[PATCH] Consolidation of functions that make realm upper-case
by Ondrej Kos
https://fedorahosted.org/sssd/ticket/1491
I prepared a function *get_uppercase_realm*, accessible through
src/util/util.h, which returns an uppercase realm string. If a whole principal
is passed, it transforms only the part after the '@' character. Multiple
uses of *toupper* have been replaced and modified to use the new
function.
Ondrej
--
Ondrej Kos
Associate Software Engineer
Identity Management
Red Hat Czech
cell: +420-736-417-909
phone: +420-532-294-558
ext.: 82-62558
irc: okos @ #brno
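As an added example (not the patch's own code), the function below implements the behaviour described in the message: a bare realm is upper-cased whole, while for a full principal only the part after '@' changes. The name upper_realm_copy is this example's choice, not the patch's get_uppercase_realm, and the helper upper_realm_matches exists only to make checks convenient.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Return a newly allocated copy of `input` with the Kerberos realm in
 * upper case. If `input` is a full principal (name@realm), only the text
 * after the last '@' is changed, so the case-sensitive name component is
 * left intact; a bare realm (no '@') is upper-cased as a whole. Returns
 * NULL when `input` is NULL or allocation fails. The caller frees it. */
char *upper_realm_copy(const char *input)
{
    if (input == NULL) {
        return NULL;
    }
    size_t len = strlen(input);
    char *out = malloc(len + 1);
    if (out == NULL) {
        return NULL;
    }
    memcpy(out, input, len + 1);

    /* Split at the last '@': a name component may carry an escaped "\@",
     * whereas the realm never contains one (assumption of this example). */
    const char *at = strrchr(input, '@');
    size_t start = (at != NULL) ? (size_t)(at - input) + 1 : 0;
    for (size_t i = start; i < len; i++) {
        out[i] = (char)toupper((unsigned char)out[i]);
    }
    return out;
}

/* Helper for checks and tests: 1 if upper-casing `input` yields `expected`. */
int upper_realm_matches(const char *input, const char *expected)
{
    char *got = upper_realm_copy(input);
    int same = (got != NULL) && strcmp(got, expected) == 0;
    free(got);
    return same;
}
```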
message "Could not reconnect to LDAP provider"
by Franky Van Liedekerke
Hi,
I just had a weird situation: one of my servers suddenly no longer
allowed me to log in (pam auth via sssd).
Looking in the log for sssd, I had this message once every minute:
[sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to LDAP
provider.
Also, "getent passwd" no longer showed any ldap users.
Everything seemed correct, also the ldap servers, so I just restarted
the sssd daemon and all was well again.
Shouldn't the retry options of sssd just do that?
I have this as sssd config (obfuscated a bit):
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = LDAP
[nss]
filter_groups = root
filter_users = root,ldap,named,avahi,haldaemon,messagebus,dbus,vcsa,ntp
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_access_filter = memberOf=xxxx
ldap_uri = ldap://host1, ldap://host2
ldap_search_base = xxxxx
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_search_timeout = 5
cache_credentials = true
enumerate = true
entry_cache_timeout = 5400
Any tips on how to prevent needing to restart sssd?
Franky
realmd: Faster discovery, generic kerberos discovery
by Stef Walter
Some more patches for realmd.
The first patch is one that makes the discovery of kerberos realms much
faster:
https://bugs.freedesktop.org/show_bug.cgi?id=53956
In particular, discovery of IPA is harder to do in a fixed amount of
time. We actually try to connect to the server to retrieve its
certificate, and this can block for a long time given a firewall. This
was slowing down discovery of non-IPA domains.
So the patches at the above bug integrate the discovery into a single
class, which discovers everything about a server all at once. It does
IPA server discovery in parallel and limits the initial connection attempt to 5
seconds. If the server is discovered as being AD, then we short-circuit IPA
discovery.
Also another patch, which enables discovery of generic kerberos realms:
https://bugs.freedesktop.org/show_bug.cgi?id=53958
We can't actually enroll in generic kerberos realms, but discovery is
nice to have. gnome-online-accounts wants to use this feature.
Any review, sanity checking, or testing is super appreciated.
Cheers,
Stef
login issue with sssd and krb5
by Derek Page
Hi Devs,
I am seeing an issue with sssd-1.8.0-32.el6.x86_64
Issue description.
Password authentication does not work. However I can su to the user.
Here is what I see in the krb5_child log when I try to log in.
(Tue Aug 21 16:04:33 2012) [[sssd[krb5_child[5088]]]]
[krb5_child_setup] (0x1000): Cannot read
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Tue Aug 21 16:04:33 2012) [[sssd[krb5_child[5088]]]]
[krb5_child_setup] (0x1000): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Tue Aug 21 16:04:33 2012) [[sssd[krb5_child[5088]]]]
[krb5_child_setup] (0x4000): Not using FAST.
(Tue Aug 21 16:04:33 2012) [[sssd[krb5_child[5088]]]] [validate_tgt]
(0x4000): Found keytab entry with the realm of the credential.
(Tue Aug 21 16:04:34 2012) [[sssd[krb5_child[5088]]]] [validate_tgt]
(0x0200): TGT verified using key for
[host/m4app01.my.domain.com@MY.DOMAIN.COM].
(Tue Aug 21 16:04:34 2012) [[sssd[krb5_child[5088]]]] [become_user]
(0x4000): Trying to become user [1416][80].
(Tue Aug 21 16:04:34 2012) [[sssd[krb5_child[5088]]]]
[create_ccache_file] (0x0020): mkstemp failed [13][Permission denied].
(Tue Aug 21 16:04:34 2012) [[sssd[krb5_child[5088]]]]
[get_and_save_tgt] (0x0020): 688: [13][Permission denied]
(Tue Aug 21 16:04:34 2012) [[sssd[krb5_child[5088]]]] [tgt_req_child]
(0x0020): 919: [13][Permission denied]
Here is what I see in the ldap_child log when I try to log in.
(Tue Aug 21 16:11:29 2012) [[sssd[ldap_child[5167]]]] [unpack_buffer]
(0x1000): total buffer size: 69
(Tue Aug 21 16:11:29 2012) [[sssd[ldap_child[5167]]]] [unpack_buffer]
(0x1000): realm_str size: 22
(Tue Aug 21 16:11:29 2012) [[sssd[ldap_child[5167]]]] [unpack_buffer]
(0x1000): got realm_str: MY.DOMAIN.COM
(Tue Aug 21 16:11:29 2012) [[sssd[ldap_child[5167]]]] [unpack_buffer]
(0x1000): princ_str size: 31
(Tue Aug 21 16:11:29 2012) [[sssd[ldap_child[5167]]]] [unpack_buffer]
(0x1000): got princ_str: M4APP01$@MY.DOMAIN.COM
(Tue Aug 21 16:11:29 2012) [[sssd[ldap_child[5167]]]] [unpack_buffer]
(0x1000): keytab_name size: 0
(Tue Aug 21 16:11:29 2012) [[sssd[ldap_child[5167]]]] [unpack_buffer]
(0x1000): lifetime: 86400
(Tue Aug 21 16:11:29 2012) [[sssd[ldap_child[5167]]]]
[ldap_child_get_tgt_sync] (0x0100): Principal name is:
[M4APP01$@MY.DOMAIN.COM]
Here is what I see in the sssd_my.domain.log when I try to log in.
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[sysdb_get_direct_parents] (0x1000): dpage is a member of 19 sysdb
groups
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[save_rfc2307bis_user_memberships] (0x2000): Updating memberships for
dpage
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [ldb] (0x4000):
start ldb transaction (nesting: 2)
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [ldb] (0x4000):
commit ldb transaction (nesting: 2)
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [ldb] (0x4000):
commit ldb transaction (nesting: 1)
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [ldb] (0x4000):
commit ldb transaction (nesting: 0)
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[sdap_get_initgr_done] (0x4000): Initgroups done
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[sdap_id_op_connect_step] (0x4000): reusing cached connection
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[sdap_id_op_destroy] (0x4000): releasing operation connection
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [sdap_id_op_done]
(0x4000): releasing operation connection
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[sdap_process_result] (0x2000): Trace: sh[0xc4e580], connected[1],
ops[(nil)], ldap[0xc4bfa0]
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [sbus_dispatch]
(0x4000): dbus conn: C3A630
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [sbus_dispatch]
(0x4000): Dispatching.
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[sbus_message_handler] (0x4000): Received SBUS method [pamHandler]
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [be_pam_handler]
(0x0100): Got request with the following data
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data]
(0x0100): command: PAM_AUTHENTICATE
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data]
(0x0100): domain: my.domain.com
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data]
(0x0100): user: dpage
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data]
(0x0100): service: sshd
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data]
(0x0100): tty: ssh
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data]
(0x0100): ruser:
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data]
(0x0100): rhost: 10.0.30.102
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data]
(0x0100): authtok type: 1
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data]
(0x0100): authtok size: 9
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data]
(0x0100): newauthtok size: 0
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data]
(0x0100): priv: 1
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data]
(0x0100): cli_pid: 5232
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[krb5_pam_handler] (0x1000): Wait queue of user [dpage] is empty,
running request immediately.
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [ldb] (0x4000):
tevent: Added timed event "ltdb_callback": 0xce8a60
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [ldb] (0x4000):
tevent: Added timed event "ltdb_timeout": 0xcdb4a0
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [ldb] (0x4000):
tevent: Destroying timer event 0xcdb4a0 "ltdb_timeout"
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [ldb] (0x4000):
tevent: Ending timer event 0xce8a60 "ltdb_callback"
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [krb5_auth_send]
(0x0100): No ccache file for user [dpage] found.
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [krb5_auth_send]
(0x4000): Ccache_file is [not set] and is not active and TGT is not
valid.
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service
'KERBEROS'
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[get_server_status] (0x1000): Status of server 'ad2.my.domain.com' is
'name resolved'
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [get_port_status]
(0x1000): Port status of port 88 for server 'ad2.my.domain.com' is
'neutral'
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to
10 seconds
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[resolve_srv_send] (0x0400): The status of SRV lookup is resolved
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[get_server_status] (0x1000): Status of server 'ad2.my.domain.com' is
'name resolved'
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[be_resolve_server_done] (0x1000): Saving the first resolved server
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[be_resolve_server_done] (0x0200): Found address for server
ad2.my.domain.com: [10.0.0.201] TTL 3600
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service
'KPASSWD'
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[get_server_status] (0x1000): Status of server 'ad2.my.domain.com' is
'name resolved'
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [get_port_status]
(0x1000): Port status of port 464 for server 'ad2.my.domain.com' is
'neutral'
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to
10 seconds
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[resolve_srv_send] (0x0400): The status of SRV lookup is resolved
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[get_server_status] (0x1000): Status of server 'ad2.my.domain.com' is
'name resolved'
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[be_resolve_server_done] (0x1000): Saving the first resolved server
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[be_resolve_server_done] (0x0200): Found address for server
ad2.my.domain.com: [10.0.0.201] TTL 3600
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[krb5_find_ccache_step] (0x4000): Recreating ccache file.
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[create_ccache_dir] (0x4000): Ccache directory name
[/tmp/krb5cc_1416_XXXXXX] does not contain illegal patterns.
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[child_handler_setup] (0x2000): Setting up signal handler up for pid
[5240]
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[child_handler_setup] (0x2000): Signal handler set up for pid [5240]
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[write_pipe_handler] (0x0400): All data has been sent!
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[read_pipe_handler] (0x0400): EOF received, client finished
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [krb5_child_done]
(0x4000): child response [4][1][18].
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [krb5_child_done]
(0x4000): child response [4][6][8].
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[check_wait_queue] (0x1000): Wait queue for user [dpage] is empty.
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>)
[Success]
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[be_pam_handler_callback] (0x0100): Sending result [4][my.domain.com]
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[be_pam_handler_callback] (0x0100): Sent result [4][my.domain.com]
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[child_sig_handler] (0x1000): Waiting for child [5240].
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[child_sig_handler] (0x0100): child [5240] finished successfully.
(Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]]
[sss_child_handler] (0x2000): waitpid failed [10]: No child processes
Any suggestions?
Here are my configs.
#/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
MY.DOMAIN.COM = {
kdc = ad.my.domain.com:88
admin_server = ad.my.domain.com
default_domain = my.domain.com
}
[domain_realm]
.my.domain.com = MY.DOMAIN.COM
my.domain.com = MY.DOMAIN.COM
#/etc/sssd/sssd.conf
[domain/default]
cache_credentials = false
[sssd]
config_file_version = 2
domains = my.domain.com
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/my.domain.com]
cache_credentials = false
enumerate = false
min_id = 80
max_id = 30000
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ad3.my.domain.com/
ldap_schema = rfc2307bis
ldap_user_search_base = dc=my,dc=domain,dc=com
ldap_user_object_class = person
ldap_user_modify_timestamp = whenChanged
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_search_base = dc=my,dc=domain,dc=com
ldap_group_object_class = group
ldap_group_modify_timestamp = whenChanged
ldap_group_nesting_level = 5
ldap_account_expire_policy = ad
ldap_sasl_authid = M4DEPLOY01$@MY.DOMAIN.COM
ldap_krb5_init_creds = true
ldap_pwd_policy = mit_kerberos
chpass_provider = krb5
ldap_sasl_mech = GSSAPI
krb5_realm = MY.DOMAIN.COM
krb5_validate = true
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber
ldap_force_upper_case_realm = true
ldap_referrals = false
# User Group and Account Access
access_provider = simple
#simple_allow_users =
simple_allow_groups = m4_login
debug_level = 10
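The krb5_child log above ends with mkstemp failing with [13][Permission denied] right after "Trying to become user [1416][80]". As an added diagnostic (not sssd's code), the function below repeats just that step in isolation, assuming the same order of operations: fork, drop to the given uid/gid, attempt mkstemp on the ccache template, and return the errno the child hit. The function name and the template path are this example's own choices; the probe runs unprivileged when the target uid/gid are the caller's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Probe whether uid/gid can create a credential cache from the mkstemp
 * template tmpl (e.g. "/tmp/krb5cc_1416_XXXXXX"), in the order the log
 * shows: drop privileges first, then mkstemp. Returns 0 when the file
 * could be created (it is removed again), the child's errno on failure
 * (EACCES, ENOENT, EPERM when the caller is not root, ...), or -1 if
 * the probe itself could not run. */
int probe_ccache_template(const char *tmpl, uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0) {
        return -1;
    }
    if (pid == 0) {
        /* Child. Group first: once the uid is unprivileged, setgid is
         * refused. Skip the calls when we already are that user/group
         * so the probe also works without root. */
        if (getgid() != gid && setgid(gid) != 0) _exit(errno);
        if (getuid() != uid && setuid(uid) != 0) _exit(errno);
        size_t len = strlen(tmpl);
        char *path = malloc(len + 1);      /* mkstemp rewrites XXXXXX */
        if (path == NULL) _exit(ENOMEM);
        memcpy(path, tmpl, len + 1);
        int fd = mkstemp(path);
        if (fd < 0) _exit(errno);
        close(fd);
        unlink(path);                      /* probe only, leave nothing */
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) {
        return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Run as root with the template and uid/gid from the log, e.g. probe_ccache_template("/tmp/krb5cc_1416_XXXXXX", 1416, 80), and pass a non-zero result to strerror() to see the same message krb5_child reported.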