Gentoo Forums
Networking & Security
URGENT: I cannot Login into my system!
ROGA (Apprentice, Zurich, Switzerland)
Posted: Wed Jun 09, 2021 7:34 am    Post subject: URGENT: I cannot Login into my system!

Hi,

I hope anyone can help solve my problem. I don't know what happened exactly, but after a reboot of my virtual Gentoo box I'm no longer able to log in locally or remotely to my Gentoo system.

I booted with a live CD and then chrooted into my box. journalctl didn't show me a hint…

What more can I do?

Any help is welcome.
_________________
regards,

Roland
alamahant (Advocate)
Posted: Wed Jun 09, 2021 9:00 am

Please try
Code:

passwd root
passwd <your-user>

from the chroot.
_________________
:)
ROGA (Apprentice, Zurich, Switzerland)
Posted: Wed Jun 09, 2021 9:49 am

I tried this also, but no success. I created a new user and had the same result. I get no error message during login. After I enter the password for root, a text appears with my last login date and time, and immediately the login prompt appears again.
_________________
regards,

Roland
toralf (Developer, Hamburg)
Posted: Wed Jun 09, 2021 10:03 am

Did you by accident put an "exit" in your .bashrc or so?
ROGA (Apprentice, Zurich, Switzerland)
Posted: Wed Jun 09, 2021 11:03 am

Quote:
Did you by accident put an "exit" in your .bashrc or so?

No, I didn't change anything in .bashrc.
_________________
regards,

Roland
Irre (Guru, Stockholm)
Posted: Wed Jun 09, 2021 1:20 pm

I had problems with VirtualBox on Windows 7, but not on Windows 10. After a recent update everything except USB works fine again, even under Windows 7. I run Gentoo, Arch Linux and Windows 10 in VirtualBox under Windows 10 and 7.
ROGA (Apprentice, Zurich, Switzerland)
Posted: Wed Jun 09, 2021 2:52 pm

I found out that the problem seems to be with PAM. I edited system-auth and commented out "session required pam_ldap.so", and after that I could log in locally. But this is not my desired solution, because I need LDAP auth on this system.

My system-auth file looks like this:

Code:
auth            required                        pam_env.so
auth            sufficient                      pam_ldap.so try_first_pass ignore_authinfo_unavail ignore_unknown_user
auth            requisite                       pam_faillock.so preauth
auth            [success=1 default=ignore]      pam_unix.so nullok  try_first_pass
auth            [default=die]                   pam_faillock.so authfail
auth            optional                        pam_permit.so

account         sufficient                      pam_ldap.so
account         required                        pam_unix.so
account         required                        pam_faillock.so
account         optional                        pam_permit.so

password        required                        pam_passwdqc.so config=/etc/security/passwdqc.conf
password        sufficient                      pam_ldap.so try_first_pass use_authok ignore_unknown_user ignore_authinf
password        required                        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        optional                        pam_permit.so

session         required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
session         required                        pam_limits.so
session         required                        pam_env.so
#session                required                        pam_ldap.so
session         required                        pam_unix.so
session         optional                        pam_permit.so


journalctl shows me the following errors:

Code:

Jun 09 16:44:25 fts sshd[4234]: pam_ldap(sshd:account): error opening connection to nslcd: No such file or directory
Jun 09 16:44:25 fts sshd[4234]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)


What's wrong now? Previously everything worked fine.
_________________
regards,

Roland
alamahant (Advocate)
Posted: Wed Jun 09, 2021 5:24 pm

Please see my post
https://forums.gentoo.org/viewtopic-t-1127557.html
It involves installing sssd, which is much better than nss-pam-ldapd.
You modify sssd.conf like this:
Code:

id_provider = ldap
auth_provider = ldap

_________________
:)
ROGA (Apprentice, Zurich, Switzerland)
Posted: Thu Jun 10, 2021 6:24 am

@alamahant

I tried your suggestion and installed sssd, but I couldn't log in with LDAP through vsftp.

I have no idea how PAM works, so I need help from an experienced person.

This is my system-auth:

Code:

auth            required                                        pam_env.so
auth            required                                        pam_faildelay.so delay=2000000
auth            [default=1 ignore=ignore success=ok]            pam_succeed_if.so uid >= 1000 quiet
auth            [default=1 ignore=ignore success=ok]            pam_localuser.so
auth            sufficient                                      pam_unix.so nullok try_first_pass
auth            requisite                                       pam_succeed_if.so uid >= 1000 quiet_success
auth            sufficient                                      pam_sss.so forward_pass
auth            required                                        pam_deny.so

account         required                                        pam_unix.so broken_shadow
account         sufficient                                      pam_localuser.so
account         sufficient                                      pam_succeed_if.so uid < 1000 quiet
account         [default=bad success=ok user_unknown=ignore]    pam_sss.so
account         required                                        pam_permit.so

#password       requisite                                       pam_pwquality.so config=/etc/security/passwdqc.conf try_first_pass local_users_only retry=3 authtok_type=
password        required                                        pam_passwdqc.so config=/etc/security/passwdqc.conf
password        sufficient                                      pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password        sufficient                                      pam_sss.so use_authtok
password        required                                        pam_deny.so

session         optional                                        pam_keyinit.so revoke
session         required                                        pam_limits.so
-session        optional                                        pam_systemd.so
session         optional                                        pam_mkhomedir.so skel=/etc/skel/ umask=0077
session         [success=1 default=ignore]                      pam_succeed_if.so service in crond quiet use_uid
session         required                                        pam_unix.so
session         optional                                        pam_sss.so
session         required                                        pam_mkhomedir.so umask=0022 skel=/etc/skel


and vsftp-ldap:

Code:

auth            sufficient                                              pam_sss.so forward_pass

account         [default=bad success=ok user_unknown=ignore]            pam_sss.so

password        sufficient                                              pam_sss.so use_authtok

session         required                                                pam_mkhomedir.so umask=0022 skel=/etc/vsftpd/skel
session         optional                                                pam_sss.so


When I try to login with FileZilla I see this error in journalctl:

Code:

Jun 10 07:59:40 fts vsftpd[213742]: pam_sss(vsftpd-ldap:auth): Request to sssd failed. Connection refused


this is my sssd.conf:

Code:

[sssd]
config_file_version = 2
services = nss, pam

# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.

 domains =MY.DOMAIN.COM

[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out).

filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3


# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For UNIX and map LDAP attributes onto
# msSFU30* attribute names.

[domain/MY.DOMAIN.COM]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

ldap_uri = ldap://192.168.xxx.yyy
ldap_search_base = dc=my,dc=domain,dc=com
ldap_schema = rfc2307bis
dap_sasl_mech = GSSAPI
ldap_user_object_class = user
ldap_group_object_class = group
ldap_id_mapping =false
ldap_use_tokengroups = false
ldap_user_principal = userPrincipalName
krb5_realm = MY.DOMAIN.COM
krb5_ccname_template = KEYRING:persistent:%{uid}


Can anybody push me in the right direction?
_________________
regards,

Roland
alamahant (Advocate)
Posted: Thu Jun 10, 2021 8:17 am

Maybe
Code:

ldap_tls_reqcert = allow

in sssd.conf
Also, is this Gentoo machine the one that runs the OpenLDAP server and the KDC, or a different one?
_________________
:)
ROGA (Apprentice, Zurich, Switzerland)
Posted: Thu Jun 10, 2021 9:20 am

Quote:
ldap_tls_reqcert = allow


That's good! Now I'm a little bit further. The "connection refused" error from pam_sss is now gone. Instead, I now have the following message in journalctl:

Code:

Jun 10 11:11:40 fts vsftpd[7046]: pam_sss(vsftpd-ldap:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=gao rhost=10.84.7.51 user=gao
Jun 10 11:11:40 fts vsftpd[7046]: pam_sss(vsftpd-ldap:auth): received for user gao: 10 (User not known to the underlying authentication module)


Quote:
Also, is this Gentoo machine the one that runs the OpenLDAP server and the KDC, or a different one?


No, the Gentoo box runs against a Windows 2008 Domain Controller. Could this be a problem?
_________________
regards,

Roland
alamahant (Advocate)
Posted: Thu Jun 10, 2021 9:55 am

I know nothing about vsftp-ldap.
Log in to Gentoo as root and run
Code:

getent passwd <any-ldap-user>

In case you are desperate, install a CentOS 7 VM, install sssd and use
Code:

authconfig

to set up your network auth against the Windows DC.
Then use the generated PAM system-auth (or whatever it is named in CentOS) and sssd.conf in your Gentoo.
Let me know if you need help with authconfig.
Authconfig is fantastic in this respect.
Has your Gentoo client EVER worked?
How is your nsswitch.conf?
_________________
:)
ROGA (Apprentice, Zurich, Switzerland)
Posted: Fri Jun 11, 2021 6:18 am

@alamahant:

Quote:
getent passwd <any-ldap-user>


I tried it without success. I searched the Internet and found out that the command getent passwd without <ldap-username> should print out all LDAP users. But this didn't work for me either. I think my sssd configuration is wrong. What exactly do I need on my Gentoo box to authenticate a user through LDAP/AD? I'm confused :-(

Quote:

Has your Gentoo client EVER worked?


Yes, it did, but I used it with nslcd. I heard that sssd is newer and better than nslcd, is this right?

My goal is to log in on my Gentoo box with an LDAP user account.

What I have is a Windows 2008 Server as an LDAP/AD server, so I do not need an OpenLDAP server, right? And the only thing that I need to emerge is sssd, right? Then I have to modify nsswitch.conf and PAM (system-auth) to use sss, right?

Can anybody check my config-files?

/etc/nsswitch.conf

Code:

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# Valid databases are: aliases, ethers, group, gshadow, hosts,
# initgroups, netgroup, networks, passwd, protocols, publickey,
# rpc, services, and shadow.
#
# Valid service provider entries include (in alphabetical order):
#
#       compat                  Use /etc files plus *_compat pseudo-db
#       db                      Use the pre-processed /var/db files
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files in /etc
#       hesiod                  Use Hesiod (DNS) for user lookups
#
# See `info libc 'NSS Basics'` for more information.
#
# Commonly used alternative service providers (may need installation):
#
#       ldap                    Use LDAP directory server
#       myhostname              Use systemd host names
#       mymachines              Use systemd machine names
#       mdns*, mdns*_minimal    Use Avahi mDNS/DNS-SD
#       resolve                 Use systemd resolved resolver
#       sss                     Use System Security Services Daemon (sssd)
#       systemd                 Use systemd for dynamic user option
#       winbind                 Use Samba winbind support
#       wins                    Use Samba wins support
#       wrapper                 Use wrapper module for testing
#
# Notes:
#
# 'sssd' performs its own 'files'-based caching, so it should generally
# come before 'files'.
#
# WARNING: Running nscd with a secondary caching service like sssd may
#          lead to unexpected behaviour, especially with how long
#          entries are cached.
#
# Installation instructions:
#
# To use 'db', install the appropriate package(s) (provide 'makedb' and
# libnss_db.so.*), and place the 'db' in front of 'files' for entries
# you want to be looked up first in the databases, like this:
#
# passwd:       db      files
# shadow:       db      files
# group:        db      files


# In alphabetical order. Re-order as required to optimize peformance.
aliases:        files
ethers:         files
group:          files   sss
gshadow:        files
hosts:          files   dns

# Allow initgroups to default to the setting for group.
netgroup:       files   sss
networks:       files   dns
passwd:         files   sss
protocols:      files
publickey:      files
rpc:            files
shadow:         files   sss
services:       files   sss
automount:      files   sss
sudoers:        files   sss


/etc/pam.d/system-auth

Code:

auth            required                                        pam_env.so
auth            required                                        pam_faildelay.so delay=2000000
auth            [default=1 ignore=ignore success=ok]            pam_succeed_if.so uid >= 1000 quiet
auth            [default=1 ignore=ignore success=ok]            pam_localuser.so
auth            sufficient                                      pam_unix.so nullok try_first_pass
auth            requisite                                       pam_succeed_if.so uid >= 1000 quiet_success
auth            sufficient                                      pam_sss.so forward_pass
auth            sufficient                                      pam_sss.so use_first_pass
auth            required                                        pam_deny.so

account         required                                        pam_unix.so broken_shadow
account         sufficient                                      pam_localuser.so
account         sufficient                                      pam_succeed_if.so uid < 1000 quiet
account         [default=bad success=ok user_unknown=ignore]    pam_sss.so
account         required                                        pam_permit.so

#password       requisite                                       pam_pwquality.so config=/etc/security/passwdqc.conf try_first_pass local_users_
password        required                                        pam_passwdqc.so config=/etc/security/passwdqc.conf
password        sufficient                                      pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password        sufficient                                      pam_sss.so use_authtok
password        required                                        pam_deny.so

session         optional                                        pam_keyinit.so revoke
session         required                                        pam_limits.so
-session        optional                                        pam_systemd.so
session         optional                                        pam_mkhomedir.so skel=/etc/skel/ umask=0077
session         [success=1 default=ignore]                      pam_succeed_if.so service in crond quiet use_uid
session         required                                        pam_unix.so
session         optional                                        pam_sss.so
session         required                                        pam_mkhomedir.so umask=0022 skel=/etc/skel


/etc/sssd/sssd.conf

Code:

[sssd]
config_file_version = 2
services = nss, pam

# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.

domains = MY.DOMAIN.COM

debug_level = 5

[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out).

filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3


# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For UNIX and map LDAP attributes onto
# msSFU30* attribute names.

[domain/MY.DOMAIN.COM]
debug_level = 9
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

ldap_uri = ldap://192.168.100.100
ldap_search_base = dc=my,dc=domain,dc=com
ldap_schema = rfc2307bis
ldap_sasl_mech = GSSAPI
ldap_user_object_class = user
ldap_group_object_class = group
ldap_id_mapping =false
ldap_use_tokengroups = false
ldap_tls_reqcert = allow
ldap_user_principal = userPrincipalName
krb5_realm = MY.DOMAIN.COM
krb5_ccname_template = KEYRING:persistent:%{uid}


I started the sssd service interactively, so it should show me the log:

Code:

sssd -i -d 5


Output is:

Code:

(2021-06-11  8:01:58:620494): [sssd] [sss_ini_read_sssd_conf] (0x0100): File /etc/sssd/sssd.conf does not exist.
(2021-06-11  8:01:58:622278): [sssd] [confdb_init_db] (0x0100): LDIF file to import:
dn: cn=config
version: 2

dn: cn=sssd,cn=config
cn: sssd
config_file_version: 2
services: nss, pam
domains: MY.DOMAIN.COM
debug_level: 5

dn: cn=nss,cn=config
cn: nss
filter_groups: root
filter_users: root
reconnection_retries: 3

dn: cn=pam,cn=config
cn: pam
reconnection_retries: 3

dn: cn=MY.DOMAIN.COM,cn=domain,cn=config
cn: MY.DOMAIN.COM
debug_level: 9
id_provider: ldap
auth_provider: ldap
chpass_provider: ldap
ldap_uri: ldap://192.168.100.100
ldap_search_base: dc=my,dc=domain,dc=com
ldap_schema: rfc2307bis
ldap_sasl_mech: GSSAPI
ldap_user_object_class: user
ldap_group_object_class: group
ldap_id_mapping: false
ldap_use_tokengroups: false
ldap_tls_reqcert: allow
ldap_user_principal: userPrincipalName
krb5_realm: MY.DOMAIN.COM
krb5_ccname_template: KEYRING:persistent:%{uid}


(2021-06-11  8:01:58:625429): [sssd] [confdb_ensure_files_domain] (0x0100): The implicit files domain is disabled
(2021-06-11  8:01:58:625697): [sssd] [become_user] (0x0200): Trying to become user [0][0].
(2021-06-11  8:01:58:625715): [sssd] [become_user] (0x0200): Already user [0].
(2021-06-11  8:01:58): [sssd] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(2021-06-11  8:01:58): [sssd] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11  8:01:58): [sssd] [sysdb_domain_init_internal] (0x0200): DB File for MY.DOMAIN.COM: /var/lib/sss/db/cache_MY.DOMAIN.COM.ldb
(2021-06-11  8:01:58): [sssd] [sysdb_domain_init_internal] (0x0200): Timestamp file for MY.DOMAIN.COM: /var/lib/sss/db/timestamps_MY.DOMAIN.COM.ldb
(2021-06-11  8:01:58): [sssd] [sbus_server_new_connection] (0x0200): Adding connection 0x5585f62560a0.
(2021-06-11  8:01:58): [sssd] [sbus_signal_handler] (0x0020): We do not listen to this signal!
(2021-06-11  8:01:58): [sssd] [sbus_signal_handler] (0x0020): We do not listen to this signal!
(2021-06-11  8:01:58): [sssd] [start_service] (0x0100): Queueing service MY.DOMAIN.COM for startup
(2021-06-11  8:01:58:633512): [sssd] [become_user] (0x0200): Trying to become user [0][0].
(2021-06-11  8:01:58:633572): [sssd] [become_user] (0x0200): Already user [0].
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [be_res_get_opts] (0x0100): Lookup order: ipv4_first
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sysdb_domain_init_internal] (0x0200): DB File for MY.DOMAIN.COM: /var/lib/sss/db/cache_MY.DOMAIN.COM.ldb
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sysdb_domain_init_internal] (0x0200): Timestamp file for MY.DOMAIN.COM: /var/lib/sss/db/timestamps_MY.DOMAIN.COM.ldb
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sbus_server_new_connection] (0x0200): Adding connection 0x55d1bfb7cd30.
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sbus_signal_handler] (0x0020): We do not listen to this signal!
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sbus_signal_handler] (0x0020): We do not listen to this signal!
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [id]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [auth]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [permit] provider for [access]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [chpass]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [sudo]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [autofs]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [selinux]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [hostid]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [subdomains]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [session]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [resolver]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [USER][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [GROUP][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [HOST][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [IPHOST][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [IPNETWORK][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [krb5_try_kdcip] (0x0100): No KDC found in configuration, trying legacy option
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [get_sdap_service] (0x0100): Service name for discovery set to ldap
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [krb5_service_new] (0x0100): write_kdcinfo for realm MY.DOMAIN.COM set to true
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [krb5_service_init] (0x0100): No primary servers defined, using service discovery
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sysdb_idmap_get_mappings] (0x0080): Could not locate ID mappings: [Datei oder Verzeichnis nicht gefunden]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sssm_ldap_sudo_init] (0x0080): Sudo init handler called but SSSD is built without sudo support, ignoring
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [ldap_get_autofs_options] (0x0200): Option ldap_autofs_search_base set to dc=my,dc=domain,dc=com
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_target_init] (0x0100): Target [selinux] is not supported by module [ldap].
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_target_init] (0x0100): Target [subdomains] is not supported by module [ldap].
(2021-06-11  8:01:58): [sssd] [sbus_server_new_connection] (0x0200): Adding connection 0x5585f6272d60.
(2021-06-11  8:01:58): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.2' from table
(2021-06-11  8:01:58): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.domain_MY_2eDOMAIN_2eCOM' from table
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [become_user] (0x0200): Trying to become user [0][0].
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [become_user] (0x0200): Already user [0].
(2021-06-11  8:01:58): [sssd] [monitor_sbus_RegisterService] (0x0100): Received ID registration: (%BE_MY.DOMAIN.COM,1)
(2021-06-11  8:01:58): [sssd] [mark_service_as_started] (0x0200): Marking MY.DOMAIN.COM as started.
(2021-06-11  8:01:58): [sssd] [mark_service_as_started] (0x0100): Now starting services!
(2021-06-11  8:01:58): [sssd] [start_service] (0x0100): Queueing service nss for startup
(2021-06-11  8:01:58): [sssd] [start_service] (0x0100): Queueing service pam for startup
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sss_monitor_service_init_done] (0x0100): Got id ack and version (1) from Monitor
(2021-06-11  8:01:58:671473): [sssd] [become_user] (0x0200): Trying to become user [0][0].
(2021-06-11  8:01:58:671521): [sssd] [become_user] (0x0200): Already user [0].
(2021-06-11  8:01:58:671850): [sssd] [become_user] (0x0200): Trying to become user [0][0].
(2021-06-11  8:01:58:671895): [sssd] [become_user] (0x0200): Already user [0].
(2021-06-11  8:01:58): [nss] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(2021-06-11  8:01:58): [nss] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11  8:01:58): [pam] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(2021-06-11  8:01:58): [pam] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sbus_server_new_connection] (0x0200): Adding connection 0x55d1bfbabb80.
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_client_init] (0x0100): Set-up Backend ID timeout [0x55d1bfb9be40]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sbus_server_new_connection] (0x0200): Adding connection 0x55d1bfbadf80.
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_client_init] (0x0100): Set-up Backend ID timeout [0x55d1bfb7c440]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.2' from table
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table
(2021-06-11  8:01:58(2021-06-11  8:01:58): [pam] [sysdb_domain_init_internal] (0x0200): DB File for MY.DOMAIN.COM: /var/lib/sss/db/cache_MY.DOMAIN.COM.ldb
(2021-06-11  8:01:58): [pam] [sysdb_domain_init_internal] (0x0200): Timestamp file for MY.DOMAIN.COM: /var/lib/sss/db/timestamps_MY.DOMAIN.COM.ldb
(2021-06-11  8:01:58): [nss] [sysdb_domain_init_internal] (0x0200): DB File for MY.DOMAIN.COM: /var/lib/sss/db/cache_MY.DOMAIN.COM.ldb
(2021-06-11  8:01:58): [nss] [sysdb_domain_init_internal] (0x0200): Timestamp file for MY.DOMAIN.COM: /var/lib/sss/db/timestamps_MY.DOMAIN.COM.ldb
(2021-06-11  8:01:58): [pam] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(2021-06-11  8:01:58): [pam] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
(2021-06-11  8:01:58): [pam] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11  8:01:58): [pam] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11  8:01:58): [pam] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_client_register] (0x0100): Added Frontend client [pam]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_client_register] (0x0100): Cancel DP ID timeout [0x55d1bfb7c440]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_client_register] (0x0100): Added Frontend client [nss]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_client_register] (0x0100): Cancel DP ID timeout [0x55d1bfb9be40]
(2021-06-11  8:01:58): [sssd] [sbus_server_new_connection] (0x0200): Adding connection 0x5585f62790c0.
(2021-06-11  8:01:58): [nss] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(2021-06-11  8:01:58): [nss] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11  8:01:58): [nss] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11  8:01:58): [nss] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11  8:01:58): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table
(2021-06-11  8:01:58): [nss] [sss_mmap_cache_init] (0x0100): Fast 'PASSWD' mmap cache: timeout = 300, slots = 209712
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
(2021-06-11  8:01:58): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_find_method] (0x0100): Target [subdomains] is not initialized
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getDomains: Error [1432158215]: DP target is not configured
(2021-06-11  8:01:58): [pam] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11  8:01:58): [pam] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11  8:01:58): [pam] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11  8:01:58): [pam] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11  8:01:58): [sssd] [monitor_sbus_RegisterService] (0x0100): Received ID registration: (pam,1)
(2021-06-11  8:01:58): [sssd] [mark_service_as_started] (0x0200): Marking pam as started.
(2021-06-11  8:01:58): [pam] [sss_monitor_service_init_done] (0x0100): Got id ack and version (1) from Monitor
(2021-06-11  8:01:58): [nss] [sss_mmap_cache_init] (0x0100): Fast 'GROUP' mmap cache: timeout = 300, slots = 157284
(2021-06-11  8:01:58): [nss] [sss_mmap_cache_init] (0x0100): Fast 'INITGROUPS' mmap cache: timeout = 300, slots = 262140
(2021-06-11  8:01:58): [nss] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(2021-06-11  8:01:58): [sssd] [sbus_server_new_connection] (0x0200): Adding connection 0x5585f627e880.
(2021-06-11  8:01:58): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.4' from table
(2021-06-11  8:01:58): [pam] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.4' from table
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.4' from table
(2021-06-11  8:01:58): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
(2021-06-11  8:01:58): [pam] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_find_method] (0x0100): Target [subdomains] is not initialized
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getDomains: Error [1432158215]: DP target is not configured
(2021-06-11  8:01:58): [nss] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11  8:01:58): [nss] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11  8:01:58): [nss] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11  8:01:58): [nss] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11  8:01:58): [sssd] [monitor_sbus_RegisterService] (0x0100): Received ID registration: (nss,1)
(2021-06-11  8:01:58): [sssd] [mark_service_as_started] (0x0200): Marking nss as started.
(2021-06-11  8:01:58): [nss] [sss_monitor_service_init_done] (0x0100): Got id ack and version (1) from Monitor


I see there are failures but could not interpret them.
_________________
regards,

Roland
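To pick the failures out of a debug dump like the one above, here is an added triage script (not from the thread or from the sssd project); it assumes only the record format that `sssd -i` prints, and its sample lines are constructed to resemble the post.

```python
"""Triage helper for ``sssd -i -d N`` debug output (added example, not sssd code).

Records look like ``(timestamp): [component] [function] (0xLEVEL): message``.
LEVEL is the debug category bit from sssd.conf(5): 0x0010 fatal, 0x0020
critical, 0x0040 serious, 0x0080 minor failure, 0x0100 configuration settings,
0x0200 function data, higher bits are traces. ``-d N`` enables every bit up to
level N (``-d 4`` shows 0x0010 through 0x0100), so failures are buried among
informational lines; this keeps only failure-level records, per component.
"""
import re
from collections import Counter, defaultdict

LEVEL_NAMES = {0x0010: "fatal", 0x0020: "critical", 0x0040: "serious",
               0x0080: "minor failure", 0x0100: "configuration",
               0x0200: "function data"}
SEVERITY = {name: level for level, name in LEVEL_NAMES.items()}
FAILURE_LEVELS = {0x0010, 0x0020, 0x0040, 0x0080}

# Component names may contain brackets themselves, e.g. be[MY.DOMAIN.COM].
RECORD_RE = re.compile(
    r"^\((?P<ts>[^()]*)\): \[(?P<comp>.+?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$"
)


def parse_sssd_log(text):
    """Return (records, unparsed_lines).

    A line not starting with '(' or ')' continues the previous record (sssd prints
    some messages, like the SELinux notice, over several lines). A line starting
    with '(' or ')' that does not match is output of two sssd processes interleaved
    on one line, which happens with -i; it is reported rather than guessed at.
    """
    records, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RECORD_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["level"] = int(rec["level"], 16)
            records.append(rec)
        elif line[0] in "()" or not records:
            unparsed.append(line)
        else:
            records[-1]["msg"] += " " + line.strip()
    return records, unparsed


def failures_by_component(records):
    """Map component -> Counter of (level name, function, message) at failure levels."""
    out = defaultdict(Counter)
    for rec in records:
        if rec["level"] in FAILURE_LEVELS:
            out[rec["comp"]][(LEVEL_NAMES[rec["level"]], rec["func"], rec["msg"])] += 1
    return out


def report(text):
    """Render the triage as text lines, most severe first within each component."""
    records, unparsed = parse_sssd_log(text)
    lines = []
    for comp, counter in sorted(failures_by_component(records).items()):
        lines.append(f"== {comp} ==")
        for (name, func, msg), n in sorted(counter.items(), key=lambda kv: SEVERITY[kv[0][0]]):
            lines.append(f"  [{name}] {func}: {msg}  (x{n})")
    if unparsed:
        lines.append(f"== {len(unparsed)} interleaved/unparsed line(s) ==")
        lines.extend("  " + u for u in unparsed)
    return lines


# Constructed sample resembling the lines posted in the thread.
SAMPLE_LOG = """\
(2021-06-11 11:44:04): [sssd] [sbus_signal_handler] (0x0020): We do not listen to this signal!
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [id]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sysdb_idmap_get_mappings] (0x0080): Could not locate ID mappings: [No such file or directory]
(2021-06-11 11:44:04(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getDomains: Error [1432158215]: DP target is not configured
(2021-06-11 11:44:04): [nss] [sss_mc_destroy_file] (0x0010): Failed to lock file /var/lib/sss/mc/passwd.
(2021-06-11 11:44:29): [nss] [get_client_cred] (0x0080): The following failure is expected to happen in case SELinux is disabled:
SELINUX_getpeercon failed [95][Operation not supported].
Please, consider enabling SELinux in your system.
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```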
alamahant
Advocate

Joined: 23 Mar 2019
Posts: 3879

PostPosted: Fri Jun 11, 2021 8:29 am

Gentoo has to use the Windows DNS server in /etc/resolv.conf.
Try this from Gentoo:
Code:

ldapsearch -x -D "cn=Administrator,dc=my,dc=domain" -H "ldap://<fqdn-or-ip-of-windows>/" -b "dc=my,dc=domain" -W

Ideally it should ask for the Admin password and print the whole DIT.
If not, then the Windows AD LDAP uses crazy formats and you will have to modify your sssd.conf accordingly.
Try also cn=Manager, or try to find out the name of the LDAP administrative account in Windows.
_________________
:)
ROGA
Apprentice

Joined: 17 Feb 2018
Posts: 156
Location: Zurich, Switzerland

PostPosted: Fri Jun 11, 2021 10:09 am

Quote:

Gentoo has to use the Windows DNS server in /etc/resolv.conf.


Good hint! I changed this, so sssd can now find my DC. Now, when I start sssd interactively with debug level 4, I see the following:

Code:

 sssd -i -d 4
(2021-06-11 11:44:04:144893): [sssd] [sss_ini_read_sssd_conf] (0x0100): File /etc/sssd/sssd.conf does not exist.
(2021-06-11 11:44:04:146705): [sssd] [confdb_init_db] (0x0100): LDIF file to import:
dn: cn=config
version: 2

dn: cn=sssd,cn=config
cn: sssd
config_file_version: 2
services: nss, pam
domains: MY.DOMAIN.COM
debug_level: 5

dn: cn=nss,cn=config
cn: nss
filter_groups: root
filter_users: root
reconnection_retries: 3

dn: cn=pam,cn=config
cn: pam
reconnection_retries: 3

dn: cn=MY.DOMAIN.COM,cn=domain,cn=config
cn: MY.DOMAIN.COM
debug_level: 9
enumerate: true
id_provider: ldap
auth_provider: ldap
chpass_provider: ldap
ldap_uri: ldap://dc-1.MY.DOMAIN.COM
ldap_search_base: dc=my,dc=domain,dc=com
ldap_schema: rfc2307bis
ldap_user_object_class: user
ldap_group_object_class: group
ldap_id_mapping: false
ldap_use_tokengroups: false
ldap_tls_reqcert: allow


(2021-06-11 11:44:04:150137): [sssd] [confdb_ensure_files_domain] (0x0100): The implicit files domain is disabled
(2021-06-11 11:44:04): [sssd] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(2021-06-11 11:44:04): [sssd] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11 11:44:04): [sssd] [sbus_signal_handler] (0x0020): We do not listen to this signal!
(2021-06-11 11:44:04): [sssd] [sbus_signal_handler] (0x0020): We do not listen to this signal!
(2021-06-11 11:44:04): [sssd] [start_service] (0x0100): Queueing service MY.DOMAIN.COM for startup
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [be_res_get_opts] (0x0100): Lookup order: ipv4_first
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sbus_signal_handler] (0x0020): We do not listen to this signal!
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sbus_signal_handler] (0x0020): We do not listen to this signal!
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [id]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [auth]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [permit] provider for [access]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [chpass]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [sudo]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [autofs]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [selinux]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [hostid]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [subdomains]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [session]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [resolver]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [USER][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [GROUP][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [HOST][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [IPHOST][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [IPNETWORK][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [krb5_try_kdcip] (0x0100): No KDC found in configuration, trying legacy option
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [get_sdap_service] (0x0100): Service name for discovery set to ldap
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sysdb_idmap_get_mappings] (0x0080): Could not locate ID mappings: [Datei oder Verzeichnis nicht gefunden]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sssm_ldap_sudo_init] (0x0080): Sudo init handler called but SSSD is built without sudo support, ignoring
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_target_init] (0x0100): Target [selinux] is not supported by module [ldap].
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_target_init] (0x0100): Target [subdomains] is not supported by module [ldap].
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_target_init] (0x0100): Target [session] is not supported by module [ldap].
(2021-06-11 11:44:04): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.2' from table
(2021-06-11 11:44:04): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.domain_MY_2eDOMAIN_2eCOM' from table
(2021-06-11 11:44:04): [sssd] [monitor_sbus_RegisterService] (0x0100): Received ID registration: (%BE_MY.DOMAIN.COM,1)
(2021-06-11 11:44:04): [sssd] [mark_service_as_started] (0x0100): Now starting services!
(2021-06-11 11:44:04): [sssd] [start_service] (0x0100): Queueing service nss for startup
(2021-06-11 11:44:04): [sssd] [start_service] (0x0100): Queueing service pam for startup
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_monitor_service_init_done] (0x0100): Got id ack and version (1) from Monitor
(2021-06-11 11:44:04): [nss] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(2021-06-11 11:44:04): [nss] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_client_init] (0x0100): Set-up Backend ID timeout [0x558025570d70]
(2021-06-11 11:44:04): [pam] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(2021-06-11 11:44:04): [pam] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_client_init] (0x0100): Set-up Backend ID timeout [0x558025577b40]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.2' from table
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_client_register] (0x0100): Added Frontend client [nss]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_client_register] (0x0100): Cancel DP ID timeout [0x558025570d70]
(2021-06-11 11:44:04): [nss] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(2021-06-11 11:44:04): [nss] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11 11:44:04): [pam] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(2021-06-11 11:44:04): [pam] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11 11:44:04): [pam] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_client_register] (0x0100): Added Frontend client [pam]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_client_register] (0x0100): Cancel DP ID timeout [0x558025577b40]
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table
(2021-06-11 11:44:04): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table
(2021-06-11 11:44:04(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_find_method] (0x0100): Target [subdomains] is not initialized
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getDomains: Error [1432158215]: DP target is not configured
(2021-06-11 11:44:04): [sssd] [monitor_sbus_RegisterService] (0x0100): Received ID registration: (pam,1)
(2021-06-11 11:44:04): [pam] [sss_monitor_service_init_done] (0x0100): Got id ack and version (1) from Monitor
(2021-06-11 11:44:04): [nss] [sss_mc_destroy_file] (0x0010): Failed to lock file /var/lib/sss/mc/passwd.
(2021-06-11 11:44:04): [nss] [sss_mmap_cache_init] (0x0100): Fast 'PASSWD' mmap cache: timeout = 300, slots = 209712
(2021-06-11 11:44:04): [nss] [sss_mc_destroy_file] (0x0010): Failed to lock file /var/lib/sss/mc/group.
(2021-06-11 11:44:04): [nss] [sss_mmap_cache_init] (0x0100): Fast 'GROUP' mmap cache: timeout = 300, slots = 157284
(2021-06-11 11:44:04): [nss] [sss_mc_destroy_file] (0x0010): Failed to lock file /var/lib/sss/mc/initgroups.
(2021-06-11 11:44:04): [nss] [sss_mmap_cache_init] (0x0100): Fast 'INITGROUPS' mmap cache: timeout = 300, slots = 262140
(2021-06-11 11:44:04): [nss] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(2021-06-11 11:44:04): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.4' from table
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.4' from table
(2021-06-11 11:44:04): [pam] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.4' from table
(2021-06-11 11:44:04): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_find_method] (0x0100): Target [subdomains] is not initialized
(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getDomains: Error [1432158215]: DP target is not configured
(2021-06-11 11:44:04): [pam] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
(2021-06-11 11:44:04): [sssd] [monitor_sbus_RegisterService] (0x0100): Received ID registration: (nss,1)
(2021-06-11 11:44:04): [nss] [sss_monitor_service_init_done] (0x0100): Got id ack and version (1) from Monitor
(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'dc-1.MY.DOMAIN.COM' in files
(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [set_server_common_status] (0x0100): Marking server 'dc-1.MY.DOMAIN.COM' as 'resolving name'
(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'dc-1.MY.DOMAIN.COM' in files
(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'dc-1.MY.DOMAIN.COM' in DNS
(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [set_server_common_status] (0x0100): Marking server 'dc-1.MY.DOMAIN.COM' as 'name resolved'
(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [sdap_set_search_base] (0x0100): Setting option [ldap_sudo_search_base] to [dc=my,dc=domain,dc=com].
(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [SUDO][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4]
(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [sdap_get_server_opts_from_rootdse] (0x0100): Will look for schema at [CN=Schema,CN=Configuration,dc=my,dc=domain,dc=com]
(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dc-1.MY.DOMAIN.COM' as 'working'
(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [set_server_common_status] (0x0100): Marking server 'dc-1.MY.DOMAIN.COM' as 'working'
(2021-06-11 11:44:29): [nss] [get_client_cred] (0x0080): The following failure is expected to happen in case SELinux is disabled:
SELINUX_getpeercon failed [95][Die Operation wird nicht unterstützt].
Please, consider enabling SELinux in your system.
(2021-06-11 11:44:29): [nss] [nss_endent] (0x0100): Resetting enumeration state
(2021-06-11 11:44:42): [nss] [get_client_cred] (0x0080): The following failure is expected to happen in case SELinux is disabled:
SELINUX_getpeercon failed [95][Die Operation wird nicht unterstützt].
Please, consider enabling SELinux in your system.
(2021-06-11 11:44:52): [nss] [get_client_cred] (0x0080): The following failure is expected to happen in case SELinux is disabled:
SELINUX_getpeercon failed [95][Die Operation wird nicht unterstützt].
Please, consider enabling SELinux in your system.



But in fact sssd still doesn't work.

Quote:
ldapsearch -x -D "cn=Administrator,dc=my,dc=domain" -H "ldap://<fqdn-or-ip-of-windows>/" -b "dc=my,dc=domain" -W


This gave me the following error:

Code:
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1


I'm the owner of the Windows domain, so I know the administrator's credentials. I don't understand the above message: invalid credentials (49). Where is the problem?


I ran the command

Code:
# sssctl domain-list
MY.DOMAIN.COM


followed by

Code:
# sssctl domain-status MY.DOMAIN.COM
Online status: Online

Active servers:
LDAP: dc-1.my.domain.com

Discovered LDAP servers:
- dc-1.my.domain.com



Do you have further good tips?
_________________
regards,

Roland
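To read the ldapsearch failure above, here is an added example (not from the thread) that decodes the `data` code Active Directory appends to an invalidCredentials bind result; the code table is the documented set of Windows logon status values, and the sample stderr is constructed.

```python
"""Decode an Active Directory LDAP bind failure (added example, not from the thread).

A rejected simple bind comes back from AD as LDAP result 49 (invalidCredentials)
plus a diagnostic string of the form

    80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1

Result 49 alone does not say why the bind failed; the 'data' field carries a
Windows logon status code (hex) that does. This helper pulls that field out of
ldapsearch's stderr and looks it up. The sample strings are constructed.
"""
import re

# Logon status codes AD places in the 'data' field (hex, without 0x).
AD_BIND_DATA_CODES = {
    "525": "ERROR_NO_SUCH_USER: user not found",
    "52e": "ERROR_LOGON_FAILURE: invalid credentials (wrong password, or the bind "
           "name could not be mapped to an account)",
    "530": "ERROR_INVALID_LOGON_HOURS: not permitted to log on at this time",
    "531": "ERROR_INVALID_WORKSTATION: not permitted to log on from this host",
    "532": "ERROR_PASSWORD_EXPIRED: password expired",
    "533": "ERROR_ACCOUNT_DISABLED: account disabled",
    "701": "ERROR_ACCOUNT_EXPIRED: account expired",
    "773": "ERROR_PASSWORD_MUST_CHANGE: password must be changed at next logon",
    "775": "ERROR_ACCOUNT_LOCKED_OUT: account locked out",
}

BIND_INFO_RE = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)"
)
# ldapsearch's first error line, e.g. "ldap_bind: Invalid credentials (49)".
LDAP_RESULT_RE = re.compile(r"^ldap_\w+: (?P<text>.*?) \((?P<code>\d+)\)\s*$", re.M)


def decode_ad_bind_info(info):
    """Parse the AD diagnostic string; return None if it is not in AD's format."""
    m = BIND_INFO_RE.search(info)
    if not m:
        return None
    d = m.groupdict()
    d["data"] = d["data"].lower()
    d["meaning"] = AD_BIND_DATA_CODES.get(d["data"], "unknown logon status code")
    return d


def parse_ldapsearch_error(stderr_text):
    """Parse what ldapsearch prints on a failed bind; fields stay None if absent."""
    result = {"result_code": None, "result_text": None, "decoded": None}
    m = LDAP_RESULT_RE.search(stderr_text)
    if m:
        result["result_code"] = int(m.group("code"))
        result["result_text"] = m.group("text")
    for line in stderr_text.splitlines():
        line = line.strip()
        if line.startswith("additional info:"):
            result["decoded"] = decode_ad_bind_info(line[len("additional info:"):])
    return result


# Constructed sample: what ldapsearch prints for a bind AD rejects with data 52e.
SAMPLE_STDERR = """\
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1
"""

if __name__ == "__main__":
    r = parse_ldapsearch_error(SAMPLE_STDERR)
    print(f"LDAP result {r['result_code']} ({r['result_text']})")
    if r["decoded"]:
        print(f"AD data {r['decoded']['data']}: {r['decoded']['meaning']}")
```

AD also accepts user@MY.DOMAIN.COM or DOMAIN\user as the simple-bind identity, so the account's DN need not be known; note that the DN used above, cn=Administrator,dc=my,dc=domain, lacks the dc=com component that sssd.conf uses in ldap_search_base, and the built-in Administrator object sits under CN=Users anyway.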
alamahant
Advocate

Joined: 23 Mar 2019
Posts: 3879

PostPosted: Fri Jun 11, 2021 12:53 pm

You are having trouble because the Windows AD LDAP is stupid and behaves differently than Linux.
Windows is stupid period.
Maybe go back to using

nss-pam-ldapd

following this
https://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=8
_________________
:)
ROGA
Apprentice

Joined: 17 Feb 2018
Posts: 156
Location: Zurich, Switzerland

PostPosted: Fri Jun 11, 2021 2:17 pm

You're right. I will try to go back to nss-pam-ldapd ...

Quote:
Windows is stupid period.


I think so too :-)

Thanks for your time.
_________________
regards,

Roland
alamahant
Advocate

Joined: 23 Mar 2019
Posts: 3879

PostPosted: Fri Jun 11, 2021 10:34 pm

Please, if you are still on sssd, try WITHOUT these
Code:

ldap_schema = rfc2307bis
ldap_sasl_mech = GSSAPI
ldap_user_object_class = user
ldap_group_object_class = group
ldap_id_mapping = false
ldap_use_tokengroups = false
ldap_user_principal = userPrincipalName

and add also
Code:

krb5_server = <fqdn-of-windows>
ldap_tls_cacertdir = /etc/ssl/certs/ca-certificates.crt
ldap_uri = ldap://<fqdn-of-windows>/
krb5_kpasswd = <fqdn-of-windows>

in addition to what you have already.
Better NOT to use an IP.
_________________
:)
All times are GMT