Saturday, June 27, 2015

linux - SSSD on Centos, Active Directory search returns zero results



Basic Info



I'm running sssd (1.13.3-22) on Centos (6.8) to authenticate with Active Directory (2012). I do not wish to use uid numbers stored in AD, so I have ldap_id_mapping set to true.




When I run "id ValidUsername" I get the response "No Such User". I look in the sssd domain log and see the ldap search for ValidUsername returned no results. When I run the same query with ldapsearch it also returns no results, but I can modify the query to exclude uidNumber and it will return a result. See details below for ldap query info.



Detailed Info



sssd_VALID.DOMAIN.CORP.log Snippet



[sdap_search_user_next_base] (0x0400): Searching for users with base [DC=valid,DC=domain,DC=corp]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=ValidUsername)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][DC=valid,DC=domain,DC=corp].
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
[sdap_search_user_process] (0x0400): Search for users, returned 0 results.

[sdap_get_users_done] (0x0040): Failed to retrieve users
[sysdb_search_by_name] (0x0400): No such entry
[sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
[acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
[be_ptask_online_cb] (0x0400): Back end is online


The ldap query sssd used is listed in the log at [sdap_get_generic_ext_step]. If I take the same query and test it by running ldap search, I also get no result:



ldapsearch -LLL -Y GSSAPI -N -H ldap://dc1.valid.domain.corp -b "DC=valid,DC=domain,DC=corp" '(&(sAMAccountName=ValidUsername)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))'



However, if I remove the uidNumber lookup parts of the query, I get the expected user data as a result:



ldapsearch -LLL -Y GSSAPI -N -H ldap://dc1.valid.domain.corp -b "DC=valid,DC=domain,DC=corp" '(&(sAMAccountName=ValidUsername)(objectclass=user)(sAMAccountName=*))'


If ldap_id_mapping is set to true, why is sssd querying AD for uidNumber data? I checked the user attributes and the uidNumber attribute has no value, so sssd won't work unless I populate this value. Microsoft is deprecating the management tools for unix attributes, so I'd prefer to not bother with them.



I'd don't want to use winbind, which has been flaky for me in the past.




Is there any config item I can use to force sssd to send a valid user lookup query? Or is there something else I'm missing?



sssd.conf



[sssd]
config_file_version = 2
debug_level = 6
domains = VALID.DOMAIN.CORP
services = nss, pam


[nss]
debug_level = 6

[pam]
debug_level = 6

[domain/VALID.DOMAIN.CORP]
debug_level = 8


id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
subdomains_provider = none

dyndns_update = false

ad_server = dc1.VALID.DOMAIN.corp
ad_backup_server = dc2.VALID.DOMAIN.corp


ldap_id_mapping = true
ldap_schema = ad

fallback_homedir = /home/%d/%u
default_shell = /bin/bash


smb.conf




workgroup = VALID
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = VALID.DOMAIN.CORP
security = ads
log file = /var/log/samba/log.%m
max log size = 50

Answer




It's because you set subdomains provider to none. It's a bit counter-intuitive, but the subdomains provider also retrieves information about the joined domain including the SID which is needed for ID mapping.



You have three options:




  1. enable the subdomains provider. I don't know why you disabled it, most people do that in order to work around trusted domain being unreachable

  2. if you need to keep the subdomains provider disabled, you need to manually set the domain SID, see man sssd-ldap and search for "domain_sid"

  3. If you are running 7.3, you can only enable the joined domain using ad_enabled_domains


No comments:

Post a Comment

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...