Error no domain set

Редактировать | Профиль | Сообщение | ICQ | Цитировать | Сообщить модератору Товарищи из Microsoft об этом говорят так: Ссылка

Проверьте соединения DC вообще: Ссылка

И в заключение есть похожая тема в новостных группах: Ссылка

Источник

Error no domain set

This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Answered by:

Question

I have a domain with two Windows Server 2008 DCs, let’s say it’s DC01 and DC02. Both DCs are DNS servers authoritative for the domain. DC01 holds all FSMO roles, incuding PDC Emulator.

The problem is sometimes one can’t access various domain-related resources: two examples are frequent lags when opening domain DFS shares and failed Exchange 2010 SP1 installation that logged «DC is no longer available» but later succedeed on another installation attempt (and the DC was up all the time). I think I narrowed the problem down to the PDC Emulator role which simply doesn’t seem to respond properly. I was able to transfer PDC Emulator role from DC01 to DC02 to test whether the problem is related to the underlying server but it seems the problem just moved with the role.

Here is an excert from nltest command (DC02 is the PDC here):

You also can’t find PDC Emulator using /dcname switch:

There are no suspicious entries in either DC’s event logs. In spite of the PDC problem it seems that PDC role itself works fine because users can change passwords, login on a workstation for the first time etc. Nonetheless I believe something is wrong now. I checked DNS domain zone and all important entries, including SRVs, are in place.

I’d appreciate any suggestions about where to start troubleshooting.

Answers

I would like to confirm that can you read any error message from the Event Viewer?

According to our internal material, this behavior is expected when this command is issued on the PDC for its own domain. The PDC is the source of the secure channel.

Sometimes, high load on domain controllers and firewalls can cause some network connectivity lags. You may read the following Microsoft TechNet articles for configuring Windows Firewall and troubleshooting network connectivity.

Active Directory Replication over Firewalls

I also would like to collect the following information to check if the domain controllers are health. For your convenience, I have created a workspace for you. You can upload the information files to the following link. (Please choose «Send Files to Microsoft»)

Note: Due to differences in text formatting with various email clients, the workspace link above may appear to be broken. Please be sure to include all text between ‘(‘ and ‘)’ when typing or copying the workspace link into your browser. Meanwhile, please note that files uploaded for more than 72 hours will be deleted automatically. Please ensure to notify me timely after you have uploaded the files. Thank you for your understanding.

dcdiag /v /c /d /e /s:dcname >c:dcdiag.txt

repadmin /showrepl dc* /verbose /all /intersite >c:repl.txt

If you have any feedback on our support, please contact tngfb@microsoft.com .

Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

All replies

I would like to confirm that can you read any error message from the Event Viewer?

According to our internal material, this behavior is expected when this command is issued on the PDC for its own domain. The PDC is the source of the secure channel.

Sometimes, high load on domain controllers and firewalls can cause some network connectivity lags. You may read the following Microsoft TechNet articles for configuring Windows Firewall and troubleshooting network connectivity.

Active Directory Replication over Firewalls

I also would like to collect the following information to check if the domain controllers are health. For your convenience, I have created a workspace for you. You can upload the information files to the following link. (Please choose «Send Files to Microsoft»)

Note: Due to differences in text formatting with various email clients, the workspace link above may appear to be broken. Please be sure to include all text between ‘(‘ and ‘)’ when typing or copying the workspace link into your browser. Meanwhile, please note that files uploaded for more than 72 hours will be deleted automatically. Please ensure to notify me timely after you have uploaded the files. Thank you for your understanding.

dcdiag /v /c /d /e /s:dcname >c:dcdiag.txt

repadmin /showrepl dc* /verbose /all /intersite >c:repl.txt

If you have any feedback on our support, please contact tngfb@microsoft.com .

Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Thank you for your time! I uploaded the text files containing dcdiag, repadmin and dnslint output. DC02 is the PDC there.

Regarding the rest of your post:

1. I can read all event logs without issues.

2. Firewalls are disabled on DCs and member servers.

3. Quick note: running nltest /dcname:contoso.com gets NERR_DCNotFound as I said, but running /dcname:CONTOSO (with NetBIOS name) gets correct results. Also the behavior of using nltest /sc_verify against PDC that you mentioned seems to explain the ERR_NO_SUCH_DOMAIN error.

4. I wouldn’t say I have highly loaded DCs as there is about 10 member web servers and about 20 workstations. I’d say it’s relatively small environment.

There are in fact some warnings and errors in dcdiag and dnslint outputs. I’m looking forward to hearing from you about them!

if you upload the files also to Windows Sky drive we can also follow them and help you.

