#2889 SSSD issue after upgrade in fedora 23 x64
Closed: Invalid None Opened 4 years ago by edg91.

Hello,

I configured several fedora 22 x64 workstation with success with sssd against a AD domain.
I followed the tutorial at https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server ("Joining the Linux client to the AD domain manually" part).

Last week, I upgrraded my workstation from fedora 22 to fedora 23 x64 (using fedup).
I did not change the sssd.conf, krb5.conf and krb5.keytab from fedora 22 to 23.

In all upgraded fedora 23 workstations, users cannot loging anymore. Here is the error i get :
sshd[9313]: pam_sss(sshd:account): Access denied for user xxxxx: 4 (System error)
sshd[9313]: Failed password for xxxxx from x.x.x.x port 49459 ssh2
audit[9313]: USER_ACCT pid=9313 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=? acct="xxxxx" exe="/usr/sbin/sshd" hostname=x.x.x.x addr=x.x.x.x terminal=ssh res=failed'
sshd[9313]: fatal: Access denied for user xxxxx by PAM account configuration [preauth]
...

Although, users can still loging in fedora 22 workstations.

Is it a known issue ? May you help me to resolve it ?

Best Regards,
Ed


We can continue the discussion on sssd-users since the list archives are useful also to other people..

Well, I activated debug_log=6 in sssd.conf

I added ad_gpo_access_control = disabled in domain section
and users loging is restablished.

In fedora 22, ad_gpo_access_control was not necessary to enable loging.
This should be added to the tutorial https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server

Best Regards,
Ed

My gpo_child.log is empty

I am facing the same issue now on my fedora 22 workstation.
But to bypass the problem, I had to set ad_gpo_access_control = permissive for fedora 22 workstation (disabled does not work on fed 22)...

My sssd version on both fedora 22 & 23 is 1.13.2

I checked log files and sssd was not able to retrieve target dn for host due to referrals.

[ad_gpo_connect_done] (0x4000): server_hostname from uri: lmscad1.lmsad.polytechnique.fr
[ad_gpo_connect_done] (0x0400): sam_account_name is host/pandore-lms.lmsad.polytechnique.fr

[sdap_print_server] (0x2000): Searching 129.104.5.228
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=user)(sAMAccountName=host/pandore-lms.lmsad.polytechnique.fr))][dc=lmsad,dc=polytechnique,dc=fr].
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 21

[sdap_process_result] (0x2000): Trace: sh[0x558f4ee72290], connected[1], ops[0x558f4ee93aa0], ldap[0x558f4edf75d0]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
[sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://ForestDnsZones.lmsad.polytechnique.fr/DC=ForestDnsZones,DC=lmsad,DC=polytechnique,DC=fr
[sdap_process_result] (0x2000): Trace: sh[0x558f4ee72290], connected[1], ops[0x558f4ee93aa0], ldap[0x558f4edf75d0]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
[sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://DomainDnsZones.lmsad.polytechnique.fr/DC=DomainDnsZones,DC=lmsad,DC=polytechnique,DC=fr
[sdap_process_result] (0x2000): Trace: sh[0x558f4ee72290], connected[1], ops[0x558f4ee93aa0], ldap[0x558f4edf75d0]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
[sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://lmsad.polytechnique.fr/CN=Configuration,DC=lmsad,DC=polytechnique,DC=fr
[sdap_process_result] (0x2000): Trace: sh[0x558f4ee72290], connected[1], ops[0x558f4ee93aa0], ldap[0x558f4edf75d0]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]

[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
[sdap_op_destructor] (0x2000): Operation 21 finished

[generic_ext_search_handler] (0x4000): Request included referrals which were ignored.
[generic_ext_search_handler] (0x4000):     Ref: ldap://ForestDnsZones.lmsad.polytechnique.fr/DC=ForestDnsZones,DC=lmsad,DC=polytechnique,DC=fr
[generic_ext_search_handler] (0x4000):     Ref: ldap://DomainDnsZones.lmsad.polytechnique.fr/DC=DomainDnsZones,DC=lmsad,DC=polytechnique,DC=fr
[generic_ext_search_handler] (0x4000):     Ref: ldap://lmsad.polytechnique.fr/CN=Configuration,DC=lmsad,DC=polytechnique,DC=fr

[ad_gpo_target_dn_retrieval_done] (0x0040): No DN retrieved for policy target.
[sdap_id_op_destroy] (0x4000): releasing operation connection
[ad_gpo_access_done] (0x0040): GPO-based access control failed.

