Old 07-11-2010, 05:08 AM
John Nissley
 
Error No matching domain found for 5001 in sssd_nss.log

I will admit that getting fedora 13 to authenticate against my dirsrv
ldap server has been an interesting experience. I still do not think I
have it right since getent passwd does not display the ldap users but
for some reason I am able to log in with my ldap user name and password
and the home directory mapping is pulled out of ldap.

This error is in my sssd.nss.log file after reboot when I try to log in.
[sssd[nss]] [nss_cmd_getgrgid_callback] (0): No matching domain found
for [5001], fail!
The interesting thing is that the uid for the user trying to
authenticate is 5001 so that must be coming back from the ldap server.

Here is what matters in my nsswitch.conf file.
passwd: files sss
shadow: files sss
group: files sss

If I change that to files ldap then getent passwd will return my ldap
users but then initial boot takes about 10 minutes since the computer
tries to contact the ldap server during boot up before the ethernet card
has been brought up.

Here is what matters from my sssd.conf file.
[domain/xxxxxxx] (where xxxxxxx is the domain in ldap)
ldap_id_use_start_tls = True
cache_credentials = True
debug_level = 0
ldap_search_base = dc=nissley,dc=org
chpass_provider = ldap
id_provider = ldap
auth_provider = ldap
cache_credentials = True
min_id = 100
ldap_uri = ldap://192.168.10.7
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = allow

I do have an issue with a self signed certificate so that is why I am
using the ldap_tls_reqcert = allow setting.

Can someone please help me straighten out my network login via ldap
problem I am having? I was doing the same network login to the same
ldap server with Fedora 12 and had no issues at all. Fedora 13 requires
tls or ldaps which is where my problems started. I was not using either
of them when using Fedora 12.

Thank you.
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 07-11-2010, 06:31 AM
JD
 
Error No matching domain found for 5001 in sssd_nss.log

On 07/10/2010 10:08 PM, John Nissley wrote:
> I will admit that getting fedora 13 to authenticate against my dirsrv
> ldap server has been an interesting experience. I still do not think I
> have it right since getent passwd does not display the ldap users but
> for some reason I am able to log in with my ldap user name and password
> and the home directory mapping is pulled out of ldap.
>
> This error is in my sssd.nss.log file after reboot when I try to log in.
> [sssd[nss]] [nss_cmd_getgrgid_callback] (0): No matching domain found
> for [5001], fail!
> The interesting thing is that the uid for the user trying to
> authenticate is 5001 so that must be coming back from the ldap server.

Perhaps the devs at
https://fedorahosted.org/sssd/
might shed a better light on this.
However, I did not find a mailing list dedicated to sssd.

 
Old 07-11-2010, 06:34 AM
JD
 
Error No matching domain found for 5001 in sssd_nss.log

On 07/10/2010 11:31 PM, JD wrote:
> On 07/10/2010 10:08 PM, John Nissley wrote:
>> I will admit that getting fedora 13 to authenticate against my dirsrv
>> ldap server has been an interesting experience. I still do not think I
>> have it right since getent passwd does not display the ldap users but
>> for some reason I am able to log in with my ldap user name and password
>> and the home directory mapping is pulled out of ldap.
>>
>> This error is in my sssd.nss.log file after reboot when I try to log in.
>> [sssd[nss]] [nss_cmd_getgrgid_callback] (0): No matching domain found
>> for [5001], fail!
>> The interesting thing is that the uid for the user trying to
>> authenticate is 5001 so that must be coming back from the ldap server.
>
> Perhaps the devs at
> https://fedorahosted.org/sssd/
> might shed a better light on this.
> However, I did not find a mailing list dedicated to sssd.
>
I spoke too soon:
https://fedorahosted.org/mailman/listinfo/sssd-devel
 
Old 07-19-2010, 02:20 PM
Stephen Gallagher
 
Error No matching domain found for 5001 in sssd_nss.log

On 07/11/2010 01:08 AM, John Nissley wrote:
> I will admit that getting fedora 13 to authenticate against my dirsrv
> ldap server has been an interesting experience. I still do not think I
> have it right since getent passwd does not display the ldap users but
> for some reason I am able to log in with my ldap user name and password
> and the home directory mapping is pulled out of ldap.

By default, SSSD does not return answers to 'getpwent' requests, only
'getpwuid' and 'getpwnam' (and the group equivalents). This is to avoid
returning ridiculous numbers of replies from very large deployments.

If you want this behavior, add 'enumerate=true' to the
[domain/<yourdomain>] section in /etc/sssd/sssd.conf (<yourdomain> is
usually 'default', unless you created it manually)

>
> This error is in my sssd.nss.log file after reboot when I try to log in.
> [sssd[nss]] [nss_cmd_getgrgid_callback] (0): No matching domain found
> for [5001], fail!
> The interesting thing is that the uid for the user trying to
> authenticate is 5001 so that must be coming back from the ldap server.
>

Note the error message. It's performing a getgrgid request, not a
getpwuid request. That means that it's looking for a group in ldap with
the same ID (5001) that it cannot find. Probably this means that your
user is specified as having UID=5001, primary GID=5001, but LDAP doesn't
actually have a group stored with GID=5001.

<snip>
>
> Can some on please help me straighten out my network login via ldap
> problem I am having. I was doing the same network login to the same
> ldap server with Fedora 12 and had no issues at all. Fedora 13 requires
> tls or ldaps which is where my problems started. I was not using either
> of them when using Fedora 12.

SSSD doesn't allow you to perform authentication without using TLS or
LDAPS because doing so sends your password unencrypted over the
internet. The old way of doing things - nss_ldap - used to allow this.
When we developed the SSSD we decided to be more strict, since no good
can come of allowing unencrypted passwords on the wire.

--
Stephen Gallagher
RHCE 804006346421761
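To check a directory for exactly the mismatch Stephen describes (a posixAccount whose primary gidNumber has no matching posixGroup, so getgrgid fails), here is an added Python example; it is not code from the thread or from SSSD. The LDIF is constructed and the suffix dc=example,dc=org is an assumption; in practice the input would be the output of ldapsearch -LLL against the server, and the min_id default mirrors the poster's sssd.conf.

```python
# Constructed sample LDIF (not from the thread): john has uid/gid 5001 but no
# posixGroup with gidNumber 5001 exists, the situation Stephen describes above.
SAMPLE_LDIF = """\
dn: uid=john,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: john
uidNumber: 5001
gidNumber: 5001

dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 5002
gidNumber: 5000

dn: cn=staff,ou=Groups,dc=example,dc=org
objectClass: posixGroup
cn: staff
gidNumber: 5000
"""

def parse_ldif(text):
    """Split plain LDIF into one {attribute: [values]} dict per entry.
    Base64 ('::') and line-folded values are not handled."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, value = line.split(":", 1)
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def orphaned_primary_gids(ldif_text, min_id=100):
    """Return {uid: gidNumber} for posixAccounts whose primary gidNumber has
    no posixGroup. Accounts with uidNumber below min_id are skipped, mirroring
    the min_id = 100 filter in the poster's sssd.conf."""
    entries = parse_ldif(ldif_text)
    group_gids = {int(e["gidNumber"][0]) for e in entries
                  if "posixGroup" in e.get("objectClass", [])}
    orphans = {}
    for e in entries:
        if "posixAccount" not in e.get("objectClass", []):
            continue
        if int(e["uidNumber"][0]) < min_id:
            continue
        gid = int(e["gidNumber"][0])
        if gid not in group_gids:
            orphans[e["uid"][0]] = gid
    return orphans
```

Each user it reports is one that will produce the "No matching domain found for [gid]" line in sssd_nss.log at login until a posixGroup with that gidNumber is added to the directory.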