August 2012 - sssd-devel - Fedora Mailing-Lists

[PATCH] (2nd wave) Removing bad examples of usage of, sysdb_transaction_start/commit/end functions and making it, more consistent (all files except of src/db/sysdb_*.c)

by Michal Židek

This is the second and final patch to make the usage of sysdb_transaction_* functions more consistent. There is still one place in the code left, where it is not as it should be, but it is related to a separate ticket ( https://fedorahosted.org/sssd/ticket/1370 ) and should be done as a separate patch. The patch is attached. Thanks Michal

11 years, 8 months

3
7
0 / 0

[PATCH] Fix: IPv6 address with square brackets doesn't work.

by Michal Židek

https://fedorahosted.org/sssd/ticket/1365 Note: It affected not only krb5, but other providers as well. Patch is attached.

11 years, 8 months

3
4
0 / 0

[PATCH] delete entries with entryUSN > lastUSN when lastUSN changes

by Pavel Březina

https://fedorahosted.org/sssd/ticket/734 Patches 1 and 2 adds support sysdb functions. Patch 3 uses them to remove those entries.

11 years, 8 months

3
7
0 / 0

[PATCH] AD provider was crashing with inappropriate keytab

by Ondrej Kos

https://fedorahosted.org/sssd/ticket/1416 Fixed by wrap-up function re-used from the IPA provider Ondrej -- Ondrej Kos Associate Software Engineer Identity Management Red Hat Czech cell: +420-736-417-909 phone: +420-532-294-558 ext.: 82-62558 irc: okos @ #brno

11 years, 8 months

2
3
0 / 0

[PATCH] Consolidation of functions that make realm upper-case

by Ondrej Kos

https://fedorahosted.org/sssd/ticket/1491 I prepared function *get_uppercase_realm* accessible through src/util/util.h which returns uppercase realm string. If whole principal is passed, it transforms only the part after '@' character. Multiple uses of *toupper* have been replaced and modified to use mentioned new function. Ondrej -- Ondrej Kos Associate Software Engineer Identity Management Red Hat Czech cell: +420-736-417-909 phone: +420-532-294-558 ext.: 82-62558 irc: okos @ #brno

11 years, 8 months

2
7
0 / 0

message "Could not reconnect to LDAP provider"

by Franky Van Liedekerke

Hi, I just had a weird situation: one of my servers suddenly no longer allowed me to log in (pam auth via sssd). Looking in the log for sssd, I had this message once every minute: [sssd[pam]] [pam_dp_reconnect_init] (0): Could not reconnect to LDAP provider. Also, "getent passwd" no longer showed any ldap users. Everything seemed correct, also the ldap servers, so I just restarted the sssd daemon and all was well again. Shouldn't the retry options of sssd just do that? I have this as sssd config (obfuscated a bit): [sssd] config_file_version = 2 reconnection_retries = 3 sbus_timeout = 30 services = nss, pam domains = LDAP [nss] filter_groups = root filter_users = root,ldap,named,avahi,haldaemon,messagebus,dbus,vcsa,ntp reconnection_retries = 3 [pam] reconnection_retries = 3 [domain/LDAP] id_provider = ldap auth_provider = ldap access_provider = ldap ldap_access_filter = memberOf=xxxx ldap_uri = ldap://host1, ldap://host2 ldap_search_base = xxxxx ldap_tls_reqcert = demand ldap_tls_cacertdir = /etc/openldap/cacerts ldap_search_timeout = 5 cache_credentials = true enumerate = true entry_cache_timeout = 5400 Any tips on how to prevent needing to restart sssd? Franky

11 years, 8 months

2
3
0 / 0

realmd: Faster discovery, generic kerberos discovery

by Stef Walter

Some more patches for realmd. The first patch is one that makes the discovery of kerberos realms much faster: https://bugs.freedesktop.org/show_bug.cgi?id=53956 In particular discovery of IPA is harder to do in a fixed amount of time. We actually try to connect to the server to retrieve its certificate, and this can block for a long time given a firewall. This was slowing down discovery of non IPA domains. So the patches at the above bug, integrate the discovery into a single class, which discovers everything about a server all at once. It does IPA server in parallel and limits initial connection attempt to 5 seconds. If server is discovered as being AD, then we short-circuit IPA discovery. Also another patch, which enables discovery of generic kerberos realms: https://bugs.freedesktop.org/show_bug.cgi?id=53958 We can't actually enroll in generic kerberos realms, but discovery is nice to have. gnome-online-accounts wants to use this feature. Any review, sanity checking, or testing is super appreciated. Cheers, Stef

11 years, 8 months

1
0
0 / 0

realmd: Support enrolling in a specific OU

by Stef Walter

I've implemented support in realmd for enrolling in a specific OU when joining Active Directory. More details here in this bug: https://bugs.freedesktop.org/show_bug.cgi?id=53889 Anyone interested in reviewing or trying this feature out? I'd be happy to help you test it or get setup with realmd. Cheers, Stef

