[Freeipa-users] SSS problems with eDirectory

Scott Duckworth sduckwo at clemson.edu
Thu Jul 22 15:10:25 UTC 2010


On Wed, Jul 21, 2010 at 6:18 PM, Dmitri Pal <dpal at redhat.com> wrote:

> Scott Duckworth wrote:
> > On Wed, Jul 21, 2010 at 5:58 PM, Dmitri Pal <dpal at redhat.com
> > <mailto:dpal at redhat.com>> wrote:
> >
> >     Scott Duckworth wrote:
> >     > I'm trying to set up a vanilla installation of Fedora 13 to
> >     > authenticate against an eDirectory server.  We have this working on
> >     > RHEL5 using nss_ldap and pam_ldap, but doing this same
> configuration
> >     > on Fedora 13 did not work.  So I'm now attempting the configuration
> >     > using SSS.  I used the graphical tools to set up the basics, then
> >     > started editing /etc/sssd/sssd.conf to get the specifics right.
> >     >
> >     > The directory server uses rfc2307bis groups.  User DNs do not have
> >     > memberOf attributes or any shadow or kerberos attributes.
> >      Kerberos is
> >     > not available, LDAP is used for authentication.
> >     >
> >     > The SSSD client is sssd-1.2.1-15.fc13.x86_64.
> >     >
> >     > /etc/sssd/sssd.conf:
> >     > [sssd]
> >     > config_file_version = 2
> >     > reconnection_retries = 3
> >     > sbus_timeout = 30
> >     > services = nss, pam
> >     > domains = CLEMSONU
> >     > [nss]
> >     > debug_level = 7
> >     > filter_groups = root
> >     > filter_users = root
> >     > reconnection_retries = 3
> >     > entry_cache_timeout = 1
> >     > entry_cache_nowait_timeout = 1
> >     > [pam]
> >     > debug_level = 7
> >     > reconnection_retries = 3
> >     > [domain/CLEMSONU]
> >     > debug_level = 20
> >     > enumerate = False
> >     > cache_credentials = False
> >     > id_provider = ldap
> >     > auth_provider = ldap
> >     Try adding here
> >
> >     ldap_schema = rfc2307bis
> >
> >
> > No difference.
>
> I assume you restarted SSSD and probably cleared the cache since it
> might already have got it wrong.
>
> Instructions for cleaning:
> Beginning with version 0.6.0, SSSD maintains a separate database file
> for each domain. This means that each domain has its own cache, and in
> the event that problems occur and maintenance is necessary, it is very
> easy to purge the cache for a single domain, by stopping sssd and
> deleting the corresponding cache file. These cache files are stored in
> the /var/lib/sss/db/ directory.
> All cache files are named according to the domain that they represent,
> for example cache_DOMAINNAME.ldb.
>

I removed all files from /var/lib/sss/db/ and restarted sssd.  Same
behavior.  nscd is disabled, so I don't think it's caching at any level.

Here is what I ran:

[root at duck2 ~]# getent passwd sduckwo
sduckwo:*:45265:10000:Scott Duckworth:/home/sduckwo:/bin/bash
[root at duck2 ~]# groups sduckwo
sduckwo : cuuser
[root at duck2 ~]# getent group coes_socunix
coes_socunix:*:120105:sduckwo

And here is what the domain log shows:

(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sbus_message_handler] (9):
Received SBUS method [getAccountInfo]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [be_get_account_info] (4):
Got request for [4098][1][name=coes_socunix]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (6):
calling ldap_search_ext with
[(&(cn=coes_socunix)(objectclass=posixGroup))][o=CLEMSONU].
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [objectClass]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [cn]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [userPassword]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [gidNumber]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [member]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [nsUniqueId]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [modifyTimestamp]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (8):
ldap_search_ext called, msgid = 6
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_process_result] (8):
Trace: sh[0xc55ad0], connected[1], ops[0xd5d5a0], ldap[0xc55cf0]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_parse_entry] (9):
OriginalDN: [cn=coes_socunix,ou=group,ou=SoC,ou=CES,o=CLEMSONU].
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_process_result] (8):
Trace: sh[0xc55ad0], connected[1], ops[0xd5d5a0], ldap[0xc55cf0]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_get_groups_process]
(6): Search for groups, returned 1 results.
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_process_result] (8):
Trace: sh[0xc55ad0], connected[1], ops[(nil)], ldap[0xc55cf0]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_process_result] (8):
Trace: ldap_result found nothing!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [ldb] (9): start ldb
transaction (nesting: 0)
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_save_group_send] (7):
Adding original DN [cn=coes_socunix,ou=group,ou=SoC,ou=CES,o=CLEMSONU] to
attributes of [coes_socunix].
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_save_group_send] (6):
Storing info for group coes_socunix
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done]
(6): Error: Entry not Found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done]
(6): Error: Entry not Found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_save_groups_loop] (9):
Group 0 processed!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_save_grpmem_send] (7):
Adding member users to group [coes_socunix]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (9):
[IPA or AD Schema]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships]
(7):     member #0 (cn=SDUCKWO,ou=s,ou=EMPLOYEE,o=CLEMSONU):
[name=sduckwo,cn=users,cn=CLEMSONU,cn=sysdb]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done]
(6): Error: Entry not Found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships]
(7):     member #1 (cn=DUCKWOS,ou=d,ou=Students,o=CLEMSONU): not found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done]
(6): Error: Entry not Found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships]
(7):     member #2 (cn=JDABNEY,ou=j,ou=Students,o=CLEMSONU): not found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done]
(6): Error: Entry not Found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships]
(7):     member #3 (cn=MDABNEY,ou=m,ou=Students,o=CLEMSONU): not found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done]
(6): Error: Entry not Found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships]
(7):     member #4 (cn=DABNEY,ou=d,ou=EMPLOYEE,o=CLEMSONU): not found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done]
(6): Error: Entry not Found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships]
(7):     member #5 (cn=DABNEY2,ou=d,ou=EMPLOYEE,o=CLEMSONU): not found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done]
(6): Error: Entry not Found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships]
(7):     member #6 (cn=MADPROF,ou=m,ou=EMPLOYEE,o=CLEMSONU): not found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done]
(6): Error: Entry not Found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships]
(7):     member #7 (cn=WAYNE,ou=w,ou=EMPLOYEE,o=CLEMSONU): not found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_save_grpmem_send] (6):
Storing members for group coes_socunix
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [ldb] (9): commit ldb
transaction (nesting: 0)
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_get_groups_done] (9):
Saving 1 Groups - Done
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [acctinfo_callback] (4):
Request processed. Returned 0,0,Success

It looks like it's only recognizing user DNs which have already been cached.


> If this does not help then you need to wait till tomorrow for Steve
> Gallagher to reply to you. He is gone for the day.
>
> --
> Thank you,
> Dmitri Pal
>
> Engineering Manager IPA project,
> Red Hat Inc.
>
>
>
>
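An added example, my own code rather than anything posted in this thread or shipped with SSSD: a small POSIX shell script that does the per-domain cache purge Dmitri describes (sssd must already be stopped; it deletes only cache_<DOMAIN>.ldb under /var/lib/sss/db and refuses domain names that could escape the directory or match more than one file), and then triages the sdap_fill_memberships lines from the domain log, counting members that mapped to a sysdb entry versus those reported "not found!" and listing the unresolved DNs. The sample log lines are constructed from the ones quoted above, joined back onto one line each as sssd writes them; the log path /var/log/sssd/sssd_CLEMSONU.log in the comment is an assumption, not something the page states.

```shell
#!/bin/sh
# Added example, not code from the thread or from SSSD itself.
# Assumptions (not stated on the page): sssd has already been stopped
# before the purge, and the debug log is read one message per line.

# Delete /var/lib/sss/db/cache_<DOMAIN>.ldb for one domain only.
# Usage: sssd_purge_domain_cache DOMAIN [DB_DIR]
# DB_DIR is a parameter so the function can be tried on a scratch directory.
sssd_purge_domain_cache() {
    domain="$1"
    db_dir="${2:-/var/lib/sss/db}"
    # Refuse names that could escape the directory or glob-match several
    # caches; a typo here must not turn into "rm cache_*.ldb".
    case "$domain" in
        ''|*/*|*'*'*|*'?'*|*'..'*)
            echo "refusing suspicious domain name '$domain'" >&2
            return 2 ;;
    esac
    cache="$db_dir/cache_$domain.ldb"
    if [ ! -f "$cache" ]; then
        echo "no cache file at $cache" >&2
        return 1
    fi
    rm -f -- "$cache"
    echo "removed $cache"
}

# Read a domain log on stdin and print "<resolved> <unresolved>": how many
# group members sdap_fill_memberships mapped to a sysdb entry versus how
# many it reported as "not found!".
sssd_member_resolution_summary() {
    resolved=0
    unresolved=0
    while IFS= read -r line; do
        case "$line" in
            *'[sdap_fill_memberships]'*'member #'*'not found!'*)
                unresolved=$((unresolved + 1)) ;;
            *'[sdap_fill_memberships]'*'member #'*'cn=sysdb]'*)
                resolved=$((resolved + 1)) ;;
        esac
    done
    echo "$resolved $unresolved"
}

# Print the LDAP DN of every member that was not found, one per line.
sssd_unresolved_members() {
    sed -n 's/.*member #[0-9]* (\(.*\)): not found!.*/\1/p'
}

# Constructed sample: four of the log messages quoted in the thread, each
# joined back onto a single line as sssd writes them.
SAMPLE_LOG='(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7):     member #0 (cn=SDUCKWO,ou=s,ou=EMPLOYEE,o=CLEMSONU): [name=sduckwo,cn=users,cn=CLEMSONU,cn=sysdb]
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7):     member #1 (cn=DUCKWOS,ou=d,ou=Students,o=CLEMSONU): not found!
(Thu Jul 22 10:59:15 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7):     member #2 (cn=JDABNEY,ou=j,ou=Students,o=CLEMSONU): not found!'

# Demo on the sample. On a real box the equivalent would be (assumed path):
#   grep sdap_fill_memberships /var/log/sssd/sssd_CLEMSONU.log | sssd_unresolved_members
printf '%s\n' "$SAMPLE_LOG" | sssd_member_resolution_summary
printf '%s\n' "$SAMPLE_LOG" | sssd_unresolved_members
```

The purge function deliberately takes one domain and one exact file rather than wiping /var/lib/sss/db/ wholesale, so the other domains' caches (and any cached credentials they hold) survive; the summary makes the "only already-cached DNs resolve" pattern visible as a count instead of requiring a read through the whole log.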