AD new user can't connect

NethServer Version: 7.9.2009
Module: Active Directory local

Hello all,

On an NS7 with a local Active Directory, when I create a new user, everything seems OK at the creation step, but it can’t connect.
It can’t connect to nextcloud, to /user-settings, and other installed applications.

There is a lot of free disk space
the directory /var/lib/nethserver/home is drwxr-xr-x root:root
the directory /var/lib/nethserver/home/mynewusername isn’t created
On the old server-manager I can see the key icon in ‘users and groups’, as if the user were locked. And I do not have the button to modify its status
In cockpit, the new user isn’t locked. I have the button to lock users but this action doesn’t work, users are never locked after I press it.

Here is the log/message after creating ‘newuser’:

Apr 21 09:32:30 myhostname esmith::event[22449]: Event: user-create newuser new user /usr/libexec/openssh/sftp-server
Apr 21 09:32:31 myhostname esmith::event[22449]: User ‘newuser’ added successfully
Apr 21 09:32:31 myhostname esmith::event[22449]: Unix username: newuser
Apr 21 09:32:31 myhostname esmith::event[22449]: [NOTICE] clearing sssd cache for user newuser@mydomain.com
Apr 21 09:32:31 myhostname esmith::event[22512]: Event: password-policy-update newuser no
Apr 21 09:32:31 myhostname esmith::event[22512]: [NOTICE] clearing sssd cache for user newuser@mydomain.com
Apr 21 09:32:31 myhostname esmith::event[22512]: Unix username: newuser
Apr 21 09:32:31 myhostname esmith::event[22826]: Event: password-modify newuser@ /tmp/ng-tO0Fhe
Apr 21 09:32:31 myhostname esmith::event[22826]: [NOTICE] Skipping user newuser@, it doesn’t belong to our domain.
Apr 21 09:32:31 myhostname esmith::event[22826]: [NOTICE] Skipping user newuser@, it doesn’t belong to our domain.
Apr 21 09:34:45 myhostname esmith::event[23389]: Event: user-lock newuser@
Apr 21 09:34:45 myhostname esmith::event[23389]: [NOTICE] Skipping user newuser@, it doesn’t belong to our domain.
Apr 21 09:34:45 myhostname esmith::event[23389]: [NOTICE] clearing sssd cache for user newuser@@mydomain.com

And now, I don’t know what to do… please help me :wink:

Did you remove the domain to hide it or is there no domain? Usually it looks like:

Event: password-modify testuser2@ad.domain.tld

Maybe there is an unwanted special character in the username or password? Please try creating a user with simple name and password.

Let’s also check general AD access:

account-provider-test

hummm yes, it’s probably the way.
I didn’t remove the domain to show the log,
here is a new copy of the log/message from creating a new user:

Apr 21 12:21:31 myhostname esmith::event[24221]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.101473]
Apr 21 12:21:31 myhostname esmith::event[24221]: [NOTICE] clearing sssd cache for user newuser2@mydomain.com
Apr 21 12:21:31 myhostname esmith::event[24221]: No cache object matched the specified search
Apr 21 12:21:31 myhostname esmith::event[24221]: No cache object matched the specified search
Apr 21 12:21:31 myhostname esmith::event[24221]: Action: /etc/e-smith/events/user-create/S90nethserver-sssd-clear-cache SUCCESS [0.012936]
Apr 21 12:21:31 myhostname esmith::event[24221]: Event: user-create SUCCESS
Apr 21 12:21:31 myhostname esmith::event[24284]: Event: password-policy-update newuser2 no
Apr 21 12:21:31 myhostname esmith::event[24284]: [NOTICE] clearing sssd cache for user newuser2@mydomain.com
Apr 21 12:21:31 myhostname esmith::event[24284]: No cache object matched the specified search
Apr 21 12:21:31 myhostname esmith::event[24284]: No cache object matched the specified search
Apr 21 12:21:31 myhostname esmith::event[24284]: Action: /etc/e-smith/events/password-policy-update/S10nethserver-sssd-clear-cache SUCCESS [0.013117]
Apr 21 12:21:31 myhostname esmith::event[24284]: Unix username: newuser2
Apr 21 12:21:31 myhostname esmith::event[24284]: NT username:
Apr 21 12:21:31 myhostname esmith::event[24284]: Account Flags: [UX ]
Apr 21 12:21:31 myhostname esmith::event[24284]: User SID: S-1-5-21-2111352877-3102599041-2665905435-1125
Apr 21 12:21:31 myhostname esmith::event[24284]: Primary Group SID: S-1-5-21-2111352877-3102599041-2665905435-513
Apr 21 12:21:31 myhostname esmith::event[24284]: Full Name: nu2
Apr 21 12:21:31 myhostname esmith::event[24284]: Home Directory:
Apr 21 12:21:31 myhostname esmith::event[24284]: HomeDir Drive: (null)
Apr 21 12:21:31 myhostname esmith::event[24284]: Logon Script:
Apr 21 12:21:31 myhostname esmith::event[24284]: Profile Path:
Apr 21 12:21:31 myhostname esmith::event[24284]: Domain:
Apr 21 12:21:31 myhostname esmith::event[24284]: Account desc:
Apr 21 12:21:31 myhostname esmith::event[24284]: Workstations:
Apr 21 12:21:31 myhostname esmith::event[24284]: Munged dial:
Apr 21 12:21:31 myhostname esmith::event[24284]: Logon time: 0
Apr 21 12:21:31 myhostname esmith::event[24284]: Logoff time: 0
Apr 21 12:21:31 myhostname esmith::event[24284]: Kickoff time: Thu, 14 Sep 30828 04:48:05 CEST
Apr 21 12:21:31 myhostname esmith::event[24284]: Password last set: 0
Apr 21 12:21:31 myhostname esmith::event[24284]: Password can change: 0
Apr 21 12:21:31 myhostname esmith::event[24284]: Password must change: 0
Apr 21 12:21:31 myhostname esmith::event[24284]: Last bad password : 0
Apr 21 12:21:31 myhostname esmith::event[24284]: Bad password count : 0
Apr 21 12:21:31 myhostname esmith::event[24284]: Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Apr 21 12:21:31 myhostname esmith::event[24284]: Action: /etc/e-smith/events/password-policy-update/S30nethserver-dc-password-policy SUCCESS [0.310657]
Apr 21 12:21:31 myhostname esmith::event[24284]: Event: password-policy-update SUCCESS
Apr 21 12:21:32 myhostname esmith::event[24598]: Event: password-modify newuser2@ /tmp/ng-J1Q9xT
Apr 21 12:21:32 myhostname esmith::event[24598]: Action: /etc/e-smith/events/password-modify/S25password-set SUCCESS [0.002298]
Apr 21 12:21:32 myhostname esmith::event[24598]: [NOTICE] Skipping user newuser2@, it doesn’t belong to our domain.
Apr 21 12:21:32 myhostname esmith::event[24598]: Action: /etc/e-smith/events/password-modify/S30nethserver-dc-password-set SUCCESS [0.002324]
Apr 21 12:21:32 myhostname esmith::event[24598]: [NOTICE] Skipping user newuser2@, it doesn’t belong to our domain.
Apr 21 12:21:32 myhostname esmith::event[24598]: Action: /etc/e-smith/events/password-modify/S40nethserver-dc-user-unlock SUCCESS [0.00237]

Please share the result of

config show sssd

Does

account-provider-test dump

work and list the domain values?

[root@myhostname ~]# config show sssd
sssd=service
AdDns=192.168.1.202
BindDN=ldapservice@AD.MYDOMAIN.FR
BindPassword=HIDDEN
DiscoverDcType=ldapuri
LdapURI=ldaps://nsdc-myhostname.ad.mydomain.com.fr
Provider=ad
Realm=AD.MYDOMAIN.FR
ShellOverrideStatus=enabled
Workgroup=MYDOMAIN
status=enabled

[root@myhostname ~]# account-provider-test dump
{
"BindDN" : "ldapservice@AD.MYDOMAIN.FR",
"LdapURI" : "ldaps://nsdc-myhostname.ad.mydomain.fr",
"DiscoverDcType" : "ldapuri",
"StartTls" : "",
"port" : 636,
"host" : "nsdc-myhostname.ad.mydomain.fr",
"isAD" : "1",
"isLdap" : "",
"UserDN" : "dc=ad,dc=mydomain,dc=fr",
"GroupDN" : "dc=ad,dc=mydomain,dc=fr",
"BindPassword" : "HIDDEN",
"BaseDN" : "dc=ad,dc=mydomain,dc=fr",
"LdapUriDn" : "ldap:///dc%3Dad%2Cdc%3Dmydomain%2Cdc%3Dfr"
}

And for account-provider-test, it seems consistent with my domain to me

Does following command work:

id newuser2

yes :

[root@myhostname ~]# id newuser2
uid=183801126(newuser2@mydomain.fr) gid=183800513(domain users@mydomain.fr) groupes=183800513(domain users@mydomain.fr)


The action /etc/e-smith/events/actions/nethserver-dc-password-set seems to fail.

Let’s check domain in hostname config:

hostname -d

it returns mydomain.ext

It should be the same as the one from the logs:

Everything seems to be correct, I’m out of ideas for now…

many thanks for your time and your help @mrmarkuz !

I hope other users could help me with new ideas…


Please try the following commands:

List the user newuser2:

/usr/libexec/nethserver/list-users -s "newuser2@mydomain.com"

Set password for newuser2 manually, replace SECRET with your wanted password:

nsdc-run -e -- /usr/bin/samba-tool user setpassword newuser2 '--newpassword=SECRET'

It returns:

{"newuser2":{"locked":0,"gecos":"nu","expired":0,"groups":,"shell":"/usr/libexec/openssh/sftp-server","new":1,"expires":"no"}}

and youpiiii, now I can connect (nextcloud, sogo, etc.).
It works \o/
Many many many thanks to you!!

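A way to spot the symptom seen in this thread, as an added example that is not part of any post and is not NethServer code: in the logs above, password-modify and user-lock were called with an account ending in a bare "@", the action printed "Skipping user" and still reported SUCCESS, so the password was never set and the lock was never applied. The function name, the reason labels and the sample lines (constructed in the format of the logs above) are assumptions.

```shell
#!/bin/sh
# Added example, not NethServer code. Reads syslog lines on stdin and prints
# "<event> <account> <skip-count> <reason>" for every account an action skipped.
find_skipped_events() {
  awk '
    match($0, /esmith::event\[[0-9]+\]: /) {
      pid = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", pid)
      msg = substr($0, RSTART + RLENGTH)
      if (msg ~ /^Event: [a-z-]+ /) {
        # First line of an event: remember which event this PID is running.
        split(msg, f, " "); event[pid] = f[2]
      } else if (msg ~ /Skipping user .*belong to our domain/) {
        # The action ignored the account but the event still reports SUCCESS.
        acct = substr(msg, index(msg, "Skipping user ") + 14)
        sub(/,.*/, "", acct)
        ev = (pid in event) ? event[pid] : "unknown"
        skipped[ev " " acct]++
      }
    }
    END {
      for (k in skipped) {
        split(k, p, " ")
        # A trailing "@" means the caller passed no domain suffix at all.
        reason = (p[2] ~ /@$/) ? "empty-domain" : "foreign-domain"
        print k, skipped[k], reason
      }
    }
  ' | sort
}

# Constructed sample input, modelled on the log lines quoted in the thread.
sample_log() {
  cat <<'EOF'
Apr 21 12:21:31 myhostname esmith::event[24284]: Event: password-policy-update newuser2 no
Apr 21 12:21:31 myhostname esmith::event[24284]: Event: password-policy-update SUCCESS
Apr 21 12:21:32 myhostname esmith::event[24598]: Event: password-modify newuser2@ /tmp/ng-J1Q9xT
Apr 21 12:21:32 myhostname esmith::event[24598]: [NOTICE] Skipping user newuser2@, it doesn't belong to our domain.
Apr 21 12:21:32 myhostname esmith::event[24598]: Action: /etc/e-smith/events/password-modify/S30nethserver-dc-password-set SUCCESS [0.002324]
Apr 21 12:21:32 myhostname esmith::event[24598]: [NOTICE] Skipping user newuser2@, it doesn't belong to our domain.
Apr 21 12:24:45 myhostname esmith::event[25001]: Event: user-lock newuser2@
Apr 21 12:24:45 myhostname esmith::event[25001]: [NOTICE] Skipping user newuser2@, it doesn't belong to our domain.
EOF
}

sample_log | find_skipped_events
```

On a live server, run `find_skipped_events < /var/log/messages` instead of the sample; any user-lock row in the output is a lock request that was not applied.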