11 years, 8 months

1
0
0 / 0

login issue with sssd and krb5

by Derek Page

Hi Devs, I am seeing an issue with sssd-1.8.0-32.el6.x86_64 Issue description. Password authentication does not work. However I can su to the user. Here is what I see in the krb5_child log when I try to login. (Tue Aug 21 16:04:33 2012) [[sssd[krb5_child[5088]]]] [krb5_child_setup] (0x1000): Cannot read [SSSD_KRB5_RENEWABLE_LIFETIME] from environment. (Tue Aug 21 16:04:33 2012) [[sssd[krb5_child[5088]]]] [krb5_child_setup] (0x1000): Cannot read [SSSD_KRB5_LIFETIME] from environment. (Tue Aug 21 16:04:33 2012) [[sssd[krb5_child[5088]]]] [krb5_child_setup] (0x4000): Not using FAST. (Tue Aug 21 16:04:33 2012) [[sssd[krb5_child[5088]]]] [validate_tgt] (0x4000): Found keytab entry with the realm of the credential. (Tue Aug 21 16:04:34 2012) [[sssd[krb5_child[5088]]]] [validate_tgt] (0x0200): TGT verified using key for [host/m4app01.my.domain.com(a)MY.DOMAIN.COM]. (Tue Aug 21 16:04:34 2012) [[sssd[krb5_child[5088]]]] [become_user] (0x4000): Trying to become user [1416][80]. (Tue Aug 21 16:04:34 2012) [[sssd[krb5_child[5088]]]] [create_ccache_file] (0x0020): mkstemp failed [13][Permission denied]. (Tue Aug 21 16:04:34 2012) [[sssd[krb5_child[5088]]]] [get_and_save_tgt] (0x0020): 688: [13][Permission denied] (Tue Aug 21 16:04:34 2012) [[sssd[krb5_child[5088]]]] [tgt_req_child] (0x0020): 919: [13][Permission denied] Here is what i see in the ldap_chile log when I try to login. (Tue Aug 21 16:11:29 2012) [[sssd[ldap_child[5167]]]] [unpack_buffer] (0x1000): total buffer size: 69 (Tue Aug 21 16:11:29 2012) [[sssd[ldap_child[5167]]]] [unpack_buffer] (0x1000): realm_str size: 22 (Tue Aug 21 16:11:29 2012) [[sssd[ldap_child[5167]]]] [unpack_buffer] (0x1000): got realm_str: MY.DOMAIN.COM (Tue Aug 21 16:11:29 2012) [[sssd[ldap_child[5167]]]] [unpack_buffer] (0x1000): princ_str size: 31 (Tue Aug 21 16:11:29 2012) [[sssd[ldap_child[5167]]]] [unpack_buffer] (0x1000): got princ_str: M4APP01$(a)MY.DOMAIN.COM (Tue Aug 21 16:11:29 2012) [[sssd[ldap_child[5167]]]] [unpack_buffer] (0x1000): keytab_name size: 0 (Tue Aug 21 16:11:29 2012) [[sssd[ldap_child[5167]]]] [unpack_buffer] (0x1000): lifetime: 86400 (Tue Aug 21 16:11:29 2012) [[sssd[ldap_child[5167]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [M4APP01$(a)MY.DOMAIN.COM] Here is what i see in the sssd_my.domain.log when I try to login. (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [sysdb_get_direct_parents] (0x1000): dpage is a member of 19 sysdb groups (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [save_rfc2307bis_user_memberships] (0x2000): Updating memberships for dpage (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [ldb] (0x4000): start ldb transaction (nesting: 2) (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 1) (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [ldb] (0x4000): commit ldb transaction (nesting: 0) (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [sdap_get_initgr_done] (0x4000): Initgroups done (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [sdap_id_op_destroy] (0x4000): releasing operation connection (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [sdap_id_op_done] (0x4000): releasing operation connection (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [sdap_process_result] (0x2000): Trace: sh[0xc4e580], connected[1], ops[(nil)], ldap[0xc4bfa0] (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [sbus_dispatch] (0x4000): dbus conn: C3A630 (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [sbus_dispatch] (0x4000): Dispatching. (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [sbus_message_handler] (0x4000): Received SBUS method [pamHandler] (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [be_pam_handler] (0x0100): Got request with the following data (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data] (0x0100): domain: my.domain.com (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data] (0x0100): user: dpage (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data] (0x0100): service: sshd (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data] (0x0100): tty: ssh (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data] (0x0100): ruser: (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data] (0x0100): rhost: 10.0.30.102 (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data] (0x0100): authtok type: 1 (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data] (0x0100): authtok size: 9 (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data] (0x0100): newauthtok type: 0 (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data] (0x0100): newauthtok size: 0 (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data] (0x0100): priv: 1 (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [pam_print_data] (0x0100): cli_pid: 5232 (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [krb5_pam_handler] (0x1000): Wait queue of user [dpage] is empty, running request immediately. (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [ldb] (0x4000): tevent: Added timed event "ltdb_callback": 0xce8a60 (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [ldb] (0x4000): tevent: Added timed event "ltdb_timeout": 0xcdb4a0 (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [ldb] (0x4000): tevent: Destroying timer event 0xcdb4a0 "ltdb_timeout" (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [ldb] (0x4000): tevent: Ending timer event 0xce8a60 "ltdb_callback" (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [krb5_auth_send] (0x0100): No ccache file for user [dpage] found. (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [krb5_auth_send] (0x4000): Ccache_file is [not set] and