Config problem or bug(?) with sssd and Windows AD 2008
by Patrick Grieshaber
Hello folks,
first let me say that the sssd project is great and I am lucky that this
project is available for CentOS/Redhat through the EPEL repo :-).
I've installed version sssd-1.2.1-27.el5.x86_64 and I want to be able to
fetch user info and enable login through AD 2008, but I fail.
sssd.conf:
[domain/example.com]
enumerate = false
id_provider = ldap
chpass_provider = krb5
ldap_uri = ldap://dc1.example.com, ldap://dc2.example.com
ldap_search_base = dc=example,dc=com
tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_tls_cacertdir = /etc/pki/tls/certs
ldap_default_bind_dn = CN=serviceuser,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = serviceuserpassword
ldap_user_name = sAMAccountName
ldap_search_base = OU=IT,DC=example,DC=com
ldap_pwd_policy = none
ldap_user_object_class = person
ldap_schema = rfc2307bis
ldap_user_principal = userPrincipalName
ldap_user_uid_number = sAMAccountName
ldap_user_gid_number = sAMAccountName
ldap_user_uuid = sAMAccountName
ldap_user_fullname = displayName
# kerberos config
auth_provider = krb5
krb5_kdcip = dc1.example.com
krb5_realm = EXAMPLE.COM
krb5_changepw_principle = kadmin/changepw
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
For debugging reasons I run: sssd -d9
Here is the output when I attempt: su - myuser@example.com
...snip...
(Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_get_generic_send] (6): calling ldap_search_ext with [(&(sAMAccountName=myuser)(objectclass=person))][OU=IT,DC=example,DC=com].
...snip...
(Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_process_result] (8): Trace: sh[0x8f876c0], connected[1], ops[0x8f87500], ldap[0x8f876f0]
(Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_process_result] (8): Trace: sh[0x8f876c0], connected[1], ops[0x8f87500], ldap[0x8f876f0]
(Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_parse_entry] (9): OriginalDN: [CN=my,OU=IT,DC=example,DC=com].
(Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_process_result] (8): Trace: sh[0x8f876c0], connected[1], ops[0x8f87500], ldap[0x8f876f0]
(Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_get_generic_done] (6): Search result: Success(0),
(Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_get_users_process] (6): Search for users, returned 1 results.
(Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_process_result] (8): Trace: sh[0x8f876c0], connected[1], ops[(nil)], ldap[0x8f876f0]
(Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [ldb] (9): start ldb transaction (nesting: 0)
(Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_save_user_send] (9): Save user
(Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_save_user_send] (1): no uid provided for [myuser] in domain [example.com].
(Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_save_users_process] (2): Failed to store user 0. Ignoring.
(Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [ldb] (9): commit ldb transaction (nesting: 0)
(Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_get_users_done] (9): Saving 1 Users - Done
(Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
And su outputs: su: user myuser@example.com does not exist
What is wrong? I do the mapping of a uid/gid... any help is appreciated!
Thank you,
pat
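An added check, not part of the original post or of sssd, that flags the two configuration problems visible above (a repeated ldap_search_base and uid/gid attributes mapped to a non-numeric attribute) and pulls the "no uid provided" failures out of a -d9 log. The sample config and log lines are constructed from the post, and the check assumes the directory exposes the RFC 2307 / SFU attributes uidNumber and gidNumber for POSIX ids.

```python
import configparser
import re

# Constructed sample modelled on the domain section in the post above: the
# repeated search base and the non-numeric uid/gid mapping are what we look for.
SAMPLE_CONF = """
[domain/example.com]
id_provider = ldap
ldap_search_base = dc=example,dc=com
ldap_search_base = OU=IT,DC=example,DC=com
ldap_user_name = sAMAccountName
ldap_user_uid_number = sAMAccountName
ldap_user_gid_number = sAMAccountName
"""
# Constructed log line in the shape of the sdap_save_user_send message above.
SAMPLE_LOG = """
(Tue Oct 5 09:16:45 2010) [sssd[be[example.com]]] [sdap_save_user_send] (1): no uid provided for [myuser] in domain [example.com].
"""

# Assumption: the directory exposes RFC 2307 / SFU attributes for POSIX ids.
NUMERIC_ID_ATTRS = {"uidnumber", "gidnumber"}

# The debug line sssd emits when a fetched entry carries no usable uid.
NO_UID_RE = re.compile(r"\[sdap_save_user_send\] \(\d+\): no uid provided for "
                       r"\[([^\]]+)\] in domain \[([^\]]+)\]")


def check_domain_config(text):
    """Return findings for every [domain/...] section of an sssd.conf."""
    findings = []
    # strict=True rejects a repeated key instead of silently keeping the last
    # one; interpolation=None because sssd.conf values may contain '%'.
    parser = configparser.ConfigParser(strict=True, interpolation=None)
    try:
        parser.read_string(text)
    except configparser.DuplicateOptionError as err:
        findings.append(f"[{err.section}] sets {err.option} twice; only the last value is used")
        parser = configparser.ConfigParser(strict=False, interpolation=None)
        parser.read_string(text)
    for name in (s for s in parser.sections() if s.startswith("domain/")):
        for opt in ("ldap_user_uid_number", "ldap_user_gid_number"):
            attr = parser[name].get(opt)
            if attr is not None and attr.lower() not in NUMERIC_ID_ATTRS:
                findings.append(f"[{name}] {opt} = {attr} is not a numeric id attribute; "
                                "sssd will log 'no uid provided' and drop the user")
    return findings


def users_dropped_for_missing_uid(log_text):
    """Return (user, domain) pairs that sssd refused to store for lack of a uid."""
    return NO_UID_RE.findall(log_text)
```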
[PATCH] Introduce pam_verbosity config option
by Sumit Bose
Hi,
this patch should fix ticket #604, but maybe we want to add some more
levels to pam_verbosity and also handle other messages with this patch.
Currently I have two questions. First, is more granularity needed for
pam_verbosity or is it enough to switch between only important and all
messages? Second, if offline_credentials_expiration is set, the
'Authenticated with cached credentials' message is always displayed. Is
this acceptable or shall we introduce a threshold parameter here?
bye,
Sumit
[PATCHES] Sanitize search filters in the sysdb
by Stephen Gallagher
This is the first part of a fix for https://fedorahosted.org/sssd/ticket/639
These patches address the various search filters we're using in the
sysdb. Patches for LDAP search filters will be coming later. I wanted to
get these reviewed first.
Patch 0001: Adds a utility function to sanitize search filters using the
method described in RFC 4515. Includes a unit test.
Patch 0002: Sanitize search filters internal to the public sysdb APIs.
Includes unit tests.
Patch 0003: Sanitize sysdb search filters in the IPA provider used with
sysdb_search_custom()
Patch 0004: Sanitize sysdb search filters used when processing nested
groups.
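The RFC 4515 escaping that Patch 0001 describes, shown as an added example (not sssd's own code) against the user lookup filter seen earlier on this page: the unsanitized builder pastes the name in verbatim, the hardened one escapes it first, and two small checks let a reviewer verify that a value or a whole filter has been handled. Function names are my own.

```python
import re

# RFC 4515 section 3: '*', '(', ')', '\' and NUL inside an assertion value are
# written as a backslash followed by two hex digits.
_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}
_ESCAPED_SEQ = re.compile(r"\\[0-9a-fA-F]{2}")


def sanitize_filter_value(value):
    """Escape one assertion value so it can only ever match as a literal string."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unsanitized_user_filter(name):
    """The pattern the patches replace: the name becomes part of the filter verbatim."""
    return f"(&(sAMAccountName={name})(objectclass=person))"


def user_filter(name):
    """Hardened form: the name is escaped before it is placed in the filter."""
    return f"(&(sAMAccountName={sanitize_filter_value(name)})(objectclass=person))"


def value_is_sanitized(value):
    """True if an assertion value contains no raw special characters (escapes allowed)."""
    stripped = _ESCAPED_SEQ.sub("", value)
    return not any(ch in _ESCAPES for ch in stripped)


def filter_is_balanced(filter_text):
    """Cheap structural check on a whole filter: every '(' has a matching ')'."""
    depth = 0
    for ch in _ESCAPED_SEQ.sub("", filter_text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0
```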
[PATCHES] Create krb5 access provider
by Sumit Bose
Hi,
this series of patches implements an access target for the Kerberos
provider based on the krb5_kuserok() call which checks $HOME/.k5login.
This patch should fix ticket #618.
bye,
Sumit
[PATCH] Store krb5 auth context for other targets
by Sumit Bose
Hi,
this patch should fix ticket #628. It was reported that in the case of a
timeout the KDC was contacted two times. This happened because the KDC
was added two times (once for the auth target, the other for the chpass
target). There is already some code which should detect multiple
initialisation from different targets, but it didn't work correctly.
This patch should fix it.
bye,
Sumit
sdap_async_netgroups.c misused SDAP_SEARCH_BASE?
by Moritz Baumann
I have filed a bug report at:
https://bugzilla.redhat.com/show_bug.cgi?id=648150
ddiff -Nur sssd-1.4.0/src/providers/ldap/sdap_async_netgroups.c
sssd-1.4.0.patch/src/providers/ldap/sdap_async_netgroups.c
--- sssd-1.4.0/src/providers/ldap/sdap_async_netgroups.c 2010-10-18
20:03:45.000000000 +0200
+++ sssd-1.4.0.patch/src/providers/ldap/sdap_async_netgroups.c 2010-10-31
14:57:51.963194696 +0100
@@ -603,7 +603,7 @@
subreq = sdap_get_generic_send(state, state->ev, state->opts,
state->sh,
dp_opt_get_string(state->opts->basic,
- SDAP_SEARCH_BASE),
+
SDAP_NETGROUP_SEARCH_BASE),
LDAP_SCOPE_SUBTREE,
state->filter, state->attrs,
state->opts->netgroup_map,
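Review bot: the `+` line in the sdap_get_generic_send() call is mail-wrapped, with SDAP_NETGROUP_SEARCH_BASE on a line of its own after a bare `+`, so the patch will not apply as pasted; please re-send it as an attachment or with the argument on the `+` line itself, i.e. `+ SDAP_NETGROUP_SEARCH_BASE),` aligned with the `-` line it replaces. The substitution itself looks right for a netgroup lookup, but the review should confirm that SDAP_NETGROUP_SEARCH_BASE takes the ldap_search_base value when ldap_netgroup_search_base is not configured, otherwise existing configurations would start searching an empty base for netgroups.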
I'm not sure if this fixes the issue.
Best,
Moritz
[PATCH] Fix incorrect free of req in krb5_auth.c
by Stephen Gallagher
Causes a crash in the kerberos provider when we immediately thereafter
call into krb5_find_ccache_step().
GECOS mapping for 'cn' attribute in SSSD.
by Gowrishankar Rajaiyan
Hi All,
When SSSD is configured for proxy id_provider and a user is enumerated,
the GECOS field is populated with the ldap server's "cn" attribute.
# getent -s sss passwd puser1
puser1:*:1001:1001:Posix User1:/export/puser1:/bin/bash
However, if SSSD is configured for ldap id_provider and the same user is
enumerated, the GECOS field remains empty.
# getent -s sss passwd puser1
puser1:*:1001:1001::/export/puser1:/bin/bash
It looks like nss_ldap switched to defaulting to using 'cn' for the
gecos mapping. Perhaps SSSD should do the same?
Best regards,
Shanks