[be_pam_handler_callback] (0x0100): Backend returned: (3, 4, Aucun fichier ou dossier de ce type) [Internal Error]
[be_pam_handler_callback] (0x0100): Sending result [4][lmsad.polytechnique.fr]
[be_pam_handler_callback] (0x0100): Sent result [4][lmsad.polytechnique.fr]

I think we decided to not continue if we could not find info about host or users to prevent security problems (CVEs)

So if I do not use GPO, ad_gpo_access_control must be present in sssd.conf and must be set like this :
ad_gpo_access_control = permissive

Replying to [comment:8 edg91]:

So if I do not use GPO, ad_gpo_access_control must be present in sssd.conf and must be set like this :
ad_gpo_access_control = permissive

Using the AD provider means the client is a member of the domain, also with the policies that apply.
I would personally say that if you have a domain member and you set the access_provider to ad, then it's expected that the domain access control policies apply.

Hello,
As I followed the tutorial https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server
I set "access_provider = ad" in sssd.conf
without know it imply that the domain access control policies apply.

What should I set special on my ad controler in gpo for the linux workstations ?
I did not set any access control policies on AD side.

I would be curious why we was not able to find LDAP entry about host [(&(objectclass=user)(sAMAccountName=host/pandore-lms.lmsad.polytechnique.fr))][dc=lmsad,dc=polytechnique,dc=fr]

If you used realmd then entry should be there.
Unless you joint to one AD and switch sssd.conf to sub-domain. Otherwise I cannot explain why we got referral for this LDAP query.

Would you be able to provide LDIF from AD for your client?

cc: => lslebodn@redhat.com

This is the LDIF export of pandore-lms host :
"CN=pandore-lms,OU=lms,DC=lmsad,DC=polytechnique,DC=fr",computer,pandore-lms,,"CN=pandore-lms,OU=lms,DC=lmsad,DC=polytechnique,DC=fr",4,pandore-lms,pandore-lms$,,,,,host/pandore-lms.lmsad.polytechnique.fr;host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR,"CN=Computer,CN=Schema,CN=Configuration,DC=lmsad,DC=polytechnique,DC=fr",,,,,,host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR

All my users and hosts are placed in an OU "lms"

I did no used realmd, but followed the "Joining the Linux client to the AD domain manually"

dn: CN=pandore-lms,OU=lms,DC=lmsad,DC=polytechnique,DC=fr
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: pandore-lms
distinguishedName: CN=pandore-lms,OU=lms,DC=lmsad,DC=polytechnique,DC=fr
instanceType: 4
whenCreated: 20151202083834.0Z
whenChanged: 20151202105542.0Z
uSNCreated: 11101209
uSNChanged: 11113060
name: pandore-lms
objectGUID:: qbhxr64cQEKSrWLtaYSoaQ==
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 130941710813626077
localPolicyFlags: 0
pwdLastSet: 130935191148506091
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAA4roN0aVPjV8LacHGcQwAAA==
accountExpires: 9223372036854775807
logonCount: 194
sAMAccountName: pandore-lms$
sAMAccountType: 805306369
userPrincipalName:
host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
servicePrincipalName: host/pandore-lms.lmsad.polytechnique.fr
servicePrincipalName:
host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
objectCategory:
CN=Computer,CN=Schema,CN=Configuration,DC=lmsad,DC=polytechnique,DC=fr
isCriticalSystemObject: FALSE
dSCorePropagationData: 20151202105542.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130935193511199080

Thank you very much for ldif.
I think I know where is a problem.
sssd used wrong value for ldap_sasl_authid from keytab.

