Reset password doesn't work

here we go:

    [root@mail ~]# config show sssd
    sssd=service
        AdDns=192.168.20.199
        BindDN=ldapservice@RBTECH.LOCAL
        BindPassword=xxxxxxxxxxxxxxxxxxxxx
        DiscoverDcType=ldapuri
        LdapURI=ldaps://nsdc-mail.rbtech.local
        Provider=ad
        Realm=RBTECH.LOCAL
        ShellOverrideStatus=enabled
        Workgroup=RBTECH
        status=enabled
    [root@mail ~]# config show nsdc
    nsdc=service
        IpAddress=192.168.20.199
        ProvisionType=newdomain
        bridge=br0
        status=enabled
    [root@mail ~]# account-provider-test dump
    {
       "BindDN" : "ldapservice@RBTECH.LOCAL",
       "LdapURI" : "ldaps://nsdc-mail.rbtech.local",
       "DiscoverDcType" : "ldapuri",
       "StartTls" : "",
       "port" : 636,
       "host" : "nsdc-mail.rbtech.local",
       "isAD" : "1",
       "isLdap" : "",
       "UserDN" : "dc=rbtech,dc=local",
       "GroupDN" : "dc=rbtech,dc=local",
       "BindPassword" : "xxxxxxxxxxxx",
       "BaseDN" : "dc=rbtech,dc=local",
       "LdapUriDn" : "ldap:///dc%3Drbtech%2Cdc%3Dlocal"
    }
    [root@mail ~]# cat /etc/krb5.conf
    # ================= DO NOT MODIFY THIS FILE =================
    # 
    # Manual changes will be lost when this file is regenerated.
    #
    # Please read the developer's guide, which is available
    # at NethServer official site: https://www.nethserver.org
    #
    # 
    #
    # 10base
    #
    [logging]
     default = FILE:/var/log/krb5libs.log

    [libdefaults]
     default_realm = RBTECH.LOCAL
     dns_lookup_realm = true
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     rdns = false
     forwardable = yes


    #
    # 20realms
    #
    [realms]
     RBTECH.LOCAL = {
         kdc = nsdc-mail.rbtech.local
     }



    [root@mail ~]# klist -t -k /etc/krb5.keytab
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       2 11/05/2020 15:39:30 host/mail.rbtechnology.it@RBTECH.LOCAL
       2 11/05/2020 15:39:30 host/MAIL@RBTECH.LOCAL
       2 11/05/2020 15:39:30 host/mail.rbtechnology.it@RBTECH.LOCAL
       2 11/05/2020 15:39:30 host/MAIL@RBTECH.LOCAL
       2 11/05/2020 15:39:30 host/mail.rbtechnology.it@RBTECH.LOCAL
       2 11/05/2020 15:39:30 host/MAIL@RBTECH.LOCAL
       2 11/05/2020 15:39:30 host/mail.rbtechnology.it@RBTECH.LOCAL
       2 11/05/2020 15:39:30 host/MAIL@RBTECH.LOCAL
       2 11/05/2020 15:39:30 host/mail.rbtechnology.it@RBTECH.LOCAL
       2 11/05/2020 15:39:30 host/MAIL@RBTECH.LOCAL
       2 11/05/2020 15:39:30 MAIL$@RBTECH.LOCAL
       2 11/05/2020 15:39:30 MAIL$@RBTECH.LOCAL
       2 11/05/2020 15:39:30 MAIL$@RBTECH.LOCAL
       2 11/05/2020 15:39:30 MAIL$@RBTECH.LOCAL
       2 11/05/2020 15:39:30 MAIL$@RBTECH.LOCAL
       2 10/06/2021 12:23:42 smtp/mail.rbtechnology.it@RBTECH.LOCAL
       2 10/06/2021 12:23:42 smtp/MAIL@RBTECH.LOCAL
       2 10/06/2021 12:23:42 smtp/mail.rbtechnology.it@RBTECH.LOCAL
       2 10/06/2021 12:23:42 smtp/MAIL@RBTECH.LOCAL
       2 10/06/2021 12:23:42 smtp/mail.rbtechnology.it@RBTECH.LOCAL
       2 10/06/2021 12:23:43 smtp/MAIL@RBTECH.LOCAL
       2 10/06/2021 12:23:43 smtp/mail.rbtechnology.it@RBTECH.LOCAL
       2 10/06/2021 12:23:43 smtp/MAIL@RBTECH.LOCAL
       2 10/06/2021 12:23:43 smtp/mail.rbtechnology.it@RBTECH.LOCAL
       2 10/06/2021 12:23:43 smtp/MAIL@RBTECH.LOCAL
       2 10/06/2021 12:23:43 pop/mail.rbtechnology.it@RBTECH.LOCAL
       2 10/06/2021 12:23:43 pop/MAIL@RBTECH.LOCAL
       2 10/06/2021 12:23:43 pop/mail.rbtechnology.it@RBTECH.LOCAL
       2 10/06/2021 12:23:43 pop/MAIL@RBTECH.LOCAL
       2 10/06/2021 12:23:43 pop/mail.rbtechnology.it@RBTECH.LOCAL
       2 10/06/2021 12:23:43 pop/MAIL@RBTECH.LOCAL
       2 10/06/2021 12:23:43 pop/mail.rbtechnology.it@RBTECH.LOCAL
       2 10/06/2021 12:23:43 pop/MAIL@RBTECH.LOCAL
       2 10/06/2021 12:23:43 pop/mail.rbtechnology.it@RBTECH.LOCAL
       2 10/06/2021 12:23:43 pop/MAIL@RBTECH.LOCAL
       2 10/06/2021 12:23:43 imap/mail.rbtechnology.it@RBTECH.LOCAL
       2 10/06/2021 12:23:43 imap/MAIL@RBTECH.LOCAL
       2 10/06/2021 12:23:43 imap/mail.rbtechnology.it@RBTECH.LOCAL
       2 10/06/2021 12:23:43 imap/MAIL@RBTECH.LOCAL
       2 10/06/2021 12:23:43 imap/mail.rbtechnology.it@RBTECH.LOCAL
       2 10/06/2021 12:23:43 imap/MAIL@RBTECH.LOCAL
       2 10/06/2021 12:23:43 imap/mail.rbtechnology.it@RBTECH.LOCAL
       2 10/06/2021 12:23:43 imap/MAIL@RBTECH.LOCAL
       2 10/06/2021 12:23:43 imap/mail.rbtechnology.it@RBTECH.LOCAL
       2 10/06/2021 12:23:43 imap/MAIL@RBTECH.LOCAL
       2 10/06/2021 12:23:42 cifs/mail.rbtechnology.it@RBTECH.LOCAL
       2 10/06/2021 12:23:42 cifs/MAIL@RBTECH.LOCAL
       2 10/06/2021 12:23:42 cifs/mail.rbtechnology.it@RBTECH.LOCAL
       2 10/06/2021 12:23:42 cifs/MAIL@RBTECH.LOCAL
       2 10/06/2021 12:23:42 cifs/mail.rbtechnology.it@RBTECH.LOCAL
       2 10/06/2021 12:23:42 cifs/MAIL@RBTECH.LOCAL
       2 10/06/2021 12:23:42 cifs/mail.rbtechnology.it@RBTECH.LOCAL
       2 10/06/2021 12:23:42 cifs/MAIL@RBTECH.LOCAL
       2 10/06/2021 12:23:42 cifs/mail.rbtechnology.it@RBTECH.LOCAL
       2 10/06/2021 12:23:42 cifs/MAIL@RBTECH.LOCAL
       2 10/06/2021 12:23:42 HTTP/mail.rbtechnology.it@RBTECH.LOCAL
       2 10/06/2021 12:23:42 HTTP/MAIL@RBTECH.LOCAL
       2 10/06/2021 12:23:42 HTTP/mail.rbtechnology.it@RBTECH.LOCAL
       2 10/06/2021 12:23:42 HTTP/MAIL@RBTECH.LOCAL
       2 10/06/2021 12:23:42 HTTP/mail.rbtechnology.it@RBTECH.LOCAL
       2 10/06/2021 12:23:42 HTTP/MAIL@RBTECH.LOCAL
       2 10/06/2021 12:23:42 HTTP/mail.rbtechnology.it@RBTECH.LOCAL
       2 10/06/2021 12:23:42 HTTP/MAIL@RBTECH.LOCAL
       2 10/06/2021 12:23:42 HTTP/mail.rbtechnology.it@RBTECH.LOCAL
       2 10/06/2021 12:23:42 HTTP/MAIL@RBTECH.LOCAL
    [root@mail ~]#

Today I don't even have any users on the system anymore:


@trogloraspa

Hi Stefano

I’ve had similar errors in the past at my clients and at home.
What almost always worked was a bit unconventional:

Make sure you have your system backed up!

  • Delete the Account Provider
  • Restore an earlier config-backup

That will install all needed modules and the configuration. This solved my problem: users, groups and Account Provider were all back there!

A reboot would be in order!

My 2 cents
Andy

Hi Andy, thanks for replying. Deleting the Account Provider during working hours, with all clients connected, could that have any side effects?

Is it necessary to delete it? Can't I just restore the backup?

thanks

@trogloraspa

Well - I wouldn’t do it during working hours… :slight_smile:
Either after hours, or during lunch break (but announce maintenance beforehand!).

You can try, but in my attempts, the Account Provider was still screwed up…
It somehow ignored the screwed up bits and restored the rest.
By deleting it, the screwed up part is removed - and a working config is restored from backup…

As I have all my NethServers virtualized, it’s easy to make a quick backup of the VM using Proxmox, just to be on the safe side!

My 2 cents
Andy

I see, thanks. I have never restored a backup yet. Is there a guide you can suggest I read?
And one more thing… this works just for the settings, right? No data loss? (thinking of email)

Thanks

@trogloraspa

With backups, rule of thumb is:
Better to have one backup too many than one too few! :slight_smile:

As I provide this as a professional backup for my clients, I prefer to be on the safe side.
NethServer does daily backups to NAS, and keeps a week of data.

But as said, all my clients use virtualized NethServers, running on Proxmox.
Proxmox itself makes (live) backups of all VMs, also daily.
Before PBS (Proxmox Backup Server), I also kept these for a week at least. Now, with PBS, I keep several months of backups, also everything Off-Site, in case of fire, lightning, flood, whatever…

I also additionally have a script running, which stores all data to NAS via rsync, also 7 generations.

The NAS also does daily backups of everything to an external USB3 10 TB drive.

That's my basic “Modus Operandi” - and all three backups also off-site.


https://docs.nethserver.org/en/v7/disaster_recovery.html


And, no, you should not experience any data loss, it’s only the config!

My 2 cents
Andy


To me (due to lack of knowledge) all the AD/sssd stack is hard to diagnose. I find it annoying when one cannot scratch the itch. Just for the sake of it, here’s a troubleshooting guide for sssd.
https://sssd.io/troubleshooting/basics.html

Andy’s proposal could be a quicker solution and spare you some head banging against the wall moments.

My one cent.


@trogloraspa

Never forget: NEVER Trust an untested Backup!

Always test your backups (Best more than once!).
If it works three times, it’ll probably work a million times, or when the hardware dies!

After major upgrades, test again!

I even force my clients to test and verify the backups - every 3-6 months! :slight_smile:

My 2 cents
Andy

I agree with both @Andy_Wismer and @dnutan ,

Thinking about @trogloraspa's situation, it seems to me sssd is running with its cached user credentials, and over time they will expire for all users.

If the above is true, it may be possible to take out the DC and reinstall it while in production. BIG RISK THOUGH.

I don't see strange things in the config, except that the AD has a second-level domain name; mine has a third-level name: ad.example.com. But it seems to have worked in the past, so a non-issue.

I'd like to suggest digging in a bit more and trying some things.

Can you ping the nsdc, by IP:
ping -c 4 $(config getprop sssd AdDns)

By DNS:
ping -c 4 $(config getprop sssd Realm)

Check DNS a bit more:

getent passwd administrator@$(hostname -d)
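An added example (my code, not code from the thread or from NethServer) that turns the cross-checking these diagnostics imply into a script: it parses the `config show sssd` and `klist -t -k /etc/krb5.keytab` output formats posted earlier, verifies that the bind account sits in the configured realm and that the provider is reached over LDAPS, and flags a keytab whose principals disagree on key version, which usually means the keytab was only partially refreshed after the computer account's key changed and is a classic reason for sssd to fall back to cached credentials. The sample inputs are constructed and abbreviated, with one stale KVNO 3 entry added for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed samples in the shape of the thread's "config show sssd" and
# "klist -t -k" output; the KVNO 3 line is deliberately stale for the demo.
SSSD_CONFIG = """sssd=service
    AdDns=192.168.20.199
    BindDN=ldapservice@RBTECH.LOCAL
    LdapURI=ldaps://nsdc-mail.rbtech.local
    Realm=RBTECH.LOCAL
"""
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------
   2 11/05/2020 15:39:30 host/mail.rbtechnology.it@RBTECH.LOCAL
   2 11/05/2020 15:39:30 MAIL$@RBTECH.LOCAL
   2 10/06/2021 12:23:42 imap/mail.rbtechnology.it@RBTECH.LOCAL
   3 10/06/2021 12:23:43 imap/mail.rbtechnology.it@RBTECH.LOCAL
"""

def parse_config(text):
    """Turn 'config show <key>' output into a dict of its props (type line skipped)."""
    props = {}
    for line in text.splitlines()[1:]:
        key, _, value = line.strip().partition("=")
        if key:
            props[key] = value
    return props

def parse_keytab(text):
    """Map each principal in 'klist -t -k' output to the set of KVNOs listed for it."""
    kvnos = defaultdict(set)
    for m in re.finditer(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s*$", text, re.M):
        kvnos[m.group(2)].add(int(m.group(1)))
    return dict(kvnos)

def check_provider(props, kvnos):
    """Cross-check config and keytab; returns findings (empty list = consistent)."""
    findings = []
    realm = props.get("Realm", "")
    if not props.get("BindDN", "").endswith("@" + realm):
        findings.append("BindDN realm differs from Realm")
    if urlparse(props.get("LdapURI", "")).scheme != "ldaps":
        findings.append("LdapURI is not ldaps; the bind password would cross the wire in clear")
    # All SPNs of one AD computer account share its key version, so the
    # highest KVNO must agree across principals; a lower one is stale.
    current = {p: max(v) for p, v in kvnos.items()}
    if len(set(current.values())) > 1:
        findings.append(f"principals disagree on current KVNO: {current}")
    return findings
```

Run it against the real outputs by reading them from files or piping the commands in; on the thread's own keytab every entry is KVNO 2, so that check would pass.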

Update: I’ve restored a Configuration Backup…

Users have come back to the system… and it seems to be fine now.

…so far. Thanks for the help to everybody… :sweat_smile:
