Account provider generic error: SSSD exit code 1

accounts-provider
v7

#1

I updated a production server and was presented with a red banner for my trouble.

“Account provider generic error: SSSD exit code 1”

Dashboard shows 7.4.1708.

/messages

Oct 28 16:48:21 server7c [sssd[ldap_child[17207]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Cannot contact any KDC for realm 'burbledo.COM'. Unable to create GSSAPI-encrypted LDAP connection.
Oct 28 16:48:21 server7c [sssd[ldap_child[17207]]]: Cannot contact any KDC for realm 'burbledo.COM'
Oct 28 16:48:22 server7c logger: Shorewall reloaded
Oct 28 16:48:22 server7c esmith::event[17079]: [NOTICE] Shorewall restart
Oct 28 16:48:22 server7c esmith::event[17079]: Action: /etc/e-smith/events/nethserver-firewall-base-save/S89nethserver-shorewall-restart SUCCESS [4.233884]
Oct 28 16:48:22 server7c systemd: Reloading.
Oct 28 16:48:22 server7c esmith::event[17079]: [INFO] service lsm is disabled: skipped
Oct 28 16:48:22 server7c esmith::event[17079]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.422545]
Oct 28 16:48:22 server7c esmith::event[17079]: Event: nethserver-firewall-base-save SUCCESS
Oct 28 16:48:22 server7c esmith::event[17078]: Action: /etc/e-smith/events/firewall-adjust/S20firewall-adjust SUCCESS [6.719383]
Oct 28 16:48:22 server7c esmith::event[17078]: Event: firewall-adjust SUCCESS
Oct 28 16:48:57 server7c httpd: [EXCEPTION] RuntimeException 1405610072: Nethgui\Model\SystemTasks: Socket read error (in /usr/share/nethesis/Nethgui/Model/SystemTasks.php:166)
Oct 28 16:49:04 server7c [sssd[ldap_child[17304]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Cannot contact any KDC for realm 'burbledo.COM'. Unable to create GSSAPI-encrypted LDAP connection.
Oct 28 16:49:04 server7c [sssd[ldap_child[17304]]]: Cannot contact any KDC for realm 'burbledo.COM'
Oct 28 16:49:27 server7c admin-todos: [ERROR] admin-todos: /etc/nethserver/todos.d/20admin-user exit code 9
Oct 28 16:49:36 server7c httpd: [ERROR] NethServer\Tool\GroupProvider: Account provider generic error: SSSD exit code 1
Oct 28 16:49:36 server7c httpd: [ERROR] (1) SASL:[GSSAPI]: Failed to start authentication backend: NT_STATUS_INTERNAL_ERROR at /usr/share/perl5/vendor_perl/NethServer/LdapClient.pm line 126.
Oct 28 16:49:38 server7c sshd[17431]: Did not receive identification string from 192.168.124.107 port 51649
Oct 28 16:49:38 server7c [sssd[ldap_child[17438]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Cannot contact any KDC for realm 'burbledo.COM'. Unable to create GSSAPI-encrypted LDAP connection.
Oct 28 16:49:38 server7c [sssd[ldap_child[17438]]]: Cannot contact any KDC for realm 'burbledo.COM'
Oct 28 16:49:39 server7c admin-todos: (1) SASL:[GSSAPI]: Failed to start authentication backend: NT_STATUS_INTERNAL_ERROR at /usr/share/perl5/vendor_perl/NethServer/LdapClient.pm line 126.
Oct 28 16:50:21 server7c httpd: [ERROR] NethServer\Tool\GroupProvider: Account provider generic error: SSSD exit code 1
Oct 28 16:50:21 server7c httpd: [ERROR] (1) SASL:[GSSAPI]: Failed to start authentication backend: NT_STATUS_INTERNAL_ERROR at /usr/share/perl5/vendor_perl/NethServer/LdapClient.pm line 126.
Oct 28 16:50:23 server7c admin-todos: (1) SASL:[GSSAPI]: Failed to start authentication backend: NT_STATUS_INTERNAL_ERROR at /usr/share/perl5/vendor_perl/NethServer/LdapClient.pm line 126.


Oct 28 16:30:32 Updated: nethserver-base-3.1.1-1.ns7.noarch
Oct 28 16:30:40 Updated: 1:grub2-common-2.02-0.65.el7.centos.2.noarch
Oct 28 16:30:43 Installed: 1:grub2-tools-minimal-2.02-0.65.el7.centos.2.x86_64
Oct 28 16:30:50 Installed: 1:grub2-tools-2.02-0.65.el7.centos.2.x86_64
Oct 28 16:30:52 Updated: nethserver-mysql-1.1.3-1.ns7.noarch
Oct 28 16:31:00 Updated: nethserver-sssd-1.3.2-1.ns7.noarch
Oct 28 16:31:08 Installed: 1:grub2-tools-extra-2.02-0.65.el7.centos.2.x86_64
Oct 28 16:31:19 Updated: 1:grub2-pc-modules-2.02-0.65.el7.centos.2.noarch
Oct 28 16:31:20 Updated: 1:grub2-pc-2.02-0.65.el7.centos.2.x86_64
Oct 28 16:31:28 Updated: kernel-tools-libs-3.10.0-693.5.2.el7.x86_64
Oct 28 16:34:13 Updated: nextcloud-12.0.3-1.el7.noarch
Oct 28 16:34:14 Updated: nethserver-nextcloud-1.1.8-1.ns7.noarch
Oct 28 16:34:20 Updated: kernel-tools-3.10.0-693.5.2.el7.x86_64
Oct 28 16:34:21 Installed: 1:grub2-2.02-0.65.el7.centos.2.x86_64
Oct 28 16:34:24 Updated: nethserver-dc-1.3.0-1.ns7.x86_64
Oct 28 16:34:26 Updated: nethserver-samba-audit-1.1.3-1.ns7.noarch
Oct 28 16:34:31 Updated: nethserver-firewall-base-3.2.7-1.ns7.noarch
Oct 28 16:34:33 Updated: nethserver-duc-1.4.3-1.ns7.noarch
Oct 28 16:34:35 Updated: nethserver-release-7-5.ns7.noarch
Oct 28 16:34:44 Updated: python-perf-3.10.0-693.5.2.el7.x86_64
Oct 28 16:35:03 Updated: tzdata-2017c-1.el7.noarch
Oct 28 16:35:09 Updated: wget-1.14-15.el7_4.1.x86_64
Oct 28 16:35:11 Updated: epel-release-7-11.noarch
Oct 28 16:35:40 Installed: kernel-3.10.0-693.5.2.el7.x86_64
Oct 28 16:35:44 Updated: nethserver-lang-en-1.2.3-1.ns7.noarch
Oct 28 16:36:02 Erased: 1:grub2-tools-efi-2.02-0.64.el7.centos.x86_64

Nextcloud, file sharing, httpd all seem to work, but this is a production server and I’m not leaving it like this, so I’m reverting it back.

Edit: I knew I’d seen this, and it appears to be the same issue that @Andy_Wismer encountered 5 days ago.


Release of NethServer 7.4.1708 Final
SSSD ldap error: Cannot contact any KDC
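Added example, not part of the original thread: a small triage script that counts the `ldap_child` "Cannot contact any KDC" failures per realm in /var/log/messages and lists the account-provider packages that yum changed before the first failure. The sample lines are copied from the logs in the post above; the function names, the watched-package list and the year (syslog stamps omit it) are assumptions.

```python
import re
from datetime import datetime

# Constructed sample input: lines copied from the logs quoted in the first post.
MESSAGES = """\
Oct 28 16:48:21 server7c [sssd[ldap_child[17207]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Cannot contact any KDC for realm 'burbledo.COM'. Unable to create GSSAPI-encrypted LDAP connection.
Oct 28 16:48:21 server7c [sssd[ldap_child[17207]]]: Cannot contact any KDC for realm 'burbledo.COM'
Oct 28 16:48:22 server7c logger: Shorewall reloaded
Oct 28 16:49:04 server7c [sssd[ldap_child[17304]]]: Cannot contact any KDC for realm 'burbledo.COM'
"""
YUM_LOG = """\
Oct 28 16:31:00 Updated: nethserver-sssd-1.3.2-1.ns7.noarch
Oct 28 16:34:24 Updated: nethserver-dc-1.3.0-1.ns7.x86_64
Oct 28 16:35:03 Updated: tzdata-2017c-1.el7.noarch
"""

# Anchored on the short form so the longer "Failed to initialize" line is not double counted.
KDC_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ \[sssd\[ldap_child\[\d+\]\]\]: "
                    r"Cannot contact any KDC for realm '([^']+)'")
PKG_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) (?:Updated|Installed): (\S+)")
WATCHED = ("nethserver-sssd", "nethserver-dc")  # assumption: packages worth flagging

def ts(stamp, year=2017):
    # syslog and yum.log stamps carry no year; the default here is an assumption
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def kdc_failures(messages):
    """Return {realm: [timestamps]} for ldap_child KDC-unreachable lines."""
    out = {}
    for line in messages.splitlines():
        m = KDC_RE.match(line)
        if m:
            out.setdefault(m.group(2), []).append(ts(m.group(1)))
    return out

def suspect_updates(messages, yum_log):
    """Per realm: failure count, first failure, watched packages changed before it."""
    pkgs = [(ts(m.group(1)), m.group(2))
            for m in map(PKG_RE.match, yum_log.splitlines())
            if m and m.group(2).startswith(WATCHED)]
    return {realm: {"failures": len(times), "first": min(times),
                    "updated_before": [p for t, p in pkgs if t < min(times)]}
            for realm, times in kdc_failures(messages).items()}

if __name__ == "__main__":
    for realm, info in suspect_updates(MESSAGES, YUM_LOG).items():
        print(realm, info["failures"], info["first"], info["updated_before"])
```
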
(Nacef Ben Tahar) #2

Hello,
if it’s a VM: since activating the AD function creates a new IP, you have to activate promiscuous mode for the card for the green network.
You will have a br0 card; hope that it will resolve your problem.


(Davide Principi) #3

Could you paste your /etc/krb5.conf file?


(André Wismer) #4

@fasttech
I still have one server with that same problem - all my other nethservers (about 8) at clients and my own one updated perfectly.

This one server is a productive server, albeit not yet heavily used. Luckily it is a virtual server, as that means I can do rollbacks per remote almost anytime. And I have daily saves of that box.

@nacef
This machine has been running as a VM for 3-4 months now, AD always worked, so did bridging (Promiscuous Mode enabled on the host). The update changed the game!

–> At the moment that one server hasn’t got the updates all the others have.
I would like to fix it.

@davidep
If you want, I can “update” that server now and it will reproduce the same error - then I could post the requested /etc/krb5.conf file…

Andy


#5

Pre or post update?


(Davide Principi) #6

Should be equal!


#7

As soon as I can find a window, I’ll update the container, then check that config, run the upgrade and recheck the config. Probably be a few days though.

I wish I had time to create a network just for this stuff, then I could clone the server and beat on it. Sigh.


#8

So, I have not updated this problem child production server… but,
I did get a chance to update my test environment… a NS DC VM and its hardware NS domain client server. I updated the container first; it pulled down so many pkgs that I thought it had brought the software center into play and the server had finished its 7.4 update… but no, the container upgrade went fine, so I went to the software center and finished the 7.4 update for the server, rebooted, new kernel, all good. Then I checked the NS client server and it was connected to the DC, so I updated it to 7.4 and rebooted, all good, Nextcloud, file sharing, etc.

Figures it’s the production server that’s being an ass. Sigh.


(Davide Principi) #9

This is really good news @fasttech ! :smile:


(Indra) #10

Does this mean updating server with Active Directory Accounts provider and Samba file sharing is safe now?


(Markus Neuberger) #11

Yes, I’d say it’s safe. Many servers tested as I read here in the forum and nearly no problems. The samba bug was fixed very fast and some time ago. It’s always good to have a backup but updating is safe.


(Indra) #12

Thank you, next week I’m back in the office and will upgrade after making a snapshot.


(Federico Ballarini) #13

I have removed LDAP provider and reinstalled it: it works! :wink:


(Davide Principi) #14

2 posts were split to a new topic: SSSD code 1: could not resolve domain of Active Directory