Bug #67926

SSSD Not Started after LDAP Configured

Added by Nick Niehoff 10 months ago. Updated 9 months ago.

Status:
Closed
Priority:
No priority
Assignee:
Andrew Walker
Category:
Services
Target version:
Severity:
New
Reason for Closing:
Reason for Blocked:
Need additional information from Author
Needs QA:
Yes
Needs Doc:
Yes
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

I configured LDAP correctly and looked in /etc/local/sssd/sssd.conf; all of the correct values were there, but the sssd service was not started. I had to add sssd_enable="YES" to /etc/rc.conf. Now users are showing up correctly in getent passwd etc. I assume the UI should have enabled the service when I configured LDAP. Did I do something wrong or is this truly a bug?

History

#1 Updated by Dru Lavigne 10 months ago

  • Category changed from Middleware to Services
  • Assignee changed from Release Council to William Grzybowski

#2 Updated by William Grzybowski 10 months ago

  • Assignee changed from William Grzybowski to Andrew Walker
  • Target version changed from Backlog to 11.2-U2

#3 Updated by Andrew Walker 10 months ago

Hi Nick, can you generate a debug file by clicking "System"->"Advanced"->"Save Debug" and attach it to this ticket?

#4 Updated by Nick Niehoff 10 months ago

  • File debug.tgz added

See Attached.

#5 Updated by Andrew Walker 10 months ago

Can you please upload your config file (don't export the secret seed)?

#6 Updated by Dru Lavigne 10 months ago

  • Status changed from Unscreened to Blocked
  • Reason for Blocked set to Need additional information from Author

#7 Updated by Nick Niehoff 10 months ago

I'm sorry I didn't realize I only had 8 hours to respond.

sssd.conf:

[sssd]
config_file_version = 2
full_name_format = %2$s\%1$s
re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))
services = nss,pam
domains = IPA-SERVER1

[nss]

[pam]

[domain/IPA-SERVER1]
description = IPA-SERVER1
enumerate = true
cache_credentials = true
id_provider = ldap
ldap_schema = rfc2307
ldap_force_upper_case_realm = true
use_fully_qualified_names = false
ldap_uri = ldaps://ipa-server1.ipa.example.com
ldap_search_base = dc=ipa,dc=example,dc=com
ldap_user_search_base = dc=ipa,dc=example,dc=com?subtree?(objectclass=posixAccount)
ldap_group_search_base = dc=ipa,dc=example,dc=com?subtree?(objectclass=posixGroup)
ldap_tls_cacert = /etc/certificates/CA/FreeIPA.crt
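Added here as an illustration, not code from the ticket or from FreeNAS: a POSIX sh script that performs the two checks the reporter did by hand after configuring LDAP, namely whether rc.conf actually enables sssd and whether each domain in sssd.conf talks to LDAP over TLS with a CA certificate set. It runs against constructed rc.conf and sssd.conf samples written to a temporary directory; the rc.conf contents, the second "LEGACY" domain and all file paths are assumptions.

```shell
#!/bin/sh
# Added example for this ticket (not FreeNAS code): check that sssd is
# enabled in rc.conf and that every sssd domain uses ldaps:// with a CA
# certificate. Sample inputs are constructed below; their contents and
# the file paths are assumptions, not taken from the reporter's system.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed rc.conf as it looked before the fix (no sssd_enable line).
RC_BEFORE="$WORK/rc.conf.before"
cat > "$RC_BEFORE" <<'EOF'
hostname="freenas.example.com"
ifconfig_em0="DHCP"
sshd_enable="YES"
EOF

# Constructed rc.conf after the reporter's manual fix.
RC_AFTER="$WORK/rc.conf.after"
{ cat "$RC_BEFORE"; echo 'sssd_enable="YES"'; } > "$RC_AFTER"

# sssd.conf shaped like the one in the ticket, reduced to the keys read here.
SSSD_CONF="$WORK/sssd.conf"
cat > "$SSSD_CONF" <<'EOF'
[sssd]
config_file_version = 2
services = nss,pam
domains = IPA-SERVER1

[domain/IPA-SERVER1]
id_provider = ldap
ldap_uri = ldaps://ipa-server1.ipa.example.com
ldap_search_base = dc=ipa,dc=example,dc=com
ldap_tls_cacert = /etc/certificates/CA/FreeIPA.crt
EOF

# A second constructed sssd.conf with a plaintext LDAP domain, to show a failure.
SSSD_PLAIN="$WORK/sssd.plain.conf"
cat > "$SSSD_PLAIN" <<'EOF'
[sssd]
services = nss,pam
domains = IPA-SERVER1,LEGACY

[domain/IPA-SERVER1]
ldap_uri = ldaps://ipa-server1.ipa.example.com
ldap_tls_cacert = /etc/certificates/CA/FreeIPA.crt

[domain/LEGACY]
ldap_uri = ldap://legacy.example.com
EOF

# Return 0 if rc.conf $1 enables sssd (value may be quoted or bare), else 1.
sssd_enabled_in_rcconf() {
    grep -Eq '^[[:space:]]*sssd_enable="?YES"?[[:space:]]*$' "$1"
}

# Print the value of key $3 in section [$2] of sssd.conf $1.
# Assumes the "key = value" layout sssd writes; prints nothing if absent.
sssd_get() {
    awk -v want="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == want); next }
        insec && $1 == key && $2 == "=" { sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
    ' "$1"
}

# Return 0 when domain $2 in sssd.conf $1 uses ldaps:// and names a CA cert.
check_ldap_tls() {
    uri=$(sssd_get "$1" "domain/$2" ldap_uri)
    ca=$(sssd_get "$1" "domain/$2" ldap_tls_cacert)
    case "$uri" in
        ldaps://*) ;;
        "")  echo "WARN: $2: no ldap_uri (domain section missing?)"; return 1 ;;
        *)   echo "WARN: $2: ldap_uri is not ldaps:// ($uri)"; return 1 ;;
    esac
    if [ -z "$ca" ]; then
        echo "WARN: $2: ldap_tls_cacert unset, server certificate cannot be validated"
        return 1
    fi
    echo "OK: $2 -> $uri (CA $ca)"
}

# Run all checks against rc.conf $1 and sssd.conf $2; return 0 only if all pass.
check_sssd_setup() {
    rc=0
    if sssd_enabled_in_rcconf "$1"; then
        echo "OK: sssd enabled in $1"
    else
        echo "FAIL: sssd_enable=\"YES\" missing from $1; the service will not start at boot"
        rc=1
    fi
    for d in $(sssd_get "$2" sssd domains | tr ',' ' '); do
        check_ldap_tls "$2" "$d" || rc=1
    done
    return $rc
}

echo "== before the reporter's fix =="
check_sssd_setup "$RC_BEFORE" "$SSSD_CONF" || echo "(not ready)"
echo "== after the fix =="
check_sssd_setup "$RC_AFTER" "$SSSD_CONF" || echo "(not ready)"
echo "== after the fix, with a plaintext domain =="
check_sssd_setup "$RC_AFTER" "$SSSD_PLAIN" || echo "(not ready)"
```

On a real box you would point check_sssd_setup at /etc/rc.conf and /usr/local/etc/sssd/sssd.conf (or wherever the system keeps them) instead of the constructed samples; the first check is the one that would have caught this ticket's symptom before the first getent call.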

#8 Updated by Dru Lavigne 10 months ago

  • Status changed from Blocked to Unscreened
  • Reason for Blocked deleted (Need additional information from Author)

#9 Updated by Andrew Walker 10 months ago

  • File krb5.keytab.py added
  • File krb5.conf added

Hi Nick,
I mean the freenas config. "System"->"General"->"Save Config"

It looks like you have a kerberized ldap environment. There is a bug in the version of FreeNAS you're using that results in an incorrect krb5.conf file. I am going to attach two files to this ticket. You should do the following when you can tolerate a service disruption:
1) clone your boot environment
2) use the attached krb5.conf and krb5.keytab.py files to replace the ones that are under "/usr/local/lib/python3.6/site-packages/middlewared/etc_files/"
3) run the command "service middlewared restart"
4) restart the ldap service by running the command "/etc/directoryservice/LDAP/ctl restart"

#10 Updated by Nick Niehoff 10 months ago

Andrew,
Is there any way to export the config without private data, such as the private SSL key? I'm ok uploading the config but not with that kind of data in it. Also, I am not using a kerberized ldap environment, yet, I just have ldap configured without kerberos at this point.

Nick

#11 Updated by Andrew Walker 10 months ago

Nick Niehoff wrote:

Andrew,
Is there any way to export the config without private data, such as the private SSL key? I'm ok uploading the config but not with that kind of data in it. Also, I am not using a kerberized ldap environment, yet, I just have ldap configured without kerberos at this point.

Nick

No. I was actually able to get what I needed from your debug file. Try removing your keytab from the FreeNAS UI, then run the command manually "/etc/directoryservice/LDAP/ctl restart" and see if LDAP stays up.

#12 Updated by Dru Lavigne 10 months ago

  • Target version changed from 11.2-U2 to 11.2-U3

#13 Updated by Nick Niehoff 10 months ago

I have no keytab in the UI.

#14 Updated by Andrew Walker 10 months ago

Nick Niehoff wrote:

I have no keytab in the UI.

Nick, can you send the output of "sh -x /etc/directoryservice/LDAP/ctl restart"?

#15 Updated by Andrew Walker 10 months ago

  • Status changed from Unscreened to Blocked
  • Reason for Blocked set to Need additional information from Author

#16 Updated by Dru Lavigne 9 months ago

  • File deleted (debug.tgz)

#17 Updated by Dru Lavigne 9 months ago

  • File deleted (krb5.keytab.py)

#18 Updated by Dru Lavigne 9 months ago

  • File deleted (krb5.conf)

#19 Updated by Dru Lavigne 9 months ago

  • Status changed from Blocked to Closed
  • Target version changed from 11.2-U3 to N/A
