Thanks Jakub, ldapsearch now completes successfully, but when users try to authenticate, they still get access denied. We have confirmed that the user does exist in the groups listed under the access filter, and both id and getent passwd return correct user data.
Each time a user tries to log in, we get the following under krb5_child.log (debug level 3):

(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last\@[email protected]] might not be correct.
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [sss_unique_file_ex] (0x0040): mkstemp("/tmp/krb5cc_1616401130_1o13tv") failed [13]: Permission denied!
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [handle_randomized] (0x0020): mkstemp("/tmp/krb5cc_1616401130_1o13tv") failed [13]: Permission denied!
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [create_ccache] (0x0020): handle_randomized failed: 13
(Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [map_krb5_error] (0x0020): 1301: [13][Permission denied]

Same log with debug level set to 9:

(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x0400): krb5_child started.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer] (0x1000): total buffer size: [141]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer] (0x0100): cmd [241] uid [xxxxxxxxxx] gid [yyyyyyyyyy] validate [true] enterprise principal [true] offline [false] UPN [[email protected]]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer] (0x2000): No old ccache
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_xxxxxxxxxx_XXXXXX] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [check_use_fast] (0x0100): Not using FAST.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [become_user] (0x0200): Trying to become user [xxxxxxxxxx][yyyyyyyyyy].
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x2000): Running as [xxxxxxxxxx][yyyyyyyyyy].
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_setup] (0x2000): Running as [xxxxxxxxxx][yyyyyyyyyy].
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x0400): Will perform online auth
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [XYZ.LOCAL]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.810727: Getting initial credentials for first.last\@[email protected]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.810806: Sending request (225 bytes) to XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.810936: Sending initial UDP request to dgram 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811646: Received answer from dgram 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811694: Response was from master KDC
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811716: Received error from KDC: -1765328359/Additional pre-authentication required
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811748: Processing preauth types: 16, 15, 19, 2
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811763: Selected etype info: etype aes256-cts, salt "XYZ.LOCALfirst.last", params ""
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819089: AS key obtained for encrypted timestamp: aes256-cts/2DA7
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819143: Encrypted timestamp (for 1491392737.819101): plain 301AA011180F32303137303430353131343533375AA10502030C7F9D, encrypted 6DF95051B1B8FC33CB5F2CF23D4915C373FD528D0D570D3C439F38C5E17F36FDAA031546B06D47748D0996FC0BAD103BA1DEB49E84AE73A1
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819155: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819161: Produced preauth for next request: 2
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819174: Sending request (305 bytes) to XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819226: Sending initial UDP request to dgram 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820166: Received answer from dgram 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820256: Response was from master KDC
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820271: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820278: Request or response is too big for UDP; retrying with TCP
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820284: Sending request (305 bytes) to XYZ.LOCAL (tcp only)
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820311: Initiating TCP connection to stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820537: Sending TCP request to stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821449: Received answer from stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821526: Response was from master KDC
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821547: Processing preauth types: 19
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821555: Selected etype info: etype aes256-cts, salt "XYZ.LOCALfirst.last", params ""
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821561: Produced preauth for next request: (empty)
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821569: AS key determined by preauth: aes256-cts/2DA7
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821603: Decrypted AS reply; session key is: aes256-cts/2A55
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821619: FAST negotiation: unavailable
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [3559012]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [validate_tgt] (0x2000): Found keytab entry with the realm of the credential.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821678: Retrieving host/[email protected] from MEMORY:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821685: Resolving unique ccache of type MEMORY
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821698: Initializing MEMORY:M2bO4Sd with default princ [email protected]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821706: Removing [email protected] -> krbtgt/[email protected] from MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821713: Storing [email protected] -> krbtgt/[email protected] in MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821728: Getting credentials [email protected] -> host/[email protected] using ccache MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821747: Retrieving [email protected] -> host/[email protected] from MEMORY:M2bO4Sd with result: -1765328243/Matching credential not found
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821775: Retrieving [email protected] -> krbtgt/[email protected] from MEMORY:M2bO4Sd with result: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821784: Found cached TGT for service realm: [email protected] -> krbtgt/[email protected]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821791: Requesting tickets for host/[email protected], referrals on
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821815: Generated subkey for TGS request: aes256-cts/AB86
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821826: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821901: Sending request (1553 bytes) to XYZ.LOCAL
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821950: Initiating TCP connection to stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.822167: Sending TCP request to stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823154: Received answer from stream 10.105.11.10:88
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823260: Response was from master KDC
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823300: TGS reply is for [email protected] -> host/[email protected] with session key rc4-hmac/81A7
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823318: TGS request result: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823328: Received creds for desired service host/[email protected]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823335: Removing [email protected] -> host/[email protected] from MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823342: Storing [email protected] -> host/[email protected] in MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823366: Creating authenticator for [email protected] -> host/[email protected], seqnum 0, subkey (null, session key rc4-hmac/81A7
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823410: Retrieving host/[email protected] from MEMORY:/etc/krb5.keytab (vno 2, enctype rc4-hmac) with result: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823466: Decrypted AP-REQ with specified server principal host/[email protected]: rc4-hmac/4965
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823478: AP-REQ ticket: [email protected] -> host/[email protected], session key rc4-hmac/81A7
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823609: Negotiated enctype based on authenticator: rc4-hmac
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823625: Initializing MEMORY:rd_req2 with default princ [email protected]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823635: Removing [email protected] -> host/[email protected] from MEMORY:rd_req2
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823642: Storing [email protected] -> host/[email protected] in MEMORY:rd_req2
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823654: Destroying ccache MEMORY:M2bO4Sd
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [validate_tgt] (0x0400): TGT verified using key for [host/[email protected]].
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823690: Retrieving [email protected] -> host/[email protected] from MEMORY:rd_req2 with result: 0/Success
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823733: Retrieving host/[email protected] from MEMORY:/etc/krb5.keytab (vno 2, enctype rc4-hmac) with result: 0/Success
*(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last\@[email protected]] might not be correct.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823772: Destroying ccache MEMORY:rd_req2
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/tmp/krb5cc_xxxxxxxxxx_XXXXXX]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal [email protected] in cache collection]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_unique_file_ex] (0x0040): mkstemp("/tmp/krb5cc_xxxxxxxxxx_C2Mqqg") failed [13]: Permission denied!
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [handle_randomized] (0x0020): mkstemp("/tmp/krb5cc_xxxxxxxxxx_C2Mqqg") failed [13]: Permission denied!
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [create_ccache] (0x0020): handle_randomized failed: 13
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [map_krb5_error] (0x0020): 1301: [13][Permission denied]*
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [pack_response_packet] (0x2000): response packet size: [20]
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_send_data] (0x4000): Response sent.
(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x0400): krb5_child completed successfully

Thanks,
~ Abhi

On Tue, Apr 4, 2017 at 11:54 AM, Jakub Hrozek <[email protected]> wrote:
> On Tue, Apr 04, 2017 at 05:15:58PM +0200, Lukas Slebodnik wrote:
> > On (04/04/17 11:04), Abhijit Tikekar wrote:
> > >Hi,
> > >
> > >Trying to configure SSSD on a CentOS server and running into some issues.
> > >Hoping to get some guidance here...
> > >
> > >All the install steps are successful and at the end "net ads testjoin"
> > >confirms that the join is valid. The computer object gets created on AD (Windows).
> > >But authentication attempts result in access denied and the following is
> > >recorded under the logs (log level for the domain set to 2):
> > >
> > Try to use a higher debug_level. Maybe even the full (9).
> >
> > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init] (0x0020): No selinux module provided for [xyz.local] !!
> > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init] (0x0020): No host info module provided for [xyz.local] !!
> > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
> > This is the error.
>
> Is this centos-6? If yes, then setting rdns=false in krb5.conf and
> SASL_NOCANON in ldap.conf helped (both are the defaults on centos-7
> already).
>
> > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
> > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable
> > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
> > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
> > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
> > Please look into /var/log/sssd/ldap_child.log
> >
> > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
> > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
> > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
> > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
> > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
> > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
> > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable
> > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
> > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
> > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
> > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_dyndns_update_addrs_done] (0x0040): Can't get addresses for DNS update
> > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158234]: Dynamic DNS update not possible while offline
> > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [1432158234]: Dynamic DNS update not possible while offline
> > >
> > >I see a couple of obvious errors here, mainly the ones for SASL: GSSAPI and
> > >"Failed to connect, going offline (5 [Input/output error])", although I am not
> > >sure if they are all related to a common failure.
> > >
> > >Although when I try to use ldapsearch directly, it gives the same SASL error.
> > >
> > >]# ldapsearch -H ldap://AD-Server.xyz.local/ -Y GSSAPI -N -b "dc=xyz,dc=local" "(&(objectClass=user)(sAMAccountName=first.last))"
> > >SASL/GSSAPI authentication started
> > >ldap_sasl_interactive_bind_s: Local error (-2)
> > >        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
> > It is a little bit suspicious that ldapsearch fails.
> > If ldap_child.log is not useful for troubleshooting
> > then please try to debug with ldapsearch.
> >
> > ldapsearch -d 7 ...
> >
> > I am not sure whether bitmask 7 is enough for troubleshooting a sasl issue.
> > You might try to increase it.
> >
> > >Here is sssd.conf:
> > >
> > >[sssd]
> > >domains = XYZ.LOCAL
> > >services = nss, pam, sudo
> > >config_file_version = 2
> > >debug_level = 0
> > >[nss]
> > >[pam]
> > >[sudo]
> > >debug_level=2
> > >[domain/xyz.local]
> > >debug_level=2
> > >ad_server = AD-Server.xyz.local
> > >id_provider = ad
> > >auth_provider = ad
> > >access_provider = ad
> > >sudo_provider = ad
> > >ldap_id_mapping = true
> > >ldap_use_tokengroups = False
> > >ldap_sasl_mech = GSSAPI
> > >krb5_realm = XYZ.LOCAL
> > >ldap_uri = ldap://AD-Server.xyz.local
> > >ldap_sudo_search_base = ou=Groups,dc=xyz,dc=local
> > >ldap_user_search_base = dc=xyz,dc=local
> > >ldap_user_object_class = user
> > >ldap_group_search_base = ou=Groups,dc=xyz,dc=local
> > >ldap_group_object_class = group
> > >ldap_user_home_directory = unixHomeDirectory
> > >ldap_user_principal = userPrincipalName
> > >ldap_access_order = filter, expire
> > >ldap_account_expire_policy = ad
> > >ldap_access_filter = ...
> >
> > Is there any reason why you configured all ldap_* options?
> > I think the default provided with id_provider ad (e.g. ldap_schema = ad)
> > should be fine.
> >
> > >cache_credentials = true
> > >override_homedir = /home/%d/%u
> > >default_shell = /bin/bash
> > >ldap_schema = ad
> > >
> >
> > LS
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
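Added example, not code from this thread or from SSSD: a small Python triage script that splits krb5_child.log entries like the ones above into their fields, maps the hex debug level to the severity names from sssd.conf(5), keeps only the failure lines, and attaches what to check for the messages seen in this thread (missing PAC responder, mkstemp EACCES on the ccache directory, "Server not found in Kerberos database"). The hint wording and the sample log lines are constructed for this example.

```python
import re
from typing import Dict, List, Optional

# SSSD debug_level bitmask names (sssd.conf(5)); a lower value is more severe.
LEVEL_NAMES = {0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor",
               0x0100: "config", 0x0200: "function-data", 0x0400: "operation",
               0x1000: "internal", 0x2000: "variables", 0x4000: "low-level"}

# One entry: (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [func] (0x0040): message
ENTRY_RE = re.compile(r"^\((?P<ts>[^)]+)\)\s+\[+(?P<proc>[^\]]+)\]+\s+\[(?P<func>[^\]]+)\]\s+"
                      r"\((?P<level>0x[0-9a-fA-F]{4})\):\s*(?P<msg>.*)$")

# Messages from this thread and what to check; the hint text is this example's own, not SSSD's.
HINTS = [
    (re.compile(r"Cannot open the PAC responder socket"),
     "PAC responder not reachable: add 'pac' to services in [sssd]; until then AD group "
     "membership carried in the ticket's PAC is not applied"),
    (re.compile(r'mkstemp\("(?P<path>[^"]+)"\) failed \[13\]'),
     "krb5_child (already running as the user's uid) cannot create the ccache in {dir}: "
     "check that directory's mode and owner (a shared /tmp is 1777), SELinux and mount options"),
    (re.compile(r"Server not found in Kerberos database"),
     "KDC has no principal for the canonicalised server name: check DNS/rDNS; try "
     "rdns = false in krb5.conf and SASL_NOCANON on in ldap.conf"),
]

def parse_entry(line: str) -> Optional[Dict]:
    """Split one SSSD log line into fields; None for wrapped or non-log lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["level"] = int(entry["level"], 16)
    entry["severity"] = LEVEL_NAMES.get(entry["level"], "unknown")
    return entry

def hint_for(msg: str) -> str:
    """Remediation hint for a known message, or an empty string."""
    for pattern, text in HINTS:
        m = pattern.search(msg)
        if m:
            path = m.groupdict().get("path", "")
            return text.format(dir=path.rsplit("/", 1)[0] or "/")
    return ""

def triage(lines: List[str]) -> List[Dict]:
    """Failure entries only, in log order, each annotated with its hint."""
    out = []
    for line in lines:
        e = parse_entry(line)
        if e and e["level"] <= 0x0080:  # "minor" and below are failure reports, not traces
            e["hint"] = hint_for(e["msg"])
            out.append(e)
    return out

def root_cause(lines: List[str]) -> Optional[Dict]:
    """First entry at the most severe level seen; the PAC warnings rank below it."""
    failures = triage(lines)
    worst = min((e["level"] for e in failures), default=None)
    return next((e for e in failures if e["level"] == worst), None)

# Constructed sample shaped like the krb5_child.log excerpt in this thread.
SAMPLE = [
    "(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x0400): krb5_child started.",
    "(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket",
    "(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].",
    '(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_unique_file_ex] (0x0040): mkstemp("/tmp/krb5cc_1616401130_C2Mqqg") failed [13]: Permission denied!',
    "(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [handle_randomized] (0x0020): handle_randomized failed: 13",
    "(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [map_krb5_error] (0x0020): 1301: [13][Permission denied]",
]
```

Run `triage(SAMPLE)` on a real krb5_child.log read with `open(...).read().splitlines()`; the PAC warnings show up at "minor"/"serious", while the 0x0020 ccache failure is what `root_cause` returns and what actually produces the access denied.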
