mourik jan heupink - merit
2014-Jul-23 19:24 UTC
[Samba] sssd problems after dc1 is no longer online
Hi all,

I hope that this request for help will be the last one, for a while to come. Today, sernet support helped me sort out our DC mess, and they did a great job. However, sssd no longer works, and I hope someone here can help out.

We used to have DC1, DC2 and DC3. DC1 was the classic-upgraded, first, 'original' DC, and had to be shut down, unfortunately. So only DC2 and DC3 remain.

The domain seems to work nicely; however, sssd doesn't find my users anymore.

Here is a debug_level 8 log: http://pastebin.com/hRwNjRyh

Could someone tell me where the problem is? I'm guessing this logline is not good:

(Wed Jul 23 21:04:44 2014) [sssd[be[default]]] [sdap_get_tgt_recv] (0x0400): Child responded: 0 [FILE:/var/lib/sss/db/ccache_SAMBA.COMPANY.COM], expired on [1406178284]

But:

root@epo:/var/log/sssd# kinit -k -t /etc/krb5.sssd.keytab 'EPO$@SAMBA.COMPANY.COM'
root@epo:/var/log/sssd# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: EPO$@SAMBA.COMPANY.COM

Valid starting       Expires              Service principal
23/07/2014 21:03     24/07/2014 07:03     krbtgt/SAMBA.COMPANY.COM@SAMBA.COMPANY.COM
        renew until 24/07/2014 21:03

Also: kinit heupink asks for my password, and creates a ticket successfully.

So, many things seem to work... But logging on (over ssh or remote desktop) does not. Auth.log tells me:

Jul 23 21:04:44 epo sssd_be: canonuserfunc error -7
Jul 23 21:04:44 epo sssd_be: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
Jul 23 21:04:44 epo sssd_be: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
Jul 23 21:04:47 epo xrdp-sesman: pam_unix(xrdp-sesman:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=heupink
Jul 23 21:04:47 epo xrdp-sesman: pam_sss(xrdp-sesman:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=heupink
Jul 23 21:04:47 epo xrdp-sesman: pam_sss(xrdp-sesman:auth): received for user heupink: 9 (Authentication service cannot retrieve authentication info)

Finally, here is my sssd.conf:

[sssd]
services = nss, pam
config_file_version = 2
domains = default

# enable or disable the below
# debug_level = 3
# debug_level = 5
debug_level = 8
[nss]

[pam]

[domain/default]
debug_level = 8

ldap_schema = rfc2307bis
id_provider = ldap
access_provider = simple
ldap_referrals = false
ldap_force_upper_case_realm = true

# on large directories, you may want to disable enumeration for performance reasons
# enumerate = true

auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = gssapi
ldap_sasl_authid = EPO$@SAMBA.COMPANY.COM
krb5_realm = SAMBA.COMPANY.COM
#krb5_server = dc2.samba.company.com, dc3.samba.company.com
krb5_server = x.y.143.15, x.y.143.16
#krb5_kpasswd = dc2.samba.company.com, dc3.samba.company.com
krb5_kpasswd = x.y.143.15, x.y.143.16
ldap_krb5_keytab = /etc/krb5.sssd.keytab
ldap_krb5_init_creds = true
ldap_uri = ldap://x.y.143.15, ldap://x.y.143.16
ldap_search_base = dc=samba,dc=merit,dc=unu,dc=edu

ldap_user_object_class = user
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell

ldap_group_object_class = group
ldap_group_name = cn
ldap_group_member = member

I hope this is enough info, and one of the sssd gurus here can assist. Again: everything worked while dc1 was online; things stopped working when it was taken offline.

Kind regards,
Mourik Jan
On Wed, 2014-07-23 at 21:24 +0200, mourik jan heupink - merit wrote:
> Hi all,
>
> I hope that this request for help will be the last one, for a while to
> come. Today, sernet support helped me sort out our DC mess, and they did
> a great job. However, sssd no longer works, and I hope someone here can
> help out.
>
> We used to have DC1, DC2 and DC3. DC1 was the classic-upgraded, first,
> 'original' DC, and had to be shut down, unfortunately. So only DC2 and
> DC3 remain.
>
> The domain seems to work nicely; however, sssd doesn't find my users
> anymore.
>
> Here is a debug_level 8 log: http://pastebin.com/hRwNjRyh
>
> Could someone tell me where the problem is? I'm guessing this logline is
> not good:
>
> (Wed Jul 23 21:04:44 2014) [sssd[be[default]]] [sdap_get_tgt_recv]
> (0x0400): Child responded: 0
> [FILE:/var/lib/sss/db/ccache_SAMBA.COMPANY.COM], expired on [1406178284]
>
> But:
> root@epo:/var/log/sssd# kinit -k -t /etc/krb5.sssd.keytab
> 'EPO$@SAMBA.COMPANY.COM'
>
> root@epo:/var/log/sssd# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: EPO$@SAMBA.COMPANY.COM
>
> Valid starting       Expires              Service principal
> 23/07/2014 21:03     24/07/2014 07:03
> krbtgt/SAMBA.COMPANY.COM@SAMBA.COMPANY.COM
>         renew until 24/07/2014 21:03
>
> Also: kinit heupink asks for my password, and creates a ticket
> successfully.
>
> So, many things seem to work... But logging on (over ssh or remote
> desktop) does not. Auth.log tells me:
> Jul 23 21:04:44 epo sssd_be: canonuserfunc error -7
> Jul 23 21:04:44 epo sssd_be: _sasl_plugin_load failed on
> sasl_canonuser_init for plugin: ldapdb
> Jul 23 21:04:44 epo sssd_be: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (Server not found in Kerberos
> database)
> Jul 23 21:04:47 epo xrdp-sesman: pam_unix(xrdp-sesman:auth):
> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> user=heupink
> Jul 23 21:04:47 epo xrdp-sesman: pam_sss(xrdp-sesman:auth):
> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> user=heupink
> Jul 23 21:04:47 epo xrdp-sesman: pam_sss(xrdp-sesman:auth): received for
> user heupink: 9 (Authentication service cannot retrieve authentication info)
>
> Finally, here is my sssd.conf:
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = default
>
> # enable or disable the below
> # debug_level = 3
> # debug_level = 5
> debug_level = 8
> [nss]
>
> [pam]
>
> [domain/default]
> debug_level = 8
>
> ldap_schema = rfc2307bis
> id_provider = ldap
> access_provider = simple
> ldap_referrals = false
> ldap_force_upper_case_realm = true
>
> # on large directories, you may want to disable enumeration for
> performance reasons
> # enumerate = true
>
> auth_provider = krb5
> chpass_provider = krb5
> ldap_sasl_mech = gssapi
> ldap_sasl_authid = EPO$@SAMBA.COMPANY.COM
> krb5_realm = SAMBA.COMPANY.COM
> #krb5_server = dc2.samba.company.com, dc3.samba.company.com
> krb5_server = x.y.143.15, x.y.143.16
> #krb5_kpasswd = dc2.samba.company.com, dc3.samba.company.com
> krb5_kpasswd = x.y.143.15, x.y.143.16
> ldap_krb5_keytab = /etc/krb5.sssd.keytab
> ldap_krb5_init_creds = true

Hi

1. Unless you have a reverse zone and your x.y.143.15 and ....16 resolve properly, use the fqdn.

> ldap_uri = ldap://x.y.143.15, ldap://x.y.143.16
> ldap_search_base = dc=samba,dc=merit,dc=unu,dc=edu

For AD objects, this doesn't make sense. This domain does not correspond to anything in your realm. I could believe:

ldap_search_base = cn=Users,dc=samba,dc=company,dc=com

but I see no connection with samba.merit.unu.edu

But it's late, too hot and everyone else has gone for a beer, so we may well have missed something earlier in the thread.

> ldap_user_object_class = user
> ldap_user_name = samAccountName
> ldap_user_uid_number = uidNumber
> ldap_user_gid_number = gidNumber
> ldap_user_home_directory = unixHomeDirectory
> ldap_user_shell = loginShell
>
> ldap_group_object_class = group
> ldap_group_name = cn
> ldap_group_member = member
>
> I hope this is enough info, and one of the sssd gurus here can assist.
> Again: everything worked while dc1 was online; things stopped working
> when it was taken offline.

Maybe, but for AD I'd really recommend switching to sssd with a proper AD backend, whereupon you can forget about DNS. All the 1.11 series have it, as does the latest 1.12.0. The configuration is simple and when the cache is full it absolutely screams:

[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]

[domain/default]
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = False

For the usual gotchas in a S4 domain: http://linuxcostablanca.blogspot.com.es/2014/04/sssd-ad-backend-with-samba4.html

HTH,
Steve
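The two misconfigurations Steve points at (IP literals where SASL/GSSAPI needs a host name to build the ldap/<fqdn>@REALM service principal, and a search base that does not spell the realm) can be caught before sssd is even started. The following checker is an added example, not code from the thread or from sssd; the sample config is constructed from the keys Mourik Jan posted, and the "x.y.143.15" form is treated as a non-FQDN just like a real IP literal would be.

```python
import configparser
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the keys that matter, copied from the sssd.conf in the thread.
SAMPLE_CONF = """
[domain/default]
krb5_realm = SAMBA.COMPANY.COM
krb5_server = x.y.143.15, x.y.143.16
ldap_uri = ldap://x.y.143.15, ldap://x.y.143.16
ldap_search_base = dc=samba,dc=merit,dc=unu,dc=edu
"""

def is_hostname(host):
    """A name a service principal (ldap/<fqdn>@REALM) can be built from:
    dotted, with an alphabetic top-level label. IP literals and the redacted
    x.y.143.15 form from the post both fail."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        labels = host.split(".")
        return len(labels) >= 2 and all(labels) and labels[-1].isalpha()

def dc_components(search_base):
    """'cn=Users,dc=samba,dc=company,dc=com' -> 'samba.company.com'"""
    rdns = [r.strip() for r in search_base.split(",")]
    return ".".join(r[3:] for r in rdns if r.lower().startswith("dc="))

def check_domain(conf_text, domain="default"):
    """Return a list of findings; an empty list means the checks passed."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    sec = cfg[f"domain/{domain}"]
    findings = []
    # 1. KDC and LDAP targets must be names: with SASL/GSSAPI the client asks the
    #    KDC for ldap/<host>, and an IP literal only works via a reverse zone.
    for key in ("krb5_server", "krb5_kpasswd", "ldap_uri"):
        for item in (v.strip() for v in sec.get(key, "").split(",") if v.strip()):
            host = urlsplit(item).hostname if "://" in item else item
            if not is_hostname(host):
                findings.append(f"{key}: '{item}' is not an FQDN; use the DC's host name")
    # 2. In an AD domain the search base's dc= components spell the realm's DNS
    #    name; anything else points sssd at a tree that does not hold the users.
    realm = sec.get("krb5_realm", "").lower()
    base = sec.get("ldap_search_base", "")
    if realm and base and dc_components(base) != realm:
        findings.append(f"ldap_search_base '{base}' does not match krb5_realm {realm.upper()}")
    return findings
```

Run `check_domain(open("/etc/sssd/sssd.conf").read())` on a host to get the findings for its own configuration; the sample above yields four FQDN findings and one search-base finding.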