LinuxQuestions.org
08-23-2016, 03:54 AM   #1
lux209
SSSD can't find user from time to time


Hi all !
I'm having an issue with SSSD using Active Directory as source. The login and sudo are working fine, I'm able to filter the access based on Windows groups and do some sudo "rules".

But from time to time sssd fails to find users in the AD; if I wait a few minutes or restart the service it works again, then a few minutes later it will fail, then work, then fail, and so on.

I'm using sssd on many servers and only 1 is having the issue and the config is exactly the same as the working servers.

I used the "realm" command to configure sssd like: realm join --user=sysnetlucas@my.domain.com my.domain.com

Here is my sssd config file:
[sssd]
domains = my.domain.com
config_file_version = 2
services = nss, pam
#debug_level = 8

[domain/my.domain.com]
ad_domain = my.domain.com
krb5_realm = MY.DOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
simple_allow_groups = Security Group Access Admin Server dmy01t1@my.domain.com, security group Access usermydomain server dmy01t1@my.domain.com
#debug_level = 8
ldap_referrals = false

The only change I made was to add "ldap_referrals = false".

In the logs it looks like the ldap_search_ext is not the same when it works or not. When it works I see "calling ldap_search_ext with [(&(sAMAccountName=sysnetlucas)(objectclass=user)(objectSID=*))][DC=my,DC=domain,DC=com]".
And when it doesn't work I see "calling ldap_search_ext with [(&(sAMAccountName=sysnetlucas)(objectclass=user)(sAMAccountName=*)(objectSID=*))][DC=my,DC=domain,DC=com]."

Here are the full logs when it fails:
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=sysnetlucas]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [my.domain.com] to [my.domain.com]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [DC=my,DC=domain,DC=com]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_print_server] (0x2000): Searching 10.32.3.20
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=sysnetlucas)(objectclass=user)(sAMAccountName=*)(objectSID=*))][DC=my,DC=domain,DC=com].
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 44
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_op_add] (0x2000): New operation 44 timeout 6
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f9d0f0bb180], connected[1], ops[0x7f9d1023fab0], ldap[0x7f9d110f11c0]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-03100747, data 0, 1 access points
ref 1: 'my.domain.com'
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://my.domain.com/DC=my,DC=domain,DC=com
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_op_destructor] (0x2000): Operation 44 finished
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Success)
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f9d0f0bb180], connected[1], ops[(nil)], ldap[0x7f9d110f11c0]
(Mon Aug 22 13:20:52 2016) [sssd[be[my.domain.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Mon Aug 22 13:20:58 2016) [sssd[be[my.domain.com]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Mon Aug 22 13:20:58 2016) [sssd[be[my.domain.com]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit


Here are the logs when the login works:
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [be_get_account_info] (0x0200): Got request for [0x3][1][name=sysnetlucas]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [my.domain.com] to [my.domain.com]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [DC=my,DC=domain,DC=com]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_print_server] (0x2000): Searching 10.32.5.1
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=sysnetlucas)(objectclass=user)(objectSID=*))][DC=my,DC=domain,DC=com].
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 22
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_op_add] (0x2000): New operation 22 timeout 6
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f9d0edf32a0], connected[1], ops[0x7f9d0ed87a60], ldap[0x7f9d0edfd230]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=Sysnet Lucas,OU=Sysnet,OU=IT Users Services and Servers Access,OU=IT Access,OU=Special Case,DC=my,DC=domain,DC=com].
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [whenChanged]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [name]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectGUID]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [userAccountControl]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [primaryGroupID]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectSid]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_parse_range] (0x2000): No sub-attributes for [userPrincipalName]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0x7f9d0edf32a0], connected[1], ops[0x7f9d0ed87a60], ldap[0x7f9d0edfd230]
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_op_destructor] (0x2000): Operation 22 finished
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_save_user] (0x0400): Save user
(Mon Aug 22 11:21:17 2016) [sssd[be[my.domain.com]]] [sdap_get_primary_name] (0x0400): Processing object sysnetlucas


Any help is welcome!
Thanks!
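
An added example (not part of the original post, and not SSSD code): the two excerpts above differ in both the server searched and the filter sent, so this Python parser pairs each ldap_search_ext operation in a backend debug log with its server, filter and result, letting failures be tallied per server. The names correlate and tally are hypothetical, and the sample lines are constructed by condensing the excerpts in the post.

```python
import re
from collections import Counter

# One SSSD backend debug line: (timestamp) [process] [function] (level): message
LINE = re.compile(r"^\([^)]+\) \[sssd\[be\[[^\]]+\]\]\] \[(?P<func>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")
FILTER = re.compile(r"calling ldap_search_ext with \[(.+)\]\[[^\]]*\]\.?$")
RESULT = re.compile(r"Search result: (\w+)\((\d+)\)")

def correlate(lines):
    """Return (server, filter, result) per finished op; assumes a result line precedes its destructor."""
    server = flt = result = None
    pending, finished = {}, []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:  # continuation text such as "ref 1: ..."
            continue
        func, msg = m["func"], m["msg"]
        if func == "sdap_print_server":
            server = msg.split()[-1]
        elif func == "sdap_get_generic_ext_step" and (f := FILTER.search(msg)):
            flt = f.group(1)
        elif func == "sdap_get_generic_ext_step" and "msgid = " in msg:
            pending[msg.rsplit("= ", 1)[1]] = (server, flt)
        elif func == "sdap_get_generic_op_finished" and (r := RESULT.search(msg)):
            result = f"{r.group(1)}({r.group(2)})"
        elif func == "sdap_op_destructor" and (o := re.match(r"Operation (\d+) finished", msg)):
            if o.group(1) in pending:
                finished.append((*pending.pop(o.group(1)), result))
            result = None
    return finished

def tally(lines):
    """Count (server, result) pairs so a server that keeps answering differently stands out."""
    return Counter((srv, res) for srv, _, res in correlate(lines))

# Constructed sample, condensed from the two excerpts in the post.
P, F = "[sssd[be[my.domain.com]]]", "(&(sAMAccountName=sysnetlucas)(objectclass=user)"
SAMPLE = f"""\
(Mon Aug 22 11:21:17 2016) {P} [sdap_print_server] (0x2000): Searching 10.32.5.1
(Mon Aug 22 11:21:17 2016) {P} [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [{F}(objectSID=*))][DC=my,DC=domain,DC=com].
(Mon Aug 22 11:21:17 2016) {P} [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 22
(Mon Aug 22 11:21:17 2016) {P} [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Aug 22 11:21:17 2016) {P} [sdap_op_destructor] (0x2000): Operation 22 finished
(Mon Aug 22 13:20:52 2016) {P} [sdap_print_server] (0x2000): Searching 10.32.3.20
(Mon Aug 22 13:20:52 2016) {P} [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [{F}(sAMAccountName=*)(objectSID=*))][DC=my,DC=domain,DC=com].
(Mon Aug 22 13:20:52 2016) {P} [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 44
(Mon Aug 22 13:20:52 2016) {P} [sdap_get_generic_op_finished] (0x0400): Search result: Referral(10), 0000202B: RefErr: DSID-03100747, data 0, 1 access points
ref 1: 'my.domain.com'
(Mon Aug 22 13:20:52 2016) {P} [sdap_op_destructor] (0x2000): Operation 44 finished
""".splitlines()
```

Run over a full domain log, tally(open(path)) gives one count per (server, result) pair; correlate keeps the filter as well, so the filter difference noted in the post can be compared against the server difference.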
 
08-28-2016, 09:50 AM   #2
jeremy
Please post your thread in only one forum. Posting a single thread in the most relevant forum will make it easier for members to help you and will keep the discussion in one place. This thread is being closed because it is a duplicate.