IPA cross-forest trust, retrieve additional ldap attributes for users
by Steve Dainard
Hello,
I'm running a cross-forest trust with RHEL 7 IPA (60 day trial), when I do
an ldapsearch on the AD user against the IPA server I get very few
attributes.
It seems like the sssd option 'ldap_user_extras_attrs' should fetch
additional attributes but I can't seem to get any results. I'm also
confused which section this option should be added to on IPA server
sssd.conf. I've tried:
[domain/ipadomain]
ldap_user_extras_attrs = givenname, sn, displayname
[domain/addomain]
ldap_user_extras_attrs = givenname, sn, displayname
[domain/ipadomain/addomain]
ldap_user_extras_attrs = givenname, sn, displayname
Of note, I didn't include the 'mail' attribute as a value above as I read a
post that said IPA should pull this attribute automatically but I'm not
seeing it either when doing an ldapsearch. Maybe this points to a bigger
problem.
Here are the values I'm receiving:
# steve.dainard(a)addomain.com, users, compat, ipadomain.com
dn: uid=steve.dainard(a)addomain.com,cn=users,cn=compat,dc=ipadomain,dc=com
objectClass: posixAccount
objectClass: top
gecos: Steve Dainard
cn: Steve Dainard
uidNumber: 1587
gidNumber: 1028
loginShell: /bin/sh
homeDirectory: /home/addomain.com/steve.dainard
uid: steve.dainard(a)addomain.com
The uidNumber/gidNumber are coming from AD, but the loginShell in AD is set
to /bin/bash.
I've also seen mention of using the [ifp] section to populate attributes
for applications such as manageiq
http://manageiq.org/docs/reference/euwe/auth/ipa_ad_trust but if I add that
option my client hosts can't id users. I'm not entirely sure if the [ifp]
entry should be server side, client side, or both.
Thanks,
Steve
Install replica
by Oleg Danilovich
Hello guys,
I want to deploy a FreeIPA replica. My master currently runs on Ubuntu 16.04. Master
version: VERSION: 4.3.1, API_VERSION: 2.164
When I try to install the replica on Ubuntu I get an error. I tried to find a
solution but could not.
I want to try to install the FreeIPA replica on CentOS. Can I use a FreeIPA replica
on CentOS when my master is on Ubuntu 16.04?
--
Best regards,
Oleg Danilovich
DevOps Engineer
exp(capital) limited
T. +375447487939
Latest updates broke pki-tomcatd
by Kristian Petersen
When I recently updated one of my IPA servers (it reports
4.5.0-21.el7_4.1.2 in yum), the result was that it could not start back up
because pki-tomcatd kept failing. I was able to get it running for now by
ignoring the failure of that one service, but I haven't been able to
determine the cause. The logs are pretty quiet on this one. They show the
failure itself, but not information that helps me fix the problem.
--
Kristian Petersen
System Administrator
Dept. of Chemistry and Biochemistry
ipa sudorule-add-user SUDORULE-NAME doesn't support multiple groups
by Alexandre Pitre
Hi,
I noticed that on FreeIPA 4.5.0 on CentOS I can't specify multiple groups
with the sudorule-add-user command.
Example:
ipa sudorule-add-user sudorule --groups=group1,group2
Failed users/groups:
member user:
member group: group1,group2
-------------------------
Number of members added 0
-------------------------
Other similar ipa commands support multiple groups just fine.
Is this normal?
Thanks,
Alex
cross-forest trust, client system cannot id AD users.
by Steve Dainard
Hello,
I've installed a 60 day 'self supported' trial of red hat idm on rhel7.
I've created a cross-forest trust with an AD domain (2012R2) which already
has posix attributes in ldap for users and groups.
On my ipa server I can id/getent my AD user, and can SSH to the ipa server
with my AD credentials/kerberos ticket.
# id steve.dainard(a)ADDOMAIN.com
uid=1587(steve.dainard(a)ADDOMAIN.com) gid=1028(employees) groups=1028(employees),1041(confluence-administrators(a)ADDOMAIN.com),1060(employees-vancouver@ADDOMAIN.com),10(wheel),1027(cluster(a)ADDOMAIN.com),1086(devops@ADDOMAIN.com),1029(sysops(a)ADDOMAIN.com)
I installed CentOS 7.4 and joined it to the realm but I'm having
intermittent issues id'ing users. At first I couldn't id any AD user, but
then I added a trusted domain ldap_search_base to the ipa server's sssd.conf:
ldap_search_base = OU=Employees,OU=Users,OU=Accounts,DC=ADDOMAIN,DC=com
This initially seemed to work intermittently, some users I could id and
some I could not. I also noticed that the group membership of the users I
could id was incomplete, notably I have an AD group 'wheel' with gid 10
that shows on the ipa server side when I id my AD user, but didn't show on
the client side.
I decided to clear out the cache files manually and restart sssd on the
client, and now I can't id my user, but I can id users outside of the
ldap_search_base, specifically user accounts which are inactive and exist
in an inactive-users OU outside the ldap_search_base. Very confusing.
The sssd server side seems to be iterating through all my AD user account
names in the logs (debug_level = 10) and I don't feel comfortable posting
logs with their complete names online.
IPA server sssd.conf:
[domain/IPADOMAIN.zone]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = IPADOMAIN.zone
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa001.IPADOMAIN.zone
chpass_provider = ipa
ipa_server = ipa001.IPADOMAIN.zone
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 10
[sssd]
services = sudo, nss, ifp, pam, ssh
domains = IPADOMAIN.zone
debug_level = 10
[domain/IPADOMAIN.zone/ADDOMAIN.com]
ldap_search_base = OU=Employees,OU=Users,OU=Accounts,DC=ADDOMAIN,DC=com
debug_level = 10
[nss]
memcache_timeout = 600
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
[secrets]
IPA client sssd.conf:
[domain/IPADOMAIN.zone]
cache_credentials = true
krb5_store_password_if_offline = true
ipa_domain = IPADOMAIN.zone
id_provider = ipa
auth_provider = ipa
ipa_hostname = pearl-pavella.IPADOMAIN.zone
chpass_provider = ipa
access_provider = ipa
ipa_server = _srv_, ipa001.IPADOMAIN.zone
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 10
[sssd]
services = nss, pam, sudo, ssh
domains = IPADOMAIN.zone
default_domain_suffix = ADDOMAIN.com
debug_level = 10
[nss]
homedir_substring = /home
entry_negative_timeout = 1
[pam]
[sudo]
[autofs]
[ssh]
[pac]
# id steve.dainard
id: steve.dainard: no such user
I've attached the client side sssd_ipadomain.zone.log file. Most
interestingly I see my AD group memberships are at least listed in this
log, but oddly the 'wheel' group is @ the ipadomain which should be the
addomain. I don't have a wheel group on the ipa side, so this seems to be
the groups list the ipa server resolved and it matches its local wheel
group gid 10 which was passed along to the client:
(Tue Oct 17 14:02:44 2017) [sssd[be[ipadomain.zone]]]
[ipa_s2n_get_user_done] (0x0400): Received [7] groups in group list from
IPA Server
(Tue Oct 17 14:02:44 2017) [sssd[be[ipadomain.zone]]]
[ipa_s2n_get_user_done] (0x0400): [employees(a)addomain.com].
(Tue Oct 17 14:02:44 2017) [sssd[be[ipadomain.zone]]]
[ipa_s2n_get_user_done] (0x0400): [devops(a)addomain.com].
(Tue Oct 17 14:02:44 2017) [sssd[be[ipadomain.zone]]]
[ipa_s2n_get_user_done] (0x0400): [employees-vancouver(a)addomain.com].
(Tue Oct 17 14:02:44 2017) [sssd[be[ipadomain.zone]]]
[ipa_s2n_get_user_done] (0x0400): [wheel(a)ipadomain.zone].
(Tue Oct 17 14:02:44 2017) [sssd[be[ipadomain.zone]]]
[ipa_s2n_get_user_done] (0x0400): [confluence-administrators(a)addomain.com].
(Tue Oct 17 14:02:44 2017) [sssd[be[ipadomain.zone]]]
[ipa_s2n_get_user_done] (0x0400): [sysops(a)addomain.com].
(Tue Oct 17 14:02:44 2017) [sssd[be[ipadomain.zone]]]
[ipa_s2n_get_user_done] (0x0400): [cluster(a)addomain.com].
Thanks,
Steve
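To make the reading of the client log above repeatable, here is an added example (not part of the post) that parses the ipa_s2n_get_user_done group list from the client log and the groups= part of the server-side id output, then reports groups delivered under a domain other than the trusted one (wheel@ipadomain.zone in the post) and gids that id printed without any domain suffix. The log lines and id output are constructed from the ones quoted above; the archive's "(a)" spelling of "@" is accepted alongside "@".

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: client-side sssd_ipadomain.zone.log lines of the kind quoted
# in the post (the list archive prints "@" as "(a)"; the parser accepts both).
SAMPLE_LOG = """\
(Tue Oct 17 14:02:44 2017) [sssd[be[ipadomain.zone]]] [ipa_s2n_get_user_done] (0x0400): Received [4] groups in group list from IPA Server
(Tue Oct 17 14:02:44 2017) [sssd[be[ipadomain.zone]]] [ipa_s2n_get_user_done] (0x0400): [employees(a)addomain.com].
(Tue Oct 17 14:02:44 2017) [sssd[be[ipadomain.zone]]] [ipa_s2n_get_user_done] (0x0400): [devops(a)addomain.com].
(Tue Oct 17 14:02:44 2017) [sssd[be[ipadomain.zone]]] [ipa_s2n_get_user_done] (0x0400): [wheel(a)ipadomain.zone].
(Tue Oct 17 14:02:44 2017) [sssd[be[ipadomain.zone]]] [ipa_s2n_get_user_done] (0x0400): [sysops@addomain.com].
"""

# Constructed sample: "id" output for the same AD user as printed on the IPA server.
SAMPLE_ID = ("uid=1587(steve.dainard(a)ADDOMAIN.com) gid=1028(employees) "
             "groups=1028(employees),1041(confluence-administrators(a)ADDOMAIN.com),"
             "10(wheel),1027(cluster@ADDOMAIN.com)")

COUNT_RE = re.compile(r"\[ipa_s2n_get_user_done\] \(0x0400\): Received \[(\d+)\] groups")
GROUP_RE = re.compile(r"\[ipa_s2n_get_user_done\] \(0x0400\): \[([^\]]+)\]\.")
# gid(name) pairs; the name may itself contain the archive's "(a)" for "@"
ID_GROUP_RE = re.compile(r"(\d+)\(((?:[^()]|\(a\))+)\)")


def split_name(qualified: str) -> Tuple[str, Optional[str]]:
    """Split 'name@domain' (or 'name(a)domain') into (name, lowercase domain or None)."""
    name, sep, domain = qualified.replace("(a)", "@").partition("@")
    return name, (domain.lower() if sep else None)


def parse_s2n_groups(log_text: str) -> Tuple[Optional[int], List[Tuple[str, Optional[str]]]]:
    """Return (announced group count, [(group, domain), ...]) from s2n log lines."""
    announced = None
    groups: List[Tuple[str, Optional[str]]] = []
    for line in log_text.splitlines():
        m = COUNT_RE.search(line)
        if m:
            announced = int(m.group(1))
            continue
        m = GROUP_RE.search(line)
        if m:
            groups.append(split_name(m.group(1)))
    return announced, groups


def parse_id_groups(id_output: str) -> Dict[int, Tuple[str, Optional[str]]]:
    """Map gid -> (group, domain) from the groups= part of id(1) output."""
    _, _, groups_part = id_output.partition("groups=")
    return {int(gid): split_name(name) for gid, name in ID_GROUP_RE.findall(groups_part)}


def check_trusted_user_groups(log_text: str, id_output: str, trusted_domain: str) -> dict:
    """Cross-check the group list the client received against the trusted domain.

    count_ok         - the announced count matches the number of group lines
    foreign_groups   - groups delivered under a domain other than trusted_domain
    unqualified_gids - gids that id(1) printed without a domain suffix, i.e. names
                       resolved without the trusted-domain suffix (a local or IPA-side
                       group holding that gid rather than the AD group of the same name)
    """
    trusted = trusted_domain.lower()
    announced, groups = parse_s2n_groups(log_text)
    id_groups = parse_id_groups(id_output)
    return {
        "count_ok": announced == len(groups),
        "foreign_groups": [f"{g}@{d}" for g, d in groups if d != trusted],
        "unqualified_gids": {gid: name for gid, (name, dom) in id_groups.items() if dom is None},
    }


if __name__ == "__main__":
    for key, val in check_trusted_user_groups(SAMPLE_LOG, SAMPLE_ID, "addomain.com").items():
        print(f"{key}: {val}")
```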
ipa-cacert-manage vs NIS support
by Harald Dunkel
Hi folks,
I had to replace the CA chain about 3 months ago, using
ipa-cacert-manage. Question:
Does this affect freeipa's NIS support? Is there a hidden
certificate somewhere I missed to renew?
The freeipa servers are running Centos 7.3 and 7.4.
Every helpful comment is highly appreciated
Harri
One Machine not allowing kerberos auth
by Jeremy Utley
New FreeIPA deployment, and I have one server that is not allowing Kerberos
to handle authentication, but instead is prompting for password with a
valid kerberos ticket. All other machines are working normally. I've
double-checked the /etc/ssh/sshd_config file, identical between the one not
working, and the one that is. Done the same for SSSD and IPA configuration
info. Entering password on the machine does work, and does result in a
valid ticket being issued. Below is some debug info, generated with
"KRB5_TRACE=/dev/stdout ssh -vvv {hostname}", and truncated down to only
parts that differ:
On a working machine:
debug1: Next authentication method: gssapi-with-mic
[28004] 1508434137.499258: ccselect can't find appropriate cache for server
principal host/tc-adm01.trustcharge.net@
[28004] 1508434137.499490: Getting credentials jeremy(a)IPA.TRUSTCHARGE.NET
-> host/tc-adm01.trustcharge.net@ using ccache
KEYRING:persistent:1001:krb_ccache_MjbcsDY
[28004] 1508434137.499669: Retrieving jeremy(a)IPA.TRUSTCHARGE.NET ->
host/tc-adm01.trustcharge.net@ from
KEYRING:persistent:1001:krb_ccache_MjbcsDY with result:
-1765328243/Matching credential not found
[28004] 1508434137.499768: Retrying jeremy(a)IPA.TRUSTCHARGE.NET -> host/
tc-adm01.trustcharge.net(a)IPA.TRUSTCHARGE.NET with result:
-1765328243/Matching credential not found
[28004] 1508434137.499778: Server has referral realm; starting with host/
tc-adm01.trustcharge.net(a)IPA.TRUSTCHARGE.NET
[28004] 1508434137.499878: Retrieving jeremy(a)IPA.TRUSTCHARGE.NET -> krbtgt/
IPA.TRUSTCHARGE.NET(a)IPA.TRUSTCHARGE.NET from
KEYRING:persistent:1001:krb_ccache_MjbcsDY with result: 0/Success
[28004] 1508434137.499888: Starting with TGT for client realm:
jeremy(a)IPA.TRUSTCHARGE.NET -> krbtgt/IPA.TRUSTCHARGE.NET(a)IPA.TRUSTCHARGE.NET
[28004] 1508434137.499900: Requesting tickets for host/
tc-adm01.trustcharge.net(a)IPA.TRUSTCHARGE.NET, referrals on
[28004] 1508434137.499961: Generated subkey for TGS request: aes256-cts/B274
[28004] 1508434137.500054: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[28004] 1508434137.500259: Encoding request body and padata into FAST
request
[28004] 1508434137.500374: Sending request (985 bytes) to
IPA.TRUSTCHARGE.NET
[28004] 1508434137.500660: Initiating TCP connection to stream
172.31.92.18:88
[28004] 1508434137.501228: Sending TCP request to stream 172.31.92.18:88
[28004] 1508434137.507122: Received answer (937 bytes) from stream
172.31.92.18:88
[28004] 1508434137.507139: Terminating TCP connection to stream
172.31.92.18:88
[28004] 1508434137.507240: Response was from master KDC
[28004] 1508434137.507273: Decoding FAST response
[28004] 1508434137.507439: FAST reply key: aes256-cts/9BE9
[28004] 1508434137.507497: TGS reply is for jeremy(a)IPA.TRUSTCHARGE.NET ->
host/tc-adm01.trustcharge.net(a)IPA.TRUSTCHARGE.NET with session key
aes256-cts/CD56
[28004] 1508434137.507522: TGS request result: 0/Success
[28004] 1508434137.507529: Received creds for desired service host/
tc-adm01.trustcharge.net(a)IPA.TRUSTCHARGE.NET
[28004] 1508434137.507543: Storing jeremy(a)IPA.TRUSTCHARGE.NET ->
host/tc-adm01.trustcharge.net@ in KEYRING:persistent:1001:krb_ccache_MjbcsDY
[28004] 1508434137.507690: Also storing jeremy(a)IPA.TRUSTCHARGE.NET -> host/
tc-adm01.trustcharge.net(a)IPA.TRUSTCHARGE.NET based on ticket
[28004] 1508434137.507704: Removing jeremy(a)IPA.TRUSTCHARGE.NET -> host/
tc-adm01.trustcharge.net(a)IPA.TRUSTCHARGE.NET from
KEYRING:persistent:1001:krb_ccache_MjbcsDY
[28004] 1508434137.507911: Creating authenticator for
jeremy(a)IPA.TRUSTCHARGE.NET -> host/tc-adm01.trustcharge.net@, seqnum
291429769, subkey aes256-cts/A214, session key aes256-cts/CD56
debug2: we sent a gssapi-with-mic packet, wait for reply
[28004] 1508434137.511804: ccselect can't find appropriate cache for server
principal host/tc-adm01.trustcharge.net@
[28004] 1508434137.511964: Getting credentials jeremy(a)IPA.TRUSTCHARGE.NET
-> host/tc-adm01.trustcharge.net@ using ccache
KEYRING:persistent:1001:krb_ccache_MjbcsDY
[28004] 1508434137.512124: Retrieving jeremy(a)IPA.TRUSTCHARGE.NET ->
host/tc-adm01.trustcharge.net@ from
KEYRING:persistent:1001:krb_ccache_MjbcsDY with result: 0/Success
[28004] 1508434137.512197: Creating authenticator for
jeremy(a)IPA.TRUSTCHARGE.NET -> host/tc-adm01.trustcharge.net@, seqnum
487674855, subkey aes256-cts/0383, session key aes256-cts/CD56
[28004] 1508434137.670683: Read AP-REP, time 1508434137.512205, subkey
aes256-cts/2950, seqnum 529391729
debug1: Authentication succeeded (gssapi-with-mic).
On failing machine:
debug1: Next authentication method: gssapi-with-mic
[23080] 1508434210.54069: ccselect module realm chose cache
FILE:/tmp/krb5cc_1001 with client principal jeremy(a)IPA.TRUSTCHARGE.NET for
server principal host/tc-log01.trustcharge.net(a)IPA.TRUSTCHARGE.NET
[23080] 1508434210.54141: Retrieving jeremy(a)IPA.TRUSTCHARGE.NET ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/krb5cc_1001 with result: -1765328243/Matching credential not found
[23080] 1508434210.54160: Getting credentials jeremy(a)IPA.TRUSTCHARGE.NET ->
host/tc-log01.trustcharge.net(a)IPA.TRUSTCHARGE.NET using ccache
FILE:/tmp/krb5cc_1001
[23080] 1508434210.54207: Retrieving jeremy(a)IPA.TRUSTCHARGE.NET -> host/
tc-log01.trustcharge.net(a)IPA.TRUSTCHARGE.NET from FILE:/tmp/krb5cc_1001
with result: -1765328243/Matching credential not found
[23080] 1508434210.54242: Retrieving jeremy(a)IPA.TRUSTCHARGE.NET -> krbtgt/
IPA.TRUSTCHARGE.NET(a)IPA.TRUSTCHARGE.NET from FILE:/tmp/krb5cc_1001 with
result: 0/Success
[23080] 1508434210.54248: Found cached TGT for service realm:
jeremy(a)IPA.TRUSTCHARGE.NET -> krbtgt/IPA.TRUSTCHARGE.NET(a)IPA.TRUSTCHARGE.NET
[23080] 1508434210.54253: Requesting tickets for host/
tc-log01.trustcharge.net(a)IPA.TRUSTCHARGE.NET, referrals on
[23080] 1508434210.54285: Generated subkey for TGS request: aes256-cts/52BF
[23080] 1508434210.54292: etypes requested in TGS request: aes256-cts,
aes128-cts, des3-cbc-sha1, rc4-hmac
[23080] 1508434210.54411: Sending request (740 bytes) to IPA.TRUSTCHARGE.NET
[23080] 1508434210.54541: Initiating TCP connection to stream
172.31.92.18:88
[23080] 1508434210.54902: Sending TCP request to stream 172.31.92.18:88
[23080] 1508434210.60311: Received answer from stream 172.31.92.18:88
[23080] 1508434210.60349: Response was from master KDC
[23080] 1508434210.60409: TGS reply is for jeremy(a)IPA.TRUSTCHARGE.NET ->
host/tc-log01.trustcharge.net(a)IPA.TRUSTCHARGE.NET with session key
aes256-cts/98CE
[23080] 1508434210.60438: TGS request result: 0/Success
[23080] 1508434210.60444: Received creds for desired service host/
tc-log01.trustcharge.net(a)IPA.TRUSTCHARGE.NET
[23080] 1508434210.60450: Removing jeremy(a)IPA.TRUSTCHARGE.NET -> host/
tc-log01.trustcharge.net(a)IPA.TRUSTCHARGE.NET from FILE:/tmp/krb5cc_1001
[23080] 1508434210.60455: Storing jeremy(a)IPA.TRUSTCHARGE.NET -> host/
tc-log01.trustcharge.net(a)IPA.TRUSTCHARGE.NET in FILE:/tmp/krb5cc_1001
[23080] 1508434210.60557: Creating authenticator for
jeremy(a)IPA.TRUSTCHARGE.NET -> host/
tc-log01.trustcharge.net(a)IPA.TRUSTCHARGE.NET, seqnum 77295956, subkey
aes256-cts/5E8E, session key aes256-cts/98CE
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: Wrote 100 bytes for a total of 1417
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
[23080] 1508434210.62494: ccselect module realm chose cache
FILE:/tmp/krb5cc_1001 with client principal jeremy(a)IPA.TRUSTCHARGE.NET for
server principal host/tc-log01.trustcharge.net(a)IPA.TRUSTCHARGE.NET
[23080] 1508434210.62534: Retrieving jeremy(a)IPA.TRUSTCHARGE.NET ->
krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: from
FILE:/tmp/krb5cc_1001 with result: -1765328243/Matching credential not found
[23080] 1508434210.62542: Getting credentials jeremy(a)IPA.TRUSTCHARGE.NET ->
host/tc-log01.trustcharge.net(a)IPA.TRUSTCHARGE.NET using ccache
FILE:/tmp/krb5cc_1001
[23080] 1508434210.62574: Retrieving jeremy(a)IPA.TRUSTCHARGE.NET -> host/
tc-log01.trustcharge.net(a)IPA.TRUSTCHARGE.NET from FILE:/tmp/krb5cc_1001
with result: 0/Success
[23080] 1508434210.62628: Getting credentials jeremy(a)IPA.TRUSTCHARGE.NET ->
host/tc-log01.trustcharge.net(a)IPA.TRUSTCHARGE.NET using ccache
FILE:/tmp/krb5cc_1001
[23080] 1508434210.62662: Retrieving jeremy(a)IPA.TRUSTCHARGE.NET -> host/
tc-log01.trustcharge.net(a)IPA.TRUSTCHARGE.NET from FILE:/tmp/krb5cc_1001
with result: 0/Success
[23080] 1508434210.62689: Creating authenticator for
jeremy(a)IPA.TRUSTCHARGE.NET -> host/
tc-log01.trustcharge.net(a)IPA.TRUSTCHARGE.NET, seqnum 764360366, subkey
aes256-cts/1570, session key aes256-cts/98CE
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: Wrote 100 bytes for a total of 1517
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password
Any ideas what could be going wrong? I'm not really familiar with the
internals of Kerberos/GSSAPI, but it seems that is where it is failing.
Jeremy
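To compare the two traces mechanically rather than by eye, here is an added example (not from the post) that reduces each KRB5_TRACE plus ssh -vvv capture to the facts that differ between the machines: ccache type, whether the client named the server realm itself, the etypes requested, whether FAST was used, and whether the server ever answered with an AP-REP. Both samples show a successful TGS exchange, so the service ticket is obtained in each case; what the failing capture lacks is the AP-REP, after which sshd returns to the method list. The trace lines are constructed from the ones quoted above, joined onto single lines.

```python
import re
from typing import Any, Dict

# Constructed samples: a condensed "KRB5_TRACE=/dev/stdout ssh -vvv" run for each
# machine, keeping the lines that matter for the comparison (joined onto single lines).
WORKING_TRACE = """\
debug1: Next authentication method: gssapi-with-mic
[28004] 1508434137.499490: Getting credentials jeremy@IPA.TRUSTCHARGE.NET -> host/tc-adm01.trustcharge.net@ using ccache KEYRING:persistent:1001:krb_ccache_MjbcsDY
[28004] 1508434137.499778: Server has referral realm; starting with host/tc-adm01.trustcharge.net@IPA.TRUSTCHARGE.NET
[28004] 1508434137.500054: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[28004] 1508434137.500259: Encoding request body and padata into FAST request
[28004] 1508434137.507522: TGS request result: 0/Success
debug2: we sent a gssapi-with-mic packet, wait for reply
[28004] 1508434137.670683: Read AP-REP, time 1508434137.512205, subkey aes256-cts/2950, seqnum 529391729
debug1: Authentication succeeded (gssapi-with-mic).
"""

FAILING_TRACE = """\
debug1: Next authentication method: gssapi-with-mic
[23080] 1508434210.54160: Getting credentials jeremy@IPA.TRUSTCHARGE.NET -> host/tc-log01.trustcharge.net@IPA.TRUSTCHARGE.NET using ccache FILE:/tmp/krb5cc_1001
[23080] 1508434210.54292: etypes requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
[23080] 1508434210.60438: TGS request result: 0/Success
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
"""

CREDS_RE = re.compile(r"Getting credentials (\S+) -> (\S+) using ccache (\S+)")
ETYPES_RE = re.compile(r"etypes requested in TGS request: (.+)$")
TGS_RESULT_RE = re.compile(r"TGS request result: (-?\d+)/")


def summarize_trace(text: str) -> Dict[str, Any]:
    """Reduce a KRB5_TRACE + ssh -vvv capture to the handful of facts worth comparing."""
    s: Dict[str, Any] = {
        "client": None, "server_principal": None, "ccache_type": None,
        "explicit_realm": None,      # did the client name the server realm itself?
        "etypes": [], "fast": False, "tgs_ok": None,
        "ap_rep_seen": False,        # server replied with AP-REP, i.e. accepted the ticket
        "ssh_result": "unknown",
    }
    sent_token = False
    for line in text.splitlines():
        m = CREDS_RE.search(line)
        if m and s["server_principal"] is None:
            s["client"], s["server_principal"] = m.group(1), m.group(2)
            s["ccache_type"] = m.group(3).split(":", 1)[0]
            s["explicit_realm"] = not m.group(2).endswith("@")
            continue
        m = ETYPES_RE.search(line)
        if m:
            s["etypes"] = [e.strip() for e in m.group(1).split(",")]
            continue
        m = TGS_RESULT_RE.search(line)
        if m:
            s["tgs_ok"] = m.group(1) == "0"
        elif "into FAST request" in line:
            s["fast"] = True
        elif "Read AP-REP" in line:
            s["ap_rep_seen"] = True
        elif "we sent a gssapi-with-mic packet" in line:
            sent_token = True
        elif "Authentication succeeded (gssapi-with-mic)" in line:
            s["ssh_result"] = "succeeded"
        elif sent_token and "Authentications that can continue" in line:
            s["ssh_result"] = "rejected"   # sshd fell back to the method list
    return s


def diff_summaries(a: Dict[str, Any], b: Dict[str, Any]) -> Dict[str, tuple]:
    """Keys whose values differ between two summaries, as {key: (a_value, b_value)}."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    for key, pair in diff_summaries(summarize_trace(WORKING_TRACE),
                                    summarize_trace(FAILING_TRACE)).items():
        print(f"{key}: working={pair[0]!r} failing={pair[1]!r}")
```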
Manual IPA client install
by Mark Haney
So, I'm /this/ close to getting a pair of servers in Alaska (on very
slow links) setup for IPA authentication. I've followed the
documentation here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/...
since these two servers are CentOS 6.9. I'm almost certain I've got
everything setup correctly, but I'm still unable to login as an IPA user
either with SSH or with su - <username>. I get '<username> does not
exist'. However, I /can/ 'kinit admin' /and/ 'kinit mark.haney'
successfully:
[root@rad8 nnsrad]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mark.haney(a)NEONOVA.NET
Valid starting Expires Service principal
10/17/17 15:05:47 10/18/17 15:05:24 krbtgt/NEONOVA.NET(a)NEONOVA.NET
Note that my user account does not exist on the local machine and never
has. And the admin account, while one exists locally, has a different
password than the IPA admin.
Rob Crittenden had me check the keytab KVNO and it matches with the KVNO
of the IPA server. The one issue I can definitely say I have is this:
kinit -kt /etc/krb5.keytab
kinit: Generic preauthentication failure while getting initial credentials
Rob said the keytab might be out of sync, but unless I'm following his
instructions incorrectly, they do match. Anyone else have ideas on how
to get this working?
--
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.haney(a)neonova.net
www.neonova.net
Announcing SSSD 1.16.0
by Jakub Hrozek
SSSD 1.16.0
===========
The SSSD team is proud to announce the release of version 1.16.0 of the
System Security Services Daemon.
The tarball can be downloaded from https://releases.pagure.org/SSSD/sssd/
RPM packages will be made available for Fedora shortly.
Feedback
--------
Please provide comments, bugs and other feedback
via the sssd-devel or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Highlights
----------
Security fixes
^^^^^^^^^^^^^^
* This release fixes CVE-2017-12173: Unsanitized input when searching in
local cache database. SSSD stores its cached data in an LDAP like local
database file using libldb. To lookup cached data LDAP search filters
like (objectClass=user)(name=user_name) are used. However, in
sysdb_search_user_by_upn_res(), the input was not sanitized and
allowed to manipulate the search filter for cache lookups. This would
allow a logged in user to discover the password hash of a different user.
New Features
^^^^^^^^^^^^
* SSSD now supports session recording configuration through tlog. This
feature enables recording of everything specific users see or type
during their sessions on a text terminal. For more information, see
the sssd-session-recording(5) manual page.
* SSSD can act as a client agent to deliver
Fleet Commander <https://wiki.gnome.org/Projects/FleetCommander>
policies defined on an IPA server. Fleet Commander provides a
configuration management interface that is controlled centrally and
that covers desktop, applications and network configuration.
* Several new systemtap <https://sourceware.org/systemtap/> probes
were added into various locations in SSSD code to assist in
troubleshooting and analyzing performance related issues. Please see the
sssd-systemtap(5) manual page for more information.
* A new LDAP provider access control mechanism that allows restricting
access based on PAM's rhost data field was added. For more details,
please consult the sssd-ldap(5) manual page, in particular the
options ldap_user_authorized_rhost and the rhost value of
ldap_access_filter.
Performance enhancements
^^^^^^^^^^^^^^^^^^^^^^^^
* Several attributes in the SSSD cache that are quite often used during
cache searches were not indexed. This release adds the missing indices,
which improves SSSD performance in large environments.
Notable bug fixes
^^^^^^^^^^^^^^^^^
* The SSSD libwbclient implementation adjusted its behaviour in order to
be compatible with Winbind's return value of wbcAuthenticateUserEx().
This enables the SSSD libwbclient library to work with Samba-4.6 or newer.
* SSSD's plugin for MIT Kerberos to send the PAC to the PAC responder
did not protect the communication with the PAC responder with a mutex.
This was causing multi-threaded applications that process the Kerberos
PAC to miss a reply from SSSD and then were blocked until the default
client timeout of 300 seconds passed. This release adds the mutex,
which fixes the PAC responder usage in multi-threaded environments.
* Previously, SSSD used to refresh several expired sudo rules by combining
them into a long LDAP filter. This was ineffective, because the LDAP server
had to process the query, but at that point, the client was quite often
querying most or all of the sudo rules anyway. In this version, when
the number of sudo rules to be refreshed exceeds the value of a new option
sudo_threshold, all sudo rules are fetched instead.
* A bug in the sudo integration that prevented the rules from matching if the
user name referenced in that rule was overridden with sss_override or
IPA ID views was fixed.
* When SSSD is configured with id_provider=ad, then a Kerberos
configuration is created that instructs libkrb5 to use TCP for communication
with the AD DC by default. This would save switching from UDP to TCP, which
happens almost every time with the ad provider due to the PAC attached to
the Kerberos ticket.
Packaging Changes
-----------------
* The sss_debuglevel and sss_cache utilities were superseded by
sssctl commands sssctl debug-level and sssctl cache-expire,
respectively. While this change is backwards-compatible in the sense
that the old commands continue to work, it is recommended to switch
to the sssctl command which will in future encompass all SSSD
administration tasks.
* Two new manpages, sssd-session-recording(5) and sssd-systemtap(5)
were added.
* A new systemtap example script, which is packaged by default at
/usr/share/sssd/systemtap/dp_request.stp was added.
* A new directory called deskprofile under the SSSD state directory
(typically /var/lib/sss/) was added. SSSD downloads the Fleet
Commander profiles into this directory.
Documentation Changes
---------------------
* The ldap_user_certificate option has changed its default value
in the LDAP provider from "not set" to userCertificate;binary.
* The ldap_access_filter option has a new allowed value rhost
to support access control based on the PAM rhost value. The attribute
that SSSD reads during the rhost access control can be configured using
the new option ldap_user_authorized_rhost.
* The thresholds after which the IPA and LDAP sudo providers will refresh
all sudo rules instead of only the expired ones can be tuned using the
sudo_threshold option.
* A new provider handler, session_provider was added. At the moment,
only two handlers, ipa and none are supported. The IPA session
handler is used to fetch the Fleet Commander profiles from an IPA
server.
* The interval after which the IPA session provider will check for new
FleetCommander profiles can be configured using the new
ipa_deskprofile_request_interval option.
Tickets Fixed
-------------
* https://pagure.io/SSSD/sssd/issue/3549 - CVE-2017-12173: Unsanitized input when searching in local cache database
* https://pagure.io/SSSD/sssd/issue/3531 - dbus-1.11.18 caused hangs in cwrap integration tests
* https://pagure.io/SSSD/sssd/issue/3518 - sssd_client: add mutex protected call to the PAC responder
* https://pagure.io/SSSD/sssd/issue/3511 - sssd incorrectly checks 'try_inotify' thinking it is the wrong section
* https://pagure.io/SSSD/sssd/issue/3508 - Issues with certificate mapping rules
* https://pagure.io/SSSD/sssd/issue/3501 - Accessing IdM kerberos ticket fails while id mapping is applied
* https://pagure.io/SSSD/sssd/issue/3491 - pysss_nss_idmap: py3 constants defined as strings or bytes
* https://pagure.io/SSSD/sssd/issue/3485 - getsidbyid does not work with 1.15.3
* https://pagure.io/SSSD/sssd/issue/3481 - ERROR at setup of test_kcm_sec_init_list_destroy
* https://pagure.io/SSSD/sssd/issue/3459 - Allow fallback from krb5_aname_to_localname to other krb5 plugins
* https://pagure.io/SSSD/sssd/issue/3461 - unable to access cifs share using sssd-libwbclient
* https://pagure.io/SSSD/sssd/issue/3488 - SUDO doesn't work for IPA users on IPA clients after applying ID Views for them in IPA server
* https://pagure.io/SSSD/sssd/issue/3478 - sudo: fall back to the full refresh after reaching a certain threshold
* https://pagure.io/SSSD/sssd/issue/3473 - Failures on test_idle_timeout()
* https://pagure.io/SSSD/sssd/issue/3472 - sysdb index improvements - missing ghost attribute indexing, unneeded objectclass index etc..
* https://pagure.io/SSSD/sssd/issue/3363 - secrets: Per UID secrets quota
* https://pagure.io/SSSD/sssd/issue/3507 - Long search filters are created during IPA sudo command + command group retrieval
* https://pagure.io/SSSD/sssd/issue/3499 - Change the ldap_user_certificate to userCertificate;binary for the generic LDAP provider as well
* https://pagure.io/SSSD/sssd/issue/3482 - Fleet Commander: Add a timeout to avoid contacting the DP too often in case there was no profile fetched in the last login
* https://pagure.io/SSSD/sssd/issue/3460 - id root triggers an LDAP lookup
* https://pagure.io/SSSD/sssd/issue/3315 - infopipe: org.freedesktop.sssd.infopipe.Groups.Group doesn't show users
* https://pagure.io/SSSD/sssd/issue/3308 - SELinux: Use libselinux's getseuserbyname to get the correct seuser
* https://pagure.io/SSSD/sssd/issue/3307 - RFE: Log to syslog when sssd cannot contact servers, goes offline
* https://pagure.io/SSSD/sssd/issue/3306 - infopipe: List* with limit = 0 returns 0 results
* https://pagure.io/SSSD/sssd/issue/3305 - infopipe: crash when filter doesn't contain '*'
* https://pagure.io/SSSD/sssd/issue/3254 - Set udp_preference_limit=0 by sssd-ad using a krb5 snippet
* https://pagure.io/SSSD/sssd/issue/2995 - RFE: Deliver FleetCommander URL endpoint from an IPA server
* https://pagure.io/SSSD/sssd/issue/2893 - [RFE] Conditionally wrap user terminal with tlog
* https://pagure.io/SSSD/sssd/issue/3513 - MAN: Document that full_name_format must be set if the output of trusted domains user resolution should be shortnames only
* https://pagure.io/SSSD/sssd/issue/3450 - Unnecessary second log event causing much spam to syslog
* https://pagure.io/SSSD/sssd/issue/3417 - MAN: document that attribute 'provider' is not allowed in section 'secrets'
* https://pagure.io/SSSD/sssd/issue/3399 - Improve description of 'trusted domain section' in sssd.conf's man page
* https://pagure.io/SSSD/sssd/issue/3061 - Add systemtap probes into the top-level data provider requests
* https://pagure.io/SSSD/sssd/issue/2809 - CI doesn't work with DNF
* https://pagure.io/SSSD/sssd/issue/2301 - Print a warning when enumeration is requrested but disabled
* https://pagure.io/SSSD/sssd/issue/1898 - Move header files consumed by both server and client to special folder
* https://pagure.io/SSSD/sssd/issue/3517 - Prevent "TypeError: must be type, not classobj"
* https://pagure.io/SSSD/sssd/issue/3147 - sssctl: get and set debug level
* https://pagure.io/SSSD/sssd/issue/3057 - Merge existing command line tools into sssctl
Detailed Changelog
------------------
* Alexey Kamenskiy (1):
* LDAP: Add support for rhost access control
* AmitKumar (6):
* Moving headers used by both server and client to special folder
* ldap_child: Removing duplicate log message
* MAN: Improve description of 'trusted domain section' in sssd.conf's man page
* MAN: Improve ipa_hostname description
* IPA: check if IPA hostname is fully qualified
* Print a warning when enumeration is requested but disabled
* Fabiano Fidêncio (57):
* CACHE_REQ: Fix warning may be used uninitialized
* INTG: Add --with-session-recording=/bin/false to intgcheck's configure
* IFP: Change ifp_list_ctx_remaining_capacity() return type
* IFP: Don't pre-allocate the amount of entries requested
* IPA_ACCESS: Remove not used attribute
* IPA: Make ipa_hbac_sysdb_save() more generic
* IPA: Leave only HBAC specific defines in ipa_hbac_private.h
* IPA_ACCESS: Make hbac_get_cache_rules() more generic
* IPA_ACCESS: Make ipa_purge_hbac() more generic
* IPA_RULES_COMMON: Introduce ipa_common_save_rules()
* IPA_RULES_COMMON: Introduce ipa_common_get_hostgroupname()
* IPA_ACCESS: Make use of struct ipa_common_entries
* IPA_COMMON: Introduce ipa_get_host_attrs()
* UTIL: move {files,selinux}.c under util directory
* UTIL: Add sss_create_dir()
* DESKPROFILE: Introduce the new IPA session provider
* HBAC: Fix tevent hierarchy in ipa_hbac_rule_info_send()
* HBAC: Document ipa_hbac_rule_info_next()'s behaviour
* HBAC: Remove a cosmetic extra space from an if clause
* HBAC: Improve readability of ipa_hbac_rule_info_send()
* HBAC: Enforce coding style on ipa_hbac_rule_info_send()
* HBAC: Enforce coding style ipa_hbac_rule_info_recv()
* HBAC: Add a debug message in case ipa_hbac_rule_info_next() fails
* HBAC: Not having rules should not be logged as error
* DESKPROFILE: Add ipa_deskprofile_request_interval
* NEGCACHE: Add some comments about each step of sss_ncache_prepopulate()
* NEGCACHE: Always add "root" to the negative cache
* TEST_NEGCACHE: Test that "root" is always added to ncache
* NEGCACHE: Descend to all subdomains when adding user/groups
* CACHE_REQ: Don't error out when searching by id = 0
* NSS: Don't error out when deleting an entry which has id = 0 from the memcache
* NEGCACHE: Add root's uid/gid to ncache
* TEST_NEGCACHE: Ensure root's uid and gid are always added to ncache
* CONFDB: Set a default value for subdomain_refresh_interval in case an invalid value is set
* SDAP: Add a debug message to explain why a backend was marked offline
* SDAP: Don't call be_mark_offline() because sdap_id_conn_data_set_expire_timer() failed
* PYTHON: Define constants as bytes instead of strings
* SYSDB: Add sysdb_search_by_orig_dn()
* TESTS: Add tests for sysdb_search_{users,groups}_by_orig_dn()
* IPA: Use sysdb_search_*_by_orig_dn() _hbac_users.c
* SDAP: Use sysdb_search_*_by_orig_dn() in sdap_async_nested_groups.c
* SDAP: Use sysdb_search_*_by_orig_dn() in sdap_async_groups.c
* IPA: Use sysdb_search_*_by_orig_dn() in _subdomains_ext_group.c
* MAN: Add a note about the output of all commands when using domain_resolution_order
* RESOLV: Fix "-Werror=null-dereference" caught by GCC
* SIFP: Fix "-Wjump-misses-init" caught by GCC
* NSS: Fix "-Wold-style-definition" caught by GCC
* TESTS: Fix "-Werror=null-dereference" caught by GCC
* TOOLS: Fix "-Wstack-protector" caught by GCC
* SSSCTL: Fix "-Wshadow" warning caught by GCC
* SSSCTL: Fix "-Wunitialized" caught by GCC
* SSSCTL: Use get prefix for the sssctl_attr_fn functions
* TESTS: Fix "-Wshadow" caught by GCC
* RESPONDER: Fix "-Wold-style-definition" caught by GCC
* PAM: Avoid overwriting pam_status in _lookup_by_cert_done()
* DP: Fix the output type used in dp_req_recv_ptr()
* DP: Log to syslog whether it's online or offline
Jakub Hrozek (29):
* Updating the version for the 1.15.4 release
* MAN: Don't tell the user to autostart sssd-kcm.service; it's socket-enabled
* TESTS: Add wrappers to request a user or a group by ID
* TESTS: Add files provider tests that request a user and group by ID
* TESTS: Add regression tests to try if resolving root and ID 0 fails as expected
* CONFDB: Do not crash with an invalid domain_type or case_sensitive value
* IPA: Only attempt migration for the joined domain
* SECRETS: Remove unused declarations
* SECRETS: Do not link with c-ares
* SECRETS: Store quotas in a per-hive configuration structure
* SECRETS: Read the quotas for cn=secrets from [secrets/secrets] configuration subsection
* SECRETS: Rename local_db_req.basedn to local_db_req.req_dn
* SECRETS: Use separate quotas for /kcm and /secrets hives
* TESTS: Test that ccaches can be stored after max_secrets is reached for regular non-ccache secrets
* SECRETS: Add a new option to control per-UID limits
* SECRETS: Support 0 as unlimited for the quotas
* TESTS: Relax the assert in test_idle_timeout
* IPA: Reword the DEBUG message about SRV resolution on IDM masters
* IPA: Only generate kdcinfo files on clients
* MAN: Improve failover documentation by explaining the timeout better
* MAN: Document that the secrets provider can only be specified in a per-client section
* TESTS: Use NULL for pointer, not 0
* SUDO: Use initgr_with_views when looking up a sudo user
* KCM: Do not leak newly created ccache in case the name is malformed
* KCM: Use the right memory context
* KCM: Add some forgotten NULL checks
* GPO: Don't use freed LDAPURLDesc if domain for AD DC cannot be found
* Updating the translation for the 1.16.0 release
* Updating the version for the 1.16.0 release
Justin Stephenson (8):
* SELINUX: Use getseuserbyname to get IPA seuser
* DP: Add Generic DP Request Probes
* CONTRIB: Add DP Request analysis script
* MAN: Add sssd-systemtap man page
* SSSCTL: Move sss_debuglevel to sssctl debug-level
* SSSCTL: Replace sss_debuglevel with shell wrapper
* SSSCTL: Add cache-expire command
* IPA: Add threshold for sudo searches
Lukas Slebodnik (31):
* SPEC: Use language file for sssd-kcm
* SHARED: Return warning back about minimal header files
* intg: Disable add_remove tests
* SPEC: require http-parser only on rhel7.4
* intg: Increase startup timeouts for kcm and secrets
* libwbclient: Change return code for wbcAuthenticateUserEx
* libwbclient: Fix warning statement with no effect
* SPEC: rhel8 will have python3 as well
* SPEC: Fix unowned directory
* certmap: Suppress warning Wmissing-braces
* cache_req: Look for name attribute also in nss_cmd_getsidbyid
* SPEC: Update owner and mode for /var/lib/sss/deskprofile
* CI: Use dnf 2.0 for installation of packages in fedora
* Revert "PYTHON: Define constants as bytes instead of strings"
* pysss_nss_idmap: return same type as it is in module constants
* pysss_nss_idmap: Fix typos in python documentation
* CONFIG: Fix schema for try_inotify
* SPEC: Fix detecting of minor release
* Fix warning declaration of 'index' shadows a global declaration
* intg: Fix execution with dbus-1.11.18
* TOOLS: Log redirection info for sss_debuglevel to stderr
* TOOLS: Print Better usage for sssctl debug-level
* TOOLS: Hide option --debug in sssctl
* intg: Fix pep8 warnings in config.py template
* intg: Let python paths be configurable
* intg: prevent "TypeError: must be type, not classobj"
* intg: Prefer locally built python modules
* ds_openldap: Extract functionality to protected methods
* intg: Create FakeAD class based on openldap
* intg: Add sanity tests for pysss_nss_idmap
* Revert "IPA: Only generate kdcinfo files on clients"
Marlena Marlenowska (1):
* IDMAP: Prevent collision for explicitly defined slice.
Nikolai Kondrashov (16):
* CACHE_REQ: Propagate num_results to cache_req_state
* NSS: Move shell options to common responder
* NSS: Move nss_get_shell_override to responder utils
* CONFIG: Add session_recording section
* BUILD: Support configuring session recording shell
* UTIL: Add session recording conf management module
* RESPONDER: Add session recording conf loading
* DP: Add session recording conf loading
* SYSDB: Add sessionRecording attribute macro
* DP: Load override_space into be_ctx
* DP: Overlay sessionRecording attribute on initgr
* CACHE_REQ: Pull sessionRecording attrs from initgr
* NSS: Substitute session recording shell
* PAM: Export original shell to tlog-rec-session
* INTG: Add session recording tests
* MAN: Describe session recording configuration
Pavel Březina (4):
* DP: Update viewname for all providers
* sudo: add a threshold option to reduce size of rules refresh filter
* IFP: fix typo in option name in man pages
* IFP: parse ping arguments in codegen
Petr Čech (4):
* IFP: Do not fail when a GHOST group is not found
* UTIL: Set udp_preference_limit=0 in krb5 snippet
* IFP: Filter with * in infopipe group methods
* IFP: Fix of limit = 0 (unlimited result)
Sumit Bose (15):
* libwbclient-sssd: update interface to version 0.14
* localauth plugin: change return code of sss_an2ln
* tests: add unit tests for krb5 localauth plugin
* IPA: format fixes
* certmap: add OpenSSL implementation
* ipa: make sure view name is initialized at startup
* certmap: make sure eku_oid_list is always allocated
* IPA: fix handling of certmap_ctx
* sysdb: add missing indices
* IDMAP: add a unit test
* sssd_client: add mutex protected call to the PAC responder
* BUILD: Accept krb5 1.16 for building the PAC plugin
* sysdb: sanitize search filter input
* IPA: sanitize name in override search filter
* sss_client: refactor internal timeout handling
Yuri Chornoivan (3):
* Fix minor typos
* Fix minor typos
* Fix minor typos in docs
amitkuma (2):
* ldap: Change ldap_user_certificate to userCertificate;binary
* python: Changing class declaration from old to new-style type