On Wed, Apr 05, 2017 at 08:11:01AM -0400, Abhijit Tikekar wrote:
> Thanks Jakub,
>
> ldapsearch now completes successfully, but when users try to
> authenticate, they still get access denied. We have confirmed that the user
> does exist in the groups listed under the access filter, and both id and
> getent passwd return correct user data.
>
> Each time a user tries to log in, we get the following under krb5_child.log
> (debug level 3):
>
> (Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
> (Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
> (Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last\@[email protected]] might not be correct.
> (Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [sss_unique_file_ex] (0x0040): mkstemp("/tmp/krb5cc_1616401130_1o13tv") failed [13]: Permission denied!
> (Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [handle_randomized] (0x0020): mkstemp("/tmp/krb5cc_1616401130_1o13tv") failed [13]: Permission denied!
> (Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [create_ccache] (0x0020): handle_randomized failed: 13
> (Wed Apr 5 11:39:42 2017) [[sssd[krb5_child[11141]]]] [map_krb5_error] (0x0020): 1301: [13][Permission denied]
>
> Same log with debug level set to 9:
>
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x0400): krb5_child started.
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer] (0x1000): total buffer size: [141]
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer] (0x0100): cmd [241] uid [xxxxxxxxxx] gid [yyyyyyyyyy] validate [true] enterprise principal [true] offline [false] UPN [[email protected]]
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer] (0x2000): No old ccache
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_xxxxxxxxxx_XXXXXX] old_ccname: [not set] keytab: [/etc/krb5.keytab]
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [check_use_fast] (0x0100): Not using FAST.
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [become_user] (0x0200): Trying to become user [xxxxxxxxxx][yyyyyyyyyy].
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x2000): Running as [xxxxxxxxxx][yyyyyyyyyy].
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_setup] (0x2000): Running as [xxxxxxxxxx][yyyyyyyyyy].
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from environment.
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x0400): Will perform online auth
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [XYZ.LOCAL]
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.810727: Getting initial credentials for first.last\@[email protected]
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.810806: Sending request (225 bytes) to XYZ.LOCAL
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.810936: Sending initial UDP request to dgram 10.105.11.10:88
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811646: Received answer from dgram 10.105.11.10:88
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811694: Response was from master KDC
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811716: Received error from KDC: -1765328359/Additional pre-authentication required
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811748: Processing preauth types: 16, 15, 19, 2
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.811763: Selected etype info: etype aes256-cts, salt "XYZ.LOCALfirst.last", params ""
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819089: AS key obtained for encrypted timestamp: aes256-cts/2DA7
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819143: Encrypted timestamp (for 1491392737.819101): plain 301AA011180F32303137303430353131343533375AA10502030C7F9D, encrypted 6DF95051B1B8FC33CB5F2CF23D4915C373FD528D0D570D3C439F38C5E17F36FDAA031546B06D47748D0996FC0BAD103BA1DEB49E84AE73A1
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819155: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819161: Produced preauth for next request: 2
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819174: Sending request (305 bytes) to XYZ.LOCAL
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.819226: Sending initial UDP request to dgram 10.105.11.10:88
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820166: Received answer from dgram 10.105.11.10:88
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820256: Response was from master KDC
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820271: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820278: Request or response is too big for UDP; retrying with TCP
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820284: Sending request (305 bytes) to XYZ.LOCAL (tcp only)
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820311: Initiating TCP connection to stream 10.105.11.10:88
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.820537: Sending TCP request to stream 10.105.11.10:88
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821449: Received answer from stream 10.105.11.10:88
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821526: Response was from master KDC
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821547: Processing preauth types: 19
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821555: Selected etype info: etype aes256-cts, salt "XYZ.LOCALfirst.last", params ""
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821561: Produced preauth for next request: (empty)
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821569: AS key determined by preauth: aes256-cts/2DA7
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821603: Decrypted AS reply; session key is: aes256-cts/2A55
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821619: FAST negotiation: unavailable
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [3559012]
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [validate_tgt] (0x2000): Found keytab entry with the realm of the credential.
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821678: Retrieving host/[email protected] from MEMORY:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821685: Resolving unique ccache of type MEMORY
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821698: Initializing MEMORY:M2bO4Sd with default princ [email protected]
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821706: Removing [email protected] -> krbtgt/[email protected] from MEMORY:M2bO4Sd
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821713: Storing [email protected] -> krbtgt/[email protected] in MEMORY:M2bO4Sd
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821728: Getting credentials [email protected] -> host/[email protected] using ccache MEMORY:M2bO4Sd
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821747: Retrieving [email protected] -> host/[email protected] from MEMORY:M2bO4Sd with result: -1765328243/Matching credential not found
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821775: Retrieving [email protected] -> krbtgt/[email protected] from MEMORY:M2bO4Sd with result: 0/Success
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821784: Found cached TGT for service realm: [email protected] -> krbtgt/[email protected]
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821791: Requesting tickets for host/[email protected], referrals on
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821815: Generated subkey for TGS request: aes256-cts/AB86
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821826: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821901: Sending request (1553 bytes) to XYZ.LOCAL
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.821950: Initiating TCP connection to stream 10.105.11.10:88
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.822167: Sending TCP request to stream 10.105.11.10:88
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823154: Received answer from stream 10.105.11.10:88
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823260: Response was from master KDC
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823300: TGS reply is for [email protected] -> host/[email protected] with session key rc4-hmac/81A7
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823318: TGS request result: 0/Success
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823328: Received creds for desired service host/[email protected]
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823335: Removing [email protected] -> host/[email protected] from MEMORY:M2bO4Sd
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823342: Storing [email protected] -> host/[email protected] in MEMORY:M2bO4Sd
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823366: Creating authenticator for [email protected] -> host/[email protected], seqnum 0, subkey (null, session key rc4-hmac/81A7
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823410: Retrieving host/[email protected] from MEMORY:/etc/krb5.keytab (vno 2, enctype rc4-hmac) with result: 0/Success
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823466: Decrypted AP-REQ with specified server principal host/[email protected]: rc4-hmac/4965
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823478: AP-REQ ticket: [email protected] -> host/[email protected], session key rc4-hmac/81A7
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823609: Negotiated enctype based on authenticator: rc4-hmac
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823625: Initializing MEMORY:rd_req2 with default princ [email protected]
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823635: Removing [email protected] -> host/[email protected] from MEMORY:rd_req2
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823642: Storing [email protected] -> host/[email protected] in MEMORY:rd_req2
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823654: Destroying ccache MEMORY:M2bO4Sd
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [validate_tgt] (0x0400): TGT verified using key for [host/[email protected]].
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823690: Retrieving [email protected] -> host/[email protected] from MEMORY:rd_req2 with result: 0/Success
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823733: Retrieving host/[email protected] from MEMORY:/etc/krb5.keytab (vno 2, enctype rc4-hmac) with result: 0/Success
>
> *(Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_send_pac] (0x0040): sss_pac_make_request failed [-1][2].
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [validate_tgt] (0x0040): sss_send_pac failed, group membership for user with principal [first.last\@[email protected]] might not be correct.
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_child_krb5_trace_cb] (0x4000): [11215] 1491392737.823772: Destroying ccache MEMORY:rd_req2
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_get_ccache_name_for_principal] (0x4000): Location: [FILE:/tmp/krb5cc_xxxxxxxxxx_XXXXXX]
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_get_ccache_name_for_principal] (0x2000): krb5_cc_cache_match failed: [-1765328243][Can't find client principal [email protected] in cache collection]
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [sss_unique_file_ex] (0x0040): mkstemp("/tmp/krb5cc_xxxxxxxxxx_C2Mqqg") failed [13]: Permission denied!
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [handle_randomized] (0x0020): mkstemp("/tmp/krb5cc_xxxxxxxxxx_C2Mqqg") failed [13]: Permission denied!

Please check the permissions of /tmp. Normally /tmp should have 1777 permissions.

> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [create_ccache] (0x0020): handle_randomized failed: 13
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [map_krb5_error] (0x0020): 1301: [13][Permission denied]*
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_send_data] (0x0200): Received error code 1432158209
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [pack_response_packet] (0x2000): response packet size: [20]
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [k5c_send_data] (0x4000): Response sent.
> (Wed Apr 5 11:45:37 2017) [[sssd[krb5_child[11215]]]] [main] (0x0400): krb5_child completed successfully
>
> Thanks,
>
> ~ Abhi
>
> On Tue, Apr 4, 2017 at 11:54 AM, Jakub Hrozek <[email protected]> wrote:
>
> > On Tue, Apr 04, 2017 at 05:15:58PM +0200, Lukas Slebodnik wrote:
> > > On (04/04/17 11:04), Abhijit Tikekar wrote:
> > > >Hi,
> > > >
> > > >Trying to configure SSSD on a CentOS server and running into some issues.
> > > >Hoping to get some guidance here...
> > > >
> > > >All the install steps are successful and at the end "net ads testjoin"
> > > >confirms that the join is valid. The computer object gets created on AD (Windows).
> > > >But authentication attempts result in access denied, and the following is
> > > >recorded in the logs (log level for the domain set to 2):
> > > >
> > > Try to use a higher debug_level, maybe even the full one (9).
> > >
> > > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init] (0x0020): No selinux module provided for [xyz.local] !!
> > > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_process_init] (0x0020): No host info module provided for [xyz.local] !!
> > > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
> > >
> > > This is the error.
> >
> > Is this centos-6? If yes, then setting rdns=false in krb5.conf and
> > SASL_NOCANON in ldap.conf helped (both are the defaults on centos-7
> > already).
> >
> > > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
> > > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable
> > > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
> > > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
> > > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
> > > Please look into /var/log/sssd/ldap_child.log
> > >
> > > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
> > > >(Tue Apr 4 14:28:43 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
> > > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
> > > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
> > > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
> > > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
> > > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_sudo_refresh_connect_done] (0x0020): SUDO LDAP connection failed [11]: Resource temporarily unavailable
> > > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [be_ptask_done] (0x0040): Task [SUDO Full Refresh]: failed with [11]: Resource temporarily unavailable
> > > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
> > > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
> > > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [sdap_dyndns_update_addrs_done] (0x0040): Can't get addresses for DNS update
> > > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158234]: Dynamic DNS update not possible while offline
> > > >(Tue Apr 4 14:29:48 2017) [sssd[be[xyz.local]]] [ad_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed [1432158234]: Dynamic DNS update not possible while offline
> > > >
> > > >
> > > >I see a couple of obvious errors here, mainly the ones for SASL: GSSAPI and
> > > >"Failed to connect, going offline (5 [Input/output error])", although I am not
> > > >sure if they are all related to a common failure.
> > > >
> > > >Although when I try to use ldapsearch directly, it gives the same SASL error.
> > > >
> > > >]# ldapsearch -H ldap://AD-Server.xyz.local/ -Y GSSAPI -N -b "dc=xyz,dc=local" "(&(objectClass=user)(sAMAccountName=first.last))"
> > > >SASL/GSSAPI authentication started
> > > >ldap_sasl_interactive_bind_s: Local error (-2)
> > > >        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
> > > It is a little bit suspicious that ldapsearch fails.
> > > If ldap_child.log is not useful for troubleshooting,
> > > then please try to debug with ldapsearch.
> > >
> > > ldapsearch -d 7 ...
> > >
> > > I am not sure whether bitmask 7 is enough for troubleshooting a SASL issue.
> > > You might try to increase it.
> > >
> > >
> > > >Here is sssd.conf:
> > > >
> > > >[sssd]
> > > >domains = XYZ.LOCAL
> > > >services = nss, pam, sudo
> > > >config_file_version = 2
> > > >debug_level = 0
> > > >[nss]
> > > >[pam]
> > > >[sudo]
> > > >debug_level=2
> > > >[domain/xyz.local]
> > > >debug_level=2
> > > >ad_server = AD-Server.xyz.local
> > > >id_provider = ad
> > > >auth_provider = ad
> > > >access_provider = ad
> > > >sudo_provider = ad
> > > >ldap_id_mapping = true
> > > >ldap_use_tokengroups = False
> > > >ldap_sasl_mech = GSSAPI
> > > >krb5_realm = XYZ.LOCAL
> > > >ldap_uri = ldap://AD-Server.xyz.local
> > > >ldap_sudo_search_base = ou=Groups,dc=xyz,dc=local
> > > >ldap_user_search_base = dc=xyz,dc=local
> > > >ldap_user_object_class = user
> > > >ldap_group_search_base = ou=Groups,dc=xyz,dc=local
> > > >ldap_group_object_class = group
> > > >ldap_user_home_directory = unixHomeDirectory
> > > >ldap_user_principal = userPrincipalName
> > > >ldap_access_order = filter, expire
> > > >ldap_account_expire_policy = ad
> > > >ldap_access_filter = ...
> > >
> > > Is there any reason why you configured all the ldap_* options?
> > > I think the defaults provided with id_provider ad (e.g. ldap_schema = ad)
> > > should be fine.
> > > >cache_credentials = true
> > > >override_homedir = /home/%d/%u
> > > >default_shell = /bin/bash
> > > >ldap_schema = ad
> > > >
> > >
> > > LS
> > > _______________________________________________
> > > sssd-users mailing list -- [email protected]
> > > To unsubscribe send an email to [email protected]
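As an added example, not part of the thread and not SSSD's own code: a small POSIX shell check that reproduces what the krb5_child log above shows failing. krb5_child drops to the user's uid and mkstemp()s the per-user FILE ccache (the template `FILE:/tmp/krb5cc_<uid>_XXXXXX` visible in the `ccname:` line), so the ccache directory must be world-writable with the sticky bit, mode 1777, exactly as Jakub says. The script assumes the directory is /tmp (the default `krb5_ccachedir` in sssd.conf); the directory and uid are passed in by the caller, and the function names are the example's own.

```sh
#!/bin/sh
# Added example, not from the sssd-users thread or from SSSD itself.
# Checks the directory krb5_child writes FILE:<dir>/krb5cc_<uid>_XXXXXX into,
# then attempts the same mkstemp()-style create that the log shows failing
# with errno 13 (EACCES).
# Assumption: the ccache directory is /tmp unless krb5_ccachedir is set in
# sssd.conf; callers pass the directory explicitly.

# ccache_dir_check DIR
#   Return 0 when DIR is world-writable with the sticky bit set (mode 1777),
#   the layout an unprivileged user needs to create its own krb5cc_* file
#   without being able to unlink other users' files. Otherwise print what is
#   missing and return 1.
ccache_dir_check() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    # POSIX ls -ld prints the mode string first, e.g. drwxrwxrwt. Characters
    # 8-10 are the "other" bits; a trailing t is the sticky bit plus x.
    other=$(ls -ld "$dir" | cut -c8-10)
    case $other in
        rwt)
            return 0 ;;
        rwx)
            echo "$dir: world-writable but no sticky bit; use chmod 1777 $dir"
            return 1 ;;
        *)
            echo "$dir: other bits are '$other', unprivileged users cannot mkstemp() here; use chmod 1777 $dir"
            return 1 ;;
    esac
}

# ccache_probe DIR [UID]
#   Create and remove a file using the krb5cc_<uid>_XXXXXX template krb5_child
#   uses. Run it as the user who cannot log in (e.g. via su or runuser), not
#   as root: root is not subject to the directory's mode bits, so a root
#   probe proves nothing.
ccache_probe() {
    dir=$1
    uid=${2:-$(id -u)}
    f=$(mktemp "$dir/krb5cc_${uid}_XXXXXX" 2>/dev/null) || {
        echo "mkstemp() in $dir failed for uid $uid; krb5_child would log [13]: Permission denied"
        return 1
    }
    rm -f "$f"
    return 0
}

# Usage, as the affected user:
#   ccache_dir_check /tmp && ccache_probe /tmp "$(id -u)"
```

The probe only reproduces the final failure. The `Cannot open the PAC responder socket` and `sss_send_pac failed` lines earlier in the same log are a separate matter: the posted sssd.conf lists `services = nss, pam, sudo` without `pac`, so krb5_child has no PAC responder to hand the ticket's PAC to, and the trace shows it continues past that point (`TGT verified using key for [host/...]`) before mkstemp() fails.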
