LDAP client internal error (AccountProvider_Error_82) no groups or users shown

Hello,

When I first faced this error, a restart fixed it for me:

systemctl -M nsdc stop samba
systemctl -M nsdc start samba

but after a period of time the error came back, and restarting the service or the server did not help :frowning:

logs :sunny:

On :9090/nethserver#/users-groups

no users are shown on the Users and groups page.

On :980/en-US/Account

no users are shown on the Users and groups page, and there is this error:

LDAP client internal error (AccountProvider_Error_82)

account-provider-test dump

{
   "BindDN" : "ldapservice@ad.tst.loc",
   "LdapURI" : "ldap://ad.tst.loc",
   "DiscoverDcType" : "ldapuri",
   "StartTls" : "1",
   "port" : 389,
   "host" : "ad.tst.loc",
   "isAD" : "1",
   "isLdap" : "",
   "UserDN" : "dc=ad,dc=tst,dc=loc",
   "GroupDN" : "dc=ad,dc=tst,dc=loc",
   "BindPassword" : "r_",
   "BaseDN" : "dc=ad,dc=tst,dc=loc",
   "LdapUriDn" : "ldap:///dc%3Dad%2Cdc%3Dtst%2Cdc%3Dloc"
}

ping $(config getprop nsdc IpAddress)

PING 192.168.1.45 (192.168.1.45) 56(84) bytes of data.
64 bytes from 192.168.1.45: icmp_seq=1 ttl=64 time=0.107 ms
64 bytes from 192.168.1.45: icmp_seq=2 ttl=64 time=0.079 ms
64 bytes from 192.168.1.45: icmp_seq=3 ttl=64 time=0.074 ms
^C
--- 192.168.1.45 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.074/0.086/0.107/0.018 ms

systemctl status nsdc

● nsdc.service - NethServer Domain Controller container
   Loaded: loaded (/usr/lib/systemd/system/nsdc.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-02-17 21:36:17 +03; 5min ago
     Docs: man:systemd-nspawn(1)
 Main PID: 1947 (systemd-nspawn)
   Status: "Container running."
    Tasks: 33
   Memory: 231.2M
   CGroup: /machine.slice/nsdc.service
           ├─1947 /usr/bin/systemd-nspawn --quiet --keep-unit --boot --network-bridge=br0 --machine=nsdc --capability=CAP_SYS_TIME
           ├─1958 /usr/lib/systemd/systemd
           └─system.slice
             ├─samba.service
             │ ├─4271 /usr/sbin/samba -i --debug-stderr
             │ ├─4454 /usr/sbin/samba -i --debug-stderr
             │ ├─4455 /usr/sbin/samba -i --debug-stderr
             │ ├─4456 /usr/sbin/samba -i --debug-stderr
             │ ├─4457 /usr/sbin/samba -i --debug-stderr
             │ ├─4458 /usr/sbin/samba -i --debug-stderr
             │ ├─4459 /usr/sbin/samba -i --debug-stderr
             │ ├─4460 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
             │ ├─4461 /usr/sbin/samba -i --debug-stderr
             │ ├─4462 /usr/sbin/samba -i --debug-stderr
             │ ├─4463 /usr/sbin/samba -i --debug-stderr
             │ ├─4464 /usr/sbin/samba -i --debug-stderr
             │ ├─4465 /usr/sbin/samba -i --debug-stderr
             │ ├─4466 /usr/sbin/samba -i --debug-stderr
             │ ├─4467 /usr/sbin/samba -i --debug-stderr
             │ ├─4468 /usr/sbin/samba -i --debug-stderr
             │ ├─4469 /usr/sbin/samba -i --debug-stderr
             │ ├─4470 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
             │ ├─4479 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
             │ ├─4480 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
             │ ├─4535 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
             │ ├─5263 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
             │ ├─5266 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
             │ ├─5268 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
             │ ├─5697 /usr/sbin/samba -i --debug-stderr
             │ └─5706 /usr/sbin/samba -i --debug-stderr
             ├─console-getty.service
             │ └─4264 /sbin/agetty --noclear --keep-baud console 115200,38400,9600 vt220
             ├─ntpd.service
             │ └─4274 /usr/sbin/ntpd -u ntp:ntp -g
             ├─systemd-logind.service
             │ └─4260 /usr/lib/systemd/systemd-logind
             ├─dbus.service
             │ └─4244 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
             └─systemd-journald.service
               └─4084 /usr/lib/systemd/systemd-journald

