On Thu, Jun 08, 2017 at 12:05:55PM -0400, Abhijit Tikekar wrote:
> Hi,
>
> We are unable to connect one machine (CentOS 6.9) to Active Directory using
> SSSD. It is giving the following error whenever we attempt the join. The
> exact same settings are working for other servers.
>
> # net ads join -k
> Failed to join domain: failed to lookup DC info for domain X.Y.LOCAL' over
> rpc: NT_STATUS_CONNECTION_RESET
>
> But testjoin shows OK.
>
> # net ads testjoin
> Join is OK
>
> Even though join says OK, users are not able to authenticate.
>
> # net ads info
> LDAP server: x.x.x.x
> LDAP server name: AD-Server.x.y.local
> Realm: X.Y.LOCAL
> Bind Path: dc=X,dc=Y,dc=LOCAL
> LDAP port: 389
> Server time: Thu, 08 Jun 2017 11:18:41 EDT
> KDC server: x.x.x.x
> Server time offset: 0
>
> "id" and "getent passwd <username>" return nothing.
>
> DNS entries are correct under /etc/resolv.conf.
>
> Here is the sanitized sssd_domain.log file (log level 5):
>
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_res_get_opts] (0x0100): Lookup order: ipv4_first
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sysdb_domain_init_internal] (0x0200): DB File for x.y.local: /var/lib/sss/db/cache_x.y.local.ldb
> ...
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sbus_server_init_new_connection] (0x0200): Adding connection 0xbec7b0.
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sbus_server_init_new_connection] (0x0200): Got a connection
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_client_init] (0x0100): Set-up Backend ID timeout [0xbee680]
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [get_naming_context] (0x0200): Using value from [defaultNamingContext] as naming context.
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_search_base] (0x0100): Setting option [ldap_search_base] to [DC=x,DC=y,DC=local].
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][DC=x,DC=y,DC=local][SUBTREE][]
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_search_base] (0x0100): Setting option [ldap_netgroup_search_base] to [DC=x,DC=y,DC=local].
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][DC=x,DC=y,DC=local][SUBTREE][]
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_search_base] (0x0100): Setting option [ldap_service_search_base] to [DC=x,DC=y,DC=local].
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][DC=x,DC=y,DC=local][SUBTREE][]
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_set_search_base] (0x0100): Setting option [ldap_autofs_search_base] to [DC=x,DC=y,DC=local].
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][DC=x,DC=y,DC=local][SUBTREE][]
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [6]
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_resolve_server_process] (0x0200): Found address for server AD-Server.x.y.local: [x.x.x.x] TTL 3600
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [client_registration] (0x0100): Cancel DP ID timeout [0xbee680]
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [client_registration] (0x0100): Added Frontend client [SUDO]
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [child_sig_handler] (0x0100): child [14490] finished successfully.
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
Please check the ldap_child.log file. SSSD is not able to get a Kerberos
ticket with the help of the system keytab /etc/krb5.keytab.

bye,
Sumit

> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [13]: Permission denied
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'AD-Server.x.y.local' as 'not working'
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_subdomains_get_conn_done] (0x0080): No AD server is available, cannot get the subdomain list while offline
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_ptask_enable] (0x0080): Task [Check if online (periodic)]: already enabled
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [ad_subdomains_get_conn_done] (0x0080): No AD server is available, cannot get the subdomain list while offline
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [client_registration] (0x0100): Cancel DP ID timeout [0xbe97f0]
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [client_registration] (0x0100): Added Frontend client [NSS]
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.X.Y.LOCAL], [2][No such file or directory]
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kdcinfo.X.Y.LOCAL], [2][No such file or directory]
> (Thu Jun 8 10:39:42 2017) [sssd[be[x.y.local]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.X.Y.LOCAL], [2][No such file or directory]
> (Thu Jun 8 10:40:00 2017) [sssd[be[x.y.local]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
> (Thu Jun 8 10:40:01 2017) [sssd[be[x.y.local]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
> (Thu Jun 8 10:40:01 2017) [sssd[be[x.y.local]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
> (Thu Jun 8 10:40:01 2017) [sssd[be[x.y.local]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kdcinfo.X.Y.LOCAL], [2][No such file or directory]
> (Thu Jun 8 10:40:01 2017) [sssd[be[x.y.local]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.X.Y.LOCAL], [2][No such file or directory]
>
> Capture when net ads join fails. .66 is the AD server and .109 is the CentOS
> machine.
>
> Sanitized contents of sssd.conf, krb5.conf and smb.conf:
>
> sssd.conf
> [sssd]
> domains = X.Y.LOCAL
> services = nss, pam, sudo
> config_file_version = 2
> debug_level = 5
> [nss]
> [pam]
> debug_level=5
> [sudo]
> debug_level=0
> [domain/x.y.local]
> debug_level=5
> ad_server = AD-Server.x.y.local
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> sudo_provider = ad
> ldap_use_tokengroups = False
> krb5_realm = X.Y.LOCAL
> ldap_uri = ldap://AD-Server.x.y.local
> ldap_sudo_search_base
> ldap_user_search_base
> ldap_group_search_base
> ldap_access_order = filter, expire
> ad_access_filter =
> cache_credentials = true
> override_homedir = /home/%d/%u
> default_shell = /bin/bash
>
> krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> [libdefaults]
> default_realm = X.Y.LOCAL
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = yes
> [realms]
> X.Y.LOCAL = {
> kdc = AD-Server.x.y.local:88
> admin_server = AD-Server.x.y.local:749
> }
> [domain_realm]
> .x.y.local = X.Y.LOCAL
> x.y.local = X.Y.LOCAL
>
> smb.conf
> [global]
> workgroup = X
> client signing = yes
> client use spnego = yes
> kerberos method = secrets and keytab
> realm = X.Y.LOCAL
> security = ads
> log file = /var/log/samba/log.%m
> max log size = 50
> min protocol = SMB2
>
> Thanks,
>
> ~ abhi
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
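The two checks Sumit's reply points at, written out as an added example that is not part of this thread and not SSSD's own code: a POSIX sh triage of a sssd_<domain>.log that keeps only the failure-level lines (level bits as documented in sssd.conf(5)) plus the "Could not get TGT" line, followed by a keytab check that lists /etc/krb5.keytab and tries kinit with the AD computer-account principal. The keytab path, the realm X.Y.LOCAL and the HOSTNAME$@REALM principal form are assumptions taken from the configuration quoted above; the sample log lines are constructed from the ones in the thread.

```shell
#!/bin/sh
# Added example for this thread (not SSSD's code, not from the posters).
# Assumptions: keytab at /etc/krb5.keytab, realm X.Y.LOCAL (from the thread's
# krb5.conf) and an AD computer-account principal of the form HOSTNAME$@REALM.

# Print failure lines of a SSSD domain log as "<level> <function>: <message>".
# Levels per sssd.conf(5): 0x0010 fatal, 0x0020 critical, 0x0040 serious,
# 0x0080 minor. "Could not get TGT" is logged at 0x0100 in the thread, so it is
# matched by text as well; it is the first thing that goes wrong.
triage_sssd_log() {
    grep -E '\((0x0010|0x0020|0x0040|0x0080)\)|Could not get TGT' "$1" \
      | sed -E 's/^\([^)]*\) \[[^]]*]+ \[([a-z_0-9]+)] \(([0-9a-fx]+)\): (.*)$/\2 \1: \3/'
}

# First Kerberos failure message, e.g. "Could not get TGT: 14 [Bad address]".
first_kerberos_failure() {
    triage_sssd_log "$1" \
      | sed -n 's/^0x[0-9a-f]* [a-z_0-9]*: \(Could not get TGT.*\)$/\1/p' \
      | head -n 1
}

# Check that the machine keytab exists, is readable, and actually yields a TGT.
# A MEMORY: credential cache is used so the test ticket is not left on disk.
check_host_keytab() {
    kt=${1:-/etc/krb5.keytab}
    realm=${2:-X.Y.LOCAL}
    if [ ! -r "$kt" ]; then
        echo "keytab $kt missing or not readable by $(id -un); check owner and mode"
        return 1
    fi
    if ! command -v klist >/dev/null 2>&1 || ! command -v kinit >/dev/null 2>&1; then
        echo "krb5 workstation tools (klist/kinit) are not installed"
        return 2
    fi
    echo "principals in $kt:"
    klist -kt "$kt" || return 3
    host=$(hostname -s | tr '[:lower:]' '[:upper:]')
    princ="${host}\$@${realm}"
    if KRB5CCNAME=MEMORY:keytabcheck kinit -kt "$kt" "$princ"; then
        echo "TGT obtained for $princ"
    else
        echo "kinit failed for $princ: the keytab does not match the computer account, or clock/DNS is off"
        return 4
    fi
}

# Constructed sample log: a subset of the lines quoted in the thread.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [child_sig_handler] (0x0100): child [14490] finished successfully.
(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [13]: Permission denied
(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD'
(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Thu Jun  8 10:39:42 2017) [sssd[be[x.y.local]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
EOF

# Usage on a real host: triage_sssd_log /var/log/sssd/sssd_x.y.local.log
triage_sssd_log "$SAMPLE_LOG"
echo "first Kerberos failure: $(first_kerberos_failure "$SAMPLE_LOG")"
check_host_keytab "${KEYTAB:-/etc/krb5.keytab}" "${REALM:-X.Y.LOCAL}" || echo "keytab check exited with status $?"
```

Run the keytab part as root on the affected host (ldap_child reads the keytab as root). If kinit with the computer-account principal fails here while it succeeds on the servers that join fine, the TGT failure is reproduced outside SSSD and ldap_child.log will carry the underlying Kerberos error; a readable keytab whose principals kinit fine points instead at ldap_child.log for a different cause.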