| Summary: | "getent passwd username" do not work if enumeration is not enabled with AD backend | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Nirupama Karandikar <nkarandi> |
| Component: | sssd | Assignee: | Jakub Hrozek <jhrozek> |
| Status: | CLOSED WORKSFORME | QA Contact: | Kaushik Banerjee <kbanerje> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.0 | CC: | grajaiya, jgalipea, lslebodn, mkosek, nsoman, pbrezina |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-11-14 09:33:44 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |

Description
Nirupama Karandikar
2013-11-12 12:31:07 UTC
Do fully qualified names work? getent passwd username@ADTEST in your case.

Hi Jakub,

I tried "getent passwd sssduser1@ADTEST", but it still does not work. The domain logs give the same error as before.

----------------------------------
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=sssduser1]
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_step] (0x4000): beginning to connect
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD_GC'
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [be_mark_offline] (0x2000): Going offline!
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_done] (0x4000): notify offline to op #1
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [ad_account_info_complete] (0x0010): Bug: dp_error is OK on failed request
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [acctinfo_callback] (0x0100): Request processed. Returned 3,11,Internal Error (Have exhausted maximum number of retries for service)
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [sdap_id_release_conn_data] (0x4000): releasing unused connection
----------------------------------

Thanks,
Niru

(In reply to Nirupama Karandikar from comment #2)
> Hi Jakub,
>
> I tried "getent passwd sssduser1@ADTEST", but it still does not work. The
> domain logs give the same error as before.
>
> ----------------------------------
> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [be_get_account_info]
> (0x0100): Got request for [4097][1][name=sssduser1]
> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_step]
> (0x4000): beginning to connect
> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send]
> (0x0100): Trying to resolve service 'AD_GC'
> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send]
> (0x0020): No available servers for service 'AD_GC'
> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [be_resolve_server_done]
> (0x1000): Server resolution failed: 5
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^
It looks like the global catalog is disabled on your AD.

> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_done]
> (0x0020): Failed to connect, going offline (5 [Input/output error])
> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [be_mark_offline] (0x2000):
> Going offline!
> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [be_run_offline_cb] (0x0080):
> Going offline. Running callbacks.
> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_done]
> (0x4000): notify offline to op #1
> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [ad_account_info_complete]
> (0x0010): Bug: dp_error is OK on failed request(Tue Nov 12 18:29:05 2013)
> [sssd[be[ADTEST]]] [acctinfo_callback] (0x0100): Request processed. Returned
> 3,11,Internal Error (Have exhausted maximum number of retries for service)
> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [sdap_id_release_conn_data]
> (0x4000): releasing unused connection

This bug was fixed in the sssd 1.11.2.

Hi Jakub,
Under NTDS settings on my AD DC, I can see Global Catalog is working on it. Also I am able to telnet to port 3268.
# telnet 10.65.207.124 3268
Trying 10.65.207.124...
Connected to 10.65.207.124.
Escape character is '^]'.
Am I missing anything ?
If I understood correctly, the following error occurs because the AD GC is not reachable. However, when I enable enumerate, it is able to pull users/groups at the start of the service.
> (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_done]
> (0x0020): Failed to connect, going offline (5 [Input/output error])
Is "enumerate" doing anything special here ?
Thanks,
Niru
AD Enumeration reads data from LDAP while regular lookups connect to GC. It's a known bug, but it has not been fixed in upstream yet. https://fedorahosted.org/sssd/ticket/2142

(In reply to Nirupama Karandikar from comment #5)
> Hi Jakub,
>
> Under NTDS settings on my AD DC, I can see Global Catalog is working on it.
> Also I am able to telnet to port 3268.
>
>
> # telnet 10.65.207.124 3268
> Trying 10.65.207.124...
> Connected to 10.65.207.124.
> Escape character is '^]'.
>
> Am I missing anything ?
>
> If I understood correctly, the following error occurs because the AD GC is
> not reachable. However, when I enable enumerate, it is able to pull
> users/groups at the start of the service.
>
> > (Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [sdap_id_op_connect_done]
> > (0x0020): Failed to connect, going offline (5 [Input/output error])
>
> Is "enumerate" doing anything special here ?
>
> Thanks,
>
> Niru

Can you paste or attach a larger portion of the logs or give us access to the Linux client you are debugging?

Hi Jakub,

It seems that there was some temporary issue with the AD Global Catalogue. It is working for me now.

I also tried on a newly built RHEL7 and it works for me now.

Niru

(In reply to Nirupama Karandikar from comment #8)
> Hi Jakub,
>
> It seems that there was some temporary issue with the AD Global Catalogue.
> It is working for me now.
>
> I also tried on a newly built RHEL7 and it works for me now.
>
> Niru

Great, I'll close the bug for now but please reopen if it hits again.
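
The following triage script is an added example, not part of the original report and not SSSD's own tooling. It reads an SSSD domain log in the format quoted in this thread and reports, for each account request, which failover service had no available servers before the backend went offline. The sample lines are copied from the log in this report; the names `triage`, `LINE_RE` and `SAMPLE` are assumptions made for the example.

```python
import re

# Layout of an SSSD backend debug line, as seen in the report:
# (timestamp) [sssd[be[DOMAIN]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)"
)

# Lines copied from the domain log quoted in this report.
SAMPLE = """\
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=sssduser1]
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'AD_GC'
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [fo_resolve_service_send] (0x0020): No available servers for service 'AD_GC'
(Tue Nov 12 18:29:05 2013) [sssd[be[ADTEST]]] [be_mark_offline] (0x2000): Going offline!
"""

def triage(log_text):
    """Return one finding per account request that ended with the backend offline."""
    findings, pending = [], {}  # pending: domain -> request currently in flight
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # wrapped or foreign lines are skipped
        dom, func, msg = m["domain"], m["func"], m["msg"]
        if func == "be_get_account_info":
            # A new lookup starts; remember it until we see how it ends.
            pending[dom] = {"domain": dom, "time": m["ts"],
                            "request": msg, "failed_service": None}
        elif dom in pending:
            if func == "fo_resolve_service_send" and msg.startswith("No available servers"):
                svc = re.search(r"'([^']+)'", msg)
                pending[dom]["failed_service"] = svc.group(1) if svc else None
            elif func == "be_mark_offline":
                findings.append(pending.pop(dom))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['time']} {f['domain']}: offline after {f['request']!r}; "
              f"no servers for service {f['failed_service']}")
```

A finding naming `AD_GC` points at the Global Catalog lookup path discussed in the thread, which by-name lookups use while enumeration reads from LDAP.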