On Tue, Jun 25, 2019 at 08:25:44PM +0000, Thomas Beaudry wrote:
> Hi again,
>
> Okay so I look at my sssd_MYDOMAIN log I get:
>
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [request_watch_destructor]
> (0x0400): Deleting request watch
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [fo_discover_srv_done]
> (0x0400): Got answer. Processing...
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [fo_discover_srv_done]
> (0x0400): Got 5 servers
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [ad_get_dc_servers_done]
> (0x0400): Found 5 domain controllers in domain MYDOMAIN.ca
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [ad_srv_plugin_dcs_done]
> (0x0400): About to locate suitable site
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_connect_host_send]
> (0x0400): Resolving host dc.MYDOMAIN.ca
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]]
> [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of
> 'dc.MYDOMAIN.ca' in files
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]]
> [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of
> 'dc.MYDOMAIN.ca' in files
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]]
> [resolv_gethostbyname_next] (0x0200): No more address families to retry
> (Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]]
> [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of
> 'dc.MYDOMAIN.ca' in DNS

Looks like it took 2 seconds here to resolve a DNS record..

> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [request_watch_destructor]
> (0x0400): Deleting request watch
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]]
> [sdap_connect_host_resolv_done] (0x0400): Connecting to
> ldap://dc.MYDOMAIN.ca:389
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [sss_ldap_init_send]
> (0x0400): Setting 6 seconds timeout for connecting
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_connect_host_done]
> (0x0400): Successful connection to ldap://dc.MYDOMAIN.ca:389
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]]
> [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
> [(&(DnsDomain=MYDOMAIN.ca)(NtVer=\14\00\00\00))][].
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]]
> [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg
> set
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [ad_get_client_site_done]
> (0x0400): Found site: Default-First-Site-Name
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [ad_srv_plugin_site_done]
> (0x0400): About to discover primary and backup servers
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [fo_discover_servers_send]
> (0x0400): Looking up primary servers
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]]
> [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'ldap'.
> Will use DNS discovery domain 'Default-First-Site-Name._sites.MYDOMAIN.ca'
> (Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [resolv_getsrv_send]
> (0x0100): Trying to resolve SRV record of
> '_ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.ca'

..and then another 2 seconds here, which caused a timeout in the server discovery. Does it help to increase the dns_resolver_timeout from its default of 6 seconds?

Please see the note in man sssd-ad, there are several timeouts that might need to be increased in unison, can you try e.g.:

    ldap_opt_timeout = 20
    dns_resolver_timeout = 10

(This might even be too high, but let's see..)

> (Tue Jun 25 16:17:21 2019) [sssd[be[MYDOMAIN.ca]]]
> [fo_resolve_service_timeout] (0x0080): Service resolving timeout reached
> (Tue Jun 25 16:17:21 2019) [sssd[be[MYDOMAIN.ca]]] [request_watch_destructor]
> (0x0400): Deleting request watch
> (Tue Jun 25 16:17:21 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_id_op_connect_done]
> (0x0020): Failed to connect, going offline (5 [Input/output error]
>
>
> Thanks!
> Thomas
> ________________________________________
> From: Jakub Hrozek <[email protected]>
> Sent: Tuesday, June 25, 2019 3:56 PM
> To: [email protected]
> Subject: [SSSD-users] Re: id / getent not finding AD users
>
> On Tue, Jun 25, 2019 at 07:25:45PM +0000, Thomas Beaudry wrote:
> > Hi Jakub,
> >
> > Thanks for the link so I followed the troubleshooting and I notice I can't
> > reach the data provider mentioned in step 4 ("If the command is reaching
> > the NSS responder, does it get forwarded to the Data Provider?")
> >
> >
> > If I look at my sssd_nss log I get with a timestamp that matches my id
> > <username> command:
> >
> > (Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_parse_name_for_domains]
> > (0x0200): name 'root' matched without domain, user is root
> > (Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_ncache_set_str] (0x0400):
> > Adding [NCE/USER/MYDOMAIN.ca/root] to negative cache permanently
> > (Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_parse_name_for_domains]
> > (0x0200): name 'root' matched without domain, user is root
> > (Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_ncache_set_str] (0x0400):
> > Adding [NCE/GROUP/MYDOMAIN.ca/root] to negative cache permanently
> > (Tue Jun 25 15:14:16 2019) [sssd[nss]] [sss_dp_req_destructor] (0x0400):
> > Deleting request: [0x41eb90:[email protected]]
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [accept_fd_handler] (0x0400): Client
> > connected!
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_cmd_get_version] (0x0200):
> > Received client version [1].
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_cmd_get_version] (0x0200):
> > Offered version [1].
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running
> > command [17][SSS_NSS_GETPWNAM] with input [admin].
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_parse_name_for_domains]
> > (0x0200): name 'admin' matched without domain, user is admin
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
> > Requesting info for [admin] from [<ALL>]
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100):
> > Requesting info for [[email protected]]
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [get_dp_name_and_id] (0x0400): Not a
> > LOCAL view, continuing with provided values.
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_issue_request] (0x0400):
> > Issuing request for [0x41d420:1:[email protected]]
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_get_account_msg] (0x0400):
> > Creating request for [MYDOMAIN.ca][0x1001][FAST BE_REQ_USER][1][name=admin]
>
> The request gets forwarded to the data provider here..
>
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_internal_get_send] (0x0400):
> > Entering request [0x41d420:1:[email protected]]
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [nss_cmd_getby_dp_callback]
> > (0x0040): Unable to get information from Data Provider
> > Error: 1, 11, Fast reply - offline
>
> ..but the data provider replies immediately because it had switched to
> the offline mode. For one reason or another, sssd_be couldn't reach any
> of the configured or auto-discovered servers.
>
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [sss_dp_req_destructor] (0x0400):
> > Deleting request: [0x41d420:1:[email protected]]
> > (Tue Jun 25 15:14:41 2019) [sssd[nss]] [client_recv] (0x0200): Client
> > disconnected!
> >
> >
> > What would be the next step?
>
> I would suggest looking at the sssd_MYDOMAIN.log files and look for
> messages that contain strings like "marking server XYZ as NOT_WORKING"
> or "Going offline". Then look for the request a little earlier, that's
> what causes sssd to go offline.
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
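
Added example (not part of the original thread and not SSSD project code): a Python script that automates the log reading done in the reply above. It finds the "going offline" / NOT_WORKING markers and lists the earlier steps that were followed by a delay. The sample lines are constructed in the format of the sssd_MYDOMAIN log quoted in the thread; the function names and the 10-second look-back window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: unwrapped lines in the format of the sssd_MYDOMAIN log quoted above.
SAMPLE_LOG = """\
(Tue Jun 25 16:17:17 2019) [sssd[be[MYDOMAIN.ca]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'dc.MYDOMAIN.ca' in DNS
(Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_connect_host_resolv_done] (0x0400): Connecting to ldap://dc.MYDOMAIN.ca:389
(Tue Jun 25 16:17:19 2019) [sssd[be[MYDOMAIN.ca]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.Default-First-Site-Name._sites.MYDOMAIN.ca'
(Tue Jun 25 16:17:21 2019) [sssd[be[MYDOMAIN.ca]]] [fo_resolve_service_timeout] (0x0080): Service resolving timeout reached
(Tue Jun 25 16:17:21 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
"""

LINE_RE = re.compile(r"^\(([^)]+)\) \[(\S+)\] \[(\w+)\] \((0x[0-9a-fA-F]+)\): (.*)$")
# The two strings the reply says to search for.
MARKER_RE = re.compile(r"going offline|NOT_WORKING", re.IGNORECASE)

def parse(log_text):
    """Return [(timestamp, function, message)] for every well-formed log line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # anything else (e.g. a wrapped continuation) is skipped
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            events.append((ts, m.group(3), m.group(5)))
    return events

def stalls_before_offline(log_text, window=10, min_gap=1):
    """For each offline marker, list the steps in the preceding `window`
    seconds that were followed by a gap of at least `min_gap` seconds."""
    events = parse(log_text)
    findings = []
    for i, (ts, fn, msg) in enumerate(events):
        if not MARKER_RE.search(msg):
            continue
        recent = [e for e in events[: i + 1] if (ts - e[0]).total_seconds() <= window]
        slow = []
        for (t0, step, _), (t1, _, _) in zip(recent, recent[1:]):
            gap = int((t1 - t0).total_seconds())
            if gap >= min_gap:
                slow.append((step, gap))
        findings.append({"marker": fn, "at": ts.strftime("%H:%M:%S"), "slow_steps": slow})
    return findings

if __name__ == "__main__":
    for f in stalls_before_offline(SAMPLE_LOG):
        print(f["at"], f["marker"], f["slow_steps"])
```

The log timestamps have one-second resolution, so a reported gap of 2 means the step took between 1 and 3 seconds.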
