
I am struggling with making sssd use LDAP users to log in on my Linux server (Oracle Linux 8.9, basically identical to RHEL, but free).

Goal

Using the users (e.g. "John") that exist on the LDAP server (Microsoft AD DC) to log in on my Linux server.

Current Errors

Whenever I enter the command "id John" or "su - John" I receive the error "no such user".

Strangely, none of my sssd logs are showing anything. The logs themselves are working, because I had other issues before (e.g. "Port working, but In order to perform this operation a successful bind must be completed on the connection"), but I managed to solve all these problems using the logs.

But currently, nothing new gets printed to the logs, no matter whether I use "id" or "su".

What is working

"ldapsearch" is working perfectly fine and prints out my LDAP tree, including "John":

    ldapsearch -D "CN=mybind,OU=myunit,DC=my,DC=domain,DC=com" -W

Right now I really do not have any idea anymore why it is not working. I double- and triple-checked all IPs etc. In my opinion it should work, or at least give me usable logs. Any help is appreciated.

/etc/openldap/ldap.conf

    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.

    BASE    DC=my,DC=domain,DC=com
    URI     ldaps://dc.my.domain.com:636

    TLS_CACERT    /etc/openldap/cacerts/ca.cert.pem
    TLS_CACERTDIR /etc/openldap/cacerts

    #SIZELIMIT      12
    #TIMELIMIT      15
    #DEREF          never

    # When no CA certificates are specified the Shared System Certificates
    # are in use. In order to have these available along with the ones specified
    # by TLS_CACERTDIR one has to include them explicitly:
    #TLS_CACERT     /etc/pki/tls/cert.pem

    # System-wide Crypto Policies provide up to date cipher suite which should
    # be used unless one needs a finer grinded selection of ciphers. Hence, the
    # PROFILE=SYSTEM value represents the default behavior which is in place
    # when no explicit setting is used. (see openssl-ciphers(1) for more info)
    #TLS_CIPHER_SUITE PROFILE=SYSTEM

    # Turning this off breaks GSSAPI used with krb5 when rdns = false
    #SASL_NOCANON   on

/etc/sssd/sssd.conf

    [sssd]
    config_file_version = 2
    services = nss, pam, autofs
    domains = default

    [nss]
    homedir_substring = /export/home

    [pam]

    [domain/default]
    id_provider = ldap
    autofs_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    ldap_schema = AD
    ldap_uri = ldaps://dc.my.domain.com:636
    ldap_chpass_uri = ldaps://dc.my.domain.com:636
    ldap_search_base = DC=my,DC=domain,DC=com
    ldap_id_use_start_tls = False
    ldap_tls_cacertdir = /etc/openldap/cacerts
    ldap_tls_reqcert = demand
    cache_credentials = False
    entry_cache_timeout = 600
    ldap_network_timeout = 3
    ldap_connection_expire_timeout = 60
    ldap_default_bind_dn = CN=mybind,OU=myunit,DC=my,DC=domain,DC=com
    ldap_default_authtok = mypassword

/etc/nsswitch.conf

    # Generated by authselect on Tue May 7 10:30:31 2024
    # Do not modify this file manually.

    # If you want to make changes to nsswitch.conf please modify
    # /etc/authselect/user-nsswitch.conf and run 'authselect apply-changes'.
    #
    # Note that your changes may not be applied as they may be
    # overwritten by selected profile. Maps set in the authselect
    # profile takes always precedence and overwrites the same maps
    # set in the user file. Only maps that are not set by the profile
    # are applied from the user file.
    #
    # For example, if the profile sets:
    #     passwd: sss files
    # and /etc/authselect/user-nsswitch.conf contains:
    #     passwd: files
    #     hosts: files dns
    # the resulting generated nsswitch.conf will be:
    #     passwd: sss files    # from profile
    #     hosts: files dns     # from user file

    passwd:     files sss systemd
    group:      files sss systemd
    netgroup:   sss files
    automount:  sss files
    services:   sss files

    # Included from /etc/authselect/user-nsswitch.conf
    #
    # /etc/nsswitch.conf
    #
    # Name Service Switch config file. This file should be
    # sorted with the most-used services at the beginning.
    #
    # Valid databases are: aliases, ethers, group, gshadow, hosts,
    # initgroups, netgroup, networks, passwd, protocols, publickey,
    # rpc, services, and shadow.
    #
    # Valid service provider entries include (in alphabetical order):
    #
    #   compat                  Use /etc files plus *_compat pseudo-db
    #   db                      Use the pre-processed /var/db files
    #   dns                     Use DNS (Domain Name Service)
    #   files                   Use the local files in /etc
    #   hesiod                  Use Hesiod (DNS) for user lookups
    #   nis                     Use NIS (NIS version 2), also called YP
    #   nisplus                 Use NIS+ (NIS version 3)
    #
    # See `info libc 'NSS Basics'` for more information.
    #
    # Commonly used alternative service providers (may need installation):
    #
    #   ldap                    Use LDAP directory server
    #   myhostname              Use systemd host names
    #   mymachines              Use systemd machine names
    #   mdns*, mdns*_minimal    Use Avahi mDNS/DNS-SD
    #   resolve                 Use systemd resolved resolver
    #   sss                     Use System Security Services Daemon (sssd)
    #   systemd                 Use systemd for dynamic user option
    #   winbind                 Use Samba winbind support
    #   wins                    Use Samba wins support
    #   wrapper                 Use wrapper module for testing
    #
    # Notes:
    #
    #
    # WARNING: Running nscd with a secondary caching service like sssd may
    #          lead to unexpected behaviour, especially with how long
    #          entries are cached.
    #
    # Installation instructions:
    #
    # To use 'db', install the appropriate package(s) (provide 'makedb' and
    # libnss_db.so.*), and place the 'db' in front of 'files' for entries
    # you want to be looked up first in the databases, like this:
    #
    # passwd:    db files
    # shadow:    db files
    # group:     db files

    # In order of likelihood of use to accelerate lookup.
    shadow:     files sss
    hosts:      files dns myhostname
    aliases:    files
    ethers:     files
    gshadow:    files
    # Allow initgroups to default to the setting for group.
    # initgroups: files
    networks:   files dns
    protocols:  files
    publickey:  files
    rpc:        files

Update

sssd_default.log with debug_level 6:

    (2024-05-08 7:59:45): [be[default]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=John@default]
    (2024-05-08 7:59:45): [be[default]] [dp_attach_req] (0x0400): [RID#6] DP Request [Account #6]: REQ_TRACE: New request. [sssd.nss CID #2] Flags [0x0001].
    (2024-05-08 7:59:45): [be[default]] [dp_attach_req] (0x0400): [RID#6] Number of active DP request: 1
    (2024-05-08 7:59:45): [be[default]] [sdap_search_user_next_base] (0x0400): [RID#6] Searching for users with base [dc=my,dc=domain,dc=com]
    (2024-05-08 7:59:45): [be[default]] [sdap_get_generic_ext_step] (0x0400): [RID#6] calling ldap_search_ext with [(&(sAMAccountName=John)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=my,dc=domain,dc=com].
    (2024-05-08 7:59:45): [be[default]] [sdap_get_generic_op_finished] (0x0400): [RID#6] Search result: Success(0), no errmsg set
    (2024-05-08 7:59:45): [be[default]] [sdap_search_user_process] (0x0400): [RID#6] Search for users, returned 0 results.
    (2024-05-08 7:59:45): [be[default]] [sysdb_search_by_name] (0x0400): [RID#6] No such entry
    (2024-05-08 7:59:45): [be[default]] [sysdb_delete_user] (0x0400): [RID#6] Error: 2 (No such file or directory)
    (2024-05-08 7:59:45): [be[default]] [dp_req_done] (0x0400): [RID#6] DP Request [Account #6]: Request handler finished [0]: Success
    (2024-05-08 7:59:45): [be[default]] [_dp_req_recv] (0x0400): [RID#6] DP Request [Account #6]: Receiving request data.
    (2024-05-08 7:59:45): [be[default]] [dp_req_destructor] (0x0400): [RID#6] DP Request [Account #6]: Request removed.
    (2024-05-08 7:59:45): [be[default]] [dp_req_destructor] (0x0400): [RID#6] Number of active DP request: 0
    (2024-05-08 7:59:45): [be[default]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.getAccountInfo: Success
    (2024-05-08 7:59:45): [be[default]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][idnumber=John]
    (2024-05-08 7:59:45): [be[default]] [dp_attach_req] (0x0400): [RID#7] DP Request [Account #7]: REQ_TRACE: New request. [sssd.nss CID #2] Flags [0x0001].
    (2024-05-08 7:59:45): [be[default]] [dp_attach_req] (0x0400): [RID#7] Number of active DP request: 1
    (2024-05-08 7:59:45): [be[default]] [sdap_search_user_next_base] (0x0400): [RID#7] Searching for users with base [dc=my,dc=domain,dc=com]
    (2024-05-08 7:59:45): [be[default]] [sdap_get_generic_ext_step] (0x0400): [RID#7] calling ldap_search_ext with [(&(uidNumber=John)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=my,dc=domain,dc=com].
    (2024-05-08 7:59:45): [be[default]] [sdap_get_generic_op_finished] (0x0400): [RID#7] Search result: Success(0), no errmsg set
    (2024-05-08 7:59:45): [be[default]] [sdap_search_user_process] (0x0400): [RID#7] Search for users, returned 0 results.
    (2024-05-08 7:59:45): [be[default]] [sysdb_search_user_by_uid] (0x0400): [RID#7] No such entry
    (2024-05-08 7:59:45): [be[default]] [sysdb_delete_user] (0x0400): [RID#7] Error: 2 (No such file or directory)
    (2024-05-08 7:59:45): [be[default]] [dp_req_done] (0x0400): [RID#7] DP Request [Account #7]: Request handler finished [0]: Success
    (2024-05-08 7:59:45): [be[default]] [_dp_req_recv] (0x0400): [RID#7] DP Request [Account #7]: Receiving request data.
    (2024-05-08 7:59:45): [be[default]] [dp_req_destructor] (0x0400): [RID#7] DP Request [Account #7]: Request removed.
    (2024-05-08 7:59:45): [be[default]] [dp_req_destructor] (0x0400): [RID#7] Number of active DP request: 0
    (2024-05-08 7:59:45): [be[default]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.getAccountInfo: Success
  • If your authentication service is AD why are you using the LDAP connector rather than the AD one? Commented May 7, 2024 at 14:57
  • Because that would require an AD join with realmd, no? And our Windows administrators do not want to have Linux servers appearing in the domain tree (don't ask me why, it was a discussion I could not win). But using LDAP should work, since I have a running instance of NetBox on the given server, which is using LDAP to authenticate the web application users. Using the same parameters for NetBox as I did for sssd is working perfectly, but I don't get why it isn't working for sssd. Commented May 7, 2024 at 17:13
  • Thanks. Really helpful to understand why you weren't taking the "obvious" route Commented May 7, 2024 at 17:33

1 Answer


Looking at the log files with debug_level = 6 enabled, it's evident that the LDAP query is being performed but no results are returned:

    [RID#6] Searching for users with base [dc=my,dc=domain,dc=com]
    [RID#6] calling ldap_search_ext with [(&(sAMAccountName=John)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=my,dc=domain,dc=com].
    [RID#6] Search result: Success(0), no errmsg set
    [RID#6] Search for users, returned 0 results.

The issue here turns out to be that the uidNumber value is not populated in the Active Directory (AD/LDAP) source. The correct solution here is to ensure that the UID and GID are derived from the AD SID value:

    ldap_id_mapping = true
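To see what `ldap_id_mapping = true` actually does with a user that has no `uidNumber`, here is the SID-to-UID algorithm reimplemented as an added example (my own code, not SSSD's and not from the answer above). It assumes the default `ldap_idmap_range_min`/`_max`/`_size` from sssd-ldap(5), that SSSD selects a domain's slice by MurmurHash3-hashing the domain SID with seed 0xdeadbeef, and a constructed sample objectSid; slice collision handling in the real daemon is not modelled.

```python
# Defaults from sssd-ldap(5): ldap_idmap_range_min, _range_max, _range_size.
RANGE_MIN, RANGE_MAX, RANGE_SIZE = 200000, 2000200000, 200000
MASK = 0xFFFFFFFF


def murmurhash3_32(data: bytes, seed: int) -> int:
    """MurmurHash3 x86_32; SSSD uses it to pick a domain's ID slice."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK
    nblocks = len(data) // 4
    for i in range(nblocks):                      # 4-byte body blocks
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & MASK
        k = ((k << 15) | (k >> 17)) & MASK
        k = (k * c2) & MASK
        h ^= k
        h = ((h << 13) | (h >> 19)) & MASK
        h = (h * 5 + 0xE6546B64) & MASK
    tail, k = data[4 * nblocks:], 0
    for i, byte in enumerate(tail):               # 1-3 leftover bytes
        k ^= byte << (8 * i)
    if tail:
        k = (k * c1) & MASK
        k = ((k << 15) | (k >> 17)) & MASK
        h ^= (k * c2) & MASK
    h ^= len(data)                                # finalisation mix
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK
    return h ^ (h >> 16)


def sid_to_uid(sid: str) -> tuple[str, int, int]:
    """Return (domain SID, slice number, UID) for an AD objectSid string."""
    domain_sid, _, rid_str = sid.rpartition("-")
    rid = int(rid_str)
    if rid >= RANGE_SIZE:
        raise ValueError(f"RID {rid} exceeds slice size {RANGE_SIZE}")
    max_slices = (RANGE_MAX - RANGE_MIN) // RANGE_SIZE        # 10000
    # Assumed SSSD behaviour: hash the domain SID (seed 0xdeadbeef) to choose
    # a slice; the daemon's slice collision handling is not modelled here.
    slice_no = murmurhash3_32(domain_sid.encode(), 0xDEADBEEF) % max_slices
    return domain_sid, slice_no, RANGE_MIN + slice_no * RANGE_SIZE + rid


if __name__ == "__main__":
    # Constructed sample objectSid, not from a real domain.
    print(sid_to_uid("S-1-5-21-3623811015-3361044348-30300820-1013"))
```

Every account in the same domain lands in the same 200000-wide slice, so the UID SSSD reports is stable across hosts with identical range settings, which is what makes ID mapping usable without populating POSIX attributes in AD.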
