Есть alt-p9-mate в домене Windows
В /etc/sssd/sssd.conf:
[domain/FABRIKA.COM]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
debug_level = 3
По большей части войти в ОС доменным пользователем удаётся. Но иногда в LightDM не даёт войти, говорит "неверный пользователь или пароль" и предлагает снова ввести имя. В SSH в это время тоже не войти. И в LightDM и в SSH можно войти только локальным пользователем. sssd проверяю(войдя локальной учеткой), он запущен.
Пытаюсь войти несколько раз в течении часа - не входит. Только перегружу sssd - сразу могу войти и доменной учеткой.
Сеть работает хорошо, ни у кого нет проблем.
После неудавшегося входа в графический интерфейс lightdm:
В /var/log/sssd/krb5_child.log:
(Tue Dec 24 15:32:53 2019) [[sssd[krb5_child[1689]]]] [privileged_krb5_setup] (0x0080): Cannot open the
PAC responder socket
В /var/log/sssd/sssd_FABRIKA.COM.log:
(Tue Dec 24 15:32:48 2019) [sssd[be[fabrika.com]]] [sbus_issue_request_done] (0x0040): sssd.dataprovid
er.getAccountInfo: Error [1432158212]: SSSD is offline
(Tue Dec 24 15:32:48 2019) [sssd[be[fabrika.com]]] [sbus_issue_request_done] (0x0040): sssd.dataprovid
er.getAccountInfo: Error [1432158212]: SSSD is offline
(Tue Dec 24 15:32:53 2019) [sssd[be[fabrika.com]]] [sbus_issue_request_done] (0x0040): sssd.dataprovid
er.getAccountInfo: Error [1432158212]: SSSD is offline
(Tue Dec 24 15:32:53 2019) [sssd[be[fabrika.com]]] [get_port_status] (0x0080): SSSD is unable to compl
ete the full connection request, this internal status does not necessarily indicate network port issues.
(Tue Dec 24 15:32:53 2019) [sssd[be[fabrika.com]]] [resolv_discover_srv_done] (0x0040): SRV query fail
ed [11]: Could not contact DNS servers
(Tue Dec 24 15:32:53 2019) [sssd[be[fabrika.com]]] [resolve_srv_done] (0x0040): Unable to resolve SRV
[1432158237]: SRV lookup error
(Tue Dec 24 15:32:53 2019) [sssd[be[fabrika.com]]] [be_resolve_server_process] (0x0080): Couldn't reso
lve server (SRV lookup meta-server), resolver returned [1432158237]: SRV lookup error
(Tue Dec 24 15:32:53 2019) [sssd[be[fabrika.com]]] [get_port_status] (0x0080): SSSD is unable to compl
ete the full connection request, this internal status does not necessarily indicate network port issues.
(Tue Dec 24 15:32:53 2019) [sssd[be[fabrika.com]]] [fo_resolve_service_send] (0x0020): No available se
rvers for service 'AD'
(Tue Dec 24 15:32:53 2019) [sssd[be[fabrika.com]]] [be_ptask_enable] (0x0080): Task [Check if online (
periodic)]: already enabled
В /var/log/lightdm/lightdm.log:
[+6505.65s] DEBUG: Continue authentication
[+6505.65s] DEBUG: Session pid=1639: Got 1 message(s) from PAM
[+6505.65s] DEBUG: Prompt greeter with 1 message(s)
[+6510.83s] DEBUG: Continue authentication
[+6510.84s] DEBUG: Session pid=1639: Authentication complete with return value 9: Authentication servic
e cannot retrieve authentication info
[+6510.84s] DEBUG: Authenticate result for user fedia: Authentication service cannot retrieve authentication info
[+6510.84s] DEBUG: Session pid=1639: Exited with return value 1
[+6510.84s] DEBUG: Seat seat0: Session stopped
[+6510.84s] CRITICAL: seat_get_string_property: assertion 'seat != NULL' failed
[+6510.84s] DEBUG: Greeter start authentication
[+6510.84s] DEBUG: Session pid=1690: Started with service 'lightdm', username '(null)'
[+6510.84s] DEBUG: Session pid=1690: Got 1 message(s) from PAM
[+6510.84s] DEBUG: Prompt greeter with 1 message(s)
В /var/log/lightdm/seat0-greeter.log:
[+6504,79s] DEBUG: Providing response to display manager
[+6504,79s] DEBUG: Wrote 23 bytes to daemon
[+6504,80s] DEBUG: Read 8 bytes from daemon
[+6504,80s] DEBUG: Read 17 bytes from daemon
[+6504,80s] DEBUG: Authentication complete for user fedia with return code 9
[+6504,80s] DEBUG: slick-greeter.vala:209: Invalid session: 'default'
[+6504,80s] DEBUG: slick-greeter.vala:216: Using default session: 'mate'
[+6504,80s] DEBUG: Starting authentication for user (null)...
[+6504,80s] DEBUG: Wrote 16 bytes to daemon
[+6504,80s] DEBUG: Read 8 bytes from daemon
[+6504,80s] DEBUG: Read 26 bytes from daemon
[+6504,80s] DEBUG: Prompt user with 1 message(s)
[+6504,80s] DEBUG: slick-greeter.vala:209: Invalid session: 'default'
[+6504,80s] DEBUG: slick-greeter.vala:216: Using default session: 'mate'
journal -e говорит:
дек 24 15:32:48 fedialinp9.fabrika.com lightdm[1639]: pam_succeed_if(lightdm:auth): requirement "user
ingroup nopasswdlogin" not met by user "fedia"
дек 24 15:32:53 fedialinp9.fabrika.com lightdm[1639]: pam_sss(lightdm:auth): authentication failure; l
ogname= uid=0 euid=0 tty=:0 ruser= rhost= user=fedia
дек 24 15:32:53 fedialinp9.fabrika.com lightdm[1639]: pam_sss(lightdm:auth): received for user fedia:
9 (Authentication service cannot retrieve authentication info)
дек 24 15:32:53 fedialinp9.fabrika.com lightdm[1639]: gkr-pam: no password is available for user
дек 24 15:32:53 fedialinp9.fabrika.com lightdm[1307]: seat_get_string_property: assertion 'seat != NUL
L' failed
При этом если зайти по ssh локально и nslookup, то DNS-сервер виден и работает:
bux1pc
Server: 192.168.0.2
Address: 192.168.0.2#53
Name: bux1pc.fabrika.com
Address: 192.168.0.117
Как это победить?
