Forum |  HardWare.fr | News | Articles | PC | S'identifier | S'inscrire | Shop Recherche
1772 connectés 

  FORUM HardWare.fr
  Systèmes & Réseaux Pro
  Management du SI

  Intégration d'un poste Debian dans un AD

 


 Mot :   Pseudo :  
 
Bas de page
Auteur Sujet :

Intégration d'un poste Debian dans un AD

n°180460
nomiss
La rootine
Posté le 03-07-2024 à 17:38:13  profilanswer
 

Salut,
 
Je travaille sur l'intégration d'un poste pilote en Debian 12.5 dans un environnement Microsoft Active Directory.
Celà fait 2 semaines que je suis sur le sujet. J'ai bel et bien réussi à intégrer mon poste sur l'AD mais pour la partie authentification du user, je bloque.
 
J'ai cette erreur au niveau de sssd
 

Code :
  1. juin 26 16:01:25 Computer253 sssd_be[21092]: Starting up
  2. juin 26 16:01:56 Computer253 sssd[20975]: Child [21092] ('xxx.intra.domain.fr':'%BE_xxx.intra.domain.fr') was terminated by own WATCHDOG. Consult corresponding logs to figure out the reason.


 
 
Config sssd.conf
 

Code :
  1. [sssd]
  2.     domains = xxx.intra.domain.fr
  3.     config_file_version = 2
  4.     services = nss, pam
  5.    
  6.     [domain/xxx.intra.domain.fr]
  7.     ad_domain = xxx.intra.domain.fr
  8.     ad_server = server1, server2, server3
  9.     access_provider =ad
  10.     auth_provider = ad
  11.     id_provider = ad
  12.     default_shell = /bin/bash
  13.     krb5_store_password_if_offline = True
  14.     krb5_realm = XXX.INTRA.DOMAIN.FR
  15.     cache_credentials = True
  16.     realmd_tags = manages-system joined-with-adcli
  17.     fallback_homedir = /home/%u@%d
  18.     use_fully_qualified_names = True
  19.     ldap_id_mapping = True
  20.     debug_level = 1
  21.     enumerate = True
  22.     ldap_user_uid_number = uidNumber
  23.     ldap_user_gid_number = gidNumber


Config krb5.conf

Code :
  1. [libdefaults]
  2.     udp_preference_limit = 0
  3.     default_realm = XXX.INTRA.DOMAIN.FR
  4.     dns_lookup_realm = true
  5.     dns_lookup_kdc = true


Cette commande marche :  


root@Computer253:/var/log/sssd# getent passwd chucknorris@xxx.intra.domain.fr
chucknorris@xxx.intra.domain.fr:*:7759189:7600513:NORRIS CHUCK:/home/chucknorris@xxx.intra.domain.fr:/bin/bash


 
Une partie du log

sssd_xxx.intra.domain.fr.log


Code :
  1. *  (2024-06-26 17:01:35): [be[xxx.intra.domain.fr]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
  2.        *  (2024-06-26 17:01:35): [be[xxx.intra.domain.fr]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
  3.        *  (2024-06-26 17:01:35): [be[xxx.intra.domain.fr]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [groupType]
  4.        *  (2024-06-26 17:01:35): [be[xxx.intra.domain.fr]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 14
  5.        *  (2024-06-26 17:01:35): [be[xxx.intra.domain.fr]] [sdap_op_add] (0x2000): New operation 14 timeout 60
  6.        *  (2024-06-26 17:01:35): [be[xxx.intra.domain.fr]] [sdap_process_result] (0x2000): Trace: sh[0x559ddc9815f0], connected[1], ops[0x559decf99a80], ldap[0x559ddc89f210]
  7.        *  (2024-06-26 17:01:35): [be[xxx.intra.domain.fr]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
  8.        *  (2024-06-26 17:01:35): [be[xxx.intra.domain.fr]] [sdap_op_timeout] (0x1000): Issuing timeout [ldap_opt_timeout] for message id 3
  9.        *  (2024-06-26 17:01:35): [be[xxx.intra.domain.fr]] [sdap_op_destructor] (0x1000): Abandoning operation 3
  10.        *  (2024-06-26 17:01:35): [be[xxx.intra.domain.fr]] [generic_ext_search_handler] (0x0020): sdap_get_generic_ext_recv failed: [110]: Connexion terminée par expiration du délai d'attente [ldap_search_timeout]
  11.     ********************** BACKTRACE DUMP ENDS HERE *********************************
  12.    
  13.     (2024-06-26 17:01:35): [be[xxx.intra.domain.fr]] [ad_get_slave_domain_done] (0x0020): Unable to lookup slave domain data [110]: Connexion terminée par expiration du délai d'attente
  14.     ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
  15.        *  (2024-06-26 17:01:35): [be[xxx.intra.domain.fr]] [sdap_search_bases_ex_done] (0x0400): Receiving data from base [dc=intra,dc=domain,dc=fr]
  16.        *  (2024-06-26 17:01:35): [be[xxx.intra.domain.fr]] [ad_get_slave_domain_done] (0x0020): Unable to lookup slave domain data [110]: Connexion terminée par expiration du délai d'attente


