Active Directory Issues

I have now created an issue on our Github repository:

We already fixed a very similar issue, so we can follow the same approach to fix this one, but it’ll need a bit more verification before committing. I’ll update that Github issue accordingly.


@ocelot11,
A corresponding PR to fix that issue has now been submitted:

We’ll update this post accordingly.

I also wanted to thank you again for that report, as it has not only highlighted a couple of bits such as these that could be made more robust, but it also led us to uncover two other small upstream issues. One of them has already been fixed by upstream SSSD in their more recent releases. The other relates to the specific packaging of realmd in openSUSE, and we have now submitted a bug and a fix upstream. A good example of how a bug report has the potential to benefit not only other Rockstor users, but also our upstream packages :slight_smile: . So thanks again, @ocelot11!


Not at all, I should be thanking you, the community, and especially the folks who are patching this! Sorry for the late reply, life got hectic for a bit, but I will be keeping my eye out for the fix! If I experience any other issues I’ll be sure to report it. Thank you!


I’ve updated the system and since then I can add users to shares; however, now whenever I try to access the shares on the boxes I get the error “There are currently no logon servers available to service the logon request”. In the samba log file I can see that it fails to contact the domain controller due to some kind of password issue with the machine account, if I’m understanding this correctly.

  Connecting to 172.16.0.20 at port 389
[2023/04/19 19:42:42.724167,  3] ../../source3/libads/ldap.c:762(ads_connect)
  Connected to LDAP server Ocelot11-Ark.O11LAN.NET
[2023/04/19 19:42:42.726008,  3] ../../source3/libads/sasl.c:543(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
[2023/04/19 19:42:42.726063,  3] ../../source3/libads/sasl.c:543(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
[2023/04/19 19:42:42.726076,  3] ../../source3/libads/sasl.c:543(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
[2023/04/19 19:42:42.726088,  3] ../../source3/libads/sasl.c:543(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
[2023/04/19 19:42:42.726100,  3] ../../source3/libads/sasl.c:543(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
[2023/04/19 19:42:42.727950,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2023/04/19 19:42:42.728062,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2023/04/19 19:42:42.728077,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2023/04/19 19:42:42.728090,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'spnego' registered
[2023/04/19 19:42:42.728104,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'schannel' registered
[2023/04/19 19:42:42.728117,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2023/04/19 19:42:42.728131,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2023/04/19 19:42:42.728144,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2023/04/19 19:42:42.728157,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'ntlmssp_resume_ccache' registered
[2023/04/19 19:42:42.728170,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'http_basic' registered
[2023/04/19 19:42:42.728183,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2023/04/19 19:42:42.728200,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'http_negotiate' registered
[2023/04/19 19:42:42.728213,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'krb5' registered
[2023/04/19 19:42:42.728226,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'fake_gssapi_krb5' registered
[2023/04/19 19:42:42.729236,  1] ../../auth/gensec/spnego.c:418(gensec_spnego_create_negTokenInit_step)
  gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO negTokenInit request
[2023/04/19 19:42:42.729311,  1] ../../source3/libads/sasl.c:644(ads_sasl_spnego_bind)
  ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/ocelot11-ark.o11lan.net with user[OCELOT11-NAS$] realm=[O11LAN.NET]: Cannot read password
[2023/04/19 19:42:42.729335,  3] ../../source3/printing/nt_printing_ads.c:756(check_published_printers)
  ads_connect failed: Cannot read password
[2023/04/19 19:42:42.729644,  0] ../../source3/printing/nt_printing.c:233(nt_printing_init)
  nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
[2023/04/19 19:42:42.729733,  3] ../../source3/printing/queue_process.c:359(start_background_queue)
  start_background_queue: Starting background LPQ thread
[2023/04/19 19:42:42.859684,  1] ../../source3/printing/printer_list.c:255(printer_list_get_last_refresh)
  Failed to fetch record!
[2023/04/19 19:42:42.859773,  2] ../../source3/smbd/server.c:1364(smbd_parent_loop)
  waiting for connections
[2023/04/19 19:42:48.250431,  2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
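
As an added example (not code from the thread, Rockstor or Samba): a small parser for the Samba debug-log format pasted above. It pairs each "[timestamp, level] file:line(function)" header with its indented message line and pulls out any failed LDAP/SASL bind attempted with the machine account, so the "Cannot read password" condition can be found in a log file instead of by reading level-3 output by hand. The sample lines are copied from the paste; the triage text is an assumed mapping of my own, not Samba's.

```python
import re
from dataclasses import dataclass

# One Samba debug-log entry is a header line followed by message line(s)
# indented by two spaces, e.g.
# [2023/04/19 19:42:42.729311,  1] ../../source3/libads/sasl.c:644(ads_sasl_spnego_bind)
#   ads_sasl_spnego_gensec_bind(KRB5) failed for ... : Cannot read password
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)

# Shape of the libads bind-failure message seen in the thread.
BIND_FAIL_RE = re.compile(
    r"failed for (?P<spn>\S+) with user\[(?P<user>[^\]]+)\] "
    r"realm=\[(?P<realm>[^\]]+)\]: (?P<reason>.+)$"
)

# Sample input: a handful of entries copied from the log pasted above,
# including the leading message whose header was cut off and the trailing
# header whose message was cut off.
SAMPLE_LOG = """\
  Connecting to 172.16.0.20 at port 389
[2023/04/19 19:42:42.724167,  3] ../../source3/libads/ldap.c:762(ads_connect)
  Connected to LDAP server Ocelot11-Ark.O11LAN.NET
[2023/04/19 19:42:42.729236,  1] ../../auth/gensec/spnego.c:418(gensec_spnego_create_negTokenInit_step)
  gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO negTokenInit request
[2023/04/19 19:42:42.729311,  1] ../../source3/libads/sasl.c:644(ads_sasl_spnego_bind)
  ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/ocelot11-ark.o11lan.net with user[OCELOT11-NAS$] realm=[O11LAN.NET]: Cannot read password
[2023/04/19 19:42:42.729335,  3] ../../source3/printing/nt_printing_ads.c:756(check_published_printers)
  ads_connect failed: Cannot read password
[2023/04/19 19:42:48.250431,  2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
"""


@dataclass
class Entry:
    ts: str
    level: int
    file: str
    line: int
    func: str
    message: str = ""


def parse_samba_log(text):
    """Pair each header line with the indented message line(s) that follow it.

    Message lines that appear before any header (a paste that starts
    mid-entry) are skipped; a header with no message (a paste cut off
    mid-entry) is kept with an empty message.
    """
    entries = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            entries.append(Entry(m["ts"], int(m["level"]), m["file"],
                                 int(m["line"]), m["func"]))
        elif entries and raw.startswith("  "):
            e = entries[-1]
            e.message = (e.message + "\n" + raw.strip()) if e.message else raw.strip()
    return entries


def machine_account_bind_failures(entries):
    """Return failed binds whose account is a machine account (name ends in '$')."""
    hits = []
    for e in entries:
        m = BIND_FAIL_RE.search(e.message)
        if m and m["user"].endswith("$"):
            hits.append({"ts": e.ts, "func": e.func, "spn": m["spn"],
                         "user": m["user"], "realm": m["realm"], "reason": m["reason"]})
    return hits


def triage(failure):
    """Assumed operator guidance per reason text; this mapping is mine, not Samba's."""
    if failure["reason"] == "Cannot read password":
        return ("machine account secret unavailable: check secrets.tdb and the keytab "
                "('kerberos method' in smb.conf) and whether the domain join is still valid")
    return "unclassified bind failure"


if __name__ == "__main__":
    for f in machine_account_bind_failures(parse_samba_log(SAMPLE_LOG)):
        print(f["ts"], f["user"], f["realm"], f["reason"], "->", triage(f))
```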

Using sssctl I can see the domain info is set correctly and it shows the connection as online. I’m not savvy in the lower-level workings of these packages or the OS, but I did read the github issues you raised and shared and I’m wondering if this is related to those issues. Either way, if you need any logs or config files or anything I can send them over. Just let me know. Thanks!


Mmm… There is one thing about which I was wondering, but I have not yet seen its consequences. I wonder if that is it.
Would you mind sharing your /etc/sssd/sssd.conf file? As I know you initially had issues with turning the AD service on and had to do some things manually, I would like to verify a few things.
A paste of your smb.conf file as well could prove useful. You can of course anonymize anything you’d like.


Hi @Flox, sorry for the wait.

This is my SSSD (interestingly, I was able to use smbclient to dump these onto the AD server with little issue. I don’t know if that info helps.):

[sssd]
config_file_version = 2
services = nss, pam
domains = O11LAN.NET
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
; domains = LDAP

[nss]

[pam]

# Example LDAP domain
; [domain/LDAP]
; id_provider = ldap
; auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
; ldap_schema = rfc2307
; ldap_uri = ldap://ldap.mydomain.org
; ldap_search_base = dc=mydomain,dc=org
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
; enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
; cache_credentials = true

# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For UNIX and map LDAP attributes onto
# msSFU30* attribute names.
; [domain/AD]
; id_provider = ldap
; auth_provider = krb5
; chpass_provider = krb5
;
; ldap_uri = ldap://your.ad.example.com
; ldap_search_base = dc=example,dc=com
; ldap_schema = rfc2307bis
; ldap_sasl_mech = GSSAPI
; ldap_user_object_class = user
; ldap_group_object_class = group
; ldap_user_home_directory = unixHomeDirectory
; ldap_user_principal = userPrincipalName
; ldap_account_expire_policy = ad
; ldap_force_upper_case_realm = true
;
; krb5_server = your.ad.example.com
; krb5_realm = EXAMPLE.COM

[domain/O11LAN.NET]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = O11LAN.NET
realmd_tags = manages-system joined-with-adcli 
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = O11LAN.NET
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = simple
enumerate = True
simple_allow_groups = %domain admins@O11LAN.NET %domain users@O11LAN.NET

And here is my smb.conf (Note I blocked out users and names for privacy, but I left my domain name so there is no confusion when trying to debunk the problem.)

[global]
    log level = 3
    map to guest = Bad User
    cups options = raw
    log file = /var/log/samba/log.%m
    printcap name = /dev/null
    load printers = no

####BEGIN: Rockstor SAMBA GLOBAL CUSTOM####
    workgroup = O11LAN
####END: Rockstor SAMBA GLOBAL CUSTOM####

####BEGIN: Rockstor ACTIVE DIRECTORY CONFIG####
    security = ads
    realm = O11LAN.NET
    kerberos method = secrets and keytab
    client signing = yes
    client use spnego = yes
####END: Rockstor ACTIVE DIRECTORY CONFIG####

####BEGIN: Rockstor SAMBA CONFIG####
[------.Share]
    root preexec = "/opt/rockstor/.venv/bin/mnt-share ------.Share"
    root preexec close = yes
    comment = Person's NAS Share
    path = /mnt2/------.Share
    browseable = no
    read only = no
    guest ok = no
    admin users = --------------@O11LAN.NET -------- --------------@O11LAN.NET 
    shadow:format = .BAG__%Y%m%d%H%M
    shadow:basedir = /mnt2/------.Share
    shadow:snapdir = ./
    shadow:sort = desc
    shadow:localtime = yes
    vfs objects = shadow_copy2
    veto files = /.BAG_*/
[Video.Share]
    root preexec = "/opt/rockstor/.venv/bin/mnt-share Video.Share"
    root preexec close = yes
    comment = Movies and Shows
    path = /mnt2/Video.Share
    browseable = yes
    read only = no
    guest ok = yes
    admin users = ------ ----------------@O11LAN.NET ------------@O11LAN.NET -----------------@O11LAN.NET -----------------@O11LAN.NET ------------------@O11LAN.NET -------------@O11LAN.NET -------------------@O11LAN.NET -----------------@O11LAN.NET 
    shadow:format = .VID__%Y%m%d%H%M
    shadow:basedir = /mnt2/Video.Share
    shadow:snapdir = ./
    shadow:sort = desc
    shadow:localtime = yes
    vfs objects = shadow_copy2
    veto files = /.VID_*/
[Recording.Share]
    root preexec = "/opt/rockstor/.venv/bin/mnt-share Recording.Share"
    root preexec close = yes
    comment = OBS and Recordings
    path = /mnt2/Recording.Share
    browseable = no
    read only = no
    guest ok = no
    admin users = ----------------@O11LAN.NET -----------------@O11LAN.NET --------- --------------@O11LAN.NET 
    shadow:format = .REC__%Y%m%d%H%M
    shadow:basedir = /mnt2/Recording.Share
    shadow:snapdir = ./
    shadow:sort = desc
    shadow:localtime = yes
    vfs objects = shadow_copy2
    veto files = /.REC_*/
[Public.Share]
    root preexec = "/opt/rockstor/.venv/bin/mnt-share Public.Share"
    root preexec close = yes
    comment = Public Files and Documents
    path = /mnt2/Public.Share
    browseable = yes
    read only = no
    guest ok = yes
    admin users = ------ ---------------@O11LAN.NET -----------------@O11LAN.NET -------------------@O11LAN.NET ---------------------@O11LAN.NET -----------------@O11LAN.NET -------------@O11LAN.NET ------------------@O11LAN.NET ------------------@O11LAN.NET 
    shadow:format = .PUB__%Y%m%d%H%M
    shadow:basedir = /mnt2/Public.Share
    shadow:snapdir = ./
    shadow:sort = desc
    shadow:localtime = yes
    vfs objects = shadow_copy2
    veto files = /.PUB_*/
[Music.Share]
    root preexec = "/opt/rockstor/.venv/bin/mnt-share Music.Share"
    root preexec close = yes
    comment = Songs and Music Videos
    path = /mnt2/Music.Share
    browseable = yes
    read only = no
    guest ok = yes
    admin users = ------ ---------------@O11LAN.NET -----------------@O11LAN.NET -------------------@O11LAN.NET ---------------------@O11LAN.NET -----------------@O11LAN.NET -------------@O11LAN.NET ------------------@O11LAN.NET ------------------@O11LAN.NET 
    shadow:format = .MUS__%Y%m%d%H%M
    shadow:basedir = /mnt2/Music.Share
    shadow:snapdir = ./
    shadow:sort = desc
    shadow:localtime = yes
    vfs objects = shadow_copy2
    veto files = /.MUS_*/
[Game.Share]
    root preexec = "/opt/rockstor/.venv/bin/mnt-share Game.Share"
    root preexec close = yes
    comment = Game Files and Saves
    path = /mnt2/Game.Share
    browseable = yes
    read only = no
    guest ok = yes
    admin users = ------ ---------------@O11LAN.NET -----------------@O11LAN.NET -------------------@O11LAN.NET ---------------------@O11LAN.NET -----------------@O11LAN.NET -------------@O11LAN.NET ------------------@O11LAN.NET ------------------@O11LAN.NET 
    shadow:format = .GME__%Y%m%d%H%M
    shadow:basedir = /mnt2/Game.Share
    shadow:snapdir = ./
    shadow:sort = desc
    shadow:localtime = yes
    vfs objects = shadow_copy2
    veto files = /.GME_*/
[------.Share]
    root preexec = "/opt/rockstor/.venv/bin/mnt-share -------.Share"
    root preexec close = yes
    comment = Person's NAS Share
    path = /mnt2/------.Share
    browseable = no
    read only = no
    guest ok = no
    admin users = -----------------@O11LAN.NET -----------------@O11LAN.NET ------ ------------@O11LAN.NET 
    shadow:format = .AMS__%Y%m%d%H%M
    shadow:basedir = /mnt2/------.Share
    shadow:snapdir = ./
    shadow:sort = desc
    shadow:localtime = yes
    vfs objects = shadow_copy2
    veto files = /.AMS_*/
####END: Rockstor SAMBA CONFIG####
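
As an added example (not code from the thread or from Rockstor): a consistency check over the AD-related settings in the two files posted above, run on constructed, trimmed copies of them with user names and most shares left out. It confirms that the Samba realm, the SSSD domain section, ad_domain and krb5_realm all agree, that the keytab-based kerberos method is set, and lists which shares are guest-accessible; the check names and the guest-share note are my own.

```python
import configparser

# Constructed, trimmed copies of the two files posted in the thread: the
# AD-related keys are the ones posted, share sections and user names are
# left out or shortened.
SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = O11LAN.NET
; domains = LDAP

[nss]

[pam]

[domain/O11LAN.NET]
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = O11LAN.NET
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = O11LAN.NET
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = simple
enumerate = True
simple_allow_groups = %domain admins@O11LAN.NET %domain users@O11LAN.NET
"""

SMB_CONF = """\
[global]
    log level = 3
    map to guest = Bad User
    load printers = no
####BEGIN: Rockstor SAMBA GLOBAL CUSTOM####
    workgroup = O11LAN
####END: Rockstor SAMBA GLOBAL CUSTOM####
    security = ads
    realm = O11LAN.NET
    kerberos method = secrets and keytab
    client signing = yes
    client use spnego = yes
[Video.Share]
    path = /mnt2/Video.Share
    guest ok = yes
[Recording.Share]
    path = /mnt2/Recording.Share
    guest ok = no
"""


def _load(text):
    # interpolation=None: sssd.conf uses '%u', '%d' and '%domain admins'
    # literally. strict=False: the smb.conf posted in the thread repeats an
    # anonymised share section name, which a strict parser would reject.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def ad_join_checks(sssd_text, smb_text):
    """Return (check name, passed, detail) tuples for the AD settings both files share."""
    sssd, smb = _load(sssd_text), _load(smb_text)
    g = smb["global"]
    realm = g.get("realm", "").upper()
    kmethod = g.get("kerberos method", "")
    results = [
        ("smb.conf: security = ads", g.get("security", "").lower() == "ads", g.get("security", "")),
        ("smb.conf: realm set", bool(realm), realm),
        ("smb.conf: kerberos method uses keytab", "keytab" in kmethod, kmethod),
    ]
    # The domain named in [sssd] must have its own [domain/<name>] section, and
    # that section must point at the same AD domain/realm Samba was joined to.
    domains = [d.strip() for d in sssd["sssd"].get("domains", "").split(",") if d.strip()]
    results.append(("sssd.conf: domains lists a domain", bool(domains), ", ".join(domains)))
    for d in domains:
        sec = f"domain/{d}"
        if not sssd.has_section(sec):
            results.append((f"sssd.conf: [{sec}] present", False, "missing"))
            continue
        ds = sssd[sec]
        results.append((f"{sec}: id_provider = ad", ds.get("id_provider", "") == "ad", ds.get("id_provider", "")))
        results.append((f"{sec}: ad_domain matches Samba realm", ds.get("ad_domain", "").upper() == realm, ds.get("ad_domain", "")))
        results.append((f"{sec}: krb5_realm matches Samba realm", ds.get("krb5_realm", "").upper() == realm, ds.get("krb5_realm", "")))
    # With 'map to guest = Bad User', unknown users land on these shares as guest,
    # so they are worth listing on a domain-joined box (informational only).
    guest = [s for s in smb.sections() if s != "global" and smb[s].get("guest ok", "no").lower() == "yes"]
    results.append(("guest-accessible shares (informational)", not guest, ", ".join(guest)))
    return results


def failed_checks(results):
    """Names of the checks that did not pass."""
    return [name for name, ok, _ in results if not ok]


if __name__ == "__main__":
    for name, ok, detail in ad_join_checks(SSSD_CONF, SMB_CONF):
        print("OK  " if ok else "FAIL", name, "->", detail)
```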

I haven’t tried any actions to resolve the issue yet; I haven’t restarted any services or the NAS, I haven’t left and tried to re-join the domain, etc. I figured I would await instruction from someone wiser than me. If you want me to try anything out to help you figure out the issue, let me know and I can try it to the best of my ability.


Was there any update on a fix for this?

Hi there,

The fix is in and it will come with the release of the new rockstor version 4.5.9-0 (RC6).
The release is coming soon.


Thank you for the heads-up! I’ll keep my eyes out and switch my security back to user from ads for now in my smb.conf.


and the new release just landed, as if @aremiaskfa was clairvoyant :slight_smile:


Not to necro an old post, but I swear I had seen someone else having AD issues and I was tagged in the topic. I don’t see it anymore, so maybe my imagination, but I’m having strange issues with AD again and figured I’d post to see if anyone could help get to the bottom of it.

I’ve been neck deep in other projects lately and wanted to store an extra copy of some files and figured I’d continue to take advantage of my NAS setup. I recalled a post saying that it was fixed under 5.0.1, but when trying to connect to the share my AD credentials weren’t working. Checking in the users I could see that AD was still enumerating to rockstor, and unfortunately due to some over-zealous troubleshooting I never found out why samba was rejecting my credentials.

I decided to just remove and re-add the machine to the domain; however, upon trying to re-join I received an error that the machine was still domain joined. I cleaned the old account out of AD just in case, however the error continued. I saw that the SSSD config still contained the old information, as did my samba config. I thought perhaps re-installing samba and sssd would purge the old config with a new one; unfortunately doing so somehow borked the entire installation. At this point, I decided to reinstall and re-import my disks. That went OK. I updated the system to 4.6.1. That went OK. I renamed it the same as the old system, set its static IP and DNS info, and samba workgroup, and that was all fine.

Then I tried to rejoin the domain. Again it said the domain was already joined, which should be impossible since this was a completely new install and despite having the same name, I purged the old account out of AD so it shouldn’t be picking up on that. I have to assume some left over object is left in AD which rockstor or sssd or samba is looking at instead of the machine account? Unfortunately I’m far from a master when it comes to the inner workings of AD or any of this linux software to know where to look from here. Later I plan on re-naming the NAS to see if that solves my issue. However, a few other issues seemed to have cropped up from this. Because the box is mostly brand new, I don’t know what could have gone catastrophically wrong.

I poked around somewhat in the command line and tried “sudo sssd realm discover” which failed. So out of curiosity I did a “sudo realm discover myrealm.realm” and it succeeded. Trying to join the realm with “sudo realm join myrealm.realm” fails, telling me the domain is joined. Checking systemctl it says SSSD is not running. If I try and start it, it fails with exit code 4 and for whatever reason the SSSD config still has the default configuration despite rockstor supposedly having tried to join the domain. I change the samba workgroup to “WORKGROUP” and then back, but SSSD is still throwing a fit. I’ll post what logs I can below.

This is the error in the dialog (I’ve replaced the user account and domain info for privacy reasons):

Error running a command. cmd = /usr/sbin/realm join --membership-software=samba -U user DOMAIN.SITE. rc = 1. stdout = ['']. stderr = ['realm: Already joined to this domain', '']
Traceback (most recent call last):
  File "/opt/rockstor/src/rockstor/rest_framework_custom/generic_view.py", line 41, in _handle_exception
    yield
  File "/opt/rockstor/src/rockstor/smart_manager/views/active_directory.py", line 195, in post
    join_domain(config, method=method)
  File "/opt/rockstor/src/rockstor/system/directory_services.py", line 270, in join_domain
    return run_command(cmd, input=("{}\n".format(config.get("password"))), log=True)
  File "/opt/rockstor/src/rockstor/system/osi.py", line 251, in run_command
    raise CommandException(cmd, out, err, rc)
system.exceptions.CommandException: Error running a command. cmd = /usr/sbin/realm join --membership-software=samba -U user DOMAIN.SITE. rc = 1. stdout = ['']. stderr = ['realm: Already joined to this domain', '']

This was the text from the shell when trying to start the SSSD service:

ocelot11-nas:~ # sudo systemctl start sssd
Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xeu sssd.service" for details.
ocelot11-nas:~ # sudo systemctl status sssd
× sssd.service - System Security Services Daemon
     Loaded: loaded (/usr/lib/systemd/system/sssd.service; disabled; preset: disabled)
     Active: failed (Result: exit-code) since Mon 2023-07-24 19:54:19 EDT; 1min 1s ago
    Process: 9824 ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER} (code=exited, status=4)
   Main PID: 9824 (code=exited, status=4)
        CPU: 77ms

Jul 24 19:54:18 ocelot11-nas systemd[1]: Starting System Security Services Daemon...
Jul 24 19:54:19 ocelot11-nas sssd[9824]: SSSD couldn't load the configuration databas>
Jul 24 19:54:19 ocelot11-nas systemd[1]: sssd.service: Main process exited, code=exit>
Jul 24 19:54:19 ocelot11-nas systemd[1]: sssd.service: Failed with result 'exit-code'.
Jul 24 19:54:19 ocelot11-nas systemd[1]: Failed to start System Security Services Dae>
     Active: failed (Result: exit-code) since Mon 2023-07-24 19:54:19 EDT; 1min 1s ago
    Process: 9824 ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER} (code=exited, status=4)
   Main PID: 9824 (code=exited, status=4)
        CPU: 77ms

Jul 24 19:54:18 ocelot11-nas systemd[1]: Starting System Security Services Daemon...
Jul 24 19:54:19 ocelot11-nas sssd[9824]: SSSD couldn't load the configuration databas>
Jul 24 19:54:19 ocelot11-nas systemd[1]: sssd.service: Main process exited, code=exit>
Jul 24 19:54:19 ocelot11-nas systemd[1]: sssd.service: Failed with result 'exit-code'.
Jul 24 19:54:19 ocelot11-nas systemd[1]: Failed to start System Security Services Dae>
~
~
~
~
× sssd.service - System Security Services Daemon
     Loaded: loaded (;;file://ocelot11-nas/usr/lib/systemd/system/sssd.service/usr/lib/systemd/system/sssd.service;;; disabled; preset: disabled);;
     Active: failed (Result: exit-code) since Mon 2023-07-24 19:54:19 EDT; 1min 1s ago
    Process: 9824 ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER} (code=exited, status=4)
   Main PID: 9824 (code=exited, status=4)
        CPU: 77ms

Jul 24 19:54:18 ocelot11-nas systemd[1]: Starting System Security Services Daemon...
Jul 24 19:54:19 ocelot11-nas sssd[9824]: SSSD couldn't load the configuration database [1432158246]: No domain is enabled
Jul 24 19:54:19 ocelot11-nas systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION
Jul 24 19:54:19 ocelot11-nas systemd[1]: sssd.service: Failed with result 'exit-code'.
Jul 24 19:54:19 ocelot11-nas systemd[1]: Failed to start System Security Services Daemon.
~
~
~
~
~
~
~
~
~
~
~
~
~
~
byte 1146/1146 (END)...skipping...
× sssd.service - System Security Services Daemon
     Loaded: loaded (;;file://ocelot11-nas/usr/lib/systemd/system/sssd.service/usr/lib/systemd/system/sssd.service;;; disabled; preset: disabled);;
     Active: failed (Result: exit-code) since Mon 2023-07-24 19:54:19 EDT; 1min 1s ago
    Process: 9824 ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER} (code=exited, status=4)
   Main PID: 9824 (code=exited, status=4)                                                                                                                                                        
        CPU: 77ms                                                                                                                                                                                
                                                                                                                                                                                                 
Jul 24 19:54:18 ocelot11-nas systemd[1]: Starting System Security Services Daemon...                                                                                                             
Jul 24 19:54:19 ocelot11-nas sssd[9824]: SSSD couldn't load the configuration database [1432158246]: No domain is enabled
Jul 24 19:54:19 ocelot11-nas systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION                                                                                   
Jul 24 19:54:19 ocelot11-nas systemd[1]: sssd.service: Failed with result 'exit-code'.
Jul 24 19:54:19 ocelot11-nas systemd[1]: Failed to start System Security Services Daemon.
ocelot11-nas:~ # sudo journalctl -xe
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit sssd.service has finished with a failure.
░░
░░ The job identifier is 2530 and the job result is failed.
Jul 24 19:54:19 ocelot11-nas systemd[1]: Reached target User and Group Name Lookups.
░░ Subject: A start job for unit nss-user-lookup.target has finished successfully
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit nss-user-lookup.target has finished successfully.
░░
░░ The job identifier is 2649.
Jul 24 19:54:19 ocelot11-nas sudo[9818]: pam_unix(sudo:session): session closed for user root
Jul 24 19:55:20 ocelot11-nas sudo[10284]:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/systemctl status sssd
Jul 24 19:55:20 ocelot11-nas sudo[10284]: pam_unix(sudo:session): session opened for user root(uid=0) by root(uid=0)
Jul 24 19:58:09 ocelot11-nas systemd[9255]: Created slice User Background Tasks Slice.
░░ Subject: A start job for unit UNIT has finished successfully
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit UNIT has finished successfully.
░░
░░ The job identifier is 16.
Jul 24 19:58:09 ocelot11-nas systemd[9255]: Starting Cleanup of User's Temporary Files and Directories...
░░ Subject: A start job for unit UNIT has begun execution
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit UNIT has begun execution.
░░
░░ The job identifier is 15.
Jul 24 19:58:09 ocelot11-nas systemd[9255]: Finished Cleanup of User's Temporary Files and Directories.
░░ Subject: A start job for unit UNIT has finished successfully
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit UNIT has finished successfully.
░░
░░ The job identifier is 15.
Jul 24 19:58:44 ocelot11-nas sudo[10284]: pam_unix(sudo:session): session closed for user root
Jul 24 19:58:55 ocelot11-nas sudo[12623]:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/journalctl -xe
Jul 24 19:58:55 ocelot11-nas sudo[12623]: pam_unix(sudo:session): session opened for user root(uid=0) by root(uid=0)
1 Like

This was the sssd config file located at /etc/sssd/sssd.conf:

[sssd]
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
; domains = LDAP

[nss]

[pam]

# Example LDAP domain
; [domain/LDAP]
; id_provider = ldap
; auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
; ldap_schema = rfc2307
; ldap_uri = ldap://ldap.mydomain.org
; ldap_search_base = dc=mydomain,dc=org
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
; enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
; cache_credentials = true

# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For UNIX and map LDAP attributes onto
# msSFU30* attribute names.
; [domain/AD]
; id_provider = ldap
; auth_provider = krb5
; chpass_provider = krb5
;
; ldap_uri = ldap://your.ad.example.com
; ldap_search_base = dc=example,dc=com
; ldap_schema = rfc2307bis
; ldap_sasl_mech = GSSAPI
; ldap_user_object_class = user
; ldap_group_object_class = group
; ldap_user_home_directory = unixHomeDirectory
; ldap_user_principal = userPrincipalName
; ldap_account_expire_policy = ad
; ldap_force_upper_case_realm = true
;
; krb5_server = your.ad.example.com
; krb5_realm = EXAMPLE.COM
1 Like

@ocelot11 btw, this is where I had tagged you:

1 Like

Update: Decided to poke around more when I had time and I had an epiphany. I left the realm via the ‘realm leave’ command, which seemed to clean up whichever issue was happening, then rejoined with ‘realm join’ and suddenly everything seems to be mostly working again. Users have yet to enumerate but I can see group objects enumerating, so I’m sure in some time users will appear as well. Not sure if the GUI join would have worked; it’s something I will test when I have time.

2 Likes

Unfortunately users aren’t enumerating unless I try to log onto the box with them, which fails. Also samba appears to be failing to actually validate users against AD. Unfortunately I don’t have time to poke around more. I’ll have to rely on guest access for now and hide the shares via browsability. Not ideal, but nothing on the NAS is ultra-critical. Plus as I mentioned I don’t know too much about the inner workings of linux in general, so unfortunately all I can do is test and report what I find when I have time. If nobody else is having this issue it could be my setup at this point. I’m not entirely sure.

2 Likes
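Editor's note on the two failure modes in this thread. The `status=4/NOPERMISSION` in the systemctl output is not a diagnosis: `NOPERMISSION` is simply systemd's LSB label for exit code 4, and the actual reason is on the sssd line itself, "No domain is enabled". That is exactly what the posted /etc/sssd/sssd.conf produces, because it is still the package template: the only `domains =` line is `; domains = LDAP`, and `;` starts a comment in sssd.conf. A successful `realm join` writes a real `[domain/<name>]` section and an uncommented `domains =` line, which is consistent with the leave/rejoin fixing the start-up failure. The later observation that users do not "enumerate" is a separate thing: the template's own comment says enumeration defaults to false, and with `enumerate = false` a plain `getent passwd` never lists domain users even when lookups work; the meaningful test is a per-user lookup such as `id user@o11lan.net`. The script below is an added example (not Rockstor, realmd or SSSD code) that turns those three checks into something you can run against a config before restarting sssd. The template text is copied from the post; the "joined" config is a constructed example of the option names realmd's AD provider uses, with values assumed for the O11LAN.NET domain from this thread.

```python
"""Static sanity check for an sssd.conf, modelled on the failure in this thread.

Added example, not Rockstor/realmd/SSSD code. Sample configs are constructed
inline so the script runs offline; see check_file() for a real path.
"""
from __future__ import annotations

import configparser
import os
import stat

# Constructed copy of the template posted in the thread: the only domain line
# is commented out, so SSSD refuses to start ("No domain is enabled").
TEMPLATE_CONF = """
[sssd]
config_file_version = 2
services = nss, pam
; domains = LDAP

[nss]

[pam]

; [domain/AD]
; id_provider = ldap
"""

# Constructed example of what a realmd AD join leaves behind (option names are
# real sssd-ad options; the values are assumed for the thread's domain).
JOINED_CONF = """
[sssd]
domains = o11lan.net
config_file_version = 2
services = nss, pam

[domain/o11lan.net]
id_provider = ad
access_provider = ad
ad_domain = o11lan.net
krb5_realm = O11LAN.NET
cache_credentials = True
use_fully_qualified_names = True
ldap_id_mapping = True
fallback_homedir = /home/%u@%d
"""

# Constructed: a domain is listed but its section is missing (a half-edited file).
BROKEN_CONF = """
[sssd]
domains = o11lan.net
services = nss, pam
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    # sssd.conf is INI-style and both '#' and ';' begin comment lines.
    cp = configparser.ConfigParser(interpolation=None, comment_prefixes=("#", ";"))
    cp.optionxform = str  # sssd option names are case-sensitive; keep them as written
    cp.read_string(text)
    return cp


def check_domains(cp: configparser.ConfigParser) -> list[str]:
    """Return findings; 'error:' ones mean sssd will not start or cannot resolve users."""
    findings: list[str] = []
    if not cp.has_section("sssd"):
        return ["error: no [sssd] section"]
    raw = cp.get("sssd", "domains", fallback="")
    domains = [d.strip() for d in raw.split(",") if d.strip()]
    if not domains:
        # Same condition as the journal line in the thread.
        findings.append("error: no domain is enabled ([sssd] has no 'domains = ...' line)")
        return findings
    for d in domains:
        sect = f"domain/{d}"
        if not cp.has_section(sect):
            findings.append(f"error: domains lists {d!r} but there is no [{sect}] section")
            continue
        if not cp.has_option(sect, "id_provider"):
            findings.append(f"error: [{sect}] has no id_provider")
        enum = cp.get(sect, "enumerate", fallback="false").strip().lower()
        if enum != "true":
            # Expected default: no bulk listing, but per-user lookups still work.
            findings.append(
                f"info: [{sect}] enumerate={enum}: 'getent passwd' will not list domain "
                f"users; verify lookups with 'id user@{d}' instead"
            )
    return findings


def check_ownership_and_mode(uid: int, mode: int, path: str) -> list[str]:
    """sssd.conf(5): the file must be owned by root and readable/writable only by root.

    It can hold bind secrets (e.g. ldap_default_authtok), so looser modes are a leak.
    """
    findings: list[str] = []
    if uid != 0:
        findings.append(f"error: {path} is not owned by root (uid {uid})")
    perm = stat.S_IMODE(mode)
    if perm & 0o077:
        findings.append(f"error: {path} mode {perm:04o} is readable by group/other; expected 0600")
    return findings


def check_file(path: str) -> list[str]:
    """Run both checks against a real file (e.g. /etc/sssd/sssd.conf)."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        cp = parse_sssd_conf(fh.read())
    return check_ownership_and_mode(st.st_uid, st.st_mode, path) + check_domains(cp)


if __name__ == "__main__":
    for name, text in (("template", TEMPLATE_CONF), ("joined", JOINED_CONF), ("broken", BROKEN_CONF)):
        print(f"== {name} ==")
        for line in check_domains(parse_sssd_conf(text)):
            print("  " + line)
```

Run it as root with `check_file("/etc/sssd/sssd.conf")` after a join; any `error:` line is a reason sssd will exit with status 4 again or leave users unresolvable, while the `info:` line is the normal state on a freshly joined box and not a fault.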