
SSSD Wont Work with AD After Its Installed and Configured

Expert Contributor

After integrating HDP 2.3.2 with AD and Kerberizing it successfully, I installed SSSD across all nodes and applied the configuration below, but SSSD is not able to communicate with AD.

[sssd]
config_file_version = 2
domains = AD-HDP.COM
services = nss
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
debug_level = 5
[domain/AD-HDP.COM]
id_provider = ldap
ldap_default_bind_dn = CN=adadmin,CN=Rommel_Garcia_Accounts,DC=AD-HDP,DC=COM
ldap_default_authtok_type = password
ldap_default_authtok = ldappw
auth_provider = none
min_id = 1000
ad_server = ad-hdp-com.cloud.hortonworks.com
ldap_uri = ldaps://ad-hdp-com.cloud.hortonworks.com
ldap_schema = ad
ldap_id_mapping = true
cache_credentials = true
ldap_referrals = false

When I run 'su - hr1' on any of the HDP nodes, hr1 is not recognized as a user, but it exists in AD.

Here are the sssd log entries.

/var/log/sssd/sssd.log:

(Wed Oct 21 08:59:40:805458 2015) [sssd] [get_monitor_config] (0x0010): Invalid service ns

(Wed Oct 21 08:59:40:805637 2015) [sssd] [main] (0x0020): SSSD couldn't load the configuration database.

/var/log/sssd/sssd_nss.log

(Wed Oct 21 09:03:52 2015) [sssd[nss]] [monitor_common_send_id] (0x0100): Sending ID: (nss,1)

(Wed Oct 21 09:03:52 2015) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].

(Wed Oct 21 09:03:52 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].

(Wed Oct 21 09:03:52 2015) [sssd[nss]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,NSS)

(Wed Oct 21 09:03:52 2015) [sssd[nss]] [sysdb_domain_init_internal] (0x0200): DB File for AD-HDP.COM: /var/lib/sss/db/cache_AD-HDP.COM.ldb

(Wed Oct 21 09:03:52 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root

(Wed Oct 21 09:03:52 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root

(Wed Oct 21 09:03:52 2015) [sssd[nss]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]

(Wed Oct 21 09:03:52 2015) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].

(Wed Oct 21 09:03:52 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].

(Wed Oct 21 09:03:52 2015) [sssd[nss]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP

(Wed Oct 21 09:03:52 2015) [sssd[nss]] [id_callback] (0x0100): Got id ack and version (1) from Monitor

All of the SSSD services across all nodes run fine. Do I need to configure SSSD to work with Kerberos? How?

1 ACCEPTED SOLUTION

Expert Contributor

There was a bug in the CentOS 6.5 gdm module where it was not picking up the latest change to nsswitch.conf, and the only resolution available is to reboot the machine, as stated in this RHEL thread: https://bugzilla.redhat.com/show_bug.cgi?id=621700. SSSD is now working with AD.

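The question's sssd.conf and the nsswitch.conf change in the accepted solution, as an added example that is not part of the original thread: a POSIX sh script that reads both files offline and flags what a practitioner checks first. It runs against constructed copies (the DEMO_* paths, the trimmed config from the question and a nsswitch.conf with sss on passwd but not on group are all made up here for the demonstration); the responder names, the fact that ad_* options are read by the ad provider only, and the 0600 expectation for sssd.conf are SSSD's documented behaviour.

```shell
#!/bin/sh
# Added example (not from the original thread): offline checks for the two files
# that decide whether an AD user resolves on an HDP node, sssd.conf and
# nsswitch.conf. The DEMO_* files below are constructed for the demonstration.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION] (first hit).
ini_get() {
    awk -v sect="[$2]" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); in_sect = (s == sect); next }
        in_sect && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# lint_sssd_conf FILE DOMAIN: print one finding per line; the exit status is the
# number of findings, so 0 means nothing was flagged.
lint_sssd_conf() {
    f=$1; sec="domain/$2"; n=0
    # [sssd] services must name real responders; anything else makes sssd log
    # "Invalid service ..." and refuse to load the configuration at all.
    for svc in $(ini_get "$f" sssd services | tr ',' ' '); do
        case $svc in
            nss|pam|sudo|autofs|ssh|pac|ifp) ;;
            *) echo "[sssd] services: unknown responder '$svc'"; n=$((n + 1)) ;;
        esac
    done
    # ad_server/ad_domain are read by the ad provider only; with id_provider =
    # ldap they are ignored and ldap_uri alone decides where lookups go.
    if [ "$(ini_get "$f" "$sec" id_provider)" = ldap ] &&
       [ -n "$(ini_get "$f" "$sec" ad_server)" ]; then
        echo "[$sec] ad_server is ignored with id_provider = ldap (use id_provider = ad, or drop it)"
        n=$((n + 1))
    fi
    # A clear-text bind password in the config is a standing AD credential on
    # every node; id_provider = ad binds with the host keytab over GSSAPI instead.
    if [ -n "$(ini_get "$f" "$sec" ldap_default_authtok)" ]; then
        echo "[$sec] ldap_default_authtok stores the bind password in clear text"
        n=$((n + 1))
    fi
    # -perm -004: the 'other' read bit is set. sssd.conf should be root:root 0600.
    if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
        echo "$f is world-readable; sssd.conf should be mode 0600"
        n=$((n + 1))
    fi
    # auth_provider = none: names and ids resolve, but no AD password can log in.
    if [ "$(ini_get "$f" "$sec" auth_provider)" = none ]; then
        echo "[$sec] auth_provider = none: no password authentication against AD"
        n=$((n + 1))
    fi
    return $n
}

# nss_has_sss FILE DB: succeed if the DB line (passwd, group, ...) lists sss.
nss_has_sss() {
    grep -E "^[[:space:]]*$2:(.*[[:space:]])?sss([[:space:]]|$)" "$1" >/dev/null
}

# lint_nsswitch FILE: report the databases that never consult SSSD; the exit
# status is how many. 'id user' needs both passwd and group to list sss.
lint_nsswitch() {
    n=0
    for db in passwd group; do
        nss_has_sss "$1" "$db" || { echo "nsswitch.conf: '$db' does not list sss"; n=$((n + 1)); }
    done
    return $n
}

# ---- constructed demo input: the question's config, trimmed to the keys read above ----
DEMO_DIR=$(mktemp -d)
DEMO_SSSD_CONF=$DEMO_DIR/sssd.conf
DEMO_NSSWITCH=$DEMO_DIR/nsswitch.conf
cat > "$DEMO_SSSD_CONF" <<'EOF'
[sssd]
config_file_version = 2
domains = AD-HDP.COM
services = nss
[domain/AD-HDP.COM]
id_provider = ldap
ldap_default_bind_dn = CN=adadmin,CN=Rommel_Garcia_Accounts,DC=AD-HDP,DC=COM
ldap_default_authtok = ldappw
auth_provider = none
ad_server = ad-hdp-com.cloud.hortonworks.com
ldap_uri = ldaps://ad-hdp-com.cloud.hortonworks.com
ldap_id_mapping = true
EOF
chmod 644 "$DEMO_SSSD_CONF"   # the mode a plain copy usually ends up with
# a half-finished nsswitch.conf: sss added to passwd but not to group (constructed)
printf 'passwd: files sss\ngroup:  files\nshadow: files\n' > "$DEMO_NSSWITCH"

lint_sssd_conf "$DEMO_SSSD_CONF" AD-HDP.COM || echo "sssd.conf: $? finding(s)"
lint_nsswitch "$DEMO_NSSWITCH" || echo "nsswitch.conf: $? finding(s)"
```

Run as-is it reports four findings for the posted config and one for the nsswitch file. The two that matter most: ad_server does nothing under id_provider = ldap, so lookups go wherever ldap_uri points, and ldap_default_authtok leaves an AD bind password in clear text on every node. The usual way to get rid of that password, and the answer I would give to the Kerberos question, is to join each host to the domain (adcli, realm or net ads join, which puts the host principal into /etc/krb5.keytab) and switch to id_provider = ad with auth_provider = ad and services = nss, pam; the ad provider then authenticates to AD with that keytab over GSSAPI and the bind DN and authtok lines go away. On the nsswitch side, the glibc shipped with CentOS 6 parses nsswitch.conf once per process on its first lookup, so after adding sss only newly started processes (and nscd, if it runs, after a flush) see the change; the reboot in the accepted answer restarts everything at once.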

2 REPLIES

Expert Contributor

SSSD seems to work fine based on the sssd_nss.log below. When I run 'getent passwd' it returns all users from AD, but I'm not able to get anything when I run 'id {ad_user}'.

(Thu Oct 22 22:31:15 2015) [sssd[nss]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sbus_init_connection] (0x0400): Adding connection 0x1965160

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sbus_conn_add_interface] (0x1000): Will register path /org/freedesktop/sssd/service without fallback

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [monitor_common_send_id] (0x0100): Sending ID: (nss,1)

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sbus_init_connection] (0x0400): Adding connection 0x19639e0

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sbus_conn_add_interface] (0x1000): Will register path /org/freedesktop/sssd/dataprovider without fallback

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,NSS)

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sysdb_domain_init_internal] (0x0200): DB File for AD-HDP.COM: /var/lib/sss/db/cache_AD-HDP.COM.ldb

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [ldb] (0x0400): asq: Unable to register control with rootdse!

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_process_init] (0x0400): Responder Initialization complete

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/AD-HDP.COM/root] to negative cache permanently

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/AD-HDP.COM/root] to negative cache permanently

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/sh in /etc/shells

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/bash in /etc/shells

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /sbin/nologin in /etc/shells

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [nss_get_etc_shells] (0x0400): Found shell /bin/dash in /etc/shells

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [nss_process_init] (0x0400): NSS Initialization complete

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41df60:domains@AD-HDP.COM]

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [AD-HDP.COM][]

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41df60:domains@AD-HDP.COM]

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [id_callback] (0x0100): Got id ack and version (1) from Monitor

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success

(Thu Oct 22 22:31:16 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41df60:domains@AD-HDP.COM]
