SSSD-Error when joining NS to another NS-AD

v7
activedirectory

(Ralf Jeckel) #1

NethServer Version: NS 7.4.1708
Module: Accounts provider

Hi there,

I’ve got a failure when joining a NS7 instance to an existing NS7-AD.

Every time I press save this failure appears.
This is what happens in messages.log:

Feb 22 08:42:04 nethgate esmith::event[16102]: Event: nethserver-sssd-save
Feb 22 08:42:04 nethgate systemd: Stopping System Security Services Daemon...
Feb 22 08:42:04 nethgate sssd[be[jeckel.lan]]: Shutting down
Feb 22 08:42:04 nethgate sssd[nss]: Shutting down
Feb 22 08:42:04 nethgate sssd[pam]: Shutting down
Feb 22 08:42:04 nethgate systemd: Stopped System Security Services Daemon.
Feb 22 08:42:04 nethgate esmith::event[16102]: [NOTICE] wipe out sssd databases and configuration
Feb 22 08:42:05 nethgate esmith::event[16102]: Action: /etc/e-smith/events/nethserver-sssd-save/S01nethserver-sssd-cleanup SUCCESS [0.042585]
Feb 22 08:42:05 nethgate esmith::event[16102]: expanding /etc/backup-config.d/nethserver-sssd.include
Feb 22 08:42:05 nethgate esmith::event[16102]: expanding /etc/openldap/ldap.conf
Feb 22 08:42:05 nethgate esmith::event[16102]: expanding /etc/samba/smb.conf
Feb 22 08:42:05 nethgate esmith::event[16102]: expanding /etc/sssd/sssd.conf
Feb 22 08:42:05 nethgate esmith::event[16102]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.524114]
Feb 22 08:42:06 nethgate esmith::event[16102]: Action: /etc/e-smith/events/nethserver-sssd-save/S20nethserver-sssd-conf SUCCESS [0.582505]
Feb 22 08:42:07 nethgate esmith::event[16102]: [ERROR] /usr/libexec/nethserver/smbads: failed to add service primaries to system keytab
Feb 22 08:42:07 nethgate esmith::event[16102]: [ERROR] /usr/libexec/nethserver/smbads: failed to initialize keytabs
Feb 22 08:42:07 nethgate esmith::event[16102]: Action: /etc/e-smith/events/nethserver-sssd-save/S30nethserver-sssd-initkeytabs FAILED: 5 [1.043591]
Feb 22 08:42:07 nethgate esmith::event[16102]: [WARNING] DEPRECATED! Package nethserver-squid must subscribe nethserver-sssd-save event explicitly
Feb 22 08:42:07 nethgate esmith::event[16143]: Event: nethserver-squid-update
Feb 22 08:42:07 nethgate esmith::event[16143]: Migrating existing database configuration
Feb 22 08:42:08 nethgate esmith::event[16143]: Migrating existing database certificates
Feb 22 08:42:08 nethgate esmith::event[16143]: Migrating existing database networks
Feb 22 08:42:08 nethgate esmith::event[16143]: Migrating existing database routes
Feb 22 08:42:08 nethgate esmith::event[16143]: Migrating existing database accounts
Feb 22 08:42:08 nethgate esmith::event[16143]: Migrating existing database hosts
Feb 22 08:42:08 nethgate esmith::event[16143]: Migrating existing database proxypass
Feb 22 08:42:08 nethgate esmith::event[16143]: Migrating existing database fwrules
Feb 22 08:42:08 nethgate esmith::event[16143]: Migrating existing database fwservices
Feb 22 08:42:08 nethgate esmith::event[16143]: Migrating existing database portforward
Feb 22 08:42:08 nethgate esmith::event[16143]: Migrating existing database tc
Feb 22 08:42:08 nethgate esmith::event[16143]: Migrating existing database dhcp
Feb 22 08:42:08 nethgate esmith::event[16143]: Migrating existing database squid
Feb 22 08:42:08 nethgate esmith::event[16143]: Migrating existing database contentfilter
Feb 22 08:42:08 nethgate esmith::event[16143]: Migrating existing database vpn
Feb 22 08:42:08 nethgate esmith::event[16143]: Action: /etc/e-smith/events/nethserver-squid-update/S00initialize-default-databases SUCCESS [0.790435]
Feb 22 08:42:08 nethgate esmith::event[16143]: expanding /etc/dnsmasq.conf
Feb 22 08:42:08 nethgate esmith::event[16143]: expanding /etc/hosts
Feb 22 08:42:08 nethgate esmith::event[16143]: expanding /etc/httpd/conf.d/wpad.conf
Feb 22 08:42:08 nethgate esmith::event[16143]: expanding /etc/squid/squid.conf
Feb 22 08:42:08 nethgate esmith::event[16143]: expanding /etc/squid/acls/no_cache.acl
Feb 22 08:42:08 nethgate esmith::event[16143]: expanding /etc/sysconfig/squid
Feb 22 08:42:08 nethgate esmith::event[16143]: expanding /var/www/html/wpad.dat
Feb 22 08:42:08 nethgate esmith::event[16143]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.669686]
Feb 22 08:42:10 nethgate esmith::event[16143]: [ERROR] /usr/libexec/nethserver/smbads: failed to add service primaries to system keytab
Feb 22 08:42:10 nethgate esmith::event[16143]: [ERROR] /usr/libexec/nethserver/smbads: failed to initialize keytabs
Feb 22 08:42:10 nethgate esmith::event[16143]: Action: /etc/e-smith/events/nethserver-squid-update/S20nethserver-sssd-initkeytabs FAILED: 5 [1.031963]
