[Freeipa-users] Clients are reading AD info inconsistently

Sumit Bose sbose at redhat.com
Fri Mar 27 15:18:29 UTC 2015


On Fri, Mar 27, 2015 at 02:23:27PM +0000, Guertin, David S. wrote:
> >To see why the login fails it would be good to
> >know how you try to log in (I assume ssh) and which authentication method
> >is used (password, ssh key, Kerberos ticket).
> >Additionally the SSSD log files might be needed, most important here are the
> >logs from the PAM and PAC responders and the domain log.
> 
> Yes, this is SSH. There are a few hints in the log files on the client:
> 
> sssd_ipa.middlebury.edu.log:
> 
> (Fri Mar 27 09:29:14 2015) [sssd[be[ipa.middlebury.edu]]] [ipa_s2n_exop_send] (0x0400): Executing extended operation
> (Fri Mar 27 09:29:14 2015) [sssd[be[ipa.middlebury.edu]]] [ipa_s2n_exop_send] (0x2000): ldap_extended_operation sent, msgid = 12
> (Fri Mar 27 09:29:14 2015) [sssd[be[ipa.middlebury.edu]]] [sdap_process_result] (0x2000): Trace: sh[0xe7f410], connected[1], ops[0xe80680], ldap[0xe641d0]
> (Fri Mar 27 09:29:14 2015) [sssd[be[ipa.middlebury.edu]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_EXTENDED]
> (Fri Mar 27 09:29:14 2015) [sssd[be[ipa.middlebury.edu]]] [ipa_s2n_exop_done] (0x0400): ldap_extended_operation result: Protocol error(2), (null)

The most likely reason for 'Protocol error' is that the server this
client is connected to does not support the special LDAP extended
operation used by SSSD on IPA clients to get the data for users and
groups from trusted domains. And the most likely reason for this is that
ipa-adtrust-install has not been run on that server. Please note that while
'ipa trust-add ...' must only be run once on one of the IPA servers,
ipa-adtrust-install must be run on all of them, e.g. to enable the LDAP
extended operation mentioned above.

You can check if the exop is enabled on the servers by running

ldapsearch -h localhost -x -b '' -s base|grep 2.16.840.1.113730.3.8.10.4

on each server. You should see 1 line of output, for RHEL-7.1 even 2.

> (Fri Mar 27 09:29:14 2015) [sssd[be[ipa.middlebury.edu]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed.
> (Fri Mar 27 09:29:14 2015) [sssd[be[ipa.middlebury.edu]]] [sdap_id_op_done] (0x4000): releasing operation connection
> (Fri Mar 27 09:29:14 2015) [sssd[be[ipa.middlebury.edu]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,1432158221,Account info lookup failed
> (Fri Mar 27 09:29:14 2015) [sssd[be[ipa.middlebury.edu]]] [sdap_process_result] (0x2000): Trace: sh[0xe7f410], connected[1], ops[(nil)], ldap[0xe641d0]
> 
> Sssd_nss.log:
> 
> (Fri Mar 27 09:29:14 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x418850:1:juser@middlebury.edu]
> (Fri Mar 27 09:29:14 2015) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [middlebury.edu][4097][1][name=juser]
> (Fri Mar 27 09:29:14 2015) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x6b5a10
> (Fri Mar 27 09:29:14 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x418850:1:juser@middlebury.edu]
> (Fri Mar 27 09:29:14 2015) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x6b5a10
> (Fri Mar 27 09:29:14 2015) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x6b0aa0
> (Fri Mar 27 09:29:14 2015) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
> (Fri Mar 27 09:29:14 2015) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 1432158221 error message: Account info lookup failed
> (Fri Mar 27 09:29:14 2015) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
> Error: 3, 1432158221, Account info lookup failed
> Will try to return what we have in cache
> (Fri Mar 27 09:29:14 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x418850:1:juser@middlebury.edu]
> 
> I don't see any errors in sssd_pam.log, sssd_pac.log, or sssd_ssh.log.
> 
> Is this an indication that something is wrong with the trust relationship? If so, why is it happening on this client but not the other one? And why are the servers working properly?

Maybe the clients are connected to different servers and only one of
them has the exop enabled? The servers themselves look up the AD users and
groups directly from the AD DC. Since the users are available on the
server and one client is already working, I expect that the trust
relationship is fine.

HTH

bye,
Sumit

> 
> David Guertin
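The per-server check Sumit describes above, turned into a small script that can be pointed at every IPA server at once. This is an added example, not code from the thread or from the FreeIPA/SSSD projects. It assumes ldapsearch from openldap-clients is installed, that each server's root DSE is readable anonymously on port 389 (which is what the -x search in the thread relies on), and it uses -H ldap://host instead of -h, which is deprecated in current OpenLDAP releases. The server names on the usage line and the root DSE excerpts used for the offline run are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the thread): report which IPA servers advertise
# the s2n extended operation that SSSD on IPA clients uses to resolve users
# and groups from trusted AD domains. A server that does not list it in its
# root DSE has not had ipa-adtrust-install run on it.

S2N_EXOP_OID="2.16.840.1.113730.3.8.10.4"

# Exit 0 when a root DSE dump advertises the s2n exop. Fixed-string match
# (-F) so the dots in the OID are not regex wildcards; the longer variant
# OID seen on RHEL-7.1 still matches because it shares this prefix.
rootdse_has_s2n_exop() {
    printf '%s\n' "$1" | grep -qF "supportedExtension: ${S2N_EXOP_OID}"
}

# Number of lines mentioning the OID (1 normally, 2 on RHEL-7.1 per the
# thread). grep -c exits 1 on a zero count, so force success to keep the
# number as the function's output.
count_s2n_lines() {
    printf '%s\n' "$1" | grep -cF "$S2N_EXOP_OID" || true
}

# Anonymous (-x) base-scope search of one server's root DSE, asking only
# for supportedExtension. Assumes openldap-clients and a reachable port 389.
query_rootdse() {
    ldapsearch -x -LLL -H "ldap://$1" -b '' -s base supportedExtension 2>/dev/null
}

# Check each server given as an argument; non-zero exit if any server is
# unreachable or lacks the exop, so the script can gate a deployment step.
check_servers() {
    rc=0
    for srv in "$@"; do
        if ! out=$(query_rootdse "$srv"); then
            echo "$srv: root DSE query failed"
            rc=1
            continue
        fi
        if rootdse_has_s2n_exop "$out"; then
            echo "$srv: s2n exop present ($(count_s2n_lines "$out") matching line(s))"
        else
            echo "$srv: s2n exop MISSING - run ipa-adtrust-install on this server"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed root DSE excerpts for the offline run (not captured from a
# real server). 1.3.6.1.4.1.4203.1.11.1 is the standard Password Modify
# exop, which every 389-ds based IPA server advertises anyway.
SAMPLE_WITH_EXOP='dn:
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 2.16.840.1.113730.3.8.10.4'

SAMPLE_WITHOUT_EXOP='dn:
supportedExtension: 1.3.6.1.4.1.4203.1.11.1'

if [ "$#" -gt 0 ]; then
    # Usage (hostnames are placeholders): sh check_s2n_exop.sh ipa1.example.com ipa2.example.com
    check_servers "$@"
else
    for sample in "$SAMPLE_WITH_EXOP" "$SAMPLE_WITHOUT_EXOP"; do
        if rootdse_has_s2n_exop "$sample"; then
            echo "constructed sample: s2n exop present"
        else
            echo "constructed sample: s2n exop missing"
        fi
    done
fi
```

Run it with the output of `ipa server-find --raw | grep cn:` trimmed to hostnames, or simply list the servers by hand; any server reported as MISSING is one that the clients seeing "Protocol error(2)" may be bound to.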