The PDCEmulaor role is not used to access resources on domain servers, so this can’t be the reason for your problem. An unedited ipconfig /all can also help for starting to exclude some problems.

Is the second DC also Global catalog server, this is essential for Exchange, this requires access to GCs?

Best regards Meinolf Weber Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.

I have uploaded the log files “Wojciech Kowasz” provided to my SkyDrive for our further research. Here is the public link: http://cid-49401e22fd9c1bd2.office.live.com/self.aspx/.Public/tests.zip.

Here are the error message I find in dcdiag.txt:

Summary of test results for DNS servers used by the above domain

DNS server: 198.32.64.12 (l.root-servers.net.)

2 test failure on this DNS server

PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12 [Error details: 1460 (Type: Win32 — Description: This operation returned because the timeout period expired.)]

Total query time:0 min. 12 sec., Total WMI connection

time:0 min. 0 sec.

DNS server: 2001:500:1::803f:235 (h.root-servers.net.)

1 test failure on this DNS server

PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:1::803f:235 [Error details: 1460 (Type: Win32 — Description: This operation returned because the timeout period expired.)]

Total query time:0 min. 12 sec., Total WMI connection

time:0 min. 0 sec.

DNS server: 2001:500:2f::f (f.root-servers.net.)

1 test failure on this DNS server

PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2f::f [Error details: 1460 (Type: Win32 — Description: This operation returned because the timeout period expired.)]

Total query time:0 min. 12 sec., Total WMI connection

time:0 min. 0 sec.

DNS server: 2001:503:ba3e::2:30 (a.root-servers.net.)

1 test failure on this DNS server

PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:ba3e::2:30 [Error details: 1460 (Type: Win32 — Description: This operation returned because the timeout period expired.)]

Total query time:0 min. 12 sec., Total WMI connection

time:0 min. 0 sec.

DNS server: 2001:7fe::53 (i.root-servers.net.)

1 test failure on this DNS server

PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fe::53 [Error details: 1460 (Type: Win32 — Description: This operation returned because the timeout period expired.)]

Total query time:0 min. 12 sec., Total WMI connection

time:0 min. 0 sec.

Based on the current situation, I would like to suggest you clear the DNS server cache by the command: Dnscmd ServerName /clearcache and the client machines’ DNS cache by the command: ipconfig /flushdns. For more information, please refer to the following Microsoft TechNet articles:

Clear the server names cache

Flush and reset a client resolver cache using the ipconfig command

In addition, please also disable IPv6 to test the issue. For the detailed steps, please refer to the following Microsoft KB article:

How to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista, Windows 7 and Windows Server 2008

If it does not work, please also upload the output of the command: ipconfig /all of the domain controllers and client machine to SkyDrive as “Meinolf Weber” required for our further research.

If you have any feedback on our support, please contact tngfb@microsoft.com .

Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Edited by Arthur_Li Microsoft contingent staff Monday, January 3, 2011 5:12 AM add signature

please make sure the correct values exist «Missing Expected Value» according to:

Also you should run adprep /rodcprep to remove the error message in dcdaig about «Starting test: NCSecDesc», not a problem or required but keeps the output cleaner and doesn’t require to run RODCs.

Additional check the useraccountcontrol flag setting with:

Keep in mind that you use the public iprange on the DCs and you are open for attackers that way. Better reconfigure your design and use private iprange on them and connect via a router/firewall to the internet. Why is the public iprange used on them? At least you have to configure the firewall properly.

Which ip addresses does your domain members use? If they are in the private ip range you have the problem with DNS i assume, so please post an unedited ipconfig /all from a domain machine with problems.

Best regards Meinolf Weber Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.

Sorry for the delay. I uploaded ipconfigs on my SkyDrive: http://cid-8bda2ed637ed7df5.office.live.com.

Some quick facts:

— all servers use public IP addresses
— IPv6 is already disabled on all servers
— firewall is disabled as well
— both DCs are Global Catalogs
— UAC is configured so that Admin-Approval is disabled (maybe this is why useraccountcontrol flag setting is incorrect?)

I don’t know what do you mean about the attackers part? The fact that I use public IP address on DCs with firewall disabled does not necessary mean that there is no firewall above. There is, of course, and only DNS traffic is allowed to DCs from the Internet. DNS is also the reason why the public addresses are there.

I’ll look into your suggestions with FRS parameter, RODC-related schema extensions and DNS cache clearing.

edit:

About «Missing expected value» error in dcdiag:

I did find out that msDFSR-ComputerReferenceBL attribute on both DCs here is Not Set so I guess that’s why the error pops out. I also found this post: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/2ce07c3f-9956-4bec-ae46-055f311c5d96/ but unfortunately there is no guide on how to change that attribute because it’s read only.

