LDAP to AD problems

migration
activedirectory

(Craig) #1

I upgraded from 6.9 to 7.4.1708 on a new machine.
The upgrade went fairly smoothly once I figured it all out.

I upgraded the LDAP to Active Directory (mostly because a majority of the clients are Windows).
The upgrade seemed to work but at the very end threw an error which I don’t remember. But I worked through most of that.

Now I am at a point where I get AccountProvider_Error_82 on the Users and Groups page. Before the upgrade to AD I had a list of users; afterward the page is blank.
On the Domain accounts page I have:

NetBIOS domain name: INTERNAL
LDAP server: 192.168.100.200
LDAP server name: nsdc-hostname.internal.example.com
Realm: INTERNAL.EXAMPLE.COM
Bind Path: dc=INTERNAL,dc=EXAMPLE,dc=COM
LDAP port: 389
Server time: Sun, 25 Feb 2018 06:20:19 CST
KDC server: 192.168.100.200
Server time offset: 0
Last machine account password change: Fri, 31 Jul 2015 21:29:56 CDT

Enter HOSTNAME$@INTERNAL.EXAMPLE.COM's password:Join to domain is not valid: NT code 0xfffffff6

Running /usr/libexec/nethserver/list-users gives me

kinit: Client 'HOSTNAME$@INTERNAL.EXAMPLE.COM' not found in Kerberos database while getting initial credentials
(82) GSSAPI Error (init): Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: /tmp/krb5cc_0)

which is similar to what is in /var/log/messages.

I looked through the forums and scoured the internet, but nothing seems to quite fix the issue.

I’m stuck now, not sure how to resolve this.


(André Wismer) #2

Hi

I got stuck with that problem on two client machines; both were fresh 7.3 installs and working well.
Both had that issue after an update (before the 7.3 -> 7.4 mess).

My solution, which worked, was to delete the Account Provider, then restore from a config-backup.

The Accounts Provider was reinstalled with the previous settings, and all accounts were there and workable!

-> If possible, make a save or image of the whole machine beforehand. My clients were virtualized on ProxMox, so this was easily possible.

Your mileage may vary.

Andy


(Davide Principi) #3

NethServer failed the AD join procedure: there should be evidence in /var/log/messages.

The output of the following commands could help to understand why it happened:

 config show dns
 config show nsdc
 config show sssd
 config show smb

(Craig) #4

config show dns

dns=configuration
NameServers=208.67.222.222,208.67.220.220

Those are the OpenDNS servers

config show nsdc

nsdc=service
IpAddress=192.168.100.200
ProvisionType=ns6upgrade
bridge=br0
status=enabled

Looks correct to me

config show sssd

sssd=service
AdDns=192.168.100.200
BindDN=ldapservice@INTERNAL.EXAPMLE.COM
BindPassword=PASSWORD
LdapURI=
Provider=ad
Realm=INTERNAL.EXAMPLE.COM
Workgroup=INTERNAL
status=enabled

Does missing LdapURI hurt anything?

config show smb

smb=service
AdsLdapAccountsBranch=
AdsRealm=
AuditAlias=REMOVED
DeadTime=10080
HomeAdmStatus=disabled
InheritOwner=yes
LogonDrive=Z:
NetbiosAliasList=
OsLevel=35
RoamingProfiles=yes
ServerRole=PDC
ShareAdmStatus=disabled
Sid=S-1-5-21-REMOVED
TCPPorts=139,445
UseClientDriver=yes
UseCups=enabled
WinsServerIP=
access=green
status=enabled

I’m not knowledgeable enough to see any obvious red flags.

If I was to remove the Accounts Provider and then do a restore, is there a way to just restore the users or would I have to do the full thing all over again?

I did the original upgrade with rsync.

Edit

Grepping through /var/log/messages for errors, I got the following:

esmith::event[5888]: Job for sssd.service failed because the control
process exited with error code. See "systemctl status sssd.service" and
"journalctl -xe" for details.

systemctl status sssd.service -l

● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/sssd.service.d
           └─journal.conf
   Active: failed (Result: exit-code) since Sun 2018-02-25 06:46:11 CST; 12h ago
 Main PID: 6461 (code=exited, status=1/FAILURE)

Feb 25 06:46:10 hostname.internal.example.com sssd[pam][6466]: Starting up
Feb 25 06:46:10 hostname.internal.example.com sssd[nss][6467]: Starting up
Feb 25 06:46:10 hostname.internal.example.com sssd[pam][6468]: Starting up
Feb 25 06:46:11 hostname.internal.example.com sssd[be[internal.example.com]][6469]: Starting up
Feb 25 06:46:11 hostname.internal.example.com sssd[be[internal.example.com]][6469]: Failed to read keytab [default]: No such file or directory
Feb 25 06:46:11 hostname.internal.example.com sssd[6461]: Exiting the SSSD. Could not restart critical service [internal.example.com].
Feb 25 06:46:11 hostname.internal.example.com systemd[1]: sssd.service: main process exited, code=exited, status=1/FAILURE
Feb 25 06:46:11 hostname.internal.example.com systemd[1]: Failed to start System Security Services Daemon.
Feb 25 06:46:11 hostname.internal.example.com systemd[1]: Unit sssd.service entered failed state.
Feb 25 06:46:11 hostname.internal.example.com systemd[1]: sssd.service failed.

Ok so I’m missing a keytab?

Here are the only errors I see in journalctl:

Feb 25 06:46:51 hostname.internal.example.com admin-todos[7097]: kinit: Client 'hostname$@INTERNAL.EXAMPLE.COM' not found in Kerberos database while getting initial credentials
Feb 25 06:46:51 hostname.internal.example.com admin-todos[7097]: (82) GSSAPI Error (init): Unspecified GSS failure.  Minor code may provide more information
Feb 25 06:46:51 hostname.internal.example.com admin-todos[7097]: No Kerberos credentials available (default cache: /tmp/krb5cc_0)
Feb 25 06:47:07 hostname.internal.example.com sudo[7169]:   srvmgr : TTY=unknown ; PWD=/usr/share/nethesis/nethserver-manager ; USER=root ; COMMAND=/usr/libexec/nethserver/list-users
Feb 25 06:47:07 hostname.internal.example.com httpd[4176]: [ERROR] NethServer\Tool\UserProvider: AccountProvider_Error_82
Feb 25 06:47:07 hostname.internal.example.com httpd[4176]: [ERROR] kinit: Client 'hostname$@INTERNAL.EXAMPLE.COM' not found in Kerberos database while getting initial credentials
(82) GSSAPI Error (init): Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: /tmp/krb5cc_0)
Feb 25 06:47:07 hostname.internal.example.com sudo[7173]:   srvmgr : TTY=unknown ; PWD=/usr/share/nethesis/nethserver-manager ; USER=root ; COMMAND=/usr/libexec/nethserver/list-groups
Feb 25 06:47:11 hostname.internal.example.com sudo[7187]:   srvmgr : TTY=unknown ; PWD=/usr/share/nethesis/nethserver-manager ; USER=root ; COMMAND=/usr/bin/net ads info
Feb 25 06:47:11 hostname.internal.example.com sudo[7191]:   srvmgr : TTY=unknown ; PWD=/usr/share/nethesis/nethserver-manager ; USER=root ; COMMAND=/usr/bin/net ads testjoin
Feb 25 06:47:11 hostname.internal.example.com sudo[7195]:   srvmgr : TTY=unknown ; PWD=/usr/share/nethesis/nethserver-manager ; USER=root ; COMMAND=/bin/net ads search -P (&(sAMAccountName=hostname$)(objectCategory=computer)) name sAMAccountName distinguishedName servicePrincipalName objectSid dNSHostName pwdLastSet lastLogon whenCreated whenChanged accountExpires

(Davide Principi) #5

Yes the config seems ok. I expect a join failure error message in /var/log/messages* (grep also past rotated logs).

No need to reinstall by now. I’ll be back soon with a few commands.

Meanwhile could you attach /etc/krb5.conf?


(Craig) #6

/etc/krb5.conf

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}

 default_realm = INTERNAL.EXAMPLE.COM
[realms]
 INTERNAL.EXAMPLE.COM = {
 }

[domain_realm]
 internal.example.com = INTERNAL.EXAMPLE.COM
 .internal.example.com = INTERNAL.EXAMPLE.COM

Looking for “join” in /var/log/messages I did find these:

Feb 25 05:04:59 hostname realmd: Failed to join domain: failed to lookup DC info for domain 'internal.example.com' over rpc: Logon failure
Feb 25 05:05:08 hostname realmd: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.GU06EZ -U Administrator ads join internal.example.com
Feb 25 05:05:08 hostname realmd: Failed to join domain: failed to lookup DC info for domain 'internal.example.com' over rpc: Logon failure
Feb 25 05:07:45 hostname realmd: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.2GR5EZ -U Administrator ads join internal.example.com
Feb 25 05:07:45 hostname realmd: Failed to join domain: failed to lookup DC info for domain 'internal.example.com' over rpc: Logon failure

(Davide Principi) #7

Really interesting: did you create an “administrator” account during the past ns6 lifetime?

I fixed the documented procedure to manually join NS7 to its own AD domain, please try it and report back if it works correctly:

https://github.com/DavidePrincipi/nethserver-dc/blob/392be7aa7f9480f3a6062e2ca467e2d44898a8fc/README.rst#manual-join

Edit: added commit


(Craig) #8

No, no administrator account. There is a default admin. And using the procedure in the docs I changed the administrator account to my domain admin (not a real DA account, but one I set up with rights to access all computers):

config setprop admins user customadmin group customadmins
/etc/e-smith/events/actions/system-adjust custom

changing customadmin to the name of my domain admin account.

Following the steps gets me this:

[root@hostname ~]#  host -t SRV _ldap._tcp.$(config getprop sssd Realm)
_ldap._tcp.INTERNAL.EXAMPLE.COM has SRV record 0 100 389 nsdc-hostname.internal.example.com.
[root@hostname ~]# signal-event nethserver-sssd-leave
[root@hostname ~]# realm join -v -U admin $(config getprop sssd Realm)
 * Resolving: _ldap._tcp.internal.example.com
 * Performing LDAP DSE lookup on: 192.168.100.200
 * Successfully discovered: internal.example.com
realm: Already joined to this domain
[root@hostname ~]# signal-event nethserver-sssd-save
[root@hostname ~]# getent passwd administrator@$(hostname -d)
[root@hostname ~]#

Same result if I use the DA account; it returns no response.


(Davide Principi) #9

Thank you for reporting back. I amended the procedure again. Could you check out the new version?

https://github.com/NethServer/nethserver-dc/pull/73/commits/737b4eed309c26a6455b930a34c1d717dc774ec3

Whole file view:

https://github.com/DavidePrincipi/nethserver-dc/blob/737b4eed309c26a6455b930a34c1d717dc774ec3/README.rst


(Craig) #10

Ok so even though the DA account works on the old system it doesn’t seem to exist on the new one?

[root@hostname ~]# realm join -v -U daAccount $(config getprop sssd Realm)
 * Resolving: _ldap._tcp.internal.example.com
 * Performing LDAP DSE lookup on: 192.168.100.200
 * Successfully discovered: internal.example.com
Password for daAccount:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.RSM6EZ -U daAccount ads join internal.example.com
Enter daAccount's password:
Failed to join domain: failed to lookup DC info for domain 'internal.example.com' over rpc: Password expired
 ! The daAccount account, password, or credentials are invalid
realm: Couldn't join realm: The daAccount account, password, or credentials are invalid

I tried a normal user and got this… so maybe I just don’t have a working admin account?

[root@hostname ~]# realm join -v -U noramluser $(config getprop sssd Realm)
 * Resolving: _ldap._tcp.internal.example.com
 * Performing LDAP DSE lookup on: 192.168.100.200
 * Successfully discovered: internal.example.com
Password for noramluser:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.2LQGFZ -U noramluser ads join internal.example.com
Enter noramluser's password:
Failed to join domain: User specified does not have administrator privileges
 ! Insufficient permissions to join the domain internal.example.com
realm: Couldn't join realm: Insufficient permissions to join the domain internal.example.com

Is there a CLI way to see what users I have on NS7?
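The messages quoted in posts #4, #6 and #10 (missing keytab, machine account not found in the Kerberos database, "Logon failure", "Password expired", "does not have administrator privileges", "Already joined") each point at a different stage of a broken AD join. The following is an added triage script, not NethServer code and not part of the original thread: it parses `config show sssd` style key=value output, sanity-checks the account-provider record, and classifies log and `realm join` output lines against the error strings seen in this thread. The sample config and log lines are constructed from the thread (hostnames and realm anonymised as on the page); the rule table and next-step wording are the editor's.

```python
import re
from dataclasses import dataclass

# Constructed sample input, assembled from the `config show sssd` output and the
# log/command output quoted in this thread (hostnames and realm anonymised as on the page).
SSSD_CONFIG = """\
sssd=service
AdDns=192.168.100.200
BindDN=ldapservice@INTERNAL.EXAMPLE.COM
LdapURI=
Provider=ad
Realm=INTERNAL.EXAMPLE.COM
Workgroup=INTERNAL
status=enabled
"""

LOG_LINES = [
    "sssd[be[internal.example.com]][6469]: Failed to read keytab [default]: No such file or directory",
    "kinit: Client 'hostname$@INTERNAL.EXAMPLE.COM' not found in Kerberos database while getting initial credentials",
    "realmd: Failed to join domain: failed to lookup DC info for domain 'internal.example.com' over rpc: Logon failure",
    "Failed to join domain: failed to lookup DC info for domain 'internal.example.com' over rpc: Password expired",
    "Failed to join domain: User specified does not have administrator privileges",
    "realm: Already joined to this domain",
    "sssd[nss][6467]: Starting up",  # noise: matches no rule
]


def parse_config(text):
    """Turn `config show <key>` output (key=value lines) into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line:
            key, _, value = line.partition("=")
            cfg[key] = value
    return cfg


def check_config(cfg):
    """Return a list of problems with an AD account-provider record (empty list = looks sane)."""
    problems = []
    for key in ("Provider", "Realm", "Workgroup", "AdDns"):
        if not cfg.get(key):
            problems.append(f"{key} is empty or missing")
    if cfg.get("Provider") and cfg["Provider"] != "ad":
        problems.append(f"Provider is {cfg['Provider']!r}, expected 'ad'")
    realm = cfg.get("Realm", "")
    if realm and realm != realm.upper():
        problems.append("Realm is not upper case (Kerberos realm names are case-sensitive)")
    bind_dn = cfg.get("BindDN", "")
    if bind_dn and "@" in bind_dn and bind_dn.rsplit("@", 1)[1].upper() != realm.upper():
        problems.append(f"BindDN realm suffix does not match Realm {realm}")
    return problems


@dataclass
class Finding:
    line: str
    cause: str
    next_step: str


# Ordered (pattern, cause, next step) rules; the first matching rule wins.
RULES = [
    (r"Failed to read keytab", "no host keytab, so the AD join never completed",
     "sssd cannot start until the join succeeds; look for the join error in /var/log/messages*"),
    (r"not found in Kerberos database", "the machine account does not exist on the KDC (host is not joined)",
     "repeat the manual join procedure with a working domain admin account"),
    (r"over rpc: Password expired", "the join account's password has expired",
     "reset it from the nsdc shell with `samba-tool user setpassword`, then join again"),
    (r"over rpc: Logon failure", "the DC rejected the join credentials",
     "check that the join account exists, is enabled and the password is correct"),
    (r"does not have administrator privileges", "the join account may not add computers to the domain",
     "use a domain admin account for the join"),
    (r"Already joined to this domain", "realmd believes the host is joined although the KDC has no machine account",
     "run `signal-event nethserver-sssd-leave` before joining again"),
]


def diagnose(line):
    """Classify one log/command-output line; None if no rule applies."""
    for pattern, cause, next_step in RULES:
        if re.search(pattern, line):
            return Finding(line, cause, next_step)
    return None


def triage(lines):
    """Run every line through the rules and keep the matches, in input order."""
    return [f for f in map(diagnose, lines) if f is not None]


if __name__ == "__main__":
    for problem in check_config(parse_config(SSSD_CONFIG)) or ["config looks sane"]:
        print("config:", problem)
    for finding in triage(LOG_LINES):
        print(f"- {finding.cause}\n    next: {finding.next_step}")
```

On a real system the inputs would be `config show sssd` and `grep -h -e join -e kinit -e keytab /var/log/messages*` (the rotated logs matter, as post #5 notes); the rules are ordered so that the more specific "Password expired" cause is reported before the generic credential failure.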


(Davide Principi) #11

It seems your “da” account password is expired…

Get a nsdc shell:

systemd-run -M nsdc -i -t /bin/bash

Then use the samba-tool user command.

I’d try to fix the “da” password, then repeat the manual join procedure.


(Craig) #12

Was able to get the account enabled and the password reset (do I feel foolish for missing that).
For future readers of this thread, the command to get an nsdc shell is

systemd-run -M nsdc -t /bin/bash

Followed the manual join from the beginning and it failed with being unable to find the host. Went ahead and ran through all the commands to the end. Then started over and it worked.

So it looks like all my problems were because of the disabled account, which isn’t disabled on my old system.

Thank you @davidep for all the help.
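The root cause in this thread (a disabled join account with an expired password) is visible in the AD attributes the `net ads search` command in post #4 already asks for (`pwdLastSet`, `accountExpires`) plus `userAccountControl`. As an added example, not part of the thread or of NethServer, here is a small audit that decodes those attributes and reports why an account cannot authenticate for a join. It assumes an "attribute: value" dump with one blank line between accounts (the sample is constructed, using the thread's date as "now"), the documented userAccountControl bits, and the 42-day default maximum password age of a Samba AD domain (check the real value with `samba-tool domain passwordsettings show` in the nsdc shell).

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet and accountExpires are Windows FILETIME values:
# 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)   # accountExpires values that mean "never"

# Documented userAccountControl flag bits.
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_records(text):
    """Parse blank-line-separated 'attribute: value' blocks (LDIF-like output) into dicts."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def account_problems(rec, now, max_pwd_age_days):
    """Reasons this account cannot authenticate for a join right now (empty list = usable)."""
    problems = []
    uac = int(rec.get("userAccountControl", 0))
    if uac & ACCOUNTDISABLE:
        problems.append("account is disabled")
    expires = int(rec.get("accountExpires", 0))
    if expires not in NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        problems.append(f"account expired on {filetime_to_datetime(expires):%Y-%m-%d}")
    pwd_last_set = int(rec.get("pwdLastSet", 0))
    if pwd_last_set == 0:
        problems.append("password must be changed at next logon")
    elif not uac & DONT_EXPIRE_PASSWORD:
        age = now - filetime_to_datetime(pwd_last_set)
        if age > timedelta(days=max_pwd_age_days):
            problems.append(f"password expired ({age.days} days old, domain maximum {max_pwd_age_days})")
    return problems


def audit(text, now, max_pwd_age_days=42):
    """Map sAMAccountName -> list of problems for every record in the dump."""
    return {rec["sAMAccountName"]: account_problems(rec, now, max_pwd_age_days)
            for rec in parse_records(text)}


# Constructed sample dump; "now" is the day of this thread. Account names are placeholders.
NOW = datetime(2018, 2, 25, 12, 0, tzinfo=timezone.utc)
_ft = datetime_to_filetime
SAMPLE = f"""
sAMAccountName: daAccount
userAccountControl: {0x200 | ACCOUNTDISABLE}
pwdLastSet: {_ft(datetime(2015, 7, 31, tzinfo=timezone.utc))}
accountExpires: 0

sAMAccountName: normaluser
userAccountControl: {0x200}
pwdLastSet: {_ft(NOW - timedelta(days=10))}
accountExpires: 0

sAMAccountName: ldapservice
userAccountControl: {0x200 | DONT_EXPIRE_PASSWORD}
pwdLastSet: {_ft(datetime(2015, 7, 31, tzinfo=timezone.utc))}
accountExpires: {0x7FFFFFFFFFFFFFFF}

sAMAccountName: contractor
userAccountControl: {0x200}
pwdLastSet: 0
accountExpires: {_ft(datetime(2018, 1, 31, tzinfo=timezone.utc))}
"""

if __name__ == "__main__":
    for name, problems in audit(SAMPLE, NOW).items():
        print(f"{name}: {'; '.join(problems) or 'usable'}")
```

Running the audit over the constructed sample flags `daAccount` as disabled with a password more than two years old, which is exactly the state that made every `realm join` attempt in posts #8 and #10 fail; a service account with DONT_EXPIRE_PASSWORD set is reported as usable despite its old password.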