Hi,
I hope, anyone can help to solve my Problem. I don't know, what happens exactly but after a reboot of my virtual gentoo-box, I'm no longer able to Login local nor remote to my gentoo System
I booted with a liveCD and then Change-rooted into my box. Journalctl didn't Show me a hint …
What more can I do?
every helps are welcome
URGENT: I cannot Login into my system!
Message
URGENT: I cannot Login into my system!
regards,
Roland
Roland
I find out that the problem seams to be with pam. I edited system-auth and commented out session required pam_ldap.so and after that I could login locally. But this is not my desired solution, because I need ldap auth on this system.
My system-auth file looks like this:
Journalctl show me following errors:
What's wrong now? Previously all worked fine.
My system-auth file looks like this:
Code: Select all
auth required pam_env.so
auth sufficient pam_ldap.so try_first_pass ignore_authinfo_unavail ignore_unknown_user
auth requisite pam_faillock.so preauth
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
account sufficient pam_ldap.so
account required pam_unix.so
account required pam_faillock.so
account optional pam_permit.so
password required pam_passwdqc.so config=/etc/security/passwdqc.conf
password sufficient pam_ldap.so try_first_pass use_authok ignore_unknown_user ignore_authinf
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password optional pam_permit.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session required pam_limits.so
session required pam_env.so
#session required pam_ldap.so
session required pam_unix.so
session optional pam_permit.so
Code: Select all
Jun 09 16:44:25 fts sshd[4234]: pam_ldap(sshd:account): error opening connection to nslcd: No such file or directory
Jun 09 16:44:25 fts sshd[4234]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
regards,
Roland
Roland
Plz see my post
https://forums.gentoo.org/viewtopic-t-1127557.html
It involves installing sssd which is much better than nss-pam-ldapd.
You modify sssd.conf like this
https://forums.gentoo.org/viewtopic-t-1127557.html
It involves installing sssd which is much better than nss-pam-ldapd.
You modify sssd.conf like this
Code: Select all
id_provider = ldap
auth_provider = ldap
@alamahant
I tried your suggestion, installed sssd but couldn't login with ldap through vsftp
I have no idea how pam does work, so I need help from experience person
this is my system-auth:
and vsftp-ldap
When I try to login with FileZilla I see this error in journalctl:
this is my sssd.conf:
can anybody push me in the right direction?
I tried your suggestion, installed sssd but couldn't login with ldap through vsftp
I have no idea how pam does work, so I need help from experience person
this is my system-auth:
Code: Select all
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
#password requisite pam_pwquality.so config=/etc/security/passwdqc.conf try_first_pass local_users_only retry=3 authtok_type=
password required pam_passwdqc.so config=/etc/security/passwdqc.conf
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
Code: Select all
auth sufficient pam_sss.so forward_pass
account [default=bad success=ok user_unknown=ignore] pam_sss.so
password sufficient pam_sss.so use_authtok
session required pam_mkhomedir.so umask=0022 skel=/etc/vsftpd/skel
session optional pam_sss.so
Code: Select all
Jun 10 07:59:40 fts vsftpd[213742]: pam_sss(vsftpd-ldap:auth): Request to sssd failed. Connection refused
Code: Select all
[sssd]
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains =MY.DOMAIN.COM
[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out).
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For UNIX and map LDAP attributes onto
# msSFU30* attribute names.
[domain/MY.DOMAIN.COM]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://192.168.xxx.yyy
ldap_search_base = dc=my,dc=domain,dc=com
ldap_schema = rfc2307bis
dap_sasl_mech = GSSAPI
ldap_user_object_class = user
ldap_group_object_class = group
ldap_id_mapping =false
ldap_use_tokengroups = false
ldap_user_principal = userPrincipalName
krb5_realm = MY.DOMAIN.COM
krb5_ccname_template = KEYRING:persistent:%{uid}
regards,
Roland
Roland
Maybe
in sssd.conf
Also is this Gentoo machine the one that runs the openldap server and the kdc?or different?
