Trying to get id proxy to work
by Joshua C. Endries
Hello,
I'm trying to set sssd up so that I use a local passwd file for accounts and Kerberos for authentication, until AD is set up with the correct attributes (which will be a while). I have Kerberos working via krb5.conf, and LDAP sort of works via ldap.conf (except the important parts) but I will need to switch to SSSD eventually. I was hoping to get this going now with local accounts to make things easier down the road. This is on RHEL 5 right now. I'm hoping 6 isn't much different.
I'm having some trouble (shocker!) so my first question is: is this configuration possible?
My sssd.conf is pretty basic so far:
[sssd]
config_file_version = 2
domains = DEFAULT
services = nss, pam
[nss]
[pam]
[domain/DEFAULT]
auth_provider = krb5
id_provider = proxy
proxy_lib_name = files
krb5_server = kerberos.foo.com
krb5_realm = IT.FOO.COM
These are some of the errors I'm seeing:
[sssd[pam]] [sss_dp_get_reply] (4): Got reply (3, 19, Initgroups call not supported) from Data Provider
[sssd[pam]] [pam_check_user_dp_callback] (2): Unable to get information from Data Provider
[sssd[pam]] [pam_check_user_search] (4): Requesting info for [jce54@DEFAULT]
[pam_check_user_search] (2): No matching domain found for [jce54], fail!
sshd[6592]: pam_sss(sshd:auth): received for user jce54: 10 (User not known to the underlying authentication module)
This suggests to me that it's not talking with NSS somehow...
/etc/pam.d/system-auth:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
#auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
#account sufficient pam_ldap.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
#account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
#password sufficient pam_krb5.so use_authtok minimum_uid=1000
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session sufficient pam_sss.so
session required pam_unix.so
I read in one of the man pages I think that sssd will append the krb5_realm to the username if there isn't a domain there, and I'm logging in with jce54, so it *should* I think use jce54(a)IT.FOO.COM, but doesn't appear to do anything Kerberos-wise so maybe that's not an issue (yet).
Thanks,
Josh
11 years, 6 months
[INI] Assorted patches for ding-libs
by Dmitri Pal
Hello,
Here is a bunch of patches for review:
Patch 1:
The unit test was not correct. The paths to files used in the unit test
were wrong. It used function exec instead of system which is bad too.
It was hard to see what is going on so some more verbose output added.
The config files are now copied our of the ini.d directory. The
permission test is adjusted.
Patch 2:
Can be squashed into previous one but I decided against it as it is a
change in configure.am not in code.
Patch 1 does all the copying of the files used in the unit test so there
is no need to copy file at the configure stage.
Patch 3:
Couple convenience functions for the value object that turned out to be
missing
Patches 4-10 (big!!!):
Definition, implementation, unit tests and docs for the new INI
interface that uses value object instead of the bare strings.
There is a lot of code there but it is mostly inspired by existing
interface. It exists in parallel for the backward compatibility.
Old inteface is still built, just not advertised via the docs. It needs
couple more layers of polish before it can be called complete.
The new interface is mostly a copy of the old interface so no big
logical differences other than ability to have keys with multiple values
in the same file.
For example there is now a way to deal with case like this:
file=x1
file=x2
file=x3
and get all the values for key "file" one at a time.
Plans for the near future:
1) Finish the section merge - it is not complete but when it is this
interface will be completely functional. The goal to that during August.
2) Provide a patch for SSSD to switch to the new interface - for August too.
This is the moment when we can call it v1.
Longer term plans:
1) Add functions to create config file to the interface. Currently it is
a the processing/parsing part, but you can't easily construct the
configuration file, only read it.
2) Add validation as it was originally planned.
I will try to find the victim to do the long term changes as I do not
scale for this any more.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
11 years, 6 months
[PATCH] Make TTL configurable for dynamic dns
by James Hogarth
Hi all,
Following the discussion previously for #1476 attached is a patch to
current master that does the following:
1) If there is no value in sssd.conf it assumes a default of 1200 to
fall in line with the current IPA code
2) Adds a new option to sssd.conf - ipa_dyndns_ttl - which is an
integer in seconds for the TTL of the record
I've tested this on F17 with nothing set and with a few different
integers set and verified on IPA (via ipa dnsrecord-show --all) that
the TTL has been set correctly.