Une partie du log

sssd.log


Code :
  1. *  (2024-06-26 16:59:56): [sssd] [sbus_senders_add] (0x2000): Inserting identity of sender [sssd.pac]: 0
  2.        *  (2024-06-26 16:59:56): [sssd] [monitor_sbus_RegisterService] (0x0100): Received ID registration: (pac,1)
  3.        *  (2024-06-26 16:59:56): [sssd] [mark_service_as_started] (0x0200): Marking pac as started.
  4.        *  (2024-06-26 16:59:56): [sssd] [mark_service_as_started] (0x0400): All services have successfully started, creating pid file
  5.        *  (2024-06-26 16:59:56): [sssd] [notify_startup] (0x0400): Sending startup notification to systemd
  6.        *  (2024-06-26 16:59:56): [sssd] [sbus_issue_request_done] (0x0400): sssd.monitor.RegisterService: Success
  7.        *  (2024-06-26 16:59:56): [sssd] [sbus_dispatch] (0x4000): Dispatching.
  8.        *  (2024-06-26 17:00:01): [sssd] [services_startup_timeout] (0x0400): Handling timeout
  9.        *  (2024-06-26 17:00:37): [sssd] [mt_svc_exit_handler] (0x1000): SIGCHLD handler of service xxx.intra.domain.fr called
  10.        *  (2024-06-26 17:00:37): [sssd] [svc_child_info] (0x0020): Child [24897] ('xxx.intra.domain.fr':'%BE_xxx.intra.domain.fr') was terminated by own WATCHDOG
  11.     ********************** BACKTRACE DUMP ENDS HERE *********************************
  12.    
  13.     (2024-06-26 17:01:58): [sssd] [svc_child_info] (0x0020): Child [24968] ('xxx.intra.domain.fr':'%BE_xxx.intra.domain.fr') was terminated by own WATCHDOG
  14.        *  ... skipping repetitive backtrace ...
  15.     (2024-06-26 17:02:49): [sssd] [svc_child_info] (0x0020): Child [24994] ('xxx.intra.domain.fr':'%BE_xxx.intra.domain.fr') was terminated by own WATCHDOG
  16.        *  ... skipping repetitive backtrace ...
  17.     (2024-06-26 17:03:30): [sssd] [svc_child_info] (0x0020): Child [25008] ('xxx.intra.domain.fr':'%BE_xxx.intra.domain.fr') was terminated by own WATCHDOG
  18.        *  ... skipping repetitive backtrace ...
  19.     (2024-06-26 17:04:21): [sssd] [svc_child_info] (0x0020): Child [25016] ('xxx.intra.domain.fr':'%BE_xxx.intra.domain.fr') was terminated by own WATCHDOG