Code: Select all
ldap_tls_reqcert = allow
Also is this Gentoo machine the one that runs the openldap server and the kdc?or different?
that's good! now I'm a little bit further. The error "connection refused" from pam_sss now is gone. In exchange for this, I have now following message in journalctl:ldap_tls_reqcert = allow
Code: Select all
Jun 10 11:11:40 fts vsftpd[7046]: pam_sss(vsftpd-ldap:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=gao rhost=10.84.7.51 user=gao
Jun 10 11:11:40 fts vsftpd[7046]: pam_sss(vsftpd-ldap:auth): received for user gao: 10 (User not known to the underlying authentication module)
No, the gentoo-box runs against a windows 2008 Domain Controller. Could this be a problem?Also is this Gentoo machine the one that runs the openldap server and the kdc?or different?
regards,
Roland
Roland
I know nothing about vsftp-ldap.
Login to Gentoo as root and run
In case you are desperate install a centos7 vm install sssd and use
to set your network auth against the windows dc
Then use the generated pam system-auth(or whatever it is named in centos) and sssd.conf in your Gentoo.
Let me know if you need help with authconfig.
Authconfig is fantastic in this respect.
Has your Gentoo client EVER worked?
How is your nsswitch.conf?
Login to Gentoo as root and run
Code: Select all
getent passwd <any-ldap-user>
Code: Select all
authconfig
Then use the generated pam system-auth(or whatever it is named in centos) and sssd.conf in your Gentoo.
Let me know if you need help with authconfig.
Authconfig is fantastic in this respect.
Has your Gentoo client EVER worked?
How is your nsswitch.conf?
@alamahant;
I tried without success. I searched the Internet and found out that the command getent passwd without <ldap-username> should print out all ldap-users. But this didn't also work for me. I think, my sssd configuration is wrong. What exactly do I need on my gentoo-box to authenticate a user through ldap/ad? I'm confused
My goal is to login on my gentoo-box with a ldap-user-account.
What I have is a Windows 2008 Server as a LDAP/AD Server, so I do not need a openldap server, right?. And the only thing that I need to emerge is sssd, right? Than I have to modify nsswitch.conf and pam (system-auth) to use sss, right?
Can anybody check my config-files?
/etc/nsswitch.conf
/etc/pam.d/system-auth
/etc/sssd/sssd.conf
I started the sssd service interactive so it should show me the log
Output is:
I see there are failure but could not interpret them.
getent passwd <any-ldap-user>
I tried without success. I searched the Internet and found out that the command getent passwd without <ldap-username> should print out all ldap-users. But this didn't also work for me. I think, my sssd configuration is wrong. What exactly do I need on my gentoo-box to authenticate a user through ldap/ad? I'm confused
Yes it did, but I used it with nslcd. I heard that sssd is newer and better than nslcd, is this right?Has your Gentoo client EVER worked?
My goal is to login on my gentoo-box with a ldap-user-account.
What I have is a Windows 2008 Server as a LDAP/AD Server, so I do not need a openldap server, right?. And the only thing that I need to emerge is sssd, right? Than I have to modify nsswitch.conf and pam (system-auth) to use sss, right?
Can anybody check my config-files?
/etc/nsswitch.conf
Code: Select all
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# Valid databases are: aliases, ethers, group, gshadow, hosts,
# initgroups, netgroup, networks, passwd, protocols, publickey,
# rpc, services, and shadow.
#
# Valid service provider entries include (in alphabetical order):
#
# compat Use /etc files plus *_compat pseudo-db
# db Use the pre-processed /var/db files
# dns Use DNS (Domain Name Service)
# files Use the local files in /etc
# hesiod Use Hesiod (DNS) for user lookups
#
# See `info libc 'NSS Basics'` for more information.
#
# Commonly used alternative service providers (may need installation):
#
# ldap Use LDAP directory server
# myhostname Use systemd host names
# mymachines Use systemd machine names
# mdns*, mdns*_minimal Use Avahi mDNS/DNS-SD
# resolve Use systemd resolved resolver
# sss Use System Security Services Daemon (sssd)
# systemd Use systemd for dynamic user option
# winbind Use Samba winbind support
# wins Use Samba wins support
# wrapper Use wrapper module for testing
#
# Notes:
#
# 'sssd' performs its own 'files'-based caching, so it should generally
# come before 'files'.
#
# WARNING: Running nscd with a secondary caching service like sssd may
# lead to unexpected behaviour, especially with how long
# entries are cached.
#
# Installation instructions:
#
# To use 'db', install the appropriate package(s) (provide 'makedb' and
# libnss_db.so.*), and place the 'db' in front of 'files' for entries
# you want to be looked up first in the databases, like this:
#
# passwd: db files
# shadow: db files
# group: db files
# In alphabetical order. Re-order as required to optimize peformance.
aliases: files
ethers: files
group: files sss
gshadow: files
hosts: files dns
# Allow initgroups to default to the setting for group.
netgroup: files sss
networks: files dns
passwd: files sss
protocols: files
publickey: files
rpc: files
shadow: files sss
services: files sss
automount: files sss
sudoers: files sss
Code: Select all
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
#password requisite pam_pwquality.so config=/etc/security/passwdqc.conf try_first_pass local_users_
password required pam_passwdqc.so config=/etc/security/passwdqc.conf
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
Code: Select all
[sssd]
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = MY.DOMAIN.COM
debug_level = 5
[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out).