253 (Thu Dec  3 12:33:37 2015) [sssd[be[lmsad.polytechnique.fr]]] [sdap_set_sasl_options] (0x2000): authid contains realm [LMSAD.POLYTECHNIQUE.FR]
254 (Thu Dec  3 12:33:37 2015) [sssd[be[lmsad.polytechnique.fr]]] [sdap_set_sasl_options] (0x0100): Will look for host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR in /etc/krb5.keytab
255 (Thu Dec  3 12:33:37 2015) [sssd[be[lmsad.polytechnique.fr]]] [select_principal_from_keytab] (0x0200): trying to select the most appropriate principal from keytab
256 (Thu Dec  3 12:33:37 2015) [sssd[be[lmsad.polytechnique.fr]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR in keytab.
257 (Thu Dec  3 12:33:37 2015) [sssd[be[lmsad.polytechnique.fr]]] [match_principal] (0x1000): Principal matched to the sample (host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR).
258 (Thu Dec  3 12:33:37 2015) [sssd[be[lmsad.polytechnique.fr]]] [select_principal_from_keytab] (0x0200): Selected primary: host/pandore-lms.lmsad.polytechnique.fr
259 (Thu Dec  3 12:33:37 2015) [sssd[be[lmsad.polytechnique.fr]]] [select_principal_from_keytab] (0x0200): Selected realm: LMSAD.POLYTECHNIQUE.FR
260 (Thu Dec  3 12:33:37 2015) [sssd[be[lmsad.polytechnique.fr]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to host/pandore-lms.lmsad.polytechnique.fr
}}}

Could you try to explicitly set the option ldap_sasl_authid in domain section?

ldap_sasl_authid = pandore-lms$

I changed
ldap_sasl_authid = host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
to
ldap_sasl_authid = pandore-lms$
in sssd.conf

I get :

déc. 10 16:22:41 pandore-lms audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=sssd comm="systemd" exe="/usr/lib/syste
déc. 10 16:22:41 pandore-lms sssd[10860]: Starting up
déc. 10 16:22:41 pandore-lms sssd[be[lmsad.polytechnique.fr]][10861]: Starting up
déc. 10 16:22:41 pandore-lms sssd[nss][10862]: Starting up
déc. 10 16:22:41 pandore-lms sssd[pam][10863]: Starting up
déc. 10 16:22:41 pandore-lms [sssd[ldap_child[10864]]][10864]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthe
déc. 10 16:22:41 pandore-lms [sssd[ldap_child[10864]]][10864]: Preauthentication failed

And AD users cannot login

Here is the content of my sssd.conf :

[sssd]

config_file_version = 2

domains = lmsad.polytechnique.fr

services = nss, pam

#debug_level=9

[domain/lmsad.polytechnique.fr]

cache_credentials = False
#cache_credentials = true

id_provider = ad
auth_provider = ad
access_provider = ad

krb5_keytab = /etc/krb5.keytab

ad_server = lmscad1.lmsad.polytechnique.fr,lmscad2.lmsad.polytechnique.fr

ldap_id_mapping = False

ldap_sasl_authid = host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
#ldap_sasl_authid = pandore-lms$
ldap_krb5_keytab = /etc/krb5.keytab

use_fully_qualified_names = False

ad_gpo_access_control = permissive

#debug_level=9

[nss]

[pam]
#debug-level=9

[sudo]

[autofs]

[ssh]
#debug_level=9

[pac]

_comment0: I changed
ldap_sasl_authid = host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
to
ldap_sasl_authid = pandore-lms$
in sssd.conf

