Having trouble on an Ubuntu 16.04 (Xenial) box with sssd 1.13.4-1ubuntu1.12.

The backend goes offline and authentications fail.  We have debug_level=9.  We 
expect the server to be talking with one of three DCs in its site.

The forest DCs are behind a firewall for us.  Any ideas on what may be the 
cause and the cure?



(Fri Apr  5 05:44:18 2019) [sssd[be[our.domain.com]]] [sdap_get_tgt_recv] 
(0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_OUR.DOMAIN.COM], 
expired on [1554479058]

(Fri Apr  5 05:44:18 2019) [sssd[be[our.domain.com]]] [sdap_cli_auth_step] 
(0x0100): expire timeout is 900

(Fri Apr  5 05:44:18 2019) [sssd[be[our.domain.com]]] [sdap_cli_auth_step] 
(0x1000): the connection will expire at 1554443958

(Fri Apr  5 05:44:18 2019) [sssd[be[our.domain.com]]] [sasl_bind_send] 
(0x0100): Executing sasl bind mech: gssapi, user: OURHOST$

(Fri Apr  5 05:44:18 2019) [sssd[be[our.domain.com]]] [ad_sasl_log] (0x0040): 
SASL: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more 
information (Decrypt integrity check failed)

(Fri Apr  5 05:44:18 2019) [sssd[be[our.domain.com]]] [sasl_bind_send] 
(0x0020): ldap_sasl_bind failed (-2)[Local error]

(Fri Apr  5 05:44:18 2019) [sssd[be[our.domain.com]]] [sasl_bind_send] 
(0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: 
Unspecified GSS failure.  Minor code may provide more information (Decrypt 
integrity check failed)]

(Fri Apr  5 05:44:18 2019) [sssd[be[our.domain.com]]] [_be_fo_set_port_status] 
(0x8000): Setting status: PORT_NOT_WORKING. Called from: 
../src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_recv: 2039

(Fri Apr  5 05:44:18 2019) [sssd[be[our.domain.com]]] [fo_set_port_status] 
(0x0100): Marking port 389 of server 'ADSFDC01.Domain.com' as 'not working'

(Fri Apr  5 05:44:18 2019) [sssd[be[our.domain.com]]] [fo_set_port_status] 
(0x0400): Marking port 389 of duplicate server 'ADSFDC01.Domain.com' as 'not 
working'

(Fri Apr  5 05:44:18 2019) [sssd[be[our.domain.com]]] [fo_set_port_status] 
(0x0400): Marking port 389 of duplicate server 'ADSFDC01.Domain.com' as 'not 
working'

(Fri Apr  5 05:44:18 2019) [sssd[be[our.domain.com]]] [sdap_handle_release] 
(0x2000): Trace: sh[0x2ee3c10], connected[1], ops[(nil)], ldap[0x3012d40], 
destructor_lock[0], release_memory[0]

(Fri Apr  5 05:44:18 2019) [sssd[be[our.domain.com]]] 
[remove_connection_callback] (0x4000): Successfully removed connection callback.

(Fri Apr  5 05:44:18 2019) [sssd[be[our.domain.com]]] [be_mark_offline] 
(0x2000): Going offline!

(Fri Apr  5 05:44:18 2019) [sssd[be[our.domain.com]]] [be_mark_offline] 
(0x2000): Enable check_if_online_ptask.

(Fri Apr  5 05:44:18 2019) [sssd[be[our.domain.com]]] [be_ptask_enable] 
(0x0400): Task [Check if online (periodic)]: enabling task

(Fri Apr  5 05:44:18 2019) [sssd[be[our.domain.com]]] [be_ptask_schedule] 
(0x0400): Task [Check if online (periodic)]: scheduling task 62 seconds from 
now [1554443120]

(Fri Apr  5 05:44:18 2019) [sssd[be[our.domain.com]]] [be_run_offline_cb] 
(0x0080): Going offline. Running callbacks.



Config:

[sssd]

config_file_version = 2

domains = our.domain.com

services = nss, pam, pac

debug_level = 9

reconnection_retries = 3



[pac]



[nss]

debug_level = 9



[pam]

debug_level = 9



[domain/our.domain.com]

debug_level = 9

id_provider = ad

auth_provider = ad

ad_site=SITE

access_provider = ad

ldap_id_mapping = False

ad_gpo_access_control = permissive

ad_access_filter=DOM:our.domain.com:(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(memberOf:1.2.840.113556.1.4.1941:=CN=SEC-Linux_Admins,OU=Security,OU=Groups,dc=our,dc=domain,dc=com)(memberOf:1.2.840.113556.1.4.1941:=CN=SEC-NOC_Linux_Admins,OU=Security,OU=Groups,dc=our,dc=domain,dc=com)(memberOf:1.2.840.113556.1.4.1941:=CN=SEC-SOS_Linux_Access,OU=Security,OU=Groups,dc=our,dc=domain,dc=com)(memberOf:1.2.840.113556.1.4.1941:=CN=SRV-ourhost_LocalAdmins,OU=Local Servers,OU=Groups,dc=our,dc=domain,dc=com)))



 Jay McCanta  |  Principal Systems Administrator

 D +1 (206) 272-7998  M +1-206-434-1080
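
Added example, not part of the original post and not SSSD code: a Python triage script that undoes the mail wrapping of a debug_level=9 backend log and pulls out the SASL bind principal, the GSSAPI minor status and the failover marks that precede the offline transition. The function names and output keys are this example's own; the sample is an excerpt of the log in the post.

```python
import re

STAMP = r"\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \d{4}"
# One record: (timestamp) [process] [function] (0xLEVEL): message
RECORD = re.compile(
    rf"\((?P<ts>{STAMP})\) \[(?P<proc>\S+)\] \[(?P<func>\w+)\] "
    rf"\(0x(?P<level>[0-9a-f]{{4}})\): (?P<msg>.*?)(?= \({STAMP}\) \[|$)"
)

def parse_records(text):
    """Undo the mail client's line wrapping, then split into debug records."""
    flat = " ".join(text.split())  # note: also collapses runs of spaces
    return [m.groupdict() for m in RECORD.finditer(flat)]

def offline_cause(records):
    """Collect bind attempt, GSSAPI minor status and failover marks up to 'Going offline!'."""
    out = {"mech": None, "principal": None, "gss_minor": None,
           "not_working": [], "offline_at": None}
    for r in records:
        func, msg = r["func"], r["msg"]
        if func == "sasl_bind_send" and (m := re.search(r"mech: (\S+), user: (\S+)", msg)):
            out["mech"], out["principal"] = m.groups()
        elif func == "ad_sasl_log" and (m := re.search(r"more information \((.+?)\)", msg)):
            out["gss_minor"] = m.group(1)
        elif func == "fo_set_port_status" and (
                m := re.search(r"port (\d+) of (?:duplicate )?server '([^']+)' as 'not working'", msg)):
            if (entry := (m.group(2), int(m.group(1)))) not in out["not_working"]:
                out["not_working"].append(entry)  # duplicate marks are reported once
        elif func == "be_mark_offline" and "Going offline" in msg:
            out["offline_at"] = r["ts"]
            break
    return out

# Excerpt of the log in the post, wrapped the same way the mail client wrapped it.
SAMPLE = """\
(Fri Apr  5 05:44:18 2019) [sssd[be[our.domain.com]]] [sasl_bind_send]
(0x0100): Executing sasl bind mech: gssapi, user: OURHOST$
(Fri Apr  5 05:44:18 2019) [sssd[be[our.domain.com]]] [ad_sasl_log] (0x0040):
SASL: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more
information (Decrypt integrity check failed)
(Fri Apr  5 05:44:18 2019) [sssd[be[our.domain.com]]] [fo_set_port_status]
(0x0100): Marking port 389 of server 'ADSFDC01.Domain.com' as 'not working'
(Fri Apr  5 05:44:18 2019) [sssd[be[our.domain.com]]] [fo_set_port_status]
(0x0400): Marking port 389 of duplicate server 'ADSFDC01.Domain.com' as 'not
working'
(Fri Apr  5 05:44:18 2019) [sssd[be[our.domain.com]]] [be_mark_offline]
(0x2000): Going offline!
"""

if __name__ == "__main__":
    print(offline_cause(parse_records(SAMPLE)))
```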



