October 2012 - sssd-devel - Fedora Mailing-Lists

by Joshua C. Endries

Hello, I'm trying to set sssd up so that I use a local passwd file for accounts and Kerberos for authentication, until AD is set up with the correct attributes (which will be a while). I have Kerberos working via krb5.conf, and LDAP sort of works via ldap.conf (except the important parts) but I will need to switch to SSSD eventually. I was hoping to get this going now with local accounts to make things easier down the road. This is on RHEL 5 right now. I'm hoping 6 isn't much different. I'm having some trouble (shocker!) so my first question is: is this configuration possible? My sssd.conf is pretty basic so far: [sssd] config_file_version = 2 domains = DEFAULT services = nss, pam [nss] [pam] [domain/DEFAULT] auth_provider = krb5 id_provider = proxy proxy_lib_name = files krb5_server = kerberos.foo.com krb5_realm = IT.FOO.COM These are some of the errors I'm seeing: [sssd[pam]] [sss_dp_get_reply] (4): Got reply (3, 19, Initgroups call not supported) from Data Provider [sssd[pam]] [pam_check_user_dp_callback] (2): Unable to get information from Data Provider [sssd[pam]] [pam_check_user_search] (4): Requesting info for [jce54@DEFAULT] [pam_check_user_search] (2): No matching domain found for [jce54], fail! sshd[6592]: pam_sss(sshd:auth): received for user jce54: 10 (User not known to the underlying authentication module) This suggests to me that it's not talking with NSS somehow... /etc/pam.d/system-auth: auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass #auth sufficient pam_krb5.so use_first_pass auth required pam_deny.so #account sufficient pam_ldap.so account required pam_unix.so broken_shadow account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so #account [default=bad success=ok user_unknown=ignore] pam_krb5.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok #password sufficient pam_krb5.so use_authtok minimum_uid=1000 password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session sufficient pam_sss.so session required pam_unix.so I read in one of the man pages I think that sssd will append the krb5_realm to the username if there isn't a domain there, and I'm logging in with jce54, so it *should* I think use jce54(a)IT.FOO.COM, but doesn't appear to do anything Kerberos-wise so maybe that's not an issue (yet). Thanks, Josh

11 years, 6 months

2
4
0 / 0

[PATCH] Allow setting the default_shell option per-domain as well

by Jakub Hrozek

https://fedorahosted.org/sssd/ticket/1583

11 years, 6 months

2
2
0 / 0

[INI] Patch to address coverity issue 11089

by Dmitri Pal

Expected to be applied on top of the previous set of patches. -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/

11 years, 6 months

2
1
0 / 0

[INI] Assorted patches for ding-libs

by Dmitri Pal

Hello, Here is a bunch of patches for review: Patch 1: The unit test was not correct. The paths to files used in the unit test were wrong. It used function exec instead of system which is bad too. It was hard to see what is going on so some more verbose output added. The config files are now copied our of the ini.d directory. The permission test is adjusted. Patch 2: Can be squashed into previous one but I decided against it as it is a change in configure.am not in code. Patch 1 does all the copying of the files used in the unit test so there is no need to copy file at the configure stage. Patch 3: Couple convenience functions for the value object that turned out to be missing Patches 4-10 (big!!!): Definition, implementation, unit tests and docs for the new INI interface that uses value object instead of the bare strings. There is a lot of code there but it is mostly inspired by existing interface. It exists in parallel for the backward compatibility. Old inteface is still built, just not advertised via the docs. It needs couple more layers of polish before it can be called complete. The new interface is mostly a copy of the old interface so no big logical differences other than ability to have keys with multiple values in the same file. For example there is now a way to deal with case like this: file=x1 file=x2 file=x3 and get all the values for key "file" one at a time. Plans for the near future: 1) Finish the section merge - it is not complete but when it is this interface will be completely functional. The goal to that during August. 2) Provide a patch for SSSD to switch to the new interface - for August too. This is the moment when we can call it v1. Longer term plans: 1) Add functions to create config file to the interface. Currently it is a the processing/parsing part, but you can't easily construct the configuration file, only read it. 2) Add validation as it was originally planned. I will try to find the victim to do the long term changes as I do not scale for this any more. -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/

11 years, 6 months

3
7
0 / 0

Active Directory Integration test day coming up on Thursday, 2012-10-18

by Jakub Hrozek

Hi, The Fedora Test day scheduled for Thursday, October 18th is focused on Active Directory integration, in particular the realmd project and to some extent the Active Directory provider of the SSSD. This test day should be of particular interest to admins who manage Linux boxes enrolled in an Active Directory domain. As usual, join us in #fedora-test-day on FreeNode IRC. All the test instructions are on the wiki: https://fedoraproject.org/wiki/Test_Day:2012-10-18_Active_Directory See the full feature page at if you'd like to learn more about the feature: http://fedoraproject.org/wiki/Features/ActiveDirectory If you are interested and have the spare cycles, please join us during this Fedora Test day and help us make sure that Fedora 18 works with Active Directory out of the box!

