user and group precedence issue
by Olivier
> (without the n :-)
Ooops :)
> sssd cares only about what exists in ldap to date.
Ooops again
> If you look at the ldap tree on its own you see an
> "unknown" user name as member of a group.
Ok, I see the logic now (although I'm not completely
convinced from a practical point of view, to be honest:
a user name could be defined somewhere else, in a
referral LDAP for example. In that case, should it be an
overall group consistency problem if a memberUid was
unknown because a referral server is not accessible?).
Anyway, thank you so much for your responses Simo
and Stephen: I'll adapt my view to what is possible then :-)
Kindest,
---
Olivier
2012/3/14 Simo Sorce <simo(a)redhat.com>:
> On Wed, 2012-03-14 at 19:51 +0100, Olivier wrote:
>> Simon,
>
> (without the n :-)
>
>> that's where I don't catch ( sorry) :
>>
>> > You are asking it to know about "unknown" users
>>
>> If you say in nsswitch.conf :
>>
>> passwd: local sss
>> group: sss local
>>
>> Then sss should know about users that are in local
>> /etc/passwd and may retrieve their groups in ldap ?
>
> No, sssd is blissfully unaware of what you have in /etc/passwd
> or /etc/group, sssd cares only about what exists in ldap to date.
>
>> Why would that be inconsistent not to insert users
>> entries in ldap in that situation ?
>
> Because in the ldap server there is no corresponding user. If you look
> at the ldap tree on its own you see an "unknown" user name as member of
> a group.
>
>> BTW, I don't think that ldap requires that an entry exists
>> for a posixgroup memberuid ?
>
> No the rfc2307 schema does not mandate consistency (the rfc2307bis
> schema does mandate it due to use of DNs instead of simple names).
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
> _______________________________________________
> sssd-devel mailing list
> sssd-devel(a)lists.fedorahosted.org
> https://fedorahosted.org/mailman/listinfo/sssd-devel
12 years, 1 month
user and group precedence issue
by Olivier
Hello,
I have configured redhat (6 and 5) boxes to authenticate users
over an openldap server via sssd. I have implemented a policy
so that "Systems" accounts ( uid > 500 ) are not in ldap but
authenticated over the local password db.
My ldap directory also contains posixgroups that I use to
tune some accesses ( using /etc/security/access.conf ).
I have added this in my nsswitch.conf :
passwd: files sss
shadow: files sss
group: sss files
I have configured sss as a primary source of information
for groups, because I would like pam to take into account
both groups that are declared in ldap and those that are
locally configured (even for system accounts that don't have
any entry in ldap).
The problem I'm facing is that ldap groups for a user are only
considered if the user itself has an entry in ldap ( except if
the user is declared as having an ldap group as primary in
/etc/passwd ).
Here is an example :
If I have this in /etc/passwd :
ntp:x:38:38::/etc/ntp:/sbin/sh
This in /etc/group
ntp:x:38:
And this group in ldap :
dn: cn=sysgrp,ou=group,dc=example,dc=fr
cn: sysgrp
gidnumber: 18010
memberuid: ntp
memberuid: wheel
memberuid: ldap
objectclass: posixGroup
Then "su - ntp -c groups" returns only the "ntp" group, not "sysgrp":
$ su - ntp -c groups
ntp
If I create a user entry for "ntp" in ldap directory, then it works :
# Entry :
dn: uid=ntp,ou=sysaccounts,ou=people,dc=example,dc=fr
cn: ntp
gidnumber: 18010
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: posixAccount
uid: ntp
uidnumber: 38
...
I have then what I want on the client machine :
$ su - ntp -c groups
ntp sysgrp
I don't want to maintain a DIT in ldap to list system accounts,
I would only like to maintain a posix group entry that lists system
accounts ( and match if the system account exist on the client ).
Is there any way to do that ?
May be someone could help me or indicate a documentation or
a mailing list that I could try to consult to deal with that problem ?
Thanks,
---
Olivier
12 years, 1 month
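The thread above turns on one point: with the rfc2307 schema a posixGroup's memberUid is a bare name that nothing forces to match an existing posixAccount, and sssd only attaches LDAP group memberships to users it can find in LDAP. An administrator in Olivier's position therefore wants two checks before relying on such groups: which memberUid values name no LDAP user (and whether they are at least local accounts on the client), and which memberships sssd would actually report under the rule Simo describes. The script below is an added example, not code from the sssd project or from anyone in the thread. The LDIF and passwd fragments are constructed from the sysgrp and ntp entries in the original post (the "ldap" user entry is an assumption added so that one member resolves), and `sssd_visible_groups` is a deliberately simplified model of the behaviour stated in the thread (memberUid-based membership only, no primary-gid handling), not sssd's real lookup code.

```python
"""Audit rfc2307 posixGroup memberUid values for dangling members.

Added example (not part of the sssd project): parses a small LDIF
fragment, collects the uid values of posixAccount entries and reports
every memberUid that names no LDAP user, distinguishing members that
exist only in a local /etc/passwd (system accounts, as in the thread)
from members that exist nowhere.  Sample data is constructed.
"""
from __future__ import annotations

import base64
from collections import defaultdict

# Constructed sample: the group from the original post plus one assumed
# LDAP user ("ldap") so that a resolvable member is present.
SAMPLE_LDIF = """\
dn: cn=sysgrp,ou=group,dc=example,dc=fr
cn: sysgrp
gidnumber: 18010
memberuid: ntp
memberuid: wheel
memberuid: ldap
objectclass: posixGroup

dn: uid=ldap,ou=people,dc=example,dc=fr
uid: ldap
uidnumber: 10001
gidnumber: 18010
objectclass: posixAccount
"""

# Constructed sample of the client's local password database.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/sh
"""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Parse LDIF into a list of entries: {attribute(lowercase): [values]}.

    Handles blank-line separated entries, folded continuation lines
    (leading space), comments and base64 values ("attr:: ...").
    """
    unfolded: list[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of previous line
        else:
            unfolded.append(line)

    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] | None = None
    for line in unfolded:
        if not line.strip():                 # blank line ends an entry
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if current is None:
            current = defaultdict(list)
        current[attr.strip().lower()].append(value.strip())
    if current:
        entries.append(current)
    return entries


def _has_objectclass(entry: dict[str, list[str]], name: str) -> bool:
    return name.lower() in {v.lower() for v in entry.get("objectclass", [])}


def ldap_users(entries) -> set[str]:
    """uid values of every posixAccount entry."""
    return {e["uid"][0] for e in entries
            if _has_objectclass(e, "posixAccount") and e.get("uid")}


def local_users(passwd_text: str) -> set[str]:
    """User names from an /etc/passwd-style text."""
    return {line.split(":")[0] for line in passwd_text.splitlines()
            if line.strip() and not line.startswith("#")}


def dangling_members(entries, passwd_text: str = "") -> dict[str, dict[str, list[str]]]:
    """For each posixGroup, list memberUid values that match no LDAP user.

    "local" members exist in the supplied passwd text (the thread's system
    accounts); "unknown" members exist in neither source.
    """
    in_ldap, in_local = ldap_users(entries), local_users(passwd_text)
    report: dict[str, dict[str, list[str]]] = {}
    for e in entries:
        if not _has_objectclass(e, "posixGroup"):
            continue
        local, unknown = [], []
        for member in e.get("memberuid", []):
            if member in in_ldap:
                continue
            (local if member in in_local else unknown).append(member)
        if local or unknown:
            report[e["cn"][0]] = {"local": local, "unknown": unknown}
    return report


def sssd_visible_groups(user: str, entries) -> set[str]:
    """Model of the rule stated in the thread (assumption, not sssd code):
    LDAP memberUid memberships count only for users that exist in LDAP."""
    if user not in ldap_users(entries):
        return set()
    return {e["cn"][0] for e in entries
            if _has_objectclass(e, "posixGroup") and user in e.get("memberuid", [])}


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    for group, info in dangling_members(ents, SAMPLE_PASSWD).items():
        print(f"{group}: local-only={info['local']} unknown={info['unknown']}")
    for name in ("ntp", "ldap"):
        print(f"{name} -> {sorted(sssd_visible_groups(name, ents))}")
```

Against real data, feed the script the output of an ldapsearch over the group and people subtrees and the client's /etc/passwd; every entry under "unknown" is exactly the kind of inconsistency Simo points out, and every entry under "local" is a system account whose LDAP membership the client will not see unless a matching posixAccount is created.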
[PATCH] LDAP: Add AD 2008r2 schema
by Stephen Gallagher
Fixes https://fedorahosted.org/sssd/ticket/1031
This patch creates a set of schema defaults that corresponds to Active
Directory 2008r2. It can be set up simply by specifying
ldap_schema = AD
Operationally, it behaves like any other RFC2307bis server at this time.
This patch does not remove the requirement for SFU/SUA support in Active
Directory. More enhancements will follow to add support for AD-specific
features.
12 years, 1 month
Announcing SSSD 1.8.1
by Stephen Gallagher
The SSSD team is proud to announce the bugfix release of the System
Security Services Daemon version 1.8.1
As usual, the source can be downloaded at https://fedorahosted.org/sssd
Packages for Fedora will be built later today and should appear in
updates-testing within two days.
== Highlights ==
* Resolve issue where we could enter an infinite loop trying to connect
to an auth server
* Fix serious issue with complex (3+ levels) nested groups
* Fix netgroup support for case-insensitivity and aliases
* Fix serious issue with lookup bundling resulting in requests never
completing
* IPA provider will now check the value of nsAccountLock during
pam_acct_mgmt in addition to pam_authenticate
* Fix several regressions in the proxy provider
== Detailed Changelog ==
Jakub Hrozek (12):
* Use proper errno code
* Only do one cycle when resolving a server
* krb5_child: set debugging sooner
* Search netgroups by alias, too
* Detect cycle in the fail over on subsequent resolve requests only
* Autofs: operate on contents of double-pointer, not address
* Only free returned values on success
* Save original name into the in-memory cache
* Handle errors from lookup_netgr_step gracefully
* Fix nested groups processing
* Fix netgroup error handling
* Handle empty elements in proxy netgroups
Jan Cholasta (1):
* Include missing source files to the list of source files which
contain translatable strings
Jan Zeleny (5):
* Fix the script path
* Fixed uninitialized pointer in SSH known host proxy
* Fixed uninitialized pointer in SSH authorized keys client
* Add umask before mkstemp() call in SSH responder
* Fixed resource leak in ssh client code
Pavel Březina (6):
* Hide --debug option in sss_debuglevel
* Two memory leaks in sss_sudo_get_values
* Missing debug message if sdap_sudo_refresh_set_timer fails
* Use of uninitialized value in sudosrv_cache_set_entry and
sudosrv_cache_lookup_internal
* Use of uninitialized value in sss_sudo_parse_response
* Potential NULL-dereference in sudosrv_cmd_get_sudorules
Simo Sorce (1):
* Use the correct hash table for pending requests
Stephen Gallagher (20):
* Bump version to 1.8.1
* Fix typo in autofs option description
* Include the debug_level upgrade tool in the tarball
* Include new manpages in translations
* Updating translations for SSSD 1.8.1
* Fix typo in script name
* Handle cases where UID is -1
* IPA: Set the DNS discovery domain to match ipa_domain
* IPA: Fix segfault with srchost functionality enabled
* DP: Reorganize memory hierarchy of requests
* Prune python provides correctly
* Make RPM spec more explicit
* Build experimental features by default in RPMs
* Properly terminate GIT_CHECKOUT
* LDAP: Make sdap_access_send/recv public
* IPA: Check nsAccountLock during PAM_ACCT_MGMT
* PROXY: Create fake user entries for group lookups
* SSH: Fix missing semicolon
* IPA: Initialize hbac_ctx to NULL
* i18n: Remove empty translations
Yuri Chornoivan (1):
* fix typos in manual
12 years, 1 month
[PATCH] Fix validation errors in translations
by Stephen Gallagher
This patch corrects some validation errors resulting in translation
files not being output (the build system would just detect the error and
scrap the translation for these languages).
12 years, 1 month
building sssd-1.8.0 on RHEL6
by Moritz Baumann
Hi there,
is it safe to pick the rawhide sssd-1.8.0-6.fc18.src.rpm,
change ldb_version to
%global ldb_version 0.9.10
and fix the
RPM build errors:
File must begin with "/": %{_unitdir}/sssd.service
Or do I have to build the newer ldb version (1.1.4)?
We are running into timeout problems with sssd lookups and would like to
test the new sssd version to see if this improves things.
Or is there somewhere an official sssd-1.8.0 in some fasttrack channel?
Best,
Moritz Baumann
12 years, 1 month
[PATCH] Two proxy netgroups fixes
by Jakub Hrozek
Hi,
attached are two patches for issues I found in the proxy netgroups code.
[PATCH 1/2] Fix netgroup error handling
https://fedorahosted.org/sssd/ticket/1242
The patch improves error handling, and, most importantly, deletes any
netgroup that might be in the cache if the search did not yield any
results. There's one catch, though. During my testing with
nss-pam-ldapd, all the NSS operations returned NSS_STATUS_SUCCESS and an
empty "struct __netgrent" structure for cases when the netgroup existed
and when the netgroup existed but had no nisNetgroupTriple attributes.
This may be a nss-pam-ldapd bug, though. Is there any other back end
that could be used to test? I'd like to avoid setting up NIS :-)
[PATCH 2/2] Handle empty elements in proxy netgroups
The make_netgroup_attr() function did not check for NULL elements of
netgroup triples and could print literal "(null)" into the triple
element in the nice case and crash in the worse case.
12 years, 1 month