I get :
déc. 10 16:22:41 pandore-lms audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=sssd comm="systemd" exe="/usr/lib/syste
déc. 10 16:22:41 pandore-lms sssd[10860]: Starting up
déc. 10 16:22:41 pandore-lms sssd[be[lmsad.polytechnique.fr]][10861]: Starting up
déc. 10 16:22:41 pandore-lms sssd[nss][10862]: Starting up
déc. 10 16:22:41 pandore-lms sssd[pam][10863]: Starting up
déc. 10 16:22:41 pandore-lms [sssd[ldap_child[10864]]][10864]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthe
déc. 10 16:22:41 pandore-lms [sssd[ldap_child[10864]]][10864]: Preauthentication failed

And AD users cannot login

Here is the content of my sssd.conf :

[sssd]

config_file_version = 2

domains = lmsad.polytechnique.fr

services = nss, pam

debug_level=9

[domain/lmsad.polytechnique.fr]

cache_credentials = False

cache_credentials = true

id_provider = ad
auth_provider = ad
access_provider = ad

krb5_keytab = /etc/krb5.keytab

ad_server = lmscad1.lmsad.polytechnique.fr,lmscad2.lmsad.polytechnique.fr

ldap_id_mapping = False

ldap_sasl_authid = host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR

ldap_sasl_authid = pandore-lms$

ldap_krb5_keytab = /etc/krb5.keytab

use_fully_qualified_names = False

ad_gpo_access_control = permissive

debug_level=9

[nss]

[pam]

debug-level=9

[sudo]

[autofs]

[ssh]

debug_level=9

[pac]
=> 1449762707870823

Replying to [comment:16 edg91]:

Here is the content of my sssd.conf :
{{{
[sssd]

config_file_version = 2

domains = lmsad.polytechnique.fr

services = nss, pam

debug_level=9

[domain/lmsad.polytechnique.fr]

cache_credentials = False

cache_credentials = true

id_provider = ad
auth_provider = ad
access_provider = ad

krb5_keytab = /etc/krb5.keytab

ad_server = lmscad1.lmsad.polytechnique.fr,lmscad2.lmsad.polytechnique.fr

ldap_id_mapping = False

ldap_sasl_authid = host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR

ldap_sasl_authid = pandore-lms$

}}}
I assume it's just copy&paste error.
BTW I checked the wiki https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server
and it contain following line which is commented by default.

# Uncomment and adjust if the default principal SHORTNAME$@REALM is not available
# ldap_sasl_authid = host/client.ad.example.com@AD.EXAMPLE.COM

Was principal missing in keytab or why did you uncommented it? Could you share content of keytab
klist -kt?

[root@pandore-lms ~]# klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
   3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR

_comment0: [root@pandore-lms ~]# klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal


3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR => 1449841929673110

OK,
you have principal "PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR" in keytab. I think you needn't specify in sssd.conf.

So, could you try without ldap_sasl_authid in sssd.conf? If it does not work. Could you provide new version of log files?

Hello,

I tried without ldap_sasl_authid in sssd.conf
Please find all logs in attached parts.

It does not work without ldap_sasl_authid

I would like to apologize for late response caused by Christmas break.

There is an error in ldap_child.log.
sssd was not able to kinit with principal "PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR" which is really weird. we can see this principal in comment:18

Could you try kinit from command line?

kinit -k 'PANDORE-LMS$'

or

kinit -k 'PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR'

_comment0: I would like to apologize for late response caused by Christmas break.

There is an error in ldap_child.log.
sssd was not able to kinit with principal "PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR" which is really weird. we can see this principal in comment:18

Could you try kinit from command line?
{{{
kinit -k PANDORE-LMS$

or

kinit -k PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
}}}

=> 1452185779860013

Hello,
Thank you, the keytab was wrong for my pandore-lms workstation
I rebuilt it, now I get :
[root@pandore-lms etc]# kinit -k PANDORE-LMS\$@LMSAD.POLYTECHNIQUE.FR
[root@pandore-lms etc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR

Valid starting Expires Service principal
08/01/2016 09:50:58 08/01/2016 19:50:58 krbtgt/LMSAD.POLYTECHNIQUE.FR@LMSAD.POLYTECHNIQUE.FR
renew until 15/01/2016 09:50:58

However, I cannot log in the linux workstation without specify
ad_gpo_access_control = permissive
in sssd.conf

I joined a zip file of all my sssd logs when ad_gpo_access_control is not set (commented) in sssd.conf.

