Samba Active Directory User Enumeration Fails

Brief description of the problem

After a clean install of Rockstor 5.1.0-0, configuring the NTP, SAMBA Workgroup and Active Directory; successfully starting the services in that order; NAS2-1 shows up as COMPUTER in Active Directory, Active Directory Groups are enumerated, while Active Directory Users are NOT enumerated.

Detailed step by step instructions to reproduce the problem

The brief description includes the steps for reproduction. The environment is as follows:

Samba Active Directory Controller: XCP-ng VM Debian 12 Samba BIND9 v4.23.2 built from source
Rockstor: v5.1.0-0 on XCP-ng VM with passthrough HBA adapters built from generic AMD64 ISO

NAS2-1:/etc/sssd # systemctl status sssd

ā— sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; preset: disabled)
Active: active (running) since Tue 2026-04-07 13:06:52 MST; 23min ago
Process: 30611 ExecStartPre=/bin/chown -f -R -H root:sssd /etc/sssd (code=exited, status=0/SUCCESS)
Process: 30613 ExecStartPre=/bin/chmod -f -R g+r /etc/sssd (code=exited, status=0/SUCCESS)
Process: 30615 ExecStartPre=/bin/chmod -f g+x /etc/sssd (code=exited, status=0/SUCCESS)
Process: 30617 ExecStartPre=/bin/chmod -f g+x /etc/sssd/conf.d (code=exited, status=0/SUCCESS)
Process: 30619 ExecStartPre=/bin/chmod -f g+x /etc/sssd/pki (code=exited, status=1/FAILURE)
Process: 30621 ExecStartPre=/bin/sh -c /bin/chown -f -h sssd:sssd /var/lib/sss/db/*.ldb (code=exited, status=0/SUCCESS)
Process: 30623 ExecStartPre=/bin/chown -f -R -h sssd:sssd /var/lib/sss/gpo_cache (code=exited, status=0/SUCCESS)
Process: 30625 ExecStartPre=/bin/sh -c /bin/chown -f -h sssd:sssd /var/log/sssd/*.log* (code=exited, status=0/SUCCESS)
Main PID: 30627 (sssd)
Tasks: 6 (limit: 4915)
CPU: 279ms
CGroup: /system.slice/sssd.service
├─30627 /usr/sbin/sssd -i --logger=files
├─30628 /usr/lib/sssd/sssd_be --domain traditionsllc.net --logger=files
├─30630 /usr/lib/sssd/sssd_nss --logger=files
├─30631 /usr/lib/sssd/sssd_pam --logger=files
├─30632 /usr/lib/sssd/sssd_ifp --logger=files
└─30633 /usr/lib/sssd/sssd_pac --logger=files

Apr 07 13:06:51 NAS2-1 systemd[1]: Starting System Security Services Daemon…
Apr 07 13:06:51 NAS2-1 sssd[30627]: Starting up
Apr 07 13:06:51 NAS2-1 sssd_be[30628]: Starting up
Apr 07 13:06:51 NAS2-1 sssd_ifp[30632]: Starting up
Apr 07 13:06:51 NAS2-1 sssd_nss[30630]: Starting up
Apr 07 13:06:51 NAS2-1 sssd_pam[30631]: Starting up
Apr 07 13:06:52 NAS2-1 sssd_pac[30633]: Starting up
Apr 07 13:06:52 NAS2-1 systemd[1]: Started System Security Services Daemon.
Apr 07 13:22:08 NAS2-1 sssd_nss[30630]: Enumeration requested but not enabled[1]

[1] shows up after executing the following:
NAS2-1:/etc/sssd # getent passwd

root:x:0:0:root:/root:/bin/bash
messagebus:x:499:499:User for D-Bus:/run/dbus:/usr/bin/false
systemd-timesync:x:484:484:systemd Time Synchronization:/:/usr/sbin/nologin
daemon:x:2:2:Daemon:/sbin:/usr/sbin/nologin
lp:x:483:490:Printing daemon:/var/spool/lpd:/usr/sbin/nologin
mail:x:482:482:Mailer daemon:/var/spool/clientmqueue:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/var/lib/nobody:/bin/bash
upsd:x:481:481:UPS daemon:/var/lib/empty:/usr/sbin/nologin
rpc:x:480:65534:user for rpcbind:/var/lib/empty:/sbin/nologin
statd:x:479:65533:NFS statd daemon:/var/lib/nfs:/sbin/nologin
sshd:x:478:478:SSH daemon:/var/lib/sshd:/usr/sbin/nologin
dockremap:x:477:477:docker --userns-remap=default:/:/usr/sbin/nologin
chrony:x:476:476:Chrony Daemon:/var/lib/chrony:/usr/sbin/nologin
pesign:x:475:479:PE-COFF signing daemon:/var/lib/pesign:/bin/false
ntp:x:74:475:NTP daemon:/var/lib/ntp:/bin/false
postgres:x:474:474:PostgreSQL Server:/var/lib/pgsql:/bin/bash
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/usr/sbin/nologin
avahi:x:473:473:User for Avahi:/run/avahi-daemon:/usr/sbin/nologin
nginx:x:472:472:User for nginx:/var/lib/nginx:/usr/sbin/nologin
shellinabox:x:471:471:user for shellinabox:/var/lib/shellinabox:/bin/false
polkitd:x:470:470:User for polkitd:/var/lib/polkit:/usr/sbin/nologin
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/usr/sbin/nologin
sssd:x:469:468:System Security Services Daemon:/run/sssd:/sbin/nologin
nasntadmin:x:1000:100::/home/nasntadmin:/bin/bash

NAS2-1:/etc/sssd # wbinfo -p
Ping to winbindd succeeded

NAS2-1:/etc/sssd # wbinfo -D traditionsllc.net
Name : TRADITIONSLLC
Alt_Name : traditionsllc.net
SID : S-1-5-21-3387211117-2021684950-4115634017
Active Directory : Yes
Native : Yes
Primary : Yes

NAS2-1:/etc/sssd # wbinfo -K administrator
Enter administrator’s password:
plaintext kerberos password authentication for [administrator] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

NAS2-1:/etc/sssd # wbinfo -u

TRADITIONSLLC\guest
TRADITIONSLLC\administrator
TRADITIONSLLC\dns-dc1-1
TRADITIONSLLC\krbtgt

NAS2-1:/etc/sssd # id administrator

id: ‘administrator’: no such user

NAS2-1:/etc/sssd # id administrator@traditionsllc.net

uid=573800500(administrator@traditionsllc.net) gid=573800513(domain users@traditionsllc.net) groups=573800513(domain users@traditionsllc.net),573800518(schema admins@traditionsllc.net),573800572(denied rodc password replication group@traditionsllc.net),573800519(enterprise admins@traditionsllc.net),573800512(domain admins@traditionsllc.net),573800520(group policy creator owners@traditionsllc.net)

NAS2-1:/etc/sssd # cat /etc/sssd/sssd.conf
…
[sssd]
services = nss, pam, ifp
domains = traditionsllc.net
config_file_version = 2

…
[domain/traditionsllc.net]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = TRADITIONSLLC.NET
realmd_tags = manages-system joined-with-samba
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = traditionsllc.net
use_fully_qualified_names = true
ldap_id_mapping = True
access_provider = ad
enumerate = True

NAS2-1:/etc/sssd # cat /etc/nsswitch.conf

…
passwd: compat sss
group: compat sss
shadow: compat sss
…

NAS2-1:/etc/sssd # cat /var/log/sssd/sssd_traditionsllc.net.log | grep '2026-04-07 12:39:'

  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sbus_dispatch] (0x4000): Dispatching.
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sbus_method_handler] (0x2000): Received D-Bus method sssd.dataprovider.getAccountInfo on /sssd from sssd.nss
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sbus_senders_lookup] (0x2000): Looking for identity of sender [sssd.nss]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=administrator@traditionsllc.net]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [dp_attach_req] (0x0400): [RID#7] DP Request [Account #7]: REQ_TRACE: New request. [sssd.nss CID #18] Flags [0x0001].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [dp_attach_req] (0x0400): [RID#7] Number of active DP request: 1
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sss_domain_get_state] (0x1000): [RID#7] Domain traditionsllc.net is Active
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sss_domain_get_state] (0x1000): [RID#7] Domain traditionsllc.net is Active
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_id_op_connect_step] (0x4000): [RID#7] reusing cached connection
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_id_conn_data_not_idle] (0x4000): [RID#7] Marking connection as not idle
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_search_user_next_base] (0x0400): [RID#7] Searching for users with base [DC=traditionsllc,DC=net]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_step] (0x0400): [RID#7] calling ldap_search_ext with [(&(sAMAccountName=administrator)(objectclass=user)(sAMAccountName=)(objectSID=))][DC=traditionsllc,DC=net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_step] (0x1000): [RID#7] Requesting attrs: [objectClass]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_step] (0x1000): [RID#7] Requesting attrs: [sAMAccountName]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_step] (0x1000): [RID#7] Requesting attrs: [unixUserPassword]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_step] (0x1000): [RID#7] Requesting attrs: [uidNumber]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_step] (0x1000): [RID#7] Requesting attrs: [gidNumber]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_step] (0x1000): [RID#7] Requesting attrs: [gecos]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_step] (0x1000): [RID#7] Requesting attrs: [unixHomeDirectory]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_step] (0x1000): [RID#7] Requesting attrs: [loginShell]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_step] (0x1000): [RID#7] Requesting attrs: [userPrincipalName]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_step] (0x1000): [RID#7] Requesting attrs: [name]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_step] (0x1000): [RID#7] Requesting attrs: [memberOf]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_step] (0x1000): [RID#7] Requesting attrs: [objectGUID]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_step] (0x1000): [RID#7] Requesting attrs: [objectSID]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_step] (0x1000): [RID#7] Requesting attrs: [primaryGroupID]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_step] (0x1000): [RID#7] Requesting attrs: [whenChanged]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_step] (0x1000): [RID#7] Requesting attrs: [uSNChanged]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_step] (0x1000): [RID#7] Requesting attrs: [accountExpires]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_step] (0x1000): [RID#7] Requesting attrs: [userAccountControl]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_step] (0x1000): [RID#7] Requesting attrs: [userCertificate;binary]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_step] (0x1000): [RID#7] Requesting attrs: [mail]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_step] (0x1000): [RID#7] Requesting attrs: [sAMAccountName]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_step] (0x1000): [RID#7] Requesting attrs: [altSecurityIdentities]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_step] (0x2000): [RID#7] ldap_search_ext called, msgid = 7
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_op_add] (0x2000): [RID#7] New operation 7 timeout 6
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_process_result] (0x2000): Trace: sh[0x55b9a29c9030], connected[1], ops[0x55b9a29cf7f0], ldap[0x55b9a2955830]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_process_message] (0x4000): [RID#7] Message type: [LDAP_RES_SEARCH_ENTRY]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_parse_entry] (0x1000): [RID#7] OriginalDN: [CN=Administrator,CN=Users,DC=traditionsllc,DC=net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_parse_range] (0x2000): [RID#7] No sub-attributes for [objectClass]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_parse_range] (0x2000): [RID#7] No sub-attributes for [name]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_parse_range] (0x2000): [RID#7] No sub-attributes for [objectGUID]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_parse_range] (0x2000): [RID#7] No sub-attributes for [userAccountControl]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_parse_range] (0x2000): [RID#7] No sub-attributes for [primaryGroupID]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_parse_range] (0x2000): [RID#7] No sub-attributes for [objectSid]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_parse_range] (0x2000): [RID#7] No sub-attributes for [accountExpires]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_parse_range] (0x2000): [RID#7] No sub-attributes for [sAMAccountName]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_parse_range] (0x2000): [RID#7] No sub-attributes for [memberOf]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_parse_range] (0x2000): [RID#7] No sub-attributes for [whenChanged]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_parse_range] (0x2000): [RID#7] No sub-attributes for [uSNChanged]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_process_result] (0x2000): Trace: sh[0x55b9a29c9030], connected[1], ops[0x55b9a29cf7f0], ldap[0x55b9a2955830]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_process_message] (0x4000): [RID#7] Message type: [LDAP_RES_SEARCH_REFERENCE]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_add_references] (0x1000): [RID#7] Additional References: ldap://traditionsllc.net/CN=Configuration,DC=traditionsllc,DC=net
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_process_result] (0x2000): Trace: sh[0x55b9a29c9030], connected[1], ops[0x55b9a29cf7f0], ldap[0x55b9a2955830]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_process_message] (0x4000): [RID#7] Message type: [LDAP_RES_SEARCH_REFERENCE]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_add_references] (0x1000): [RID#7] Additional References: ldap://traditionsllc.net/DC=DomainDnsZones,DC=traditionsllc,DC=net
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_process_result] (0x2000): Trace: sh[0x55b9a29c9030], connected[1], ops[0x55b9a29cf7f0], ldap[0x55b9a2955830]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_process_message] (0x4000): [RID#7] Message type: [LDAP_RES_SEARCH_REFERENCE]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_ext_add_references] (0x1000): [RID#7] Additional References: ldap://traditionsllc.net/DC=ForestDnsZones,DC=traditionsllc,DC=net
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_process_result] (0x2000): Trace: sh[0x55b9a29c9030], connected[1], ops[0x55b9a29cf7f0], ldap[0x55b9a2955830]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_process_message] (0x4000): [RID#7] Message type: [LDAP_RES_SEARCH_RESULT]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_generic_op_finished] (0x0400): [RID#7] Search result: Success(0), no errmsg set
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_op_destructor] (0x2000): [RID#7] Operation 7 finished
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [generic_ext_search_handler] (0x4000): [RID#7] Request included referrals which were ignored.
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_search_user_process] (0x0400): [RID#7] Search for users, returned 1 results.
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_search_user_process] (0x2000): [RID#7] Retrieved total 1 users
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_save_user] (0x0400): [RID#7] Save user
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sss_domain_get_state] (0x1000): [RID#7] Domain traditionsllc.net is Active
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_primary_name] (0x0400): [RID#7] Processing object Administrator
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_save_user] (0x0400): [RID#7] Processing user Administrator@traditionsllc.net
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_save_user] (0x0400): [RID#7] Storing Canonical UPN Administrator@TRADITIONSLLC.NET for user Administrator@traditionsllc.net
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_save_user] (0x1000): [RID#7] Mapping user [Administrator@traditionsllc.net] objectSID [S-1-5-21-3387211117-2021684950-4115634017-500] to unix ID
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_save_user] (0x2000): [RID#7] Adding originalDN [CN=Administrator,CN=Users,DC=traditionsllc,DC=net] to attributes of [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_save_user] (0x0400): [RID#7] Adding original memberOf attributes to [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#7] Adding original mod-Timestamp [20260407061222.0Z] to attributes of [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_save_user] (0x0400): [RID#7] User principal is not available for [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#7] shadowLastChange is not available for [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#7] shadowMin is not available for [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#7] shadowMax is not available for [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#7] shadowWarning is not available for [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#7] shadowInactive is not available for [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#7] shadowExpire is not available for [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#7] shadowFlag is not available for [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#7] krbLastPwdChange is not available for [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#7] krbPasswordExpiration is not available for [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#7] pwdAttribute is not available for [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#7] authorizedService is not available for [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#7] Adding adAccountExpires [9223372036854775807] to attributes of [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#7] Adding adUserAccountControl [512] to attributes of [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#7] nsAccountLock is not available for [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#7] authorizedHost is not available for [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#7] authorizedRHost is not available for [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#7] ndsLoginDisabled is not available for [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#7] ndsLoginExpirationTime is not available for [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#7] ndsLoginAllowedTimeMap is not available for [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#7] sshPublicKey is not available for [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#7] authType is not available for [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#7] userCertificate is not available for [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#7] mail is not available for [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#7] Adding adSAMAccountName [Administrator] to attributes of [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#7] userPasskey is not available for [Administrator@traditionsllc.net].
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sysdb_attrs_get_aliases] (0x2000): [RID#7] Domain is case-insensitive; will add lowercased aliases
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_save_user] (0x0400): [RID#7] Storing info for user Administrator@traditionsllc.net
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sysdb_set_entry_attr] (0x0200): [RID#7] Entry [name=Administrator@traditionsllc.net,cn=users,cn=traditionsllc.net,cn=sysdb] has set [ts_cache] attrs.
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sysdb_remove_attrs] (0x2000): [RID#7] Removing attribute [userPassword] from [Administrator@traditionsllc.net]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sysdb_remove_attrs] (0x2000): [RID#7] Removing attribute [homeDirectory] from [Administrator@traditionsllc.net]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sysdb_remove_attrs] (0x2000): [RID#7] Removing attribute [loginShell] from [Administrator@traditionsllc.net]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sysdb_remove_attrs] (0x2000): [RID#7] Removing attribute [userPrincipalName] from [Administrator@traditionsllc.net]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sysdb_remove_attrs] (0x2000): [RID#7] Removing attribute [userCertificate] from [Administrator@traditionsllc.net]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sysdb_remove_attrs] (0x2000): [RID#7] Removing attribute [mail] from [Administrator@traditionsllc.net]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sysdb_remove_attrs] (0x2000): [RID#7] Removing attribute [userPasskey] from [Administrator@traditionsllc.net]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sysdb_store_user] (0x0400): [RID#7] User “Administrator@traditionsllc.net” has been stored
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_save_users] (0x4000): [RID#7] User 0 processed!
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_get_users_done] (0x4000): [RID#7] Saving 1 Users - Done
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_id_op_done] (0x4000): [RID#7] releasing operation connection
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_id_conn_data_idle] (0x4000): [RID#7] Marking connection as idle
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [dp_req_done] (0x0400): [RID#7] DP Request [Account #7]: Request handler finished [0]: Success
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [_dp_req_recv] (0x0400): [RID#7] DP Request [Account #7]: Receiving request data.
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [dp_req_destructor] (0x0400): [RID#7] DP Request [Account #7]: Request removed.
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [dp_req_destructor] (0x0400): [RID#7] Number of active DP request: 0
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [dp_req_reply_std] (0x1000): [RID#7] DP Request [Account #7]: Returning [Success]: 0,0,Success
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.getAccountInfo on /sssd from sssd.nss: Success
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_process_result] (0x2000): Trace: sh[0x55b9a29c9030], connected[1], ops[(nil)], ldap[0x55b9a2955830]
  • (2026-04-07 12:39:44): [be[traditionsllc.net]] [sdap_process_result] (0x2000): Trace: end of ldap_result list

Web-UI screenshot

Error Traceback provided on the Web-UI

No GUI Errors



1 Like

@traditionsllc welcome to the Rockstor community.

I am not an expert in using Active Directory services. However, have you taken a look at this (somewhat aged) post already? I know it eventually did not resolve the issue, but maybe some settings around enumeration, etc. will be helpful for your case…

I guess, if you’re updating any of the sssd settings, then it seems from what I read that you often also need to clear out the cache (which you might already be doing). Also, not sure how case-sensitive the config file is on both the keys (e.g. True vs. true).

2 Likes

I did; the OP’s scenario had a number of differences. In my circumstance, when clicking the Rockstor GUI “Active Directory” service button after properly activating the SAMBA service with the Workgroup properly defined and the NTP service, Rockstor successfully joined the DOMAIN, which was reflected by the Windows Active Directory RSAT application. While the OP’s posting was from MAR 2023, bringing the environment closer to our deployment, it is still significantly dated (i.e. several versions earlier components), creating a larger gap of potential unrelated issues.

I’ve reviewed a number of posts as well as Googled SSSD/Samba Active Directory SSSD enumeration posts that deal with the failure of USER enumeration while successfully having GROUP enumeration. I’ve tested a large portion of the suggested interventions, including, but not limited to, building my SAMBA Active Directory Domain Controller with and without RFC2307. I am certainly a novice when it comes to SSSD and Kerberos authentication, so I decided to reach out.

I have a few older Rockstor 4.1.0-0 identically deployed systems with the caveat of older versions of all the components that work flawlessly so I’m hoping to resolve this issue so we can move forward with our standard Rockstor NAS SMB solutions.

3 Likes

Hello,

Very briefly as I’m unfortunately too short on time, but would you be able to detail which version of SSSD your system has, please?

zypper info sssd

I think I remember a possible change related to enumeration in SSSD somewhat recently (2.9 maybe?) so I wonder if it’s related. Could you also check the version on your Rockstor 4.1 systems, please? They probably run a much older version of SSSD, which could help narrow/rule out an issue with the version of SSSD used.

1 Like

On the Rockstor 5.1.0-0:

Information for package sssd:

Repository : Update repository with updates from SUSE Linux Enterprise 15
Name : sssd
Version : 2.10.2-150600.3.41.1
Arch : x86_64
Vendor : SUSE LLC https://www.suse.com/
Installed Size : 4.9 MiB
Installed : Yes (automatically)
Status : up-to-date
Source package : sssd-2.10.2-150600.3.41.1.src
Upstream URL : https://github.com/SSSD/sssd
Summary : System Security Services Daemon
Description :
A set of daemons to manage access to remote directories and
authentication mechanisms. sssd provides an NSS and PAM interfaces
toward the system and a pluggable backend system to connect to
multiple different account sources. It is also the basis to provide
client auditing and policy services for projects like FreeIPA.

On the Rockstor 4.1.0-0:

Information for package sssd:

Repository : @System
Name : sssd
Version : 1.16.1-150300.23.34.1
Arch : x86_64
Vendor : SUSE LLC https://www.suse.com/
Installed Size : 34.3 KiB
Installed : Yes (automatically)
Status : up-to-date
Source package : sssd-1.16.1-150300.23.34.1.src
Upstream URL : Making sure you're not a bot!
Summary : System Security Services Daemon
Description :
Provides a set of daemons to manage access to remote directories and
authentication mechanisms. It provides an NSS and PAM interface toward
the system and a pluggable backend system to connect to multiple different
account sources. It is also the basis to provide client auditing and policy
services for projects like FreeIPA.

2 Likes

I found this in the release notes for 2.10.0:

  • Support of enumeration feature (i.e. ability to list all users/groups using getent passwd/group without argument) for AD/IPA providers is deprecated and might be removed in further releases. Those who are interested to keep using it awhile should configure its build explicitly using --with-extended-enumeration-support ./configure option.

@Flox Is this what you were thinking of?

2 Likes

Yes, exactly, thanks a lot!

@traditionsllc , I’m curious if specifying the service would force it here:

getent -s sss passwd
1 Like

Rockstor 5.1.0-0:

NAS2-1:~ # getent -s sss passwd
NAS2-1:~ #

Rockstor 4.1.0-0:

NAS:~ # getent -s sss passwd
Provides a full listing of all Samba Active Directory Users

3 Likes

Thanks a lot for all the information and your patience and help with getting to the bottom of this. I’m completely mentally drained and exhausted from work lately so I’ll summarize my understanding of your situation below to make sure I didn’t miss part of your explanations or misunderstand something. Please pardon any inaccuracies and correct me where needed.

In Rockstor’s webUI, you do see your AD groups but you do not see the AD users, correct? If this is indeed the case, and based on all the information you provided (thanks again, that is always so helpful!), that would give another clue as what is happening here.

Thanks to @Hooverdan for digging up the exact SSSD version with the enumeration deprecation, and your functioning systems on SSSD < 2.10 but not >= 2.10, it appears relatively safe to think that we have the culprit here. The fact that you do see the AD groups in Rockstor’s webUI can be explained by the fact that we do have a fallback to directly query groups from a remote domain using SSSD D-Bus interface if we can’t get them from system calls (where enumeration would be needed). We unfortunately do not have such fallback for remote users. I thus don’t think you have a working enumeration of groups either, it’s just that Rockstor tries harder for groups than users for the moment.

It is clear we need to fix that in a future release but it won’t help you right now, I’m afraid.

If you are indeed still testing Rockstor 5.1.0, and are thus willing to test something I have not tested (meaning I don’t know if it would work or cause breakages), maybe we can try using an older version of SSSD to (1) fix your issue, albeit with a band-aid for now, and (2) prove the SSSD version is the culprit here. One caveat is that I don’t know if a compatible version of SSSD is available for your system, but maybe you can try?

zypper install 'sssd<2.10'

Let us know if you are game with trying this.

2 Likes
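A way to confirm the mechanism @Flox describes, and to list AD users on SSSD 2.10 without NSS enumeration: the script below is an added example, not Rockstor's or SSSD's own code. It calls the InfoPipe `Users.ListByName(filter, limit)` method with a `*` filter through `busctl`, reads `name`, `uidNumber` and `gidNumber` from each returned `Users.User` object, and reports which of those UIDs `getent -s sss passwd` does not show. It assumes `ifp` is in the `[sssd]` services list (it is in the config posted above), that it runs as root (the default `[ifp] allowed_uids`), and that `busctl` is installed; the busctl replies and `getent` output embedded in it are constructed samples, not captures from the poster's system.

```python
"""List Active Directory users through SSSD's InfoPipe (D-Bus) responder.

Added example, not Rockstor's or SSSD's code. It uses the same
org.freedesktop.sssd.infopipe service Rockstor already uses as its group
fallback, but on the Users object, so AD users can be listed on SSSD >= 2.10
where `getent passwd` enumeration for the AD provider is no longer built in.
Assumptions: `ifp` is in the [sssd] services list, the caller's UID is in
[ifp] allowed_uids (root by default), and busctl is available.
"""
from __future__ import annotations

import shlex
import subprocess
from dataclasses import dataclass

IFP_BUS = "org.freedesktop.sssd.infopipe"
USERS_PATH = "/org/freedesktop/sssd/infopipe/Users"
USERS_IFACE = "org.freedesktop.sssd.infopipe.Users"
USER_IFACE = "org.freedesktop.sssd.infopipe.Users.User"

# Constructed sample busctl replies (not captured from the poster's system);
# the object-path encoding of the domain name is illustrative only.
SAMPLE_LIST_REPLY = (
    'ao 2 "/org/freedesktop/sssd/infopipe/Users/traditionsllc_2enet/573800500" '
    '"/org/freedesktop/sssd/infopipe/Users/traditionsllc_2enet/573800501"'
)
SAMPLE_NAME_REPLY = 's "administrator@traditionsllc.net"'
SAMPLE_UID_REPLY = "u 573800500"
# Constructed `getent -s sss passwd` output: only the user already looked up by name.
SAMPLE_GETENT = (
    "administrator@traditionsllc.net:*:573800500:573800513::"
    "/home/administrator@traditionsllc.net:/bin/bash\n"
)


@dataclass(frozen=True)
class IfpUser:
    name: str
    uid: int
    gid: int


def parse_object_paths(reply: str) -> list[str]:
    """Parse a busctl `ao` reply: `ao <count> "<path>" "<path>" ...`."""
    tokens = shlex.split(reply)
    if len(tokens) < 2 or tokens[0] != "ao":
        raise ValueError(f"expected an 'ao' reply, got {reply!r}")
    count = int(tokens[1])
    paths = tokens[2:]
    if len(paths) != count:
        raise ValueError(f"reply announced {count} paths but carried {len(paths)}")
    return paths


def parse_property(reply: str) -> str | int:
    """Parse busctl get-property output such as `s "name"` or `u 573800500`."""
    tokens = shlex.split(reply)
    if len(tokens) != 2:
        raise ValueError(f"unexpected property reply {reply!r}")
    sig, value = tokens
    if sig == "s":
        return value
    if sig in ("u", "i", "t", "x", "q", "n", "y"):
        return int(value)
    raise ValueError(f"unsupported D-Bus type {sig!r}")


def busctl(*args: str) -> str:
    """Run busctl on the system bus; a D-Bus error (e.g. UID not allowed) raises."""
    proc = subprocess.run(["busctl", "--system", *args], check=True,
                          capture_output=True, text=True)
    return proc.stdout


def list_users(name_filter: str = "*", limit: int = 0) -> list[IfpUser]:
    """Users.ListByName(s filter, u limit): a wildcard filter asks the backend for
    every matching user; limit 0 means no client cap ([ifp] wildcard_limit still applies)."""
    reply = busctl("call", IFP_BUS, USERS_PATH, USERS_IFACE, "ListByName",
                   "su", name_filter, str(limit))
    users = []
    for path in parse_object_paths(reply):
        name = parse_property(busctl("get-property", IFP_BUS, path, USER_IFACE, "name"))
        uid = parse_property(busctl("get-property", IFP_BUS, path, USER_IFACE, "uidNumber"))
        gid = parse_property(busctl("get-property", IFP_BUS, path, USER_IFACE, "gidNumber"))
        users.append(IfpUser(str(name), int(uid), int(gid)))
    return users


def users_missing_from_nss(ifp_users: list[IfpUser], getent_passwd: str) -> list[IfpUser]:
    """IFP users whose UID is absent from `getent -s sss passwd` output. With the AD
    provider on SSSD >= 2.10 this is normally every user not yet looked up by name."""
    nss_uids = set()
    for line in getent_passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            nss_uids.add(int(fields[2]))
    return [u for u in ifp_users if u.uid not in nss_uids]


def selfcheck() -> list[str]:
    """Run the parsers over the constructed samples; returns names the NSS sample lacks."""
    assert len(parse_object_paths(SAMPLE_LIST_REPLY)) == 2
    sample = [
        IfpUser(str(parse_property(SAMPLE_NAME_REPLY)), int(parse_property(SAMPLE_UID_REPLY)), 573800513),
        IfpUser("guest@traditionsllc.net", 573800501, 573800514),
    ]
    return [u.name for u in users_missing_from_nss(sample, SAMPLE_GETENT)]


if __name__ == "__main__":
    found = list_users()
    nss = subprocess.run(["getent", "-s", "sss", "passwd"], capture_output=True, text=True).stdout
    for user in found:
        print(f"{user.name}:{user.uid}:{user.gid}")
    gap = users_missing_from_nss(found, nss)
    print(f"{len(found)} AD users via InfoPipe, {len(gap)} of them invisible to NSS enumeration")
```

Run it as root on the 5.1.0 box: a non-empty InfoPipe listing while `getent -s sss passwd` stays empty and `id user@domain` still resolves confirms the join and the backend are fine and only the NSS enumeration path is missing. A wildcard lookup is also a user-enumeration oracle for anyone who can reach the InfoPipe, so keep `[ifp] allowed_uids` at its root-only default and, if a service account ever needs this, bound it with `wildcard_limit`.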

Your work on the project and to resolve this issue is greatly appreciated!!! We’ll be upgrading our older installs when I resolve this issue and establish appropriate confidence to deploy the newer versions, but I can isolate the current one we registered with appman for testing any configuration you wish. I’ll attempt to deploy an earlier version of SSSD as you suggested in the next 24 hours or so and forward results shortly thereafter. For now here is some feedback you requested:

Yes (see below).

If this helps in anyway, a DOMAIN group can be selected when assigning access rights for a share, but I do NOT believe that translates into granted access to a member of the group. This does not surprise me when considering how would a file access request be able to determine if a DOMAIN user is a member of a DOMAIN group that has been granted access rights to a file/folder if it is unable to establish the DOMAIN user identity attempting access.

2 Likes

NAS2-1:~ # zypper install 'sssd<2.10'
Looking for gpg keys in repository Update repository with updates from SUSE Linux Enterprise 15.
gpgkey=http://download.opensuse.org/update/leap/15.6/sle/repodata/repomd.xml.key
Retrieving repository ‘Update repository with updates from SUSE Linux Enterprise 15’ metadata …[done]
Building repository ‘Update repository with updates from SUSE Linux Enterprise 15’ cache …[done]
Loading repository data…
Reading installed packages…
The selected package ‘sssd-2.9.3-150600.3.31.1.x86_64’ from repository ‘Update repository with updates from SUSE Linux Enterprise 15’ has lower version than the installed one. Use ‘zypper install --oldpackage sssd-2.9.3-150600.3.31.1.x86_64’ to force installation of the package.
Resolving package dependencies…
Nothing to do.
NAS2-1:~ # zypper install --oldpackage sssd-2.9.3-150600.3.31.1.x86_64
Loading repository data…
Reading installed packages…
Resolving package dependencies…

Problem: 1: the installed sssd-tools-2.10.2-150600.3.41.1.x86_64 requires ‘libsss_debug.so(V_2.10.2)(64bit)’, but this requirement cannot be provided
not installable providers: sssd-2.10.2-150600.3.36.1.x86_64[repo-sle-update]

Solution 1: Following actions will be done:
downgrade of sssd-tools-2.10.2-150600.3.41.1.x86_64 to sssd-tools-2.9.3-150600.3.31.1.x86_64
downgrade of sssd-ad-2.10.2-150600.3.41.1.x86_64 to sssd-ad-2.9.3-150600.3.31.1.x86_64
downgrade of sssd-dbus-2.10.2-150600.3.41.1.x86_64 to sssd-dbus-2.9.3-150600.3.31.1.x86_64
downgrade of sssd-krb5-common-2.10.2-150600.3.41.1.x86_64 to sssd-krb5-common-2.9.3-150600.3.31.1.x86_64
downgrade of sssd-ldap-2.10.2-150600.3.41.1.x86_64 to sssd-ldap-2.9.3-150600.3.31.1.x86_64
downgrade of python3-sssd-config-2.10.2-150600.3.41.1.x86_64 to python3-sssd-config-2.9.3-150600.3.31.1.x86_64
Solution 2: do not install sssd-2.9.3-150600.3.31.1.x86_64
Solution 3: break sssd-tools-2.10.2-150600.3.41.1.x86_64 by ignoring some of its dependencies

Choose from above solutions by number or cancel [1/2/3/c/d/?] (c):

How would you like to proceed? I’m going to snapshot the VM prior to these changes so we can quickly switch around between our testing configurations.

3 Likes

I removed the NAS appliance from the SAMBA Active Directory so our testing will be a clean join of the desired configuration. I could also build a new VM from the 5.1.0-0 Rockstor ISO without executing the initial zypper update --no-recommends and check the version of SSSD to see if it is a version <2.10. If so, I could conduct the same tests to see if the results vary. Let me know if you’d like to pursue this testing?

3 Likes

Fresh non-updated Rockstor 5.1.0-0 install:

localhost:~ # zypper info sssd
Loading repository data…
Reading installed packages…

Information for package sssd:

Repository : Update repository with updates from SUSE Linux Enterprise 15
Name : sssd
Version : 2.10.2-150600.3.41.1
Arch : x86_64
Vendor : SUSE LLC https://www.suse.com/
Installed Size : 4.9 MiB
Installed : Yes (automatically)
Status : out-of-date (version 2.9.3-150600.3.18.3 installed)
Source package : sssd-2.10.2-150600.3.41.1.src
Upstream URL : https://github.com/SSSD/sssd
Summary : System Security Services Daemon
Description :
A set of daemons to manage access to remote directories and
authentication mechanisms. sssd provides an NSS and PAM interfaces
toward the system and a pluggable backend system to connect to
multiple different account sources. It is also the basis to provide
client auditing and policy services for projects like FreeIPA.

localhost:~ # getent -s sss passwd (Enumerates Active Directory Users Successfully)
administrator@traditionsllc.net:*:573800500:573800513:Administrator:/home/administrator@traditionsllc.net:/bin/bash
dns-dc1-1@traditionsllc.net:*:573801101:573800513:dns-DC1-1:/home/dns-dc1-1@traditionsllc.net:/bin/bash
nas3-1$@traditionsllc.net:*:573801106:573800515:NAS3-1:/home/nas3-1$@traditionsllc.net:/bin/bash
dc1-1$@traditionsllc.net:*:573801000:573800516:DC1-1:/home/dc1-1$@traditionsllc.net:/bin/bash
w11-ltsc$@traditionsllc.net:*:573801104:573800515:W11-LTSC:/home/w11-ltsc$@traditionsllc.net:/bin/bash
krbtgt@traditionsllc.net:*:573800502:573800513:krbtgt:/home/krbtgt@traditionsllc.net:/bin/bash
guest@traditionsllc.net:*:573800501:573800514:Guest:/home/guest@traditionsllc.net:/bin/bash

I was able to access the NAS from a Windows 11 LTSC workstation logged in as an Active Directory Administrator and replace the “unix” acls of a Rockstor SAMBA share with appropriate Windows acls and access the share accordingly from the workstation logged in as an administrator and a non-administrator test user, so everything seemed to be working accordingly and looks very promising. I’m hoping Rockstor 5 will resolve an issue we continue to have with Rockstor 4.1.0-0, which is the initial creation of a new Windows active directory user with a Microsoft “Roaming Profile”. With Rockstor 4.1.0-0, the first login of a Windows active directory user will create the roaming profile directory as defined by the GPO of the DOMAIN and attempt to populate it accordingly for the account. With Rockstor 4.1.0-0, the directory gets created with what seems to be the appropriate acls, but the login process fails and Windows throws an error message stating it could not log in to the user ROAMING PROFILE and opens a default desktop using a TEMPORARY Local PROFILE. We’ve developed a work-around where we open the ROAMING PROFILE folder on the Rockstor NAS while using the TEMPORARY Local PROFILE and delete the user’s folder. Once deleted, we re-create an identically named folder and log out. On the next login, Windows will successfully access that ROAMING PROFILE folder and properly set up the account. All logins by the Windows Active Directory user are successful after completing that process (even on workstations where said user is logging in for the first time, causing Windows to create a local copy of the ROAMING PROFILE).

I just wanted to give you a heads up about that. For now we should remain focused on the SSSD issue. Upon resolving this issue, I’ll properly setup the new environment to see if that resolves as a result of the newest Rockstor deployment.

Let me know where we go from here and again, thanks sooo much for your efforts!!!

3 Likes

That’s great news! It confirms that the SSSD version is indeed the problem to circumvent. I wished the “deprecated” from the changelogs really meant deprecated and not removed but I guess they do offer an alternative to have the old behavior back with a configuration build option. That’s not a good option for us, though, but we should implement the same fallback that we currently have for remote groups for remote users.

I’ll get to create a corresponding issue when I get some time but things are very busy for me at the moment, I’m afraid. I’ll keep this thread updated, of course.

In the meantime, maybe you can try to lock the sssd package to that version fresh from the ISO install (as long as it’s <2.10, you should be good).

zypper addlock sssd

This way, zypper will not update it when running other system packages updates. I haven’t tested it, but my understanding is that it’ll keep all other dependencies (like sssd-ad and such) compatible with the installed version of SSSD but that’s something to keep an eye on.

Thanks! That is definitely helpful and something that would deserve its own thread so that we can better understand where things are going south and what would need to be done to fix it. The goal is always to get a set of steps to reproduce the issue so that we can then identify and develop a fix.

2 Likes
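To make the two checks discussed in this thread repeatable (whether the installed SSSD is older than 2.10, and whether `getent -s sss passwd` actually returns AD users rather than only machine accounts), here is a small diagnostic script. It is an added example, not Rockstor's code and not anything the posters ran. It assumes an openSUSE/SLE host with `rpm`, `getent` and `busctl` available; the InfoPipe D-Bus names used for the users fallback (the same D-Bus route the Rockstor maintainer describes using for groups) are taken from the sssd-ifp(5) man page and are an assumption here, as is the sample `getent` output, which is constructed in the shape of the thread's output with a placeholder domain.

```python
"""Check SSSD version and AD user enumeration on an AD-joined host.

Added example for this thread (not Rockstor's own code). Assumes rpm, getent
and busctl exist on the host; the InfoPipe names below follow sssd-ifp(5).
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of `getent -s sss passwd` (placeholder
# domain, not the thread's real output). The password field is always '*'
# for sss-provided entries.
SAMPLE_GETENT = """\
administrator@example.test:*:573800500:573800513:Administrator:/home/administrator@example.test:/bin/bash
nas3-1$@example.test:*:573801106:573800515:NAS3-1:/home/nas3-1$@example.test:/bin/bash
krbtgt@example.test:*:573800502:573800513:krbtgt:/home/krbtgt@example.test:/bin/bash
"""


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    @property
    def is_machine_account(self) -> bool:
        # AD computer objects carry a trailing '$' in the account-name part.
        return self.name.split("@", 1)[0].endswith("$")


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5)-formatted lines; raise on anything that is not 7 fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def human_users(entries: List[PasswdEntry]) -> List[PasswdEntry]:
    """Drop computer accounts so 'users enumerated' means real user objects."""
    return [e for e in entries if not e.is_machine_account]


def parse_sssd_version(version: str) -> tuple:
    """'2.10.2-150600.3.41.1' -> (2, 10, 2). Compared numerically: as plain
    strings '2.10' sorts before '2.9', which is exactly the wrong answer."""
    upstream = version.split("-", 1)[0]
    return tuple(int(p) for p in upstream.split("."))


def enumeration_expected(version: str) -> bool:
    """True when SSSD is older than 2.10, the release this thread identifies
    as the one that dropped NSS enumeration support."""
    return parse_sssd_version(version) < (2, 10)


def installed_sssd_version() -> Optional[str]:
    """Installed sssd version-release from rpm, or None if not installed."""
    try:
        out = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "sssd"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.strip() or None


def infopipe_busctl_args(name_filter: str = "*", limit: int = 0) -> List[str]:
    """busctl call for InfoPipe Users.ListByName(s name_filter, u limit) -> ao,
    the D-Bus path that does not depend on NSS enumeration (per sssd-ifp(5))."""
    return ["busctl", "call", "org.freedesktop.sssd.infopipe",
            "/org/freedesktop/sssd/infopipe",
            "org.freedesktop.sssd.infopipe.Users", "ListByName",
            "su", name_filter, str(limit)]


def parse_busctl_object_paths(output: str) -> List[str]:
    """busctl prints an `ao` reply as: ao N "/path1" "/path2" ..."""
    return re.findall(r'"(/[^"]*)"', output)


def main() -> None:
    version = installed_sssd_version()
    print(f"sssd: {version or 'not installed'}")
    if version and not enumeration_expected(version):
        print("SSSD >= 2.10: NSS enumeration not expected; D-Bus fallback would be:")
        print("  " + " ".join(infopipe_busctl_args()))
    try:
        getent = subprocess.run(["getent", "-s", "sss", "passwd"],
                                capture_output=True, text=True)
        users = human_users(parse_passwd(getent.stdout))
    except OSError:
        users = []
    print(f"enumerated AD users (excluding machine accounts): {len(users)}")
    for u in users:
        print(f"  {u.name} uid={u.uid} gid={u.gid}")


if __name__ == "__main__":
    main()
```

Run it before and after `zypper addlock sssd` / `zypper update --no-recommends` and compare the "enumerated AD users" count; a count of zero on an SSSD 2.10 host with a successful AD join is the symptom this thread is about, not a join failure.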

Already successfully testing the install with zypper addlock sssd followed by zypper update --no-recommends and everything has been working accordingly, which is allowing us to proceed with the deployment! I have been able to confirm the ROAMING PROFILE problem still exists so let me know when you want to dig deeper into that. The work-around we developed still works for us as we do not manage large numbers of users in our Active Directory. The work-around adds about 5 minutes of additional effort to onboard a new user, which could become a concern for higher volume user turn-over.

4 Likes