Kerberos config:
[libdefaults]
default_realm = ad.domain.com
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
ticket_lifetime = 1h
renew_lifetime = 1d
v4_instance_resolve = false
v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
    plain = {
        something = something-else
    }
}
fcc-mit-ticketflags = true

[realms]

[domain_realm]
.ad.domain.com = ad.domain.com
ad.domain.com = ad.domain.com

[login]
krb4_convert = true
krb4_get_tickets = false
SSSD Config:
cat /etc/sssd/sssd.conf
[sssd]
domains = ad.domain.com
config_file_version = 2
services = nss, pam, ssh

[nss]
filter_groups = root
filter_users = root,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]
reconnection_retries = 3

[domain/ad.domain.com]
debug_level = 6
ad_domain = ad.domain.com
krb5_realm = AD.DOMAIN.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
sudo_provider = none
subdomain_enumerate = all
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
min_id = 1000
ad_access_filter = memberOf=CN=Main-Group,OU=Other,OU=Adm Groups,DC=adm,DC=domain,DC=com
ldap_user_search_filter = memberOf=Main-Group,OU=Other,OU=Adm Groups,DC=adm,DC=domain,DC=com
ldap_user_ssh_public_key = sshPublicKey
krb5_lifetime = 1h
krb5_renewable_lifetime = 1d
krb5_renew_interval = 30m
PAM modules:
Should look like the following:
/etc/pam.d/common-account:
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so

/etc/pam.d/common-auth:
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass

/etc/pam.d/common-password:
password requisite pam_pwquality.so retry=3
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password sufficient pam_sss.so use_authtok

/etc/pam.d/common-session:
session optional pam_mkhomedir.so skel=/etc/skel umask=027
session required pam_unix.so
session optional pam_sss.so
session optional pam_systemd.so
SSH Config: /etc/ssh/sshd_config
# cat /etc/ssh/sshd_config
AuthorizedKeysFile %h/.ssh/authorized_keys
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
SSSD Logs:
/var/log/sssd/sssd_ad.domain.com.log-(Fri Feb 5 08:49:37 2016) [sssd[be[ad.domain.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=user)(|memberOf=CN=Main-Group,OU=Other,OU=Adm Groups,DC=adm,DC=domain,DC=com))][CN=svc_rsn_vmware,OU=Service Accounts,DC=adm,DC=domain,DC=com].
/var/log/sssd/sssd_ad.domain.com.log-(Fri Feb 5 08:49:37 2016) [sssd[be[ad.domain.com]]] [sdap_get_generic_ext_step] (0x0080): ldap_search_ext failed: Bad search filter
/var/log/sssd/sssd_ad.domain.com.log-(Fri Feb 5 08:49:37 2016) [sssd[be[ad.domain.com]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [1432158235]: Malformed search filter
/var/log/sssd/sssd_ad.domain.com.log-(Fri Feb 5 08:49:37 2016) [sssd[be[ad.domain.com]]] [sdap_nested_group_single_step_done] (0x0020): Error processing direct membership [1432158235]: Unknown error 1432158235
/var/log/sssd/sssd_ad.domain.com.log-(Fri Feb 5 08:49:37 2016) [sssd[be[ad.domain.com]]] [sdap_nested_done] (0x0020): Nested group processing failed: [1432158235][Unknown error 1432158235]
/var/log/sssd/sssd_ad.domain.com.log-(Fri Feb 5 08:49:37 2016) [sssd[be[ad.domain.com]]] [ad_account_info_complete] (0x0010): Bug: dp_error is OK on failed request
/var/log/sssd/sssd_ad.domain.com.log:(Fri Feb 5 08:49:37 2016) [sssd[be[ad.domain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,1432158235,Internal Error (Unknown PAM error)
/var/log/sssd/sssd_ad.domain.com.log-(Fri Feb 5 08:49:37 2016) [sssd[be[ad.domain.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=954005429]
/var/log/sssd/sssd_ad.domain.com.log-(Fri Feb 5 08:49:37 2016) [sssd[be[ad.domain.com]]] [be_req_set_domain] (0x0400): Changing request domain from [ad.domain.com] to [ad.domain.com]
/var/log/sssd/sssd_ad.domain.com.log-(Fri Feb 5 08:49:37 2016) [sssd[be[ad.domain.com]]] [ad_account_info_handler] (0x0400): This ID is from different domain
/var/log/sssd/sssd_ad.domain.com.log-(Fri Feb 5 08:49:37 2016) [sssd[be[ad.domain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
/var/log/sssd/sssd_ad.domain.com.log-(Fri Feb 5 08:49:37 2016) [sssd[be[ad.domain.com]]] [be_get_account_info] (0x0100): Got request for [4098][1][idnumber=954005429]
id user@ad.domain.com
getent passwd user@ad.domain.com
getent group AD-Group-Access@ad.domain.com
Please try to put the filter option in braces as shown in the man pages
...
ad_access_filter = (memberOf=CN=Main-Group,OU=Other,OU=Adm Groups,DC=adm,DC=domain,DC=com)
ldap_user_search_filter = (memberOf=Main-Group,OU=Other,OU=Adm Groups,DC=adm,DC=domain,DC=com)
...
cc: => sbose
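As an added example (not code from the ticket or from the SSSD project), a small RFC 4515 syntax checker that shows why the unparenthesised `memberOf=...` value fails once it is wrapped into the `(&(objectclass=user)(|...))` string seen in the log, and passes once it is written as `(memberOf=...)`. The `compose_sssd_filter` wrapper only mirrors the shape of that log line and is an assumption about how SSSD composes the query, not SSSD's own code.

```python
# Added example: RFC 4515 syntax checker for LDAP search filters, so a value can
# be validated before it goes into ad_access_filter / ldap_user_search_filter.

def check_filter(s: str):
    """Return None if s is a syntactically valid filter, else an error message."""
    def parse(pos: int) -> int:
        # every filter, simple or compound, must be enclosed in parentheses
        if pos >= len(s) or s[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos >= len(s):
            raise ValueError("unexpected end of filter")
        op = s[pos]
        if op in "&|":
            # and/or: one or more parenthesised sub-filters must follow
            pos += 1
            count = 0
            while pos < len(s) and s[pos] == "(":
                pos = parse(pos)
                count += 1
            if count == 0:
                raise ValueError(f"'{op}' at offset {pos - 1} is not followed by a parenthesised sub-filter")
        elif op == "!":
            pos = parse(pos + 1)  # not: exactly one sub-filter
        else:
            # simple item: attr=value; an unescaped '(' is not allowed in a value
            end = s.find(")", pos)
            if end == -1:
                raise ValueError(f"unterminated item at offset {pos}")
            item = s[pos:end]
            if "=" not in item or "(" in item:
                raise ValueError(f"malformed item {item!r} at offset {pos}")
            pos = end
        if pos >= len(s) or s[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return pos + 1
    try:
        end = parse(0)
    except ValueError as e:
        return str(e)
    return None if end == len(s) else f"trailing data at offset {end}"

def compose_sssd_filter(user_filter: str) -> str:
    """Assumed composition mirroring the log line above; not SSSD's own code."""
    return f"(&(objectclass=user)(|{user_filter}))"

# Constructed inputs: the value from the ticket's sssd.conf and the corrected one.
DN = "CN=Main-Group,OU=Other,OU=Adm Groups,DC=adm,DC=domain,DC=com"
BROKEN = "memberOf=" + DN          # as in the reported config: no parentheses
FIXED = "(memberOf=" + DN + ")"    # as suggested in the reply
```

`check_filter(compose_sssd_filter(BROKEN))` reports the `|` with no parenthesised sub-filter, which is the "Bad search filter" the log shows; the same call on `FIXED` returns None.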
No reply for 10 days and I suspect Sumit's reply solves this ticket. Closing.
resolution: => worksforme status: new => closed
Metadata Update from @alingramescu: - Issue set to the milestone: NEEDS_TRIAGE
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3991
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.