ldap_access_order = filter, expire
>ldap_account_expire_policy = ad
>ldap_access_filter = ...

Is there any reason why you configured all the ldap_* options?
I think the defaults provided with id_provider = ad (e.g. ldap_schema = ad) should be fine.

>cache_credentials = true
>override_homedir = /home/%d/%u
>default_shell = /bin/bash
>ldap_schema = ad
>

LS
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
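As an added example (not part of the thread, nor SSSD's own code), a small Python parser for the SSSD domain-log format quoted above: it splits each line into timestamp, process, function, debug mask and message, then groups the failures by likely cause so the GSSAPI "Server not found in Kerberos database" error can be told apart from the offline fallout that follows it. The sample log is constructed from the lines quoted in the thread; the cause names and patterns are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample: domain back-end log lines copied from the thread above.
SAMPLE_LOG = """\
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init] (0x0020): No selinux module provided for [xyz.local] !!
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [1432158234]: Dynamic DNS update not possible while offline
"""

# (timestamp) [process] [function] (debug mask): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>sssd\S*?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<mask>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# Assumed cause buckets, first match wins. In this thread the GSSAPI failure is
# the root cause; the bind failure and the offline messages are consequences.
CAUSES = [
    ("kerberos_spn_lookup", re.compile(r"Server not found in Kerberos database")),
    ("sasl_bind_failed", re.compile(r"ldap_sasl_bind failed")),
    ("went_offline", re.compile(r"No available servers|going offline|while offline")),
]

def parse_line(line):
    """Split one SSSD log line into fields; return None for lines of another shape."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["mask"] = int(rec["mask"], 16)
    rec["cause"] = next((name for name, rx in CAUSES if rx.search(rec["msg"])), "other")
    return rec

def summarise(text):
    """Count events per cause and keep the earliest (timestamp, function, message)
    for each, so the first failure in the chain stands out from the repeats."""
    counts, first = Counter(), {}
    for rec in filter(None, map(parse_line, text.splitlines())):
        counts[rec["cause"]] += 1
        first.setdefault(rec["cause"], (rec["ts"], rec["func"], rec["msg"]))
    return counts, first

if __name__ == "__main__":
    counts, first = summarise(SAMPLE_LOG)
    for cause, n in counts.most_common():
        print(f"{cause:20} x{n}  first seen in {first[cause][1]}: {first[cause][2][:70]}")
```

Feed it a real /var/log/sssd/sssd_<domain>.log instead of SAMPLE_LOG to get the same per-cause summary for a live box.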
