View Issue Details

ID: 0009982
Project: CentOS-7
Category: sssd
View Status: public
Last Update: 2016-01-15 09:50
Reporter: hger
Priority: high
Severity: major
Reproducibility: always
Status: new
Resolution: open
Platform: Centos
OS: 7.2
OS Version: 7.2.1511
Product Version: 7.2.1511
Target Version:
Fixed in Version:
Summary: 0009982: User accounts from ldap using sssd where ldap is active directory 2008 r2
Description: With the new release of sssd 1.13.0 our user authentication against AD-ldap broke
Steps To Reproduce: Install Centos 7.2.1511 minimal.
yum install sssd authconfig -y
authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
cat>/etc/sssd/sssd.conf << EOF
[domain/esss.lu.se]
id_provider = ldap
cache_credentials = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
override_shell = /bin/bash
 
ldap_schema = AD
ldap_search_base = dc=esss,dc=lu,dc=se
ldap_uri = ldap://esss.lu.se
ldap_id_use_start_tls = True
ldap_default_bind_dn = cn=readonly,cn=Users,dc=esss,dc=lu,dc=se
ldap_default_authtok_type = password
ldap_default_authtok = Password!
ldap_id_mapping = True
 
# This is bad. We allow all certificates (even self-signed)
ldap_tls_reqcert = never
 
[sssd]
debug_level = 5
domains = esss.lu.se
services = nss, pam
config_file_version = 2
 
[nss]
 
[pam]
 
[sudo]
 
[autofs]
 
[ssh]
 
[pac]

EOF

chmod 600 /etc/sssd/sssd.conf
systemctl enable sssd
systemctl start sssd

id user produces actual output.
Additional Information: Installing new Centos box and instead installing sssd version 1.12.2 or earlier works fine.
Tags: No tags attached.
abrt_hash:
URL:

Activities

troelsarvin

2016-01-04 10:58

reporter   ~0025246

What is meant by "broke": What breaks, and how?
lslebodn

2016-01-06 09:47

reporter   ~0025278

You are using ldap provider with Active Directory.

We recommend disabling referrals in this case
@see https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server
# Unless you know you need referrals, turn them off
ldap_referrals = false


BTW there is a similar ticket in upstream
https://fedorahosted.org/sssd/ticket/2906#comment:9
lslebodn

2016-01-15 09:16

reporter   ~0025360

Upstream ticket is fixed https://fedorahosted.org/sssd/ticket/2906.

If you want, I can provide a test build. Feel free to ask for it on the sssd-users mailing list or here.
hger

2016-01-15 09:47

reporter   ~0025362

Yes it worked with the referrals turned off. Thank you.
lslebodn

2016-01-15 09:50

reporter   ~0025363

Would you like to test a patched version of sssd, without using the workaround to disable referrals?
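
The two settings raised in this ticket, the reporter's `ldap_tls_reqcert = never` and the `ldap_referrals = false` workaround for the ldap provider against Active Directory, can be checked mechanically. The following Python check is an added example, not part of the ticket or of sssd; the function name `audit_sssd_conf` and the sample text (trimmed from the configuration above, with a placeholder bind password) are constructed for illustration.

```python
import configparser

# Constructed sample, trimmed from the reporter's sssd.conf; bind password replaced.
SAMPLE = """\
[domain/esss.lu.se]
id_provider = ldap
fallback_homedir = /home/%u
ldap_schema = AD
ldap_uri = ldap://esss.lu.se
ldap_id_use_start_tls = True
ldap_default_authtok = PLACEHOLDER
ldap_tls_reqcert = never

[sssd]
domains = esss.lu.se
services = nss, pam
"""


def audit_sssd_conf(text):
    """Return (section, option, message) findings for ldap-provider domains."""
    # interpolation=None: values such as /home/%u would otherwise raise on access.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        if not name.startswith("domain/"):
            continue
        if sec.get("id_provider", "").strip().lower() != "ldap":
            continue
        # never/allow let the session proceed with a bad server certificate.
        reqcert = sec.get("ldap_tls_reqcert", "").strip().lower()
        if reqcert in ("never", "allow"):
            findings.append((name, "ldap_tls_reqcert",
                             f"'{reqcert}' accepts an unverified server certificate"))
        # Workaround from this ticket: referrals off for the ldap provider with AD.
        is_ad = sec.get("ldap_schema", "").strip().lower() == "ad"
        referrals = sec.get("ldap_referrals", "true").strip().lower()
        if is_ad and referrals != "false":
            findings.append((name, "ldap_referrals",
                             "not set to false while ldap_schema = AD"))
    return findings


if __name__ == "__main__":
    for section, option, message in audit_sssd_conf(SAMPLE):
        print(f"[{section}] {option}: {message}")
```
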

Issue History

Date Modified Username Field Change
2015-12-22 08:28 hger New Issue
2016-01-04 10:58 troelsarvin Note Added: 0025246
2016-01-06 09:47 lslebodn Note Added: 0025278
2016-01-15 09:16 lslebodn Note Added: 0025360
2016-01-15 09:47 hger Note Added: 0025362
2016-01-15 09:50 lslebodn Note Added: 0025363