AD authentication login is not working after patching the server from SLES12 SP1 to SP2
Closed this issue · 11 comments
Version: 8.5.1.206
OS/Distro: SUSE Linux Enterprise Server for SAP Applications 12 SP2
Issue/Impact: AD authentication login is not working after patching the server from SLES12 SP1 to SP2
Note: replace content with your own
lsass.log (attached)
When reporting an issue it's important that we have as much detail as you can provide. The following is a list of commands to check.
- systemctl status lwsmd.service
=> iutdevsap132:~ # systemctl status lwsmd.service
● lwsmd.service - BeyondTrust PBIS Service Manager
Loaded: loaded (/usr/lib/systemd/system/lwsmd.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2019-06-03 17:36:30 AEST; 18h ago
Process: 14499 ExecStop=/opt/pbis/bin/lwsm shutdown (code=dumped, signal=SEGV)
Process: 14914 ExecStart=/opt/pbis/sbin/lwsmd --start-as-daemon (code=exited, status=0/SUCCESS)
Main PID: 14919 (lwsmd)
Tasks: 481 (limit: 512)
CGroup: /system.slice/lwsmd.service
├─14919 /opt/pbis/sbin/lwsmd --start-as-daemon
├─14987 lw-container lwreg
├─15059 lw-container eventlog
├─15129 lw-container netlogon
├─15198 lw-container lwio
├─15269 lw-container lsass
└─15354 lw-container reapsysl
Jun 03 17:36:30 iutdevsap132 /opt/pbis/sbin/lwsmd[14919]: Logging started
Jun 03 17:36:30 iutdevsap132 lwreg[14987]: Logging started
Jun 03 17:36:30 iutdevsap132 eventlog[15059]: Logging started
Jun 03 17:36:30 iutdevsap132 netlogon[15129]: Logging started
Jun 03 17:36:30 iutdevsap132 lwio[15198]: Logging started
Jun 03 17:36:30 iutdevsap132 lsass[15269]: Logging started
Jun 03 17:36:30 iutdevsap132 reapsysl[15354]: Logging started
Jun 03 17:36:30 iutdevsap132 systemd[1]: Started BeyondTrust PBIS Service Manager.
Jun 03 17:36:38 iutdevsap132 lsass[15269]: [lsass] Ignoring failure enumerating trusts for forest ebiz.qr.com.au. Error was -1 (4294967295)
Jun 03 17:36:38 iutdevsap132 lsass[15269]: [lsass] Ignoring failure enumerating trusts for forest ebizuat.qr.com.au. Error was -1 (4294967295)
iutdevsap132:~ #
- /opt/pbis/bin/lwsm list
=> iutdevsap132:~ # /opt/pbis/bin/lwsm list
lwreg running (container: 14987)
dcerpc stopped
eventlog running (container: 15059)
lsass running (container: 15269)
lwio running (container: 15198)
netlogon running (container: 15129)
rdr running (io: 15198)
reapsysl running (container: 15354)
usermonitor stopped
iutdevsap132:~ #
- /opt/pbis/bin/domainjoin-cli query
=> iutdevsap132:~ # /opt/pbis/bin/domainjoin-cli query
Name = iutdevsap132
Domain = INTERNAL.QR.COM.AU
Distinguished Name = CN=IUTDEVSAP132,OU=SAP HANA,OU=Applications,OU=DEV,OU=SLES,OU=Domain Corp Servers Linux,DC=internal,DC=qr,DC=com,DC=au
iutdevsap132:~ #
- pbis status
=> iutdevsap132:~ # pbis status
LSA Server Status:
Compiled daemon version: 8.5.1.206
Packaged product version: 8.5.206.2564
Uptime: 0 days 18 hours 35 minutes 19 seconds
[Authentication provider: lsa-activedirectory-provider]
Status: Unknown
Mode: Unknown
iutdevsap132:~ #
- /opt/pbis/bin/enum-users
=> iutdevsap132:~ # /opt/pbis/bin/enum-users
TotalNumUsersFound: 0
- attach logs
- /opt/pbis/bin/lwsm set-log-target -p lsass - file /tmp/lsass.log
- /opt/pbis/bin/lwsm set-log-level -p lsass - debug
- attach log
Output/Error: error in /var/log/messages
2019-06-03T19:00:06.285340+10:00 iutdevsap132 dbus[2140]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.299" (uid=1006 pid=42893 comm="-pam ") interface="org.freedesktop.login1.Manager" member="CreateSession" error name="(unset)" requested_reply="0" destination="org.freedesktop.login1" (uid=0 pid=2211 comm="/usr/lib/systemd/systemd-logind ")
Steps to Reproduce:
- install command
- Domainjoin command
- Command that returns issue => PBIS status is showing "Unknown" instead of listing the domains. Currently we are unable to log in to the server using an AD login id and password.
iutdevsap132:/opt/pbis/bin # /opt/pbis/bin/lwsm restart lsass
Stopping service: lsass
Starting service: lsass
Error: LW_ERROR_SERVICE_UNRESPONSIVE (41203)
The service is not responding to requests
iutdevsap132:/opt/pbis/bin #
After refreshing lsass service login issue was resolved, however after reboot same issue is reoccurring.
iutdevsap132:/opt/pbis/bin # /opt/pbis/bin/lwsm restart lsass
Stopping service: lsass
Starting service: lsass
Error: LW_ERROR_SERVICE_UNRESPONSIVE (41203)
The service is not responding to requests
iutdevsap132:/opt/pbis/bin # /opt/pbis/bin/lwsm refresh lsass
Refreshing service: lsass
iutdevsap132:/opt/pbis/bin # /opt/pbis/bin/lwsm restart lsass
Stopping service: lsass
Starting service: lsass
iutdevsap132:/opt/pbis/bin #
Can you rejoin the domain? System file updates might have overwritten our changes.
We recommend a leave/uninstall/reinstall/join when upgrading the OS. See the Installation Guide section on "Upgrade An Operating System"
Hi Robert,
Please let me know the complete command syntax to rejoin the domain.
Hi Robert,
I went through the Installation Guide, however as I haven't done the rejoin before, please let me know the complete steps for leave/uninstall/reinstall/join when upgrading the OS. The Installation Guide is helpful but I am unable to completely understand some of the steps. Moreover please confirm which version of PBIS needs to be installed in SLES12 SP2 OS version. Current PBIS version is pbis-open-8.5.1-206.x86_64.
Can I download the newer version from https://github.com/BeyondTrust/pbis-open/releases ?
Regards,
Koyel Paul
For SLES12 SP2 go with 8.8.0 (we are working on an issue with 9.0.1)
/opt/pbis/bin/domainjoin-cli leave
/opt/pbis/bin/uninstall.sh uninstall
{update OS}
{install PBIS}
/opt/pbis/bin/domainjoin-cli join {previous join options}
Hi Robert,
Thank you for sharing the details.
We added an entry in /etc/after.local to refresh and restart 'lsass' after each reboot and tested that AD login is automatically working within 1-2 minutes of server reboot.
Please let us know if we can keep the same PBIS version running currently (pbis-open-8.5.1-206.x86_64).
Regards,
Koyel Paul
If it's working for you, fine. I would recommend 8.8.0 as it did address an issue with lwsmd on startup.
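The reporter's workaround above is a blind refresh/restart of lsass on every boot. Below is an added example, not code from this issue or from BeyondTrust, of a boot-time hook in the same spirit that first waits for lwsmd to bring lsass up, then checks whether 'pbis status' still reports the AD provider as "Unknown", and only in that case performs the refresh followed by restart that cleared the problem in the thread. The /opt/pbis/bin paths are the ones shown on the page; the log path, the 120-second wait, and the "healthy" status sample (assumed to read "Status: Online") are assumptions, and all sample transcripts are constructed for the self-check at the bottom.

```shell
#!/bin/sh
# Added example (not from the issue or BeyondTrust): conditional lsass repair
# for a boot hook such as /etc/init.d/after.local on SLES 12.
# Assumptions: PBIS lives under /opt/pbis/bin as on the page; a healthy AD
# provider reports "Status: Online" in 'pbis status'.

PBIS=/opt/pbis/bin
LOG=/var/log/pbis-boot-repair.log

# Constructed samples used for self-checking. The first is the transcript
# posted in the issue; the second is what a healthy provider is assumed to show.
SAMPLE_STATUS_BROKEN='LSA Server Status:
Compiled daemon version: 8.5.1.206
Packaged product version: 8.5.206.2564
Uptime: 0 days 18 hours 35 minutes 19 seconds
[Authentication provider: lsa-activedirectory-provider]
Status: Unknown
Mode: Unknown'
SAMPLE_STATUS_HEALTHY='LSA Server Status:
Compiled daemon version: 8.8.0.0
[Authentication provider: lsa-activedirectory-provider]
Status: Online
Mode: Un-provisioned
Domain: INTERNAL.QR.COM.AU'
SAMPLE_LWSM_LIST='lwreg running (container: 14987)
dcerpc stopped
lsass running (container: 15269)
usermonitor stopped'

# Exit 0 if a 'pbis status' transcript on stdin shows the AD provider with
# "Status: Unknown"; only lines inside that provider's block are inspected.
ad_provider_unknown() {
    awk '
        /\[Authentication provider: lsa-activedirectory-provider\]/ { inprov = 1; next }
        /\[Authentication provider:/ { inprov = 0 }
        inprov && $1 == "Status:" { if ($2 == "Unknown") found = 1; exit }
        END { if (found) exit 0; exit 1 }
    '
}

# Print the state column ("running"/"stopped") of one service from an
# 'lwsm list' transcript on stdin; prints nothing if the service is absent.
lwsm_state() {
    awk -v svc="$1" '$1 == svc { print $2; exit }'
}

# Poll until lsass is listed as running, for at most $1 seconds.
wait_for_lsass() {
    waited=0
    while [ "$waited" -lt "$1" ]; do
        if [ "$("$PBIS/lwsm" list 2>/dev/null | lwsm_state lsass)" = running ]; then
            return 0
        fi
        sleep 2
        waited=$((waited + 2))
    done
    return 1
}

# Refresh first, then restart: in the thread a bare restart returned
# LW_ERROR_SERVICE_UNRESPONSIVE (41203) until a refresh had been done.
repair_lsass() {
    "$PBIS/lwsm" refresh lsass && "$PBIS/lwsm" restart lsass
}

main() {
    if ! wait_for_lsass 120; then
        echo "$(date '+%FT%T') lsass not running after 120s; giving up" >>"$LOG"
        return 1
    fi
    if "$PBIS/pbis" status | ad_provider_unknown; then
        echo "$(date '+%FT%T') AD provider Unknown; refreshing and restarting lsass" >>"$LOG"
        repair_lsass >>"$LOG" 2>&1
        sleep 5
        "$PBIS/pbis" status >>"$LOG" 2>&1
    else
        echo "$(date '+%FT%T') AD provider healthy; nothing to do" >>"$LOG"
    fi
}

# Only act on a host that actually has PBIS installed, and only as root.
if [ -x "$PBIS/lwsm" ] && [ "$(id -u)" = 0 ]; then
    main
fi
```

Logging the before/after 'pbis status' to a file matters here: if the hook fires on every boot, the log is the evidence of whether the underlying startup problem (the one the maintainer says 8.8.0 addressed) is still present after an upgrade, rather than being silently papered over.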
Hi,
Please let me know the format to add --OU while joining the server back to the domain. We have multiple OUs and this is the first time I am going to implement this change. Also, will there be any additional steps required at the Winapp side, or should Linux commands be sufficient to join the server back to the domain after the installation of the pbis 8.8.0 version?
The internal help for domainjoin-cli (run 'domainjoin-cli --help') provides two examples of specifying OUs. This is also mentioned in the Linux Admin Guide, and in the domainjoin-cli man page. There should be no additional steps required on the Windows side.
Examples have been updated in the product and in the Documentation.
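The leave/uninstall/upgrade/reinstall/join sequence the maintainer gave relies on replaying "previous join options", and the OU is the one most likely to be lost between the leave and the join. The following is an added example, not code from this issue or from BeyondTrust, that saves the output of 'domainjoin-cli query' before leaving and derives the --ou argument from the Distinguished Name it prints. It assumes (to be confirmed against 'domainjoin-cli --help', as the maintainer advises) that --ou takes a slash-separated path from the domain root with the top-level OU first, so the DN on this page maps to "Domain Corp Servers Linux/SLES/DEV/Applications/SAP HANA". The state-file path and the service account name are assumptions, and the query transcript embedded below is the one posted in the issue, reused here as a constructed sample.

```shell
#!/bin/sh
# Added example (not from the issue or BeyondTrust): capture the current join
# details before 'domainjoin-cli leave' and emit the matching rejoin command.
# Assumption: --ou is a root-first, slash-separated OU path; DN values that
# contain escaped commas are not handled.

PBIS=/opt/pbis/bin
STATE=/root/pbis-join-state.txt

# The 'domainjoin-cli query' output posted in the issue, as a constructed sample.
SAMPLE_QUERY='Name = iutdevsap132
Domain = INTERNAL.QR.COM.AU
Distinguished Name = CN=IUTDEVSAP132,OU=SAP HANA,OU=Applications,OU=DEV,OU=SLES,OU=Domain Corp Servers Linux,DC=internal,DC=qr,DC=com,DC=au'

# Pull one "Key = value" field out of a query transcript on stdin.
query_field() {
    sed -n "s/^$1 = //p"
}

# DN -> --ou path: keep the OU= components, reverse them (a DN is leaf-first,
# --ou is root-first) and join them with '/'. Prints nothing if there is no OU.
ou_path_from_dn() {
    printf '%s\n' "$1" | awk -F',' '{
        n = 0
        for (i = 1; i <= NF; i++) if ($i ~ /^OU=/) parts[++n] = substr($i, 4)
        out = ""
        for (i = n; i >= 1; i--) out = out (i == n ? "" : "/") parts[i]
        print out
    }'
}

# Build the rejoin command from a query transcript ($1) and the joining
# account ($2). The domain is taken from the Domain field, lower-cased.
rejoin_command() {
    dn=$(printf '%s\n' "$1" | query_field 'Distinguished Name')
    domain=$(printf '%s\n' "$1" | query_field Domain | tr 'A-Z' 'a-z')
    printf '%s join --ou "%s" %s %s\n' "$PBIS/domainjoin-cli" \
        "$(ou_path_from_dn "$dn")" "$domain" "$2"
}

# First step of the maintainer's sequence: record the join state and the
# command to replay it, then leave the domain.
pre_upgrade_leave() {
    "$PBIS/domainjoin-cli" query >"$STATE" || return 1
    rejoin_command "$(cat "$STATE")" "$1" >>"$STATE"
    "$PBIS/domainjoin-cli" leave
}

# Usage: sh this-script.sh --leave <admin-account>; does nothing otherwise.
if [ -x "$PBIS/domainjoin-cli" ] && [ "$(id -u)" = 0 ] && [ "$1" = --leave ]; then
    pre_upgrade_leave "${2:?admin account required}"
fi
```

After the OS update and the PBIS reinstall, the last line of the state file is the join command to run; compare the Distinguished Name that 'domainjoin-cli query' prints afterwards with the saved one to confirm the computer object landed in the same OU rather than the default Computers container.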