_comment0: Hello,
Thank you, the keytab was wrong for my pandore-lms workstation
I rebuilt it, now I get :
[root@pandore-lms etc]# kinit -k PANDORE-LMS\$@LMSAD.POLYTECHNIQUE.FR
[root@pandore-lms etc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR

Valid starting Expires Service principal
08/01/2016 09:50:58 08/01/2016 19:50:58 krbtgt/LMSAD.POLYTECHNIQUE.FR@LMSAD.POLYTECHNIQUE.FR
renew until 15/01/2016 09:50:58

However, I cannot log in the linux workstation without specify
ad_gpo_access_control = permissive
in sssd.conf

I joined a zip file of all my sssd logs when ad_gpo_access_control is not set (uncommented) in sssd.conf.

=> 1452243704869933

It's because sssd cannot find host for GPO.
sssd-1.13.1+ uses part of host principal for finding LDAP host entry. It was changed because GPO did not work for hostnames longer than 16 characters @see #2692

[ad_gpo_connect_done] (0x4000): server_hostname from uri: lmscad1.lmsad.polytechnique.fr
[ad_gpo_connect_done] (0x0400): sam_account_name is host/pandore-lms.lmsad.polytechnique.fr

[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=user)(sAMAccountName=host/pandore-lms.lmsad.polytechnique.fr))][dc=lmsad,dc=polytechnique,dc=fr].
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [distinguishedName]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 13
[sdap_op_add] (0x2000): New operation 13 timeout 6
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
[sdap_op_destructor] (0x2000): Operation 13 finished
[generic_ext_search_handler] (0x4000): Request included referrals which were ignored.
[generic_ext_search_handler] (0x4000):     Ref: ldap://ForestDnsZones.lmsad.polytechnique.fr/DC=ForestDnsZones,DC=lmsad,DC=polytechnique,DC=fr
[generic_ext_search_handler] (0x4000):     Ref: ldap://DomainDnsZones.lmsad.polytechnique.fr/DC=DomainDnsZones,DC=lmsad,DC=polytechnique,DC=fr
[generic_ext_search_handler] (0x4000):     Ref: ldap://lmsad.polytechnique.fr/CN=Configuration,DC=lmsad,DC=polytechnique,DC=fr

[ad_gpo_target_dn_retrieval_done] (0x0040): No DN retrieved for policy target.

I can see in log files that you have overridden option ldap_sasl_authid. GPO should work if you change it to PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR or if you remove it. (sssd will try to use userPrincipal for host)

Thank you very much
I commented ldap_sasl_authid and ad_gpo_access_control.
It working now.

Best Regards

Thank you very much for confirmation. The change in behaviour between sssd-1.12 and sssd-1.13 was caused by fixing bug #2692.

owner: somebody => lslebodn

I will close the ticket as works for me

resolution: => worksforme
status: new => closed

Hello,

I am very sorry but I am still facing issues with sssd login against AD on fedora workstation

The issue is when users try to logon through the logon screen litghdm, it says that passords is wrong (but that is not the case).
However, It is working through ssh authentication...

To enable users logon through litghdm, I set again ad_gpo_access_control = permissive in sssd.conf
With that, logon is possible for users.

For information, on my fedora workstation, MATE is the default desktop.

All currently supported versions of fedora (22+) has sssd-1.13.3 and there should not be any and problems with GPO unless you have different UPN for host in keytab.