As a side note, I use FRS for SYSVOL replication and never tried to migrate it to DFS-R. I have some DFS-R groups in the domain but DCs are not members of any of them. Is this parameter really needed then and why it’s Not Set (I assume it’s a default value).

to modify the «Missing expected value» settings make sure to use RUNAS or an elevated command prompt to change them. Also make sure the used account is member of enterprise admins.

Best regards Meinolf Weber Disclaimer: This posting is provided «AS IS» with no warranties or guarantees , and confers no rights.

Unfortunately, although I ran dsa.msc and adsiedit.msc as an administrator, the Add field is grayed out so I cannot modify this parameter.

The error message “Missing expected value” on msDFSR-ComputerReferenceBL mostly can be caused due to the DC is using NTFRS to replicate SYSVOL instead of DFSR.

To fix this issue, I would like to suggest you use DSFR for replication of SYSVOL. For the detailed steps, please refer to the following Microsoft TechNet article:

SYSVOL Replication Migration Guide: FRS to DFS Replication

If you have any feedback on our support, please contact tngfb@microsoft.com .

Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

can you describe exactly the negative symptoms you are seeing that prompted you to search for help? What exactly made you conclude that this is related to PDC Emulator?

As Arthur has pointed out, the nltest behavior you mentioned is expected when being run on the PDC Emulator itself. In regard to DFS delay, are you using domain-based DFS implementation? Have you tried running network trace to determine what exactly is happening when a client attempts to contact a DFS target?

There is no single symptom that prompted me to search for help.

I see my applications failing from time to time and want to troubleshoot it. The most important symptom is my IIS application that fails several times a week (I mean, the application pool itself fails and w3wp.exe is terminated) due to being unable to access shared folders located on other servers. I don’t think it’s DFS-related because when I changed UNC path to point directly to the underlying file servers, the issue was still there. Then I saw another errors like Exchange setup that failed with «DC01 is no longer available» error when it was up and running all the time and even 10 minutes later the installation succeeded when run for the second time. I also saw some strange errors in DC’s Security event logs that stated «account doesn’t exist» for my IIS application’s context that was successfully logged in a few minutes back and later on. That makes me think that Active Directory problem is the root issue here.

So, as you can see, there are a few «weird» situations and I just want to look into them and see if it can improve. It’s hard to troubleshoot by, say, network trace because I would have to capture all-day-long network traffic to catch just the exact moment when the issues occur. It may be seconds that matter here.

I tied the whole problem with PDC Emulator because I observed the ERR_NO_SUCH_DOMAIN on PDC server but didn’t know it’s a «by design» behavior. That was something (easy to explain) I could escalate on the forums and I did. By the way, it really should be documented somewhere. I did google it extensively and had no luck finding any information that it’s ok to see such an error on PDC.

So, to sum up this thread, my question actuallly was answered (I marked it) even though it didn’t help. I don’t think that following the advices like rodcprep or migrate to DFSR replication could really help here. At the same time, however, I don’t expect more because I know it’s hard to help when you don’t know what the problem exactly is 🙂 So I think we should stop here. Thank you for your time! 🙂 I think maybe I will open up another thread on IIS forums to see if we can debug the failing apppool issue (maybe it’s not AD, after all).

Источник

Adblock
detector

Редактировать | Профиль | Сообщение | ICQ | Цитировать | Сообщить модератору Товарищи из Microsoft об этом говорят так: Ссылка

Проверьте соединения DC вообще: Ссылка

И в заключение есть похожая тема в новостных группах: Ссылка

Источник

How to Fix No Domain Under Control Error in iRedMail

While I’m setting up a mail server on Ubuntu 18.04 with iRedMail 0.9.8, I encountered the “No domain under control” error in iRedAdmin panel. This article will explain how to fix this error.

Fixing No Domain Under Control Error in iRedMail

Although the postmaster account is the global admin of the email server, iRedAdmin told me that no domain is under control. The domain name can’t be deleted from iRedAdmin panel. You need to delete the domain name from MySQL/MariaDB database and add it back in iRedAdmin panel. The following steps are for MariaDB users on Ubuntu.

Log into MariaDB shell. (Enter sudo user password, not MariaDB root password)

Select the vmail database.

Check available domains in the domain table.

Delete your first domain name in the domain table.

Exit MariaDB shell.

Then add it back in iRedAdmin panel.

Configuring Amavis DKIM Signing

If the above error happened to you, then amavis is likely not working. You can check the status of Amavis by running the following command.

