Ldap – sssd can’t save user. Missing uid

Tags: active-directory, debian-wheezy, ldap, sssd

I am trying to sync my Debian server using sssd.

When I run getent passwd username@domain, the user is not returned. The log says it's because I am missing a uid from the LDAP lookup. However, I was under the clear impression that I didn't need it when setting ldap_id_mapping = true.

The full log for the event is:

(Mon Jan 26 17:39:13 2015) [sssd[be[thecompany.dk]]] [sdap_save_user] (0x0020): no uid provided for [nmw] in domain [netdesign.dk].
(Mon Jan 26 17:39:13 2015) [sssd[be[thecompany.dk]]] [sdap_save_user] (0x0040): Failed to save user [somedude]
(Mon Jan 26 17:39:13 2015) [sssd[be[thecompany.dk]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
(Mon Jan 26 17:39:13 2015) [sssd[be[thecompany.dk]]] [sdap_save_users] (0x0040): Failed to check aliases for user 0. Ignoring.

The settings file is:

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = companyName.dk

[domain/companyName.dk]
#With this as false, a simple "getent passwd" for testing won't work. You must do getent passwd user@domain.com
enumerate = false
cache_credentials = true
debug_level = 3
ldap_id_mapping = true


id_provider = ldap
access_provider = ldap
auth_provider = krb5
chpass_provider = krb5

ldap_uri = ldaps://172.23.1.41:636,ldaps://172.23.1.42:636
ldap_search_base = ou=companyname,dc=companyName,dc=dk
#ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

#This parameter requires that the DC present a completely validated certificate chain. If you're testing or don't care, use 'allow' or 'never'.
ldap_tls_reqcert = allow

krb5_realm = COMPANYNAME.DK
dns_discovery_domain = COMPANYNAME.DK

#ldap_schema = rfc2307bis
ldap_schema = ad
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

ldap_user_search_base = ou=Users,ou=companyName,dc=companyName,dc=dk
ldap_group_search_base = ou=Roles,ou=Security Groups,ou=companyName,dc=companyName,dc=dk
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_fullname = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName

fallback_homedir = /home/%d/%u
shell_fallback = /bin/bash

#Bind credentials
ldap_default_bind_dn = cn=user,ou=Service,ou=Misc accounts,ou=companyName,dc=companyName,dc=dk
ldap_default_authtok = 1nc0gn370

Packages installed are

sssd libpam-sss libnss-sss

What exactly am I doing wrong here?

EDIT/NEW:

I tried changing the debug level to 7 and setting 'id_provider' and 'access_provider' to 'ad'.

This is the resulting log:

(Tue Jan 27 09:44:00 2015) [sssd[be[companyName.dk]]] [sdap_id_conn_data_expire_handler] (0x0080): connection is about to expire, releasing it
(Tue Jan 27 09:44:41 2015) [sssd[be[companyName.dk]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Tue Jan 27 09:44:41 2015) [sssd[be[companyName.dk]]] [be_client_destructor] (0x0400): Removed PAM client
(Tue Jan 27 09:44:41 2015) [sssd[be[companyName.dk]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Tue Jan 27 09:44:41 2015) [sssd[be[companyName.dk]]] [be_client_destructor] (0x0400): Removed NSS client
(Tue Jan 27 09:44:41 2015) [sssd[be[companyName.dk]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kdcinfo.companyName.DK], [2][No such file or directory]
(Tue Jan 27 09:44:41 2015) [sssd[be[companyName.dk]]] [remove_krb5_info_files] (0x0200): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.companyName.DK], [2][No such file or directory]
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [resolv_get_family_order] (0x1000): Lookup order: ipv4_first
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [fo_context_init] (0x0080): Created new fail over context, retry timeout is 30
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [confdb_get_domain_internal] (0x0020): No enumeration for [companyName.dk]!
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sysdb_domain_init_internal] (0x0200): DB File for companyName.dk: /var/lib/sss/db/cache_companyName.dk.ldb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sbus_init_connection] (0x0200): Adding connection 1911E20
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_companyName.dk,1)
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [create_socket_symlink] (0x1000): Symlinking the dbus path /var/lib/sss/pipes/private/sbus-dp_companyName.dk.3731 to a link /var/lib/sss/pipes/private/sbus-dp_companyName.dk
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sbus_new_server] (0x0080): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_companyName.dk.3731,guid=cb367efaa8d3c54884cd2f9454c74ffb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [load_backend_module] (0x1000): Loading backend [ad] with path [/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so].
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [load_backend_module] (0x0010): Unable to load ad module with path (/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so), error: /usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so: cannot open shared object file: No such file or directory
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [be_process_init] (0x0010): fatal error initializing data providers
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [main] (0x0010): Could not initialize backend [79]
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [resolv_get_family_order] (0x1000): Lookup order: ipv4_first
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [fo_context_init] (0x0080): Created new fail over context, retry timeout is 30
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [confdb_get_domain_internal] (0x0020): No enumeration for [companyName.dk]!
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sysdb_domain_init_internal] (0x0200): DB File for companyName.dk: /var/lib/sss/db/cache_companyName.dk.ldb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sbus_init_connection] (0x0200): Adding connection 878E20
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_companyName.dk,1)
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [create_socket_symlink] (0x1000): Symlinking the dbus path /var/lib/sss/pipes/private/sbus-dp_companyName.dk.3732 to a link /var/lib/sss/pipes/private/sbus-dp_companyName.dk
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sbus_new_server] (0x0080): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_companyName.dk.3732,guid=76e5c03e58d9e5107828a0fc54c74ffb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [load_backend_module] (0x1000): Loading backend [ad] with path [/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so].
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [load_backend_module] (0x0010): Unable to load ad module with path (/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so), error: /usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so: cannot open shared object file: No such file or directory
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [be_process_init] (0x0010): fatal error initializing data providers
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [main] (0x0010): Could not initialize backend [79]
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [resolv_get_family_order] (0x1000): Lookup order: ipv4_first
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [fo_context_init] (0x0080): Created new fail over context, retry timeout is 30
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [confdb_get_domain_internal] (0x0020): No enumeration for [companyName.dk]!
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sysdb_domain_init_internal] (0x0200): DB File for companyName.dk: /var/lib/sss/db/cache_companyName.dk.ldb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sbus_init_connection] (0x0200): Adding connection 99CE20
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_companyName.dk,1)
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [create_socket_symlink] (0x1000): Symlinking the dbus path /var/lib/sss/pipes/private/sbus-dp_companyName.dk.3733 to a link /var/lib/sss/pipes/private/sbus-dp_companyName.dk
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sbus_new_server] (0x0080): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_companyName.dk.3733,guid=1e822671b672f1c8f023390554c74ffb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [load_backend_module] (0x1000): Loading backend [ad] with path [/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so].
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [load_backend_module] (0x0010): Unable to load ad module with path (/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so), error: /usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so: cannot open shared object file: No such file or directory
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [be_process_init] (0x0010): fatal error initializing data providers
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [main] (0x0010): Could not initialize backend [79]
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [server_setup] (0x0080): CONFDB: /var/lib/sss/db/config.ldb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [resolv_get_family_order] (0x1000): Lookup order: ipv4_first
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [fo_context_init] (0x0080): Created new fail over context, retry timeout is 30
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [confdb_get_domain_internal] (0x0020): No enumeration for [companyName.dk]!
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sysdb_domain_init_internal] (0x0200): DB File for companyName.dk: /var/lib/sss/db/cache_companyName.dk.ldb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sbus_init_connection] (0x0200): Adding connection BC2E20
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_companyName.dk,1)
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [create_socket_symlink] (0x1000): Symlinking the dbus path /var/lib/sss/pipes/private/sbus-dp_companyName.dk.3734 to a link /var/lib/sss/pipes/private/sbus-dp_companyName.dk
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [sbus_new_server] (0x0080): D-BUS Server listening on unix:path=/var/lib/sss/pipes/private/sbus-dp_companyName.dk.3734,guid=58592e3c74d2a142966a571654c74ffb
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [load_backend_module] (0x1000): Loading backend [ad] with path [/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so].
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [load_backend_module] (0x0010): Unable to load ad module with path (/usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so), error: /usr/lib/x86_64-linux-gnu/sssd/libsss_ad.so: cannot open shared object file: No such file or directory
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [be_process_init] (0x0010): fatal error initializing data providers
(Tue Jan 27 09:44:43 2015) [sssd[be[companyName.dk]]] [main] (0x0010): Could not initialize backend [79]

I assume the libsss_ad.so file should be here, but it isn't.

user@server:/usr/lib/x86_64-linux-gnu/sssd$ ls -l
total 3868
-rw-r--r-- 1 root root 1405048 Mar  4  2013 libsss_ipa.so
-rw-r--r-- 1 root root  585784 Mar  4  2013 libsss_krb5.so
-rw-r--r-- 1 root root 1081880 Mar  4  2013 libsss_ldap.so
-rw-r--r-- 1 root root  479160 Mar  4  2013 libsss_proxy.so
-rw-r--r-- 1 root root  389400 Mar  4  2013 libsss_simple.so
drwxr-xr-x 2 root root    4096 Jan 26 15:05 modules

Is the sssd_ad module not included in the Debian stable dist?

Best Answer

First, you didn't say which SSSD version you're using. Given that you say it's "Debian stable", I presume 1.8.x. That version doesn't support ID mapping, sorry.

The more involved answer is that SSSD serves POSIX users and requires that the users have an ID number. The ID number can either be an attribute of the user entry itself (uidNumber typically) or can be inferred from the Windows SID. The latter is what you were trying to do with ldap_id_mapping=True, but that functionality was only implemented in 1.9 and later.

I guess you can use Winbind for now even on Debian stable.
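To make the answer's two ID sources concrete, here is an added Python example (not from the question, the answer, or SSSD itself) that decodes an AD objectSid, splits off the RID, and computes the uid that SID-based ID mapping assigns as range_min + slice * range_size + RID, falling back to uidNumber when mapping is unavailable and returning None in the "no uid provided" case. The slice index is passed in rather than derived from SSSD's hash of the domain SID, and the range defaults, the sample SID and the function names are assumptions/constructed.

```python
import struct

# sssd defaults for ldap_idmap_range_min / ldap_idmap_range_size (assumed here)
IDMAP_RANGE_MIN = 200000
IDMAP_RANGE_SIZE = 200000

def sid_to_string(blob: bytes) -> str:
    """Decode AD's binary objectSid into the familiar S-1-5-21-... form."""
    rev, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("truncated objectSid")
    authority = int.from_bytes(blob[2:8], "big")         # 48-bit big-endian
    subs = struct.unpack("<%dI" % count, blob[8:])       # 32-bit little-endian each
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))

def split_sid(sid: str):
    """Domain SID (everything but the last component) and the RID."""
    dom, _, rid = sid.rpartition("-")
    return dom, int(rid)

def mapped_uid(rid: int, slice_index: int,
               range_min=IDMAP_RANGE_MIN, range_size=IDMAP_RANGE_SIZE) -> int:
    """uid = range_min + slice * range_size + RID; the slice is per domain SID."""
    if rid >= range_size:
        raise ValueError("RID %d does not fit in a slice of %d" % (rid, range_size))
    return range_min + slice_index * range_size + rid

def posix_uid(entry: dict, sssd_supports_idmap: bool, id_mapping: bool,
              slice_index: int = 0):
    """The uid SSSD would store for an entry, or None: the 'no uid provided' case."""
    if id_mapping and sssd_supports_idmap and "objectSid" in entry:
        _, rid = split_sid(sid_to_string(entry["objectSid"]))
        return mapped_uid(rid, slice_index)
    if "uidNumber" in entry:   # without ID-mapping support only uidNumber can supply it
        return int(entry["uidNumber"])
    return None

# Constructed objectSid for S-1-5-21-1-2-3-1105: revision 1, 5 sub-authorities
SAMPLE_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1, 2, 3, 1105)

if __name__ == "__main__":
    print(sid_to_string(SAMPLE_SID))
    print(posix_uid({"objectSid": SAMPLE_SID}, sssd_supports_idmap=False, id_mapping=True))
    print(posix_uid({"objectSid": SAMPLE_SID}, sssd_supports_idmap=True, id_mapping=True))
```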