# URGENT: I cannot Login into my system!

## ROGA

Hi,

I hope anyone can help solve my problem. I don't know what happened exactly, but after a reboot of my virtual Gentoo box I'm no longer able to log in, locally or remotely, to my Gentoo system.

I booted with a liveCD and then chrooted into my box. Journalctl didn't show me a hint …

What more can I do?

Any help is welcome.

----------

## alamahant

Please try

```
passwd root
passwd <your-user>
```

from chroot.

----------

## ROGA

I tried this also, but no success. I created a new user and had the same result. I got no error message during login. After I enter the password for root, a text appears with my last login date and time, and immediately the login prompt appears again.

----------

## toralf

Did you by accident put an "exit" in your .bashrc or so?

----------

## ROGA

*Quote:*

> Did you by accident put an "exit" in your .bashrc or so?

No, I didn't change anything in .bashrc.

----------

## Irre

I had problems with VirtualBox on Windows 7, but not on Windows 10. After a recent update everything except USB works fine again, even under Windows 7. I run Gentoo, Arch Linux and Windows 10 in VirtualBox under Windows 10 and 7.

----------

## ROGA

I found out that the problem seems to be with PAM. I edited system-auth and commented out `session required pam_ldap.so`, and after that I could log in locally. But this is not my desired solution, because I need LDAP auth on this system.

My system-auth file looks like this:

```
auth            required                        pam_env.so
auth            sufficient                      pam_ldap.so try_first_pass ignore_authinfo_unavail ignore_unknown_user
auth            requisite                       pam_faillock.so preauth
auth            [success=1 default=ignore]      pam_unix.so nullok  try_first_pass
auth            [default=die]                   pam_faillock.so authfail
auth            optional                        pam_permit.so
account         sufficient                      pam_ldap.so
account         required                        pam_unix.so
account         required                        pam_faillock.so
account         optional                        pam_permit.so
password        required                        pam_passwdqc.so config=/etc/security/passwdqc.conf
password        sufficient                      pam_ldap.so try_first_pass use_authok ignore_unknown_user ignore_authinf
password        required                        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        optional                        pam_permit.so
session         required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
session         required                        pam_limits.so
session         required                        pam_env.so
#session                required                        pam_ldap.so
session         required                        pam_unix.so
session         optional                        pam_permit.so
```

Journalctl shows me the following errors:

```
Jun 09 16:44:25 fts sshd[4234]: pam_ldap(sshd:account): error opening connection to nslcd: No such file or directory
Jun 09 16:44:25 fts sshd[4234]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
```

What's wrong now? Previously all worked fine.
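The behaviour in this post, as an added example that is not code from the thread or from Linux-PAM: a small stack walker that applies Linux-PAM's control-flag rules (required, requisite, sufficient, optional and the `[value=action]` form, including jumps) to an excerpt of the system-auth above, with the result of each module supplied by the caller. The `authinfo_unavail` return code assumed for pam_ldap.so while nslcd is absent, and the success of every other module, are assumptions. It shows why the `sufficient` pam_ldap.so in the auth stack tolerates the missing nslcd while the `required` one in the session stack fails the whole login, and why commenting that line out makes the session stack succeed again.

```python
"""Minimal Linux-PAM stack walker (added example; not Linux-PAM code).

Parses lines in the system-auth format above and evaluates one management
group with Linux-PAM's control-flag semantics, using caller-supplied module
return codes.
"""
import re

# Keyword controls, expressed as the [value=action] tables Linux-PAM maps them to.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
# A leading '-' (as in "-session optional pam_systemd.so") only silences the
# log entry for a missing module, so it is accepted and otherwise ignored.
LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")

# Constructed excerpt of the system-auth posted above (auth and session groups only).
SYSTEM_AUTH = """\
auth     required                    pam_env.so
auth     sufficient                  pam_ldap.so try_first_pass ignore_authinfo_unavail ignore_unknown_user
auth     requisite                   pam_faillock.so preauth
auth     [success=1 default=ignore]  pam_unix.so nullok try_first_pass
auth     [default=die]               pam_faillock.so authfail
auth     optional                    pam_permit.so
session  required                    pam_mkhomedir.so umask=0022 skel=/etc/skel
session  required                    pam_limits.so
session  required                    pam_env.so
session  required                    pam_ldap.so
session  required                    pam_unix.so
session  optional                    pam_permit.so
"""


def parse_stack(text, stack_type):
    """Return [(module, action_table, args)] for one management group."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or m.group(1) != stack_type:
            continue
        control, module, args = m.group(2), m.group(3), m.group(4).split()
        if control.startswith("["):
            actions = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        entries.append((module, actions, args))
    return entries


def run_stack(entries, results):
    """Walk one stack. `results` maps "module.so" (or "module.so arg ...") to the
    PAM return code that module is assumed to produce; modules not listed are
    assumed to return success. Returns the stack's final return code."""
    impression, status = None, "perm_denied"   # _PAM_UNDEF, PAM_MUST_FAIL_CODE
    i = 0
    while i < len(entries):
        module, actions, args = entries[i]
        i += 1
        retval = results.get(f"{module} {' '.join(args)}", results.get(module, "success"))
        action = actions.get(retval, actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("bad", "die"):          # record the first failure; die stops the walk
            if impression != "bad":
                impression, status = "bad", retval
            if action == "die":
                break
        elif action in ("ok", "done"):        # a success only counts while nothing has failed
            if impression is None or (impression == "pass" and status == "success"):
                if retval != "ignore" or impression is None:
                    impression, status = "pass", retval
            if impression == "pass" and action == "done":
                break
        elif action == "reset":
            impression, status = None, "perm_denied"
        else:                                 # numeric jump: skip N modules; the jump itself
            i += int(action)                  # records neither success nor failure
    return status


def login_outcome(config, results):
    """Final return code of the auth and session stacks for one scenario."""
    return {t: run_stack(parse_stack(config, t), results) for t in ("auth", "session")}


if __name__ == "__main__":
    nslcd_down = {"pam_ldap.so": "authinfo_unavail"}   # assumed code while nslcd is absent
    print("nslcd down:         ", login_outcome(SYSTEM_AUTH, nslcd_down))
    fixed = "\n".join(l for l in SYSTEM_AUTH.splitlines()
                      if not (l.startswith("session") and "pam_ldap" in l))
    print("pam_ldap commented: ", login_outcome(fixed, nslcd_down))
```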

----------

## alamahant

Please see my post:

https://forums.gentoo.org/viewtopic-t-1127557.html

It involves installing sssd, which is much better than nss-pam-ldapd.

You modify sssd.conf like this:

```
id_provider = ldap
auth_provider = ldap
```

----------

## ROGA

@alamahant

I tried your suggestion and installed sssd, but I couldn't log in with LDAP through vsftpd.

I have no idea how PAM works, so I need help from an experienced person.

This is my system-auth:

```
auth            required                                        pam_env.so
auth            required                                        pam_faildelay.so delay=2000000
auth            [default=1 ignore=ignore success=ok]            pam_succeed_if.so uid >= 1000 quiet
auth            [default=1 ignore=ignore success=ok]            pam_localuser.so
auth            sufficient                                      pam_unix.so nullok try_first_pass
auth            requisite                                       pam_succeed_if.so uid >= 1000 quiet_success
auth            sufficient                                      pam_sss.so forward_pass
auth            required                                        pam_deny.so
account         required                                        pam_unix.so broken_shadow
account         sufficient                                      pam_localuser.so
account         sufficient                                      pam_succeed_if.so uid < 1000 quiet
account         [default=bad success=ok user_unknown=ignore]    pam_sss.so
account         required                                        pam_permit.so
#password       requisite                                       pam_pwquality.so config=/etc/security/passwdqc.conf try_first_pass local_users_only retry=3 authtok_type=
password        required                                        pam_passwdqc.so config=/etc/security/passwdqc.conf
password        sufficient                                      pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password        sufficient                                      pam_sss.so use_authtok
password        required                                        pam_deny.so
session         optional                                        pam_keyinit.so revoke
session         required                                        pam_limits.so
-session        optional                                        pam_systemd.so
session         optional                                        pam_mkhomedir.so skel=/etc/skel/ umask=0077
session         [success=1 default=ignore]                      pam_succeed_if.so service in crond quiet use_uid
session         required                                        pam_unix.so
session         optional                                        pam_sss.so
session         required                                        pam_mkhomedir.so umask=0022 skel=/etc/skel
```

and vsftp-ldap:

```
auth            sufficient                                              pam_sss.so forward_pass
account         [default=bad success=ok user_unknown=ignore]            pam_sss.so
password        sufficient                                              pam_sss.so use_authtok
session         required                                                pam_mkhomedir.so umask=0022 skel=/etc/vsftpd/skel
session         optional                                                pam_sss.so
```

When I try to login with FileZilla I see this error in journalctl:

```
Jun 10 07:59:40 fts vsftpd[213742]: pam_sss(vsftpd-ldap:auth): Request to sssd failed. Connection refused
```

This is my sssd.conf:

```
[sssd]
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
 domains =MY.DOMAIN.COM

[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out).
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For UNIX and map LDAP attributes onto
# msSFU30* attribute names.
[domain/MY.DOMAIN.COM]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://192.168.xxx.yyy
ldap_search_base = dc=my,dc=domain,dc=com
ldap_schema = rfc2307bis
dap_sasl_mech = GSSAPI
ldap_user_object_class = user
ldap_group_object_class = group
ldap_id_mapping =false
ldap_use_tokengroups = false
ldap_user_principal = userPrincipalName
krb5_realm = MY.DOMAIN.COM
krb5_ccname_template = KEYRING:persistent:%{uid}
```

Can anybody push me in the right direction?

----------

## alamahant

Maybe

```
ldap_tls_reqcert = allow
```

in sssd.conf.

Also, is this Gentoo machine the one that runs the OpenLDAP server and the KDC, or a different one?
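Added example, not code from the thread or from sssd: a small lint pass over the sssd.conf posted two messages up, with the `ldap_tls_reqcert = allow` line from this reply added to it. It reports the `dap_sasl_mech` typo in that file (with the closest real option name as a hint), a domain listed in `[sssd]` without its section, the key line that starts with whitespace, and the transport settings a reviewer would query: with `allow` (or `never`) a missing or invalid server certificate is accepted, so TLS no longer proves which server answered. The option allowlist is a hand-picked subset of real sssd options and is an assumption of this example, as is the constructed config text.

```python
"""Lint pass over an sssd.conf (added example; not part of sssd).

Checks only what this thread ran into: a misspelled option key, a domain
listed in [sssd] without its [domain/...] section, a key line that starts
with whitespace, and transport settings (ldap:// without StartTLS,
ldap_tls_reqcert = allow/never) that weaken server authentication.
"""
import difflib
import re

# Hand-picked subset of real sssd-ldap(5)/sssd-krb5(5) option names
# (assumption: extend this set before using the lint on other configs).
KNOWN_DOMAIN_KEYS = {
    "debug_level", "id_provider", "auth_provider", "chpass_provider",
    "access_provider", "ldap_uri", "ldap_search_base", "ldap_schema",
    "ldap_sasl_mech", "ldap_user_object_class", "ldap_group_object_class",
    "ldap_id_mapping", "ldap_use_tokengroups", "ldap_user_principal",
    "ldap_tls_reqcert", "ldap_tls_cacert", "ldap_id_use_start_tls",
    "krb5_realm", "krb5_server", "krb5_ccname_template",
}
KEY_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")

# Constructed copy of the first sssd.conf posted in this thread (comments and
# the [nss]/[pam] sections dropped), with the suggested ldap_tls_reqcert line added.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
 domains =MY.DOMAIN.COM

[domain/MY.DOMAIN.COM]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://192.168.xxx.yyy
ldap_search_base = dc=my,dc=domain,dc=com
ldap_schema = rfc2307bis
dap_sasl_mech = GSSAPI
ldap_user_object_class = user
ldap_group_object_class = group
ldap_id_mapping =false
ldap_use_tokengroups = false
ldap_tls_reqcert = allow
ldap_user_principal = userPrincipalName
krb5_realm = MY.DOMAIN.COM
krb5_ccname_template = KEYRING:persistent:%{uid}
"""


def parse_ini(text):
    """Return ({section: {key: value}}, findings). Deliberately strict: a key
    line with leading whitespace is reported rather than silently folded."""
    sections, findings, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if line[0].isspace():
            findings.append(("warning", f"line {lineno}: key line starts with whitespace; "
                             "some INI parsers fold it into the previous value"))
            line = line.strip()
        m = KEY_RE.match(line)
        if not m or current is None:
            findings.append(("error", f"line {lineno}: unparsable line {line!r}"))
            continue
        sections[current][m.group(1)] = m.group(2).strip()
    return sections, findings


def lint(text):
    """Return a list of (level, message) findings for one sssd.conf text."""
    sections, findings = parse_ini(text)
    listed = sections.get("sssd", {}).get("domains", "")
    for dom in filter(None, (d.strip() for d in listed.split(","))):
        if f"domain/{dom}" not in sections:
            findings.append(("error", f"domain {dom!r} listed in [sssd] but [domain/{dom}] is missing"))
    for name, opts in sections.items():
        if not name.startswith("domain/"):
            continue
        for key in opts:
            if key not in KNOWN_DOMAIN_KEYS:
                hint = difflib.get_close_matches(key, KNOWN_DOMAIN_KEYS, n=1)
                suffix = f", did you mean {hint[0]!r}?" if hint else ""
                findings.append(("error", f"[{name}] unknown option {key!r}{suffix}"))
        if (opts.get("ldap_uri", "").startswith("ldap://")
                and opts.get("ldap_id_use_start_tls", "false").lower() != "true"):
            findings.append(("warning", f"[{name}] ldap:// without ldap_id_use_start_tls = true: "
                             "directory traffic is not TLS-protected"))
        reqcert = opts.get("ldap_tls_reqcert", "").lower()
        if reqcert in ("allow", "never"):
            findings.append(("warning", f"[{name}] ldap_tls_reqcert = {reqcert}: a missing or invalid "
                             "server certificate is accepted, so TLS no longer authenticates the server"))
        if opts.get("auth_provider") == "krb5" and "krb5_server" not in opts:
            findings.append(("info", f"[{name}] auth_provider = krb5 without krb5_server: "
                             "the KDC is located by DNS SRV discovery only"))
    return findings


if __name__ == "__main__":
    for level, message in lint(SAMPLE_SSSD_CONF):
        print(f"{level:8} {message}")
```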

----------

## ROGA

*Quote:*

> ldap_tls_reqcert = allow

That's good! Now I'm a little bit further. The error "connection refused" from pam_sss is now gone. In exchange, I now have the following message in journalctl:

```
Jun 10 11:11:40 fts vsftpd[7046]: pam_sss(vsftpd-ldap:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=gao rhost=10.84.7.51 user=gao
Jun 10 11:11:40 fts vsftpd[7046]: pam_sss(vsftpd-ldap:auth): received for user gao: 10 (User not known to the underlying authentication module)
```

*Quote:*

> Also, is this Gentoo machine the one that runs the OpenLDAP server and the KDC, or a different one?

No, the Gentoo box runs against a Windows 2008 Domain Controller. Could this be a problem?

----------

## alamahant

I know nothing about vsftp-ldap.

Log in to Gentoo as root and run

```
getent passwd <any-ldap-user>
```

In case you are desperate, install a CentOS 7 VM, install sssd and use

```
authconfig
```

to set up your network auth against the Windows DC.

Then use the generated PAM system-auth (or whatever it is named in CentOS) and sssd.conf in your Gentoo.

Let me know if you need help with authconfig.

Authconfig is fantastic in this respect.

Has your Gentoo client EVER worked?

How is your nsswitch.conf?

----------

## ROGA

@alamahant:

*Quote:*

> getent passwd <any-ldap-user>

I tried it without success. I searched the Internet and found out that the command getent passwd without <ldap-username> should print out all LDAP users. But this also didn't work for me. I think my sssd configuration is wrong. What exactly do I need on my Gentoo box to authenticate a user through LDAP/AD? I'm confused.

*Quote:*

> Has your Gentoo client EVER worked?

Yes it did, but I used it with nslcd. I heard that sssd is newer and better than nslcd; is this right?

My goal is to log in on my Gentoo box with an LDAP user account.

What I have is a Windows 2008 Server as an LDAP/AD server, so I do not need an OpenLDAP server, right? And the only thing that I need to emerge is sssd, right? Then I have to modify nsswitch.conf and PAM (system-auth) to use sss, right?

Can anybody check my config-files?

/etc/nsswitch.conf

```
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# Valid databases are: aliases, ethers, group, gshadow, hosts,
# initgroups, netgroup, networks, passwd, protocols, publickey,
# rpc, services, and shadow.
#
# Valid service provider entries include (in alphabetical order):
#
#       compat                  Use /etc files plus *_compat pseudo-db
#       db                      Use the pre-processed /var/db files
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files in /etc
#       hesiod                  Use Hesiod (DNS) for user lookups
#
# See `info libc 'NSS Basics'` for more information.
#
# Commonly used alternative service providers (may need installation):
#
#       ldap                    Use LDAP directory server
#       myhostname              Use systemd host names
#       mymachines              Use systemd machine names
#       mdns*, mdns*_minimal    Use Avahi mDNS/DNS-SD
#       resolve                 Use systemd resolved resolver
#       sss                     Use System Security Services Daemon (sssd)
#       systemd                 Use systemd for dynamic user option
#       winbind                 Use Samba winbind support
#       wins                    Use Samba wins support
#       wrapper                 Use wrapper module for testing
#
# Notes:
#
# 'sssd' performs its own 'files'-based caching, so it should generally
# come before 'files'.
#
# WARNING: Running nscd with a secondary caching service like sssd may
#          lead to unexpected behaviour, especially with how long
#          entries are cached.
#
# Installation instructions:
#
# To use 'db', install the appropriate package(s) (provide 'makedb' and
# libnss_db.so.*), and place the 'db' in front of 'files' for entries
# you want to be looked up first in the databases, like this:
#
# passwd:       db      files
# shadow:       db      files
# group:        db      files

# In alphabetical order. Re-order as required to optimize peformance.
aliases:        files
ethers:         files
group:          files   sss
gshadow:        files
hosts:          files   dns
# Allow initgroups to default to the setting for group.
netgroup:       files   sss
networks:       files   dns
passwd:         files   sss
protocols:      files
publickey:      files
rpc:            files
shadow:         files   sss
services:       files   sss
automount:      files   sss
sudoers:        files   sss
```

/etc/pam.d/system-auth

```
auth            required                                        pam_env.so
auth            required                                        pam_faildelay.so delay=2000000
auth            [default=1 ignore=ignore success=ok]            pam_succeed_if.so uid >= 1000 quiet
auth            [default=1 ignore=ignore success=ok]            pam_localuser.so
auth            sufficient                                      pam_unix.so nullok try_first_pass
auth            requisite                                       pam_succeed_if.so uid >= 1000 quiet_success
auth            sufficient                                      pam_sss.so forward_pass
auth            sufficient                                      pam_sss.so use_first_pass
auth            required                                        pam_deny.so
account         required                                        pam_unix.so broken_shadow
account         sufficient                                      pam_localuser.so
account         sufficient                                      pam_succeed_if.so uid < 1000 quiet
account         [default=bad success=ok user_unknown=ignore]    pam_sss.so
account         required                                        pam_permit.so
#password       requisite                                       pam_pwquality.so config=/etc/security/passwdqc.conf try_first_pass local_users_
password        required                                        pam_passwdqc.so config=/etc/security/passwdqc.conf
password        sufficient                                      pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password        sufficient                                      pam_sss.so use_authtok
password        required                                        pam_deny.so
session         optional                                        pam_keyinit.so revoke
session         required                                        pam_limits.so
-session        optional                                        pam_systemd.so
session         optional                                        pam_mkhomedir.so skel=/etc/skel/ umask=0077
session         [success=1 default=ignore]                      pam_succeed_if.so service in crond quiet use_uid
session         required                                        pam_unix.so
session         optional                                        pam_sss.so
session         required                                        pam_mkhomedir.so umask=0022 skel=/etc/skel
```

/etc/sssd/sssd.conf

```
[sssd]
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = MY.DOMAIN.COM
debug_level = 5

[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out).
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For UNIX and map LDAP attributes onto
# msSFU30* attribute names.
[domain/MY.DOMAIN.COM]
debug_level = 9
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://192.168.100.100
ldap_search_base = dc=my,dc=domain,dc=com
ldap_schema = rfc2307bis
ldap_sasl_mech = GSSAPI
ldap_user_object_class = user
ldap_group_object_class = group
ldap_id_mapping =false
ldap_use_tokengroups = false
ldap_tls_reqcert = allow
ldap_user_principal = userPrincipalName
krb5_realm = MY.DOMAIN.COM
krb5_ccname_template = KEYRING:persistent:%{uid}
```

I started the sssd service interactively so it should show me the log:

```
sssd -i -d 5
```

Output is:

```
(2021-06-11  8:01:58:620494): [sssd] [sss_ini_read_sssd_conf] (0x0100): File /etc/sssd/sssd.conf does not exist.
(2021-06-11  8:01:58:622278): [sssd] [confdb_init_db] (0x0100): LDIF file to import:
dn: cn=config
version: 2
dn: cn=sssd,cn=config
cn: sssd
config_file_version: 2
services: nss, pam
domains: MY.DOMAIN.COM
debug_level: 5
dn: cn=nss,cn=config
cn: nss
filter_groups: root
filter_users: root
reconnection_retries: 3
dn: cn=pam,cn=config
cn: pam
reconnection_retries: 3
dn: cn=MY.DOMAIN.COM,cn=domain,cn=config
cn: MY.DOMAIN.COM
debug_level: 9
id_provider: ldap
auth_provider: ldap
chpass_provider: ldap
ldap_uri: ldap://192.168.100.100
ldap_search_base: dc=my,dc=domain,dc=com
ldap_schema: rfc2307bis
ldap_sasl_mech: GSSAPI
ldap_user_object_class: user
ldap_group_object_class: group
ldap_id_mapping: false
ldap_use_tokengroups: false
ldap_tls_reqcert: allow
ldap_user_principal: userPrincipalName
krb5_realm: MY.DOMAIN.COM
krb5_ccname_template: KEYRING:persistent:%{uid}
(2021-06-11  8:01:58:625429): [sssd] [confdb_ensure_files_domain] (0x0100): The implicit files domain is disabled
(2021-06-11  8:01:58:625697): [sssd] [become_user] (0x0200): Trying to become user [0][0].
(2021-06-11  8:01:58:625715): [sssd] [become_user] (0x0200): Already user [0].
(2021-06-11  8:01:58): [sssd] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(2021-06-11  8:01:58): [sssd] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11  8:01:58): [sssd] [sysdb_domain_init_internal] (0x0200): DB File for MY.DOMAIN.COM: /var/lib/sss/db/cache_MY.DOMAIN.COM.ldb
(2021-06-11  8:01:58): [sssd] [sysdb_domain_init_internal] (0x0200): Timestamp file for MY.DOMAIN.COM: /var/lib/sss/db/timestamps_MY.DOMAIN.COM.ldb
(2021-06-11  8:01:58): [sssd] [sbus_server_new_connection] (0x0200): Adding connection 0x5585f62560a0.
(2021-06-11  8:01:58): [sssd] [sbus_signal_handler] (0x0020): We do not listen to this signal!
(2021-06-11  8:01:58): [sssd] [sbus_signal_handler] (0x0020): We do not listen to this signal!
(2021-06-11  8:01:58): [sssd] [start_service] (0x0100): Queueing service MY.DOMAIN.COM for startup
(2021-06-11  8:01:58:633512): [sssd] [become_user] (0x0200): Trying to become user [0][0].
(2021-06-11  8:01:58:633572): [sssd] [become_user] (0x0200): Already user [0].
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [be_res_get_opts] (0x0100): Lookup order: ipv4_first
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sysdb_domain_init_internal] (0x0200): DB File for MY.DOMAIN.COM: /var/lib/sss/db/cache_MY.DOMAIN.COM.ldb
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sysdb_domain_init_internal] (0x0200): Timestamp file for MY.DOMAIN.COM: /var/lib/sss/db/timestamps_MY.DOMAIN.COM.ldb
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sbus_server_new_connection] (0x0200): Adding connection 0x55d1bfb7cd30.
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sbus_signal_handler] (0x0020): We do not listen to this signal!
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sbus_signal_handler] (0x0020): We do not listen to this signal!
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [id]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [auth]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [permit] provider for [access]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [chpass]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [sudo]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [autofs]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [selinux]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [hostid]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [subdomains]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [session]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [resolver]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [USER][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [GROUP][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [HOST][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [IPHOST][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [IPNETWORK][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [krb5_try_kdcip] (0x0100): No KDC found in configuration, trying legacy option
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [get_sdap_service] (0x0100): Service name for discovery set to ldap
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [krb5_service_new] (0x0100): write_kdcinfo for realm MY.DOMAIN.COM set to true
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [krb5_service_init] (0x0100): No primary servers defined, using service discovery
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sysdb_idmap_get_mappings] (0x0080): Could not locate ID mappings: [Datei oder Verzeichnis nicht gefunden]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sssm_ldap_sudo_init] (0x0080): Sudo init handler called but SSSD is built without sudo support, ignoring
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [ldap_get_autofs_options] (0x0200): Option ldap_autofs_search_base set to dc=my,dc=domain,dc=com
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][dc=my,dc=domain,dc=com][SUBTREE][]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_target_init] (0x0100): Target [selinux] is not supported by module [ldap].
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_target_init] (0x0100): Target [subdomains] is not supported by module [ldap].
(2021-06-11  8:01:58): [sssd] [sbus_server_new_connection] (0x0200): Adding connection 0x5585f6272d60.
(2021-06-11  8:01:58): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.2' from table
(2021-06-11  8:01:58): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.domain_MY_2eDOMAIN_2eCOM' from table
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [become_user] (0x0200): Trying to become user [0][0].
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [become_user] (0x0200): Already user [0].
(2021-06-11  8:01:58): [sssd] [monitor_sbus_RegisterService] (0x0100): Received ID registration: (%BE_MY.DOMAIN.COM,1)
(2021-06-11  8:01:58): [sssd] [mark_service_as_started] (0x0200): Marking MY.DOMAIN.COM as started.
(2021-06-11  8:01:58): [sssd] [mark_service_as_started] (0x0100): Now starting services!
(2021-06-11  8:01:58): [sssd] [start_service] (0x0100): Queueing service nss for startup
(2021-06-11  8:01:58): [sssd] [start_service] (0x0100): Queueing service pam for startup
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sss_monitor_service_init_done] (0x0100): Got id ack and version (1) from Monitor
(2021-06-11  8:01:58:671473): [sssd] [become_user] (0x0200): Trying to become user [0][0].
(2021-06-11  8:01:58:671521): [sssd] [become_user] (0x0200): Already user [0].
(2021-06-11  8:01:58:671850): [sssd] [become_user] (0x0200): Trying to become user [0][0].
(2021-06-11  8:01:58:671895): [sssd] [become_user] (0x0200): Already user [0].
(2021-06-11  8:01:58): [nss] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(2021-06-11  8:01:58): [nss] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11  8:01:58): [pam] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].
(2021-06-11  8:01:58): [pam] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sbus_server_new_connection] (0x0200): Adding connection 0x55d1bfbabb80.
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_client_init] (0x0100): Set-up Backend ID timeout [0x55d1bfb9be40]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sbus_server_new_connection] (0x0200): Adding connection 0x55d1bfbadf80.
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_client_init] (0x0100): Set-up Backend ID timeout [0x55d1bfb7c440]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.2' from table
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table
(2021-06-11  8:01:58(2021-06-11  8:01:58): [pam] [sysdb_domain_init_internal] (0x0200): DB File for MY.DOMAIN.COM: /var/lib/sss/db/cache_MY.DOMAIN.COM.ldb
(2021-06-11  8:01:58): [pam] [sysdb_domain_init_internal] (0x0200): Timestamp file for MY.DOMAIN.COM: /var/lib/sss/db/timestamps_MY.DOMAIN.COM.ldb
(2021-06-11  8:01:58): [nss] [sysdb_domain_init_internal] (0x0200): DB File for MY.DOMAIN.COM: /var/lib/sss/db/cache_MY.DOMAIN.COM.ldb
(2021-06-11  8:01:58): [nss] [sysdb_domain_init_internal] (0x0200): Timestamp file for MY.DOMAIN.COM: /var/lib/sss/db/timestamps_MY.DOMAIN.COM.ldb
(2021-06-11  8:01:58): [pam] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(2021-06-11  8:01:58): [pam] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table
(2021-06-11  8:01:58): [pam] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11  8:01:58): [pam] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11  8:01:58): [pam] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_client_register] (0x0100): Added Frontend client [pam]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_client_register] (0x0100): Cancel DP ID timeout [0x55d1bfb7c440]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_client_register] (0x0100): Added Frontend client [nss]
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_client_register] (0x0100): Cancel DP ID timeout [0x55d1bfb9be40]
(2021-06-11  8:01:58): [sssd] [sbus_server_new_connection] (0x0200): Adding connection 0x5585f62790c0.
(2021-06-11  8:01:58): [nss] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(2021-06-11  8:01:58): [nss] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(2021-06-11  8:01:58): [nss] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11  8:01:58): [nss] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11  8:01:58): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table
(2021-06-11  8:01:58): [nss] [sss_mmap_cache_init] (0x0100): Fast 'PASSWD' mmap cache: timeout = 300, slots = 209712
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
(2021-06-11  8:01:58): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_find_method] (0x0100): Target [subdomains] is not initialized
```

(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getDomains: Error [1432158215]: DP target is not configured

(2021-06-11  8:01:58): [pam] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root

(2021-06-11  8:01:58): [pam] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root

(2021-06-11  8:01:58): [pam] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root

(2021-06-11  8:01:58): [pam] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root

(2021-06-11  8:01:58): [sssd] [monitor_sbus_RegisterService] (0x0100): Received ID registration: (pam,1)

(2021-06-11  8:01:58): [sssd] [mark_service_as_started] (0x0200): Marking pam as started.

(2021-06-11  8:01:58): [pam] [sss_monitor_service_init_done] (0x0100): Got id ack and version (1) from Monitor

(2021-06-11  8:01:58): [nss] [sss_mmap_cache_init] (0x0100): Fast 'GROUP' mmap cache: timeout = 300, slots = 157284

(2021-06-11  8:01:58): [nss] [sss_mmap_cache_init] (0x0100): Fast 'INITGROUPS' mmap cache: timeout = 300, slots = 262140

(2021-06-11  8:01:58): [nss] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]

(2021-06-11  8:01:58): [sssd] [sbus_server_new_connection] (0x0200): Adding connection 0x5585f627e880.

(2021-06-11  8:01:58): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.4' from table

(2021-06-11  8:01:58): [pam] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.4' from table

(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.4' from table

(2021-06-11  8:01:58): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table

(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table

(2021-06-11  8:01:58): [pam] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table

(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_find_method] (0x0100): Target [subdomains] is not initialized

(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getDomains: Error [1432158215]: DP target is not configured

(2021-06-11  8:01:58): [nss] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root

(2021-06-11  8:01:58): [nss] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root

(2021-06-11  8:01:58): [nss] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root

(2021-06-11  8:01:58): [nss] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root

(2021-06-11  8:01:58): [sssd] [monitor_sbus_RegisterService] (0x0100): Received ID registration: (nss,1)

(2021-06-11  8:01:58): [sssd] [mark_service_as_started] (0x0200): Marking nss as started.

(2021-06-11  8:01:58): [nss] [sss_monitor_service_init_done] (0x0100): Got id ack and version (1) from Monitor

```

I see there are failures but could not interpret them.
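The severity of each sssd line is the hex value after the function name, as documented in sssd.conf(5): 0x0010 fatal, 0x0020 critical, 0x0040 serious and 0x0080 minor failures, while 0x0100 and higher are configuration and trace output, not failures. The triage script below is an added example, not part of the thread; it parses lines like the ones above, tolerating the interleaved output that `sssd -i` produces when several processes share one terminal (doubled timestamps, lines starting with a stray `): `), and lists only the failure levels. The sample input is taken from the logs posted in this thread.

```python
import re
from collections import Counter

# debug_level bits as documented in sssd.conf(5); the "(0x....)" on a line is
# the bit it was logged under, so failures are exactly the values 0x0010..0x0080.
SSSD_LEVELS = {
    0x0010: "fatal failure", 0x0020: "critical failure",
    0x0040: "serious failure", 0x0080: "minor failure",
    0x0100: "configuration setting", 0x0200: "function data",
    0x0400: "operation trace", 0x1000: "internal control trace",
    0x2000: "function-internal variables", 0x4000: "low-level trace",
}

# Anchor on "[component] [function] (0xLEVEL):" rather than on the timestamp:
# with "sssd -i" several processes share one terminal, so a line may carry a
# doubled timestamp or begin with a stray "): " (both occur in the log above).
LINE_RE = re.compile(
    r"\[(?P<component>[^\[\]]+(?:\[[^\]]*\])?)\]\s+\[(?P<func>\w+)\]\s+"
    r"\((?P<level>0x[0-9A-Fa-f]+)\):\s*(?P<msg>.*)$"
)
TS_RE = re.compile(r"\((\d{4}-\d\d-\d\d\s+\d{1,2}:\d\d:\d\d(?::\d+)?)\)")

# Sample input taken from the logs posted in this thread: an interleaved line,
# its stray continuation, and the multi-line SELinux notice.
SAMPLE = """\
(2021-06-11  8:01:58): [pam] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(2021-06-11  8:01:58(2021-06-11  8:01:58): [pam] [sysdb_domain_init_internal] (0x0200): DB File for MY.DOMAIN.COM: /var/lib/sss/db/cache_MY.DOMAIN.COM.ldb
): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [dp_find_method] (0x0100): Target [subdomains] is not initialized
(2021-06-11  8:01:58): [be[MY.DOMAIN.COM]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getDomains: Error [1432158215]: DP target is not configured
(2021-06-11  8:01:58): [nss] [sss_mmap_cache_init] (0x0100): Fast 'PASSWD' mmap cache: timeout = 300, slots = 209712
(2021-06-11 11:44:29): [nss] [get_client_cred] (0x0080): The following failure is expected to happen in case SELinux is disabled:
SELINUX_getpeercon failed [95][Die Operation wird nicht unterstützt].
Please, consider enabling SELinux in your system.
"""


def parse_sssd_log(text):
    """Turn raw sssd debug output into records; a line without the
    "[component] [function] (0x....):" shape is continuation text and is
    appended to the previous record's message."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.search(line)
        if not m:
            if records:
                records[-1]["msg"] += "\n" + line
            continue
        ts = TS_RE.search(line, 0, m.start())  # only look left of the match
        level = int(m["level"], 16)
        records.append({
            "ts": ts.group(1) if ts else None,
            "component": m["component"],
            "func": m["func"],
            "level": level,
            "severity": SSSD_LEVELS.get(level, "unknown"),
            "msg": m["msg"],
        })
    return records


def failures(records, worst=0x0080):
    """Only the failure levels (0x0010..0x0080), most severe first."""
    return sorted((r for r in records if r["level"] <= worst), key=lambda r: r["level"])


def severity_counts(records):
    """How many lines were logged under each severity name."""
    return Counter(r["severity"] for r in records)
```

Run `failures(parse_sssd_log(open("sssd.log").read()))` over a saved `sssd -i -d 4` transcript to get the short list worth reading first.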

----------

## alamahant

Gentoo has to use the Windows DNS server in /etc/resolv.conf

Try this

From Gentoo

```

ldapsearch -x -D "cn=Administrator,dc=my,dc=domain" -H "ldap://<fqdn-or-ip-of-windows>/" -b "dc=my,dc=domain" -W

```

Ideally it should ask for the Admin password and print the whole DIT.

If not, then the Windows AD LDAP uses crazy formats and you will have to modify your sssd.conf accordingly.

Try also cn=Manager, or try to find out what the name of the LDAP administrative account in Windows is.

----------

## ROGA

 *Quote:*   

> Gentoo has to use the Windows DNS server in /etc/resolv.conf

Good hint! I changed this, so sssd can now find my DC. Now when I start sssd interactively again with debug level 4, I see the following:

```

 sssd -i -d 4

(2021-06-11 11:44:04:144893): [sssd] [sss_ini_read_sssd_conf] (0x0100): File /etc/sssd/sssd.conf does not exist.

(2021-06-11 11:44:04:146705): [sssd] [confdb_init_db] (0x0100): LDIF file to import:

dn: cn=config

version: 2

dn: cn=sssd,cn=config

cn: sssd

config_file_version: 2

services: nss, pam

domains: MY.DOMAIN.COM

debug_level: 5

dn: cn=nss,cn=config

cn: nss

filter_groups: root

filter_users: root

reconnection_retries: 3

dn: cn=pam,cn=config

cn: pam

reconnection_retries: 3

dn: cn=MY.DOMAIN.COM,cn=domain,cn=config

cn: MY.DOMAIN.COM

debug_level: 9

enumerate: true

id_provider: ldap

auth_provider: ldap

chpass_provider: ldap

ldap_uri: ldap://dc-1.MY.DOMAIN.COM

ldap_search_base: dc=my,dc=domain,dc=com

ldap_schema: rfc2307bis

ldap_user_object_class: user

ldap_group_object_class: group

ldap_id_mapping: false

ldap_use_tokengroups: false

ldap_tls_reqcert: allow

(2021-06-11 11:44:04:150137): [sssd] [confdb_ensure_files_domain] (0x0100): The implicit files domain is disabled

(2021-06-11 11:44:04): [sssd] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].

(2021-06-11 11:44:04): [sssd] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].

(2021-06-11 11:44:04): [sssd] [sbus_signal_handler] (0x0020): We do not listen to this signal!

(2021-06-11 11:44:04): [sssd] [sbus_signal_handler] (0x0020): We do not listen to this signal!

(2021-06-11 11:44:04): [sssd] [start_service] (0x0100): Queueing service MY.DOMAIN.COM for startup

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [be_res_get_opts] (0x0100): Lookup order: ipv4_first

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [recreate_ares_channel] (0x0100): Initializing new c-ares channel

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sbus_signal_handler] (0x0020): We do not listen to this signal!

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sbus_signal_handler] (0x0020): We do not listen to this signal!

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [id]

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [auth]

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [permit] provider for [access]

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [chpass]

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [sudo]

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [autofs]

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [selinux]

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [hostid]

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [subdomains]

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [session]

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_load_configuration] (0x0100): Using [ldap] provider for [resolver]

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [DEFAULT][dc=my,dc=domain,dc=com][SUBTREE][]

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [USER][dc=my,dc=domain,dc=com][SUBTREE][]

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [GROUP][dc=my,dc=domain,dc=com][SUBTREE][]

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [NETGROUP][dc=my,dc=domain,dc=com][SUBTREE][]

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [HOST][dc=my,dc=domain,dc=com][SUBTREE][]

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [SERVICE][dc=my,dc=domain,dc=com][SUBTREE][]

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [IPHOST][dc=my,dc=domain,dc=com][SUBTREE][]

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [IPNETWORK][dc=my,dc=domain,dc=com][SUBTREE][]

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [krb5_try_kdcip] (0x0100): No KDC found in configuration, trying legacy option

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [get_sdap_service] (0x0100): Service name for discovery set to ldap

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sysdb_idmap_get_mappings] (0x0080): Could not locate ID mappings: [Datei oder Verzeichnis nicht gefunden]

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sssm_ldap_sudo_init] (0x0080): Sudo init handler called but SSSD is built without sudo support, ignoring

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [AUTOFS][dc=my,dc=domain,dc=com][SUBTREE][]

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_target_init] (0x0100): Target [selinux] is not supported by module [ldap].

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_target_init] (0x0100): Target [subdomains] is not supported by module [ldap].

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_target_init] (0x0100): Target [session] is not supported by module [ldap].

(2021-06-11 11:44:04): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.2' from table

(2021-06-11 11:44:04): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.domain_MY_2eDOMAIN_2eCOM' from table

(2021-06-11 11:44:04): [sssd] [monitor_sbus_RegisterService] (0x0100): Received ID registration: (%BE_MY.DOMAIN.COM,1)

(2021-06-11 11:44:04): [sssd] [mark_service_as_started] (0x0100): Now starting services!

(2021-06-11 11:44:04): [sssd] [start_service] (0x0100): Queueing service nss for startup

(2021-06-11 11:44:04): [sssd] [start_service] (0x0100): Queueing service pam for startup

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_monitor_service_init_done] (0x0100): Got id ack and version (1) from Monitor

(2021-06-11 11:44:04): [nss] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].

(2021-06-11 11:44:04): [nss] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_client_init] (0x0100): Set-up Backend ID timeout [0x558025570d70]

(2021-06-11 11:44:04): [pam] [sss_names_init_from_args] (0x0100): Using re [(?P<name>[^@]+)@?(?P<domain>[^@]*$)].

(2021-06-11 11:44:04): [pam] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_client_init] (0x0100): Set-up Backend ID timeout [0x558025577b40]

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.2' from table

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_client_register] (0x0100): Added Frontend client [nss]

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_client_register] (0x0100): Cancel DP ID timeout [0x558025570d70]

(2021-06-11 11:44:04): [nss] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].

(2021-06-11 11:44:04): [nss] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].

(2021-06-11 11:44:04): [pam] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].

(2021-06-11 11:44:04): [pam] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].

(2021-06-11 11:44:04): [pam] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_client_register] (0x0100): Added Frontend client [pam]

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_client_register] (0x0100): Cancel DP ID timeout [0x558025577b40]

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table

(2021-06-11 11:44:04): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.3' from table

(2021-06-11 11:44:04(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table

): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.pam' from table

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_find_method] (0x0100): Target [subdomains] is not initialized

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getDomains: Error [1432158215]: DP target is not configured

(2021-06-11 11:44:04): [sssd] [monitor_sbus_RegisterService] (0x0100): Received ID registration: (pam,1)

(2021-06-11 11:44:04): [pam] [sss_monitor_service_init_done] (0x0100): Got id ack and version (1) from Monitor

(2021-06-11 11:44:04): [nss] [sss_mc_destroy_file] (0x0010): Failed to lock file /var/lib/sss/mc/passwd.

(2021-06-11 11:44:04): [nss] [sss_mmap_cache_init] (0x0100): Fast 'PASSWD' mmap cache: timeout = 300, slots = 209712

(2021-06-11 11:44:04): [nss] [sss_mc_destroy_file] (0x0010): Failed to lock file /var/lib/sss/mc/group.

(2021-06-11 11:44:04): [nss] [sss_mmap_cache_init] (0x0100): Fast 'GROUP' mmap cache: timeout = 300, slots = 157284

(2021-06-11 11:44:04): [nss] [sss_mc_destroy_file] (0x0010): Failed to lock file /var/lib/sss/mc/initgroups.

(2021-06-11 11:44:04): [nss] [sss_mmap_cache_init] (0x0100): Fast 'INITGROUPS' mmap cache: timeout = 300, slots = 262140

(2021-06-11 11:44:04): [nss] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]

(2021-06-11 11:44:04): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.4' from table

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.4' from table

(2021-06-11 11:44:04): [pam] [sss_ptr_hash_delete] (0x0020): Unable to remove key ':1.4' from table

(2021-06-11 11:44:04): [sssd] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [dp_find_method] (0x0100): Target [subdomains] is not initialized

(2021-06-11 11:44:04): [be[MY.DOMAIN.COM]] [sbus_issue_request_done] (0x0040): sssd.dataprovider.getDomains: Error [1432158215]: DP target is not configured

(2021-06-11 11:44:04): [pam] [sss_ptr_hash_delete] (0x0020): Unable to remove key 'sssd.nss' from table

(2021-06-11 11:44:04): [sssd] [monitor_sbus_RegisterService] (0x0100): Received ID registration: (nss,1)

(2021-06-11 11:44:04): [nss] [sss_monitor_service_init_done] (0x0100): Got id ack and version (1) from Monitor

(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'

(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'dc-1.MY.DOMAIN.COM' in files

(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [set_server_common_status] (0x0100): Marking server 'dc-1.MY.DOMAIN.COM' as 'resolving name'

(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'dc-1.MY.DOMAIN.COM' in files

(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'dc-1.MY.DOMAIN.COM' in DNS

(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [set_server_common_status] (0x0100): Marking server 'dc-1.MY.DOMAIN.COM' as 'name resolved'

(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [sdap_set_search_base] (0x0100): Setting option [ldap_sudo_search_base] to [dc=my,dc=domain,dc=com].

(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [common_parse_search_base] (0x0100): Search base added: [SUDO][dc=my,dc=domain,dc=com][SUBTREE][]

(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility level to [4]

(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [sdap_get_server_opts_from_rootdse] (0x0100): Will look for schema at [CN=Schema,CN=Configuration,dc=my,dc=domain,dc=com]

(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [sdap_cli_auth_step] (0x0100): expire timeout is 900

(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dc-1.MY.DOMAIN.COM' as 'working'

(2021-06-11 11:44:14): [be[MY.DOMAIN.COM]] [set_server_common_status] (0x0100): Marking server 'dc-1.MY.DOMAIN.COM' as 'working'

(2021-06-11 11:44:29): [nss] [get_client_cred] (0x0080): The following failure is expected to happen in case SELinux is disabled:

SELINUX_getpeercon failed [95][Die Operation wird nicht unterstützt].

Please, consider enabling SELinux in your system.

(2021-06-11 11:44:29): [nss] [nss_endent] (0x0100): Resetting enumeration state

(2021-06-11 11:44:42): [nss] [get_client_cred] (0x0080): The following failure is expected to happen in case SELinux is disabled:

SELINUX_getpeercon failed [95][Die Operation wird nicht unterstützt].

Please, consider enabling SELinux in your system.

(2021-06-11 11:44:52): [nss] [get_client_cred] (0x0080): The following failure is expected to happen in case SELinux is disabled:

SELINUX_getpeercon failed [95][Die Operation wird nicht unterstützt].

Please, consider enabling SELinux in your system.

```

But in fact sssd still doesn't work.

 *Quote:*   

> ldapsearch -x -D "cn=Administrator,dc=my,dc=domain" -H "ldap://<fqdn-or-ip-of-windows>/" -b "dc=my,dc=domain" -W

 

This gave me the following error:

```
Enter LDAP Password:

ldap_bind: Invalid credentials (49)

        additional info: 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1

```

I'm the owner of the Windows domain, so I know the administrator's credentials. I don't understand the above message: invalid credentials (49). Where is the problem?

I entered the command

```
# sssctl domain-list 

MY.DOMAIN.COM 
```

followed by

```
# sssctl domain-status MY.DOMAIN.COM

Online status: Online

Active servers:

LDAP: dc-1.my.domain.com

Discovered LDAP servers:

- dc-1.my.domain.com
```

Do you have further good tips?
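Active Directory answers every failed simple bind with LDAP result 49; the actual cause is only in the `data 52e` sub-error of the diagnostic shown above (52e is a logon failure: bad password or a bind identity AD does not recognise). As an added example that is not part of the thread, this script decodes that diagnostic, derives the base DN the domain MY.DOMAIN.COM implies (the sssd.conf above searches `dc=my,dc=domain,dc=com`, while the ldapsearch was given `dc=my,dc=domain`), and lists the identity forms AD accepts for a simple bind. The `cn=Users` container and the NetBIOS name being the first DNS label are assumptions.

```python
import re

# Sub-error that Active Directory appends as "data NNN" (hex) to the
# diagnostic of a failed simple bind; the LDAP result code itself is always 49.
AD_BIND_DATA_CODES = {
    0x525: "user not found",
    0x52e: "logon failure: bad password or unrecognised bind identity",
    0x530: "logon not permitted at this time",
    0x531: "logon not permitted from this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}

RESULT_RE = re.compile(r"ldap_bind:\s*(?P<name>[^(]+?)\s*\((?P<code>\d+)\)")
DIAG_RE = re.compile(
    r"(?P<win>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+)"
)

# The ldapsearch output posted in this thread.
SAMPLE_ERROR = """Enter LDAP Password:
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1
"""


def explain_bind_error(text):
    """Extract the LDAP result and the AD sub-error from a bind failure."""
    info = {"result_code": None, "result_name": None, "comment": None,
            "data": None, "meaning": None}
    m = RESULT_RE.search(text)
    if m:
        info["result_code"] = int(m["code"])
        info["result_name"] = m["name"]
    d = DIAG_RE.search(text)
    if d:
        info["comment"] = d["comment"]
        info["data"] = int(d["data"], 16)
        info["meaning"] = AD_BIND_DATA_CODES.get(info["data"], "unknown sub-error")
    return info


def base_dn_from_domain(dns_domain):
    """Default naming context of an AD domain: one dc= component per DNS label."""
    return ",".join(f"dc={label.lower()}" for label in dns_domain.split("."))


def search_base_matches(search_base, dns_domain):
    """True if the -b argument equals the base DN the domain implies
    (case- and whitespace-insensitive)."""
    def norm(s):
        return s.replace(" ", "").lower()
    return norm(search_base) == norm(base_dn_from_domain(dns_domain))


def bind_identities(user, dns_domain, netbios=None):
    """Identity forms AD accepts for a simple bind. Assumptions: the account
    sits in the default CN=Users container, and the NetBIOS domain name is
    the first DNS label unless given explicitly."""
    netbios = netbios or dns_domain.split(".")[0].upper()
    return {
        "dn": f"cn={user},cn=Users,{base_dn_from_domain(dns_domain)}",
        "upn": f"{user}@{dns_domain.lower()}",
        "nt4": f"{netbios}\\{user}",
    }
```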

----------

## alamahant

You are having trouble because the Windows AD LDAP is stupid and behaves differently from Linux.

Windows is stupid period.

Maybe go back to using

nss-pam-ldapd

following this

https://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=8

----------

## ROGA

You're right. I will try to go back to nss-pam-ldapd ... 

 *Quote:*   

> Windows is stupid period.

 

I think so too :)

Thanks for your time

----------

## alamahant

Please, if you are still on sssd, try WITHOUT these

```

ldap_schema = rfc2307bis

ldap_sasl_mech = GSSAPI

ldap_user_object_class = user

ldap_group_object_class = group

ldap_id_mapping = false

ldap_use_tokengroups = false

ldap_user_principal = userPrincipalName

```

and add also

```

krb5_server = <fqdn-of-windows>

# ca-certificates.crt is a bundle file, so it belongs in ldap_tls_cacert;
# ldap_tls_cacertdir expects a directory of CA certificates
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

ldap_uri = ldap://<fqdn-of-windows>/

krb5_kpasswd = <fqdn-of-windows>

```

in addition to what you have already.

Better NOT use an IP.

----------

