[CentOS] sssd.conf file missing

Thu Jun 23 14:04:21 UTC 2016
m.roth at 5-cent.us <m.roth at 5-cent.us>

Kaplan, Andrew H. wrote:
> Hello --
>
> I have not touched that file.
>
> What change(s) do I need to make there?
>
Please stop top posting.

That *may* affect you later, when you try to NFS mount directories, or it
may be confusing the issue. In any case, it *requires* editing.

First, put in a Domain = <yourdomain>.<TLD>

Then, make sure that Method = nsswitch is uncommented.

Finally, and this is the part that leads me to think there may be an
issue, comment out or delete *all* references in the UMICH_SCHEMA stanza.

Then restart idmapd (on 7, I think it's systemctl restart nfs-idmapd, or
something like that). This is, as I noted, more for NFS, but the
UMICH_SCHEMA being live in there, if idmapd is running, makes me nervous.

         mark


>
>
> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
> Behalf Of m.roth at 5-cent.us
> Sent: Thursday, June 23, 2016 9:36 AM
> To: CentOS mailing list
> Subject: Re: [CentOS] sssd.conf file missing
>
> Kaplan, Andrew H. wrote:
>> Hello --
>>
>> I made the suggested changes to the sssd.conf file, and the results
>> are the same.
>>
>> Just to make sure my syntax is correct:
>>
>> The following section was added to the end of the file:
>>
>> [sssd]
>> debug_level = 4
>> config_file_version = 2
>> domains = company/company.org
>>
> One little detail you may have missed: have you edited /etc/idmapd.conf?
>
>          mark
>>
>> -----Original Message-----
>> From: l at avc.su [mailto:l at avc.su]
>> Sent: Thursday, June 23, 2016 9:08 AM
>> To: Kaplan, Andrew H.; CentOS mailing list
>> Subject: Re: [CentOS] sssd.conf file missing
>>
>> OK, lets dig further.
>>
>> Does your sssd.conf have [sssd] section?
>> Something like
>>
>> [sssd]
>> debug_level = 4
>> config_file_version = 2
>> domains     = your-domain-name-here
>>
>> If it's not there, add it and modify the [your-domain-name-here]
>> section so it'll look like this:
>> [domain/your-domain-name-here]
>>
>>
>> 23.06.2016, 15:51, "Kaplan, Andrew H." <ahkaplan at partners.org>:
>>> Hello –
>>>
>>> Thank-you for your e-mail. I corrected the syntax in the file, and I
>>> have confirmed the permissions are correct:
>>>
>>> -rw-------. 1 root root 266 Jun 23 08:45 sssd.conf
>>>
>>> Unfortunately, the error condition and messages listed in my initial
>>> e-mail are still present.
>>>
>>> From: l at avc.su [mailto:l at avc.su]
>>> Sent: Thursday, June 23, 2016 8:34 AM
>>> To: CentOS mailing list; Kaplan, Andrew H.
>>> Subject: Re: [CentOS] sssd.conf file missing
>>>
>>> Hello Andrew.
>>>
>>> The sssd.conf should be owned by root:root, mode 0600.
>>>
>>> Also please note this line in your config:
>>>
>>> [<domain>.org]
>>> enumate = true
>>>
>>> it's enumerate, not enumate.
>>>
>>> 23.06.2016, 15:24, "Kaplan, Andrew H." <ahkaplan at partners.org>:
>>>
>>>> Hello --
>>>>
>>>> We are running CentOS 7.2 on a virtual machine, and we are trying to
>>>> set up LDAP authentication. The ldap packages that are currently
>>>> installed on the system are the following:
>>>>
>>>> python-sss 1.13.0-40.el7_2.4
>>>> python-sssdconfig 1.13.0-40.el7_2.4
>>>> sssd 1.13.0-40.el7_2.4
>>>> sssd-ad 1.13.0-40.el7_2.4
>>>> sssd-client 1.13.0-40.el7_2.4
>>>> sssd-common 1.13.0-40.el7_2.4
>>>> sssd-common-pac 1.13.0-40.el7_2.4
>>>> sssd-dbus 1.13.0-40.el7_2.4
>>>> sssd-ipa 1.13.0-40.el7_2.4
>>>> sssd-krb5 1.13.0-40.el7_2.4
>>>> sssd-krb5-common 1.13.0-40.el7_2.4
>>>> sssd-ldap 1.13.0-40.el7_2.4
>>>> sssd-libwbclient 1.13.0-40.el7_2.4
>>>> sssd-libwbclient-devel 1.13.0-40.el7_2.4
>>>> sssd-proxy 1.13.0-40.el7_2.4
>>>> sssd-tools 1.13.0-40.el7_2.4
>>>>
>>>> I ran the following commands to set up LDAP/AD authentication:
>>>>
>>>> # ln -s /bin/bash /bin/PHSshell
>>>> # ln -s /home /PHShome
>>>> # authconfig --enablesssdauth --enablemkhomedir --enablesssd --update
>>>> # chkconfig sssd on
>>>> # service sssd restart
>>>>
>>>> Initially, I ran into problems because I had not created an
>>>> sssd.conf file. Eventually I did create one, and its contents are the
>>>> following:
>>>>
>>>> [<domain>.org]
>>>> enumate = true
>>>> cache_credentials = TRUE
>>>>
>>>> id_provider = ldap
>>>> auth_provider = ldap
>>>> chpass_provider = ldap
>>>>
>>>> ldap_uri = ldap://ldap.<domain>.org
>>>> ldap_search_base = dc=<domain>,dc=org
>>>> tls_reqcert = demand
>>>> ldap_tls_cacert /etc/pki/tls/certs/ca-bundle.crt
>>>>
>>>> If there are any additions or corrections that I need to make,
>>>> please let me know.
>>>>
>>>> I reran the service sssd restart command, and the error message that
>>>> I am seeing via journalctl -xe is the following:
>>>>
>>>> Unit sssd.service has begun starting up.
>>>> Jun 22 16:05:34 roadtest2.partners.org sssd[6384]: SSSD couldn't
>>>> load the configuration database [5]: Input/output error.
>>>> Jun 22 16:05:34 roadtest2.partners.org systemd[1]: sssd.service:
>>>> control process exited, code=exited status=4
>>>> Jun 22 16:05:34 roadtest2.partners.org systemd[1]: Failed to start
>>>> System Security Services Daemon.
>>>> -- Subject: Unit sssd.service has failed
>>>> -- Defined-By: systemd
>>>> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>>>>
>>>> --
>>>> -- Unit sssd.service has failed.
>>>> --
>>>> -- The result is failed.
>>>> Jun 22 16:05:34 roadtest2.partners.org systemd[1]: Unit sssd.service
>>>> entered failed state.
>>>> Jun 22 16:05:34 roadtest2.partners.org systemd[1]: sssd.service
>>>> failed.
>>>> Jun 22 16:05:34 roadtest2.partners.org polkitd[787]: Unregistered
>>>> Authentication Agent for unix-process:6369:52587318 (system bus name
>>>> :1.2287, object path
>>>> /org/freedesktop/PolicyKit1/AuthenticationAgent,
>>>> locale en_US.UTF-8) (disconnected from bus)
>>>>
>>>> Any ideas?
>>>>
>>>> The information in this e-mail is intended only for the person to
>>>> whom it is addressed. If you believe this e-mail was sent to you in
>>>> error and the e-mail contains patient information, please contact
>>>> the Partners Compliance HelpLine at
>>>> http://www.partners.org/complianceline . If the e-mail was sent to
>>>> you in error but does not contain patient information, please
>>>> contact the sender and properly dispose of the e-mail.
>>>> _______________________________________________
>>>> CentOS mailing list
>>>> CentOS at centos.org
>>>> https://lists.centos.org/mailman/listinfo/centos
>>
>
>
>
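The replies in this thread point at the same handful of sssd.conf mistakes: a misspelled option ("enumate"), a domain stanza named [<domain>.org] instead of [domain/<name>], a missing [sssd] section, a `domains =` value that does not match any stanza, and lines where two options got pasted together or the `=` was lost. The following script is an added example written for this page, not code from the thread or from the SSSD project: it lints an sssd.conf text for exactly those problems before you restart the daemon and read journalctl. The allow-list of option names is an assumption (the options used in the thread, correctly spelled, plus a few common ones) and should be extended for a real deployment; both sample configurations are constructed from the thread, with the site-specific domain replaced by example.org.

```python
import difflib
import re

# Domain options this linter accepts: the ones the thread uses (correctly
# spelled) plus a few neighbours. Extend this allow-list for your deployment.
KNOWN_DOMAIN_OPTIONS = {
    "enumerate", "cache_credentials", "id_provider", "auth_provider",
    "chpass_provider", "access_provider", "ldap_uri", "ldap_search_base",
    "ldap_tls_reqcert", "ldap_tls_cacert", "ldap_id_use_start_tls", "debug_level",
}
NON_DOMAIN_SECTIONS = {"sssd", "nss", "pam", "sudo", "autofs", "ssh", "pac", "ifp"}
# whitespace, a word, then '=': a second "key = value" glued onto the same line
TWO_OPTIONS_RE = re.compile(r"\s[A-Za-z_]+\s*=")


def parse_ini(text):
    """Small INI reader that records bad lines instead of aborting.
    Returns (sections, problems); sections maps name -> {key: value}."""
    sections, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            problems.append(f"line {lineno}: not a [section] or key = value: {line!r}")
            continue
        key, value = key.strip(), value.strip()
        # An LDAP base DN contains '=' but never a space before it, so
        # space-word-'=' inside a value means two options share the line.
        if TWO_OPTIONS_RE.search(value):
            problems.append(f"line {lineno}: two options on one line: {line!r}")
            continue
        sections[current][key] = value
    return sections, problems


def check_sssd_conf(text):
    """Apply the thread's checks to sssd.conf text; returns a list of problems."""
    sections, problems = parse_ini(text)
    sssd = sections.get("sssd")
    declared = []
    if sssd is None:
        problems.append("missing [sssd] section")
    else:
        if sssd.get("config_file_version") != "2":
            problems.append("[sssd] needs config_file_version = 2")
        declared = [d.strip() for d in sssd.get("domains", "").split(",") if d.strip()]
        if not declared:
            problems.append("[sssd] has no 'domains = ...' line")
    for name in declared:
        if "/" in name:
            problems.append(f"domains entry {name!r} should be a bare name, not a section path")
        elif f"domain/{name}" not in sections:
            problems.append(f"domains lists {name!r} but there is no [domain/{name}] section")
    for section, options in sections.items():
        if section in NON_DOMAIN_SECTIONS:
            continue
        if not section.startswith("domain/"):
            problems.append(f"section [{section}] is not [domain/<name>] and will be ignored")
        for key in options:
            if key not in KNOWN_DOMAIN_OPTIONS:
                hint = difflib.get_close_matches(key, KNOWN_DOMAIN_OPTIONS, n=1)
                tip = f" (did you mean {hint[0]!r}?)" if hint else ""
                problems.append(f"[{section}] unknown option {key!r}{tip}")
    return problems


# Constructed sample: the file as posted in the thread, plus its [sssd] stanza.
BROKEN_CONF = """\
[sssd]
config_file_version = 2
domains = company/company.org
[<domain>.org]
enumate = true
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.<domain>.org
ldap_search_base = dc=<domain>,dc=org tls_reqcert = demand
ldap_tls_cacert /etc/pki/tls/certs/ca-bundle.crt
"""

# Constructed sample: the same settings with every reply's correction applied.
FIXED_CONF = """\
[sssd]
config_file_version = 2
domains = example.org
[domain/example.org]
enumerate = true
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.org
ldap_search_base = dc=example,dc=org
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
"""
```

To lint the live file, pass its contents to check_sssd_conf (for example `check_sssd_conf(open("/etc/sssd/sssd.conf").read())`) as root, since the file must stay root:root mode 0600; on the constructed BROKEN_CONF the function reports the glued `tls_reqcert` line, the `ldap_tls_cacert` line without `=`, the `company/company.org` domains entry, the stray `[<domain>.org]` stanza and the `enumate` typo, while FIXED_CONF comes back clean.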