Hello,
we're using sssd to authenticate against an AD. Our config is:
```ini
[sssd]
debug_level=9
domains = munzinger.de
config_file_version = 2
services = nss, pam
default_tkt_enctypes = aes-256-cts arcfour-hmac-md5
default_tgs_enctypes = aes-256-cts arcfour-hmac-md5

[domain/munzinger.de]
ad_domain = munzinger.de
krb5_realm = MUNZINGER.DE
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
access_provider = ad
debug_level=9
enumerate = True
ldap_idmap_range_min = 10000
ldap_idmap_autorid_compat = true
override_homedir = /home/MUNZINGER/%u
```
We recently tried to switch to sssd 1.14.1 but we couldn't login with it. Attached is the full log.
The interesting stuff is:
```
(Tue Sep 6 15:45:47 2016) [sssd[be[munzinger.de]]] [ldb] (0x4000): cancel ldb transaction (nesting: 2)
(Tue Sep 6 15:45:47 2016) [sssd[be[munzinger.de]]] [sysdb_mod_group_member] (0x0080): ldb_modify failed: [No such attribute](16)[attribute 'member': no matching attribute value while deleting attribute on 'name=Benutzer@munzinger.de,cn=groups,cn=munzinger.de,cn=sysdb']
(Tue Sep 6 15:45:47 2016) [sssd[be[munzinger.de]]] [sysdb_error_to_errno] (0x0020): LDB returned unexpected error: [No such attribute]
(Tue Sep 6 15:45:47 2016) [sssd[be[munzinger.de]]] [sysdb_mod_group_member] (0x0400): Error: 14 (Bad address)
(Tue Sep 6 15:45:47 2016) [sssd[be[munzinger.de]]] [sysdb_update_members_ex] (0x0020): Could not remove member [wb@munzinger.de] from group [name=Benutzer@munzinger.de,cn=groups,cn=munzinger.de,cn=sysdb]. Skipping
```
and
```
(Tue Sep 6 15:45:47 2016) [sssd[be[munzinger.de]]] [ad_gpo_get_sids] (0x0020): Missing SID for cache entry [name=Benutzer@munzinger.de,cn=groups,cn=munzinger.de,cn=sysdb].
(Tue Sep 6 15:45:47 2016) [sssd[be[munzinger.de]]] [ad_gpo_filter_gpos_by_dacl] (0x0040): Unable to retrieve SIDs: [1432158252](User/Group SIDs not found)
(Tue Sep 6 15:45:47 2016) [sssd[be[munzinger.de]]] [ad_gpo_process_gpo_done] (0x0040): Unable to filter GPO list by DACKL: [1432158252](User/Group SIDs not found)
(Tue Sep 6 15:45:47 2016) [sssd[be[munzinger.de]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
(Tue Sep 6 15:45:47 2016) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [4 (System error)][munzinger.de]
(Tue Sep 6 15:45:47 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
```
We found out that if we revert https://git.fedorahosted.org/cgit/sssd.git/commit/?id=0d628f98500a0fd642ba0c720c40393460988f73 everything works again, but I guess that's not a real solution.
Ask if you need any more information.
Cheers David
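The failure chain quoted above (a cached group entry without a SID, the GPO access check failing, PAM returning "System error") is easy to miss in a debug_level=9 log. The following is an added example, not code from the ticket or from the SSSD project: it parses SSSD debug lines in the format shown here and flags that chain. The sample lines are copied from the log excerpts in this report.

```python
import re
from collections import namedtuple

LogEntry = namedtuple("LogEntry", "ts comp func level msg")

# "(timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[(?P<comp>sssd\S*?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
MISSING_SID_RE = re.compile(r"Missing SID for cache entry \[(?P<dn>[^\]]+)\]")
REMOVE_MEMBER_RE = re.compile(
    r"Could not remove member \[(?P<member>[^\]]+)\] from group \[(?P<dn>[^\]]+)\]")

# Sample input taken from the log excerpts quoted in this ticket.
SAMPLE_LOG = """\
(Tue Sep 6 15:45:47 2016) [sssd[be[munzinger.de]]] [sysdb_update_members_ex] (0x0020): Could not remove member [wb@munzinger.de] from group [name=Benutzer@munzinger.de,cn=groups,cn=munzinger.de,cn=sysdb]. Skipping
(Tue Sep 6 15:45:47 2016) [sssd[be[munzinger.de]]] [ad_gpo_get_sids] (0x0020): Missing SID for cache entry [name=Benutzer@munzinger.de,cn=groups,cn=munzinger.de,cn=sysdb].
(Tue Sep 6 15:45:47 2016) [sssd[be[munzinger.de]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
(Tue Sep 6 15:45:47 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.
"""

def parse(lines):
    """Turn raw SSSD debug lines into LogEntry tuples; lines that do not match are skipped."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            out.append(LogEntry(m["ts"], m["comp"], m["func"], int(m["level"], 16), m["msg"]))
    return out

def diagnose(entries):
    """Summarise whether the entries show the GPO / cached-group failure chain from this report."""
    no_sid, member_failures = [], []
    gpo_failed = pam_system_error = False
    for e in entries:
        sid = MISSING_SID_RE.search(e.msg)
        mem = REMOVE_MEMBER_RE.search(e.msg)
        if e.func == "ad_gpo_get_sids" and sid:
            no_sid.append(sid["dn"])                 # cache entry the GPO filter could not map to a SID
        elif e.func == "sysdb_update_members_ex" and mem:
            member_failures.append((mem["member"], mem["dn"]))
        elif e.func == "ad_gpo_access_done" and "failed" in e.msg:
            gpo_failed = True
        elif e.func == "pam_reply" and "result [4]" in e.msg:
            pam_system_error = True                  # PAM "System error" returned to the user
    return {"entries_without_sid": no_sid, "member_update_failures": member_failures,
            "gpo_access_failed": gpo_failed, "pam_system_error": pam_system_error,
            "matches_report": pam_system_error and gpo_failed and bool(no_sid)}
```

The `matches_report` flag is true only when all three symptoms appear together; the DN list tells you which cache entry to inspect with ldbsearch.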
The group 'Benutzer@munzinger.de' is a built-in group (SID S-1-5-32-545). Can you check if the group is stored in the cache and what attributes are stored by calling
ldbsearch -H /var/lib/sss/db/cache_munzinger.de.ldb -b name=Benutzer@munzinger.de,cn=groups,cn=munzinger.de,cn=sysdb
as root.
Fields changed
cc: => sbose
orig.log is after cleaning the cache and a failed login try.
reverted.log is with 0d628f9 reverted, cache cleaned and a successful login.
The processing of built-in groups is currently a bit inconsistent. SSSD does not create objects for built-in groups in the cache, but when processing membership a minimal object is created indirectly.
I wonder if you can check if the login issue occurs as well if enumeration is disabled. For this please set 'enumerate = False' in sssd.conf, stop SSSD, remove the cache with 'rm /var/lib/sss/db/cache_munzinger.de.ldb' and start SSSD again.
Is there a reason for using 'enumerate = True'? I'm asking to get a better understanding of the use-cases of 'enumerate = True'.
Setting enumerate = False and clearing the cache does indeed fix the problem.
We used enumerate = True because being able to see all users/groups and cache them with
```
getent passwd
getent group
```
is quite nice. But we can live without it for now.
Thanks!
milestone: NEEDS_TRIAGE => SSSD Deferred summary: Bug in sysdb_mod_group_member => Built-in groups are not created during enumeration
rhbz: => todo
attachment log.tar.gz
attachment cache.tar.gz
Metadata Update from @wbmun: - Issue set to the milestone: SSSD Patches welcome
Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.
Given that we are unable to fulfill this request I am closing the issue as wontfix.
If the issue still persists on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.
Thank you for understanding.
Metadata Update from @pbrezina: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4210
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.