As you can see, Amavis is not running on my server because the private key file is not found. You can generate the private key with:

Then restart Amavis.

Show the public key.

In your DNS manager, create a TXT record. Enter dkim._domainkey in the Name field. Copy everything in the parentheses and paste into the value field. Delete all double quotes.

After saving your changes. Check the TXT record with this command.

That’s it! I hope this article helped you fix the no domain under control error in iRedMail.

Источник

Contact US

Thanks. We have received your request and will respond promptly.

Come Join Us!

• Talk With Other Members
• Be Notified Of Responses
  To Your Posts
• Keyword Search
• One-Click Access To Your
  Favorite Forums
• Automated Signatures
  On Your Posts
• Best Of All, It’s Free!

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

mountd[12314]: [ID 664212 daemon.error] No default domain set

mountd[12314]: [ID 664212 daemon.error] No default domain set

mountd[12314]: [ID 664212 daemon.error] No default domain set

Can someone tell me why I see this message in /var/adm/messages.
mountd[12314]: [ID 664212 daemon.error] No default domain set

/etc/defaultdomain is not set, but we are not using NIS. I thought that was the only time the file was needed.

Solaris 8 — kernel 18
SunFire 6800

RE: mountd[12314]: [ID 664212 daemon.error] No default domain set

Are you sure that autofs is not running? Autofs trys to mount nfs shares when you try to access those directories.

Make sure there aren’t any auto_[something] in /etc. Those should be a moot point though if autofs is not running. You should eb able to safely shutdown autofs by running:

Hope this helps!

RE: mountd[12314]: [ID 664212 daemon.error] No default domain set

RE: mountd[12314]: [ID 664212 daemon.error] No default domain set

It sounds almost like it is trying to pull the automount info from nis and the /etc/defaultdomain file is not present. check the /etc/nsswitch.conf file and see what the setting is for automount. If it has nis in that line, remove it so it only says files.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members! Already a Member? Login

Источник

FIX: The Specified Domain Either Does Not Exist or Could Not Be Contacted (Solved)

This tutorial contains instructions to resolve the following problem, when you try to join a Windows based computer to an existing domain: «The Specified Domain Either Does Not Exist or Could Not Be Contacted».

The error «The Specified Domain Either Does Not Exist or Could Not Be Contacted» commonly occurs due to invalid DNS settings on the workstation’s side, because Active directory requires you to use domain DNS to work properly (and not router’s address).

How to fix: Specified Domain Does Not Exist or Could Not Be Contacted.

Let’s suppose that your Active Directory Domain Controller (and DNS Server) is a Windows Server 2016 machine and is responsible for the domain «wintips.local» and has the IP Address «192.168.1.10».

At this example, the IP and the Preferred DNS address on the Primary Domain Controller (Server 2016) must be the same, e.g.

Primary Domain Controller (Server 2016)
Computer Name:	Server2k16
Domain Name:	WINTIPS.LOCAL
IP Address (Static):	192.168.1.10
Subnet Mask:	255.255.255.0
Default Gateway:	192.168.1.1
Preferred DNS Server:	192.168.1.10

Method 1. Set the Preferred DNS Server Address to match the Domain Controller’s IP Address (on Client Workstation)

To resolve the «Specified Domain Does Not Exist or Could Not Be Contacted» error, you have to set the Preferred DNS IP to point to Primary Domain Controller’s IP address, on each client workstation that you want to join in the domain. To do that:

1. Open Network and Sharing Center.
2. Right click on Local Area Connection and click Properties.
3. Double click on Internet Protocol TCP/IPv4.
4. Change the Preferred DNS server address to match the Primary Domain Controller’s IP Address (e.g. «192.168.1.10» in this example).
6. Click OK twice and close all windows.

7. Try to join the workstation in the Domain.

Method 2. Specify the WINS Server’s IP Address on Client.

If your Active Directory Domain Controller acts also as a WINS server, then set the WINS IP address to point to WINS Server’s (Primary Domain Controller’s IP address),* on the client machine that you want to join to the Domain. To do that:

* Note: This method works even when the Primary Domain Controller does not act as a WINS Server.

1. Open Network and Sharing Center.
2. Right click on Local Area Connection and click Properties.
3. Double click on Internet Protocol TCP/IPv4.

4. Click the Advanced button.

5. At WINS tab, click Add.

6. Type at WINS Server’s IP Address filed, the IP address of the WINS server (e.g. «192.168.1.10» in this example) and click Add.

7. Press OK three (3) times to apply changes and close all windows.

8. Try to join the machine in the Domain.

That’s it! Let me know if this guide has helped you by leaving your comment about your experience. Please like and share this guide to help others.

