Centos 6.8 sssd fails to save user info

darlingtonm
Posts: 2
Joined: 2018/05/10 14:27:59

Centos 6.8 sssd fails to save user info

Post by darlingtonm » 2018/05/10 15:15:36

Good day

I run an application using CentOS 6.8 and I want to use sssd, ldap client and Novell eDirectory for authenticating users on the application.

I can connect to eDirectory successfully and I can see the users are returned from the eDirectory server for each query; however, sssd seems to fail to save user information.
Below is my configuration:
(SSSD.CONF)
[sssd]
config_file_version = 2
domains = EDldap
services = nss, pam

[nss]
filter_users = root, ldap, named, avahi, haldaemon, dbus, radiusd, news, nscd, ccsadmin, csgmon, ucmdb

[pam]

[domain/EDldap]
debug_level = 7
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://meqa.domain.corp
ldap_search_base = o=auth
ldap_id_use_start_tls = false

enumerate = true
cache_credentials = true
ldap_schema = rfc2307bis
ldap_user_fullname = fullName
override_homedir = /home/ldapusers/%u

ldap_default_bind_dn = cn=username,ou=services,o=auth
ldap_default_authtok_type = password
ldap_default_authtok = pass

(EDLDAP LOG)
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'meqa.domain.corp' as 'working'
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [o=auth]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=posixAccount)(uid=*)(uidNumber=*)(gidNumber=*))][o=auth].
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [fullName]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
(Thu May 10 16:50:24 2018) [sssd[be[EDldap]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sshPublicKey]
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=Michael,ou=Users,o=Auth].
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=Suarez,ou=Users,o=Auth].
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=Roooney,ou=Users,o=Auth].
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [sdap_search_user_process] (0x0400): Search for users, returned 3 results.
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): Save user
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [sdap_get_primary_name] (0x0400): Processing objectMichael
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): Processing userMichael
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): Original memberOf is not available for [Michael].
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): User principal is not available for [Michael].
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): Storing info for userMichael
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): Save user
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [sdap_get_primary_name] (0x0400): Processing object Suarez
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): Processing user Suarez
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): Original memberOf is not available for [Suarez].
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): User principal is not available for [Suarez].
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): Storing info for user Suarez
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): Save user
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [sdap_get_primary_name] (0x0400): Processing object Roooney
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): Processing user Roooney
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): Original memberOf is not available for [Roooney].
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): User principal is not available for [Roooney].
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): Storing info for user Roooney
(Thu May 10 16:50:26 2018) [sssd[be[EDldap]]] [enum_users_done] (0x0100): Users higher USN value: [20180510075404Z]


If I check the log of a working CentOS 7 box, with similar configuration, I see the below:

(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=Michael,ou=Users,o=Auth].
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=Suarez,ou=Users,o=Auth].
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sdap_parse_entry] (0x1000): OriginalDN: [cn=Roooney,ou=Users,o=Auth].
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sdap_search_user_process] (0x0400): Search for users, returned 3 results.
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): Save user
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sdap_get_primary_name] (0x0400): Processing object Michael
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): Processing user Michael@edldap
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): Original memberOf is not available for [Michael@edldap].
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): User principal is not available for [Michael@edldap].
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): Storing info for user Michael@edldap
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sysdb_set_entry_attr] (0x0200): Entry [name=Michael@edldap,cn=users,cn=EDldap,cn=sysdb] has set [ts_cache] attrs.
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): Save user
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sdap_get_primary_name] (0x0400): Processing object Suarez
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): Processing user Suarez@edldap
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): Original memberOf is not available for [Suarez@edldap].
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): User principal is not available for [Suarez@edldap].
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): Storing info for user Suarez@edldap
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sysdb_set_entry_attr] (0x0200): Entry [name=Suarez@edldap,cn=users,cn=EDldap,cn=sysdb] has set [ts_cache] attrs.
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): Save user
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0][Success]
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sdap_get_primary_name] (0x0400): Processing object Roooney
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): Processing user Roooney@edldap
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): Original memberOf is not available for [Roooney@edldap].
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): User principal is not available for [Roooney@edldap].
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sdap_save_user] (0x0400): Storing info for user Roooney@edldap
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [sysdb_set_entry_attr] (0x0200): Entry [name=Roooney@edldap,cn=users,cn=EDldap,cn=sysdb] has set [ts_cache] attrs.
(Thu May 10 16:40:47 2018) [sssd[be[EDldap]]] [enum_users_done] (0x0100): Users higher USN value: [20180510075404Z]


The difference seems to be here:
1. Working box is CentOS 7, non-working box is CentOS 6.8
2. On the working server, the domain is added to the username, e.g. Roooney@edldap, while on CentOS 6.8 it's plain Roooney
3. The line, [sssd[be[EDldap]]] [sysdb_set_entry_attr] (0x0200): Entry [name=Roooney@edldap,cn=users,cn=EDldap,cn=sysdb] has set [ts_cache] attrs, is not there in the non-working CentOS 6.8 box

Hence my conclusion that sssd is failing to save the user information.

Can someone assist and guide me as to where I am getting lost? There could be a setting somewhere I have missed, maybe, for sssd to successfully save my users.

Any further information, I will gladly provide.
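
Added example, not part of the original post or of SSSD itself: with an `ldap://` URI and `ldap_id_use_start_tls = false`, the identity lookups and the bind as `ldap_default_bind_dn` cross the network unencrypted, and a small audit of the posted domain section makes that visible. The finding labels, the `audit_sssd_domains` helper, the CA path and the hardened variant are assumptions made for illustration.

```python
import configparser

# Constructed sample: the LDAP transport settings of [domain/EDldap] as posted.
POSTED = """
[domain/EDldap]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://meqa.domain.corp
ldap_id_use_start_tls = false
ldap_default_bind_dn = cn=username,ou=services,o=auth
ldap_default_authtok_type = password
ldap_default_authtok = pass
"""

# Hypothetical hardened variant (assumptions: the directory offers StartTLS
# and its CA certificate is installed at the placeholder path below).
HARDENED = POSTED.replace(
    "ldap_id_use_start_tls = false",
    "ldap_id_use_start_tls = true\nldap_tls_reqcert = demand\n"
    "ldap_tls_cacert = /etc/openldap/certs/ca.pem")

def audit_sssd_domains(text):
    """Return sorted (section, finding) pairs for LDAP transport weaknesses."""
    # interpolation=None: values such as override_homedir contain '%u'.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        if not name.startswith("domain/") or sec.get("id_provider") != "ldap":
            continue
        uris = [u.strip().lower() for u in sec.get("ldap_uri", "").split(",") if u.strip()]
        plain = [u for u in uris if not u.startswith("ldaps://")]
        # Assumption: an absent ldap_id_use_start_tls is treated as off.
        starttls = sec.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
        if plain and not starttls:
            findings.append((name, "cleartext-id-lookups"))
            if sec.get("ldap_default_bind_dn"):
                findings.append((name, "bind-secret-sent-in-clear"))
        if sec.get("ldap_tls_reqcert", "").strip().lower() in ("never", "allow"):
            findings.append((name, "server-cert-not-verified"))
        if sec.get("ldap_default_authtok") and \
           sec.get("ldap_default_authtok_type", "password").strip() == "password":
            findings.append((name, "plaintext-secret-in-file"))
    return sorted(findings)
```

Run it over the full `/etc/sssd/sssd.conf` text; the hardened variant still reports the plaintext bind secret stored in the file, which TLS does not change.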

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Centos 6.8 sssd fails to save user info

Post by TrevorH » 2018/05/10 16:33:38

Your first step is to update to 6.9 which has been out for more than a year. RHEL 6.10 is in beta upstream and CentOS 6.10 will follow once that goes GA.

There are numerous high severity security vulnerabilities in 6.8 that are only fixed by updating to 6.9.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

darlingtonm
Posts: 2
Joined: 2018/05/10 14:27:59

Re: Centos 6.8 sssd fails to save user info

Post by darlingtonm » 2018/05/10 16:45:12

Thanks for the response, Trevor.

Unfortunately the server runs a Cisco application (Cisco Policy Suite), a RADIUS server, and I can't update on the fly just like that.
I will engage Cisco to see if they have a plan of update on their servers.
