

[sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [994]. / [resolv_discover_srv_done] (0x0040): SRV query failed [11]: Could not contact DNS servers

You receive the following two errors while troubleshooting what appear to be group lookup failures with getent group <USER GROUP>:

[sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [994].

[resolv_discover_srv_done] (0x0040): SRV query failed [11]: Could not contact DNS servers

However, neither of the above errors has anything to do with getent group <USER GROUP> itself.  They are about DNS forwarding: SSSD cannot resolve the SRV records for the AD domain controller because the DNS server is not forwarding to it.  Ensure the following forwarding is configured and then restart:

DNS Forwarding:

[Screenshot: DNS Forwarding Configuration]

Additional Forwarding Section:

[Screenshot: Additional Forwarders]

Another cause is SELinux (in enforcing mode, as shown below) blocking part of the lookup flow, with the denials recorded by auditd:

# cat /etc/selinux/config |grep -v "#"
SELINUX=enforcing
SELINUXTYPE=targeted

You can either build a policy module from the AVC denials in the audit log and load it:

grep AVC /var/log/audit/audit.log | audit2allow -M systemd-allow;  semodule -i systemd-allow.pp

Or just disable SELinux temporarily while you're configuring things.  Another thing to try is yum update to bring the system up to the latest packages.

Some of the errors you may see in case of resolution issues include:

[sssd[be[b.abc.123]]] [resolv_discover_srv_done] (0x0040): SRV query failed [11]: Could not contact DNS servers

[sssd[be[b.abc.123]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'sd_gc_abc.123'
[sssd[be[b.abc.123]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'not working'
[sssd[be[b.abc.123]]] [get_port_status] (0x0080): SSSD is unable to complete the full connection request, this internal status does not necessarily indicate network port issues.

[sssd[be[b.abc.123]]] [fo_resolve_service_send] (0x0020): No available servers for service 'sd_gc_abc.123'
[sssd[be[b.abc.123]]] [be_resolve_server_done] (0x1000): Server resolution failed: [5]: Input/output error
[sssd[be[b.abc.123]]] [sdap_id_op_connect_done] (0x0400): Failed to connect to server, but ignore mark offline is enabled.
[sssd[be[b.abc.123]]] [sdap_id_op_connect_done] (0x4000): notify error to op #1: 5 [Input/output error]

[sssd[be[b.abc.123]]] [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [1432158272]: Subdomain is inactive.
[sssd[be[b.abc.123]]] [ipa_subdomain_account_done] (0x0040): ipa_get_*_acct request failed: [1432158272]: Subdomain is inactive.
[sssd[be[b.abc.123]]] [dp_req_reply_std] (0x1000): DP Request [Account #110]: Returning [Internal Error]: 3,1432158272,Subdomain is inactive
[sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider – DP error code: 3 errno: 1432158272 error message: Subdomain is inactive
[sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #97: Data Provider Error: 3, 1432158272, Subdomain is inactive
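To make the SELinux check above and the log patterns just listed easier to act on, here is a small POSIX shell triage script. It is an added example, not part of the original post or of SSSD: it reads an sssd debug log, reports which failure class is present (DNS forwarding, no reachable DC, or inactive subdomain), counts the ignorable PAC "Access denied" lines separately, and reads the SELinux mode from a config file in /etc/selinux/config format. The log lines and config it runs against are constructed from the patterns in this post, not captured from a live system; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): triage sssd debug-log lines
# into the failure classes discussed above. All sample data here is
# constructed from the patterns in the post, not taken from a live host.

SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
[sssd[pac]] [accept_fd_handler] (0x0020): Access denied for uid [994].
[sssd[be[b.abc.123]]] [resolv_discover_srv_done] (0x0040): SRV query failed [11]: Could not contact DNS servers
[sssd[be[b.abc.123]]] [get_port_status] (0x1000): Port status of port 0 for server '(no name)' is 'not working'
[sssd[be[b.abc.123]]] [fo_resolve_service_send] (0x0020): No available servers for service 'sd_gc_abc.123'
[sssd[be[b.abc.123]]] [ipa_srv_ad_acct_lookup_done] (0x0040): ipa_get_*_acct request failed: [1432158272]: Subdomain is inactive.
[sssd[nss]] [cache_req_common_dp_recv] (0x0040): CR #97: Data Provider Error: 3, 1432158272, Subdomain is inactive
EOF

# Constructed SELinux config in the same format as /etc/selinux/config.
SAMPLE_SELINUX="$(mktemp)"
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$SAMPLE_SELINUX"

# count_pattern FILE FIXED_STRING: number of lines containing the string
# (grep -c exits 1 when the count is 0, so swallow that under set -e).
count_pattern() {
    grep -cF -- "$2" "$1" || true
}

# sssd_verdict FILE: one-word verdict, checked in the order the failures
# appear in the post's log, since the later ones follow from the earlier:
#   dns       - SRV lookup for the AD DCs failed: check DNS forwarders first
#   servers   - names resolved but no DC answered on its port
#   subdomain - the trust subdomain was marked inactive by the backend
#   ok        - none of the above, only ignorable noise such as the PAC line
sssd_verdict() {
    log="$1"
    if   [ "$(count_pattern "$log" 'Could not contact DNS servers')" -gt 0 ]; then echo dns
    elif [ "$(count_pattern "$log" 'No available servers for service')" -gt 0 ]; then echo servers
    elif [ "$(count_pattern "$log" 'Subdomain is inactive')" -gt 0 ]; then echo subdomain
    else echo ok
    fi
}

# pac_noise_count FILE: the PAC responder's "Access denied for uid" lines,
# reported separately because the post notes they can be ignored.
pac_noise_count() {
    count_pattern "$1" 'Access denied for uid'
}

# selinux_mode FILE: value of SELINUX= in a config file (enforcing,
# permissive or disabled).
selinux_mode() {
    sed -n 's/^SELINUX=//p' "$1"
}

# selinux_hint FILE: what to look at next, given the mode.
selinux_hint() {
    if [ "$(selinux_mode "$1")" = "enforcing" ]; then
        echo "enforcing: check /var/log/audit/audit.log for AVC denials before changing DNS"
    else
        echo "not enforcing: SELinux is not blocking the lookup"
    fi
}

# Stand-alone run: print the triage summary for the constructed samples.
echo "verdict: $(sssd_verdict "$SAMPLE_LOG")"
echo "ignorable PAC lines: $(pac_noise_count "$SAMPLE_LOG")"
echo "selinux: $(selinux_hint "$SAMPLE_SELINUX")"
```

Point it at a real log with `sssd_verdict /var/log/sssd/sssd_<domain>.log` (run at a debug level that emits these lines) and at the real `/etc/selinux/config`; a `dns` verdict means the forwarders above are the first thing to fix, whatever getent group reported.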

It is worth pointing out that, on further reading, the PAC responder's "Access denied for uid" message can be safely ignored; it is not what breaks the lookup.

Cheers,
TK



  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License