Источник

Adblock
detector

When you start jdeveloper and open the ‘Application Servers’ pane and start the IntegratedWebLogicServer for the first time, jdeveloper will create an OSB domain for you and when it does that, it generates a wlst script under your $JDEV_USER_DIR/system12.2.1….. folder. That wlst script can be saved and reused.

I got this script which I customized and now re-use to re-create an OSB domain whenever I need to…

#===========================================================================
# Create osb domain for JDeveloper application development 
# runtime.
#
# The script creates a default osb domain.  
# The default domain consists of a single server, 
# representing a typical development environment.  This type of configuration 
# is not recommended for production environments.
#===========================================================================

import os

if not 'JDEV_USER_DIR' in os.environ:
  print("Error:  JDEV_USER_DIR environment variable not set.")
  exit()
  
if not 'ORACLE_HOME' in os.environ:
  print("Error:  ORACLE_HOME environment variable not set.")
  exit()  
  
print("Creating Default Domain")

#%%%VARIABLE_ASSIGNMENTS%%%

templateFile =  'Basic WebLogic Server Domain'
targetDomain =  os.environ['JDEV_USER_DIR'] + '/system12.2.1.4.42.190911.2248/DefaultDomain/'
serverName =    'DefaultServer'
domainAdmin =   'weblogic'
domainPassword = 'welcome1'
listenAddress = ''
listenPort =    '7001'
sslListenPort = '7002'
cfgGrpProfile = 'Compact'
jdevHome = os.environ['ORACLE_HOME'] + '/jdeveloper/'
commonComponentsHome = os.environ['ORACLE_HOME'] + '/oracle_common/'


#===========================================================================
# Open a domain template.
#===========================================================================

print("[progress] Reading template: " + templateFile);
setTopologyProfile(cfgGrpProfile)
selectTemplate(templateFile)
loadTemplates()

#===========================================================================
# Configure the domain
#===========================================================================

#%%%BASE_DOMAIN_CONFIGURE_START%%%
cd('Servers/AdminServer')

print('Setting Name to '' + serverName + ''')
set('Name', serverName)

print('Setting ListenAddress to '' + listenAddress + ''')
set('ListenAddress', listenAddress)

print('Setting ListenPort to ' + listenPort)
set('ListenPort', int(listenPort))

set('TunnelingEnabled', 1)

cd('/Servers/' + serverName)
create (serverName, 'SSL')
cd('SSL/' + serverName)

print('Enabling SSL using port ' + sslListenPort)
set('Enabled' , 'true')
set('ListenPort', int(sslListenPort))

set('ClientCertificateEnforced', 'false')
set('TwoWaySSLEnabled', 'true')

cd('/')
cd('Security/base_domain/User/weblogic')

print('Setting domain administrator to '' + domainAdmin + ''')
cmo.setName(domainAdmin)

print('Setting domain password.')
cmo.setPassword(domainPassword)
#%%%BASE_DOMAIN_CONFIGURE_END%%%

#===========================================================================
# Write the domain and close the domain template.
#===========================================================================

setOption('OverwriteDomain', 'true')

print("[progress] Writing domain: " + targetDomain);
writeDomain(targetDomain)

print("[progress] Closing template.")
closeTemplate()

#===========================================================================
# Set environment variables used by extension templates.
#===========================================================================
os.putenv('JDEV_HOME', jdevHome)
os.putenv('COMMON_COMPONENTS_HOME', commonComponentsHome)
os.putenv('DOMAIN_HOME', targetDomain)

#===========================================================================
# Extend the domain
#===========================================================================

#%%%DOMAIN_EXTENSION_TEMPLATES_DECLARTION%%%
templates = 
[
  ["Oracle ADRS", None],
  ["Oracle JRF", None],
  ["Oracle WSM Policy Manager", None],
  ["Oracle ADF Development Mode Logging", None],
  ["Oracle Service Bus", None]
]

try:
  if len(templates) > 0:

#%%%START_TEMPLATE_LOOP%%%
    for t in templates:
      print("[progress] Reading domain: " + targetDomain)
      readDomain(targetDomain);
      print("[progress] Adding domain extension template: " + t[0] + " " + (t[1] or "") )
      if t[1] is None:
        selectTemplate(t[0])
      else:
        selectTemplate(t[0], t[1])
      loadTemplates()
      print("[progress] Updating domain.")
      updateDomain()
      print("[progress] Closing domain.")
      closeDomain()
#%%%END_TEMPLATE_LOOP%%%

except:
  dumpStack()
  raise
  
print("*** Domain processing complete ***");  
  

