On Wed, Jun 24, 2015 at 05:55:28PM +0000, Carl Pettersson (EXT BN) wrote:
> Hi,
> We're getting this referral-related error in our sssd installation. Some
> environment information:
> * CentOS 6.6 clients, sssd v1.11.6
> * Windows 2012R2 domain controllers, 2008R2 functional level, single domain
>   forest. Let's call it ad.example.com.
> * We have one-way trusts to several other domains/forests, a.foo.com,
>   b.bar.com and c.baz.com
>
> We've joined the clients with adcli, and we can successfully authenticate
> with accounts from the ad.example.com domain. It is also possible to
> kinit myu...@a.foo.com
>
> but this fails:
> getent passwd myu...@a.foo.com
>
> Looking at the logs (after setting debug_level=8), I can see this error
> message:
>
> (Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: sh[0xda3140], connected[1], ops[0xda1480], ldap[0xda3720]
> (Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
> ref 1: 'a.foo.com'
>
> (Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
> ref 1: 'a.foo.com'
>
> (Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
> (Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
>
> (There's also a row slightly after, "[ad_account_info_complete] (0x0010):
> Bug: dp_error is OK on failed request", unclear if this is related, or
> actually a separate bug)
>
> I first interpreted this as indicating that I needed to allow referral
> chasing, but when I turn that on (via ldap_referrals = true), aside from
> taking much longer, it still errors:
No, it's a bug in SSSD. 6.6 is already quite old in SSSD terms, could you
please try a newer version from this COPR repo?
https://copr.fedoraproject.org/coprs/lslebodn/sssd-1-12/
1.12.5 is more-or-less equivalent to what 6.7 will include.

> (Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: sh[0xe4b9b0], connected[1], ops[0xe4c540], ldap[0xe50a40]
> (Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://a.foo.com/dc=a,dc=foo,dc=com] with fd [25].
> (Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_rebind_proc] (0x0020): ldap_sasl_interactive_bind_s failed (-2)[Local error]
> (Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_rebind_proc] (0x1000): Failed to bind to [ldap://a.foo.com/dc=a,dc=foo,dc=com].
> (Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
> ref 1: 'a.foo.com'
>
> (Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
> ref 1: 'a.foo.com'
>
> (Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
> (Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
>
> I also suspected networking issues for a while, but a Windows client on the
> same subnet can authenticate fine (we only do subnet filtering in our
> firewalls).
>
> Here are my configuration files:
> sssd.conf:
> [sssd]
> services = nss, pam, ssh, autofs
> config_file_version = 2
> domains = AD.EXAMPLE.COM
>
> [nss]
> override_homedir = /home/%d/%u
> override_shell = /bin/bash
>
> [domain/AD.EXAMPLE.COM]
> debug_level = 8
> id_provider = ad
> use_fully_qualified_names = TRUE
>
> krb5.conf:
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = AD.EXAMPLE.COM
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
>
> # I found documentation indicating that these should be commented out while
> # troubleshooting
> # Commenting in/out does not seem to affect the problem, however.
> [realms]
> # AD.EXAMPLE.COM = {
> #  kdc = ad102.ad.example.com
> #  kdc = ad201.ad.example.com
> #  admin_server = ad201.ad.example.com
> # }
>
> [domain_realm]
> # .ad.example.com = AD.EXAMPLE.COM
> # ad.example.com = AD.EXAMPLE.COM
>
> What have we done wrong?
>
> Best regards,
> Carl
> _______________________________________________
> sssd-users mailing list
> sssd-users@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
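As an added example (not from the thread, and not SSSD project code), the following POSIX shell triage helper tells apart the two failure shapes Carl posted: a referral to a trusted domain that the back end did not follow (his first log), and a referral that sssd did try to chase, opening a connection to a.foo.com, only for the SASL rebind to fail (his second log, after ldap_referrals = true). The embedded log lines are constructed to mirror his output, the function and verdict names are mine, and the per-domain log path in the comment is the standard /var/log/sssd/sssd_<domain>.log location.

```shell
#!/bin/sh
# Added example: classify sssd domain-log output from a cross-trust user lookup
# that fails with an LDAP referral. Not part of the original thread.
#
# Real use:  diagnose "$(cat /var/log/sssd/sssd_AD.EXAMPLE.COM.log)"
# Below, two constructed samples stand in for the log file.

# Constructed sample 1 (mirrors the first dump): the DC answers with a
# referral to a.foo.com and the back end stops there; no rebind is tried.
LOG_NO_CHASE=$(cat <<'EOF'
(Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
ref 1: 'a.foo.com'
(Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
(Wed Jun 24 19:43:47 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
EOF
)

# Constructed sample 2 (mirrors the second dump): referral chasing is on,
# a connection to the referred domain is opened, the SASL rebind fails.
LOG_CHASE=$(cat <<'EOF'
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://a.foo.com/dc=a,dc=foo,dc=com] with fd [25].
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_rebind_proc] (0x0020): ldap_sasl_interactive_bind_s failed (-2)[Local error]
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_rebind_proc] (0x1000): Failed to bind to [ldap://a.foo.com/dc=a,dc=foo,dc=com].
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Referral(10), 0000202B: RefErr: DSID-0310082F, data 0, 1 access points
ref 1: 'a.foo.com'
(Wed Jun 24 19:42:22 2015) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
EOF
)

# referral_targets LOGTEXT
# Print each domain named on a "ref N: '<host>'" line that follows a RefErr,
# deduplicated. An empty result means no referral was returned.
referral_targets() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*ref [0-9][0-9]*: '\([^']*\)'.*$/\1/p" \
        | sort -u
}

# count_matches LOGTEXT PATTERN
# Number of log lines matching PATTERN (basic regex). Always prints a number
# and exits 0, so it is safe under set -e even when nothing matches.
count_matches() {
    printf '%s\n' "$1" | grep -c -e "$2" || true
}

# diagnose LOGTEXT
# One-word verdict (names are this example's own, not sssd terminology):
#   no-referral           no Referral(10)/RefErr at all; look elsewhere
#                         (DNS, Kerberos ticket, firewall) before touching sssd
#   referral-not-followed DC referred the search to a trusted domain and the
#                         back end stopped there (ldap_referrals at default)
#   referral-chase-failed sssd followed the referral but could not bind to
#                         the referred server (rebind via SASL failed)
diagnose() {
    targets=$(referral_targets "$1")
    referrals=$(count_matches "$1" 'Referral(10)')
    rebinds=$(count_matches "$1" 'ldap_sasl_interactive_bind_s failed')
    if [ "$referrals" -eq 0 ] && [ -z "$targets" ]; then
        echo no-referral
    elif [ "$rebinds" -gt 0 ]; then
        echo referral-chase-failed
    else
        echo referral-not-followed
    fi
}

# Run both constructed samples when executed directly.
for name in LOG_NO_CHASE LOG_CHASE; do
    eval "log=\$$name"
    printf '%s: %s (referred to: %s)\n' "$name" "$(diagnose "$log")" \
        "$(referral_targets "$log" | tr '\n' ' ')"
done
```

The verdict only narrows where to look; as the reply above says, the failure itself was an SSSD bug in that version, so the right move after a referral-not-followed or referral-chase-failed verdict on a client of that vintage is to upgrade rather than to keep toggling ldap_referrals.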