SSSD GSSAPI Question
by Derek Page
Hi Devs,
I am using SSSD with kerberos with gssapi auth and it works really
well for our environment using AD for authentication.
I am not sure if this is an SSSD issue, but I thought I would ask since
I can't find a solution anywhere.
SSH'ing from system to system works great using GSSAPI, passing along
your Kerberos ticket. But it seems to only work with its FQDN or
short name.
The issue I have is we run virtual IPs with different A records that
point to services for our systems. When I SSH to one of these A
records, Kerberos/SSSD seems to reject any GSSAPI authentication that is
not direct, due to a reverse DNS mismatch.
I have disabled reverse rdns in kerberos.
I think this could also be the issue.
ldap_sasl_authid = M4DEPLOY01$@MY.DOMAIN.COM
Is there a way to tell sssd to accept anything?
Let me know if this is not an SSSD issue and I will leave you guys
alone. However, we really need this to work; otherwise I have to go back
to using SSH keys, which I really don't want to. I really like the
security of krb tickets.
rpm -qa | egrep 'sssd|krb'
sssd-client-1.8.0-32.el6.x86_64
sssd-1.8.0-32.el6.x86_64
krb5-devel-1.9-33.el6_3.3.x86_64
pam_krb5-2.3.11-9.el6.x86_64
krb5-libs-1.9-33.el6_3.3.x86_64
krb5-workstation-1.9-33.el6_3.3.x86_64
My sssd.conf
[domain/default]
cache_credentials = false
[sssd]
config_file_version = 2
domains = my.domain.com
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
[nss]
filter_groups = root, appl, mysql
filter_users = root, mirror, appl, mysql, bamboo, puppet
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/my.domain.com]
cache_credentials = true
enumerate = true
min_id = 80
max_id = 30000
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ad3.my.domain.com/,ldap://ad4.my.domain.com/,ldap://ad8.my.domain....
ldap_schema = rfc2307bis
ldap_user_search_base = <REMOVED FOR SECURITY>
ldap_user_object_class = person
ldap_user_modify_timestamp = whenChanged
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_search_base = OU=Security Groups,DC=skydive,DC=runwaynine,DC=com
ldap_group_object_class = group
ldap_group_modify_timestamp = whenChanged
ldap_group_nesting_level = 5
ldap_account_expire_policy = ad
ldap_sasl_authid = M4DEPLOY01$@MY.DOMAIN.COM
ldap_krb5_init_creds = true
ldap_pwd_policy = mit_kerberos
chpass_provider = krb5
ldap_sasl_mech = GSSAPI
krb5_realm = MY.DOMAIN.COM
krb5_validate = true
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber
ldap_force_upper_case_realm = true
ldap_referrals = false
# User Group and Account Access
access_provider = simple
simple_allow_groups = m4_login
My krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MY.DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
rdns = false
[realms]
MY.DOMAIN.COM = {
kdc = ad3.my.domain.com:88
kdc = ad4.my.domain.com:88
admin_server = ad3.my.domain.com
default_domain = my.domain.com
}
[domain_realm]
.my.domain.com = MY.DOMAIN.COM
my.domain.com = MY.DOMAIN.COM
krb5.conf on IPA server and SSSD setup
by Alexander Bokovoy
Hi!
I've been chasing a few bugs in FreeIPA's trusted domains support and
found some grave bugs in both SSSD and FreeIPA.
On the FreeIPA server side we configure krb5.conf using the following settings:
-------------------------------------------------
includedir /var/lib/sss/pubconf/krb5.include.d
[libdefaults]
...
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
...
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
--------------------------------------------------
Then SSSD generates files which contain the domain_realm mapping for trusted
domains in /var/lib/sss/pubconf/krb5.include.d, and libkrb5 will read them
as part of the krb5.conf sourcing.
A few problems here:
1. The KDC needs to know this mapping information in order to issue
referrals to the clients. There is a heuristic in libkrb5 that uses the
domain_realm mapping first and the default_realm value if the mapping didn't
catch the principal which was not found in the database.
2. krb5.conf is usually parsed by applications only on startup. The KDC is
not an exception, so any changes to krb5.conf would require restarting the
KDC if we want them to be noticed.
3. Adding a new trust therefore implies a KDC restart. It also implies that
SSSD should have updated the mapping, which is not necessarily true
time-wise.
As a result, operations like mapping trusted domain users via external
groups in IPA might fail, as the IPA code running on the IPA server needs to
contact the LDAP service at the trusted domain's Global Catalog using SASL
GSSAPI authentication. When the ticket is obtained, we don't explicitly
specify the realm of the service principal; it is constructed by the
underlying libldap/libsasl code.
If an explicit domain_realm mapping is in place on the client side (and here
the client is the server, as the request is issued from IPA httpd code), the
trusted domain's Global Catalog host will be automatically mapped to the
trusted domain realm. Otherwise the KDC will hint the client with a referral
to the proper KDC for the trusted domain realm.
This is the step that might fail if the trusted domain is a sub-domain of the
IPA domain, for example ad.example.com. In this case our explicit mapping
for example.com will prevail and requests will always be sent for a
principal in the EXAMPLE.COM realm.
More to that, since client and KDC are the same host, the KDC will use the
domain_realm mapping as well and hint the client with a referral to itself
(since .example.com = EXAMPLE.COM). Obtaining the ticket will fail again.
So, I was trying to solve this issue and got to the following setup
with Nalin's help:
1. Define the following settings in [libdefaults] of krb5.conf
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
realm_try_domains = 0
realm_try_domains = 0 forces libkrb5 to fall back to discovering the realm
from the domain of the host via DNS if there is no other explicit mapping.
2. Remove any explicit domain_realm mapping for our default realm, since
it will be implicitly generated from the default_realm value by the fallback
code anyway.
With these changes both the KDC and libkrb5 will be able to properly serve
both own-domain and trusted-domain requests. At some point SSSD will
kick in with its explicit mapping for the trusted domain realm. Still, the KDC
will not be able to see this mapping until restart, but in Krb5 1.12 we
are getting a new pluggable interface that will allow refreshing the KDC
configuration.
And here I'm coming to a grave error in the SSSD code: the name of the
explicit mapping file contains the non-filtered domain name, which contains
a dot. The krb5.conf manual page states that includedir allows sourcing all
files whose names are constructed from alphanumeric chars, dashes and
underscores.
Files with other characters are ignored. So dots, as in
domain_realm_example.com, are ignored and our mapping is never sourced.
For IDN domains we will also need to transform the name into its
Punycode (RFC 3492) to avoid breaking out of the alphanumeric space.
I'd suggest replacing dots with underscores.
The file name is irrelevant to libkrb5 after it has been read as part of
includedir processing, and the files are only written by SSSD.
--
/ Alexander Bokovoy
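The includedir name filter and the suggested fix, as an added example that is not SSSD's or libkrb5's code: it reimplements the rule the krb5.conf manual page states (alphanumerics, dashes and underscores only), builds the mapping file name with dots replaced by underscores and IDN labels converted to Punycode through Python's idna codec, and checks a constructed krb5.include.d directory to see which names would actually be sourced.

```python
import os
import re
import shutil
import tempfile

# Rule from the krb5.conf manual page quoted above: includedir sources only
# files whose names consist of alphanumeric characters, dashes and underscores.
INCLUDEDIR_NAME = re.compile(r"[A-Za-z0-9_-]+")


def includedir_accepts(filename):
    """True if libkrb5 (rule as documented for the 1.9/1.10 era) reads this file."""
    return INCLUDEDIR_NAME.fullmatch(filename) is not None


def mapping_filename(domain):
    """Build a domain_realm include file name that survives the filter.

    IDN labels become Punycode (RFC 3492, via Python's idna codec) and dots
    become underscores, the change the post suggests.
    """
    ascii_domain = domain.rstrip(".").encode("idna").decode("ascii")
    return "domain_realm_" + ascii_domain.replace(".", "_")


def sourced_files(include_dir):
    """Names in include_dir that libkrb5 would actually read, sorted."""
    return sorted(n for n in os.listdir(include_dir) if includedir_accepts(n))


def demo():
    """Constructed krb5.include.d: the dotted name (the bug) and an editor
    backup file are skipped; the underscore and Punycode names are sourced."""
    d = tempfile.mkdtemp(prefix="krb5.include.d-")
    try:
        for name in ("domain_realm_example.com",    # ignored: contains dots
                     "domain_realm_example_com~",   # ignored: editor backup
                     mapping_filename("example.com"),
                     mapping_filename("b\u00fccher.example")):  # bücher.example
            open(os.path.join(d, name), "w").close()
        return sourced_files(d)
    finally:
        shutil.rmtree(d)
```

Newer MIT releases additionally source files whose names end in ".conf"; the dots-to-underscores form is accepted by both the old and the new rule.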
Announcing SSSD 1.8.6
by Jakub Hrozek
=== SSSD 1.8.6 ===
The SSSD team is proud to announce the bugfix release of the System
Security Services Daemon version 1.8.6.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora shortly, this time for
F-16 and F-17 (before F-17 rebases to 1.9.4)
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* A security bug assigned CVE-2013-0219 was fixed - TOCTOU race conditions
when creating or removing home directories for users in local domain
* A security bug assigned CVE-2013-0220 was fixed - out-of-bounds reads
in autofs and ssh responder
* Handle servers that return an empty string as the value of namingContext,
in particular Novell eDirectory
* The netgroup midpoint cache refresh works as documented in the manual page
* The sssd_pam responder processes pending requests after reconnect
== Tickets Fixed ==
* https://fedorahosted.org/sssd/ticket/1542
User authentication using LDAP doesn't work
* https://fedorahosted.org/sssd/ticket/1581
sssd_be crashes while looking up users
* https://fedorahosted.org/sssd/ticket/1717
Limit requests coalescing in time
* https://fedorahosted.org/sssd/ticket/1683
arithmetic bug in the SSSD causes netgroup midpoint refresh to be always
set to 10 seconds
* https://fedorahosted.org/sssd/ticket/1655
Login fails - sssd_be module polling fd indefinitely and gets killed
* https://fedorahosted.org/sssd/ticket/1781
sssd: Out-of-bounds read flaws in autofs and ssh services responders
* https://fedorahosted.org/sssd/ticket/1528
SSSD_NSS failure to gracefully restart after sbus failure
* https://fedorahosted.org/sssd/ticket/1783
Group lookup fails and takes ~60s to return to shell if member dn is
incorrect
* https://fedorahosted.org/sssd/ticket/1782
TOCTOU race conditions by copying and removing directory trees
== Detailed Changelog ==
Jakub Hrozek (9):
* Updating the version for the 1.8.6 release
* Initialize Kerberos ticket renewal in the IPA provider
* LDAP: Check validity of naming_context
* Free the internal DP request
* Do not always return PAM_SYSTEM_ERR when offline krb5 authentication fails
* NSS: Fix netgroup midpoint cache refresh
* TOOLS: Use openat/unlinkat when removing the homedir
* TOOLS: Compile on old platforms such as RHEL5
* Include the auth_utils.h header in the distribution
Jan Cholasta (1):
* Check that strings do not go beyond the end of the packet body in
autofs and SSH requests.
Ondrej Kos (2):
* Restart services with a delay in case they are restarted too often
* TOOLS: Use file descriptor to avoid races when creating a home directory
Pavel Březina (1):
* nested groups: fix group lookup hangs if member dn is incorrect
Simo Sorce (2):
* responder_dp: Add timeout to side requests
* sssd_pam: Cleanup requests cache on sbus reconnect
Stephen Gallagher (1):
* LDAP: Handle empty namingContexts values safely
Timo Aaltonen (1):
* link sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy with -lpthread
[PATCH] Fix TOCTOU race conditions by copying and removing directory trees
by Jakub Hrozek
[PATCH 1/2] TOOLS: Use openat/unlinkat when removing the homedir
The removal of a home directory is sensitive to concurrent modification
of the directory tree being removed and can unlink files outside the
directory tree.
[PATCH 2/2] TOOLS: Use file descriptor to avoid races when creating a
home directory
When creating a home directory, the destination tree can be modified in
various ways while it is being constructed because directory permissions
are set before populating the directory. This can lead to file creation
and permission changes outside the target directory tree, using hard links.
https://fedorahosted.org/sssd/ticket/1782
This security problem was assigned CVE-2013-0219.
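The fd-relative removal the two patches describe, as an added example that is not SSSD's code: it assumes Python 3.7 or later on Linux (os.scandir on a directory fd and dir_fd support) and removes a tree using only lookups relative to descriptors it already holds, never following symlinks; the demo builds a constructed scratch tree in which a symlink inside the home directory points at a directory outside it and confirms that the symlink is unlinked rather than followed.

```python
import os
import stat
import tempfile

def remove_tree_at(dir_fd, name):
    """Delete entry `name` in the directory already open at `dir_fd`.
    All lookups are relative to an fd we hold and symlinks are never
    followed, so a subdirectory swapped for a symlink mid-walk is unlinked."""
    st = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
    if not stat.S_ISDIR(st.st_mode):
        os.unlink(name, dir_fd=dir_fd)  # regular files and symlinks alike
        return
    fd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
    try:
        fst = os.fstat(fd)  # confirm we opened the inode we just checked
        if (fst.st_dev, fst.st_ino) != (st.st_dev, st.st_ino):
            raise OSError(f"{name!r} changed between check and open")
        with os.scandir(fd) as entries:
            for entry in entries:
                remove_tree_at(fd, entry.name)
    finally:
        os.close(fd)
    os.rmdir(name, dir_fd=dir_fd)

def remove_home(path):
    """Remove the home directory at `path`, looked up relative to its parent."""
    parent, name = os.path.split(os.path.abspath(path))
    pfd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY)
    try:
        top = os.stat(name, dir_fd=pfd, follow_symlinks=False)
        if not stat.S_ISDIR(top.st_mode):  # e.g. the home dir swapped for a symlink
            raise NotADirectoryError(path)
        remove_tree_at(pfd, name)
    finally:
        os.close(pfd)

def demo():
    """Constructed case: the home dir holds a symlink to a directory outside
    it. Returns True when home is gone and the outside directory is intact."""
    base = tempfile.mkdtemp(prefix="sss-rm-")
    victim, home = os.path.join(base, "victim"), os.path.join(base, "home")
    os.makedirs(os.path.join(home, "sub"))
    os.mkdir(victim)
    open(os.path.join(victim, "keep"), "w").close()
    os.symlink(victim, os.path.join(home, "sub", "escape"))  # points outside
    remove_home(home)
    ok = not os.path.lexists(home) and os.path.exists(os.path.join(victim, "keep"))
    remove_home(base)  # scratch area cleanup
    return ok
```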
[PATCH] TOOLS: Compile on old platforms such as RHEL5
by Jakub Hrozek
The recent homedir creation patches broke compilation on RHEL5.
SSSD 1.10 is no longer supported on RHEL5, but 1.9.x is, and I know of
several users who actually run 1.9.x in production.
The attached patch provides compatible implementations for several
functions that are not available, fixing the RHEL5 build.