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For UNIX and map LDAP attributes onto
# msSFU30* attribute names.
[domain/MY.DOMAIN.COM]
debug_level = 9
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://192.168.100.100
ldap_search_base = dc=my,dc=domain,dc=com
ldap_schema = rfc2307bis
ldap_sasl_mech = GSSAPI
ldap_user_object_class = user
ldap_group_object_class = group
ldap_id_mapping =false
ldap_use_tokengroups = false
ldap_tls_reqcert = allow
ldap_user_principal = userPrincipalName
krb5_realm = MY.DOMAIN.COM
krb5_ccname_template = KEYRING:persistent:%{uid}
Code: Select all
sssd -i -d 5
Code: Select all
(2021-06-11 8:01:58:620494): [sssd] [sss_ini_read_sssd_conf] (0x0100): File /etc/sssd/sssd.conf does not exist.
(2021-06-11 8:01:58:622278): [sssd] [confdb_init_db] (0x0100): LDIF file to import:
dn: cn=config
version: 2
dn: cn=sssd,cn=config
cn: sssd
config_file_version: 2
services: nss, pam
domains: MY.DOMAIN.COM
debug_level: 5
dn: cn=nss,cn=config
cn: nss
filter_groups: root
filter_users: root
reconnection_retries: 3
dn: cn=pam,cn=config
cn: pam
reconnection_retries: 3
dn: cn=MY.DOMAIN.COM,cn=domain,cn=config
cn: MY.DOMAIN.COM
debug_level: 9
id_provider: ldap
auth_provider: ldap
chpass_provider: ldap
ldap_uri: ldap://192.168.100.100
ldap_search_base: dc=my,dc=domain,dc=com
ldap_schema: rfc2307bis
ldap_sasl_mech: GSSAPI
ldap_user_object_class: user
ldap_group_object_class: group
ldap_id_mapping: false
ldap_use_tokengroups: false
ldap_tls_reqcert: allow
ldap_user_principal: userPrincipalName
krb5_realm: MY.DOMAIN.COM
krb5_ccname_template: KEYRING:persistent:%{uid}
(2021-06-11 8:01:58:625429): [sssd] [confdb_ensure_files_domain] (0x0100): The implicit files domain is disabled
(2021-06-11 8:01:58:625697): [sssd] [become_user] (0x0200): Trying to become user [0][0].
(2021-06-11 8:01:58:625715): [sssd] [become_user] (0x0200): Already user [0].
(2021-06-11 8:01:58): [sssd] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(2021-06-11 8:01:58): [sssd] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11 8:01:58): [sssd] [sysdb_domain_init_internal] (0x0200): DB File for MY.DOMAIN.COM: /var/lib/sss/db/cache_MY.DOMAIN.COM.ldb
(2021-06-11 8:01:58): [sssd] [sysdb_domain_init_internal] (0x0200): Timestamp file for MY.DOMAIN.COM: /var/lib/sss/db/timestamps_MY.DOMAIN.COM.ldb
(2021-06-11 8:01:58): [sssd] [sbus_server_new_connection] (0x0200): Adding connection 0x5585f62560a0.
(2021-06-11 8:01:58): [sssd] [sbus_signal_handler] (0x0020): We do not listen to this signal!
(2021-06-11 8:01:58): [sssd] [sbus_signal_handler] (0x0020): We do not listen to this signal!
(2021-06-11 8:01:58): [sssd] [start_service] (0x0100): Queueing service MY.DOMAIN.COM for startup
(2021-06-11 8:01:58:633512): [sssd] [become_user] (0x0200): Trying to become user [0][0].
(2021-06-11 8:01:58:633572): [sssd] [become_user] (0x0200): Already user [0].