Please provide log files from sssd (at least permissive mode) and output of keytab on that machine klist -kt

Pleas find logs in attached parts
In logs, I try :

  • first login through ssh -> works
  • login through lightdm -> login failed

    [root@pandore-lms ~]# klist -kt
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp Principal


    3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
    3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
    3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
    3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
    3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
    3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
    3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
    3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
    3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
    3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR

_comment0: Pleas find logs in attached parts
In logs, I try :
- first login through ssh -> works
- login through lightdm -> login failed

[root@pandore-lms ~]# klist -kt
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal


3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
3 01/01/1970 01:00:00 host/pandore-lms.lmsad.polytechnique.fr@LMSAD.POLYTECHNIQUE.FR
3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR
3 01/01/1970 01:00:00 PANDORE-LMS$@LMSAD.POLYTECHNIQUE.FR => 1452773735328169

Replying to [comment:30 edg91]:

Pleas find logs in attached parts
In logs, I try :
- first login through ssh -> works
- login through lightdm -> login failed

It works as expected. Because service lightdm is not allowed by default. However the log file says there was a pam service xrdp-sesman

[be_pam_handler] (0x0100): Got request with the following data
[pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
[pam_print_data] (0x0100): domain: lmsad.polytechnique.fr
[pam_print_data] (0x0100): user: guigne
[pam_print_data] (0x0100): service: xrdp-sesman
[pam_print_data] (0x0100): tty: xrdp-sesman
[pam_print_data] (0x0100): ruser: 
[pam_print_data] (0x0100): rhost: 
[pam_print_data] (0x0100): authtok type: 0
[pam_print_data] (0x0100): newauthtok type: 0
[pam_print_data] (0x0100): priv: 1
[pam_print_data] (0x0100): cli_pid: 2231
[pam_print_data] (0x0100): logon name: not set 
[sdap_access_send] (0x0400): Performing access check for user [guigne]

[sdap_account_expired_ad] (0x0400): Performing AD access check for user [guigne]
[sdap_account_expired_ad] (0x4000): User account control for user [guigne] is [10200].
[sdap_account_expired_ad] (0x4000): Expiration time for user [guigne] is [9223372036854775807].

[ad_gpo_access_send] (0x0400): using default right
[ad_gpo_access_send] (0x0400): service xrdp-sesman maps to Denied
[ad_gpo_access_done] (0x0040): GPO-based access control failed.

[be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success]
[be_pam_handler_callback] (0x0100): Sending result [6][lmsad.polytechnique.fr]
[be_pam_handler_callback] (0x0100): Sent result [6][lmsad.polytechnique.fr]

If it is a really lightdm and not a remote session than
you should append it to the GPO map ad_gpo_map_interactive for remote session you might append it to ad_gpo_map_remote_interactive

You need to list also default values and not just xrdp-sesman
e.g.

[domain/ad.example.com]
ad_gpo_map_interactive = +login +su +su-l +gdm-fingerprint +gdm-password +gdm-smartcard +kdm +xrdp-sesman

Hello,
Thanks for this explanation. I apologized because that's true I used xrdp session instead of lightdm to get logs. In this 2 cases, ad_gpo_map_interactive was not set in sssd.conf.

I Added "ad_gpo_map_interactive = +login +su +su-l +gdm-fingerprint +gdm-password +gdm-smartcard +kdm +xrdp-sesman" under [domain/lmsad.polytechnique.fr] in /etc/sssd/sssd.conf and restart sssd service

Althought, I did still not succeed to login in xrdp. I added the logs.
It still said with ad_gpo_map_interactive that :
(Thu Jan 14 14:29:04 2016) [sssd[be[lmsad.polytechnique.fr]]] [ad_gpo_access_send] (0x0400):

service xrdp-sesman maps to Denied

(Thu Jan 14 14:29:04 2016) [sssd[be[lmsad.polytechnique.fr]]] [ad_gpo_access_done] (0x0040):

GPO-based access control failed

.