Comments would be most welcome :)
Kind regards,
James
11 years, 6 months
The master branch and sssd-1-9 have diverged
by Jakub Hrozek
Hi,
I've created a new branch sssd-1-9 in git. The patches targeted for any
of the 1.9.x milestones will be pushed to both sssd-1-9 and master as
would the fixes for serious bugs we find during the 1.10 development.
The patches intended for the 1.10 release will be pushed to master only.
As the "master" branch is now tracking the 1.10 development, so the version
(that is reflected in the ipa-devel repo) was set to 1.9.90.
11 years, 6 months
Announcing SSSD 1.9.2
by Jakub Hrozek
=== SSSD 1.9.2 ===
The SSSD team is proud to announce the release of version 1.9.2 of
the System Security Services Daemon.
This is mostly a bugfix release again. I am going to branch off the 1.9
branch from master so that we can start including the 1.10 features in
master.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora shortly, initially for F-18
and rawhide and later also backported to F-17.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel or
sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* Users or groups from trusted domains can be retrieved by UID or GID as well
* Several fixes that mitigate file descriptor leak during logins
* SSH host keys are also removed from the cache after being removed
from the server
* Fix intermittent crash in responders if the responder was shutting
down while requests were still pending
* Catch an error condition that might have caused a tight loop in the
sssd_nss process while refreshing expired enumeration request
* Fixed memory hierarchy of subdomains discovery requests that caused
use-after-free access bugs
* The krb5_child and ldap_child processes can print libkrb5 tracing
information in the debug logs
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1008
Make sssd api conf file location configurable
https://fedorahosted.org/sssd/ticket/1319
group lookups optimizations for IPA
https://fedorahosted.org/sssd/ticket/1499
Add details about TGT validation to sssd-krb5 man page
https://fedorahosted.org/sssd/ticket/1512
[sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist
https://fedorahosted.org/sssd/ticket/1514
[abrt] sssd-1.8.4-13.fc16: __GI_exit: Process /usr/libexec/sssd/sssd_pam was killed by signal 6 (SIGABRT)
https://fedorahosted.org/sssd/ticket/1539
Collect Krb5 Trace on High Debug Levels
https://fedorahosted.org/sssd/ticket/1551
sssd_nss process hangs, stuck in loop; "self restart" does recover, but old process hangs around using 100% CPU
https://fedorahosted.org/sssd/ticket/1561
getting user/group entry by uid/gid sometimes fails
https://fedorahosted.org/sssd/ticket/1569
Use pam_set_data to close the fd in the pam module
https://fedorahosted.org/sssd/ticket/1571
sssd_nss intermittent crash
https://fedorahosted.org/sssd/ticket/1574
SSH host keys are not being removed from the cache
== Packaging Changes ==
* The libsss_sudo-devel package no longer contains the package-config
file. The libsss_sudo-devel shared object has been moved to the
libsss_sudo package.
== Detailed Changelog ==
E Deon Lackey (1):
* Fix language errors in the sssd-krb5.conf man page
Jakub Hrozek (14):
* Bumping the version to 1.9.1 release
* Fix uninitialized pointer read in ssh_host_pubkeys_update_known_hosts
* Fix segfault when ID-mapping an entry without a SID
* Fix memory hierarchy in subdomains discovery
* PAM: close socket fd with pam_set_data
* Couple of specfile fixes
* Remove libsss_sudo.pc and move libsss_sudo.so to libsss_sudo
* Two fixes to child processes
* Collect krb5 trace on high debug levels
* PAM: fix handling the client fd in pam destructor
* Create ghost users when a user DN is encountered in IPA
* Only call krb5_set_trace_callback on platforms that support it
* MAN: improve wording of default_domain parameter
* Updating the translations for the 1.9.2 release
Jan Cholasta (1):
* SSH: When host keys are removed from LDAP, remove them from the
cache as well
Ondrej Kos (1):
* Add more info about ticket validation
Pavel Březina (3):
* do not fail if POLLHUP occurs while reading data
* do not call dp callbacks when responder is shutting down
* nss_cmd_retpwent(): do not go into infinite loop if n < 0
Sumit Bose (3):
* Save time of last get_domains request
* Check for subdomains if getpwuid or getgrgid are the first requests
* Allow extdom exop to return flat domain name as well
Thorsten Scherf (1):
* Fixed: translation bug
Yuri Chornoivan (1):
* Fix typos
11 years, 6 months