Feb 22 08:42:10 nethgate esmith::event[16143]: Action: /etc/e-smith/events/nethserver-squid-update/S30nethserver-squid-check-cache SUCCESS [0.299078]
Feb 22 08:42:10 nethgate esmith::event[16143]: Name: squid-bypass
Feb 22 08:42:10 nethgate esmith::event[16143]: Type: hash:ip
Feb 22 08:42:10 nethgate esmith::event[16143]: Revision: 1
Feb 22 08:42:10 nethgate esmith::event[16143]: Header: family inet hashsize 1024 maxelem 65536 timeout 43200
Feb 22 08:42:10 nethgate esmith::event[16143]: Size in memory: 16528
Feb 22 08:42:10 nethgate esmith::event[16143]: References: 2
Feb 22 08:42:10 nethgate esmith::event[16143]: Members:
Feb 22 08:42:10 nethgate esmith::event[16143]: Action: /etc/e-smith/events/nethserver-squid-update/S50nethserver-squid-ipset SUCCESS [0.012119]
Feb 22 08:42:10 nethgate systemd: Reloading.
Feb 22 08:42:10 nethgate esmith::event[16143]: [INFO] service dnsmasq restart
Feb 22 08:42:10 nethgate systemd: Stopping DNS caching server....
Feb 22 08:42:10 nethgate dnsmasq[15949]: exiting on receipt of SIGTERM
Feb 22 08:42:10 nethgate systemd: Starting DNS caching server....
Feb 22 08:42:10 nethgate nethserver-squid-ipset: Name: squid-bypass
Feb 22 08:42:10 nethgate nethserver-squid-ipset: Type: hash:ip
Feb 22 08:42:10 nethgate nethserver-squid-ipset: Revision: 1
Feb 22 08:42:10 nethgate nethserver-squid-ipset: Header: family inet hashsize 1024 maxelem 65536 timeout 43200
Feb 22 08:42:10 nethgate nethserver-squid-ipset: Size in memory: 16528
Feb 22 08:42:10 nethgate nethserver-squid-ipset: References: 2
Feb 22 08:42:10 nethgate nethserver-squid-ipset: Members:
Feb 22 08:42:10 nethgate systemd: Started DNS caching server..
Feb 22 08:42:10 nethgate dnsmasq[16188]: started, version 2.76 cachesize 4000
Feb 22 08:42:10 nethgate dnsmasq[16188]: compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
Feb 22 08:42:10 nethgate dnsmasq-tftp[16188]: TFTP root is /var/lib/tftpboot
Feb 22 08:42:10 nethgate dnsmasq[16188]: using nameserver 192.168.0.237#53 for domain ad.jeckel.lan
Feb 22 08:42:10 nethgate dnsmasq[16188]: using nameserver 8.8.4.4#53
Feb 22 08:42:10 nethgate dnsmasq[16188]: using nameserver 8.8.8.8#53
Feb 22 08:42:10 nethgate dnsmasq[16188]: using nameserver 192.168.0.236#53
Feb 22 08:42:10 nethgate dnsmasq[16188]: read /etc/hosts - 7 addresses
Feb 22 08:42:10 nethgate systemd: Reloading.
Feb 22 08:42:11 nethgate esmith::event[16143]: [INFO] service httpd reload
Feb 22 08:42:11 nethgate systemd: Reloaded The Apache HTTP Server.
Feb 22 08:42:11 nethgate systemd: Reloading.
Feb 22 08:42:11 nethgate esmith::event[16143]: [INFO] service squid restart
Feb 22 08:42:11 nethgate systemd: Stopping Squid caching proxy...
Feb 22 08:42:11 nethgate squid: 2018/02/22 08:42:11| Warning: empty ACL: acl no_cache dstdomain "/etc/squid/acls/no_cache.acl"
Feb 22 08:42:11 nethgate systemd: Starting Squid caching proxy...
Feb 22 08:42:11 nethgate squid: 2018/02/22 08:42:11| Warning: empty ACL: acl no_cache dstdomain "/etc/squid/acls/no_cache.acl"
Feb 22 08:42:11 nethgate squid[16248]: Squid Parent: will start 1 kids
Feb 22 08:42:11 nethgate squid[16248]: Squid Parent: (squid-1) process 16250 started
Feb 22 08:42:11 nethgate systemd: Started Squid caching proxy.
Feb 22 08:42:11 nethgate esmith::event[16143]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [1.354494]
Feb 22 08:42:11 nethgate esmith::event[16143]: Event: nethserver-squid-update FAILED
Feb 22 08:42:11 nethgate esmith::event[16102]: Action: /etc/e-smith/events/nethserver-sssd-save/S80nethserver-sssd-notifyclients FAILED: 1 [4.530151]
Feb 22 08:42:12 nethgate systemd: Reloading.
Feb 22 08:42:12 nethgate systemd: Starting System Security Services Daemon...
Feb 22 08:42:12 nethgate sssd: Starting up
Feb 22 08:42:12 nethgate sssd[be[jeckel.lan]]: Starting up
Feb 22 08:42:12 nethgate sssd[nss]: Starting up
Feb 22 08:42:12 nethgate sssd[pam]: Starting up
Feb 22 08:42:12 nethgate systemd: Started System Security Services Daemon.
Feb 22 08:42:12 nethgate esmith::event[16102]: [INFO] sssd has been started
Feb 22 08:42:12 nethgate esmith::event[16102]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.906522]
Feb 22 08:42:12 nethgate esmith::event[16102]: Event: nethserver-sssd-save FAILED
Feb 22 08:42:13 nethgate sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Feb 22 08:42:13 nethgate sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Feb 22 08:42:13 nethgate sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Feb 22 08:42:13 nethgate sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.
Feb 22 08:42:13 nethgate sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Server not found in Kerberos database.