sytemctl status sssd


Code :
  1. ● sssd.service - System Security Services Daemon
  2.          Loaded: loaded (/lib/systemd/system/sssd.service; enabled; preset: enabled)
  3.          Active: active (running) since Wed 2024-06-26 17:06:53 CEST; 2min 10s ago
  4.        Main PID: 25183 (sssd)
  5.           Tasks: 5 (limit: 37992)
  6.          Memory: 703.4M
  7.             CPU: 1min 33.427s
  8.          CGroup: /system.slice/sssd.service
  9.                  ├─25183 /usr/sbin/sssd -i --logger=files
  10.                  ├─25190 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
  11.                  ├─25191 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
  12.                  ├─25192 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files
  13.                  └─25276 /usr/libexec/sssd/sssd_be --domain xxx.intra.domain.fr --uid 0 --gid 0 --logger=files
  14.    
  15.     juin 26 17:06:53 Computer253 sssd[25183]: Starting up
  16.     juin 26 17:06:53 Computer253 sssd_be[25189]: Starting up
  17.     juin 26 17:06:53 Computer253 sssd_pac[25192]: Starting up
  18.     juin 26 17:06:53 Computer253 sssd_nss[25190]: Starting up
  19.     juin 26 17:06:53 Computer253 sssd_pam[25191]: Starting up
  20.     juin 26 17:06:53 Computer253 systemd[1]: Started sssd.service - System Security Services Daemon.
  21.     juin 26 17:07:44 Computer253 sssd[25183]: Child [25189] ('xxx.intra.domain.fr':'%BE_xxx.intra.domain.fr') was terminated by own WATCHDOG. Consult corresponding logs to figure out the reason.
  22.     juin 26 17:07:44 Computer253 sssd_be[25241]: Starting up
  23.     juin 26 17:08:15 Computer253 sssd[25183]: Child [25241] ('xxx.intra.domain.fr':'%BE_xxx.intra.domain.fr') was terminated by own WATCHDOG. Consult corresponding logs to figure out the reason.
  24.     juin 26 17:08:15 Computer253 sssd_be[25276]: Starting up


 
Quand j'essaye de me connecter avec un AD user par exemple Chuck Norris, ça ne fonctionne pas. Je dois écrire user@domain avec le bon password, ça fonctionne mais je ne passe pas sur le desktop ensuite, je reste sur l'écran de logon. La homedir est créée.
 
Je ne sais pas où agir à présent ..
 
 
[edit] Retour de mon terminal avec les config krb5, sssd.conf, pam légèrement modifée et j'ai cette erreur  
 

Code :
  1. root@Computer253:/var/log/sssd# systemctl status sssd
  2. ● sssd.service - System Security Services Daemon
  3.      Loaded: loaded (/lib/systemd/system/sssd.service; enabled; preset: enabled)
  4.      Active: active (running) since Wed 2024-07-03 17:03:26 CEST; 7min ago
  5.    Main PID: 18260 (sssd)
  6.       Tasks: 2 (limit: 37992)
  7.      Memory: 19.5M
  8.         CPU: 3min 32.115s
  9.      CGroup: /system.slice/sssd.service
  10.              ├─18260 /usr/sbin/sssd -i --logger=files
  11.              └─18715 /usr/libexec/sssd/sssd_be --domain intra.domain.fr --uid 0 --gid 0 --logger=files
  12. juil. 03 17:09:12 Computer253 sssd_be[18610]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
  13. juil. 03 17:09:12 Computer253 sssd_be[18610]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
  14. juil. 03 17:09:43 Computer253 sssd[18260]: Child [18610] ('intra.domain.fr':'%BE_intra.domain.fr') was terminated by own WATCHDOG. Consult corresponding logs to figure out the reason.
  15. juil. 03 17:09:43 Computer253 sssd_be[18652]: Starting up
  16. juil. 03 17:09:43 Computer253 sssd_be[18652]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
  17. juil. 03 17:09:43 Computer253 sssd_be[18652]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
  18. juil. 03 17:10:34 Computer253 sssd[18260]: Child [18652] ('intra.domain.fr':'%BE_intra.domain.fr') was terminated by own WATCHDOG. Consult corresponding logs to figure out the reason.
  19. juil. 03 17:10:34 Computer253 sssd_be[18715]: Starting up
  20. juil. 03 17:10:34 Computer253 sssd_be[18715]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
  21. juil. 03 17:10:34 Computer253 sssd_be[18715]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb


Spoiler :

root@Computer253:/var/log/sssd# cat /etc/krb5.conf
 
[libdefaults]
udp_preference_limit = 0
default_realm = intra.domain.fr
dns_lookup_realm = true
dns_lookup_kdc = true
root@Computer253:/var/log/sssd# cat /etc/sssd.conf
cat: /etc/sssd.conf: Aucun fichier ou dossier de ce type
root@Computer253:/var/log/sssd# systemctl status sssd
● sssd.service - System Security Services Daemon
     Loaded: loaded (/lib/systemd/system/sssd.service; enabled; preset: enabled)
     Active: active (running) since Wed 2024-07-03 17:03:26 CEST; 7min ago
   Main PID: 18260 (sssd)
      Tasks: 2 (limit: 37992)
     Memory: 19.5M
        CPU: 3min 32.115s
     CGroup: /system.slice/sssd.service
             ├─18260 /usr/sbin/sssd -i --logger=files
             └─18715 /usr/libexec/sssd/sssd_be --domain intra.domain.fr --uid 0 --gid 0 --logger=files
 
juil. 03 17:09:12 Computer253 sssd_be[18610]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
juil. 03 17:09:12 Computer253 sssd_be[18610]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
juil. 03 17:09:43 Computer253 sssd[18260]: Child [18610] ('intra.domain.fr':'%BE_intra.domain.fr') was terminated by own WATCHDOG. Consult corresponding logs to figure out the reason.
juil. 03 17:09:43 Computer253 sssd_be[18652]: Starting up
juil. 03 17:09:43 Computer253 sssd_be[18652]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
juil. 03 17:09:43 Computer253 sssd_be[18652]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
juil. 03 17:10:34 Computer253 sssd[18260]: Child [18652] ('intra.domain.fr':'%BE_intra.domain.fr') was terminated by own WATCHDOG. Consult corresponding logs to figure out the reason.
juil. 03 17:10:34 Computer253 sssd_be[18715]: Starting up
juil. 03 17:10:34 Computer253 sssd_be[18715]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
juil. 03 17:10:34 Computer253 sssd_be[18715]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
 
root@Computer253:/var/log/sssd# cat /etc/krb5.conf
 
[libdefaults]
udp_preference_limit = 0
default_realm = intra.domain.fr
dns_lookup_realm = true
dns_lookup_kdc = true
root@Computer253:/var/log/sssd# cat /etc/sssd/sssd.conf  
 
[sssd]
domains = intra.domain.fr
default_domain_suffix = intra.domain.fr
config_file_version = 2
# services = nss, pam
implicit_pac_responder = False
 
[domain/intra.domain.fr]
access_provider =ad
ad_domain = intra.domain.fr
# ad_server = server1, server2, server3
# auth_provider = ad
cache_credentials = True
default_shell = /bin/bash
debug_level = 3
enumerate = True
fallback_homedir = /home/%u@%d
override_homedir = /home/%u@%d
id_provider = ad
ldap_id_mapping = True
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
krb5_store_password_if_offline = True
krb5_realm = intra.domain.fr
realmd_tags = manages-system joined-with-adcli  
use_fully_qualified_names = True
dyndns_update = False
 
root@Computer253:/var/log/sssd# cat /etc/pam.conf  
# ---------------------------------------------------------------------------#
# /etc/pam.conf             #
# ---------------------------------------------------------------------------#
#
# NOTE
# ----
#
# NOTE: Most program use a file under the /etc/pam.d/ directory to setup their
# PAM service modules. This file is used only if that directory does not exist.
# ---------------------------------------------------------------------------#
 
# Format:
# serv. module    ctrl       module [path] ...[args..]       #
# name type    flag            #
                     
root@Computer253:/var/log/sssd# cat /etc/pam.d/common-auth  
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
 
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite   pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required   pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
root@Computer253:/var/log/sssd# cat /etc/pam.d/common-
common-account                 common-auth                    common-password                common-session                 common-session-noninteractive  
 
root@Computer253:/var/log/sssd# cat /etc/pam.d/common-account  
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
#
 
# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so  
# here's the fallback if no module succeeds
account requisite   pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required   pam_permit.so
# and here are more per-package modules (the "Additional" block)
account sufficient   pam_localuser.so  
account [default=bad success=ok user_unknown=ignore] pam_sss.so  
# end of pam-auth-update config
 
root@Computer253:/var/log/sssd# cat /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of interactive sessions.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
 
# here are the per-package modules (the "Primary" block)
session [default=1]   pam_permit.so
# here's the fallback if no module succeeds
session requisite   pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required   pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so  
session optional pam_sss.so  
session optional pam_systemd.so
session optional pam_mkhomedir.so skel=/etc/skel umask=077
session optional pam_mount.so  
# end of pam-auth-update config
 

Message cité 1 fois
Message édité par nomiss le 03-07-2024 à 17:39:31
mood
Publicité
Posté le 03-07-2024 à 17:38:13  profilanswer
 

n°180463
darxmurf
meow
Posté le 04-07-2024 à 15:51:44  profilanswer
 

nomiss a écrit :

Salut,

 

Je travaille sur l'intégration d'un poste pilote en Debian 12.5 dans un environnement Microsoft Active Directory.
Celà fait 2 semaines que je suis sur le sujet. J'ai bel et bien réussi à intégrer mon poste sur l'AD mais pour la partie authentification du user, je bloque.

