authentication problem causes log to fill up disk.
by Mark London
Hi - I'm using SSSD 1.8.93 on redhat, which has worked great for many
many months. Recently, the certificate for our ldap server expired, and
then an incorrect one was installed. This has caused SSSD
authentications to intermittently fail, and the SSSD log files start to
fill up with constant messages, like the following:
(Mon Feb 18 14:00:15 2013) [sssd[nss]] [accept_fd_handler] (0x0020):
Accept failed [Too many open files]
This caused the system disk to be totally filled up, breaking everything
else running on the server. Perhaps SSSD could try to automatically
restart, when this error message is encountered? Or perhaps someone can
suggest a better solution to this problem. Thanks. - Mark
11 years, 2 months
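The failure mode in the post is not one error line but the same line repeated without pause until the disk is full. As an added example (not from the post or from SSSD), this parser reads the SSSD debug log format quoted above and flags any message repeated more than a threshold within one minute; the sample lines are constructed, and the unrelated "client_recv" line is invented for contrast:

```python
import re
from collections import Counter
from datetime import datetime

# Regex for the SSSD debug log line format quoted in the post (one line in the
# real log; the mail client wrapped it). Fields: timestamp, process, function,
# debug level, message.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

def parse_line(line):
    """Parse one SSSD log line into a dict; return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    return rec

def find_bursts(lines, threshold):
    """Return {(minute, func, msg): count} for messages repeated at least
    `threshold` times within one calendar minute. A single 'Accept failed' is
    a transient error; hundreds per minute is the runaway loop that filled the
    disk, and that is the condition worth alerting on or restarting sssd for."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ts"].replace(second=0), rec["func"], rec["msg"])
        counts[key] += 1
    return {k: n for k, n in counts.items() if n >= threshold}

def _accept_failed(ts):
    # Constructed sample line in the exact shape quoted in the post.
    return f"({ts}) [sssd[nss]] [accept_fd_handler] (0x0020): Accept failed [Too many open files]"

# Constructed sample log: four failures in one minute, one stray failure later,
# one unrelated line (constructed message text) and one non-log line.
SAMPLE_LOG = [
    _accept_failed("Mon Feb 18 14:00:15 2013"),
    _accept_failed("Mon Feb 18 14:00:15 2013"),
    _accept_failed("Mon Feb 18 14:00:16 2013"),
    _accept_failed("Mon Feb 18 14:00:19 2013"),
    "(Mon Feb 18 14:00:20 2013) [sssd[nss]] [client_recv] (0x0200): Client disconnected!",
    _accept_failed("Mon Feb 18 14:01:02 2013"),
    "not an sssd log line",
]

if __name__ == "__main__":
    for (minute, func, msg), n in find_bursts(SAMPLE_LOG, 3).items():
        print(f"{minute:%Y-%m-%d %H:%M} {func}: {n}x '{msg}'")
```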
[PATCHES] Fix behavior of 1.5 when backend is stopped
by Ondrej Kos
Hi,
in sssd-1-5, when the backend process is stopped until the pings time
out and backend is restarted, the monitor is still trying to ping the
old process, which results in faulty behavior.
Attached are three patches backported for the 1-5(rhel5-9) branch which
fix this.
BZ: https://bugzilla.redhat.com/show_bug.cgi?id=886165
Ondra
--
Ondrej Kos
Associate Software Engineer
Identity Management
Red Hat Czech
phone: +420-532-294-558
cell: +420-736-417-909
ext: 82-62558
loc: 1013 Brno 1 office
irc: okos @ #brno
11 years, 2 months
Announcing realmd 0.13
by Stef Walter
realmd is a project for joining a machine in realms/domains (like
Active Directory and FreeIPA) and configuring domain logins and related
stuff.
What's new in 0.13:
===================
* Pull in translations from transifex
* Detect incorrect passwords when using 'net ads join' login via RPC
* Use ipa-client-install to provide join functionality for IPA domains
* Don't assume that we can use kerberos to validate admin password
* Allow specifying --membership-software when discovering a realm
* Only use the XDG user data directory if it exists
* Quit the daemon when SIGTERM or SIGINT received
* Implement cancellation of operations
* Documentation fixes
* Add documentation about realmd internals
* Update commands and packages for Debian
* Use /var/cache/realmd instead of /tmp
* Build fixes and lots of other bugs fixed
Detailed log:
=============
Marius Vollmer (4):
Fixes.
Export the Service interface.
Implement support for Service.Cancel() method
Make Example Provider cancellable
Nuno Araujo (1):
Fix the build with automake 1.13
Piotr Drąg (1):
Updated Polish translation
Stef Walter (35):
Fix use of uninitialized variable.
Allow specifying --membership-software when discovering a realm
Quit the daemon when SIGTERM or SIGINT received
Avoid race conditions when doing IPA discovery
Fix race on DBus peer to peer connections
Better handling of missing, blank or invalid known commands
Only use the XDG user data directory if it exists
Update the known commands and packages for debian
No longer a need to restart accounts-service after a join
Add some documentation about contributing
Add option to realm command to only print out realm name
Add function for getting all sections of INI conf file
Add function for getting boolean from settings
Add example provider, disabled by default
Create the localstatedir for the example provider
Don't assume that we can use kerberos to validate admin password
Better handling of missing packages section in settings file.
When running in --debug make warnings and criticals fatal
Thread cancellation through basic operations
Don't use gtk-doc for documentation
Add some rough internal documentation
Add back 'make upload' target for manual
Some tweaks and clarifications to the internal documentation
Don't wrap options in realm client manual page
Add the internals documentation to the realmd website
Move the example provider documentation to internals document
Expose the method for updating an SSSD realm's properties
Pull out function to build password input out of passwords
Refactor out config domain identification logic
Add a utility function for updating sssd.conf domains
Use ipa-client-install to provide join functionality for IPA domai
Detect incorrect passwords when using 'net ads join' login via RPC
Pull translations from transifex
Use a private cache directory for temp files
Release version 0.13
Yassir Elley (7):
Cleaned up "uninitialized variable" warning from gcc
Replaced "active-directory" with "users" in user configuration pag
Fixed omissions and typos in command line man page.
Fixed blurb for Provider property's param-spec
Fixed typos: inserted commas, added missing words, corrected mista
add membership-software to dbus xml api - second try
fixed typos for realm man page
Signed Sources:
===============
http://www.freedesktop.org/software/realmd/releases/
Note: 0.13.1 was also packaged to solve a build problem which may not
affect all systems.
Cheers,
Stef
11 years, 2 months
[PATCH 2/2] tools: append new line to error string from poptStrerror()
by Milan Cejnar
Function usage() in tools_util.c now correctly appends a newline character
to popt error messages.
https://fedorahosted.org/sssd/ticket/1756
This patch changes function usage() in tools_util.c which is used by
BAD_POPT_PARAMS macro.
Since the BAD_POPT_PARAMS macro is called by multiple functions in multiple
files, with both custom messages terminated with \n and popt messages
which are not terminated by default, this patch offers a correction by
checking the string just before printing it out to the console and printing
an additional \n if a newline wasn't present.
-----------
The second patch
- includes previously omitted brackets after the if condition
- uses only one fprintf() call instead of two
11 years, 2 months
sssd and ldb versions
by Jan Engelhardt
Hi,
I am writing again with respect to the LDB matter
(https://lists.fedorahosted.org/pipermail/sssd-devel/2012-June/010303.html )
>There isn't really a workaround for it right now. The problem is that
>SSSD needs to build a plugin for LDB (our memberOf plugin) and because
>of a poor design decision in libldb, modules have to be rebuilt for
>every version number bump of the LDB library.
Samba people are letting it be known that sssd is part of the problem:
memberof.so has the following code piece:
int ldb_init_module(const char *version)
{
#ifdef LDB_MODULE_CHECK_VERSION
--> LDB_MODULE_CHECK_VERSION(version);
#endif
return ldb_register_module(&ldb_memberof_module_ops);
}
If sssd's memberof.so really did not care about ldb-1.1.x vs ldb-1.1.y,
then it probably should not call LDB_MODULE_CHECK_VERSION in the
first place.
(The samba part is at https://bugzilla.samba.org/show_bug.cgi?id=9495
comment 5.)
11 years, 2 months
Advice request : LDAP server discovering
by Olivier
Hello,
In case I am not knocking at the right door, please accept my apologies,
but I suspect that some of you may provide some advice that would help me
to avoid mistakes. The problem is: which mechanism would you recommend
to route ldap requests to the right ldap server.
Here is the situation:
My hosts and services are distributed in 3 distinct operational sites (site
A, site B, site C).
I have three ldap servers (one on each site); they are configured to be exact
replicas of the others (I use openldap syncrepl in multimaster mode).
Authentication on my hosts is based on ldap:
posixaccounts/nsswitch/pam/ldap.conf/sssd
I also have deployed things such as centralized sudoer rules in ldap.
At this stage, I have configured hosts so that ldap queries are sent to
the closest ldap server first, then to another one if the first one times out,
and so on:
Here is an extract of my ldap.conf for a host located in site A:
> URI ldap://ldapA.mydom.fr ldap://ldapB.mydom.fr ldap://ldapC.mydom.fr
Here is an extract of my sssd.conf:
> ldap_uri = ldap://ldapA.mydom.fr,ldap://ldapB.mydom.fr,ldap://ldapC.mydom.fr
For a host located in site C, I have declared this in ldap.conf:
> URI ldap://ldapC.mydom.fr ldap://ldapB.mydom.fr ldap://ldapA.mydom.fr
I would like to change that.
Rather than declaring three ldap server references in configurations on the
client side, I would like to implement some sort of mechanism to declare
only one reference (that routes ldap queries to the ldap service, not to ldap
servers).
I see different possibilities to do that, such as setting up some sort of
"heartbeat" or using some DNS trick such as multiple IN A for the same
DNS RR, sortlist option or _ldap._tcp. See:
http://www-01.ibm.com/software/network/directory/library/publications/jnd...
http://www.rjsystems.nl/en/2100-dns-discovery-openldap.php
http://www.ietf.org/proceedings/50/I-D/ldapext-locate-05.txt
http://ipamworldwide.com/bind-options/sortlist-option.html
Intuitively, my preference would go to using an "_ldap._tcp" SRV
record, but I'm not sure that nsswitch or sssd would interpret
this kind of DNS response correctly (what I mean by "correctly"
is "not sure that the client would query an up and running ldap
server found in the NS response list, and even better: would
query the fastest one that responds").
Any advice?
Thanks,
---
Olivier
11 years, 2 months
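The SRV mechanism raised in the post carries the per-site preference as record priority and the load split as weight. As an added example (not from the post or from SSSD), this implements the RFC 2782 ordering an SRV-aware client applies to _ldap._tcp records, over a constructed record set using the hostnames from the post; the priorities and weights are assumptions, and the second function renders the result as the ldap_uri line that is currently hand-written per site. SSSD itself enables this lookup through the special value `_srv_` in ldap_uri.

```python
import random

# Constructed SRV RRset for _ldap._tcp.mydom.fr as a site-A resolver view might
# return it. Hostnames are the ones from the post; priorities and weights are
# assumptions: the lowest priority (the local server) is tried first, the two
# remote servers share the fallback traffic by weight.
SRV_RECORDS = [
    # (priority, weight, port, target)
    (0, 100, 389, "ldapA.mydom.fr"),
    (10, 50, 389, "ldapB.mydom.fr"),
    (10, 50, 389, "ldapC.mydom.fr"),
]

def order_srv(records, seed=None):
    """Order SRV targets the RFC 2782 way: ascending priority; within one
    priority, repeated weighted random selection, with zero-weight records
    listed first so they are only chosen when the draw is 0.
    Returns a list of 'host:port' strings."""
    rng = random.Random(seed)
    by_priority = {}
    for prio, weight, port, target in records:
        by_priority.setdefault(prio, []).append((weight, port, target))
    ordered = []
    for prio in sorted(by_priority):
        group = sorted(by_priority[prio], key=lambda r: r[0] != 0)
        while group:
            total = sum(w for w, _, _ in group)
            pick = rng.randint(0, total)
            running = 0
            for i, (w, port, target) in enumerate(group):
                running += w
                if running >= pick:
                    ordered.append(f"{target}:{port}")
                    del group[i]
                    break
    return ordered

def ldap_uri_line(records, seed=None):
    """Render that order as the sssd.conf ldap_uri value the post hand-writes
    per site today, so the two approaches can be compared side by side."""
    hosts = [h.rsplit(":", 1)[0] for h in order_srv(records, seed)]
    return "ldap_uri = " + ",".join(f"ldap://{h}" for h in hosts)

if __name__ == "__main__":
    print(order_srv(SRV_RECORDS, seed=0))
    print(ldap_uri_line(SRV_RECORDS, seed=0))
```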
Support for pwdAccountLockedTime
by Rajnesh Kumar Siwal
We have an attribute pwdAccountLockedTime in OpenLDAP that is
responsible for locking a User account.
I am not able to figure out how sssd honours it.
--
Regards,
Rajnesh Kumar Siwal
11 years, 2 months
[PATCH] get_next_domain() test dom->parent->next for NULL
by Pavel Březina
This is a fix for Simo's recent patches.
I have one domain and one subdomain. When I tried to su aduser@addom, a
responder crashed. The NSS responder crashed during the first try, the PAM
responder during the second. Log and patch are attached.
11 years, 2 months
About netgroup refresh
by Dmitri Pal
Hello,
I was thinking a bit about the ticket
https://fedorahosted.org/sssd/ticket/1713
AFAIU the problem is that in the case when there are many netgroups they
are expiring at the same time and every so often the system has to
refetch all of them.
The ticket calls for a job that would run asynchronously and refresh
things that already expired. While this might be useful it seems like a
big task. I was wondering about a different "complementary" approach
that might help with making entries not expire at the same time. Would
it be helpful if we added, as an optional parameter, something like:
<map>_extended_expiration_range = %of_the_cache_lifetime.
If not defined it will work as right now. If defined (per map) it will
set the window of expiration. Here is how it would work.
Say the expiration time is 10h and midpoint cache is at 50%. Without
activity after 10 hours all entries would expire and the user would
experience a delay. If the new parameter is defined say 100% the
expiration timestamp will be set in between 10h and 10h + 10h * 100% =
20h randomly. It does not solve the problem of the refresh after 20h if
there is no activity happening, but if there is some minimal activity
happening within 10h and 20h window not all netgroups would expire at
the same time and not all of them need to be refreshed at the same time.
Does this make sense? Would it make things better?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
11 years, 2 months
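The proposal above is a numbers question, so here is the expiration rule carried through as an added example (not from the post or from SSSD): each entry's expiration is drawn uniformly from the window [lifetime, lifetime + lifetime * range%], and a seeded simulation of netgroups all fetched at one moment shows how many a lookup at a given time would find expired with the option off (0%) and at the 100% setting from the post. Everything here is constructed; the parameter name is the one the post suggests.

```python
import random
from datetime import datetime, timedelta

def hours(n):
    return timedelta(hours=n)

# Constructed: every netgroup was fetched in the same moment, the situation
# from ticket 1713 in which they all expire together.
T0 = datetime(2013, 2, 18, 14, 0, 0)

def jittered_expiration(fetched_at, cache_lifetime, extended_range_pct, rng):
    """Expiration timestamp for one entry under the proposed per-map option.

    extended_range_pct == 0 reproduces current behaviour: expire exactly
    cache_lifetime after the fetch. Otherwise the expiration is drawn uniformly
    from [lifetime, lifetime + lifetime * pct/100], e.g. 10h..20h for 100%.
    """
    extra = cache_lifetime.total_seconds() * extended_range_pct / 100.0
    return fetched_at + cache_lifetime + timedelta(seconds=rng.uniform(0, extra))

def simulate(n_netgroups, cache_lifetime, extended_range_pct, seed=1):
    """Expiration timestamps for n netgroups all fetched at T0 (seeded RNG so
    the run is reproducible)."""
    rng = random.Random(seed)
    return {f"netgroup{i}": jittered_expiration(T0, cache_lifetime, extended_range_pct, rng)
            for i in range(n_netgroups)}

def expired_by(entries, when):
    """How many entries a lookup at `when` finds expired (and has to refetch)."""
    return sum(1 for exp in entries.values() if exp <= when)

if __name__ == "__main__":
    for pct in (0, 100):
        entries = simulate(1000, hours(10), pct)
        print(f"range {pct:3d}%: expired at 10h = {expired_by(entries, T0 + hours(10)):4d}, "
              f"at 15h = {expired_by(entries, T0 + hours(15)):4d}, "
              f"at 20h = {expired_by(entries, T0 + hours(20)):4d}")
```

With 0% every entry expires in the same second, so the first lookup after 10h refetches all of them; with 100% a lookup at 15h finds roughly half expired and the rest still valid.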