11 years, 6 months

1
0
0 / 0

[PATCH] sss_debuglevel: Multiple arguments are treated as error.

by Michal Židek

https://fedorahosted.org/sssd/ticket/1327 Patch is attached. Michal

11 years, 6 months

3
2
0 / 0

[PATCH] Make TTL configurable for dynamic dns

by James Hogarth

Hi all, Following the discussion previously for #1476 attached is a patch to current master that does the following: 1) If there is no value in sssd.conf it assumes a default of 1200 to fall in line with the current IPA code 2) Adds a new option to sssd.conf - ipa_dyndns_ttl - which is an integer in seconds for the TTL of the record I've tested this on F17 with nothing set and with a few different integers set and verified on IPA (via ipa dnsrecord-show --all) that the TTL has been set correctly. Comments would be most welcome :) Kind regards, James

11 years, 6 months

3
8
0 / 0

[PATCH] MAN: improve wording of default_domain parameter

by Jakub Hrozek

attached..

11 years, 6 months

2
3
0 / 0

The master branch and sssd-1-9 have diverged

by Jakub Hrozek

Hi, I've created a new branch sssd-1-9 in git. The patches targeted for any of the 1.9.x milestones will be pushed to both sssd-1-9 and master as would the fixes for serious bugs we find during the 1.10 development. The patches intended for the 1.10 release will be pushed to master only. As the "master" branch is now tracking the 1.10 development, so the version (that is reflected in the ipa-devel repo) was set to 1.9.90.

11 years, 6 months

1
0
0 / 0

Announcing SSSD 1.9.2

by Jakub Hrozek

=== SSSD 1.9.2 === The SSSD team is proud to announce the release of version 1.9.2 of the System Security Services Daemon. This is mostly a bugfix release again. I am going to branch off the 1.9 branch from master so that we can start including the 1.10 features in master. As always, the source is available from https://fedorahosted.org/sssd RPM packages will be made available for Fedora shortly, initially for F-18 and rawhide and later also backported to F-17. == Feedback == Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users == Highlights == * Users or groups from trusted domains can be retrieved by UID or GID as well * Several fixes that mitigate file descriptor leak during logins * SSH host keys are also removed from the cache after being removed from the server * Fix intermittent crash in responders if the responder was shutting down while requests were still pending * Catch an error condition that might have caused a tight loop in the sssd_nss process while refreshing expired enumeration request * Fixed memory hierarchy of subdomains discovery requests that caused use-after-free access bugs * The krb5_child and ldap_child processes can print libkrb5 tracing information in the debug logs == Tickets Fixed == https://fedorahosted.org/sssd/ticket/1008 Make sssd api conf file location configurable https://fedorahosted.org/sssd/ticket/1319 group lookups optimizations for IPA https://fedorahosted.org/sssd/ticket/1499 Add details about TGT validation to sssd-krb5 man page https://fedorahosted.org/sssd/ticket/1512 [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist https://fedorahosted.org/sssd/ticket/1514 [abrt] sssd-1.8.4-13.fc16: __GI_exit: Process /usr/libexec/sssd/sssd_pam was killed by signal 6 (SIGABRT) https://fedorahosted.org/sssd/ticket/1539 Collect Krb5 Trace on High Debug Levels https://fedorahosted.org/sssd/ticket/1551 sssd_nss process hangs, stuck in loop; "self restart" does recover, but old process hangs around using 100% CPU https://fedorahosted.org/sssd/ticket/1561 getting user/group entry by uid/gid sometimes fails https://fedorahosted.org/sssd/ticket/1569 Use pam_set_data to close the fd in the pam module https://fedorahosted.org/sssd/ticket/1571 sssd_nss intermittent crash https://fedorahosted.org/sssd/ticket/1574 SSH host keys are not being removed from the cache == Packaging Changes == * The libsss_sudo-devel package no longer contains the package-config file. The libsss_sudo-devel shared object has been moved to the libsss_sudo package. == Detailed Changelog == E Deon Lackey (1): * Fix language errors in the sssd-krb5.conf man page Jakub Hrozek (14): * Bumping the version to 1.9.1 release * Fix uninitialized pointer read in ssh_host_pubkeys_update_known_hosts * Fix segfault when ID-mapping an entry without a SID * Fix memory hierarchy in subdomains discovery * PAM: close socket fd with pam_set_data * Couple of specfile fixes * Remove libsss_sudo.pc and move libsss_sudo.so to libsss_sudo * Two fixes to child processes * Collect krb5 trace on high debug levels * PAM: fix handling the client fd in pam destructor * Create ghost users when a user DN is encountered in IPA * Only call krb5_set_trace_callback on platforms that support it * MAN: improve wording of default_domain parameter * Updating the translations for the 1.9.2 release Jan Cholasta (1): * SSH: When host keys are removed from LDAP, remove them from the cache as well Ondrej Kos (1): * Add more info about ticket validation Pavel Březina (3): * do not fail if POLLHUP occurs while reading data * do not call dp callbacks when responder is shutting down * nss_cmd_retpwent(): do not go into infinite loop if n < 0 Sumit Bose (3): * Save time of last get_domains request * Check for subdomains if getpwuid or getgrgid are the first requests * Allow extdom exop to return flat domain name as well Thorsten Scherf (1): * Fixed: translation bug Yuri Chornoivan (1): * Fix typos

11 years, 6 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

sssd-devel October 2012