Feb 17 21:36:30 th.tst.loc systemd-nspawn[1947]: [  OK  ] Reached target Network.
Feb 17 21:36:30 th.tst.loc systemd-nspawn[1947]: [  OK  ] Started Samba domain controller daemon.
Feb 17 21:36:30 th.tst.loc systemd-nspawn[1947]: [  OK  ] Started Login Service.
Feb 17 21:36:30 th.tst.loc systemd-nspawn[1947]: [  OK  ] Started Network Time Service.
Feb 17 21:36:30 th.tst.loc systemd-nspawn[1947]: [  OK  ] Reached target Multi-User System.
Feb 17 21:36:30 th.tst.loc systemd-nspawn[1947]: [  OK  ] Reached target Graphical Interface.
Feb 17 21:36:30 th.tst.loc systemd-nspawn[1947]: Starting Update UTMP about System Runlevel Changes...
Feb 17 21:36:30 th.tst.loc systemd-nspawn[1947]: [  OK  ] Started Update UTMP about System Runlevel Changes.
Feb 17 21:36:32 th.tst.loc systemd-nspawn[1947]: CentOS Linux 7 (Core)
Feb 17 21:36:32 th.tst.loc systemd-nspawn[1947]: Kernel 3.10.0-1062.9.1.el7.x86_64 on an x86_64

journalctl nsdc

Failed to add match 'nsdc': Invalid argument
Failed to add filters: Invalid argument

journalctl -M nsdc

-- Logs begin at Thu 2020-01-09 16:55:19 +03, end at Mon 2020-02-17 21:36:39 +03. --
Jan 09 16:55:19 nsdc-th.ad.tst.loc systemd-journal[17]: Runtime journal is using 8.0M (max allowed 794.2M, trying to leave 1.1G free of 7.7G available → current limit 794.2
Jan 09 16:55:19 nsdc-th.ad.tst.loc systemd-journal[17]: Journal started
Jan 09 16:55:19 nsdc-th.ad.tst.loc systemd[1]: Started Rebuild Journal Catalog.
Jan 09 16:55:19 nsdc-th.ad.tst.loc systemd[1]: Starting Flush Journal to Persistent Storage...
Jan 09 16:55:19 nsdc-th.ad.tst.loc systemd-journal[17]: Permanent journal is using 8.0M (max allowed 4.0G, trying to leave 4.0G free of 43.9G available → current limit 4.0G
Jan 09 16:55:19 nsdc-th.ad.tst.loc systemd-journal[17]: Time spent on flushing to /var is 3.927ms for 5 entries.
Jan 09 16:55:19 nsdc-th.ad.tst.loc systemd[1]: Started Flush Journal to Persistent Storage.
Jan 09 16:55:19 nsdc-th.ad.tst.loc systemd[1]: Starting Create Volatile Files and Directories...
Jan 09 16:55:19 nsdc-th.ad.tst.loc systemd[1]: Started Create Volatile Files and Directories.
Jan 09 16:55:19 nsdc-th.ad.tst.loc systemd[1]: Starting Update UTMP about System Boot/Shutdown...
Jan 09 16:55:19 nsdc-th.ad.tst.loc systemd[1]: Started Update UTMP about System Boot/Shutdown.
Jan 09 16:55:20 nsdc-th.ad.tst.loc systemd[1]: Started Rebuild Hardware Database.
Jan 09 16:55:20 nsdc-th.ad.tst.loc systemd[1]: Starting Update is Completed...
Jan 09 16:55:20 nsdc-th.ad.tst.loc systemd[1]: Started Update is Completed.
Jan 09 16:55:20 nsdc-th.ad.tst.loc systemd[1]: Reached target System Initialization.
Jan 09 16:55:20 nsdc-th.ad.tst.loc systemd[1]: Listening on NSDC container remote command server.
Jan 09 16:55:20 nsdc-th.ad.tst.loc systemd[1]: Listening on D-Bus System Message Bus Socket.
Jan 09 16:55:20 nsdc-th.ad.tst.loc systemd[1]: Reached target Sockets.
Jan 09 16:55:20 nsdc-th.ad.tst.loc systemd[1]: Started Daily Cleanup of Temporary Directories.
Jan 09 16:55:20 nsdc-th.ad.tst.loc systemd[1]: Reached target Timers.
Jan 09 16:55:20 nsdc-th.ad.tst.loc systemd[1]: Reached target Basic System.
Jan 09 16:55:20 nsdc-th.ad.tst.loc systemd[1]: Started D-Bus System Message Bus.

/usr/libexec/nethserver/list-users >/dev/null; echo $?

(82) GSSAPI Error (init): Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database
82

config show sssd

sssd=service
    AdDns=192.168.1.45
    BaseDN=dc=ad,dc=tst,dc=loc
    BindDN=ldapservice@ad.tst.loc
    BindPassword=xxxxxxxxxxxxx
    DiscoverDcType=ldapuri
    GroupDN=dc=ad,dc=tst,dc=loc
    LdapURI=ldap://ad.tst.loc
    Provider=ad
    Realm=AD.TST.LOC
    StartTls=enabled
    UserDN=dc=ad,dc=tst,dc=loc
    Workgroup=TST
    status=enabled

config show nsdc

nsdc=service
    IpAddress=192.168.1.45
    ProvisionType=newdomain
    bridge=br0
    status=enabled

Maybe a related error:

When I try to log in using SSH I get this error:
SSH protocol v.1 is no longer supported
but when I check the config it's set to v2!?
Best Regards

After digging right and left :smile:
I remembered that I had changed the domain/sub-domain of the LDAP URI from nsdc-th.ad.tst.loc to ad.ih.loc,
so I set it back to its original state (name) and then AD worked well.

Why?

  1. A conflict with the IP, because ad.tst.loc (the new name) had the same IP as nsdc-th.tst.loc (the old/default name).
  2. The new name (of the LDAP URI) was not changed somewhere in the config.

Best Regards