Can not login with AD User

s0p4L1n · 29 June 2021 10:58

Hi,

I’m trying to setup HA Master Thinlinc, I’ve setuped pacemaker for the clustering solution and it is working well, failover with fencing and the VIP is working.

root@tl-alpha-paris:~# pcs status
Cluster name: thinlincha
Stack: corosync
Current DC: tl-alpha-paris (version 2.0.1-9e909a5bdd) - partition with quorum
Last updated: Tue Jun 29 09:39:17 2021
Last change: Mon Jun 28 22:29:59 2021 by root via cibadmin on tl-alpha-paris

2 nodes configured
3 resources configured

Online: [ tl-alpha-paris tl-beta-paris ]

Full list of resources:

 cluster_ip     (ocf::heartbeat:IPaddr2):       Started tl-alpha-paris
 fence_tl-alpha-paris   (stonith:fence_virsh):  Started tl-beta-paris
 fence_tl-beta-paris    (stonith:fence_virsh):  Started tl-alpha-paris

Daemon Status:
  corosync: active/enabled
  pacemaker: active/enabled
  pcsd: active/enabled

nodes:
tl-alpha-paris
tl-beta-paris

IP address:
10.100.150.50 → tl-alpha-paris
10.100.150.51 → tl-beta-paris
10.100.150.52 → tl-ha-paris (VIP)

DNS name are working, same as the node name,
and with the .company.lan suffix also.
/etc/hosts contain also the DNS name.

root@tl-alpha-paris:~# nslookup
tl-alpha-paris
Server:         10.100.120.2
Address:        10.100.120.2#53

Name:   tl-alpha-paris.company.lan
Address: 10.100.150.50
tl-beta-paris
Server:         10.100.120.2
Address:        10.100.120.2#53

Name:   tl-beta-paris.company.lan
Address: 10.100.150.51
tl-ha-paris
Server:         10.100.120.2
Address:        10.100.120.2#53

Name:   tl-ha-paris.company.lan
Address: 10.100.150.52

The issue I encounter is that I can not login with Active Directory user with the client, but if I check the user on the tlwebadmin interface, it says it work. (I can connect with local user)

I do not have errors in log.

/var/log/vsmagent.log

root@tl-alpha-paris:~# tail -f /var/log/vsmagent.log
2021-06-29 12:22:38 INFO vsmagent: Got SIGTERM, signaling process to quit
2021-06-29 12:22:38 INFO vsmagent: Terminating. Have a nice day!
2021-06-29 12:22:39 INFO vsmagent: VSM Agent version 4.12.1 build 6733 started
2021-06-29 12:22:39 INFO vsmagent: My public hostname is 10.100.150.50
2021-06-29 12:38:05 INFO vsmagent: Got SIGTERM, signaling process to quit
2021-06-29 12:38:05 INFO vsmagent: Terminating. Have a nice day!
2021-06-29 12:38:05 INFO vsmagent: VSM Agent version 4.12.1 build 6733 started
2021-06-29 12:38:05 INFO vsmagent: My public hostname is 10.100.150.50

/var/log/vsmserver.log

root@tl-alpha-paris:~# tail -f /var/log/vsmserver.log
2021-06-29 12:29:55 INFO vsmserver: VSM Server version 4.12.1 build 6733 started
2021-06-29 12:29:55 INFO vsmserver.license: Updating license data from disk to memory
2021-06-29 12:29:55 INFO vsmserver.license: License summary: 5 concurrent users. Hard limit of 6 concurrent users.
2021-06-29 12:29:55 INFO vsmserver.session: Loaded 0 sessions for 0 users from file
2021-06-29 12:31:32 INFO vsmserver: Got SIGTERM, signaling process to quit
2021-06-29 12:31:32 INFO vsmserver: Terminating. Have a nice day!
2021-06-29 12:31:32 INFO vsmserver: VSM Server version 4.12.1 build 6733 started
2021-06-29 12:31:32 INFO vsmserver.license: Updating license data from disk to memory
2021-06-29 12:31:32 INFO vsmserver.license: License summary: 5 concurrent users. Hard limit of 6 concurrent users.
2021-06-29 12:31:32 INFO vsmserver.session: Loaded 0 sessions for 0 users from file

Is there another log file for Active Directory user login on Thinlinc ?

On both nodes, Active Directory is setted:

root@tl-alpha-paris:~# id thinlincad
uid=1470206623(thinlincad) gid=1470200513(utilisateurs du domaine) groups=1470200513(utilisateurs du domaine),1470201605(ftp-users),1470205113($duplicate-13f9),1470203534(sophosuser),1470203975($duplicate-f87)

root@tl-alpha-paris:~# kinit thinlincad
Password for thinlincad@COMPANY.LAN:
Password expired.  You must change it now.
Enter new password:
Enter it again:
root@tl-alpha-paris:~# kinit thinlincad
Password for thinlincad@COMPANY.LAN:

root@tl-alpha-paris:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: thinlincad@COMPANY.LAN

Valid starting       Expires              Service principal
06/29/2021 12:44:49  06/29/2021 22:44:49  krbtgt/COMPANY.LAN@COMPANY.LAN
        renew until 06/30/2021 12:44:43

The basic VSM Agent and Server conf file for HA:

/opt/thinlinc/etc/conf.d/vsmagent.hconf

[/vsmagent]
master_hostname=tl-ha-paris
allowed_clients=tl-alpha-paris tl-beta-paris

/opt/thinlinc/etc/conf.d/vsmserver.hconf

[/vsmserver/HA]
enabled=1
nodes=tl-alpha-paris tl-beta-paris

[/vsmserver/subclusters/Default]
agents=tl-alpha-paris tl-beta-paris

Do anyone have an idea ?

EDIT: I forgotten the sssd.conf file in /etc/sssd/ !!! I keep the post

The issue is known from Cendio and there is a doc, my bad
https://www.cendio.com/thinlinc/docs/platforms/general

The missing line for this to work was: ad_gpo_access_control = disabled

Thanks !

samuel · 30 June 2021 12:41

Glad to see that you solved the issue, perhaps it will help others

Topic		Replies	Views
Using keepalived with ThinLinc HA for IP failover Knowledge Base networking , ha , keepalived	2	410	11 May 2023
Connection timeout on one node after server reboot ThinLinc	8	807	5 April 2023
Does ThinLinc support high-availability (HA) configurations? Knowledge Base tlserver , ha	0	642	28 May 2022
Marking a node in the subcluster as inactive ThinLinc tlserver , ha	2	193	30 November 2023
Issue with thinlinc HA setup ThinLinc thinlinc , ha	8	477	22 May 2023

Can not login with AD User

Related Topics