[PATCH] Inherit ID limits of parent domains if set
by Jakub Hrozek
Hi,
the attached patch was tested by a customer running RHEL6. I'm not sure
if we should do any more checking when running on a modern system where
ranges can be better defined on the IPA side for example?
10 years, 5 months
auth.log error message: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
by Qing Chang
There was a thread on Aug 8, 2013 that was about this error; my situation is
a little different. This happens on Ubuntu 12.04 IPA clients, which automount
kerberized NFSv4.
I am led to believe that this error may be the cause of a weird problem that
users are able to login either per ssh or lightdm.
Open an ssh session, type in username and password, successful authentication
is logged in auth.log, but the session just hangs at the login prompt.
=====
Nov 13 09:52:33 murjo sshd[2746]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fish user=qchang
Nov 13 09:52:34 murjo sshd[2746]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=fish user=qchang
Nov 13 09:52:34 murjo sshd[2746]: Accepted password for qchang from port 33621 ssh2
Nov 13 09:52:34 murjo sshd[2746]: pam_unix(sshd:session): session opened for user qchang by (uid=0)
Nov 13 09:53:04 murjo sssd_be: canonuserfunc error -7
Nov 13 09:53:04 murjo sssd_be: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
Nov 13 09:57:23 murjo sshd[902]: Received signal 15; terminating.
Nov 13 09:57:23 murjo sshd[997]: Server listening on 0.0.0.0 port 22.
Nov 13 09:57:23 murjo sshd[997]: Server listening on :: port 22.
Nov 13 09:57:34 murjo lightdm: pam_unix(lightdm:session): session opened for user lightdm by (uid=0)
Nov 13 09:57:34 murjo lightdm: pam_ck_connector(lightdm:session): nox11 mode, ignoring PAM_TTY :0
Nov 13 09:57:35 murjo dbus[910]: [system] Rejected send message, 2 matched rules; type="method_call", sender=":1.16" (uid=104 pid=1554 comm="/usr/lib/indicator-datetime/indicator-datetime-ser") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination=":1.9" (uid=0 pid=1400 comm="/usr/sbin/console-kit-daemon --no-daemon ")
Nov 13 09:57:43 murjo automount[1725]: canonuserfunc error -7
Nov 13 09:57:43 murjo automount[1725]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
Nov 13 09:57:44 murjo automount[1725]: DIGEST-MD5 common mech free
Nov 13 09:57:44 murjo automount[1725]: canonuserfunc error -7
=====
It is probably because my home is not available at the time when auth.log says session
opened for me. I have no problem logging in as a local user ID with local home. Maybe SSSD
did not provide information for automount to make my home available? At the end,
after I run sudo ls -l /home as the local user, the ssh session came alive.
The strangest thing is this seems to happen randomly in terms of what host and what
time! I have a group of people on Ubuntu 12.04 calling me at different times every few
days and I have to try all kinds of things to get them back, the latest is that sudo ls -l
"trick", and I cannot tell them for sure what the problem is :-(
Note this _never_ happens on CentOS/RHEL clients. I know, I wish I could convert them...
Please help.
SSSD information:
=====
root@host:/var/log# aptitude show sssd
Package: sssd
State: installed
Automatically installed: yes
Version: 1.8.6-0ubuntu0.3
Priority: extra
Section: universe/utils
Maintainer: Ubuntu Core Developers <ubuntu-devel(a)lists.ubuntu.com>
Architecture: amd64
Uncompressed Size: 7,978 k
Depends: libc-ares2 (>= 1.7.0), libc6 (>= 2.14), libdbus-1-3 (>= 1.1.1), libdhash1, libini-config2, libipa-hbac0 (= 1.8.6-0ubuntu0.3), libk5crypto3 (>= 1.6.dfsg.2), libkrb5-3 (>= 1.9+dfsg~beta1), libldap-2.4-2 (>= 2.4.7), libldb1 (>= 0.9.21), libnspr4 (>= 1.8.0.10), libnss3 (>= 3.12.0~1.9b1), libpam0g (>= 0.99.7.1), libpcre3 (>= 8.10), libpopt0 (>= 1.14), libtalloc2 (>= 2.0.4~git20101213), libtdb1 (>= 1.2.7+git20101214), libtevent0 (>= 0.9.9), libunistring0, upstart-job, python, python-sss
PreDepends: multiarch-support
Recommends: ldap-utils, bind9-host, libnss-sss, libpam-sss, libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal, libsasl2-modules-ldap
Suggests: sssd-tools
Conflicts: sssd
Description: System Security Services Daemon
Provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward the system and a pluggable backend system to connect to multiple different account sources. It is also the basis to provide client auditing and policy services for projects like FreeIPA.
This package provides the daemon.
Homepage: https://fedorahosted.org/sssd/
=====
Thanks,
Qing Chang
10 years, 5 months
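A triage helper for the symptom described in the post above, as an added example that is not part of the original message or of SSSD: it lists PAM sessions that are followed shortly afterwards, on the same host, by the SASL ldapdb plugin-load failure. The sample lines are constructed after the posted excerpt; the 60-second window, the assumed year and all function names are assumptions, and a hit only shows proximity in time, not cause.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the auth.log excerpt in the post above.
SAMPLE = """\
Nov 13 09:52:34 murjo sshd[2746]: pam_sss(sshd:auth): authentication success; user=qchang
Nov 13 09:52:34 murjo sshd[2746]: pam_unix(sshd:session): session opened for user qchang by (uid=0)
Nov 13 09:53:04 murjo sssd_be: canonuserfunc error -7
Nov 13 09:53:04 murjo sssd_be: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
Nov 13 10:15:00 murjo sshd[3001]: pam_unix(sshd:session): session opened for user localadm by (uid=0)
Nov 13 11:40:10 murjo automount[1725]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^\[:\s]+)(?:\[\d+\])?: (.*)$")
OPENED = re.compile(r"pam_\w+\((\w+):session\): session opened for user (\S+)")
SASL_FAIL = "_sasl_plugin_load failed on sasl_canonuser_init"
DAEMONS = {"sssd_be", "automount"}  # processes that log the error in the excerpt


def parse(text, year=2000):
    """Yield (time, host, process, message); syslog omits the year, so one is assumed."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield when, m.group(2), m.group(3), m.group(4)


def sessions_followed_by_sasl_failure(text, window=timedelta(seconds=60)):
    """Return (user, service, failing_process, delay_seconds) for each PAM session
    followed on the same host by the SASL plugin-load failure within `window`."""
    events = list(parse(text))
    hits = []
    for i, (when, host, _proc, msg) in enumerate(events):
        opened = OPENED.search(msg)
        if not opened:
            continue
        for later, host2, proc2, msg2 in events[i + 1:]:
            if later - when > window:
                break  # log is chronological; nothing closer will follow
            if host2 == host and proc2 in DAEMONS and SASL_FAIL in msg2:
                delay = int((later - when).total_seconds())
                hits.append((opened.group(2), opened.group(1), proc2, delay))
                break
    return hits


if __name__ == "__main__":
    for hit in sessions_followed_by_sasl_failure(SAMPLE):
        print(hit)
```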
[PATCH] Remove unused variable
by Jakub Hrozek
The recent autofs patch added a warning. Sorry, I didn't see it before,
so I pushed the attached one-liner to master.
10 years, 5 months
[PATCH] build: fix ordering of linker flags
by Jan Engelhardt
Libraries MUST be specified in LDADD/LIBADD, not LDFLAGS, because
LDFLAGS appear earlier in the command line and library order is
significant.
---
Makefile.am | 69 ++++++++++++++++++++++++++++++++-----------------------------
1 file changed, 36 insertions(+), 33 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 2826596..e9bed47 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -539,8 +539,9 @@ pkglib_LTLIBRARIES += libsss_debug.la
libsss_debug_la_SOURCES = \
src/util/debug.c \
src/util/sss_log.c
+libsss_debug_la_LIBADD = \
+ $(SYSLOG_LIBS)
libsss_debug_la_LDFLAGS = \
- $(SYSLOG_LIBS) \
-avoid-version
pkglib_LTLIBRARIES += libsss_child.la
@@ -614,9 +615,10 @@ dist_pkgconfig_DATA += src/providers/ipa/ipa_hbac.pc
libipa_hbac_la_SOURCES = \
src/providers/ipa/hbac_evaluator.c \
src/util/sss_utf8.c
-libipa_hbac_la_LDFLAGS = \
- -version-info 0:1:0 \
+libipa_hbac_la_LIBADD = \
$(UNICODE_LIBS)
+libipa_hbac_la_LDFLAGS = \
+ -version-info 0:1:0
dist_pkgconfig_DATA += src/lib/idmap/sss_idmap.pc
libsss_idmap_la_SOURCES = \
@@ -631,8 +633,9 @@ libsss_nss_idmap_la_SOURCES = \
src/sss_client/idmap/sss_nss_idmap.c \
src/sss_client/common.c \
src/util/strtonum.c
+libsss_nss_idmap_la_LIBADD = \
+ $(CLIENT_LIBS)
libsss_nss_idmap_la_LDFLAGS = \
- $(CLIENT_LIBS) \
-version-info 0:1:0
include_HEADERS = \
@@ -786,12 +789,11 @@ sss_userdel_SOURCES = \
sss_userdel_LDADD = \
$(TOOLS_LIBS) \
$(SYSTEMD_LOGIN_LIBS) \
- $(SSSD_INTERNAL_LTLIBS)
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(CLIENT_LIBS)
sss_userdel_CFLAGS = \
$(AM_CFLAGS) \
$(SYSTEMD_LOGIN_CFLAGS)
-sss_userdel_LDFLAGS = \
- $(CLIENT_LIBS)
sss_groupadd_SOURCES = \
src/tools/sss_groupadd.c \
@@ -805,30 +807,27 @@ sss_groupdel_SOURCES = \
$(SSSD_LCL_TOOLS_OBJ)
sss_groupdel_LDADD = \
$(TOOLS_LIBS) \
- $(SSSD_INTERNAL_LTLIBS)
-sss_groupdel_CFLAGS = $(AM_CFLAGS)
-sss_groupdel_LDFLAGS = \
+ $(SSSD_INTERNAL_LTLIBS) \
$(CLIENT_LIBS)
+sss_groupdel_CFLAGS = $(AM_CFLAGS)
sss_usermod_SOURCES = \
src/tools/sss_usermod.c \
$(SSSD_LCL_TOOLS_OBJ)
sss_usermod_LDADD = \
$(TOOLS_LIBS) \
- $(SSSD_INTERNAL_LTLIBS)
-sss_usermod_CFLAGS = $(AM_CFLAGS)
-sss_usermod_LDFLAGS = \
+ $(SSSD_INTERNAL_LTLIBS) \
$(CLIENT_LIBS)
+sss_usermod_CFLAGS = $(AM_CFLAGS)
sss_groupmod_SOURCES = \
src/tools/sss_groupmod.c \
$(SSSD_LCL_TOOLS_OBJ)
sss_groupmod_LDADD = \
$(TOOLS_LIBS) \
- $(SSSD_INTERNAL_LTLIBS)
-sss_groupmod_CFLAGS = $(AM_CFLAGS)
-sss_groupmod_LDFLAGS = \
+ $(SSSD_INTERNAL_LTLIBS) \
$(CLIENT_LIBS)
+sss_groupmod_CFLAGS = $(AM_CFLAGS)
sss_groupshow_SOURCES = \
src/tools/sss_groupshow.c \
@@ -842,10 +841,9 @@ sss_cache_SOURCES = \
$(SSSD_LCL_TOOLS_OBJ)
sss_cache_LDADD = \
$(TOOLS_LIBS) \
- $(SSSD_INTERNAL_LTLIBS)
-sss_cache_CFLAGS = $(AM_CFLAGS)
-sss_cache_LDFLAGS = \
+ $(SSSD_INTERNAL_LTLIBS) \
$(CLIENT_LIBS)
+sss_cache_CFLAGS = $(AM_CFLAGS)
sss_debuglevel_SOURCES = \
src/tools/sss_debuglevel.c \
@@ -868,7 +866,7 @@ sss_sudo_cli_SOURCES = \
src/sss_client/sudo/sss_sudo_response.c \
src/sss_client/sudo_testcli/sudo_testcli.c
sss_sudo_cli_CFLAGS = $(AM_CFLAGS)
-sss_sudo_cli_LDFLAGS = $(CLIENT_LIBS)
+sss_sudo_cli_LDADD = $(CLIENT_LIBS)
endif
if BUILD_SSH
@@ -878,8 +876,8 @@ sss_ssh_authorizedkeys_SOURCES = \
src/sss_client/ssh/sss_ssh_authorizedkeys.c
sss_ssh_authorizedkeys_CFLAGS = $(AM_CFLAGS)
sss_ssh_authorizedkeys_LDADD = \
- $(SSSD_INTERNAL_LTLIBS)
-sss_ssh_authorizedkeys_LDFLAGS = $(CLIENT_LIBS) $(TALLOC_LIBS) $(POPT_LIBS)
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(CLIENT_LIBS) $(TALLOC_LIBS) $(POPT_LIBS)
sss_ssh_knownhostsproxy_SOURCES = \
src/sss_client/common.c \
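Review bot: the added continuation line in sss_ssh_authorizedkeys_LDADD puts $(CLIENT_LIBS) $(TALLOC_LIBS) $(POPT_LIBS) on a single line, while the multi-line LDADD lists elsewhere in this patch (sss_userdel_LDADD, sss_cache_LDADD) keep one entry per backslash-continued line. Splitting the three variables onto their own lines would match that layout and keep later changes to this list to one-line diffs; the same applies to sss_ssh_knownhostsproxy_LDADD.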
@@ -887,8 +885,8 @@ sss_ssh_knownhostsproxy_SOURCES = \
src/sss_client/ssh/sss_ssh_knownhostsproxy.c
sss_ssh_knownhostsproxy_CFLAGS = $(AM_CFLAGS)
sss_ssh_knownhostsproxy_LDADD = \
- $(SSSD_INTERNAL_LTLIBS)
-sss_ssh_knownhostsproxy_LDFLAGS = $(CLIENT_LIBS) $(TALLOC_LIBS) $(POPT_LIBS)
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(CLIENT_LIBS) $(TALLOC_LIBS) $(POPT_LIBS)
endif
#################
@@ -1427,7 +1425,7 @@ noinst_PROGRAMS += autofs_test_client
endif
pam_test_client_SOURCES = src/sss_client/pam_test_client.c
-pam_test_client_LDFLAGS = -lpam -lpam_misc
+pam_test_client_LDADD = -lpam -lpam_misc
if BUILD_AUTOFS
autofs_test_client_SOURCES = \
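Review bot: pam_test_client_LDADD carries over the order -lpam -lpam_misc unchanged from the old LDFLAGS line. libpam_misc depends on libpam, and since the commit message rests on library order being significant, the dependent library should be listed first: -lpam_misc -lpam.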
@@ -1435,7 +1433,7 @@ autofs_test_client_SOURCES = \
src/sss_client/autofs/sss_autofs.c \
src/sss_client/common.c
autofs_test_client_CFLAGS = $(AM_CFLAGS)
-autofs_test_client_LDFLAGS = -lpopt $(CLIENT_LIBS)
+autofs_test_client_LDADD = -lpopt $(CLIENT_LIBS)
endif
####################
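Review bot: autofs_test_client_LDADD hard-codes -lpopt, whereas the sss_ssh_authorizedkeys_LDADD and sss_ssh_knownhostsproxy_LDADD lines in this same patch reference $(POPT_LIBS). Using $(POPT_LIBS) here as well would keep the popt reference consistent across the file and honour whatever value the build substitutes for it.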
@@ -1457,8 +1455,9 @@ libnss_sss_la_SOURCES = \
src/sss_client/nss_mc_passwd.c \
src/sss_client/nss_mc_group.c \
src/sss_client/nss_mc.h
+libnss_sss_la_LIBADD = \
+ $(CLIENT_LIBS)
libnss_sss_la_LDFLAGS = \
- $(CLIENT_LIBS) \
-module \
-version-info 2:0:0 \
-Wl,--version-script,$(srcdir)/src/sss_client/sss_nss.exports
@@ -1471,9 +1470,10 @@ pam_sss_la_SOURCES = \
src/util/atomic_io.c \
src/sss_client/sss_pam_macros.h
-pam_sss_la_LDFLAGS = \
+pam_sss_la_LIBADD = \
$(CLIENT_LIBS) \
- -lpam \
+ -lpam
+pam_sss_la_LDFLAGS = \
-module \
-avoid-version \
-Wl,--version-script,$(srcdir)/src/sss_client/sss_pam.exports
@@ -1487,8 +1487,9 @@ libsss_sudo_la_SOURCES = \
src/sss_client/sudo/sss_sudo.c \
src/sss_client/sudo/sss_sudo.h \
src/sss_client/sudo/sss_sudo_private.h
+libsss_sudo_la_LIBADD = \
+ $(CLIENT_LIBS)
libsss_sudo_la_LDFLAGS = \
- $(CLIENT_LIBS) \
-Wl,--version-script,$(srcdir)/src/sss_client/sss_sudo.exports \
-module \
-avoid-version
@@ -1505,8 +1506,9 @@ libsss_autofs_la_SOURCES = \
src/sss_client/autofs/sss_autofs.c \
src/sss_client/autofs/sss_autofs_private.h
+libsss_autofs_la_LIBADD = \
+ $(CLIENT_LIBS)
libsss_autofs_la_LDFLAGS = \
- $(CLIENT_LIBS) \
-module \
-avoid-version \
-Wl,--version-script,$(srcdir)/src/sss_client/autofs/sss_autofs.exports
@@ -1864,9 +1866,10 @@ sssd_pac_plugin_la_SOURCES = \
sssd_pac_plugin_la_CFLAGS = \
$(AM_CFLAGS) \
$(KRB5_CFLAGS)
-sssd_pac_plugin_la_LDFLAGS = \
+sssd_pac_plugin_la_LIBADD = \
$(CLIENT_LIBS) \
- -lkrb5 \
+ -lkrb5
+sssd_pac_plugin_la_LDFLAGS = \
-avoid-version \
-module
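Review bot: sssd_pac_plugin_la_LIBADD still hard-codes -lkrb5 even though the context lines of this hunk take the compile flags from $(KRB5_CFLAGS). If the build also provides a matching KRB5_LIBS, reference $(KRB5_LIBS) here so the link flags come from the same detection as the compile flags.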
--
1.8.2
10 years, 5 months
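The rule stated in the commit message above, turned into a check, as an added example that is not part of the patch or of the SSSD tree: it scans Makefile.am text for library references left in `*_LDFLAGS` and names the `_LIBADD`/`_LDADD` variable they belong in. The sample is constructed from the removed lines of the patch; treating `-l...` and `$(..._LIBS)` tokens as libraries is a heuristic assumption, and the function names are hypothetical.

```python
import re

# Constructed sample: pre-patch assignments rebuilt from the removed ("-") lines above.
SAMPLE = """\
libsss_debug_la_LDFLAGS = \\
    $(SYSLOG_LIBS) \\
    -avoid-version
pam_test_client_SOURCES = src/sss_client/pam_test_client.c
pam_test_client_LDFLAGS = -lpam -lpam_misc
libipa_hbac_la_LIBADD = \\
    $(UNICODE_LIBS)
libipa_hbac_la_LDFLAGS = \\
    -version-info 0:1:0
"""

ASSIGN = re.compile(r"^([A-Za-z0-9_]+)\s*(\+?=)\s*(.*)$")
# Heuristic (assumption): a library is "-lfoo" or a variable whose name ends in LIBS.
LIBRARY = re.compile(r"^(-l\S+|\$\(\w*LIBS\))$")


def assignments(text):
    """Yield (variable, tokens), joining backslash-continued lines first."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)
    for line in logical:
        m = ASSIGN.match(line.strip())
        if m:
            yield m.group(1), m.group(3).split()


def misplaced_libraries(text):
    """Return (variable, library_tokens, suggested_variable) for each *_LDFLAGS
    assignment that names libraries; libtool targets (_la) get _LIBADD, programs _LDADD."""
    findings = []
    for var, tokens in assignments(text):
        if not var.endswith("_LDFLAGS"):
            continue
        libs = [t for t in tokens if LIBRARY.match(t)]
        if libs:
            target = var[: -len("_LDFLAGS")]
            fix = target + ("_LIBADD" if target.endswith("_la") else "_LDADD")
            findings.append((var, libs, fix))
    return findings
```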