LinuxQuestions.org


lux209 08-23-2016 03:54 AM

SSSD can't find user from time to time
 
Hi all!
I'm having an issue with SSSD using Active Directory as source. The login and sudo are working fine, I'm able to filter the access based on Windows groups and do some sudo "rules".

But from time to time sssd fails to find users in the AD; if I wait a few minutes or restart the service it works again, then a few minutes later it will fail, then work, then fail, and so on.

I'm using sssd on many servers and only 1 is having the issue and the config is exactly the same as the working servers.

I used the "realm" command to configure sssd like: realm join --user=sysnetlucas@my.domain.com my.domain.com

Here is my sssd config file:
[sssd]
domains = my.domain.com
config_file_version = 2
services = nss, pam
#debug_level = 8

[domain/my.domain.com]
ad_domain = my.domain.com
krb5_realm = MY.DOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
simple_allow_groups = Security Group Access Admin Server dmy01t1@my.domain.com, security group Access usermydomain server dmy01t1@my.domain.com
#debug_level = 8
ldap_referrals = false

The only change I made was to add "ldap_referrals = false".

In the logs it looks like the ldap_search_ext is not the same when it works and when it doesn't. When it works I see "calling ldap_search_ext with [(&(sAMAccountName=sysnetlucas)(objectclass=user)(objectSID=*))][DC=my,DC=domain,DC=com]".
And when it doesn't work I see "calling ldap_search_ext with [(&(sAMAccountName=sysnetlucas)(objectclass=user)(sAMAccountName=*)(objectSID=*))][DC=my,DC=domain,DC=com]."

Here are the full logs when it fails:
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=sysnetlucas]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [my.domain.com] to [my.domain.com]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [DC=my,DC=domain,DC=com]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_print_server] (0x2000): Searching 10.32.3.20
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=sysnetlucas)(objectclass=user)(sAMAccountName=*)(objectSID=*))][DC=my,DC=domain,DC=com].
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 44
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_op_add] (0x2000): New operation 44 timeout 6
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f9d0f0bb180], connected[1], ops[0x7f9d1023fab0], ldap[0x7f9d110f11c0]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-03100747, data 0, 1 access points
ref 1: 'my.domain.com'
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://my.domain.com/DC=my,DC=domain,DC=com
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_op_destructor] (0x2000): Operation 44 finished
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f9d0f0bb180], connected[1], ops[(nil)], ldap[0x7f9d110f11c0]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Aug 22 13:20:58 2016) [sssd[be[my.domain.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Mon Aug 22 13:20:58 2016) [sssd[be[my.domain.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit


Here are the logs when the login works:
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=sysnetlucas]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [my.domain.com] to [my.domain.com]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [DC=my,DC=domain,DC=com]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_print_server] (0x2000): Searching 10.32.5.1
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=sysnetlucas)(objectclass=user)(objectSID=*))][DC=my,DC=domain,DC=com].
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 22
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_op_add] (0x2000): New operation 22 timeout 6
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f9d0edf32a0], connected[1], ops[0x7f9d0ed87a60], ldap[0x7f9d0edfd230]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=Sysnet Lucas,OU=Sysnet,OU=IT Users Services and Servers Access,OU=IT Access,OU=Special Case,DC=my,DC=domain,DC=com].
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [whenChanged]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [name]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectGUID]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [userAccountControl]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [primaryGroupID]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectSid]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [userPrincipalName]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f9d0edf32a0], connected[1], ops[0x7f9d0ed87a60], ldap[0x7f9d0edfd230]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_op_destructor] (0x2000): Operation 22 finished
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_save_user] (0x0400): Save user
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_primary_name] (0x0400): Processing object sysnetlucas


Any help is welcome!
Thanks!
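
An added example, not part of the original post and not SSSD's own tooling: a small parser for SSSD backend debug logs like the two excerpts above, pairing each `ldap_search_ext` call with the server it was sent to and the LDAP result code, so lookups can be compared by server and filter. The sample lines are a constructed subset of the quoted logs; the function names are hypothetical, and the parser assumes one search in flight at a time.

```python
import re
from collections import Counter

# Constructed sample: a subset of the log lines quoted in the post above.
SAMPLE = """\
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_print_server] (0x2000): Searching 10.32.3.20
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=sysnetlucas)(objectclass=user)(sAMAccountName=*)(objectSID=*))][DC=my,DC=domain,DC=com].
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-03100747, data 0, 1 access points
ref 1: 'my.domain.com'
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_print_server] (0x2000): Searching 10.32.5.1
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=sysnetlucas)(objectclass=user)(objectSID=*))][DC=my,DC=domain,DC=com].
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
"""

# Header of every backend log line: (timestamp) [sssd[be[domain]]] [function] (level): message
LINE = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[[^\]]+\]\]\] \[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")
SEARCH = re.compile(r"calling ldap_search_ext with \[(?P<filter>.*)\]\[(?P<base>[^\]]*)\]\.?$")
RESULT = re.compile(r"Search result: (?P<name>[\w ]+)\((?P<code>\d+)\)")

def parse_searches(text):
    """Return one dict per completed LDAP search: ts, server, filter, base, result, code."""
    searches, current = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines such as "ref 1: ..." have no header
        func, msg = m["func"], m["msg"]
        if func == "sdap_print_server" and msg.startswith("Searching "):
            current = {"ts": m["ts"], "server": msg.split()[1]}
        elif (s := SEARCH.search(msg)):
            current.update(filter=s["filter"], base=s["base"])
        elif func == "sdap_get_generic_op_finished" and (r := RESULT.search(msg)):
            current.update(result=r["name"], code=int(r["code"]))
            searches.append(current)
            current = {}
    return searches

def results_by_server(searches):
    """Count LDAP result names per server, to show which server returns non-success."""
    return Counter((s.get("server", "?"), s["result"]) for s in searches)

if __name__ == "__main__":
    for s in parse_searches(SAMPLE):
        print(s["ts"], s.get("server"), s["result"], s["code"], s.get("filter"))
    print(dict(results_by_server(parse_searches(SAMPLE))))
```

Run over the full `sssd_my.domain.com.log` from the affected host and from a working host, the per-server counts show whether the non-success results line up with one server address or with one filter form.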

jeremy 08-28-2016 09:50 AM

Please post your thread in only one forum. Posting a single thread in the most relevant forum will make it easier for members to help you and will keep the discussion in one place. This thread is being closed because it is a duplicate.

