Is this the correct forum for sssd? It has been developed by Red Hat, but my distro is Mint, and I'm not a Red Hat customer, so this is why I post here.
My setup is a nasbox running FreeNAS/FreeBSD with a lot of services, including a Jail with OpenLDAP.
OpenLDAP is openldap-server-2.4.45
The groups are based on the LDAP object classes posixGroup and top.
And the users are based on the LDAP object classes inetOrgPerson, posixAccount, and top.
The protocols are plain, and plain over SSL. (LDAP/LDAPS)
No AD/Samba scheme, no kerberos.
One of my clients is a Linux Mint Lenovo G510 laptop.
I started out with a pam_ldap.so configuration...
This worked OK as long as I had network to the LDAP server.
With the pam_ldap config I could perform:
ldapsearch, getent passwd and getent group
and I could log on to LDAP-defined accounts via GUI and console.
But without a network connection I could not even perform GUI login with a local account.
So I decided to change to sssd instead in order to have the data cached locally.
With the sssd configuration I can perform ldapsearch (no surprise, since it does not share any configuration with sssd).
But I can't get NSS to work.
getent passwd and getent group only show local data, i.e. data from LDAP is not shown.
Same problem with login (only local accounts).
I can see from the server-side logs that data is requested and found.
I can see from /var/log/sssd/sssd_LDAP1.log that data is received, and that it regularly performs a query to resync from the last sync timestamp.
I can see that LDAP account data is stored in /var/lib/sss/db/cache_LDAP1.ldb (my LDAP user and group names exist in the binary file).
I get an error in /var/log/sssd/sssd_nss.log every time the sssd service is started with systemctl restart sssd:
(Mon Feb 12 19:27:24 2018) [sssd[nss]] [id_callback] (0x0010): The Monitor returned an error [org.freedesktop.DBus.Error.NoReply]
inxi -Fxz
System: Host: labdog Kernel: 4.10.0-40-generic x86_64 (64 bit gcc: 5.4.0)
Desktop: Cinnamon 3.4.6 (Gtk 3.18.9-1ubuntu3.3) Distro: Linux Mint 18.2 Sonya
Machine: System: LENOVO product: 20238 v: Lenovo G510
Mobo: LENOVO model: INVALID v: 31900058Std Bios: LENOVO v: 79CN46WW(V3.05) date: 12/23/2013
CPU: Quad core Intel Core i7-4700MQ (-HT-MCP-) cache: 6144 KB
flags: (lm nx sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx) bmips: 19157
clock speeds: max: 3400 MHz 1: 999 MHz 2: 1366 MHz 3: 999 MHz 4: 1000 MHz 5: 999 MHz 6: 1067 MHz
7: 1010 MHz 8: 1000 MHz
Graphics: Card-1: Intel 4th Gen Core Processor Integrated Graphics Controller bus-ID: 00:02.0
Card-2: Advanced Micro Devices [AMD/ATI] Mars [Radeon HD 8670A/8670M/8750M] bus-ID: 01:00.0
Display Server: X.Org 1.18.4 drivers: ati,radeon,intel (unloaded: fbdev,vesa)
Resolution: 1366x768@59.99hz
GLX Renderer: Mesa DRI Intel Haswell Mobile GLX Version: 3.0 Mesa 12.0.6 Direct Rendering: Yes
Audio: Card-1 Intel 8 Series/C220 Series High Definition Audio Controller
driver: snd_hda_intel bus-ID: 00:1b.0
Card-2 Intel Xeon E3-1200 v3/4th Gen Core Processor HD Audio Controller
driver: snd_hda_intel bus-ID: 00:03.0
Sound: Advanced Linux Sound Architecture v: k4.10.0-40-generic
Network: Card-1: Broadcom BCM43142 802.11b/g/n driver: wl bus-ID: 08:00.0
IF: wlp8s0 state: up mac: <filter>
Card-2: Qualcomm Atheros QCA8172 Fast Ethernet driver: alx port: 3000 bus-ID: 09:00.0
IF: enp9s0 state: down mac: <filter>
Drives: HDD Total Size: 240.1GB (28.1% used) ID-1: /dev/sda model: KINGSTON_SUV400S size: 240.1GB
Partition: ID-1: / size: 212G used: 56G (28%) fs: ext4 dev: /dev/dm-1
ID-2: /boot size: 473M used: 125M (28%) fs: ext2 dev: /dev/sda2
ID-3: swap-1 size: 8.49GB used: 0.00GB (0%) fs: swap dev: /dev/dm-2
RAID: No RAID devices: /proc/mdstat, md_mod kernel module present
Sensors: System Temperatures: cpu: 50.0C mobo: N/A gpu: N/A
Fan Speeds (in rpm): cpu: N/A
Info: Processes: 283 Uptime: 1 day Memory: 4626.2/7893.3MB Init: systemd runlevel: 5 Gcc sys: 5.4.0
Client: Shell (bash 4.3.481) inxi: 2.2.35
/etc/ldap/ldap.conf
BASE dc=somedomain,dc=dk
URI ldap://login.somedomain.dk
BINDDN uid=LDAP_Client,ou=software,dc=somedomain,dc=dk
BINDPW xxxxx
ldapsearch -x -w xxxxx -D "uid=LDAP_Client,ou=software,dc=somedomain,dc=dk" uid=admin
# extended LDIF
#
# LDAPv3
# base <dc=somedomain,dc=dk> (default) with scope subtree
# filter: uid=admin
# requesting: ALL
#
# admin, people, somedomain.dk
dn: uid=admin,ou=people,dc=somedomain,dc=dk
givenName: XXXXX YYYYYY
sn: ZZZZZZ (admin)
displayName: XXXXX YYYYYY ZZZZZZ (admin)
cn: XXXXX YYYYYY ZZZZZZ (admin)
uidNumber: 10000
gidNumber: 10001
homeDirectory: /home/admin
loginShell: /bin/csh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uid: admin
userPassword:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
/etc/ldap.conf (only used in the pam_ldap config):
BASE dc=somedomain,dc=dk
URI ldap://login.somedomain.dk
BINDDN uid=LDAP_Client,ou=software,dc=somedomain,dc=dk
BINDPW xxxxx
TLS_CACERT /etc/ssl/login.somedomain.dk.CAfullcain.pem
TLS_CIPHER_SUITE HIGH:MEDIUM:+SSLv3
cat /etc/pam.d/common-auth
Hmm... I just discovered that there is an entry with pam_ldap.so. Replace it with pam_sssd.so?
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=4 default=ignore] pam_unix.so nullok_secure
auth [success=3 default=ignore] pam_ldap.so use_first_pass
auth [success=2 default=ignore] pam_ccreds.so minimum_uid=1000 action=validate use_first_pass
auth [default=ignore] pam_ccreds.so minimum_uid=1000 action=update
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_ccreds.so minimum_uid=1000 action=store
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
# end of pam-auth-update config
/etc/nsswitch.conf:
passwd: files sss
group: files sss
shadow: files sss
sudoers: files sss
#passwd: files ldap
#group: files ldap
#shadow: files ldap
/etc/sssd/sssd.conf:
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP1
[domain/LDAP1]
cache_credentials = true
enumerate = true
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://login.somedomain.dk
ldap_default_bind_dn = uid=LDAP_Client,ou=software,dc=somedomain,dc=dk
ldap_default_authtok = xxxxx
ldap_search_base = dc=somedomain,dc=dk
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /usr/local/etc/ssl/login.somedomain.dk.CAfullcain.pem
ldap_schema = rfc2307
chpass_provider = ldap
entry_cache_timeout = 600
ldap_network_timeout = 2
slapd server-side log:
Feb 11 11:22:46 Login slapd[5941]: conn=21136 fd=29 ACCEPT from IP=10.0.0.48:41882 (IP=0.0.0.0:389)
Feb 11 11:22:46 Login slapd[5941]: conn=21136 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Feb 11 11:22:46 Login slapd[5941]: conn=21136 op=0 SRCH attr=* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domainControllerFunctionality defaultNamingContext lastUSN highestCommittedUSN
Feb 11 11:22:46 Login slapd[5941]: conn=21136 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 11 11:22:46 Login slapd[5941]: conn=21136 op=1 BIND dn="uid=LDAP_Client,ou=software,dc=somedomain,dc=dk" method=128
Feb 11 11:22:46 Login slapd[5941]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Feb 11 11:22:46 Login slapd[5941]: conn=21136 op=1 BIND dn="uid=LDAP_Client,ou=software,dc=somedomain,dc=dk" mech=SIMPLE ssf=0
Feb 11 11:22:46 Login slapd[5941]: conn=21136 op=1 RESULT tag=97 err=0 text=
Feb 11 11:22:46 Login slapd[5941]: conn=21136 op=2 SRCH base="dc=somedomain,dc=dk" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=*)(uidNumber=*)(gidNumber=*))"
Feb 11 11:22:46 Login slapd[5941]: conn=21136 op=2 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey
Feb 11 11:22:46 Login slapd[5941]: conn=21136 op=2 SEARCH RESULT tag=101 err=0 nentries=2 text=
Feb 11 11:22:46 Login slapd[5941]: conn=21136 op=3 SRCH base="dc=somedomain,dc=dk" scope=2 deref=0 filter="(&(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))"
Feb 11 11:22:46 Login slapd[5941]: conn=21136 op=3 SRCH attr=objectClass cn userPassword gidNumber memberuid modifyTimestamp modifyTimestamp
Feb 11 11:22:46 Login slapd[5941]: conn=21136 op=3 SEARCH RESULT tag=101 err=0 nentries=5 text=
Feb 11 11:22:46 Login slapd[5941]: conn=21136 op=4 SRCH base="dc=somedomain,dc=dk" scope=2 deref=0 filter="(&(objectClass=ipService)(cn=*)(ipServicePort=*)(ipServiceProtocol=*))"
Feb 11 11:22:46 Login slapd[5941]: conn=21136 op=4 SRCH attr=objectClass cn ipServicePort ipServiceProtocol modifyTimestamp
Feb 11 11:22:46 Login slapd[5941]: conn=21136 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
systemctl status sssd
● sssd.service - System Security Services Daemon
Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2018-02-11 19:37:41 CET; 23h ago
Main PID: 6101 (sssd)
CGroup: /system.slice/sssd.service
├─6101 /usr/sbin/sssd -i -f
├─6102 /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain LDAP1 --uid 0 --gid 0 --debug-to-files
├─6105 /usr/lib/x86_64-linux-gnu/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
└─6106 /usr/lib/x86_64-linux-gnu/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
ls -l /var/lib/sss/db
total 4084
-rw------- 1 root root 1609728 Feb 12 19:21 cache_LDAP1.ldb
-rw------- 1 root root 1286144 Feb 11 19:21 config.ldb
-rw------- 1 root root 1286144 Feb 11 19:21 sssd.ldb
If I remove sssd, delete the database, and reinstall, then the db files get cached again.
apt-get remove sssd
rm /var/lib/sss/db/*
apt-get install sssd
ls -l /var/log/sssd/
total 1924
-rw------- 1 root root 0 Feb 11 19:22 ldap_child.log
-rw------- 1 root root 1959945 Feb 12 18:41 sssd_LDAP1.log
-rw------- 1 root root 0 Feb 11 19:22 sssd.log
-rw------- 1 root root 260 Feb 11 19:37 sssd_nss.log
-rw------- 1 root root 0 Feb 11 19:22 sssd_pam.log
/var/log/sssd/sssd_nss.log
(Mon Feb 12 19:27:24 2018) [sssd[nss]] [id_callback] (0x0010): The Monitor returned an error [org.freedesktop.DBus.Error.NoReply]
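Added here as an example, not part of the original post: a small Python audit of slapd log lines like the ones quoted above. The point it makes is that the `ssf=0` on slapd's `BIND ... mech=SIMPLE ssf=0` line is the SASL-layer security strength only, and is printed as 0 even when the connection is protected by TLS, so the bind line on its own cannot tell you whether the bind password crossed the wire in cleartext. The script therefore tracks per connection whether the client was accepted on port 636 (ldaps) or completed StartTLS (slapd logs a `TLS established tls_ssf=...` line for that) before the bind. The posted connection conn=21136 was accepted on port 389 with no TLS line before its SIMPLE bind, so it is flagged. It also collects `unrecognized control` lines; 1.3.6.1.4.1.42.2.27.8.5.1 is the LDAP password-policy request control, which slapd reports when the ppolicy overlay is not configured, and the bind still returns err=0. The first connection in the sample is copied from the post (BBCode removed); the second connection, which negotiates StartTLS, is constructed to show the contrast.

```python
import re

# Constructed sample log. conn=21136 is the connection from the post above;
# conn=21140 is made up to show a bind that happens after StartTLS.
SAMPLE_LOG = """\
Feb 11 11:22:46 Login slapd[5941]: conn=21136 fd=29 ACCEPT from IP=10.0.0.48:41882 (IP=0.0.0.0:389)
Feb 11 11:22:46 Login slapd[5941]: conn=21136 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Feb 11 11:22:46 Login slapd[5941]: conn=21136 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 11 11:22:46 Login slapd[5941]: conn=21136 op=1 BIND dn="uid=LDAP_Client,ou=software,dc=somedomain,dc=dk" method=128
Feb 11 11:22:46 Login slapd[5941]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Feb 11 11:22:46 Login slapd[5941]: conn=21136 op=1 BIND dn="uid=LDAP_Client,ou=software,dc=somedomain,dc=dk" mech=SIMPLE ssf=0
Feb 11 11:22:46 Login slapd[5941]: conn=21136 op=1 RESULT tag=97 err=0 text=
Feb 11 11:30:02 Login slapd[5941]: conn=21140 fd=31 ACCEPT from IP=10.0.0.48:41910 (IP=0.0.0.0:389)
Feb 11 11:30:02 Login slapd[5941]: conn=21140 op=0 STARTTLS
Feb 11 11:30:02 Login slapd[5941]: conn=21140 op=0 RESULT oid= err=0 text=
Feb 11 11:30:02 Login slapd[5941]: conn=21140 fd=31 TLS established tls_ssf=256 ssf=256
Feb 11 11:30:02 Login slapd[5941]: conn=21140 op=1 BIND dn="uid=LDAP_Client,ou=software,dc=somedomain,dc=dk" method=128
Feb 11 11:30:02 Login slapd[5941]: conn=21140 op=1 BIND dn="uid=LDAP_Client,ou=software,dc=somedomain,dc=dk" mech=SIMPLE ssf=0
Feb 11 11:30:02 Login slapd[5941]: conn=21140 op=1 RESULT tag=97 err=0 text=
"""

LDAPS_PORT = 636

# ACCEPT line: connection id, peer address:port, and the local listener port.
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\S+) \(IP=\S+:(\d+)\)")
# TLS line slapd emits after a successful StartTLS (or ldaps handshake).
TLS_RE = re.compile(r"conn=(\d+) (?:fd=\d+ )?TLS established tls_ssf=(\d+)")
# The second BIND line, which carries the mechanism and the SASL-layer ssf.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" mech=(\w+) ssf=(\d+)')
# Controls slapd does not know; these lines carry no conn= so cannot be attributed.
CTRL_RE = re.compile(r"unrecognized control: ([\d.]+)")


def audit_slapd_log(text):
    """Return a list of findings (dicts with a 'kind' key) for the given slapd log text."""
    conns = {}      # conn id -> {"peer": str, "port": int, "tls": bool}
    findings = []
    for line in text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            cid, peer, port = m.groups()
            # An ldaps listener is encrypted from the first byte; ldap:// is not until StartTLS.
            conns[cid] = {"peer": peer, "port": int(port), "tls": int(port) == LDAPS_PORT}
            continue
        m = TLS_RE.search(line)
        if m:
            cid, tls_ssf = m.groups()
            conns.setdefault(cid, {"peer": "?", "port": 0, "tls": False})["tls"] = int(tls_ssf) > 0
            continue
        m = BIND_RE.search(line)
        if m:
            cid, op, dn, mech, sasl_ssf = m.groups()
            conn = conns.get(cid, {"peer": "?", "port": 0, "tls": False})
            # Protected if TLS was established or a SASL security layer (ssf>0) is in place.
            protected = conn["tls"] or int(sasl_ssf) > 0
            if mech == "SIMPLE" and not protected:
                findings.append({"kind": "cleartext_simple_bind", "conn": cid, "op": op,
                                 "dn": dn, "peer": conn["peer"], "port": conn["port"]})
            continue
        m = CTRL_RE.search(line)
        if m:
            findings.append({"kind": "unrecognized_control", "oid": m.group(1)})
    return findings


def main():
    for f in audit_slapd_log(SAMPLE_LOG):
        if f["kind"] == "cleartext_simple_bind":
            print(f"conn={f['conn']} from {f['peer']}: SIMPLE bind of {f['dn']} "
                  f"on port {f['port']} without TLS (bind password sent in cleartext)")
        else:
            print(f"server rejected unknown control {f['oid']} (harmless if the bind still succeeds)")


if __name__ == "__main__":
    main()
```

To run it over a real file, replace `SAMPLE_LOG` with the contents of the slapd log (the `loglevel stats` format shown in the post); a client that is really using `ldaps://` should appear as an ACCEPT on port 636, and a client using StartTLS should show a `TLS established` line before its bind.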