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [be_res_get_opts] (0x0100): Lookup order: ipv4_first
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sysdb_domain_init_internal] (0x0200): DB File for MY.DOMAIN.COM: /var/lib/sss/db/cache_MY.DOMAIN.COM.ldb
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sysdb_domain_init_internal] (0x0200): Timestamp file for MY.DOMAIN.COM: /var/lib/sss/db/timestamps_MY.DOMAIN.COM.ldb
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11 8:01:58): [sssd] [sysdb_domain_init_internal] (0x0200): DB File for MY.DOMAIN.COM: /var/lib/sss/db/cache_MY.DOMAIN.COM.ldb
(2021-06-11 8:01:58): [sssd] [sysdb_domain_init_internal] (0x0200): Timestamp file for MY.DOMAIN.COM: /var/lib/sss/db/timestamps_MY.DOMAIN.COM.ldb
(2021-06-11 8:01:58): [sssd] [sbus_server_new_connection] (0x0200): Adding connection 0x5585f62560a0.
(2021-06-11 8:01:58): [sssd] [sbus_signal_handler] (0x0020): We do not listen to this signal!
(2021-06-11 8:01:58): [sssd] [sbus_signal_handler] (0x0020): We do not listen to this signal!
(2021-06-11 8:01:58): [sssd] [start_service] (0x0100): Queueing service MY.DOMAIN.COM for startup
(2021-06-11 8:01:58:633512): [sssd] [become_user] (0x0200): Trying to become user [0][0].
(2021-06-11 8:01:58:633572): [sssd] [become_user] (0x0200): Already user [0].
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [be_res_get_opts] (0x0100): Lookup order: ipv4_first
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sysdb_domain_init_internal] (0x0200): DB File for MY.DOMAIN.COM: /var/lib/sss/db/cache_MY.DOMAIN.COM.ldb
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sysdb_domain_init_internal] (0x0200): Timestamp file for MY.DOMAIN.COM: /var/lib/sss/db/timestamps_MY.DOMAIN.COM.ldb
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sbus_server_new_connection] (0x0200): Adding connection 0x55d1bfb7cd30.
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sbus_signal_handler] (0x0020): We do not listen to this signal!
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sbus_signal_handler] (0x0020): We do not listen to this signal!
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [id]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [auth]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [permit] provider for [access]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [chpass]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [sudo]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [autofs]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [selinux]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [hostid]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [subdomains]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [session]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [resolver]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [USER][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [GROUP][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [HOST][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [IPHOST][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [IPNETWORK][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [krb5_try_kdcip] (0x0100): No KDC found in configuration, trying legacy option
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [get_sdap_service] (0x0100): Service name for discovery set to ldap
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [krb5_service_new] (0x0100): write_kdcinfo for realm MY.DOMAIN.COM set to true
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [krb5_service_init] (0x0100): No primary servers defined, using service discovery
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sysdb_idmap_get_mappings] (0x0080): Could not locate ID mappings: [Datei oder Verzeichnis nicht gefunden]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sssm_ldap_sudo_init] (0x0080): Sudo init handler called but SSSD is built without sudo support, ignoring
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [ldap_get_autofs_options] (0x0200): Option ldap_autofs_search_base set to dc=my,dc=domain,dc=com
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [dp_target_init] (0x0100): Target [selinux] is not supported by module [ldap].
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [dp_target_init] (0x0100): Target [subdomains] is not supported by module [ldap].
(2021-06-11 8:01:58): [sssd] [sbus_server_new_connection] (0x0200): Adding connection 0x5585f6272d60.
(2021-06-11 8:01:58): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.2' from table
(2021-06-11 8:01:58): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.domain_MY_2eDOMAIN_2eCOM' from table
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [become_user] (0x0200): Trying to become user [0][0].
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [become_user] (0x0200): Already user [0].
(2021-06-11 8:01:58): [sssd] [monitor_sbus_RegisterService] (0x0100): Received ID registration: (%BE_MY.DOMAIN.COM,1)
(2021-06-11 8:01:58): [sssd] [mark_service_as_started] (0x0200): Marking MY.DOMAIN.COM as started.
(2021-06-11 8:01:58): [sssd] [mark_service_as_started] (0x0100): Now starting services!
(2021-06-11 8:01:58): [sssd] [start_service] (0x0100): Queueing service nss for startup
(2021-06-11 8:01:58): [sssd] [start_service] (0x0100): Queueing service pam for startup
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sss_monitor_service_init_done] (0x0100): Got id ack and version (1) from Monitor
(2021-06-11 8:01:58:671473): [sssd] [become_user] (0x0200): Trying to become user [0][0].
