July 2014 - sssd-devel - Fedora Mailing-Lists

Trying to ssh with sssd/pam configuration

by Sterling Sahaydak

Running CentOS 6.5 sssd 1.9.2 in a test environment and trying to authenticate user: testjoe to ssh to server ldap01.something.net running openldap on ldap01.something.net and trying to authenticate to it. [root@testmachine sssd]# cat sssd.conf [domain/default] ldap_id_use_start_tls = True cache_credentials = True ldap_search_base = dc=something,dc=net id_provider = ldap auth_provider = ldap chpass_provider = ldap ldap_uri = ldaps://ldap01.something.net ldap_tls_cacertdir = /etc/openldap/certs [sssd] config_file_version = 2 services = nss, pam, sudo domains = default, LDAP [nss] filter_users = root filter_groups = root [pam] [sudo] [domain/LDAP] access_provider = ldap auth_provider = ldap chpass_provider = ldap id_provider = ldap sudo_provider = ldap debug_level = 7 cache_credentials = true enumerate = true ldap_access_filter = cn=allowedusers,ou=Groups,dc=something,dc=net ldap_search_base = dc=something,dc=net ldap_sudo_search_base = ou=sudoers,dc=something,dc=net ldap_tls_cacert = /etc/openldap/certs/cacert.pem ldap_tls_reqcert = allow ldap_uri = ldaps://ldap01.something.net [root@testmachine pam.d]# cat password-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_debug.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_mkhomedir.so umask=0022 skel=/etc/skel/ session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so -sh-4.1$ ssh -vvv test1234(a)ldap01.something.net OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug2: ssh_connect: needpriv 0 debug1: Connecting to ldap01.something.net [54.183.120.59] port 22. debug1: Connection established. debug1: identity file /home/users/testjoe/.ssh/identity type -1 debug1: identity file /home/users/testjoe/.ssh/id_rsa type -1 debug1: identity file /home/users/testjoe/.ssh/id_dsa type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3 debug1: match: OpenSSH_5.3 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.3 debug2: fd 5 setting O_NONBLOCK debug1: SSH2_MSG_KEXINIT sent debug3: Wrote 792 bytes for a total of 813 debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc(a)lysator.liu.se debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc(a)lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160(a)openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160(a)openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib(a)openssh.com,zlib debug2: kex_parse_kexinit: none,zlib(a)openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc(a)lysator.liu.se debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc(a)lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160(a)openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160(a)openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib(a)openssh.com debug2: kex_parse_kexinit: none,zlib(a)openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_setup: found hmac-md5 debug1: kex: server->client aes128-ctr hmac-md5 none debug2: mac_setup: found hmac-md5 debug1: kex: client->server aes128-ctr hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug3: Wrote 24 bytes for a total of 837 debug2: dh_gen_key: priv key bits set: 127/256 debug2: bits set: 515/1024 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: Wrote 144 bytes for a total of 981 debug3: check_host_in_hostfile: filename /home/users/testjoe/.ssh/known_hosts debug3: check_host_in_hostfile: match line 1 debug3: check_host_in_hostfile: filename /home/users/testjoe/.ssh/known_hosts debug3: check_host_in_hostfile: match line 1 debug1: Host 'ldap01.something.net' is known and matches the RSA host key. debug1: Found key in /home/users/testjoe/.ssh/known_hosts:1 debug2: bits set: 513/1024 debug1: ssh_rsa_verify: signature correct debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug3: Wrote 16 bytes for a total of 997 debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug3: Wrote 48 bytes for a total of 1045 debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /home/users/testjoe/.ssh/identity ((nil)) debug2: key: /home/users/testjoe/.ssh/id_rsa ((nil)) debug2: key: /home/users/testjoe/.ssh/id_dsa ((nil)) debug3: Wrote 64 bytes for a total of 1109 debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password debug3: preferred publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Trying private key: /home/users/testjoe/.ssh/identity debug3: no such identity: /home/users/testjoe/.ssh/identity debug1: Trying private key: /home/users/testjoe/.ssh/id_rsa debug3: no such identity: /home/users/testjoe/.ssh/id_rsa debug1: Trying private key: /home/users/testjoe/.ssh/id_dsa debug3: no such identity: /home/users/testjoe/.ssh/id_dsa debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: ,password debug3: authmethod_is_enabled password debug1: Next authentication method: password test1234(a)ldap01.something.net's password: debug3: packet_send2: adding 48 (len 61 padlen 19 extra_pad 64) debug2: we sent a password packet, wait for reply debug3: Wrote 144 bytes for a total of 1253 Connection closed by 54.183.120.59 (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP' (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [get_server_status] (0x1000): Status of server 'ldap01.something.net' is 'name not resolved' (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [get_port_status] (0x1000): Port status of port 636 for server 'ldap01.something.net' is 'neutral' (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [get_server_status] (0x1000): Status of server 'ldap01.something.net' is 'name not resolved' (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'ldap01.something.net' in files (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [set_server_common_status] (0x0100): Marking server 'ldap01.something.net' as 'resolving name' (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'ldap01.something.net' in files (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'ldap01.something.net' in DNS (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [resolv_gethostbyname_dns_parse] (0x1000): Parsing an A reply (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [request_watch_destructor] (0x0400): Deleting request watch (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [set_server_common_status] (0x0100): Marking server 'ldap01.something.net' as 'name resolved' (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [be_resolve_server_process] (0x1000): Saving the first resolved server (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [be_resolve_server_process] (0x0200): Found address for server ldap01.something.net: [54.183.120.59] TTL 1408 (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_uri_callback] (0x0400): Constructed uri 'ldaps://ldap01.something.net' (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_sudo_full_refresh_send] (0x0400): Issuing a full refresh of sudo rules (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldaps://ldap01.something.net:636/??base] with fd [22]. (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][]. (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedControl] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedExtension] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedFeatures] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedLDAPVersion] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [supportedSASLMechanisms] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [domainControllerFunctionality] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [defaultNamingContext] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [highestCommittedUSN] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_server_opts_from_rootdse] (0x0200): No known USN scheme is supported by this server! (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_server_opts_from_rootdse] (0x0200): Will use modification timestamp as usn! (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900 (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1406568103 (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_cli_auth_step] (0x1000): No authentication requested or SASL auth forced off (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [fo_set_port_status] (0x0100): Marking port 636 of server 'ldap01.something.net' as 'working' (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [set_server_common_status] (0x0100): Marking server 'ldap01.something.net' as 'working' (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=something,dc=net] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=posixAccount)(uid=*)(uidNumber=*)(gidNumber=*))][dc=something,dc=net]. (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_sudo_refresh_connect_done] (0x0400): SUDO LDAP connection successful (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_sudo_load_sudoers_next_base] (0x0400): Searching for sudo rules with base [ou=sudoers,dc=something,dc=net] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=testmachine.something.net)(sudoHost=testmachine)(sudoHost=172.31.4.163)(sudoHost=172.31.0.0/20)(sudoHost=fe80::889:cff:fe1d:d718)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))][ou=sudoers,dc=something,dc=net]. (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoCommand] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoHost] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoUser] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOption] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsUser] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoRunAsGroup] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotBefore] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoNotAfter] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoOrder] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x1000): Total count [0] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_sudo_load_sudoers_process] (0x0400): Receiving sudo rules with base [ou=sudoers,dc=something,dc=net] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_sudo_load_sudoers_done] (0x0400): Received 2 rules (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sysdb_save_sudorule] (0x0400): Adding sudo rule testjoe (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sysdb_save_sudorule] (0x0400): Adding sudo rule test1234 (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_sudo_load_sudoers_done] (0x0400): Sudoers is successfuly stored in cache (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_sudo_full_refresh_done] (0x0400): Successful full refresh of sudo rules (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_sudo_set_usn] (0x0200): SUDO higher USN value: [20140728162617Z] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_sudo_schedule_refresh] (0x0400): Full refresh scheduled at: 1406588803 (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_sudo_schedule_refresh] (0x0400): Smart refresh scheduled at: 1406568103 (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x1000): Total count [0] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_search_user_process] (0x0400): Search for users, returned 2 results. (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_save_user] (0x1000): Original memberOf is not available for [testjoe]. (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_save_user] (0x1000): Original USN value is not available for [testjoe]. (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_save_user] (0x1000): User principal is not available for [testjoe]. (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_save_user] (0x0400): Storing info for user testjoe (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_save_user] (0x1000): Original memberOf is not available for [test1234]. (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_save_user] (0x1000): Original USN value is not available for [test1234]. (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_save_user] (0x1000): User principal is not available for [test1234]. (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_save_user] (0x0400): Storing info for user test1234 (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [enum_users_op_done] (0x0100): Users higher USN value: [(null)] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_groups_next_base] (0x0400): Searching for groups with base [dc=something,dc=net] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc=something,dc=net]. (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberuid] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x1000): Total count [0] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_groups_process] (0x0400): Search for groups, returned 1 results. (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_process_group_members_2307] (0x1000): Member already cached in sysdb: testjoe (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_process_group_members_2307] (0x1000): Member already cached in sysdb: test1234 (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_process_group_send] (0x1000): All group members processed (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_save_group] (0x0400): Processing group allowedusers (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_save_group] (0x1000): Original USN value is not available for [allowedusers]. (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_process_ghost_members] (0x0400): Group has 2 members (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_save_group] (0x0400): Storing info for group allowedusers (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [enum_groups_op_done] (0x0100): Groups higher USN value: [(null)] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_services_next_base] (0x0400): Searching for services with base [dc=something,dc=net] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipService)(cn=*)(ipServicePort=*)(ipServiceProtocol=*))][dc=something,dc=net]. (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipServicePort] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [ipServiceProtocol] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x1000): Total count [0] (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [sdap_get_services_process] (0x0400): Search for services, returned 0 results. (Mon Jul 28 13:06:44 2014) [sssd[be[LDAP]]] [ldap_id_enumerate_set_timer] (0x0400): Scheduling next enumeration at 1406567503.675094

