Could not connect to AD

NethServer Version: 7.6.1810
Module: SSSD

Hi everybody!
Suddenly my NS (used for fax and Nextcloud), which was always bound to AD, now stops communicating with LDAP/Kerberos intermittently (sometimes users show, sometimes not), but always with the error in the provider section.
I noticed this problem after a dcpromo of another Win2016 to DC in another site (with correct subnet definition). The primary site always had two domain controllers.
I've searched around but I haven't found any solution. The very strange thing is that on the new remote site I've deployed another NS, correctly bound to the new AD in the new site. I don't think the two ADs in the main site were the problem: other machines (firewall and antispam) glued to AD LDAP are working fine.

Investigating in the log section, I spotted TSIG errors in the past, before the new DC/site.

Jul 31 14:37:19 cloud.***.it httpd[17206]: [ERROR] NethServer\Tool\UserProvider: Errore generico account provider: SSSD terminato con codice 1
Jul 31 14:37:19 cloud.***.it httpd[17206]: [ERROR] (Connessione scaduta): IO::Socket::INET: connect: timeout

I reeeeally appreciate help!
Thanks

Hi @cedemi,
a few things I hope you may find useful

  1. From an Italian guy: please post English logs; it will help non-Italian people who want to support you to understand a lot
  2. Please elaborate more on the environment: devices, setups, connections (even if the user is still the same between the NethServer installations)
  3. Search! Did you have a read of this topic? Account provider generic error: SSSD exit code 1

Take care… :wink:

1 - ok, what specific log could be useful? messages, sssd…

2 - Well, this is a mixed virtual environment, with two young Win2016 domain controllers at the head of the network, and many other servers. Both DCs and NS are virtual, but on different hypervisors (VMware 6.7). NS was joined to AD with a specific domain user, the same one used for other integration services and for the second off-site NS, which works. Maybe the new site/second NS and the problem spotted on the first NS are not related, because the old logs maybe indicate that the problem is not correlated (btw DNS is absolutely OK, I hard-checked it yesterday).

May 17 09:25:21 cloud sssd: ; TSIG error with server: tsig verify failure
May 17 09:25:21 cloud sssd: update failed: REFUSED
May 17 09:25:21 cloud sssd: ; TSIG error with server: tsig verify failure
May 17 09:25:21 cloud sssd: update failed: REFUSED
May 17 09:25:21 cloud sssd: ; TSIG error with server: tsig verify failure
May 17 09:25:21 cloud sssd: update failed: REFUSED
May 17 09:25:21 cloud sssd: ; TSIG error with server: tsig verify failure

Other low-level tests were restoring an old NS VM backup (and obviously rejoining) and changing the IP/DNS of NS, but nothing changed.

BTW the problem is intermittent: users and groups show on the dash/account tab and half of the time not, but it always fails on the “Domain accounts” tab.

I've tried to connect with plain LDAP but it is not working.

3 - for me, creating a new thread is the last chance: I've parsed every single similar post here and many other resources before opening this request :wink:


Hi @cedemi

welcome to Nethserver Community.

I don’t know which vm is on which hypervisor but did you set the vmware network switch on the relevant hypervisors to promisc mode?

http://docs.nethserver.org/en/v7/accounts.html#installing-on-a-virtual-machine

Hi,

originally, when I installed the NS VM, it was not set, but this check was done, if not the first time, then the second time.


other relevant log:

[sssd[be[domain.lan]]] [id_callback] (0x0010): The Monitor returned an error [org.freedesktop.DBus.Error.NoReply]

[sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
…and many others…

I manually started the sssd service in debug mode: I hope it is useful

[root@cloud ~]# systemctl stop sssd.service
[root@cloud ~]# sssd -i -d 4
(Thu Aug 1 11:24:06:127794 2019) [sssd] [confdb_init_db] (0x0100): LDIF file to import:
dn: cn=config
version: 2

dn: cn=sssd,cn=config
cn: sssd
domains: domain.it
config_file_version: 2
services: nss, pam
default_domain_suffix: domain.it

dn: cn=domain.it,cn=domain,cn=config
cn: domain.it
use_fully_qualified_names: True
id_provider: ad
access_provider: ad
ad_domain: intranet.domain.it
krb5_realm: INTRANET.domain.IT
krb5_store_password_if_offline: True
ldap_id_mapping: True
ad_maximum_machine_account_password_age: 0
cache_credentials: True
override_homedir: /var/lib/nethserver/home/%u
default_shell: /usr/libexec/openssh/sftp-server
realmd_tags: manages-system joined-with-samba

dn: cn=nss,cn=config
cn: nss
filter_users: ldapservice

(Thu Aug 1 11:24:06:195001 2019) [sssd] [confdb_ensure_files_domain] (0x0100): The implicit files domain is disabled
(Thu Aug 1 11:24:06:195206 2019) [sssd] [confdb_get_domain_internal] (0x0100): Default domain suffix set. Changing default for use_fully_qualified_names to True.
(Thu Aug 1 11:24:06 2019) [sssd] [confdb_get_domain_internal] (0x0100): Default domain suffix set. Changing default for use_fully_qualified_names to True.
(Thu Aug 1 11:24:06 2019) [sssd] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\]+)\(?P.+))|((?P<name>[^@]+)@(?P<domain>.+))|(^(?P[^@\]+)$))].
(Thu Aug 1 11:24:06 2019) [sssd] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Thu Aug 1 11:24:06 2019) [sssd] [start_service] (0x0100): Queueing service domain.it for startup
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [be_res_get_opts] (0x0100): Lookup order: ipv4_first
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [confdb_get_domain_internal] (0x0100): Default domain suffix set. Changing default for use_fully_qualified_names to True.
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [monitor_common_send_id] (0x0100): Sending ID: (%BE_domain.it,1)
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\]+)\(?P.+))|((?P<name>[^@]+)@(?P<domain>.+))|(^(?P[^@\]+)$))].
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [dp_load_configuration] (0x0100): Using [ad] provider for [id]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [dp_load_configuration] (0x0100): Using [ad] provider for [auth]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [dp_load_configuration] (0x0100): Using [ad] provider for [access]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [dp_load_configuration] (0x0100): Using [ad] provider for [chpass]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [dp_load_configuration] (0x0100): Using [ad] provider for [sudo]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [dp_load_configuration] (0x0100): Using [ad] provider for [autofs]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [dp_load_configuration] (0x0100): Using [ad] provider for [selinux]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [dp_load_configuration] (0x0100): Using [ad] provider for [hostid]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [dp_load_configuration] (0x0100): Using [ad] provider for [subdomains]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [dp_load_configuration] (0x0100): Using [ad] provider for [session]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [ad_get_common_options] (0x0100): No AD server set, will use service discovery!
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [ad_get_common_options] (0x0100): Setting ad_hostname to [cloud.domain.it].
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [ad_get_common_options] (0x0100): Setting domain option case_sensitive to [false]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [krb5_service_new] (0x0100): write_kdcinfo for realm INTRANET.domain.IT set to false
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [ad_failover_init] (0x0100): No primary servers defined, using service discovery
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [_ad_servers_init] (0x0100): Added service discovery for AD
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [ad_set_sdap_options] (0x0100): Option krb5_realm set to INTRANET.domain.IT
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [sdap_set_sasl_options] (0x0100): Will look for cloud.domain.it@INTRANET.domain.IT in default keytab
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_authid set to CLOUD$
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [sdap_set_sasl_options] (0x0100): Option ldap_sasl_realm set to INTRANET.domain.IT
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [ad_set_search_bases] (0x0100): Search base not set. SSSD will attempt to discover it later, when connecting to the LDAP server.
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [ad_dyndns_init] (0x0100): Dynamic DNS updates are on. Checking for nsupdate…
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [sdap_idmap_init] (0x0100): Initializing [1] domains for ID-mapping
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [ad_machine_account_password_renewal_init] (0x0100): Automatic machine account renewal disabled.
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [ad_get_auth_options] (0x0100): Option krb5_server set to (null)
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [ad_get_auth_options] (0x0100): Option krb5_realm set to INTRANET.domain.IT
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [ad_get_auth_options] (0x0100): Option krb5_use_kdcinfo set to true
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [sss_krb5_check_options] (0x0100): No KDC explicitly configured, using defaults.
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [sss_krb5_check_options] (0x0100): No kpasswd server explicitly configured, using the KDC or defaults.
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [sss_krb5_check_options] (0x0100): ccache is of type FILE
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [parse_krb5_map_user] (0x0100): krb5_map_user is empty!
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [dp_target_init] (0x0100): Target [selinux] is not supported by module [ad].
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [dp_target_init] (0x0100): Target [hostid] is not supported by module [ad].
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [ad_set_search_bases] (0x0100): Search base not set. SSSD will attempt to discover it later, when connecting to the LDAP server.
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [dp_target_init] (0x0100): Target [session] is not supported by module [ad].
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [fo_resolve_service_send] (0x0100): Trying to resolve service ‘AD’
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of ‘_ldap._tcp.domain._sites.intranet.domain.it’
(Thu Aug 1 11:24:06 2019) [sssd] [client_registration] (0x0100): Received ID registration: (%BE_domain.it,1)
(Thu Aug 1 11:24:06 2019) [sssd] [mark_service_as_started] (0x0100): Now starting services!
(Thu Aug 1 11:24:06 2019) [sssd] [start_service] (0x0100): Queueing service nss for startup
(Thu Aug 1 11:24:06 2019) [sssd] [start_service] (0x0100): Queueing service pam for startup
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of ‘dc02.intranet.domain.it’ in files
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of ‘dc02.intranet.domain.it’ in files
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of ‘dc02.intranet.domain.it’ in DNS
(Thu Aug 1 11:24:06 2019) [sssd[nss]] [confdb_get_domain_internal] (0x0100): Default domain suffix set. Changing default for use_fully_qualified_names to True.
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of ‘_ldap._tcp.domain._sites.intranet.domain.it’
(Thu Aug 1 11:24:06 2019) [sssd[nss]] [monitor_common_send_id] (0x0100): Sending ID: (nss,1)
(Thu Aug 1 11:24:06 2019) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\]+)\(?P.+))|((?P<name>[^@]+)@(?P<domain>.+))|(^(?P[^@\]+)$))].
(Thu Aug 1 11:24:06 2019) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of ‘_ldap._tcp.intranet.domain.it’
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [dp_client_init] (0x0100): Set-up Backend ID timeout [0x56546069f820]
(Thu Aug 1 11:24:06 2019) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\]+)\(?P.+))|((?P<name>[^@]+)@(?P<domain>.+))|(^(?P[^@\]+)$))].
(Thu Aug 1 11:24:06 2019) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service ‘AD’ as ‘resolved’
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of ‘dc01.intranet.domain.it’ in files
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [set_server_common_status] (0x0100): Marking server ‘dc01.intranet.domain.it’ as ‘resolving name’
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of ‘dc01.intranet.domain.it’ in files
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of ‘dc01.intranet.domain.it’ in DNS
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [set_server_common_status] (0x0100): Marking server ‘dc01.intranet.domain.it’ as ‘name resolved’
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [ad_resolve_callback] (0x0100): Constructed uri ‘ldap://dc01.intranet.domain.it’
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [ad_resolve_callback] (0x0100): Constructed GC uri ‘ldap://dc01.intranet.domain.it’
(Thu Aug 1 11:24:06 2019) [sssd[pam]] [confdb_get_domain_internal] (0x0100): Default domain suffix set. Changing default for use_fully_qualified_names to True.
(Thu Aug 1 11:24:06 2019) [sssd[pam]] [monitor_common_send_id] (0x0100): Sending ID: (pam,1)
(Thu Aug 1 11:24:06 2019) [sssd[pam]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\]+)\(?P.+))|((?P<name>[^@]+)@(?P<domain>.+))|(^(?P[^@\]+)$))].
(Thu Aug 1 11:24:06 2019) [sssd[pam]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Thu Aug 1 11:24:06 2019) [sssd[pam]] [sss_names_init_from_args] (0x0100): Using re [(((?P[^\]+)\(?P.+))|((?P<name>[^@]+)@(?P<domain>.+))|(^(?P[^@\]+)$))].
(Thu Aug 1 11:24:06 2019) [sssd[pam]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Thu Aug 1 11:24:06 2019) [sssd[pam]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [dp_client_init] (0x0100): Set-up Backend ID timeout [0x5654606acc10]
(Thu Aug 1 11:24:06 2019) [sssd] [client_registration] (0x0100): Received ID registration: (pam,1)
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [dp_client_register] (0x0100): Cancel DP ID timeout [0x5654606acc10]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [dp_client_register] (0x0100): Added Frontend client [PAM]
(Thu Aug 1 11:24:06 2019) [sssd[pam]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [sdap_set_search_base] (0x0100): Setting option [ldap_search_base] to [DC=intranet,DC=domain,DC=it].
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][DC=intranet,DC=domain,DC=it][SUBTREE][]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [sdap_set_search_base] (0x0100): Setting option [ldap_user_search_base] to [DC=intranet,DC=domain,DC=it].
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [common_parse_search_base] (0x0100): Search base added: [USER][DC=intranet,DC=domain,DC=it][SUBTREE][]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [sdap_set_search_base] (0x0100): Setting option [ldap_group_search_base] to [DC=intranet,DC=domain,DC=it].
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [common_parse_search_base] (0x0100): Search base added: [GROUP][DC=intranet,DC=domain,DC=it][SUBTREE][]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [sdap_set_search_base] (0x0100): Setting option [ldap_netgroup_search_base] to [DC=intranet,DC=domain,DC=it].
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][DC=intranet,DC=domain,DC=it][SUBTREE][]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [sdap_set_search_base] (0x0100): Setting option [ldap_host_search_base] to [DC=intranet,DC=domain,DC=it].
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [common_parse_search_base] (0x0100): Search base added: [HOST][DC=intranet,DC=domain,DC=it][SUBTREE][]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [sdap_set_search_base] (0x0100): Setting option [ldap_sudo_search_base] to [DC=intranet,DC=domain,DC=it].
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][DC=intranet,DC=domain,DC=it][SUBTREE][]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [sdap_set_search_base] (0x0100): Setting option [ldap_service_search_base] to [DC=intranet,DC=domain,DC=it].
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][DC=intranet,DC=domain,DC=it][SUBTREE][]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [sdap_set_search_base] (0x0100): Setting option [ldap_autofs_search_base] to [DC=intranet,DC=domain,DC=it].
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][DC=intranet,DC=domain,DC=it][SUBTREE][]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [7]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [sdap_get_server_opts_from_rootdse] (0x0100): Will look for schema at [CN=Schema,CN=Configuration,DC=intranet,DC=domain,DC=it]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [fo_resolve_service_send] (0x0100): Trying to resolve service ‘AD’
(Thu Aug 1 11:24:06 2019) [[sssd[ldap_child[3245]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [CLOUD$@INTRANET.domain.IT]
(Thu Aug 1 11:24:06 2019) [[sssd[ldap_child[3245]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [child_sig_handler] (0x0100): child [3245] finished successfully.
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: CLOUD$
(Thu Aug 1 11:24:06 2019) [sssd[nss]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(Thu Aug 1 11:24:06 2019) [sssd] [client_registration] (0x0100): Received ID registration: (nss,1)
(Thu Aug 1 11:24:06 2019) [sssd[nss]] [id_callback] (0x0100): Got id ack and version (1) from Monitor
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [fo_set_port_status] (0x0100): Marking port 389 of server ‘dc01.intranet.domain.it’ as ‘working’
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [set_server_common_status] (0x0100): Marking server ‘dc01.intranet.domain.it’ as ‘working’
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [dp_client_register] (0x0100): Cancel DP ID timeout [0x56546069f820]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [dp_client_register] (0x0100): Added Frontend client [NSS]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [be_ptask_enable] (0x0080): Task [Subdomains Refresh]: already enabled
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [be_ptask_enable] (0x0080): Task [SUDO Smart Refresh]: already enabled
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [be_ptask_enable] (0x0080): Task [SUDO Full Refresh]: already enabled
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of ‘cloud.domain.it’ in DNS
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve AAAA record of ‘cloud.domain.it’ in DNS
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [resolv_gethostbyname_next] (0x0100): No more hosts databases to retry
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [child_sig_handler] (0x0100): child [3246] finished successfully.
; TSIG error with server: tsig verify failure
update failed: REFUSED
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [child_sig_handler] (0x0020): child [3250] failed with status [2].
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158239]: Dynamic DNS update failed
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [sdap_dyndns_update_ptr_done] (0x0080): nsupdate failed, retrying
; TSIG error with server: tsig verify failure
update failed: REFUSED
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [child_sig_handler] (0x0020): child [3254] failed with status [2].
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158239]: Dynamic DNS update failed
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [child_sig_handler] (0x0100): child [3258] finished successfully.
(Thu Aug 1 11:24:16 2019) [sssd[be[domain.it]]] [sdap_sudo_load_sudoers_done] (0x0040): Received 0 sudo rules
[nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(Thu Aug 1 11:25:01 2019) [sssd[pam]] [get_client_cred] (0x0080): The following failure is expected to happen in case SELinux is disabled:
SELINUX_getpeercon failed [92][Protocol not available].
Please, consider enabling SELinux in your system.
(Thu Aug 1 11:25:01 2019) [sssd[pam]] [pam_cmd_open_session] (0x0100): entering pam_cmd_open_session
(Thu Aug 1 11:25:01 2019) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_OPEN_SESSION
(Thu Aug 1 11:25:01 2019) [sssd[pam]] [pam_print_data] (0x0100): domain: domain.it
(Thu Aug 1 11:25:01 2019) [sssd[pam]] [pam_print_data] (0x0100): user: apache
(Thu Aug 1 11:25:01 2019) [sssd[pam]] [pam_print_data] (0x0100): service: crond
(Thu Aug 1 11:25:01 2019) [sssd[pam]] [pam_print_data] (0x0100): tty: cron
(Thu Aug 1 11:25:01 2019) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Thu Aug 1 11:25:01 2019) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Thu Aug 1 11:25:01 2019) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Thu Aug 1 11:25:01 2019) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Aug 1 11:25:01 2019) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu Aug 1 11:25:01 2019) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 3306
(Thu Aug 1 11:25:01 2019) [sssd[pam]] [pam_print_data] (0x0100): logon name: apache
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [check_if_pac_is_available] (0x0040): find_user_entry failed.
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [fo_resolve_service_send] (0x0100): Trying to resolve service ‘AD_GC’
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of ‘_ldap._tcp.domain._sites.intranet.domain.it’
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of ‘dc02.intranet.domain.it’ in files
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of ‘dc02.intranet.domain.it’ in files
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of ‘dc02.intranet.domain.it’ in DNS
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of ‘_gc._tcp.domain._sites.intranet.domain.it’
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of ‘_gc._tcp.intranet.domain.it’
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service ‘AD_GC’ as ‘resolved’
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of ‘dc02.intranet.domain.it’ in files
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [set_server_common_status] (0x0100): Marking server ‘dc02.intranet.domain.it’ as ‘resolving name’
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of ‘dc02.intranet.domain.it’ in files
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of ‘dc02.intranet.domain.it’ in DNS
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [set_server_common_status] (0x0100): Marking server ‘dc02.intranet.domain.it’ as ‘name resolved’
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [ad_resolve_callback] (0x0100): Constructed uri ‘ldap://dc02.intranet.domain.it’
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [ad_resolve_callback] (0x0100): Constructed GC uri ‘ldap://dc02.intranet.domain.it:3268’
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [7]
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [sdap_get_server_opts_from_rootdse] (0x0100): Will look for schema at [CN=Schema,CN=Configuration,DC=intranet,DC=domain,DC=it]
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [fo_resolve_service_send] (0x0100): Trying to resolve service ‘AD’
(Thu Aug 1 11:25:01 2019) [[sssd[ldap_child[3307]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [CLOUD$@INTRANET.domain.IT]
(Thu Aug 1 11:25:01 2019) [[sssd[ldap_child[3307]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab]
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: gssapi, user: CLOUD$
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [child_sig_handler] (0x0100): child [3307] finished successfully.
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [fo_set_port_status] (0x0100): Marking port 3268 of server ‘dc02.intranet.domain.it’ as ‘working’
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [set_server_common_status] (0x0100): Marking server ‘dc02.intranet.domain.it’ as ‘working’
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [check_if_pac_is_available] (0x0040): find_user_entry failed.
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [sysdb_get_real_name] (0x0040): Cannot find user [apache@domain.it] in cache
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [sysdb_get_real_name] (0x0040): Cannot find user [apache@domain.it] in cache
(Thu Aug 1 11:25:01 2019) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
(Thu Aug 1 11:25:01 2019) [sssd[nss]] [get_client_cred] (0x0080): The following failure is expected to happen in case SELinux is disabled:
SELINUX_getpeercon failed [92][Protocol not available].
Please, consider enabling SELinux in your system.
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [check_if_pac_is_available] (0x0040): find_user_entry failed.
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [check_if_pac_is_available] (0x0040): find_user_entry failed.
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [sysdb_get_real_name] (0x0040): Cannot find user [apache@domain.it] in cache
(Thu Aug 1 11:25:01 2019) [sssd[be[domain.it]]] [sysdb_get_real_name] (0x0040): Cannot find user [apache@domain.it] in cache
(Thu Aug 1 11:25:02 2019) [sssd[pam]] [pam_cmd_close_session] (0x0100): entering pam_cmd_close_session
(Thu Aug 1 11:25:02 2019) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_CLOSE_SESSION
(Thu Aug 1 11:25:02 2019) [sssd[pam]] [pam_print_data] (0x0100): domain: domain.it
(Thu Aug 1 11:25:02 2019) [sssd[pam]] [pam_print_data] (0x0100): user: apache
(Thu Aug 1 11:25:02 2019) [sssd[pam]] [pam_print_data] (0x0100): service: crond
(Thu Aug 1 11:25:02 2019) [sssd[pam]] [pam_print_data] (0x0100): tty: cron
(Thu Aug 1 11:25:02 2019) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Thu Aug 1 11:25:02 2019) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Thu Aug 1 11:25:02 2019) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Thu Aug 1 11:25:02 2019) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Aug 1 11:25:02 2019) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu Aug 1 11:25:02 2019) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 3306
(Thu Aug 1 11:25:02 2019) [sssd[pam]] [pam_print_data] (0x0100): logon name: apache
(Thu Aug 1 11:25:02 2019) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal.
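
As an added example (not part of the original thread, and not NethServer or SSSD code): a small Python triage of an `sssd -i -d 4` capture like the one posted above. It counts failure-level messages per SSSD process and reports the LDAP failover state separately from the nsupdate (dynamic DNS) result. The function names are assumptions of this example, and the sample is constructed from lines quoted in the thread.

```python
import re
from collections import Counter

# Severity bits as documented for debug_level in sssd.conf(5); lower = worse.
LEVELS = {0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor"}

# "(timestamp) [component] [function] (0xNNNN): message"; the timestamp is
# optional because some lines in the thread were pasted without it.
LINE_RE = re.compile(
    r"^(?:\((?P<ts>[^)]*)\)\s+)?(?P<comp>\[.*?\])\s+\[(?P<func>\w+)\]\s+"
    r"\((?P<lvl>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)$"
)
# Accept straight quotes (real SSSD output) and the curly ones a forum renders.
Q = r"[\u2018\u2019']"
SERVER_RE = re.compile(
    rf"Marking server {Q}(?P<srv>[^\u2019']+){Q} as {Q}(?P<st>[^\u2019']+){Q}"
)


def subsystem(comp):
    """Map '[sssd[be[domain.it]]]' -> 'be', '[sssd]' -> 'monitor'."""
    m = re.search(r"sssd\[(\w+)", comp)
    return m.group(1) if m else "monitor"


def triage(lines):
    """Summarise a debug capture: failures per subsystem, last failover
    state per server, and dynamic DNS (nsupdate) rejections."""
    out = {
        "severity": Counter(),  # (subsystem, level name) -> count
        "servers": {},          # server -> last status seen
        "went_online": False,
        "offline_errors": 0,
        "dyndns": Counter(),    # tsig / refused / other / child_failed
    }
    for raw in lines:
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            # nsupdate writes to stderr, so its lines carry no SSSD prefix.
            if "TSIG error" in line:
                out["dyndns"]["tsig"] += 1
            elif line.startswith("update failed:"):
                out["dyndns"]["refused" if "REFUSED" in line else "other"] += 1
            continue
        level, msg = int(m["lvl"], 16), m["msg"]
        if level in LEVELS:
            out["severity"][(subsystem(m["comp"]), LEVELS[level])] += 1
        s = SERVER_RE.search(msg)
        if s:
            out["servers"][s["srv"]] = s["st"]
        if m["func"] == "be_run_online_cb" and "Going online" in msg:
            out["went_online"] = True
        if "DataProvider.Offline" in msg:
            out["offline_errors"] += 1
        if m["func"] == "nsupdate_child_handler" and "failed" in msg:
            out["dyndns"]["child_failed"] += 1
    return out


def findings(r):
    """Turn the counters into statements that keep the two paths apart."""
    notes = []
    working = sorted(s for s, st in r["servers"].items() if st == "working")
    if r["went_online"] and working:
        notes.append("backend online via " + ", ".join(working))
    if r["dyndns"]["tsig"] or r["dyndns"]["refused"]:
        notes.append("dynamic DNS update rejected (TSIG/REFUSED)")
    if r["offline_errors"]:
        notes.append("responder saw the data provider offline")
    return notes


# Constructed sample: lines copied from the thread, with straight quotes.
SAMPLE = """\
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [set_server_common_status] (0x0100): Marking server 'dc01.intranet.domain.it' as 'resolving name'
(Thu Aug 1 11:24:06 2019) [[sssd[ldap_child[3245]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [CLOUD$@INTRANET.domain.IT]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [set_server_common_status] (0x0100): Marking server 'dc01.intranet.domain.it' as 'working'
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
; TSIG error with server: tsig verify failure
update failed: REFUSED
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [child_sig_handler] (0x0020): child [3250] failed with status [2].
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(Thu Aug 1 11:24:06 2019) [sssd[be[domain.it]]] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158239]: Dynamic DNS update failed
[sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]
"""

if __name__ == "__main__":
    for note in findings(triage(SAMPLE.splitlines())):
        print(note)
```

To use it on a real capture, pass the lines of a saved log file to `triage()` instead of `SAMPLE`.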