(2021-06-11 8:01:58:671521): [sssd] [become_user] (0x0200): Already user [0].
(2021-06-11 8:01:58:671850): [sssd] [become_user] (0x0200): Trying to become user [0][0].
(2021-06-11 8:01:58:671895): [sssd] [become_user] (0x0200): Already user [0].
(2021-06-11 8:01:58): [nss] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(2021-06-11 8:01:58): [nss] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11 8:01:58): [pam] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(2021-06-11 8:01:58): [pam] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sbus_server_new_connection] (0x0200): Adding connection 0x55d1bfbabb80.
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [dp_client_init] (0x0100): Set-up Backend ID timeout [0x55d1bfb9be40]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sbus_server_new_connection] (0x0200): Adding connection 0x55d1bfbadf80.
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [dp_client_init] (0x0100): Set-up Backend ID timeout [0x55d1bfb7c440]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.2' from table
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table
(2021-06-11 8:01:58(2021-06-11 8:01:58): [pam] [sysdb_domain_init_internal] (0x0200): DB File for MY.DOMAIN.COM: /var/lib/sss/db/cache_MY.DOMAIN.COM.ldb
(2021-06-11 8:01:58): [pam] [sysdb_domain_init_internal] (0x0200): Timestamp file for MY.DOMAIN.COM: /var/lib/sss/db/timestamps_MY.DOMAIN.COM.ldb
(2021-06-11 8:01:58): [nss] [sysdb_domain_init_internal] (0x0200): DB File for MY.DOMAIN.COM: /var/lib/sss/db/cache_MY.DOMAIN.COM.ldb
(2021-06-11 8:01:58): [nss] [sysdb_domain_init_internal] (0x0200): Timestamp file for MY.DOMAIN.COM: /var/lib/sss/db/timestamps_MY.DOMAIN.COM.ldb
(2021-06-11 8:01:58): [pam] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(2021-06-11 8:01:58): [pam] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
(2021-06-11 8:01:58): [pam] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11 8:01:58): [pam] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11 8:01:58): [pam] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [dp_client_register] (0x0100): Added Frontend client [pam]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [dp_client_register] (0x0100): Cancel DP ID timeout [0x55d1bfb7c440]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.2' from table
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table
(2021-06-11 8:01:58(2021-06-11 8:01:58): [pam] [sysdb_domain_init_internal] (0x0200): DB File for MY.DOMAIN.COM: /var/lib/sss/db/cache_MY.DOMAIN.COM.ldb
(2021-06-11 8:01:58): [pam] [sysdb_domain_init_internal] (0x0200): Timestamp file for MY.DOMAIN.COM: /var/lib/sss/db/timestamps_MY.DOMAIN.COM.ldb
(2021-06-11 8:01:58): [nss] [sysdb_domain_init_internal] (0x0200): DB File for MY.DOMAIN.COM: /var/lib/sss/db/cache_MY.DOMAIN.COM.ldb
(2021-06-11 8:01:58): [nss] [sysdb_domain_init_internal] (0x0200): Timestamp file for MY.DOMAIN.COM: /var/lib/sss/db/timestamps_MY.DOMAIN.COM.ldb
(2021-06-11 8:01:58): [pam] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(2021-06-11 8:01:58): [pam] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
(2021-06-11 8:01:58): [pam] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11 8:01:58): [pam] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11 8:01:58): [pam] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [dp_client_register] (0x0100): Added Frontend client [pam]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [dp_client_register] (0x0100): Cancel DP ID timeout [0x55d1bfb7c440]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [dp_client_register] (0x0100): Added Frontend client [nss]
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [dp_client_register] (0x0100): Cancel DP ID timeout [0x55d1bfb9be40]
(2021-06-11 8:01:58): [sssd] [sbus_server_new_connection] (0x0200): Adding connection 0x5585f62790c0.
