[Pkg-sssd-devel] Bug#838853: SSSD error: There is no domain information for SID

Ali Ibrahim ibrahimaeali at gmail.com
Sun Sep 25 18:53:54 UTC 2016


Package: sssd
Version: 1.11.7-3
Severity: important

Hi,

I have SSSD configured to use the simple access provider and have
restricted which Active Directory groups can log in:

$ tail /etc/sssd/sssd.conf

access_provider = simple
simple_allow_groups = linux_domain_users

When I try to log in using SSH with a user who is a member of that group,
the connection closes on the server side and this error appears in sssd's
log file:

[simple_check_process_group] (0x0020): There is no domain information for
SID S-1-5-21-3129309019-3453757689-3676435247-1105

However, getent seems to work fine:

$ getent passwd bob

bob:*:1311401108:1311400513:Bob:/home/testing.home/bob:/bin/bash

$ getent group linux_domain_users

linux_domain_users:*:1311401105:bob

I am also able to su into the account as the root user.

SSSD logs from /var/log/sssd/sssd_testing.home.log:

(Sun Sep 25 17:59:46 2016) [sssd[be[testing.home]]] [be_get_account_info]
(0x0100): Got request for [4097][1][name=bob]
(Sun Sep 25 17:59:46 2016) [sssd[be[testing.home]]]
[sysdb_idmap_store_mapping] (0x0100): Adding new ID mapping
[S-1-5-21-3129309019-3453757689-3676435247][S-1-5-21-3129309019-3453757689-3676435247][6556]
(Sun Sep 25 17:59:46 2016) [sssd[be[testing.home]]] [acctinfo_callback]
(0x0100): Request processed. Returned 0,0,Success
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [be_get_account_info]
(0x0100): Got request for [3][1][name=bob]
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [sysdb_store_group]
(0x0080): A group with the same GID [1311400513] was removed from the cache
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [acctinfo_callback]
(0x0100): Request processed. Returned 0,0,Success
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [be_pam_handler]
(0x0100): Got request with the following data
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data]
(0x0100): command: PAM_AUTHENTICATE
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data]
(0x0100): domain: testing.home
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data]
(0x0100): user: bob
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data]
(0x0100): service: sshd
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data]
(0x0100): tty: ssh
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data]
(0x0100): ruser:
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data]
(0x0100): rhost: ::1
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data]
(0x0100): authtok type: 1
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data]
(0x0100): priv: 1
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data]
(0x0100): cli_pid: 5198
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]]
[be_resolve_server_process] (0x0200): Found address for server
addc.testing.home: [10.200.1.10] TTL 3600
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [fo_set_port_status]
(0x0100): Marking port 636 of server 'addc.testing.home' as 'working'
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]]
[set_server_common_status] (0x0100): Marking server 'addc.testing.home' as
'working'
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [simple_bind_send]
(0x0100): Executing simple bind as: CN=Bob,CN=Users,DC=testing,DC=home
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [sdap_pam_auth_done]
(0x0100): Password successfully cached for bob
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success]
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]]
[be_pam_handler_callback] (0x0100): Sending result [0][testing.home]
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]]
[be_pam_handler_callback] (0x0100): Sent result [0][testing.home]
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [be_pam_handler]
(0x0100): Got request with the following data
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data]
(0x0100): command: PAM_ACCT_MGMT
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data]
(0x0100): domain: testing.home
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data]
(0x0100): user: bob
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data]
(0x0100): service: sshd
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data]
(0x0100): tty: ssh
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data]
(0x0100): ruser:
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data]
(0x0100): rhost: ::1
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data]
(0x0100): authtok type: 0
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data]
(0x0100): priv: 1
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data]
(0x0100): cli_pid: 5198
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]]
[simple_access_obtain_filter_lists] (0x0200): Allow users list is empty.
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]]
[simple_access_obtain_filter_lists] (0x0200): Deny users list is empty.
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]]
[simple_access_obtain_filter_lists] (0x0200): Deny groups list is empty.
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]]
[simple_access_check_send] (0x0200): Simple access check for bob
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]]
[simple_check_process_group] (0x0020): There is no domain information for
SID S-1-5-21-3129309019-3453757689-3676435247-1105
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>)
[Success]
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]]
[be_pam_handler_callback] (0x0100): Sending result [6][testing.home]
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]]
[be_pam_handler_callback] (0x0100): Sent result [6][testing.home]


SSHD logs from /var/log/auth.log:

Sep 25 17:59:49 debian-8 sshd[15919]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1  user=bob
Sep 25 17:59:49 debian-8 sshd[15919]: pam_sss(sshd:auth): authentication
success; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=bob
Sep 25 17:59:49 debian-8 sshd[15919]: pam_sss(sshd:account): Access denied
for user bob: 6 (Permission denied)
Sep 25 17:59:49 debian-8 sshd[15919]: Failed password for bob from
127.0.0.1 port 36081 ssh2
Sep 25 17:59:49 debian-8 sshd[15919]: fatal: Access denied for user bob by
PAM account configuration [preauth]


I am using Debian GNU/Linux 8 (jessie) and kernel 3.16.7-ckt20-1+deb8u4.

I have the exact same configuration set on CentOS 6 and 7, Ubuntu 14.04 and
16.04, and Fedora 24. Only observed this issue on Debian 8.3.
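
An added triage example, not part of the original report and not SSSD code: it rejoins the hard-wrapped backend log entries and pairs each PAM request with its result code, so a successful PAM_AUTHENTICATE followed by a PAM_ACCT_MGMT denial is tied to the access-provider error that caused it. The names `triage` and `auth_ok_but_denied` are hypothetical, the sample is an excerpt of the log above, and the pairing assumes one PAM request in flight at a time.

```python
import re

# Sample input: excerpt of the backend log quoted in the report (some entries re-joined).
SAMPLE = """
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data] (0x0100): user: bob
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [be_pam_handler_callback] (0x0100): Sent result [0][testing.home]
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [pam_print_data] (0x0100): user: bob
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]]
[simple_check_process_group] (0x0020): There is no domain information for
SID S-1-5-21-3129309019-3453757689-3676435247-1105
(Sun Sep 25 17:59:49 2016) [sssd[be[testing.home]]] [be_pam_handler_callback] (0x0100): Sent result [6][testing.home]
"""

ENTRY = re.compile(r"\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<dom>[^\]]+)\]\]\] "
                   r"\[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)")

def entries(text):
    """Rejoin hard-wrapped entries; each real entry starts with '(<Weekday> '."""
    joined = re.sub(r"\n(?!\([A-Z][a-z]{2} )", " ", text.strip())
    return [m for m in map(ENTRY.match, joined.splitlines()) if m]

def triage(text):
    """One record per PAM request: command, user, result code, access-check errors."""
    reqs = []
    for m in entries(text):
        func, msg = m["func"], m["msg"].strip()
        if func == "pam_print_data" and msg.startswith("command: "):
            reqs.append({"command": msg[9:], "user": None, "result": None, "errors": []})
        elif not reqs:
            continue
        elif func == "pam_print_data" and msg.startswith("user: "):
            reqs[-1]["user"] = msg[6:]
        # 0x0040 and below are SSSD's fatal/critical/serious failure levels.
        elif func.startswith("simple_") and int(m["lvl"], 16) <= 0x0040:
            reqs[-1]["errors"].append(msg)
        elif func == "be_pam_handler_callback" and msg.startswith("Sent result ["):
            reqs[-1]["result"] = int(msg[13:msg.index("]")])
    return reqs

def auth_ok_but_denied(reqs):
    """Users whose PAM_AUTHENTICATE returned 0 but whose PAM_ACCT_MGMT did not."""
    ok = {r["user"] for r in reqs if r["command"] == "PAM_AUTHENTICATE" and r["result"] == 0}
    return [(r["user"], r["result"], r["errors"]) for r in reqs
            if r["command"] == "PAM_ACCT_MGMT" and r["result"] not in (0, None) and r["user"] in ok]

if __name__ == "__main__":
    print(auth_ok_but_denied(triage(SAMPLE)))
```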