On Wed, Jan 31, 2018 at 01:18:27PM -0500, TomK via FreeIPA-users wrote:
> On 1/31/2018 12:21 PM, TomK wrote:
> > On 1/31/2018 9:41 AM, Jakub Hrozek wrote:
> > > See inline..
> > > 
> > > On Wed, Jan 31, 2018 at 03:23:57AM -0500, TomK wrote:
> > > > On 1/31/2018 3:18 AM, TomK via FreeIPA-users wrote:
> > > > My bad, did not include sssd-users earlier.  :(
> > > > 
> > > > > Hey All,
> > > > > 
> > > > > I'm wondering if anyone came across this error below.  We have two
> > > > > RHEL 7.4 servers with SSSD 1.15.2: http-srv01 and http-srv02
> > > > > 
> > > > > Both connect to the same AD DC host below: addc-srv03.addom.com.
> > > > > Verified krb5.conf and sssd.conf both are identical.  We can login on
> > > > > the http-srv01 and can list all groups for an AD account.
> > > > > 
> > > > > On http-srv02 we cannot login and any group listing from the CLI
> > > > > result only in the user's local groups.  No AD groups.
> > > > > 
> > > > > Logs give us the output below.  Short of adding in the entire log
> > > > > which I might not be able to do till the end of the week, what could
> > > > > we look at to resolve this?
> > > > > 
> > > > > There's very little available online on this error.  The RH solution
> > > > > doesn't make sense since the first host connects and authenticates
> > > > > users just fine so it's definitely GC enabled.
> > > > > 
> > > > 
> > > > 
> > > > -- 
> > > > Cheers,
> > > > Tom K.
> > > > -------------------------------------------------------------------------------------
> > > > 
> > > > 
> > > > Living on earth is expensive, but it includes a free trip around
> > > > the sun.
> > > > 
> > > > 
> > > > 
> > > > samba-libs-4.6.2-12.el7_4.x86_64
> > > > samba-client-libs-4.6.2-12.el7_4.x86_64
> > > > sssd-1.15.2-50.el7_4.6.x86_64
> > > > openldap-2.4.44-5.el7.x86_64
> > > > sssd-ldap-1.15.2-50.el7_4.6.x86_64
> > > > sssd-common-pac-1.15.2-50.el7_4.6.x86_64
> > > > samba-winbind-clients-4.6.2-12.el7_4.x86_64
> > > > samba-common-4.6.2-12.el7_4.noarch
> > > > sssd-client-1.15.2-50.el7_4.6.x86_64
> > > > sssd-proxy-1.15.2-50.el7_4.6.x86_64
> > > > samba-winbind-modules-4.6.2-12.el7_4.x86_64
> > > > python-sssdconfig-1.15.2-50.el7_4.6.noarch
> > > > sssd-ipa-1.15.2-50.el7_4.6.x86_64
> > > > samba-common-libs-4.6.2-12.el7_4.x86_64
> > > > sssd-krb5-common-1.15.2-50.el7_4.6.x86_64
> > > > samba-winbind-4.6.2-12.el7_4.x86_64
> > > > sssd-krb5-1.15.2-50.el7_4.6.x86_64
> > > > sssd-ad-1.15.2-50.el7_4.6.x86_64
> > > > sssd-common-1.15.2-50.el7_4.6.x86_64
> > > > samba-common-tools-4.6.2-12.el7_4.x86_64
> > > > 
> > > > 
> > > > (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [sbus_dispatch] (0x4000): dbus conn: 0x55b2e22e8700
> > > > (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [sbus_dispatch] (0x4000): Dispatching.
> > > > (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
> > > > (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
> > > > (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [dp_get_account_info_handler] (0x0200): Got request for [0x2][BE_REQ_GROUP][name=unix-admin-group@addom]
> > > > (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [dp_attach_req] (0x0400): DP Request [Account #4]: New request. Flags [0x0001].
> > > > (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [dp_attach_req] (0x0400): Number of active DP request: 1
> > > > (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [sss_domain_get_state] (0x1000): Domain ADDOM is Active
> > > > (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [sss_domain_get_state] (0x1000): Domain ADDOM is Active
> > > > (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [sdap_id_op_connect_step] (0x4000): beginning to connect
> > > > (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
> > > > (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [get_server_status] (0x1000): Status of server 'addc-srv03.addom.com' is 'working'
> > > > (Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [get_port_status] (0x1000): Port status of port 0 for server 'addc-srv03.addom.com' is 'not working'
> > > 
> > > What debug level are you running with? Is this the first occurrence of
> > > 'port not working' since sssd started?
> > It's debug_level = 9.  There were 1002 occurrences since I restarted sssd
> > last night.  If it's F/W, I'm not clear on the port this is referring
> > to.
> Also confirmed that port 3268 from both clients to the AD DC is blocked in
> F/W. However then that raises the question why authentication works on
> http-srv01 even though traffic to port 3268 is also getting denied from that
> host.

The 'port' here refers to an internal sssd structure that usually maps
to a network port, but not always.

Is there some more context around the very first 'not working' since the
sssd restart? Because there is not much here, there's just connecting and
then not working, which leaves me puzzled.

The very first state switch should have a message from
"_be_fo_set_port_status" which also includes who was the caller etc.
That should give some more context.
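
A log-triage helper for the check described above, added here as an example (it is not part of the original thread and is not SSSD code): it finds the first `_be_fo_set_port_status` record at or after a given restart time, returns the records just before it, and counts the 'not working' reports. Assumptions: the domain log holds one record per line in the layout of the quoted excerpt; the sample lines, the restart time `SINCE`, the 0x8000 level and the placeholder message text on the `_be_fo_set_port_status` lines are constructed, since the real message is not shown in the thread.

```python
import re
from collections import deque
from datetime import datetime

# Record layout as in the quoted excerpt:
# (timestamp) [process] [function] (0xLEVEL): message
RECORD = re.compile(r"^\((.+?)\) \[(.+?)\] \[(\w+)\] \((0x[0-9a-fA-F]+)\): ?(.*)$")

def parse(line):
    """Parse one debug record; return None for lines that are not records."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    ts, proc, func, level, msg = m.groups()
    return {"ts": datetime.strptime(ts, "%a %b %d %H:%M:%S %Y"),
            "proc": proc, "func": func, "level": int(level, 16), "msg": msg}

def first_state_switch(lines, since, context=3):
    """Return (context_records, first_switch_record, not_working_count)
    considering only records stamped at or after `since`."""
    before = deque(maxlen=context)   # rolling window of preceding records
    switch, ctx, count = None, [], 0
    for line in lines:
        rec = parse(line)
        if rec is None or rec["ts"] < since:
            continue
        if rec["func"] == "get_port_status" and "'not working'" in rec["msg"]:
            count += 1
        if switch is None:
            if rec["func"] == "_be_fo_set_port_status":
                switch, ctx = rec, list(before)
            else:
                before.append(rec)
    return ctx, switch, count

SINCE = datetime(2018, 1, 30, 18, 0, 0)  # constructed restart time
# Constructed sample; placeholder text stands in for the real switch message.
SAMPLE = """\
(Tue Jan 30 09:12:44 2018) [sssd[be[ADDOM]]] [_be_fo_set_port_status] (0x8000): <placeholder: before restart>
(Tue Jan 30 18:00:03 2018) [sssd[be[ADDOM]]] [sdap_id_op_connect_step] (0x4000): beginning to connect
(Tue Jan 30 18:00:03 2018) [sssd[be[ADDOM]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
(Tue Jan 30 18:00:04 2018) [sssd[be[ADDOM]]] [get_server_status] (0x1000): Status of server 'addc-srv03.addom.com' is 'working'
(Tue Jan 30 18:00:05 2018) [sssd[be[ADDOM]]] [_be_fo_set_port_status] (0x8000): <placeholder: real message names the caller>
(Tue Jan 30 18:00:09 2018) [sssd[be[ADDOM]]] [get_port_status] (0x1000): Port status of port 0 for server 'addc-srv03.addom.com' is 'not working'
(Tue Jan 30 19:00:01 2018) [sssd[be[ADDOM]]] [get_port_status] (0x1000): Port status of port 0 for server 'addc-srv03.addom.com' is 'not working'
"""

if __name__ == "__main__":
    ctx, switch, count = first_state_switch(SAMPLE.splitlines(), SINCE)
    for rec in ctx + [switch]:
        print(rec["ts"], rec["func"], rec["msg"])
    print("'not working' reports since restart:", count)
```

Running the same function over the logs of both hosts makes it easy to compare what preceded the state switch on each.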