(2021-06-11 8:01:58): [nss] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(2021-06-11 8:01:58): [nss] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11 8:01:58): [nss] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11 8:01:58): [nss] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11 8:01:58): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table
(2021-06-11 8:01:58): [nss] [sss_mmap_cache_init] (0x0100): Fast 'PASSWD' mmap cache: timeout = 300, slots = 209712
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
(2021-06-11 8:01:58): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [dp_find_method] (0x0100): Target [subdomains] is not initialized
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getDomains: Error [1432158215]: DP target is not configured
(2021-06-11 8:01:58): [pam] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11 8:01:58): [pam] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11 8:01:58): [pam] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11 8:01:58): [pam] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11 8:01:58): [sssd] [monitor_sbus_RegisterService] (0x0100): Received ID registration: (pam,1)
(2021-06-11 8:01:58): [sssd] [mark_service_as_started] (0x0200): Marking pam as started.
(2021-06-11 8:01:58): [pam] [sss_monitor_service_init_done] (0x0100): Got id ack and version (1) from Monitor
(2021-06-11 8:01:58): [nss] [sss_mmap_cache_init] (0x0100): Fast 'GROUP' mmap cache: timeout = 300, slots = 157284
(2021-06-11 8:01:58): [nss] [sss_mmap_cache_init] (0x0100): Fast 'INITGROUPS' mmap cache: timeout = 300, slots = 262140
(2021-06-11 8:01:58): [nss] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(2021-06-11 8:01:58): [sssd] [sbus_server_new_connection] (0x0200): Adding connection 0x5585f627e880.
(2021-06-11 8:01:58): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.4' from table
(2021-06-11 8:01:58): [pam] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.4' from table
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.4' from table
(2021-06-11 8:01:58): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
(2021-06-11 8:01:58): [pam] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [dp_find_method] (0x0100): Target [subdomains] is not initialized
(2021-06-11 8:01:58): [be[MY.DOMAIN.COM]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getDomains: Error [1432158215]: DP target is not configured
(2021-06-11 8:01:58): [nss] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11 8:01:58): [nss] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11 8:01:58): [nss] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11 8:01:58): [nss] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11 8:01:58): [sssd] [monitor_sbus_RegisterService] (0x0100): Received ID registration: (nss,1)
(2021-06-11 8:01:58): [sssd] [mark_service_as_started] (0x0200): Marking nss as started.
(2021-06-11 8:01:58): [nss] [sss_monitor_service_init_done] (0x0100): Got id ack and version (1) from Monitor
regards,
Roland
Roland
Gentoo has to use the window dns server in /etc/resolv.conf
Try this
From Gentoo
Ideally it should ask for Admin password and print all DIT.
If not then the Windows AD ldap uses crazy formats and you will have to modify yourr sssd.conf accordingly.
Try also cn=Manager or try to find out what is the name of ldap administartative account in windows.
Try this
From Gentoo
Code: Select all
ldapsearch -x -D "cn=Administrator,dc=my,dc=domain" -H "ldap://<fqdn-or-ip-of-windows>/" -b "dc=my,dc=domain" -W
If not then the Windows AD ldap uses crazy formats and you will have to modify yourr sssd.conf accordingly.
Try also cn=Manager or try to find out what is the name of ldap administartative account in windows.
good hint! I changed this so sssd now could find my dc. Now when I started sssd new interactively with debug-level 4 I see following:Gentoo has to use the window dns server in /etc/resolv.conf
Code: Select all
sssd -i -d 4
(2021-06-11 11:44:04:144893): [sssd] [sss_ini_read_sssd_conf] (0x0100): File /etc/sssd/sssd.conf does not exist.
(2021-06-11 11:44:04:146705): [sssd] [confdb_init_db] (0x0100): LDIF file to import:
dn: cn=config
version: 2
dn: cn=sssd,cn=config
cn: sssd
config_file_version: 2
services: nss, pam
domains: MY.DOMAIN.COM
debug_level: 5
dn: cn=nss,cn=config
cn: nss
filter_groups: root
filter_users: root
reconnection_retries: 3
dn: cn=pam,cn=config
cn: pam
reconnection_retries: 3
dn: cn=MY.DOMAIN.COM,cn=domain,cn=config
cn: MY.DOMAIN.COM
debug_level: 9
enumerate: true
id_provider: ldap
auth_provider: ldap
chpass_provider: ldap
ldap_uri: ldap://dc-1.MY.DOMAIN.COM
ldap_search_base: dc=my,dc=domain,dc=com
ldap_schema: rfc2307bis
ldap_user_object_class: user
ldap_group_object_class: group
ldap_id_mapping: false
ldap_use_tokengroups: false
ldap_tls_reqcert: allow
(2021-06-11 11:44:04:150137): [sssd] [confdb_ensure_files_domain] (0x0100): The implicit files domain is disabled
(2021-06-11 11:44:04): [sssd] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(2021-06-11 11:44:04): [sssd] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11 11:44:04): [sssd] [sbus_signal_handler] (0x0020): We do not listen to this signal!
