View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0016140 | CentOS-7 | sssd | public | 2019-06-03 13:48 | 2020-06-23 08:31 |
Reporter | jorbasm | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | always |
Status | new | Resolution | open | ||
Platform | GNU/Linux | OS | CentOS | OS Version | 7.6.1810 |
Product Version | 7.6.1810 | ||||
Summary | 0016140: SSSD does not retrieve users when ldap_id_mapping = false | ||||
Description |
I'm trying to map uids to AD POSIX values to keep consistency in a heterogeneous environment with Windows and CentOS 7 boxes. I have a problem configuring the latter. SSSD works well with AD until ldap_id_mapping = false. When this variable is set this way, this is the log obtained with tail -f /var/log/sssd/sssd_company.local.log:

{code}
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [sdap_op_destructor] (0x2000): Operation 15 finished
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [generic_ext_search_handler] (0x4000): Request included referrals which were ignored.
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [generic_ext_search_handler] (0x4000): Ref: ldap://ForestDnsZones.company.local/DC=ForestDnsZones,DC=company,DC=local
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [generic_ext_search_handler] (0x4000): Ref: ldap://DomainDnsZones.company.local/DC=DomainDnsZones,DC=company,DC=local
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [generic_ext_search_handler] (0x4000): Ref: ldap://company.local/CN=Configuration,DC=company,DC=local
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(Tue May 14 16:42:08 2019) [sssd[be[company.local]]] [sdap_search_user_process] (0x2000): Retrieved total 0 users
{code}

Otherwise:

{code}
(Tue May 14 17:01:55 2019) [sssd[be[company.local]]] [sysdb_set_entry_attr] (0x0200): Entry [name=Certain Users@company.local,cn=groups,cn=company.local,cn=sysdb] has set [cache, ts_cache] attrs.
(Tue May 14 17:01:55 2019) [sssd[be[company.local]]] [ldb] (0x4000): commit ldb transaction (nesting: 2)
(Tue May 14 17:01:55 2019) [sssd[be[company.local]]] [sdap_save_groups] (0x4000): Group 1 members processed!
{code}

This is my sssd config file, initially set up with realm join:

{code}
[sssd]
domains = company.local
config_file_version = 2
services = nss, pam
full_name_format = %1$s

[domain/company.local]
ad_domain = company.local
krb5_realm = COMPANY.LOCAL
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = false
use_fully_qualified_names = false
fallback_homedir = /home/%u
access_provider = ad
debug_level = 9
{code}

Every time I change the ldap_id_mapping value I empty the SSSD cache db:

{code}
sudo systemctl stop sssd
sudo rm -rf /var/lib/sss/db/*
sudo systemctl start sssd
{code}

I thought I had to file a bug. Anyway, thanks in advance.
Steps To Reproduce |
{code}
vi /etc/sssd/sssd.conf
ldap_id_mapping = false
sudo systemctl stop sssd
sudo rm -rf /var/lib/sss/db/*
sudo systemctl start sssd
su - someuser
su: user someuser does not exist
{code}
Tags | active directory
abrt_hash |
URL |
Same case but in the Red Hat bug tracker (2015): https://bugzilla.redhat.com/show_bug.cgi?id=1116758#c10
I am also experiencing this problem. It's interesting: if you take the ldap query that it's sending to AD and run that manually, it works and you get the user back.

{code}
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=keimond@ad.example.com]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [dp_attach_req] (0x0400): DP Request [Account #1]: New request. Flags [0x0001].
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sss_domain_get_state] (0x1000): Domain AD.EXAMPLE.COM is Active
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sss_domain_get_state] (0x1000): Domain AD.EXAMPLE.COM is Active
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [DC=ad,DC=example,DC=com]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_print_server] (0x2000): Searching 10.10.10.10:389
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=keimond)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][DC=ad,DC=example,DC=com].
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixUserPassword]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [mail]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_op_add] (0x2000): New operation 14 timeout 6
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x557bcedcd9b0], connected[1], ops[0x557bceddf980], ldap[0x557bced56c20]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://DomainDnsZones.ad.example.com/DC=DomainDnsZones,DC=ad,DC=example,DC=com
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x557bcedcd9b0], connected[1], ops[0x557bceddf980], ldap[0x557bced56c20]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://ForestDnsZones.ad.example.com/DC=ForestDnsZones,DC=ad,DC=example,DC=com
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x557bcedcd9b0], connected[1], ops[0x557bceddf980], ldap[0x557bced56c20]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://ad.example.com/CN=Configuration,DC=ad,DC=example,DC=com
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_result] (0x2000): Trace: sh[0x557bcedcd9b0], connected[1], ops[0x557bceddf980], ldap[0x557bced56c20]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_op_destructor] (0x2000): Operation 14 finished
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [generic_ext_search_handler] (0x4000): Request included referrals which were ignored.
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [generic_ext_search_handler] (0x4000): Ref: ldap://DomainDnsZones.ad.example.com/DC=DomainDnsZones,DC=ad,DC=example,DC=com
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [generic_ext_search_handler] (0x4000): Ref: ldap://ForestDnsZones.ad.example.com/DC=ForestDnsZones,DC=ad,DC=example,DC=com
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [generic_ext_search_handler] (0x4000): Ref: ldap://ad.example.com/CN=Configuration,DC=ad,DC=example,DC=com
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_search_user_process] (0x2000): Retrieved total 0 users
(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] [sdap_id_op_done] (0x4000): releasing operation connection
{code}
Hi keimond,

Back then I had not yet set the UNIX attribute fields in Windows AD DS, in particular the proper uid. I recall solving this issue, which obviously was not an sssd bug.

Regards,
Jordi
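The two logs above show the mechanism behind the "0 results" that the reporter and keimond both hit: with ldap_id_mapping = false, SSSD appends (&(uidNumber=*)(!(uidNumber=0))) to its user search, so an AD account whose UNIX attributes were never filled in is simply not returned, and the LDAP result is still Success(0). The script below is an added diagnostic example, written for this page and not part of SSSD or of the bug report. It takes a "calling ldap_search_ext with [...]" line of the shape SSSD logs at debug_level 9 (the embedded line is modelled on keimond's; realm, base DN and account name are hypothetical), parses the filter with a small RFC 4515 matcher, and evaluates it against constructed AD entries in three states of the "UNIX Attributes" tab.

```python
"""Why SSSD finds no user with ldap_id_mapping = false.

Added diagnostic example, not SSSD code: extract the filter and base SSSD
logged, evaluate the filter with a minimal RFC 4515 matcher, and show which
constructed AD entries survive the uidNumber clause.
"""
import re

# Constructed log line modelled on the one quoted in the thread; the realm,
# base DN and account name are hypothetical.
LOG_LINE = (
    "(Mon Jun 22 15:49:08 2020) [sssd[be[AD.EXAMPLE.COM]]] "
    "[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with "
    "[(&(sAMAccountName=keimond)(objectclass=user)(sAMAccountName=*)"
    "(&(uidNumber=*)(!(uidNumber=0))))][DC=ad,DC=example,DC=com]."
)

SEARCH_RE = re.compile(
    r"calling ldap_search_ext with \[(?P<filter>.*?)\]\[(?P<base>[^\]]*)\]"
)


def extract_search(line):
    """Return (filter, base) from an sdap_get_generic_ext_step debug line."""
    m = SEARCH_RE.search(line)
    if m is None:
        raise ValueError("line does not contain an ldap_search_ext call")
    return m.group("filter"), m.group("base")


def parse_filter(s, pos=0):
    """Recursive-descent parser for the filter subset SSSD emits here:
    (&...), (|...), (!...), (attr=value) and the presence test (attr=*).
    Returns (node, position just after the closing parenthesis)."""
    if s[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if s[pos] in "&|":
        op, pos, children = s[pos], pos + 1, []
        while s[pos] == "(":
            child, pos = parse_filter(s, pos)
            children.append(child)
        if s[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return (op, children), pos + 1
    if s[pos] == "!":
        child, pos = parse_filter(s, pos + 1)
        if s[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return ("!", [child]), pos + 1
    end = s.index(")", pos)
    attr, _, value = s[pos:end].partition("=")
    return ("=", attr, value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry given as {attr: [values]}.
    LDAP attribute names are case-insensitive; values are compared
    case-insensitively too, which is adequate for the attributes used here."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr.lower(), [])
    if value == "*":                      # presence filter
        return len(values) > 0
    return any(v.lower() == value.lower() for v in values)


def requires_uidnumber(node):
    """True when the filter carries a uidNumber presence test, i.e. SSSD runs
    with ldap_id_mapping = false and drops accounts without POSIX attributes."""
    if node[0] in ("&", "|", "!"):
        return any(requires_uidnumber(c) for c in node[1])
    return node[1].lower() == "uidnumber" and node[2] == "*"


def ad_user(sam, **posix):
    # Constructed AD user entry (keys lower-cased, values as lists); made-up SID.
    entry = {
        "samaccountname": [sam],
        "objectclass": ["top", "person", "organizationalPerson", "user"],
        "objectsid": ["S-1-5-21-1111-2222-3333-1105"],
    }
    entry.update({k.lower(): [v] for k, v in posix.items()})
    return entry


# The same constructed account in three states of the "UNIX Attributes" tab.
ENTRIES = {
    "no UNIX attributes set": ad_user("keimond"),
    "uidNumber left at 0": ad_user("keimond", uidNumber="0", gidNumber="10000"),
    "uidNumber/gidNumber set": ad_user("keimond", uidNumber="10001", gidNumber="10000"),
}


def diagnose(line, entries):
    """Parse the logged search and report which sample entries it would return."""
    flt, base = extract_search(line)
    tree, _ = parse_filter(flt)
    return {
        "base": base,
        "requires_uidnumber": requires_uidnumber(tree),
        "matches": {name: matches(tree, e) for name, e in entries.items()},
    }


if __name__ == "__main__":
    report = diagnose(LOG_LINE, ENTRIES)
    print("search base:", report["base"])
    print("filter demands a non-zero uidNumber:", report["requires_uidnumber"])
    for name, hit in report["matches"].items():
        print(f"  {'returned' if hit else 'dropped '}  {name}")
```

Only the entry with a non-zero uidNumber is returned; the other two are dropped by AD itself, which is why SSSD sees Success(0) and 0 results rather than an error. Against a real domain the same check is a kinit followed by ldapsearch -LLL -Y GSSAPI -H ldap://<dc> -b '<base>' '<filter>' uidNumber gidNumber with the filter and base copied from the log line; if that returns nothing, the fix is on the AD side (populate uidNumber and gidNumber, as in the last reply), or keep ldap_id_mapping = true and let SSSD derive the IDs from objectSID.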