Skip to navigation
Skip to main content

Infrastructure and Management

• Red Hat Enterprise Linux

• Red Hat Virtualization
• Red Hat Identity Management

• Red Hat Directory Server

• Red Hat Certificate System

• Red Hat Satellite

• Red Hat Subscription Management

• Red Hat Update Infrastructure

• Red Hat Insights

• Red Hat Ansible Automation Platform

Cloud Computing

• Red Hat OpenShift

• Red Hat CloudForms

• Red Hat OpenStack Platform
• Red Hat OpenShift Container Platform

• Red Hat OpenShift Data Science

• Red Hat OpenShift Online

• Red Hat OpenShift Dedicated

• Red Hat Advanced Cluster Security for Kubernetes

• Red Hat Advanced Cluster Management for Kubernetes

• Red Hat Quay

• OpenShift Dev Spaces

• Red Hat OpenShift Service on AWS

Storage

• Red Hat Gluster Storage
• Red Hat Hyperconverged Infrastructure

• Red Hat Ceph Storage

• Red Hat OpenShift Data Foundation

Runtimes

• Red Hat Runtimes

• Red Hat JBoss Enterprise Application Platform

• Red Hat Data Grid

• Red Hat JBoss Web Server

• Red Hat Single Sign On

• Red Hat support for Spring Boot

• Red Hat build of Node.js
• Red Hat build of Thorntail

• Red Hat build of Eclipse Vert.x

• Red Hat build of OpenJDK

• Red Hat build of Quarkus

Integration and Automation

• Red Hat Process Automation

• Red Hat Process Automation Manager

• Red Hat Decision Manager

All Products

Setting Debug Logs for SSSD Domains

Each domain sets its own debug log level. Increasing the log level can provide more information about problems with SSSD or with the domain configuration.

To change the log level, set the debug_level parameter for each section in the sssd.conf file for which to produce extra logs. For example:

[domain/LDAP]
cache_credentials = true
debug_level = 9

Table 13.13. Debug Log Levels

Level	Description
0	Fatal failures. Anything that would prevent SSSD from starting up or causes it to cease running.
1	Critical failures. An error that doesn’t kill the SSSD, but one that indicates that at least one major feature is not going to work properly.
2	Serious failures. An error announcing that a particular request or operation has failed.
3	Minor failures. These are the errors that would percolate down to cause the operation failure of 2.
4	Configuration settings.
5	Function data.
6	Trace messages for operation functions.
7	Trace messages for internal control functions.
8	Contents of function-internal variables that may be interesting.
9	Extremely low-level tracing information.

In versions of SSSD older than 1.8, debug log levels could be set globally in the [sssd] section. Now, each domain and service must configure its own debug log level.

To copy the global SSSD debug log levels into each configuration area in the SSSD configuration file, use the sssd_update_debug_levels.py script.

python -m SSSDConfig.sssd_update_debug_levels.py

Checking SSSD Log Files

SSSD uses a number of log files to report information about its operation, located in the /var/log/sssd/ directory. SSSD produces a log file for each domain, as well as an sssd_pam.log and an sssd_nss.log file.

Additionally, the /var/log/secure file logs authentication failures and the reason for the failure.

Problems with SSSD Configuration

Q:
SSSD fails to start

Q:
I don’t see any groups with ‘id’ or group members with ‘getent group’.

Q:
Authentication fails against LDAP.

Q:
Connecting to LDAP servers on non-standard ports fail.

Q:
NSS fails to return user information

Q:
NSS returns incorrect user information

Q:
Setting the password for the local SSSD user prompts twice for the password

Q:
I am trying to use sudo rules with an Identity Management (IPA) provider, but no sudo rules are being found, even though sudo is properly configured.

Q:
Password lookups on large directories can take several seconds per request. How can this be improved?

Q:
An Active Directory identity provider is properly configured in my sssd.conf file, but SSSD fails to connect to it, with GSS-API errors.

Q:
I configured SSSD for central authentication, but now several of my applications (such as Firefox or Adobe) will not start.

Q:
SSSD is showing an automount location that I removed.

A:

SSSD requires that the configuration file be properly set up, with all the required entries, before the daemon will start.

• SSSD requires at least one properly configured domain before the service will start. Without a domain, attempting to start SSSD returns an error that no domains are configured:

  # sssd -d4
  
  [sssd] [ldb] (3): server_sort:Unable to register control with rootdse!
  [sssd] [confdb_get_domains] (0): No domains configured, fatal error!
  [sssd] [get_monitor_config] (0): No domains configured.
  

  Edit the /etc/sssd/sssd.conf file and create at least one domain.