(2021-06-11 11:44:04): [sssd] [sbus_signal_handler] (0x0020): We do not listen to this signal!
(2021-06-11 11:44:04): [sssd] [start_service] (0x0100): Queueing service MY.DOMAIN.COM for startup
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [be_res_get_opts] (0x0100): Lookup order: ipv4_first
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sbus_signal_handler] (0x0020): We do not listen to this signal!
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sbus_signal_handler] (0x0020): We do not listen to this signal!
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [id]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [auth]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [permit] provider for [access]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [chpass]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [sudo]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [autofs]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [selinux]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [hostid]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [subdomains]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [session]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [resolver]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [USER][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [GROUP][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [HOST][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [IPHOST][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [IPNETWORK][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [krb5_try_kdcip] (0x0100): No KDC found in configuration, trying legacy option
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [get_sdap_service] (0x0100): Service name for discovery set to ldap
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sysdb_idmap_get_mappings] (0x0080): Could not locate ID mappings: [Datei oder Verzeichnis nicht gefunden]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sssm_ldap_sudo_init] (0x0080): Sudo init handler called but SSSD is built without sudo support, ignoring
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_target_init] (0x0100): Target [selinux] is not supported by module [ldap].
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_target_init] (0x0100): Target [subdomains] is not supported by module [ldap].
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_target_init] (0x0100): Target [session] is not supported by module [ldap].
(2021-06-11 11:44:04): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.2' from table
(2021-06-11 11:44:04): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.domain_MY_2eDOMAIN_2eCOM' from table
(2021-06-11 11:44:04): [sssd] [monitor_sbus_RegisterService] (0x0100): Received ID registration: (%BE_MY.DOMAIN.COM,1)
(2021-06-11 11:44:04): [sssd] [mark_service_as_started] (0x0100): Now starting services!
(2021-06-11 11:44:04): [sssd] [start_service] (0x0100): Queueing service nss for startup
(2021-06-11 11:44:04): [sssd] [start_service] (0x0100): Queueing service pam for startup
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_monitor_service_init_done] (0x0100): Got id ack and version (1) from Monitor
(2021-06-11 11:44:04): [nss] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(2021-06-11 11:44:04): [nss] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_client_init] (0x0100): Set-up Backend ID timeout [0x558025570d70]
(2021-06-11 11:44:04): [pam] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(2021-06-11 11:44:04): [pam] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_client_init] (0x0100): Set-up Backend ID timeout [0x558025577b40]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.2' from table
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_client_register] (0x0100): Added Frontend client [nss]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_client_register] (0x0100): Cancel DP ID timeout [0x558025570d70]
(2021-06-11 11:44:04): [nss] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(2021-06-11 11:44:04): [nss] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11 11:44:04): [pam] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(2021-06-11 11:44:04): [pam] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11 11:44:04): [pam] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_client_register] (0x0100): Added Frontend client [pam]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_client_register] (0x0100): Cancel DP ID timeout [0x558025577b40]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table
(2021-06-11 11:44:04): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table
(2021-06-11 11:44:04(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_find_method] (0x0100): Target [subdomains] is not initialized
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getDomains: Error [1432158215]: DP target is not configured
(2021-06-11 11:44:04): [sssd] [monitor_sbus_RegisterService] (0x0100): Received ID registration: (pam,1)
(2021-06-11 11:44:04): [pam] [sss_monitor_service_init_done] (0x0100): Got id ack and version (1) from Monitor
(2021-06-11 11:44:04): [nss] [sss_mc_destroy_file] (0x0010): Failed to lock file /var/lib/sss/mc/passwd.
(2021-06-11 11:44:04): [nss] [sss_mmap_cache_init] (0x0100): Fast 'PASSWD' mmap cache: timeout = 300, slots = 209712
(2021-06-11 11:44:04): [nss] [sss_mc_destroy_file] (0x0010): Failed to lock file /var/lib/sss/mc/group.
(2021-06-11 11:44:04): [nss] [sss_mmap_cache_init] (0x0100): Fast 'GROUP' mmap cache: timeout = 300, slots = 157284
(2021-06-11 11:44:04): [nss] [sss_mc_destroy_file] (0x0010): Failed to lock file /var/lib/sss/mc/initgroups.