“nethgate” is the machine to join. It’s a gateway with firewall, proxy, web filtering and so on, red and green interface. “ns7ad1” is a NS7 AD with fileserver, Nextcloud, SOGo, and so on, only green interface.
The “ldap-nethgate” user is a user I created on the AD only for this purpose, as described in the docs.

What did I do wrong??? :thinking: :thinking:


(Michael Träumner) #2

Hi @flatspin
Some questions:

  • Did you try it with ldaps:// instead of ldap://
  • How did you get your Bind DN? With account-provider-test dump it looks different for me

(Ralf Jeckel) #3

Hi Michael,

thanks for reply.

With ldaps and STARTTLS No same failure.

With the credential from accountprovider dump I get no connection.
I created a user especially for bind purpose.
I followed the docs:
http://docs.nethserver.org/en/latest/accounts.html#join-an-existing-active-directory-domain


(Markus Neuberger) #5

Please try it with user@AD.DOMAIN.TLD:


You may use the ldapservice user. You can find the credentials on your AD Nethserver in Accounts Provider settings or with account-provider-test dump.


(Ralf Jeckel) #6

Hi @mrmarkuz ,

tried that before with
userx@ad.domain.tld and administrator@ad.domain.tld, but both the same result.
I’m not good with ldap, but isn’t userx@ad.domain.tld the same as cn=userx,cn=user,dc=ad,dc=domain,dc=tld?

Also tried the credentials from account provider dump. :thinking:

The error is about keytab. Do you know something about it?

PS Sorry for the late reply. Fighting with my AS400 right now. The PTF procedure for Java is ridiculous on that system! :roll_eyes:


(Michael Träumner) #7

It has something to do with kerberos, but I don’t know more about it.