 

J'ai cette erreur au niveau de sssd

  

[/spoiler]

 

j'ai une ancienne conf AD+ldap+kerberos (donc pas SSSD) mais mon fichier krb5.conf contient beaucoup plus d'infos [:paysan] mais comme SSSD en a aussi visiblement, c'est peut être normal de ton côté.


Message édité par darxmurf le 04-07-2024 à 15:52:06

---------------
Des trucs - flickr - Instagram
n°180466
nomiss
La rootine
Posté le 04-07-2024 à 16:13:47  profilanswer
 

Salut,
 
Je suis intéressé si jamais tu peux le partager
 
Petite nouveauté, je me suis rendu compte que la doc de https://medium.com/@aurelson/debian [...] fdb8be0a19 ne disait pas d'installer le paquet samba mais seulement samba-common-bin. J'ai installé samba et depuis j'ai pu me connecter avec mon utilisateur mais ce n'est pas parfait j'ai encore des erreurs, ma config n'est pas encore stabilisé.
 
Configuration Samba
 

Code :
  1. root@Computer253:/home# samba --version
  2. Version 4.17.12-Debian
  3. root@Computer253:/home# systemctl status samba
  4. ○ samba-ad-dc.service - Samba AD Daemon
  5.      Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled; preset: enabled)
  6.      Active: inactive (dead) (Result: exec-condition) since Thu 2024-07-04 15:56:05 CEST; 3s ago
  7.   Condition: start condition failed at Thu 2024-07-04 15:56:04 CEST; 4s ago
  8.        Docs: man:samba(8)
  9.              man:samba(7)
  10.              man:smb.conf(5)
  11.     Process: 11546 ExecCondition=/usr/share/samba/is-configured samba (code=exited, status=1/FAILURE)
  12.         CPU: 25ms
  13. juil. 04 15:56:05 Computer253 systemd[1]: Starting samba-ad-dc.service - Samba AD Daemon...
  14. juil. 04 15:56:05 Computer253 systemd[1]: samba-ad-dc.service: Skipped due to 'exec-condition'.
  15. juil. 04 15:56:05 Computer253 systemd[1]: Condition check resulted in samba-ad-dc.service - Samba AD Daemon being skipped.
  16. root@Computer253:/home# cat /etc/samba/smb.conf
  17. [global]
  18. workgroup = DOMAIN
  19. realm = INTRA.DOMAIN.FR
  20. encrypt passwords = yes
  21. client protection = encrypt
  22. client signing = yes
  23. # client use spnego = yes
  24. kerberos method = secrets and keytab
  25. security = ads


 
 