(2021-06-11 11:44:04): [nss] [sss_mmap_cache_init] (0x0100): Fast 'INITGROUPS' mmap cache: timeout = 300, slots = 262140
(2021-06-11 11:44:04): [nss] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(2021-06-11 11:44:04): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.4' from table
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.4' from table
(2021-06-11 11:44:04): [pam] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.4' from table
(2021-06-11 11:44:04): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_find_method] (0x0100): Target [subdomains] is not initialized
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getDomains: Error [1432158215]: DP target is not configured
(2021-06-11 11:44:04): [pam] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
(2021-06-11 11:44:04): [sssd] [monitor_sbus_RegisterService] (0x0100): Received ID registration: (nss,1)
(2021-06-11 11:44:04): [nss] [sss_monitor_service_init_done] (0x0100): Got id ack and version (1) from Monitor
(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'dc-1.MY.DOMAIN.COM' in files
(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [set_server_common_status] (0x0100): Marking server 'dc-1.MY.DOMAIN.COM' as 'resolving name'
(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'dc-1.MY.DOMAIN.COM' in files
(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'dc-1.MY.DOMAIN.COM' in DNS
(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [set_server_common_status] (0x0100): Marking server 'dc-1.MY.DOMAIN.COM' as 'name resolved'
(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [sdap_set_search_base] (0x0100): Setting option [ldap_sudo_search_base] to [dc=my,dc=domain,dc=com].
(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [SUDO][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4]
(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [sdap_get_server_opts_from_rootdse] (0x0100): Will look for schema at [CN=Schema,CN=Configuration,dc=my,dc=domain,dc=com]
(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dc-1.MY.DOMAIN.COM' as 'working'
(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [set_server_common_status] (0x0100): Marking server 'dc-1.MY.DOMAIN.COM' as 'working'
(2021-06-11 11:44:29): [nss] [get_client_cred] (0x0080): The following failure is expected to happen in case SELinux is disabled:
SELINUX_getpeercon failed [95][Die Operation wird nicht unterstützt].
Please, consider enabling SELinux in your system.
(2021-06-11 11:44:29): [nss] [nss_endent] (0x0100): Resetting enumeration state
(2021-06-11 11:44:42): [nss] [get_client_cred] (0x0080): The following failure is expected to happen in case SELinux is disabled:
SELINUX_getpeercon failed [95][Die Operation wird nicht unterstützt].
Please, consider enabling SELinux in your system.
(2021-06-11 11:44:52): [nss] [get_client_cred] (0x0080): The following failure is expected to happen in case SELinux is disabled:
SELINUX_getpeercon failed [95][Die Operation wird nicht unterstützt].
Please, consider enabling SELinux in your system.
this gave me following error:ldapsearch -x -D "cn=Administrator,dc=my,dc=domain" -H "ldap://<fqdn-or-ip-of-windows>/" -b "dc=my,dc=domain" -W
Code: Select all
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1
I put the command
Code: Select all
# sssctl domain-list
MY.DOMAIN.COM Code: Select all
# sssctl domain-status MY.DOMAIN.COM
Online status: Online
Active servers:
LDAP: dc-1.my.domain.com
Discovered LDAP servers:
- dc-1.my.domain.comDoes you have further good tips?
regards,
Roland
Roland
You are having trouble because the windows ad ldap is stupid and behaves differently than linux.
Windows is stupid period.
Maybe go back to using
nss-pam-ldapd
following this
https://www.server-world.info/en/note?o ... enldap&f=8
Windows is stupid period.
Maybe go back to using
nss-pam-ldapd
following this
https://www.server-world.info/en/note?o ... enldap&f=8
Plz if still in sssd try WITHOUT these
and add also
in addition to what you have already.
Better NOT use ip.
Code: Select all
ldap_schema = rfc2307bis
ldap_sasl_mech = GSSAPI
ldap_user_object_class = user
ldap_group_object_class = group
ldap_id_mapping =false
ldap_use_tokengroups = false
ldap_user_principal = userPrincipalName
Code: Select all
krb5_server = <fqdn-of-windows>
ldap_tls_cacertdir = /etc/ssl/certs/ca-certificates.crt
ldap_uri = ldap://<fqdn-of-windows>/
krb5_kpasswd = <fqdn-of-windows>
Better NOT use ip.