Migrating from CentOS to OpenSUSE error with Users

kupan787 · March 4, 2022, 12:58am

I seem to be having an issue in my migration from my CentOS install to OpenSUSE. Everything seems to mostly have gone fine. However, when I try and go to the Users page, it spins for 30 seconds, and then I get an error but it isn’t very helpful:

Houston, we’ve had a problem.

Unknown internal error doing a GET to /api/users?page=1&format=json&page_size=32000&count=

The Groups page loads fine, it just seems to be the Users page that has an issue.

I’m trying to poke around in the database, to see if there is like a user with a bad ID or something, but I can’t seem to find anything.

This same “internal error” also shows up on the Shares page when I click into a share.

Let me know if there is more I can provide.

kupan787 · March 4, 2022, 6:58am

Ok, I’ve done some more digging in.

Firstly, I had tried enabling LDAP in the Service section. While it enabled, it didn’t seem to pull down my users/groups. Dropping to an ssh shell and doing:

getent passwd someLdapUser

Would return nothing. Dropping to a shell and running

systemctl status sssd

Showed the service running, but had the following error:

Could not start TLS encryption. error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get issuer certificate)

I hand edited the sssd.conf file, and commented out the TLS lines, and then restarted sssd from the shell. Now I was seeing my LDAP users. However, when I go to the Users page, it gives the above error.

If I disabled the sssd service, then the Users page started working (but without my ldap users).

I’ll try and do some more digging, but it seems like something is going on with the LDAP settings and how I am trying to enable things. If anyone has any insight into how to get LDAP configured and going, I’m all ears.

phillxnet · March 4, 2022, 11:48am

@kupan787 Hello there.

I’m afraid this is more in @Flox realm than my own. So I’m unable currently to offer much in the way of ways out/around. Do keep us informed of your finding though.

The following wiki entry may help with how stuff is done on the Rockstor side of things:

At least on the AD front. I’m not actually sure where our LDAP stuff is currently.

Apologies for not being of any real help here.

Flox · March 4, 2022, 2:23pm

Hi @kupan787,

Nice to read from you again and thanks for reporting that one.

For information, I enforced the TLS bit following SSSD’s recommendation: see the related part in the PR in question:

Still related to LDAP, note that I’m forcing here the use of TLS encryption as per SSSD’s recommendation:

LDAP back end supports id, auth, access and chpass providers. If you want to authenticate against an LDAP server either TLS/SSL or LDAPS is required. sssd does not support authentication over an unencrypted channel. If the LDAP server is used only as an identity provider, an encrypted channel is not needed.

source: https://linux.die.net/man/5/sssd-ldap

We are thus verifying first that the provided certificate matches with the server’s upon turning the LDAP service ON.

Per your findings, however, this may be a bit extreme so we may switch this to an option (enabled by default but one can disable if needed).
Is TLS set up on your Ldap server or not at all?

@phillxnet, I’m surprised this led to a panic on the Users page but it’s a nice find if that’s the case indeed. We may want to avoid this kind of result.

Flox · March 4, 2022, 2:30pm

A quick thought… How many users do you have? I’m wondering if it’s just a timeout issue here. Does the error on the Users page happens right away or does it try to load for a little while and then fails?

Flox · March 4, 2022, 4:00pm

Sorry for the repeated posts here; things are a bit hectic on my end for the moment, unfortunately.

I just wanted to also note that if you indeed experience a timeout, it would be interesting to try unchecking the “enable enumeration” checkbox when configuring the LDAP service and see whether it changes anything.

One last question: can you see your users (ldap and non-ldap) using getent passwd after fixing the TLS config in sssd.conf or do you still experience a problem with that?

kupan787 · March 4, 2022, 5:02pm

So I don’t think I have many just 13. I actually have more groups (27) and the groups page loads just fine. The users page will spin for 10 or 15 seconds and then it throws up the error message.

I did give this a try, and it doesn’t seem to make a difference.

So I disabled the bits in the sssd config file, and restarted sssd manually (if I do it from RockStor it will reintroduce the TLS parts). That said, after restarting getent works fine.

I’m also able to do a domain-status check:

rocknas:~ # sssctl domain-status ldap.int.mydomain.com

Online status: Online

Active servers:

LDAP: ldap.int.mydomain.com

Discovered LDAP servers:

- ldap.int.mydomain.com

So it does indeed appear that sssd is working, and picking things up as expected.

One thought I had, and it wasn’t an issue for me previously on the CentOS install. But my initial Rockstor user that is created during the setup flow also exists in LDAP. Could there be some conflict that it is seeing both a user in LDAP and a native Rockstor user that causes an issue?

When I was on CentOS, I don’t think I had updated to the version that had SSSD, so I was using a combination of nscd and nslcd to do my ldap.

If there is anything I can do to tweak the code to try and get some more debug output, let me know. I don’t mind poking around in the python, just need to know where to look.