(Markus Neuberger) #8

Found a Kerberos problem, maybe some steps in this thread may inspire you to find the error:


(Ralf Jeckel) #9

This command causes the error:
/usr/libexec/nethserver/smbads initkeytab

on the AD itself it works, but on the joined machine it gives back:

[ERROR] /usr/libexec/nethserver/smbads: failed to add service primaries to system keytab
[ERROR] /usr/libexec/nethserver/smbads: failed to initialize keytabs

keytab dump on joined machine:

klist -t -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/21/2018 17:51:44 host/nethgate.jeckel.lan@AD.JECKEL.LAN
   2 02/21/2018 17:51:44 host/NETHGATE@AD.JECKEL.LAN
   2 02/21/2018 17:51:44 host/nethgate.jeckel.lan@AD.JECKEL.LAN
   2 02/21/2018 17:51:44 host/NETHGATE@AD.JECKEL.LAN
   2 02/21/2018 17:51:45 host/nethgate.jeckel.lan@AD.JECKEL.LAN
   2 02/21/2018 17:51:45 host/NETHGATE@AD.JECKEL.LAN
   2 02/21/2018 17:51:45 host/nethgate.jeckel.lan@AD.JECKEL.LAN
   2 02/21/2018 17:51:45 host/NETHGATE@AD.JECKEL.LAN
   2 02/21/2018 17:51:45 host/nethgate.jeckel.lan@AD.JECKEL.LAN
   2 02/21/2018 17:51:45 host/NETHGATE@AD.JECKEL.LAN
   2 02/21/2018 17:51:45 NETHGATE$@AD.JECKEL.LAN
   2 02/21/2018 17:51:45 NETHGATE$@AD.JECKEL.LAN
   2 02/21/2018 17:51:45 NETHGATE$@AD.JECKEL.LAN
   2 02/21/2018 17:51:45 NETHGATE$@AD.JECKEL.LAN
   2 02/21/2018 17:51:45 NETHGATE$@AD.JECKEL.LAN

For the moment I have to give up…


(Davide Principi) #10

Could you paste /etc/krb5.conf contents?

Also output of

config show dns
config show nsdc
config show sssd

(Ralf Jeckel) #11
[root@nethgate ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

 default_realm = AD.JECKEL.LAN
[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

 AD.JECKEL.LAN = {
 }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
 ad.jeckel.lan = AD.JECKEL.LAN
 .ad.jeckel.lan = AD.JECKEL.LAN

and

[root@nethgate ~]# config show dns
dns=configuration
    NameServers=192.168.0.236,192.168.0.237,8.8.4.4

and

[root@nethgate ~]# config show sssd
sssd=service
    AdDns=192.168.0.237
    BaseDN=DC=ad,DC=jeckel,DC=lan
    BindDN=administrator@ad.jeckel.lan
    BindPassword=Stralis-012
    GroupDN=DC=ad,DC=jeckel,DC=lan
    LdapURI=ldap://nsdc-ns7ad1.ad.jeckel.lan
    Provider=ad
    Realm=AD.JECKEL.LAN
    StartTls=enabled
    UserDN=DC=ad,DC=jeckel,DC=lan
    Workgroup=AD
    status=enabled

config show nsdc returns nothing. All done on the client machine, not the AD itself.
IP 236 is AD, 237 nsdc-container, external DNS servers are 37.235.1.174 and 37.235.1.177 on the AD.

And thanks for your help @davidep


(Davide Principi) #12

NameServers must be either internal or external: do not mix them.


Try this procedure

  • Unbind account provider
  • If nethgateway is not used by LAN clients as DNS, set NameServers to .236 only
  • If nethgateway hasn’t a mail server, change its FQDN to nethgateway.ad.jeckel.lan
  • join AD again

(Davide Principi) #13

3 posts were split to a new topic: Use the nsdc container as DNS (?)


(Ralf Jeckel) #15

o.k. thanks. Will do it tomorrow.
Good night, sleep well :sleeping: and until tomorrow. :sun_with_face:


(Ralf Jeckel) #16

Good morning Davide,

did as you told me and it works!!! :grinning:
I think it was all about the FQDN.

Maybe this should be written into the documentation as a hint for best practice:

Please note that best practice is to set your AD as the only DNS-Server,
and pay attention to your FQDN to set the domain properly according to
the domain of the AD.

Or similar.

Thanks a lot for your help.

So long, my friend!


(Davide Principi) #17

For anyone interested, a PR to the manual is welcome. About the FQDN, remember that a mail server has specific needs regarding the domain suffix: it must be a public DNS domain. On the contrary, AD should be a private DNS domain. If both are needed on the same server, set the FQDN to the public domain and the AD domain as a private third level.

This is the relevant manual section:

http://docs.nethserver.org/en/v7/accounts.html#dns-and-ad-domain

To modify it:

https://github.com/NethServer/docs/edit/master/administrator-manual/en/accounts.rst