alfred
(sb)
1
NethServer Version: 7.3.1611 (Final)
Module: Server Manager
I’ve been using Server Manager with no issues, but suddenly, the user that I created for management has a restricted view. This is the log:
may 23 09:58:46 groupware-test.example.local sudo[13635]: srvmgr : TTY=unknown ; PWD=/usr/share/nethesis/nethserver-manager ; USER=root ; COMMAND=/sbin/e-smith/pam-authenticate-pw
may 23 09:58:47 groupware-test.example.local perl[13636]: pam_sss(system-auth:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=neth.admin
may 23 09:58:47 groupware-test.example.local sudo[13640]: srvmgr : TTY=unknown ; PWD=/usr/share/nethesis/nethserver-manager ; USER=root ; COMMAND=/sbin/e-smith/db configuration getprop admins group
may 23 09:58:47 groupware-test.example.local sssd_be[1059]: GSSAPI client step 1
may 23 09:58:47 groupware-test.example.local sssd_be[1059]: GSSAPI client step 1
may 23 09:58:47 groupware-test.example.local sssd_be[1059]: GSSAPI client step 1
may 23 09:58:47 groupware-test.example.local sssd_be[1059]: GSSAPI client step 2
may 23 09:58:47 groupware-test.example.local sssd_be[1059]: GSSAPI client step 1
may 23 09:58:47 groupware-test.example.local sssd_be[1059]: GSSAPI client step 1
may 23 09:58:47 groupware-test.example.local sssd_be[1059]: GSSAPI client step 1
may 23 09:58:47 groupware-test.example.local sssd_be[1059]: GSSAPI client step 2
may 23 09:58:47 groupware-test.example.local httpd[13218]: [NOTICE] Nethgui\Authorization\User: user `neth.admin` authenticated
And the display:
About the management user:
getent passwd neth.admin
neth.admin:*:953801272:953800513:Neth Admin:/var/lib/nethserver/home/neth.admin:/usr/libexec/openssh/sftp-server
I can log as root, but I prefer to log as non-root user…
Any ideas?
davidep
(Davide Principi)
2
Is neth.admin member of domain admins?
alfred
(sb)
3
AFAIK yes he is:
uid=953801272(neth.admin) gid=953800513(Domain Users@example.local) grupos=953800513(Domain Users@example.local),953800512(Domain Admins@example.local),953800572(Denied RODC Password Replication Group@example.local)
davidep
(Davide Principi)
4
Did you try to logout/login again?
alfred
(sb)
5
Yes, of course I did many times 
davidep
(Davide Principi)
6
Your group names have upper case letters (it should not happen AFAIK). I guess it’s id output.
What is the nethserver-sssd version?
rpm -q nethserver-sssd
Try to logout, clear sssd cache
sss_cache -E
and login again
alfred
(sb)
7
I did it as you suggest, but the error remains 
About sssd version:
rpm -q sssd
sssd-1.14.0-43.el7_3.14.x86_64
Thanks in advance
davidep
(Davide Principi)
8
Could you attach sssd.conf contents?
cat /etc/sssd/sssd.conf
alfred
(sb)
9
@davidep yes, I could 
[sssd]
domains = example.local, legacy
config_file_version = 2
services = nss, pam
[domain/example.local]
use_fully_qualified_names = True
id_provider = ad
access_provider = ad
ad_domain = example.local
krb5_realm = EXAMPLE.LOCAL
krb5_store_password_if_offline = True
ldap_id_mapping = True
ad_maximum_machine_account_password_age = 0
cache_credentials = True
override_homedir = /var/lib/nethserver/home/%u
default_shell = /usr/libexec/openssh/sftp-server
realmd_tags = manages-system joined-with-samba
[domain/legacy]
use_fully_qualified_names = False
id_provider = ad
access_provider = ad
ad_domain = example.local
krb5_realm = EXAMPLE.LOCAL
krb5_store_password_if_offline = True
ldap_id_mapping = True
ad_maximum_machine_account_password_age = 0
cache_credentials = True
override_homedir = /var/lib/nethserver/home/%u
default_shell = /usr/libexec/openssh/sftp-server
[nss]
TIA
davidep
(Davide Principi)
10
Looks like nethserver-sssd is not at latest version. Try to run
yum update
The output of id neth.admin should be lower case.
alfred
(sb)
11
@davidep yay! I’ve just updated only nethserver-sssd.noarch (also installed openldap by dependency), logout and login and now it works!
But I wonder if it was the upgrade or the service restart… because changelog is:
* lun may 22 2017 Giacomo Sanchietti <giacomo.sanchietti@nethesis.it> - 1.2.1-1
- Default userPrincipalName is not an email address - Bug NethServer/dev#5284
* mié may 10 2017 Giacomo Sanchietti <giacomo.sanchietti@nethesis.it> - 1.2.0-1
- Account provider: allow reset of local providers - NethServer/dev#5252
- Accounts provider guided configuration - NethServer/dev#5253
- Upgrade from NS 6 via backup and restore - NethServer/dev#5234
* lun mar 06 2017 Giacomo Sanchietti <giacomo.sanchietti@nethesis.it> - 1.1.9-1
- LDAP users not listed with remote accounts provider - Bug NethServer/dev#5229
Does any of these issues have to do with the problem?
davidep
(Davide Principi)
12
openldap-clients, I suppose 
The “legacy” domain has been dropped here one month ago:
Issue was “Upgrade from NS 6 via backup and restore #5234”
I don’t know why your glibc/nss/sssd configuration was returning group names with upper-case characters. I never observed it before.
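Added example, not part of the original thread and not NethServer code: a shell check that reports whether an expected admin group name appears in `id` output exactly, only with different letter case (the symptom discussed above), or not at all. The function names and the expected lower-case name `domain admins@example.local` are assumptions; the first sample line is the `id` output posted in the thread, the second is constructed.

```shell
#!/bin/sh
# Classify how an expected group name appears in one line of `id` output.
# Result: match | case-mismatch | absent

# `id` output as posted in the thread (upper-case group names).
ID_UPPER='uid=953801272(neth.admin) gid=953800513(Domain Users@example.local) grupos=953800513(Domain Users@example.local),953800512(Domain Admins@example.local),953800572(Denied RODC Password Replication Group@example.local)'
# Constructed sample: the same groups as they would look in lower case.
ID_LOWER='uid=953801272(neth.admin) gid=953800513(domain users@example.local) grupos=953800513(domain users@example.local),953800512(domain admins@example.local)'
# Assumed expected name (hypothetical; adjust to the configured admins group).
WANTED='domain admins@example.local'

# Print one group name per line. The label before the group list depends on
# the locale ("groups=", "grupos="), so it is matched by position, not by name.
id_groups() {
    printf '%s\n' "$1" |
        sed -e 's/^uid=[^ ]* gid=[0-9]*([^)]*) [^=]*=//' |
        tr ',' '\n' |
        sed -e 's/^[0-9]*(\(.*\))$/\1/'
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

check_admin_group() {
    id_line=$1
    wanted=$2
    wanted_lc=$(lower "$wanted")
    result=absent
    # The here-document keeps the loop in the current shell so $result survives.
    while IFS= read -r grp; do
        if [ "$grp" = "$wanted" ]; then
            result=match
            break
        elif [ "$(lower "$grp")" = "$wanted_lc" ]; then
            result=case-mismatch
        fi
    done <<EOF
$(id_groups "$id_line")
EOF
    printf '%s\n' "$result"
}

echo "thread sample:      $(check_admin_group "$ID_UPPER" "$WANTED")"
echo "constructed sample: $(check_admin_group "$ID_LOWER" "$WANTED")"
```

On a live host, pass `"$(id neth.admin)"` as the first argument instead of the embedded samples.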