is not active and TGT is not valid. (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KERBEROS' (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [get_server_status] (0x1000): Status of server 'ad2.my.domain.com' is 'name resolved' (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [get_port_status] (0x1000): Port status of port 88 for server 'ad2.my.domain.com' is 'neutral' (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [resolve_srv_send] (0x0400): The status of SRV lookup is resolved (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [get_server_status] (0x1000): Status of server 'ad2.my.domain.com' is 'name resolved' (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [be_resolve_server_done] (0x1000): Saving the first resolved server (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [be_resolve_server_done] (0x0200): Found address for server ad2.my.domain.com: [10.0.0.201] TTL 3600 (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'KPASSWD' (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [get_server_status] (0x1000): Status of server 'ad2.my.domain.com' is 'name resolved' (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [get_port_status] (0x1000): Port status of port 464 for server 'ad2.my.domain.com' is 'neutral' (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 10 seconds (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [resolve_srv_send] (0x0400): The status of SRV lookup is resolved (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [get_server_status] (0x1000): Status of server 'ad2.my.domain.com' is 'name resolved' (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [be_resolve_server_done] (0x1000): Saving the first resolved server (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [be_resolve_server_done] (0x0200): Found address for server ad2.my.domain.com: [10.0.0.201] TTL 3600 (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [krb5_find_ccache_step] (0x4000): Recreating ccache file. (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [create_ccache_dir] (0x4000): Ccache directory name [/tmp/krb5cc_1416_XXXXXX] does not contain illegal patterns. (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [5240] (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [5240] (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [write_pipe_handler] (0x0400): All data has been sent! (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [read_pipe_handler] (0x0400): EOF received, client finished (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [krb5_child_done] (0x4000): child response [4][1][18]. (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [krb5_child_done] (0x4000): child response [4][6][8]. (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [check_wait_queue] (0x1000): Wait queue for user [dpage] is empty. (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, <NULL>) [Success] (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [be_pam_handler_callback] (0x0100): Sending result [4][my.domain.com] (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [be_pam_handler_callback] (0x0100): Sent result [4][my.domain.com] (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [child_sig_handler] (0x1000): Waiting for child [5240]. (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [child_sig_handler] (0x0100): child [5240] finished successfully. (Tue Aug 21 16:17:18 2012) [sssd[be[my.domain.com]]] [sss_child_handler] (0x2000): waitpid failed [10]: No child processes Any suggestions? Here are my configs. #/etc/krb5.conf [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = MYDOMAIN.COM dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 [realms] MY.DOMAIN.COM = { kdc = ad.my.domain.com:88 admin_server = ad.my.domain.com default_domain = my.domain.com } [domain_realm] .my.domain.com = MY.DOMAIN.COM my.domain.com = MY.DOMAIN.COM #/etc/sssd/sssd.conf [domain/default] cache_credentials = fasle [sssd] config_file_version = 2 domains = my.domain.com reconnection_retries = 3 sbus_timeout = 30 services = nss, pam [nss] filter_groups = root filter_users = root reconnection_retries = 3 [pam] reconnection_retries = 3 [domain/my.domain.com] cache_credentials = false enumerate = false min_id = 80 max_id = 30000 id_provider = ldap auth_provider = krb5 ldap_uri = ldap://ad3.my.domain.com/ ldap_schema = rfc2307bis ldap_user_search_base = dc=my,dc=domain,dc=com ldap_user_object_class = person ldap_user_modify_timestamp = whenChanged ldap_user_home_directory = unixHomeDirectory ldap_user_shell = loginShell ldap_user_principal = userPrincipalName ldap_group_search_base = dc=my,dc=domain,dc=com ldap_group_object_class = group ldap_group_modify_timestamp = whenChanged ldap_group_nesting_level = 5 ldap_account_expire_policy = ad ldap_sasl_authid = M4DEPLOY01$(a)MY.DOMAIN.COM ldap_krb5_init_creds = true ldap_pwd_policy = mit_kerberos chpass_provider = krb5 ldap_sasl_mech = GSSAPI krb5_realm = MY.DOMAIN.COM krb5_validate = true ldap_user_name = sAMAccountName ldap_user_uid_number = uidNumber ldap_user_gid_number = gidNumber ldap_user_home_directory = unixHomeDirectory ldap_user_shell = loginShell ldap_user_principal = userPrincipalName ldap_group_object_class = group ldap_group_name = sAMAccountName ldap_group_gid_number = gidNumber ldap_force_upper_case_realm = true ldap_referrals = false # User Group and Account Access access_provider = simple #simple_allow_users = simple_allow_groups = m4_login debug_level = 10

11 years, 8 months

2
2
0 / 0

[PATCH] Fix alignment issues reported by clang

by Nick Guay

clang reports alignment warnings for SSSD.

11 years, 8 months

2
3
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

sssd-devel August 2012