LDAP Client Authentication using SSSD: Groups issue

389-dsauthenticationldapopenldapsssd

I have been able to setup 389 LDAP server and SSSD client authentication. However, whenever I login using ldap user after each login it displays the error

ttt@dsl's password: 
Last login: Thu Dec  6 12:52:06 2012
id: cannot find name for group ID 6006

I tried with multiple different users and multiple types. I am using Centos 6 on both server and client side. getent shadow does not return ldap users and this feature request have been denied by Redhat.https://bugzilla.redhat.com/show_bug.cgi?id=751291.

Or shall I switch back to nss_ldap/pam_ldap, but I may not get password caching that sssd provides.

Update:

root@dsl etc]# cat /etc/sssd/sssd.conf 
[domain/default]
ldap_tls_reqcert = never
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=ma,dc=net
#krb5_realm = EXAMPLE.COM
#krb5_server = kerberos.example.com
ldap_group_member = uniquemember
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.ma.net
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
enumerate = false
[sssd]
services = nss, pam
config_file_version = 2

#domains = LDAP
domains = 
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
[sudo]

[autofs]

[ssh]

[root@dsl etc]#

After login as user I can successfully execute id command, still wondering why it always says no such group.

[root@ldap02 ~]# ssh ttt@dsl
ttt@dsl's password: 
Last login: Thu Dec  6 13:18:16 2012 from 10.2.3.69
id: cannot find name for group ID 6006
[ttt@dsl ~]$ id ttt
uid=6006(ttt) gid=6006 groups=6006

Also

[root@dsl ~]# groups ttt
ttt : groups: cannot find name for group ID 6006
6006
[root@dsl ~]# groups ttt

Best Answer

Finally I was able to resolve it. This article helped me a lot.

Here is what I did. On SSSD side everything was configured fine, however, I did not configure the LDAP side. In order to Unix users (posix users) to work properly, we have to create posix groups and assign appropriate values.

For for each user, apart from assigning posix group ID and User ID, you need to attach them to a posix group as well. You can add this from 389 admin console as well. While creating group just click on the "posix group" section. Or from command prompt use this article

Related Solutions

Linux – Samba standalone server using LDAP for authentication: SID mismatch

I had a similar issue. What I had to do was edit the sambaSID entries for the domain, user and group in LDAP so they would match with what my server had. If not you will get the following error message in the Samba log in your server. To see this log be sure log level = 2 in your smb.conf.:

[2015/12/03 14:39:19.753690,  1] ../source3/auth/server_info.c:346(samu_to_SamInfo3)
  The primary group domain sid(S-1-5-21-748580849-194208185-3916830000-513) does not match the domain sid(S-1-5-21-2566626306-4294080665-3504248766) for someuser(S-1-5-21-2566626306-4294080665-3504248766-11678)
[2015/12/03 14:39:19.753733,  0] ../source3/auth/check_samsec.c:492(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
[2015/12/03 14:39:19.753755,  2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [someuser] -> [bbogaert] FAILED with error NT_STATUS_UNSUCCESSFUL
[2015/12/03 14:39:19.753777,  2] ../auth/gensec/spnego.c:743(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_UNSUCCESSFUL

On your server run net getdomainsid. This will return the localsid and domainsid. These values should match. If they do not run net setdomainsid to the value of SID for local machine.

root@TheWiggle:~# net getdomainsid
SID for local machine THEWIGGLE is: S-1-5-21-748580849-194208185-3916830000
SID for domain THISDOMAIN is: S-1-5-21-748580849-194208185-3916830000

Now on your LDAP server take the value of SID for domain and make sure this is the value for attribute sambaSID for sambaDomainName=THISDOMAIN.

Also make sure sambaSID and sambaPrimaryGroupID of the users, and sambaSID of the group are composed of the SID for domain and a unique value for attribute.

For example the sambaSID for someuser would be S-1-5-21-748580849-194208185-3916830000-99999 and their sambaPrimaryGroupID would be S-1-5-21-748580849-194208185-3916830000-555. The sambaSID for the group would be S-1-5-21-748580849-194208185-3916830000-77777

Hope this helps!!!

Ldap – CentOS 6 SSSD SSH/Console Login Issues

According to that log, it looks like SSSD's LDAP provider crashed and had to be restarted. That's why you got access-denied.

See specifically:

(Fri Jun 21 22:42:46 2013) [sssd[be[default]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_BIND]
(Fri Jun 21 22:42:46 2013) [sssd[be[default]]] [simple_bind_done] (0x2000): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].

and then it goes to

(Fri Jun 21 22:42:46 2013) [sssd[be[default]]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
(Fri Jun 21 22:42:46 2013) [sssd[be[default]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Fri Jun 21 22:42:46 2013) [sssd[be[default]]] [resolv_get_family_order] (0x1000): Lookup order: ipv4_first

Those lines indicate that the server is starting up again. At a guess, I'd say something went wrong while processing the ldap password policy on the client, since the last thing before it crashed was a reference to the LDAP code for the ldap_pwd_exop.

Check /var/log/messages for indications of a crash and file a bug with CentOS. Ideally, install the debuginfo for the sssd, openldap and ding-libs packages, then attach to the sssd_be process with gdb and get a backtrace of the crash to include in the bug report.

Best Answer

Related Solutions

Linux – Samba standalone server using LDAP for authentication: SID mismatch

Ldap – CentOS 6 SSSD SSH/Console Login Issues

Related Topic