Configuration SSSD
 

Code :
  1. root@Computer253:/home# systemctl status sssd
  2. ● sssd.service - System Security Services Daemon
  3.      Loaded: loaded (/lib/systemd/system/sssd.service; enabled; preset: enabled)
  4.      Active: active (running) since Thu 2024-07-04 13:58:06 CEST; 2h 3min ago
  5.    Main PID: 6011 (sssd)
  6.       Tasks: 4 (limit: 37992)
  7.      Memory: 208.6M
  8.         CPU: 39min 26.209s
  9.      CGroup: /system.slice/sssd.service
  10.              ├─ 6011 /usr/sbin/sssd -i --logger=files
  11.              ├─ 6014 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
  12.              ├─ 6015 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
  13.              └─12148 /usr/libexec/sssd/sssd_be --domain intra.domain.fr --uid 0 --gid 0 --logger=files
  14. juil. 04 16:00:25 Computer253 sssd_be[11975]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
  15. juil. 04 16:00:25 Computer253 sssd_be[11975]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
  16. juil. 04 16:00:56 Computer253 sssd[6011]: Child [11975] ('intra.domain.fr':'%BE_intra.domain.fr') was terminated by own WATCHDOG. Consult corresponding logs to figure out the reason.
  17. juil. 04 16:00:56 Computer253 sssd_be[12115]: Starting up
  18. juil. 04 16:00:56 Computer253 sssd_be[12115]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
  19. juil. 04 16:00:56 Computer253 sssd_be[12115]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
  20. juil. 04 16:01:37 Computer253 sssd[6011]: Child [12115] ('intra.domain.fr':'%BE_intra.domain.fr') was terminated by own WATCHDOG. Consult corresponding logs to figure out the reason.
  21. juil. 04 16:01:37 Computer253 sssd_be[12148]: Starting up
  22. juil. 04 16:01:37 Computer253 sssd_be[12148]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
  23. juil. 04 16:01:37 Computer253 sssd_be[12148]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
  24. root@Computer253:/home# systemctl list-units --failed
  25.   UNIT                 LOAD   ACTIVE SUB    DESCRIPTION                             
  26. ● apparmor.service     loaded failed failed Load AppArmor profiles                 
  27. ● sssd-nss.socket      loaded failed failed SSSD NSS Service responder socket
  28. ● sssd-pam-priv.socket loaded failed failed SSSD PAM Service responder private socket
  29. ● sssd-pam.socket      loaded failed failed SSSD PAM Service responder socket
  30. LOAD   = Reflects whether the unit definition was properly loaded.
  31. ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
  32. SUB    = The low-level unit activation state, values depend on unit type.
  33. 4 loaded units listed.
  34. root@Computer253:/home# cat /etc/sssd/sssd.conf
  35. [sssd]
  36. domains = INTRA.DOMAIN.FR
  37. default_domain_suffix = intra.domain.fr
  38. config_file_version = 2
  39. services = nss, pam
  40. implicit_pac_responder = False
  41. [domain/intra.domain.fr]
  42. access_provider = ad
  43. ad_domain = intra.domain.fr
  44. # ad_server = server1, server2, server3
  45. # auth_provider = ad
  46. cache_credentials = True
  47. default_shell = /bin/bash
  48. debug_level = 3
  49. enumerate = True
  50. fallback_homedir = /home/%u@%d
  51. override_homedir = /home/%u@%d
  52. id_provider = ad
  53. ldap_id_mapping = True
  54. ldap_user_uid_number = uidNumber
  55. ldap_user_gid_number = gidNumber
  56. krb5_store_password_if_offline = True
  57. krb5_realm = intra.domain.fr
  58. realmd_tags = manages-system joined-with-adcli
  59. use_fully_qualified_names = True
  60. dyndns_update = False


 
Je ne sais pas pourquoi j'ai ces erreurs  

  UNIT                 LOAD   ACTIVE SUB    DESCRIPTION                              
● apparmor.service     loaded failed failed Load AppArmor profiles                  
● sssd-nss.socket      loaded failed failed SSSD NSS Service responder socket
● sssd-pam-priv.socket loaded failed failed SSSD PAM Service responder private socket
● sssd-pam.socket      loaded failed failed SSSD PAM Service responder socket


Message édité par nomiss le 04-07-2024 à 16:15:23
n°180699
darxmurf
meow
Posté le 09-10-2024 à 12:36:13  profilanswer
 

Salut,
 
De toutes les machines que j'ai intégré à un AD, si t'as un samba qui tourne, il ne faut pas mettre SSSD. Samba a besoin de winbind et ça se tape dessus avec SSSD.


---------------
Des trucs - flickr - Instagram

Aller à :
Ajouter une réponse
  FORUM HardWare.fr
  Systèmes & Réseaux Pro
  Management du SI

  Intégration d'un poste Debian dans un AD

 

Sujets relatifs
Timezone et poste de travailGoogle WorkSpace : Ajouter une sychro Azure AD, impact sur l'existant
[AWS] AWS Managed Microsoft AD ou pas[AD] droits d'accès
Ajouter le champ CompanyName dans l'ADAzure AD avec mix de licences 365 possible?
Compte AD, Historique accès aux dossiers + modif. fichiersExpiration MDP pour comptes à privilèges AD
Plus de sujets relatifs à : Intégration d'un poste Debian dans un AD


Copyright © 1997-2022 Hardware.fr SARL (Signaler un contenu illicite / Données personnelles) / Groupe LDLC / Shop HFR