SSSD not seeing new OpenLDAP accounts?
by surfrock66 from LinuxQuestions.org on (#6Q825)
I have an OpenLDAP server running a custom schema to provide POSIX accounts. These are seen via SSSD, and in theory it's working fine. I used a custom schema to combine POSIX attributes and user attributes, so web applications can reference the same objects as Linux auth. On top of that, I have Kerberos with OpenLDAP as its database. This is slapd 2.5.18 on Ubuntu Server 22.04.4 LTS.
My clients are mostly Ubuntu servers and desktops. In theory, it's been working fine. All my 5 main original accounts work, show up with "getent passwd username" and I can log in as them (4 users and 1 bind account). I have added many accounts to the LDAP directory, but mostly they're web-app only, so I haven't messed with logging them into Linux.
I had a reason to make another Linux login account, so I made it the same as the others...and it doesn't show up. Upon further testing, no accounts I've provisioned in a long time show up with "getent passwd user". Very roughly, it almost seems like no accounts show up since after I provisioned SSSD to connect to LDAP, but I can't exactly pinpoint that. I've done attribute matching, and there's nothing in the working accounts that isn't populated in the new account. I've even tried with both a Kerberos-based password and not...it doesn't change that the accounts themselves don't show with "getent passwd username".
The weird thing is, groups appear to be enumerating, which is how I'm finding the issue. I have a "ServiceAccounts" group with all my service accounts in it, and it seems it sees that, but can't find the associated accounts, as shown in this log entry.
Code:
(2024-08-25 17:42:16): [be[subdomain.domain.com]] [simple_bind_send] (0x0100): [RID#4] Executing simple bind as: cn=ldapbinduser,ou=accounts,dc=subdomain,dc=domain,dc=com
(2024-08-25 17:42:16): [be[subdomain.domain.com]] [fo_set_port_status] (0x0100): [RID#4] Marking port 389 of server 'server-dir-01.subdomain.domain.com' as 'working'
(2024-08-25 17:42:16): [be[subdomain.domain.com]] [set_server_common_status] (0x0100): [RID#4] Marking server 'server-dir-01.subdomain.domain.com' as 'working'
(2024-08-25 17:42:16): [be[subdomain.domain.com]] [be_run_online_cb] (0x0080): [RID#4] Going online. Running callbacks.
(2024-08-25 17:42:16): [be[subdomain.domain.com]] [be_ptask_enable] (0x0080): [RID#4] Task [SUDO Smart Refresh]: already enabled
(2024-08-25 17:42:16): [be[subdomain.domain.com]] [be_ptask_enable] (0x0080): [RID#4] Task [SUDO Full Refresh]: already enabled
(2024-08-25 17:42:23): [be[subdomain.domain.com]] [enum_users_done] (0x0100): Users higher USN value: [20240823211435Z]
(2024-08-25 17:42:23): [be[subdomain.domain.com]] [sdap_fill_memberships] (0x0080): Member [cn=syncthing,ou=accounts,dc=subdomain,dc=domain,dc=com] was not found in cache. Is it out of scope?
(2024-08-25 17:42:23): [be[subdomain.domain.com]] [sdap_fill_memberships] (0x0080): Member [cn=kadmin-service,ou=accounts,dc=subdomain,dc=domain,dc=com] was not found in cache. Is it out of scope?
(2024-08-25 17:42:23): [be[subdomain.domain.com]] [sdap_fill_memberships] (0x0080): Member [cn=kdc-service,ou=accounts,dc=subdomain,dc=domain,dc=com] was not found in cache. Is it out of scope?
(2024-08-25 17:42:23): [be[subdomain.domain.com]] [sdap_fill_memberships] (0x0080): Member [cn=syncthing,ou=accounts,dc=subdomain,dc=domain,dc=com] was not found in cache. Is it out of scope?
(2024-08-25 17:42:23): [be[subdomain.domain.com]] [sdap_fill_memberships] (0x0080): Member [cn=ansible,ou=accounts,dc=subdomain,dc=domain,dc=com] was not found in cache. Is it out of scope?
(2024-08-25 17:42:23): [be[subdomain.domain.com]] [sdap_fill_memberships] (0x0080): Member [cn=www-data,ou=accounts,dc=subdomain,dc=domain,dc=com] was not found in cache. Is it out of scope?
(2024-08-25 17:42:23): [be[subdomain.domain.com]] [sdap_fill_memberships] (0x0080): Member [cn=debian-transmission,ou=accounts,dc=subdomain,dc=domain,dc=com] was not found in cache. Is it out of scope?
(2024-08-25 17:42:23): [be[subdomain.domain.com]] [sdap_fill_memberships] (0x0080): Member [cn=www-data,ou=accounts,dc=subdomain,dc=domain,dc=com] was not found in cache. Is it out of scope?
(2024-08-25 17:42:23): [be[subdomain.domain.com]] [sdap_fill_memberships] (0x0080): Member [cn=ansible,ou=accounts,dc=subdomain,dc=domain,dc=com] was not found in cache. Is it out of scope?
(2024-08-25 17:42:24): [be[subdomain.domain.com]] [enum_groups_done] (0x0100): Groups higher USN value: [20240826003745Z]
(2024-08-25 17:57:23): [be[subdomain.domain.com]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'

Below is my sssd.conf (heavily redacted):
Code:
[sssd]
config_file_version = 2
debug_level = 4
services = nss, pam, sudo
domains = subdomain.domain.com
[sudo]
[domain/subdomain.domain.com]
debug_level = 4
cache_credentials = true
enumerate = true
id_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://server-dir-01.subdomain.domain.com
ldap_search_base = dc=subdomain,dc=domain,dc=com
ldap_group_search_base = ou=groups,dc=subdomain,dc=domain,dc=com
ldap_sudo_search_base = ou=SUDOers,dc=subdomain,dc=domain,dc=com
ldap_sudo_full_refresh_interval=86400
ldap_sudo_smart_refresh_interval=3600
ldap_schema = rfc2307bis
ldap_user_object_class = domainAccount
ldap_group_object_class = domainGroup
ldap_group_member = member
ldap_default_bind_dn = cn=ldapbinduser,ou=accounts,dc=subdomain,dc=domain,dc=com
ldap_default_authtok = InsecureLDAPBindUserPassword
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/subdomain.domain.com.rootca.2032.08.24.pem
ldap_tls_cacertdir = /etc/ssl/certs
auth_provider = krb5
chpass_provider = krb5
krb5_server = server-dir-01.subdomain.domain.com
krb5_kpasswd = server-dir-01.subdomain.domain.com
krb5_realm = subdomain.domain.com

Lastly, my /etc/nsswitch is here:
Code:
passwd: files systemd sss
group: files systemd sss
shadow: files sss
gshadow: files
sudoers: files sss
hosts: files mdns4_minimal [NOTFOUND=return] dns mymachines
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
automount: sss

I have tried several things, like forcing an sssd cache refresh or deleting the db so it repopulates, but I'm getting nothing and no logs are pointing me in the right direction here. Any guidance as to where to keep looking would be appreciated.
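A small diagnostic helper, added here and not part of the original post: it reads the domain settings from an sssd.conf and the "was not found in cache" lines from the backend log, checks whether each unresolved member DN actually lies under the user search base (the "out of scope" question the log asks), and builds the ldapsearch that reproduces SSSD's own lookup of that entry with the configured bind DN, StartTLS and user object class. The embedded config and log are constructed copies of the redacted values in the post; ldap_user_search_base falling back to ldap_search_base follows SSSD's documented behaviour.

```python
# Added diagnostic, not from the original post: parse sssd.conf plus the
# "was not found in cache" log lines, report whether each unresolved DN is
# under the user search base, and build the matching ldapsearch command.
import configparser
import re
import shlex

MEMBER_RE = re.compile(r"Member \[([^\]]+)\] was not found in cache")

# Constructed sample input mirroring the (redacted) config and log in the post.
SSSD_CONF = """[sssd]
domains = subdomain.domain.com
[domain/subdomain.domain.com]
ldap_uri = ldap://server-dir-01.subdomain.domain.com
ldap_search_base = dc=subdomain,dc=domain,dc=com
ldap_user_object_class = domainAccount
ldap_default_bind_dn = cn=ldapbinduser,ou=accounts,dc=subdomain,dc=domain,dc=com
ldap_id_use_start_tls = True
"""
LOG = """\
(2024-08-25 17:42:23): [be[subdomain.domain.com]] [sdap_fill_memberships] (0x0080): Member [cn=syncthing,ou=accounts,dc=subdomain,dc=domain,dc=com] was not found in cache. Is it out of scope?
(2024-08-25 17:42:23): [be[subdomain.domain.com]] [sdap_fill_memberships] (0x0080): Member [cn=ansible,ou=accounts,dc=subdomain,dc=domain,dc=com] was not found in cache. Is it out of scope?
"""

def domain_section(conf_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    domain = cp["sssd"]["domains"].split(",")[0].strip()
    return cp[f"domain/{domain}"]

def normalize_dn(dn):
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def dn_in_scope(dn, base):
    # Subtree search semantics: the DN is the base itself or ends in ",<base>".
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)

def unresolved_members(log_text):
    return sorted(set(MEMBER_RE.findall(log_text)))

def user_lookup_command(dom, dn):
    # Same bind DN, StartTLS and user object class as the SSSD domain uses.
    cmd = ["ldapsearch", "-x", "-LLL", "-H", dom["ldap_uri"],
           "-D", dom["ldap_default_bind_dn"], "-W", "-b", dn, "-s", "base",
           f"(objectClass={dom['ldap_user_object_class']})",
           "uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell"]
    if dom.get("ldap_id_use_start_tls", "false").lower() == "true":
        cmd.insert(1, "-ZZ")
    return shlex.join(cmd)

def report(conf_text, log_text):
    dom = domain_section(conf_text)
    base = dom.get("ldap_user_search_base", dom["ldap_search_base"])  # SSSD fallback
    return {dn: (dn_in_scope(dn, base), user_lookup_command(dom, dn))
            for dn in unresolved_members(log_text)}
```

Run `report(SSSD_CONF, LOG)` against your own sssd.conf and log text: a DN flagged as in scope that still returns nothing from the generated ldapsearch means the entry does not match the user object class or is not visible to the bind account, rather than being outside the search base.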