• SSSD also requires at least one available service provider before it will start. If the problem is with the service provider configuration, the error message indicates that there are no services configured:

  [sssd] [get_monitor_config] (0): No services configured!
  

  Edit the /etc/sssd/sssd.conf file and configure at least one service provider.

  SSSD requires that service providers be configured as a comma-separated list in a single services entry in the /etc/sssd/sssd.conf file. If services are listed in multiple entries, only the last entry is recognized by SSSD.

Q:

I don’t see any groups with ‘id’ or group members with ‘getent group’.

A:

This may be due to an incorrect ldap_schema setting in the [domain/DOMAINNAME] section of sssd.conf.

SSSD supports RFC 2307 and RFC 2307bis schema types. By default, SSSD uses the more common RFC 2307 schema.

The difference between RFC 2307 and RFC 2307bis is the way which group membership is stored in the LDAP server. In an RFC 2307 server, group members are stored as the multi-valued memberuid attribute, which contains the name of the users that are members. In an RFC2307bis server, group members are stored as the multi-valued member or uniqueMember attribute which contains the DN of the user or group that is a member of this group. RFC2307bis allows nested groups to be maintained as well.

If group lookups are not returning any information:

1. Set ldap_schema to rfc2307bis.

2. Delete /var/lib/sss/db/cache_DOMAINNAME.ldb.

3. Restarting SSSD.

If that doesn’t work, add this line to sssd.conf:

ldap_group_name = uniqueMember

Then delete the cache and restart SSSD again.

Q:

Authentication fails against LDAP.

A:

To perform authentication, SSSD requires that the communication channel be encrypted. This means that if sssd.conf is configured to connect over a standard protocol (ldap://), it attempts to encrypt the communication channel with Start TLS. If sssd.conf is configured to connect over a secure protocol (ldaps://), then SSSD uses SSL.

This means that the LDAP server must be configured to run in SSL or TLS. TLS must be enabled for the standard LDAP port (389) or SSL enabled on the secure LDAPS port (636). With either SSL or TLS, the LDAP server must also be configured with a valid certificate trust.

An invalid certificate trust is one of the most common issues with authenticating against LDAP. If the client does not have proper trust of the LDAP server certificate, it is unable to validate the connection, and SSSD refuses to send the password. The LDAP protocol requires that the password be sent in plaintext to the LDAP server. Sending the password in plaintext over an unencrypted connection is a security problem.

If the certificate is not trusted, a syslog message is written, indicating that TLS encryption could not be started. The certificate configuration can be tested by checking if the LDAP server is accessible apart from SSSD. For example, this tests an anonymous bind over a TLS connection to test.example.com:

$ ldapsearch -x -ZZ -h test.example.com -b dc=example,dc=com

If the certificate trust is not properly configured, the test fails with this error:

ldap_start_tls: Connect error (-11) additional info: TLS error -8179:Unknown code ___f 13

To trust the certificate:

1. Obtain a copy of the public CA certificate for the certificate authority used to sign the LDAP server certificate and save it to the local system.

2. Add a line to the sssd.conf file that points to the CA certificate on the filesystem.

   ldap_tls_cacert = /path/to/cacert

3. If the LDAP server uses a self-signed certificate, remove the ldap_tls_reqcert line from the sssd.conf file.

   This parameter directs SSSD to trust any certificate issued by the CA certificate, which is a security risk with a self-signed CA certificate.

Q:

Connecting to LDAP servers on non-standard ports fail.

A:

When running SELinux in enforcing mode, the client’s SELinux policy has to be modified to connect to the LDAP server over the non-standard port. For example:

# semanage port -a -t ldap_port_t -p tcp 1389

Q:

NSS fails to return user information

A:

This usually means that SSSD cannot connect to the NSS service.

• Ensure that NSS is running:

  # service sssd status

• If NSS is running, make sure that the provider is properly configured in the [nss] section of the /etc/sssd/sssd.conf file. Especially check the filter_users and filter_groups attributes.

• Make sure that NSS is included in the list of services that SSSD uses.

• Check the configuration in the /etc/nsswitch.conf file.

Q:

NSS returns incorrect user information

A:

If searches are returning the incorrect user information, check that there are not conflicting user names in separate domains. When there are multiple domains, set the use_fully_qualified_domains attribute to true in the /etc/sssd/sssd.conf file. This differentiates between different users in different domains with the same name.

Q:

Setting the password for the local SSSD user prompts twice for the password

A:

When attempting to change a local SSSD user’s password, it may prompt for the password twice:

[root@clientF11 tmp]# passwd user1000
Changing password for user user1000.
New password:
Retype new password:
New Password:
Reenter new Password:
passwd: all authentication tokens updated successfully.