How set lightdm in ad_gpo_map_interactive ?
Like this ?
ad_gpo_map_interactive = +login +su +su-l +gdm-fingerprint +gdm-password +gdm-smartcard +kdm +xrdp-sesman +lightdm

I would like to apologize for small confusion. You needn't add all default services into ad_gpo_map_interactive. I think it is well explained in the manual page sssd-ad.

BTW. Do you have set in GPO InteractiveLogonRight or
DenyInteractiveLogonRight for your host?

Because sshd is different service and should be in RemoteInteractiveLogonRight and DenyRemoteInteractiveLogonRight.

You might test with log-in on tty. In this case, the pam service "login" should be used. You should check sssd log files whether there is [pam_print_data] (0x0100): service: login or no. And you might also check if access was allowed. Check return code in be_pam_handler_callback
for [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT

Hello,

OK, I did not set GPO InteractiveLogonRight / DenyInteractiveLogonRight for my host.
I do not want to manage GPO for all hosts, so I set ad_gpo_access_control = disabled
Thank you for the explanations

Please, I need advices for a linux workstations in centos 7.
I set sssd.conf as in fedora workstations, but I am facing new issues. Users can only login through ssh, login through lightdm does not work, and xrdp works only first time after xrdp service is started.
I know that it is for fedora support, but maybe can you identify my issue ? or tell me where I could find help ?
I attached logs of my centos 7 workstations.
When I try to logon through xrdp at 2nd time, I get a "sssd[krb5_child ... Permission denied"
When I try to logon through lightdm, I get a "sssd[krb5_child ... Unknown code UUz 1"

I try to logon tty on the centos 7 workstation, I get a "Cannot make/remove an entry for the specified session" message and a "sssd[krb5_child ... Permission denied"

Here are attached the logs for tty logon test

Replying to [comment:34 edg91]:

Hello,

OK, I did not set GPO InteractiveLogonRight / DenyInteractiveLogonRight for my host.
I do not want to manage GPO for all hosts, so I set ad_gpo_access_control = disabled
Thank you for the explanations

So it's not a bug in sssd. It was just a configuration issue.

Please, I need advices for a linux workstations in centos 7.
I set sssd.conf as in fedora workstations, but I am facing new issues. Users can only login through ssh, login through lightdm does not work, and xrdp works only first time after xrdp service is started.
I know that it is for fedora support, but maybe can you identify my issue ? or tell me where I could find help ?
I attached logs of my centos 7 workstations.
When I try to logon through xrdp at 2nd time, I get a "sssd[krb5_child ... Permission denied"
When I try to logon through lightdm, I get a "sssd[krb5_child ... Unknown code UUz 1"
Fedora issue is unrelated to this ticket.
There was failure in authentication and not in authorization(GPO).
I read log files and I have a suspicion.
Could you provide exact version of following pacakges sssd-ad, krb5-libs, crypto-policies

rpm -q sssd-ad krb5-libs crypto-policies

Please also provide an output of command:

file /etc/krb5.conf.d/crypto-policies

If it is broken-link then please upgrade package crypto-policies

Hello,

As this is a centos 7 workstation, crypto-policies package is not available :

rpm -q sssd-ad krb5-libs crypto-policies

sssd-ad-1.13.0-40.el7_2.1.x86_64
krb5-libs-1.13.2-10.el7.x86_64
le paquet crypto-policies n'est pas installé

(the packages crypto-policies is not isntalled)

Is there a equivalent package for centos 7 ?

I misread your last two comments. I though there is a problem on fedora and you have a problem on CentOS 7.
So It cannot be related to version of krb5-libs, crypto-policies

Please open different ticket for this issue. There is a problem with authentication. Please attach log files (you might use tty.zip. sssd.conf and also krb5.conf

Ok, I open a ticket for the authentication problem with centos 7

Metadata Update from @edg91:
- Issue assigned to lslebodn
- Issue set to the milestone: NEEDS_TRIAGE

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3930

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata