No, sorry. Can't be incorrect passwords. The people aren't even typing in their passwords. These are connections being made by email clients constantly running. Different platforms and email clients. 🙁
Sent from my iPhone > On Aug 18, 2017, at 4:05 AM, Jakub Hrozek <[email protected]> wrote: > >> On Thu, Aug 17, 2017 at 10:04:08PM -0400, Mark London wrote: >> Hi all - Sorry to bother you with this problem that I've been working all >> day to fix. I've been using SSSD on Redhat for many years, using LDAP to >> authenticate a Windows domain. With a new server with Redhat 7, I'm seeing >> intermittent login failures for only a small set of users. There is >> nothing I can find common to these user accounts. The failures happen 24 >> hours a day (it's authentication for an IMAP mail server, so logins occur >> constant). I've flushed all the SSSD caching files and started from scratch, >> and that did not help. I turned on SSSD debugging, and here's an example >> that shows LDAP authentication failing for a user, but only a small while >> afterwards, it works. I googled, the ldap error message, and could only >> find it for people who were always constantly not able to to authenticate. >> Not an intermittent problem, like mine. >> >> Any recommendations for other ways to debug this problem (domain server LDAP >> logging?) would be appreciated. If there is not the proper forum to ask >> this question, please advise me on a better place to post it (besides >> stackoverflow, which I'll do as a last resort). My sssd.conf file , occurs >> after these log entries. >> >> -------------------------------------------------------------------------------- >> (Thu Aug 17 21:01:30 2017) [sssd[be[PSFC]]] [sdap_ldap_connect_callback_add] >> (0x1000): New LDAP connection to [ldaps://psfcd.psfc.mit.edu:636/??base] >> with fd[24]. >> (Thu Aug 17 21:01:30 2017) [sssd[be[PSFC]]] [fo_set_port_status] (0x0100): >> Marking port 636 of server 'psfcd.psfc.mit.edu' as 'working' >> (Thu Aug 17 21:01:30 2017) [sssd[be[PSFC]]] [set_server_common_status] >> (0x0100): Marking server 'psfcd.psfc.mit.edu' as 'working' >> (Thu Aug 17 21:01:30 2017) [sssd[be[PSFC]]] [fo_set_port_status] (0x0400): >> Marking port 636 of duplicate server 'psfc.psfc.mit.edu' as 'working' >> (Thu Aug 17 21:01:30 2017) [sssd[be[PSFC]]] [simple_bind_send] (0x0100): >> Executing simple bind as: CN=Smith\, John,OU=Smith Group,OU=PSFC >> Users,DC=psfc,DC=mit,DC=edu >> (Thu Aug 17 21:01:30 2017) [sssd[be[PSFC]]] [simple_bind_done] (0x1000): >> Server returned no controls. >> (Thu Aug 17 21:01:30 2017) [sssd[be[PSFC]]] [simple_bind_done] (0x0400): >> Bind result: Invalid credentials(49), 80090308: LdapErr: DSID-0C09042F, >> comment: AcceptSecurityContext error, data 52e, v2580 > > I hope this doesn't sound condescending, but are you sure it's not just > a mistyped password? > > Because Invalid Credentials is effectively 'can't bind to LDAP', the > 'data' field gives an extended error description. In this case it's 52e > which is IIRC really 'wrong credentials'. Other codes include 'can't > login at this time', 'expired credentials' etc.. > >> >> (Thu Aug 17 21:02:16 2017) [sssd[be[PSFC]]] [fo_set_port_status] (0x0400): >> Marking port 636 of duplicate server 'psfcd.psfc.mit.edu' as 'working' >> (Thu Aug 17 21:02:16 2017) [sssd[be[PSFC]]] [simple_bind_send] (0x0100): >> Executing simple bind as: CN=Smith\, John,OU=Smith Group,OU=PSFC >> Users,DC=psfc,DC=mit,DC=edu >> (Thu Aug 17 21:02:16 2017) [sssd[be[PSFC]]] [simple_bind_done] (0x1000): >> Server returned no controls. >> (Thu Aug 17 21:02:16 2017) [sssd[be[PSFC]]] [simple_bind_done] (0x0400): >> Bind result: Success(0), no errmsg set >> -------------------------------------------------------------------------------- >> >> i tried increasing the SSSD debugging level, without anything interesting >> appearing. If it would help, though , I'll post it, with all the complete >> lines. >> >> I should add that i have windows password account locking disabled. I've >> attached my sssd.conf file below. I am aware that sssd can authenticate >> directly to AD. However, the domain server and mail server are on separate >> networks, and I have no idea if ports can't be opened on the firewall, to >> allow this to happen. Opening up the LDAP port on the firewall, seemed to >> be the obviously easier choice. Thanks very much! - Mark >> >> -------------------------------------------------------------------------------- >> [sssd] >> config_file_version = 2 >> reconnection_retries = 3 >> sbus_timeout = 30 >> services = nss, pam >> >> domains = PSFC >> >> [nss] >> filter_groups = root >> filter_users = root >> reconnection_retries = 3 >> debug_level = 0 >> >> ; entry_cache_timeout = 600 >> ; entry_cache_nowait_timeout = 300 >> >> [pam] >> reconnection_retries = 3 >> debug_level = 0 >> >> [domain/PSFC] >> description = LDAP domain with AD server >> enumerate = false >> min_id = 501 >> cache_credentials = false >> debug_level = 7 >> ldap_purge_cache_timeout = 0 >> ldap_enumeration_refresh_timeout = 300 >> ldap_referrals = false >> id_provider = ldap >> chpass_provider = none >> auth_provider = ldap >> ldap_tls_reqcert = allow >> ldap_uri = >> ldaps://psfcd1.psfc.mit.edu,ldaps://psfcd2.psfc.mit.edu,ldaps://psfcd3.psfc.mit.edu >> ldap_schema = rfc2307bis >> ldap_search_base = dc=psfc,dc=mit,dc=edu >> ldap_user_search_base = dc=psfc,dc=mit,dc=edu >> ldap_group_search_base = dc=psfc,dc=mit,dc=edu >> ldap_default_bind_dn = CN=ADldapreadonly,OU=Computer Group,OU=PSFC >> Users,DC=psfc,DC=mit,DC=edu >> ldap_default_authtok_type = password >> ldap_default_authtok = MY_PASSWORD >> ldap_user_object_class = person >> ldap_user_name = sAMAccountName >> ldap_user_uid_number = msSFU30UidNumber >> ldap_user_gid_number = msSFU30GidNumber >> ldap_user_home_directory = msSFU30HomeDirectory >> ldap_user_shell = msSFU30LoginShell >> ldap_user_principal = userPrincipalName >> ldap_group_object_class = group >> ldap_group_member = msSFU30PosixMember >> ldap_user_member_of = msSFU30PosixMemberOf >> ldap_group_name = name >> ldap_group_gid_number = msSFU30GidNumber >> ldap_force_upper_case_realm = True >> _______________________________________________ >> sssd-users mailing list -- [email protected] >> To unsubscribe send an email to [email protected] > _______________________________________________ > sssd-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] _______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
