Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sssd + AD/LDAP stopped working after update to 21.11 or unstable due to misconfigured SASL #157803

Closed
uzytkownik opened this issue Feb 2, 2022 · 8 comments
Closed

sssd + AD/LDAP stopped working after update to 21.11 or unstable due to misconfigured SASL #157803

uzytkownik opened this issue Feb 2, 2022 · 8 comments
Labels
0.kind: bug

Comments

@uzytkownik
Copy link

Describe the bug

sssd + AD/LDAP stopped working after update to 21.11 or unstable due to misconfigured SASL

Steps To Reproduce

  1. Update from 21.05 to 21.11
  2. Attempt to log in

Expected behavior

Log in works

Additional context

Errors in logs are:

No worthy mechs found
SASL: No worthy mechs found
ldap_sasl_interactive_bind_s failed (-6)[Unknown authentication method]
Unsable to establish connection [number]: Authentication failed

Notify maintainers

@e-user @illustris

Metadata

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
- system: "x86_64-linux"
- host os: "Linux 5.10.88, NixOS, 21.05.4719.0fd9ee1aa36 (Okapi)'
- multi-user?: `yes`
- sandbox: `yes`
- version `nix-env (Nix) 2.3.16`
- channels(root): `"nixos-21.05.4719.0fd9ee1aa36"`
- nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
@illustris
Copy link
Contributor

illustris commented Feb 2, 2022
edited

@uzytkownik can you share your services.sssd configs and sssd.conf with any sensitive bits blanked out?

@uzytkownik
Copy link
Author 

services.sssd = {
    enable = true;
    config = ''
[sssd]
domains = ${domain}
config_file_version = 2
services = nss, pam

[nss]

[domain/files]
id_provider = files

[domain/${domain}]
default_shell = /run/current-system/sw/bin/fish
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = ${DOMAIN}
id_provider = ad
fallback_home = /home/%d/%u
ad_domain = ${domain}
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = simple
simple_allow_users = ${domain_users}
ignore_group_members = True
'';
};

@illustris illustris mentioned this issue Feb 4, 2022
Closed
13 tasks
@illustris
Copy link
Contributor

@uzytkownik any chance you can try using the patch from the PR and confirm it works?

@uzytkownik
Copy link
Author

@illustris I will try next week. Can you post a snippet with overlay I can put into configuration.nix to do it? My nix-fu is weak.

@illustris
Copy link
Contributor 

nixpkgs.overlays = [  (self: super: {
  cyrus_sasl = super.cyrus_sasl.overrideAttrs (oldAttrs: {
    patches = oldAttrs.patches ++ [ (self.fetchpatch { # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003355
      name = "autoconf-270-fix.patch";
      url = "https://sources.debian.org/data/main/c/cyrus-sasl2/2.1.27+dfsg2-3/debian/patches/0033-autoconf-270-fix.patch";
      sha256 = "sha256-ms0nf7SrKzm6HInz7PT0qNdehxucJDGsxMRqvinhmf0=";
    }) ];
  });
}) ];

@uzytkownik
Copy link
Author

@illustris - that worked

@illustris illustris mentioned this issue Feb 19, 2022
Closed
13 tasks
@nixos-discourse
Copy link

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/743

@wucke13
Copy link
Contributor

wucke13 commented Dec 7, 2022

Closing, since the fix was merged a long time ago. Feel free to re-open in case of further problems.

@wucke13 wucke13 closed this as completed Dec 7, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
0.kind: bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

cyrus_sasl: 2.1.27 -> 2.1.28 illustris/nixpkgs
4 participants
@uzytkownik @illustris @wucke13 @nixos-discourse