When a user enrolls a system against Active Directory, the expectation
is that the client will honor the centrally-managed settings. In the
past, we avoided changing the default (and left it in permissive mode,
to warn admins that the security policy wasn't being honored) in order
to avoid breaking existing Active Directory enrollments.
However, sufficient time has likely passed for users to become
accustomed to using GPOs to manage access-control for their systems.
This patch changes the default to enforcing and adds a configure flag
for distributions to use if they wish to provide a different default.
I have prepared a wiki page with a proposal for how to implement the feature from the subject.
For your convenience I paste the content here.
= Authenticate against cache in SSSD =
=== Problem statement ===
SSSD should allow cached authentication instead of authenticating directly against the network server every time. Authenticating against the network many times can cause excessive application latency.
=== Use cases ===
In environments with tens of thousands of users the login process may become inappropriately long when servers are running under a high workload (e.g. during classes, when many users log in simultaneously).
=== Overview of the solution ===
Add a new domain option `cached_authentication_timeout` describing how long cached credentials can be used for cached authentication before on-line authentication must be performed. Update the PAM responder's functionality for forwarding requests to domains by checking whether the request can be served from the cache and, if so, executing the same code branch as for off-line authentication instead of contacting the domain.
=== Implementation details ===
 * extend ''struct pam_auth_req''
   * add new field `use_cached_auth` (default value is false)
 * extend ''pam_dom_forwarder()''
   * obtain the value of domain option `cached_authentication_timeout`
   * do not forward the request to the domain if
     * the domain uses cached credentials and
     * `cached_authentication_timeout` is greater than 0 and
     * the last online login of the user being authenticated is not stale (< ''now()'' - `cached_authentication_timeout`) and
     * the PAM request can be handled from the cache (PAM command is SSS_PAM_AUTHENTICATE or SSS_PAM_ACCT_MGMT)
   * then set `use_cached_auth` to true
   * call ''pam_reply()''
 * extend ''pam_reply()''
   * extend the condition for entering the block that processes the case when pam_status is PAM_AUTHINFO_UNAVAIL so that it is also entered when `use_cached_auth` is true
   * while in this block, if the PAM command is SSS_PAM_AUTHENTICATE, set `use_cached_auth` to false to avoid a cyclic recursive call of ''pam_reply()'', which is subsequently called from ''pam_handle_cached_login()''.
 * introduce function ''sysdb_get_user_lastlogin()''
   * returning the time of the last online login performed for the given user
=== Configuration changes ===
A new domain option `cached_authentication_timeout` will be added. The value of this option is the time period for which cached authentication can be used. After this period is exceeded, on-line authentication must be performed. The default value would be 0, which means that this feature is disabled by default.
=== How To Test ===
1. set `cached_authentication_timeout` in sssd.conf to some non-zero value (e.g. 120)
1. erase the SSSD caches and restart SSSD
1. log in as a user from a domain that stores credentials, then log out and log in again. The second login should use cached credentials. The output should be similar to this; note especially the line starting with: '''Authenticated with cached credentials'''
devel@dev $ su john
john@dev $ exit
devel@dev $ su john
Authenticated with cached credentials, your cached password will expire at: Wed 22 Apr 2015 08:47:29 AM EDT.
1. for `cached_authentication_timeout` seconds after the 1st login, all subsequent login attempts (for the same user) should be served from the cache and the domain should not be contacted; this can be verified by changing the password on the server.
1. after more than `cached_authentication_timeout` seconds have passed since the 1st login, an on-line login should be performed and the new password must be used.
=== Authors ===
* Pavel Reichl <preichl(a)redhat.com>
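The forwarding decision and the recursion guard described in the proposal, as an added stand-alone C model. This is not SSSD's code: the struct and function names are simplified stand-ins for `pam_auth_req`, `pam_dom_forwarder()`, `pam_reply()` and `pam_handle_cached_login()`, the PAM command enum is illustrative, and only the PAM return codes are Linux-PAM's real values. The main() runs two constructed logins, one inside and one outside the timeout window.

```c
/* Added example, not SSSD's code: a stand-alone model of the cached-auth
 * decision the proposal adds to pam_dom_forwarder() and of the recursion
 * guard in pam_reply(). Struct and function names are simplified stand-ins. */
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Linux-PAM return codes (real values; only the ones used here). */
enum { PAM_SUCCESS = 0, PAM_SYSTEM_ERR = 4, PAM_AUTH_ERR = 7, PAM_AUTHINFO_UNAVAIL = 9 };

/* Illustrative stand-in for SSSD's PAM command enum. */
enum pam_cmd { CMD_AUTHENTICATE, CMD_ACCT_MGMT, CMD_CHAUTHTOK, CMD_OPEN_SESSION };

struct domain_cfg {
    bool cache_credentials;             /* cache_credentials = True in sssd.conf */
    long cached_authentication_timeout; /* the proposed option, in seconds; 0 = off */
};

struct pam_auth_req {
    enum pam_cmd cmd;
    time_t last_online_login;    /* what sysdb_get_user_lastlogin() would return; 0 = never */
    bool password_matches_cache; /* constructed: outcome of checking the cached hash */
    bool use_cached_auth;        /* the new field from the proposal */
    int reply_calls;             /* how often pam_reply() ran, to show the guard works */
};

static int pam_reply(const struct domain_cfg *dom, struct pam_auth_req *req, int pam_status);

/* Offline credential check. In SSSD this ends by calling pam_reply() again,
 * which is why the forwarder's flag must be cleared before getting here. */
static int pam_handle_cached_login(const struct domain_cfg *dom, struct pam_auth_req *req)
{
    int status = req->password_matches_cache ? PAM_SUCCESS : PAM_AUTH_ERR;
    return pam_reply(dom, req, status);
}

static int pam_reply(const struct domain_cfg *dom, struct pam_auth_req *req, int pam_status)
{
    req->reply_calls++;
    /* Extended condition: enter the offline block when the provider is
     * unavailable OR when the forwarder decided to answer from the cache. */
    if (pam_status == PAM_AUTHINFO_UNAVAIL || req->use_cached_auth) {
        if (req->cmd == CMD_AUTHENTICATE && dom->cache_credentials) {
            req->use_cached_auth = false; /* guard: the nested pam_reply() must not re-enter */
            return pam_handle_cached_login(dom, req);
        }
        if (req->cmd == CMD_ACCT_MGMT) {
            return PAM_SUCCESS; /* model assumption: nothing to verify offline for account checks */
        }
    }
    return pam_status;
}

/* The four conditions from the proposal. Returns true when the request was
 * answered from the cache (result in *pam_status) and false when the caller
 * must forward it to the domain provider as before. */
bool pam_dom_forwarder(const struct domain_cfg *dom, struct pam_auth_req *req,
                       time_t now, int *pam_status)
{
    time_t cutoff = now - dom->cached_authentication_timeout;
    bool serve_from_cache =
        dom->cache_credentials &&
        dom->cached_authentication_timeout > 0 &&
        req->last_online_login != 0 &&
        req->last_online_login >= cutoff && /* last online login is not stale */
        (req->cmd == CMD_AUTHENTICATE || req->cmd == CMD_ACCT_MGMT);

    if (!serve_from_cache) {
        return false;
    }
    req->use_cached_auth = true;
    /* No status yet; the flag alone routes pam_reply() into the offline block. */
    *pam_status = pam_reply(dom, req, PAM_SYSTEM_ERR);
    return true;
}

/* Convenience wrapper: build one request and run it through the forwarder. */
int try_login(const struct domain_cfg *dom, enum pam_cmd cmd, time_t last_online,
              bool password_ok, time_t now, bool *from_cache, int *reply_calls)
{
    struct pam_auth_req req = { cmd, last_online, password_ok, false, 0 };
    int status = PAM_SYSTEM_ERR;
    *from_cache = pam_dom_forwarder(dom, &req, now, &status);
    *reply_calls = req.reply_calls;
    return status;
}

int main(void)
{
    struct domain_cfg dom = { true, 120 };      /* cached_authentication_timeout = 120 */
    time_t now = 1429706849;                    /* constructed "now" (22 Apr 2015) */
    bool from_cache;
    int calls, st;
    st = try_login(&dom, CMD_AUTHENTICATE, now - 30, true, now, &from_cache, &calls);
    printf("30s after online login:  from_cache=%d status=%d pam_reply calls=%d\n", from_cache, st, calls);
    st = try_login(&dom, CMD_AUTHENTICATE, now - 200, true, now, &from_cache, &calls);
    printf("200s after online login: from_cache=%d status=%d (must go online)\n", from_cache, st);
    return 0;
}
```

The `reply_calls` counter makes the guard visible: a cached authentication runs `pam_reply()` exactly twice (once from the forwarder, once from the cached-login path), and the second entry skips the offline block because the flag was cleared. A password change (`CMD_CHAUTHTOK`) or a disabled timeout never takes the cache path, as the proposal requires.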
With Samba 4.2.x, libwbclient has a new interface version because new
calls were added that take an opaque context as an argument to allow
threaded applications to send multiple requests to winbind in parallel.
This patch adds the new interface but so far does not implement any calls.
We have a similar issue in SSSD: all applications, either single- or
multi-threaded, use a single file descriptor to talk to the SSSD
responders and the requests are serialized. Originally the only clients
were the NSS and PAM client code, where there was no way around it
because the PAM and NSS interfaces do not provide a way to pass a
Nowadays there are applications like 389ds running on a FreeIPA server
which want to get data exclusively from SSSD and which could use a more enhanced
interface. So I think it would make sense to consider an enhancement to
the low-level client communication code similar to the changes done in
Samba, so that threads can get individual file descriptors to talk to
the responders. When this is done the new context-aware libwbclient
calls can be implemented (as long as it is possible).
I'm sending these incomplete patches for review just to get some feedback.
What is missing:
- support for user's extraAttributes (although the get invoker is there)
- ListByNameFilter for both groups and users
The 2nd and 3rd patches fix https://fedorahosted.org/sssd/ticket/2634
Steps to reproduce are written in the upstream and downstream tickets.
The patches are quite small, so it should be clear from them
how to reproduce the bug.
The type of the timestamp for entries in the negative cache is time_t,
which is the number of *seconds* that have elapsed since 1 January 1970.
The condition for ttl was too strict, so an entry could be valid
from "ttl-1" to ttl seconds, e.g.:
* ttl is 1 second
* entry was stored to negative cache at 1432120871.999639
stored_timestamp = 1432120871
* entry was tested a few milliseconds later, at 1432120872.001293
current_time = 1432120872
The entry was marked as expired because the result of the condition was false:
stored_timestamp + ttl < current_time
1432120871 + 1 < 1432120872
This is the reason why ./test-negcache sometimes fails.
It's quite easily reproducible on a slow machine or when valgrind is used.
sh$ while libtool --mode=execute valgrind ./test-negcache ; do echo OK; done
It would be good to push the patch to master and sssd-1-12,
so we can get rid of the problematic failed tests in CI.
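The second-granularity effect described above, as an added stand-alone C model. This is not SSSD's negcache code: the two comparison functions are illustrative stand-ins for the strict check and the relaxed one, and the timestamps are the ones quoted in the report. The brute-force sweep goes a step beyond the single reported case and computes, for every sub-second store offset, how early an entry can be reported expired and how long it can survive under each rule.

```c
/* Added example, not SSSD's negcache code: models how second-granularity
 * time_t timestamps interact with the TTL comparison. Constants come from
 * the report above; function names are illustrative. */
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Strict rule: the entry is still valid only while stored + ttl > now. */
bool ncache_valid_strict(time_t stored, time_t ttl, time_t now)
{
    return stored + ttl > now;
}

/* Relaxed rule: the entry is valid while stored + ttl >= now. */
bool ncache_valid_inclusive(time_t stored, time_t ttl, time_t now)
{
    return stored + ttl >= now;
}

/* The exact case from the report: stored at 1432120871.999639, checked at
 * 1432120872.001293 with ttl = 1. time() truncates both to whole seconds. */
bool report_case_valid(bool inclusive)
{
    time_t stored = (time_t)1432120871.999639; /* -> 1432120871 */
    time_t now    = (time_t)1432120872.001293; /* -> 1432120872 */
    return inclusive ? ncache_valid_inclusive(stored, 1, now)
                     : ncache_valid_strict(stored, 1, now);
}

/* Brute-force the real-time window an entry can live under a rule: for every
 * sub-second store offset, find the first elapsed millisecond at which the
 * check reports "expired". The minimum over offsets is the earliest possible
 * expiry; the maximum minus one is the longest an entry can survive. */
void expiry_window_ms(time_t ttl, bool inclusive, long *earliest_expiry, long *latest_valid)
{
    const time_t base = 1432120871; /* any epoch second will do */
    *earliest_expiry = -1;
    *latest_valid = -1;
    for (long stored_ms = 0; stored_ms < 1000; stored_ms++) {
        time_t stored = base; /* time(NULL) drops the fractional part */
        for (long elapsed = 1; elapsed <= (long)(ttl + 2) * 1000; elapsed++) {
            time_t now = base + (stored_ms + elapsed) / 1000;
            bool valid = inclusive ? ncache_valid_inclusive(stored, ttl, now)
                                   : ncache_valid_strict(stored, ttl, now);
            if (!valid) {
                if (*earliest_expiry < 0 || elapsed < *earliest_expiry) {
                    *earliest_expiry = elapsed;
                }
                if (elapsed - 1 > *latest_valid) {
                    *latest_valid = elapsed - 1;
                }
                break;
            }
        }
    }
}

int main(void)
{
    long early, late;
    printf("report case (ttl=1): strict valid=%d, inclusive valid=%d\n",
           report_case_valid(false), report_case_valid(true));
    expiry_window_ms(1, false, &early, &late);
    printf("ttl=1 strict:    can expire after %ld ms, survives at most %ld ms\n", early, late);
    expiry_window_ms(1, true, &early, &late);
    printf("ttl=1 inclusive: can expire after %ld ms, survives at most %ld ms\n", early, late);
    return 0;
}
```

With the strict rule a 1-second TTL entry can be gone after a single millisecond, which is exactly the flaky test. The inclusive rule guarantees at least ttl seconds but allows up to ttl+1, so a negative result may be served one extra second; for a negative cache that is the safer side to err on, but if exact lifetimes matter the fix is to store sub-second timestamps (e.g. from clock_gettime) rather than to tune the comparison.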
Patch "sss_client: Fix mixed enums" introduced the following warning:
/home/pbrezina/workspace/sssd/src/sss_client/pam_sss.c:48:0: error: "_"
#define _(STRING) dgettext (PACKAGE, STRING)
In file included from /home/pbrezina/workspace/sssd/src/util/authtok.h:23:0,
/home/pbrezina/workspace/sssd/src/util/util.h:55:0: note: this is the
location of the previous definition
#define _(STRING) gettext (STRING)
Please see the attached simple patch. I believe that nested header files are
sometimes a necessary evil, but they should be avoided when possible. They
make it difficult to figure out which header files a source file actually
depends on and can increase compilation time.
My idea is as follows:
- create a new option 'domains' in the [ifp] section
- this option can reduce the set of domains listed in 'domains' in [sssd]
- provide this reduced domain set to rctx->domains
[sssd]
domains = A, B, C
[ifp]
domains = B
rctx->domains would contain only B in the ifp responder.
But I am not sure if it fulfills the requirement.