Created attachment 552449
sssd logs
Description of problem:
With sssd-1.7.0-1.fc16.i686 I'm getting expired Kerberos tickets on login. It appears to not set up the LDAP server properly.
The issue here is that the LDAP server in question has multiple entries for 'namingContexts' in the rootDSE, but does not have a 'defaultNamingContext' attribute to identify which is the primary. However, this should only be necessary if there are ldap_*_search_base attributes that were not populated by the config file. In this particular user's case, the ldap_search_base option is in use, which should be sufficient. So the correct fix here is to identify why we're caring about the inability to identify the default naming context, since we aren't using it for anything. Thanks for the bug report.
Upstream ticket: https://fedorahosted.org/sssd/ticket/1152
Ok, I see what's happening here now. You have "ldap_user_search_base", "ldap_group_search_base" and "ldap_netgroup_search_base". However, SSSD 1.7.0 added another option "ldap_sudo_search_base" (which wasn't supposed to be exposed in the default build, since it's experimental). The safest workaround at the moment is to just specify "ldap_search_base", since that serves as the default base for any others we might add (such as "ldap_services_search_base" which is coming in SSSD 1.8.0.) The reason we don't fail at startup is because we assume that any search base not specified is going to auto-detect from the LDAP server's RootDSE namingContexts attribute. In your case, that entry isn't safe to use (because there are multiple namingContexts attributes and no way to determine which is the correct one). I'm going to update https://fedorahosted.org/sssd/ticket/1152 to propose that we should fail at startup if only a subset of the search bases are specified in the config file (and "ldap_search_base" isn't set for default values). I'll also open a new ticket to track allowing multiple namingContexts values to set multiple search bases.
https://fedorahosted.org/sssd/ticket/1155 is the ticket to track the multiple search bases.
I already am setting ldap_search_base and that's the only search_base I'm setting:
# grep -F search_base /etc/sssd/sssd.conf
ldap_search_base = dc=nwra,dc=com
Wasn't sure if this was in line with your analysis above.
Hmm, you're right. I originally thought it was unset (looking at the logs), but I now see otherwise. Ok, then the real bug here is that the SUDO search base isn't being set to the ldap_search_base. I'll look into why that is. Thanks for the information.
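
The fallback order discussed in the comments above (per-map option, then ldap_search_base, then the rootDSE), as an added example that is not part of the bug thread and is not SSSD's own code. The function names are hypothetical, and the domain name `default`, the second namingContexts value and the `ou=` bases are constructed sample data.

```python
import configparser

# Per-map options named in the thread; each is expected to fall back to ldap_search_base.
SPECIFIC = ("ldap_user_search_base", "ldap_group_search_base",
            "ldap_netgroup_search_base", "ldap_sudo_search_base")

def rootdse_default(rootdse):
    """Return the base the rootDSE identifies unambiguously, or None."""
    if rootdse.get("defaultNamingContext"):
        return rootdse["defaultNamingContext"][0]
    contexts = rootdse.get("namingContexts", [])
    return contexts[0] if len(contexts) == 1 else None

def resolve_search_bases(conf_text, domain, rootdse):
    """Map each option to (base, source); base is None when nothing safe exists."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    sect = cp["domain/" + domain]
    default = sect.get("ldap_search_base")
    detected = rootdse_default(rootdse)
    result = {}
    for opt in SPECIFIC:
        if sect.get(opt):
            result[opt] = (sect[opt], "config")
        elif default:
            result[opt] = (default, "ldap_search_base")
        elif detected:
            result[opt] = (detected, "rootDSE")
        else:
            result[opt] = (None, "ambiguous")
    return result

def unresolved(result):
    """Options with no usable base: the case the thread proposes failing on at startup."""
    return sorted(opt for opt, (base, _) in result.items() if base is None)

# Constructed sample data: several namingContexts and no defaultNamingContext.
ROOTDSE = {"namingContexts": ["dc=nwra,dc=com", "o=netscaperoot"]}
REPORTER_CONF = "[domain/default]\nldap_search_base = dc=nwra,dc=com\n"
SUBSET_CONF = ("[domain/default]\n"
               "ldap_user_search_base = ou=People,dc=nwra,dc=com\n"
               "ldap_group_search_base = ou=Group,dc=nwra,dc=com\n"
               "ldap_netgroup_search_base = ou=Netgroup,dc=nwra,dc=com\n")

if __name__ == "__main__":
    for name, conf in (("reporter", REPORTER_CONF), ("subset", SUBSET_CONF)):
        res = resolve_search_bases(conf, "default", ROOTDSE)
        print(name, "unresolved:", unresolved(res))
```

With the reporter's configuration every base, including the sudo one, resolves to ldap_search_base; with only a subset of per-map bases set, ldap_sudo_search_base is left without a safe value.
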
sssd-1.7.0-3.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/FEDORA-2012-0237/sssd-1.7.0-3.fc16
Package sssd-1.7.0-5.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.7.0-5.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-0237/sssd-1.7.0-5.fc16
then log in and leave karma (feedback).
sssd-1.8.0-5.fc17.beta3 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/sssd-1.8.0-5.fc17.beta3
Package sssd-1.8.0-5.fc17.beta3:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.8.0-5.fc17.beta3'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2196/sssd-1.8.0-5.fc17.beta3
then log in and leave karma (feedback).
Package sssd-1.8.0-5.fc17.beta3.1:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.8.0-5.fc17.beta3.1'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2196/sssd-1.8.0-5.fc17.beta3.1
then log in and leave karma (feedback).
sssd-1.8.0-5.fc17.beta3.1 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/FEDORA-2012-2196/sssd-1.8.0-5.fc17.beta3.1
sssd-1.8.0-6.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/sssd-1.8.0-6.fc16
Package sssd-1.8.0-6.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sssd-1.8.0-6.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-2725/sssd-1.8.0-6.fc16
then log in and leave karma (feedback).
sssd-1.8.0-6.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
sssd-1.8.1-7.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.