Can not login with AD User

Hi,

I’m trying to setup HA Master Thinlinc, I’ve setuped pacemaker for the clustering solution and it is working well, failover with fencing and the VIP is working.

root@tl-alpha-paris:~# pcs status
Cluster name: thinlincha
Stack: corosync
Current DC: tl-alpha-paris (version 2.0.1-9e909a5bdd) - partition with quorum
Last updated: Tue Jun 29 09:39:17 2021
Last change: Mon Jun 28 22:29:59 2021 by root via cibadmin on tl-alpha-paris

2 nodes configured
3 resources configured

Online: [ tl-alpha-paris tl-beta-paris ]

Full list of resources:

 cluster_ip     (ocf::heartbeat:IPaddr2):       Started tl-alpha-paris
 fence_tl-alpha-paris   (stonith:fence_virsh):  Started tl-beta-paris
 fence_tl-beta-paris    (stonith:fence_virsh):  Started tl-alpha-paris

Daemon Status:
  corosync: active/enabled
  pacemaker: active/enabled
  pcsd: active/enabled

nodes:
tl-alpha-paris
tl-beta-paris

IP address:
10.100.150.50 → tl-alpha-paris
10.100.150.51 → tl-beta-paris
10.100.150.52 → tl-ha-paris (VIP)

DNS name are working, same as the node name,
and with the .company.lan suffix also.
/etc/hosts contain also the DNS name.

root@tl-alpha-paris:~# nslookup
tl-alpha-paris
Server:         10.100.120.2
Address:        10.100.120.2#53

Name:   tl-alpha-paris.company.lan
Address: 10.100.150.50
tl-beta-paris
Server:         10.100.120.2
Address:        10.100.120.2#53

Name:   tl-beta-paris.company.lan
Address: 10.100.150.51
tl-ha-paris
Server:         10.100.120.2
Address:        10.100.120.2#53

Name:   tl-ha-paris.company.lan
Address: 10.100.150.52

The issue I encounter is that I can not login with Active Directory user with the client, but if I check the user on the tlwebadmin interface, it says it work. (I can connect with local user)

I do not have errors in log.

/var/log/vsmagent.log

root@tl-alpha-paris:~# tail -f /var/log/vsmagent.log
2021-06-29 12:22:38 INFO vsmagent: Got SIGTERM, signaling process to quit
2021-06-29 12:22:38 INFO vsmagent: Terminating. Have a nice day!
2021-06-29 12:22:39 INFO vsmagent: VSM Agent version 4.12.1 build 6733 started
2021-06-29 12:22:39 INFO vsmagent: My public hostname is 10.100.150.50
2021-06-29 12:38:05 INFO vsmagent: Got SIGTERM, signaling process to quit
2021-06-29 12:38:05 INFO vsmagent: Terminating. Have a nice day!
2021-06-29 12:38:05 INFO vsmagent: VSM Agent version 4.12.1 build 6733 started
2021-06-29 12:38:05 INFO vsmagent: My public hostname is 10.100.150.50

/var/log/vsmserver.log

root@tl-alpha-paris:~# tail -f /var/log/vsmserver.log
2021-06-29 12:29:55 INFO vsmserver: VSM Server version 4.12.1 build 6733 started
2021-06-29 12:29:55 INFO vsmserver.license: Updating license data from disk to memory
2021-06-29 12:29:55 INFO vsmserver.license: License summary: 5 concurrent users. Hard limit of 6 concurrent users.
2021-06-29 12:29:55 INFO vsmserver.session: Loaded 0 sessions for 0 users from file
2021-06-29 12:31:32 INFO vsmserver: Got SIGTERM, signaling process to quit
2021-06-29 12:31:32 INFO vsmserver: Terminating. Have a nice day!
2021-06-29 12:31:32 INFO vsmserver: VSM Server version 4.12.1 build 6733 started
2021-06-29 12:31:32 INFO vsmserver.license: Updating license data from disk to memory
2021-06-29 12:31:32 INFO vsmserver.license: License summary: 5 concurrent users. Hard limit of 6 concurrent users.
2021-06-29 12:31:32 INFO vsmserver.session: Loaded 0 sessions for 0 users from file

Is there another log file for Active Directory user login on Thinlinc ?

On both nodes, Active Directory is setted:

root@tl-alpha-paris:~# id thinlincad
uid=1470206623(thinlincad) gid=1470200513(utilisateurs du domaine) groups=1470200513(utilisateurs du domaine),1470201605(ftp-users),1470205113($duplicate-13f9),1470203534(sophosuser),1470203975($duplicate-f87)
root@tl-alpha-paris:~# kinit thinlincad
Password for thinlincad@COMPANY.LAN:
Password expired.  You must change it now.
Enter new password:
Enter it again:
root@tl-alpha-paris:~# kinit thinlincad
Password for thinlincad@COMPANY.LAN:
root@tl-alpha-paris:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: thinlincad@COMPANY.LAN

Valid starting       Expires              Service principal
06/29/2021 12:44:49  06/29/2021 22:44:49  krbtgt/COMPANY.LAN@COMPANY.LAN
        renew until 06/30/2021 12:44:43

The basic VSM Agent and Server conf file for HA:

/opt/thinlinc/etc/conf.d/vsmagent.hconf

[/vsmagent]
master_hostname=tl-ha-paris
allowed_clients=tl-alpha-paris tl-beta-paris

/opt/thinlinc/etc/conf.d/vsmserver.hconf

[/vsmserver/HA]
enabled=1
nodes=tl-alpha-paris tl-beta-paris

[/vsmserver/subclusters/Default]
agents=tl-alpha-paris tl-beta-paris

Do anyone have an idea ?

EDIT: I forgotten the sssd.conf file in /etc/sssd/ !!! I keep the post

The issue is known from Cendio and there is a doc, my bad :sweat_smile:
https://www.cendio.com/thinlinc/docs/platforms/general

The missing line for this to work was: ad_gpo_access_control = disabled

Thanks !

3 Likes

Glad to see that you solved the issue, perhaps it will help others :slight_smile:

1 Like