This is the result of an incorrect PAM configuration. Ensure that the use_authtok option is correctly configured in your /etc/pam.d/system-auth file.

Q:

I am trying to use sudo rules with an Identity Management (IPA) provider, but no sudo rules are being found, even though sudo is properly configured.

A:

The SSSD client can successfully authenticate to the Identity Management server, and it is properly searching the LDAP directory for sudo rules. However, it is showing that no rules exist. For example, in the logs:

(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_sudo_load_sudoers_process] (0x0400): Receiving sudo rules with base [ou=sudoers,dc=ipa,dc=test]
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_sudo_load_sudoers_done] (0x0400): Received 0 rules
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_sudo_purge_sudoers] (0x0400): Purging SUDOers cache of user's [admin] rules
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sysdb_sudo_purge_byfilter] (0x0400): No rules matched
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sysdb_sudo_purge_bysudouser] (0x0400): No rules matched
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [sdap_sudo_load_sudoers_done] (0x0400): Sudoers is successfuly stored in cache
(Thu Jun 21 10:37:47 2012) [sssd[be[ipa.test]]] [be_sudo_handler_reply] (0x0200): SUDO Backend returned: (0, 0, Success)

When using an Identity Management provider for SSSD, SSSD attempts to connect to the underlying LDAP directory using Kerberos/GSS-API. However, by default, SSSD uses an anonymous connection to an LDAP server to retrieve sudo rules. This means that SSSD cannot retrieve the sudo rules from the Identity Management server with its default configuration.

To support retrieving sudo rules with a Kerberos/GSS-API connection, enable GSS-API as the authentication mechanism in the identity provider configuration in sssd.conf. For example:

[domain/ipa.example.com]
id_provider = ipa
ipa_server = ipa.example.com
ldap_tls_cacert = /etc/ipa/ca.crt

sudo_provider = ldap
ldap_uri = ldap://ipa.example.com
ldap_sudo_search_base = ou=sudoers,dc=ipa,dc=example,dc=com
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/hostname.ipa.example.com
ldap_sasl_realm = IPA.EXAMPLE.COM
krb5_server = ipa.example.com

Q:

Password lookups on large directories can take several seconds per request. How can this be improved?

A:

The initial user lookup is a call to the LDAP server. Unindexed searches are much more resource-intensive, and therefore take longer, than indexed searches because the server checks every entry in the directory for a match. To speed up user lookups, index the attributes that are searched for by SSSD:

• uid

• uidNumber

• gidNumber

• gecos

Q:

An Active Directory identity provider is properly configured in my sssd.conf file, but SSSD fails to connect to it, with GSS-API errors.

A:

SSSD can only connect with an Active Directory provider using its host name. If the host name is not given, the SSSD client cannot resolve the IP address to the host, and authentication fails.

For example, with this configuration:

[domain/ADEXAMPLE]
debug_level = 0xFFF0
id_provider = ad
ad_server = 255.255.255.255
ad_domain = example.com
krb5_canonicalize = False

The SSSD client returns this GSS-API failure, and the authentication request fails:

(Fri Jul 27 18:27:44 2012) [sssd[be[ADTEST]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Fri Jul 27 18:27:44 2012) [sssd[be[ADTEST]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Cannot determine realm for numeric host address)]

To avoid this error, set the ad_server to the name of the Active Directory host.

Q:

I configured SSSD for central authentication, but now several of my applications (such as Firefox or Adobe) will not start.

A:

Even on 64-bit systems, 32-bit applications require a 32-bit version of SSSD to use to access the password and identity cache. If a 32-bit version of SSSD is not available, but the system is configured to use the SSSD cache, then 32-bit applications can fail to start.

For example, Firefox can fail with permission denied errors:

Failed to contact configuration server. See http://www.gnome.org/projects/gconf/
for information. (Details -  1: IOR file '/tmp/gconfd-somebody/lock/ior'
not opened successfully, no gconfd located: Permission denied 2: IOR
file '/tmp/gconfd-somebody/lock/ior' not opened successfully, no gconfd
located: Permission denied)

For Adobe Reader, the error shows that the current system user is not recognized:

~]$ acroread 
(acroread:12739): GLib-WARNING **: getpwuid_r(): failed due to unknown
user id (366)

Other applications may show similar user or permissions errors.

Q:

SSSD is showing an automount location that I removed.

A:

The SSSD cache for the automount location persists even if the location is subsequently changed or removed. To update the autofs information in SSSD:

---

---

---

---

---

---

---

---

---

---

Return to VirtualBox on Windows Hosts

Who is online

Users browsing this forum: No registered users and 43 guests