On Tue, Apr 04, 2017 at 05:15:58PM +0200, Lukas Slebodnik wrote:
> On (04/04/17 11:04), Abhijit Tikekar wrote:
> >Hi,
> >
> >Trying to configure SSSD on a CentOS server and running into some issues.
> >Hoping to get some guidance here...
> >
> >All the install steps are successful and at the end "net ads testjoin"
> >confirms that the join is valid. The computer object gets created on AD (Windows).
> >But authentication attempts result in access denied and the following is
> >recorded in the logs (log level for the domain set to 2):
> >
> Try to use a higher debug_level. Maybe even the full one (9).
>
> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init]
> >(0x0020): No selinux module provided for [xyz.local] !!
> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init]
> >(0x0020): No host info module provided for [xyz.local] !!
> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040):
> >SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more
> >information (Server not found in Kerberos database)

This is the error. Is this centos-6? If yes, then setting rdns=false in
krb5.conf and SASL_NOCANON in ldap.conf helped (both are the defaults on
centos-7 already).

> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020):
> >ldap_sasl_bind failed (-2)[Local error]
> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]]
> >[sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed
> >[11]: Resource temporarily unavailable
> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040):
> >Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send]
> >(0x0020): No available servers for service 'AD'
> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done]
> >(0x0020): Failed to connect, going offline (5 [Input/output error])
> Please look into /var/log/sssd/ldap_child.log
>
> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send]
> >(0x0020): No available servers for service 'AD'
> >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done]
> >(0x0020): Failed to connect, going offline (5 [Input/output error])
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040):
> >SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more
> >information (Server not found in Kerberos database)
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020):
> >ldap_sasl_bind failed (-2)[Local error]
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040):
> >SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more
> >information (Server not found in Kerberos database)
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020):
> >ldap_sasl_bind failed (-2)[Local error]
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
> >[sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed
> >[11]: Resource temporarily unavailable
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040):
> >Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send]
> >(0x0020): No available servers for service 'AD'
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done]
> >(0x0020): Failed to connect, going offline (5 [Input/output error])
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
> >[sdap_dyndns_update_addrs_done] (0x0040): Can't get addresses for DNS update
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]]
> >[ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed
> >[1432158234]: Dynamic DNS update not possible while offline
> >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_dyndns_nsupdate_done]
> >(0x0040): Updating DNS entry failed [1432158234]: Dynamic DNS update not
> >possible while offline
> >
> >
> >I see a couple of obvious errors here, mainly the ones for SASL: GSSAPI and
> >"Failed to connect, going offline (5 [Input/output error])", although I am
> >not sure if they are all related to a common failure.
> >
> >Also, when I try to use ldapsearch directly, it gives the same SASL
> >error.
> >
> >]# ldapsearch -H ldap://AD-Server.xyz.local/ -Y GSSAPI -N -b
> >"dc=xyz,dc=local" "(&(objectClass=user)(sAMAccountName=first.last))"
> >SASL/GSSAPI authentication started
> >ldap_sasl_interactive_bind_s: Local error (-2)
> >        additional info: SASL(-1): generic failure: GSSAPI Error:
> >Unspecified GSS failure.  Minor code may provide more information (Server
> >not found in Kerberos database)
> It is a little bit suspicious that ldapsearch fails.
> If ldap_child.log is not useful for troubleshooting
> then please try to debug with ldapsearch.
>
> ldapsearch -d 7 ...
>
> I am not sure whether bitmask 7 is enough for troubleshooting the SASL issue.
> You might try to increase it.
>
> >
> >Here is sssd.conf:
> >
> >[sssd]
> >domains = XYZ.LOCAL
> >services = nss, pam, sudo
> >config_file_version = 2
> >debug_level = 0
> >[nss]
> >[pam]
> >[sudo]
> >debug_level=2
> >[domain/xyz.local]
> >debug_level=2
> >ad_server = AD-Server.xyz.local
> >id_provider = ad
> >auth_provider = ad
> >access_provider = ad
> >sudo_provider = ad
> >ldap_id_mapping = true
> >ldap_use_tokengroups = False
> >ldap_sasl_mech = GSSAPI
> >krb5_realm = XYZ.LOCAL
> >ldap_uri = ldap://AD-Server.xyz.local
> >ldap_sudo_search_base = ou=Groups,dc=xyz,dc=local
> >ldap_user_search_base = dc=xyz,dc=local
> >ldap_user_object_class = user
> >ldap_group_search_base = ou=Groups,dc=xyz,dc=local
> >ldap_group_object_class = group
> >ldap_user_home_directory = unixHomeDirectory
> >ldap_user_principal = userPrincipalName
> >ldap_access_order = filter, expire
> >ldap_account_expire_policy = ad
> >ldap_access_filter = ...
>
> Is there any reason why you configured all the ldap_* options?
> I think the default provided with id_provider ad (e.g. ldap_schema = ad)
> should be fine.
>
> >cache_credentials = true
> >override_homedir = /home/%d/%u
> >default_shell = /bin/bash
> >ldap_schema = ad
> >
> >
>
> LS
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
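An added check for the suggestion in the reply above (not code from the thread): it reads rdns from [libdefaults] in krb5.conf and SASL_NOCANON from ldap.conf, and shows which ldap/ service principal the GSSAPI client would request with and without reverse-DNS canonicalisation of the configured AD server name. The file paths, the host names used in the comments and the assumption that AD holds the LDAP SPN under the configured host name are mine.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread. Assumes the CentOS paths
# /etc/krb5.conf and /etc/openldap/ldap.conf and that AD registered the
# LDAP SPN as ldap/<configured host name>@REALM.

# Value of KEY inside [SECTION] of a krb5.conf-style file, lowercased.
krb5_get() {                                # $1=file $2=section $3=key
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); insec = ($0 == sec); next }
        insec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            if (k == key) { sub(/^[^=]*=[ \t]*/, ""); print tolower($0); exit }
        }' "$1"
}

# Value of SASL_NOCANON in ldap.conf: "on", "off", or empty when unset.
ldap_nocanon() {                            # $1=file
    awk 'toupper($1) == "SASL_NOCANON" { print tolower($2); exit }' "$1"
}

# Service principal the client asks the KDC for. With canonicalisation on
# (krb5 rdns=true, or SASL_NOCANON off in ldap.conf) the PTR name of the
# server replaces the configured name; when that PTR name is not an SPN in
# AD the KDC answers "Server not found in Kerberos database".
requested_principal() {                     # $1=host $2=ptr $3=realm $4=canon
    if [ "$4" = "true" ] && [ -n "$2" ]; then h=$2; else h=$1; fi
    printf 'ldap/%s@%s\n' "$h" "$3"
}

# 0 when both knobs are set as the reply recommends, 1 otherwise.
canon_disabled() {                          # $1=krb5.conf $2=ldap.conf
    [ "$(krb5_get "$1" libdefaults rdns)" = "false" ] &&
    [ "$(ldap_nocanon "$2")" = "on" ]
}

# Live check: sh check_canon.sh AD-Server.xyz.local XYZ.LOCAL
if [ $# -eq 2 ]; then
    ip=$(getent hosts "$1" | awk '{ print $1; exit }')
    ptr=$(getent hosts "$ip" | awk '{ print $2; exit }')
    echo "PTR of $1 ($ip): ${ptr:-none}"
    echo "without canonicalisation: $(requested_principal "$1" "$ptr" "$2" false)"
    echo "with canonicalisation:    $(requested_principal "$1" "$ptr" "$2" true)"
    if canon_disabled /etc/krb5.conf /etc/openldap/ldap.conf; then
        echo "rdns = false and SASL_NOCANON on: configured name will be used"
    else
        echo "canonicalisation still enabled: set rdns = false under" \
             "[libdefaults] in /etc/krb5.conf and SASL_NOCANON on in ldap.conf"
    fi
fi
```

If the two printed principals differ and the second line reports canonicalisation still enabled, the PTR name is what reaches the KDC, which matches the error quoted in the logs.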