9 years, 8 months

2
22
0 / 0

[PATCH] NSS: replace with space with specified character in names.

by Lukas Slebodnik

ehlo, This patch add possibility to replace whitespace in user and group names with a specified string. With string "-", sssd will return the same result as winbind enabled option "winbind normalize names" Resolves: https://fedorahosted.org/sssd/ticket/1854 patch is attached. LS

9 years, 8 months

7
19
0 / 0

[PATCH] Two patches with more debugging for the LDAP provider

by Jakub Hrozek

Hi, I was trying to help a user who had problems with the AD provider and realized I had hard time following what exact server are we searching at the time and, because we hit a referral, where the referral pointed to. I wrote the two attached patches. I'm OK with keeping them in my local tree, but if other developers agree, maybe we can include them upstream as well.

9 years, 8 months

4
9
0 / 0

[PATCH] failover: set port status to not working if previous srv lookup failed

by Pavel Březina

https://fedorahosted.org/sssd/ticket/2390

9 years, 9 months

4
8
0 / 0

[PATCH] AD: add entry_cache_gpo_timeout option

by Yassir Elley

Hi, The attached patch adds support for an "entry_cache_gpo_timeout" option, which allows an admin to specify how many seconds the backend should consider locally stored gpo policy files to be valid before asking the backend again. This is an additional performance enhancement (along with comparing gpo versions to avoid unnecessary downloads). The timeout is set when a gpo entry is stored in the cache (which only happens after policy files have been downloaded). During the processing of a gpo, if the gpo's cache timeout has not elapsed, the backend does not interact with the gpo_child at all (and therefore doesn't download any files from the smb server). Rather, it re-uses the policy files that are already stored locally. Obviously, no gpo version comparisons need to be made in this case. If the timeout has elapsed (or there is no gpo entry in the cache), then the backend does interact with the gpo child in the usual manner (including comparing gpo versions to avoid unnecessary downloads). Note that the entry_cache_gpo_timeout option is *not* an expiration for the data in the gpo cache entry (which includes the cached_gpt_version). Indeed, the cached_gpt_version is never considered to be "expired". Note that this patch does not add support for offline mode, which will be implemented in a subsequent patch. Regards, Yassir.

9 years, 9 months

2
4
0 / 0

[PATCH v4] Add basic support for CI test execution

by Nikolai Kondrashov

Hi everyone, Here is the fourth version of the patch adding CI tests. Compared to the last one, this adds handling of libini_config-devel 1.1.0 being absent from most distributions, and adds support for Fedora Rawhide. It relies on the three patches titled "Make sssd.spec.in work without libini_config >= 1.1.0" I sent earlier today. You can test it locally by executing "contrib/ci/run --help" and exercising the few supported options on the supported distros. Thank you. Nick

9 years, 9 months

1
1
0 / 0

[PATCH] Exit offline mode only if server is available.

by Michal Židek

Hi, this patch solves the ticket https://fedorahosted.org/sssd/ticket/2355 I was able to reproduce the slowdowns that the reported experienced by pausing a virtual machine with the server. With this patch the slowdowns no longer appear. I use the already implemented function check_if_online in the new periodic task. See patch description for more details. Patches for master and sssd-1-11 are in the attachment. Thanks, Michal

9 years, 9 months

4
19
0 / 0

having trouble building master

by Yassir Elley

Is anyone else having trouble building master? I pulled the latest bits from master. I am able to successfully "reconfig", but when I "chmake", I am getting the following error: CCLD libsss_autofs.la CCLD libsss_idmap.la CCLD libsss_nss_idmap.la CCLD sssd_krb5_locator_plugin.la CCLD memberof.la CCLD libipa_hbac.la CCLD libsss_crypt.la CCLD libsss_util.la CCLD libsss_krb5_common.la CCLD libsss_ad_common.la CCLD pyhbac.la CCLD pysss_nss_idmap.la CCLD libsss_proxy.la CCLD libsss_simple.la CCLD libsss_sudo.la CCLD sss_sudo_cli CCLD krb5_child CCLD ldap_child CCLD proxy_child src/sss_client/krb5_child-common.o: file not recognized: File truncated collect2: error: ld returned 1 exit status make[2]: *** [krb5_child] Error 1 make[2]: *** Waiting for unfinished jobs.... make[2]: Leaving directory `/home/yelley/git/sssd-gpo/x86_64' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/home/yelley/git/sssd-gpo/x86_64' make: *** [all] Error 2 Regards, Yassir.

9 years, 9 months

2
2
0 / 0

[PATCHES] Build fixes and improvements

by Nikolai Kondrashov

Hi everyone, Here is a bunch of various build fixes and improvements mainly concerned with libini_config detection. Nick

9 years, 9 months

2
3
0 / 0

[PATCH] sudo: replace asterisk with escape sequence in host filter

by Pavel Březina

https://fedorahosted.org/sssd/ticket/2377

9 years, 9 months

2
4
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

sssd-devel July 2014