ldap_sasl_mech EXTERNAL and SSL client authc
by Michael Ströder
Hi!
Is it possible to use SASL/EXTERNAL when connecting to an LDAP server with
StartTLS or LDAPS using client certs?
In a project they have certs in all systems anyway (because of using puppet)
and I'd like to let the sssd instances on all the systems authenticate to the
LDAP server to restrict visibility of LDAP entries by ACL. I'd like to avoid
having to set/configure passwords for each system's sssd.
Ciao, Michael.
8 years, 8 months
RFC: dropping upstream support of RHEL5 starting with 1.10
by Jakub Hrozek
Hi,
many new features rely on library APIs and features that are only available
in recent versions of SSSD dependencies. As a result, the code often needs
#ifdefs and special branches in order to at least compile or run on RHEL5.
So far we've been doing nightly builds also for RHEL5 and fixing issues
as we were finding them. But recently we are considering dropping support
for RHEL5 -- it is causing some engineering effort and at the same time
the audience is probably very limited. If you are running a super-stable
enterprise distribution, chances are you are not all that interested in
the latest and possibly very unstable SSSD version.
The proposal would be to keep building and supporting the 1.9.x branch
for RHEL5 and switch to using RHEL6 as the oldest supported release
starting from the 1.10 upstream version. Of course we would still accept
patches from any potential contributors.
Any objections against the plan?
10 years, 7 months
user@domainname ldap_user_principal oddities
by Sven Geggus
Hello,
I'm trying to convert an existing nslcd/pam_krb5 based setup authenticating
against Active Directory to sssd/pam_sss.
I already succeeded in doing so as far as the nss-side of things is
concerned.
Not so with pam_sss.so (pam_krb5.so works fine) because of the following
reason:
When constructing a realm for authentication sssd seems to check for the
ldap attribute specified as ldap_user_principal in sssd.conf. Later on a
kerberos ticket is requested for the string found there.
What I have in sssd.conf is the following (as found in various howtos
around the web):
ldap_user_principal = userPrincipalName
And this is why I get in trouble!
In my case userPrincipalName does contain an email address (user@dn) with a
domain part _different_ to the kerberos realm.
Thus I end up having sssd trying to request a kerberos ticket for user@DN
which will of course not work, because "DN" is not a valid kerberos realm.
I tried to reproduce this using kinit with various versions of this LDAP
attribute.
Neither one of the following works:
kinit user@dn
kinit user@DN
kinit user@dn@REALM
Only "user@REALM" and "user" work.
Thus I changed ldap_user_principal in sssd.conf to the following:
ldap_user_principal = sAMAccountName
This does seem to work now, but I would rather like to switch back to
userPrincipalName again.
On windows it is possible to login either way: Using user@dn from
userPrincipalName as well as the value from sAMAccountName.
Any idea?
Sven
--
"I'm a bastard, and proud of it"
(Linus Torvalds, Wednesday Sep 6, 2000)
/me is giggls@ircnet, http://sven.gegg.us/ on the Web
10 years, 11 months
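The mismatch described in the post (a userPrincipalName whose suffix is not the Kerberos realm) can be audited before pointing ldap_user_principal at that attribute. The following is an added example, not code from the post or from SSSD: it takes a handful of constructed AD-style entries and the realm, and classifies each entry by whether its UPN suffix equals the realm, differs only in case, differs entirely, or is absent, reporting the sAMAccountName@REALM fallback for the problematic ones. The entries, realm and the "split at the last @" convention are assumptions of this example.

```python
"""Audit whether userPrincipalName values are usable as Kerberos principals.

Added example (not part of the original post). Given the configured Kerberos
realm and a list of directory entries, report the users whose userPrincipalName
would not yield user@REALM, which is the situation the post describes when
ldap_user_principal = userPrincipalName is set.
"""

from dataclasses import dataclass


@dataclass
class PrincipalCheck:
    sam_account_name: str
    upn: str
    status: str               # "ok", "case-differs", "suffix-differs" or "no-upn"
    fallback_principal: str   # what sAMAccountName@REALM would give instead


def split_principal(principal: str) -> tuple[str, str]:
    """Split 'name@SUFFIX' at the last '@' (assumption of this checker).

    A value without '@' is returned with an empty suffix.
    """
    name, sep, suffix = principal.rpartition("@")
    if not sep:
        return principal, ""
    return name, suffix


def check_entry(entry: dict, realm: str) -> PrincipalCheck:
    """Classify one entry; realm names are compared case-sensitively first
    because Kerberos realm names are case-sensitive."""
    sam = entry["sAMAccountName"]
    upn = entry.get("userPrincipalName", "")
    name, suffix = split_principal(upn)
    if not upn or not name:
        status = "no-upn"
    elif suffix == realm:
        status = "ok"
    elif suffix.upper() == realm.upper():
        status = "case-differs"
    else:
        status = "suffix-differs"
    return PrincipalCheck(sam, upn, status, f"{sam}@{realm}")


def audit_entries(entries, realm):
    """Return the checks for every entry whose UPN is not an exact user@REALM."""
    return [c for c in (check_entry(e, realm) for e in entries) if c.status != "ok"]


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userPrincipalName": "alice@EXAMPLE.ORG"},
    {"sAMAccountName": "bob", "userPrincipalName": "bob@mail.example.com"},  # mail-style suffix
    {"sAMAccountName": "carol", "userPrincipalName": "carol@example.org"},   # case differs only
    {"sAMAccountName": "dave"},                                              # no UPN at all
]
REALM = "EXAMPLE.ORG"

if __name__ == "__main__":
    for c in audit_entries(SAMPLE_ENTRIES, REALM):
        print(f"{c.sam_account_name}: {c.status}, userPrincipalName={c.upn or '<none>'!r}, "
              f"fallback {c.fallback_principal}")
```

Run against a real export of sAMAccountName/userPrincipalName pairs, any entry reported as "suffix-differs" or "no-upn" is one for which the sAMAccountName-based configuration from the post is the safer choice.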
A test repository with SSSD 1.9 for RHEL-6.3
by Jakub Hrozek
Hi,
even though RHEL-6.4 is still brewing, I think there might be some
interest in trying out the 1.9.x series of the SSSD on RHEL-6.3.
So I went ahead and built the SSSD 1.9.2 in a RHEL-6.3 buildroot:
http://repos.fedorapeople.org/repos/jhrozek/sssd/epel-6/
The NVR of these test packages will be lower than those in 6.4 to keep
the upgrade path clean. The only missing functionality is the PAC
responder, which means this SSSD version won't be able to work with
an AD domain that is in a trust relationship with an IPA 3.x domain. I
had to disable the PAC responder as it requires Kerberos 1.10.
Because some new functionality required tweaking the SELinux policy, you
will encounter AVC denials when the new fast cache is accessed. That
said, my quick smoke testing went fine and we will be glad to hear test
results or bug reports.
Using the repository comes with a warning - this is NOT an official Red
Hat supported repository. The packages have NOT gone through formal QA. If
it breaks your RHEL-6.3 installation, you get to keep the pieces.
This is the repo configuration I used:
--------------------------
[sssd-1.9-RHEL6.3]
name=SSSD 1.9.x built for latest stable RHEL
baseurl=http://repos.fedorapeople.org/repos/jhrozek/sssd/epel-6/$basearch/
enabled=1
skip_if_unavailable=1
gpgcheck=0
[sssd-1.9-RHEL6.3-source]
name=SSSD 1.9.x built for latest stable RHEL - Source
baseurl=http://repos.fedorapeople.org/repos/jhrozek/sssd/epel-6/SRPMS
enabled=0
skip_if_unavailable=1
gpgcheck=0
--------------------------
Happy testing!
10 years, 11 months
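The repo configuration in the post deliberately sets gpgcheck=0 and fetches over plain http, which is fine for a short-lived test repository but is exactly what one wants flagged on production hosts. As an added example (not code from the post or from the SSSD project), the following script parses a .repo file and lists every enabled repository that skips signature verification or pulls packages over http; the sample input is the repo configuration quoted above, and the yum defaults assumed (enabled=1 and gpgcheck=0 when the keys are missing) are noted in the code.

```python
"""Audit yum/dnf .repo definitions for unverified package sources.

Added example, not part of the original post. Reports every enabled repository
that disables GPG signature checking (gpgcheck=0) or fetches over plain http://.
"""

import configparser
from urllib.parse import urlparse

# The repo configuration quoted in the post, used here as sample input.
SAMPLE_REPO = """\
[sssd-1.9-RHEL6.3]
name=SSSD 1.9.x built for latest stable RHEL
baseurl=http://repos.fedorapeople.org/repos/jhrozek/sssd/epel-6/$basearch/
enabled=1
skip_if_unavailable=1
gpgcheck=0

[sssd-1.9-RHEL6.3-source]
name=SSSD 1.9.x built for latest stable RHEL - Source
baseurl=http://repos.fedorapeople.org/repos/jhrozek/sssd/epel-6/SRPMS
enabled=0
skip_if_unavailable=1
gpgcheck=0
"""


def audit_repo_text(text: str) -> dict:
    """Return {repo_id: [finding, ...]} for enabled repositories with weak settings."""
    # interpolation=None so that '$basearch' style placeholders are left untouched
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = {}
    for repo_id in parser.sections():
        sec = parser[repo_id]
        # Assumption: yum treats a missing 'enabled' as 1 and a missing
        # per-repo 'gpgcheck' as 0 (unless [main] overrides it).
        if sec.get("enabled", "1").strip() != "1":
            continue  # disabled repos cannot install anything
        problems = []
        if sec.get("gpgcheck", "0").strip() != "1":
            problems.append("gpgcheck disabled: package signatures are not verified")
        elif not sec.get("gpgkey"):
            problems.append("gpgcheck=1 but no gpgkey configured")
        for key in ("baseurl", "mirrorlist", "metalink"):
            for url in sec.get(key, "").split():
                if urlparse(url).scheme == "http":
                    problems.append(f"{key} fetched over plain http: {url}")
        if problems:
            findings[repo_id] = problems
    return findings


def audit_repo_file(path: str) -> dict:
    """Convenience wrapper for a .repo file on disk (e.g. under /etc/yum.repos.d/)."""
    with open(path, encoding="utf-8") as fh:
        return audit_repo_text(fh.read())


if __name__ == "__main__":
    for repo_id, problems in audit_repo_text(SAMPLE_REPO).items():
        for problem in problems:
            print(f"[{repo_id}] {problem}")
```

On the sample input only the enabled binary repository is reported (both for gpgcheck=0 and for the http baseurl); the source repository is skipped because it is disabled. Pointing audit_repo_file at each file in /etc/yum.repos.d/ turns this into a quick host check.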
CentOS 6.2 Kerberos Authentication Issue
by Hugo Lima
Hi guys,
I'm facing some trouble when I ssh to a CentOS 6.2 machine using AD
authentication. I am using SSSD, with krb5.conf and sssd.conf well
configured (tested on other OSes, like RHEL). The account information comes
back when I run id or getent passwd. It seems to be some trouble between ssh
and Kerberos.
I have already set 777 permissions on /tmp and disabled SELinux, since the
logs indicate a permission issue, but didn't get any success. I have tried an
update too, but in vain.
The krb5.child log is:
Can anyone help me?
Thanks,
Hugo Lima.
11 years
Announcing the release of SSSD 1.9.3
by Jakub Hrozek
=== SSSD 1.9.3 ===
The SSSD team is proud to announce the release of version 1.9.3 of
the System Security Services Daemon.
This release is mainly focused on fixing regressions in functionality
introduced by new features during the 1.9 development cycle or bugs in
the new features themselves.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora shortly, initially for F-18
and rawhide and later also backported to F-17. We will also provide test builds
for RHEL6.3 as was the case with 1.9.2.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel or
sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* Many fixes related to deployments where the SSSD is running as a client
of an IPA server with a trust relationship established with an Active Directory server
* Multiple fixes related to correct reporting of group memberships,
especially in setups that use nested groups
* Fixed a bug that prevented upgrade from the 1.8 series if the cache
contained nested groups before the upgrade
* Restarting the responders is more robust for cases where the machine is
under heavy load during back end restart
* The default_shell option can now also be set per-domain in addition to the
global setting
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1345
sssd does not warn into sssd.log for broken configurations
https://fedorahosted.org/sssd/ticket/1357
Init script reports complete before sssd is actually working
https://fedorahosted.org/sssd/ticket/1437
upstream spec should use systemd where available
https://fedorahosted.org/sssd/ticket/1482
"fullName" in sysdb doesn't match with the "name" ldap attribute on AD Server
https://fedorahosted.org/sssd/ticket/1528
SSSD_NSS failure to gracefully restart after sbus failure
https://fedorahosted.org/sssd/ticket/1581
sssd_be crashes while looking up users
https://fedorahosted.org/sssd/ticket/1583
Allow setting the default_shell per-domain
https://fedorahosted.org/sssd/ticket/1584
invalidating the memcache with sss_cache doesn't work if the sssd is not running
https://fedorahosted.org/sssd/ticket/1589
sss_cache says 'Wrong DB version'
https://fedorahosted.org/sssd/ticket/1590
sssd does not resolve group names from AD
https://fedorahosted.org/sssd/ticket/1593
Silence the DEBUG messages when ID mapping code skips a built-in group
https://fedorahosted.org/sssd/ticket/1594
ldap_child crashes on using invalid keytab during gssapi connection
https://fedorahosted.org/sssd/ticket/1595
Password authentication with users coming via AD trust
https://fedorahosted.org/sssd/ticket/1596
Sudo smart refresh doesn't occur on time
https://fedorahosted.org/sssd/ticket/1600
The sssd_nss process grows the memory consumption over time
https://fedorahosted.org/sssd/ticket/1601
A wrong callback used causes getgrgid to not work for trusted domains
https://fedorahosted.org/sssd/ticket/1602
provider is forcibly killed with SIGKILL instead of SIGTERM if it's not responding
https://fedorahosted.org/sssd/ticket/1604
sssd not granting access for AD trusted user in HBAC rule
https://fedorahosted.org/sssd/ticket/1606
SSSD starts multiple processes due to syntax error in ldap_uri
https://fedorahosted.org/sssd/ticket/1608
sss_cache: Multiple domains not handled properly
https://fedorahosted.org/sssd/ticket/1610
subdomains: Invalid sub-domain request type.
https://fedorahosted.org/sssd/ticket/1611
authconfig chokes on sssd.conf with chpass_provider directive
https://fedorahosted.org/sssd/ticket/1612
Nested groups are not retrieved appropriately from cache
https://fedorahosted.org/sssd/ticket/1613
ipa client setup should configure host properly if a trust is in place
https://fedorahosted.org/sssd/ticket/1614
User appears twice on looking up a nested group
https://fedorahosted.org/sssd/ticket/1615
IPA client cannot change AD Trusted User password
https://fedorahosted.org/sssd/ticket/1616
sudo failing for ad trusted user in IPA environment
https://fedorahosted.org/sssd/ticket/1619
pam: fd leak when writing the selinux login file in the pam responder
https://fedorahosted.org/sssd/ticket/1623
Man page issue to list 'force_timeout' as an option for the [sssd] section
https://fedorahosted.org/sssd/ticket/1628
user id lookup fails using proxy provider
https://fedorahosted.org/sssd/ticket/1629
subdomains code does not save the proper user/group name
https://fedorahosted.org/sssd/ticket/1631
sysdb upgrade failed converting db to 0.11
https://fedorahosted.org/sssd/ticket/1635
investigate the behaviour of ldap_sasl_authid in 1.9.x
https://fedorahosted.org/sssd/ticket/1636
offline authentication failure always returns System Error
https://fedorahosted.org/sssd/ticket/1638
password expiry warning message doesn't appear during auth
https://fedorahosted.org/sssd/ticket/1640
"defaults" entry ignored
https://fedorahosted.org/sssd/ticket/1647
LDAP provider fails to save empty groups
https://fedorahosted.org/sssd/ticket/1649
ldap_connection_expire_timeout doesn't expire ldap connections
https://fedorahosted.org/sssd/ticket/1650
Wrong variable check in sudosrv_parse_query_send
https://fedorahosted.org/sssd/ticket/1651
Unchecked return value from waitpid()
https://fedorahosted.org/sssd/ticket/1652
updating top-level group does not reflect ghost members correctly
https://fedorahosted.org/sssd/ticket/1657
SIGSEGV in IPA provider when ldap_sasl_authid is not set
https://fedorahosted.org/sssd/ticket/1658
ipa password auth failing for user principal name when shorter than IPA Realm name
https://fedorahosted.org/sssd/ticket/1661
Allow backward compatible regex for domain / realm search in sssd 1.9
https://fedorahosted.org/sssd/ticket/1668
delete operation is not implemented for ghost users
https://fedorahosted.org/sssd/ticket/1669
sssd hangs at startup with broken configurations
https://fedorahosted.org/sssd/ticket/1671
mmap cache needs update after db changes
https://fedorahosted.org/sssd/ticket/1674
Explicit null dereferenced
https://fedorahosted.org/sssd/ticket/1683
arithmetic bug in the SSSD causes netgroup midpoint refresh to be always set to 10 seconds
https://fedorahosted.org/sssd/ticket/1684
Dereference after null check in sss_idmap_sid_to_unix
https://fedorahosted.org/sssd/ticket/1686
sssd crashes during start if id_provider is not mentioned
https://fedorahosted.org/sssd/ticket/1688
sssd_sudo prints wrong debug message when notBefore or notAfter attribute is missing
https://fedorahosted.org/sssd/ticket/1694
Incorrect synchronization in mmap cache
https://fedorahosted.org/sssd/ticket/1695
user is not removed from group membership during initgroups
== Packaging Changes ==
* The sss_cache has been moved from sss-tools subpackage to the main sssd package
* The upstream RPM uses a systemd unit file by default, rather than a SystemV init script
* Several rpmlint warnings have been fixed in the upstream spec file
== Detailed Changelog ==
Ariel O. Barria (1):
* Monitor quit when not exists no process no stops
Jakub Hrozek (42):
* Updating the version for the 1.9.3 release
* LDAP: Check validity of naming_context
* Allow setting the default_shell option per-domain as well
* KRB5: Return error when principal selection fails
* Free the internal DP request
* LDAP: Fix off-by-one error when saving ghost users
* Monitor: read the correct SIGKILL timeout for providers, too
* PAM: Do not leak fd after SELinux context file is written
* Do not always return PAM_SYSTEM_ERR when offline krb5 authentication fails
* KRB5: Rename variable to avoid shadowing a global declaration
* Only build extract_and_send_pac on platforms that support it
* Include the auth_utils.h header in the distribution
* SYSDB: Do not touch the member attribute during conversion to ghost users
* Provide AM_COND_IF-compatible implementation for old automake systems
* LDAP: Expire even non authenticated connections
* SUDO: Fix wrong variable check
* SERVER: Check the return value of waitpid
* LDAP: Allocate the temporary context on NULL, not memctx
* LDAP: Fix saving empty groups
* LDAP: use the correct memory context
* LDAP: Refactor saving ghost users
* Restart services with a delay in case they are restarted too often
* MAN: document the ldap_sasl_realm option
* LDAP: Provide a common sdap_set_sasl_options init function
* LDAP: Checking the principal should not be considered fatal
* LDAP: Make it possible to use full principal in ldap_sasl_authid again
* SYSDB: Use the add_string convenience functions for managing ghost user attribute
* LDAP: Only convert direct parents' ghost attribute to member
* MONITOR: Fix off-by-one error in add_string_to_list
* Handle compiling FQDN regular expression with old pcre gracefully
* MEMBEROF: Do not add the ghost attribute to self
* TESTS: Test ghost users in the RFC2307 schema
* NSS: Fix netgroup midpoint cache refresh
* LDAP: Continue adjusting group membership even if there is nothing to add
* MEMBEROF: Implement delete operation for ghost users
* MEMBEROF: split processing the member modify into a separate function
* MEMBEROF: Split the del ghost attribute op into a reusable function
* MEMBEROF: Split the add ghost operation into a separate function
* MEMBEROF: Implement the modify operation for ghost users
* MEMBEROF: Keep inherited ghost users around on modify operation
* RESOLV: return ENOENT if the address list is empty
* Updating the translations for the 1.9.3 release
Jan Cholasta (3):
* Use systemd by default on Fedora 16+
* Fix errors reported by rpmlint
* MAN: Move ssh_known_hosts_timeout documentation to the correct section
Michal Zidek (11):
* sss_cache: Multiple domains not handled properly
* util: Added new file util_lock.c
* sss_cache: Remove fastcache even if sssd is not running.
* util_lock.c: sss_br_lock_file accepted invalid parameter value
* debug: print fatal and critical errors if debug level is unresolved
* sss_cache: Small refactor.
* Uninitialized pointer read
* idmap: Silence DEBUG messages when dealing with built-in SIDs.
* Null pointer dereferenced.
* Dereference after null check in sss_idmap_sid_to_unix
* Missing parameter in DEBUG message.
Ondrej Kos (4):
* MAN: sssd-simple - suggest awareness of empty rules
* Display more information on DB version crash
* LDAP: fix uninitialized variable
* SYSDB: Don't operate with aliases same as name
Pavel Březina (23):
* sudo: do not fail if usn value is zero but full refresh is completed
* sudo refresh: handle errors properly
* authconfig: allow chpass_provider = proxy
* add SSSDBG_IMPORTANT_INFO macro
* fix indentation, coding style and debug levels in server.c
* make monitor_quit() usable outside signal handler
* exit original process after sssd is initialized
* create pid file immediately after fork again
* do not default fullname to gecos when schema = ad
* sss_dp_get_domains_send(): handle subreq error correctly
* subdomains: check request type on one place only
* backend: add PAC to the list of known clients
* sudo: fix missing parameter in two debug messages
* use tmp_ctx in sudosrv_get_sudorules_from_cache()
* sudo: support users from subdomains
* sudo: do not send domain name with username
* sudo: print how many rules we are refreshing or returning
* sudo: store rules with no sudoHost attribute
* fix SIGSEGV in IPA provider when ldap_sasl_authid is not set
* avoid versioning libsss_sudo
* warn user if password is about to expire
* do not crash when id_provider is not set
* sudo: print rule name if notBefore or notAfter attribute is missing
Simo Sorce (9):
* Simplify writing db update functions
* Refactor the way subdomain accounts are saved
* Handle conversion to fully qualified usernames
* mmap cache: public functions to invalidate records
* Hook to perform a mmap cache update from sssd_nss
* Hook for mmap cache update on initgroup calls
* Add backchannel NSS provider query on initgr calls
* Always append rctx as private data
* Add memory barrier to mmap cache client code loop
Stephen Gallagher (9):
* LDAP: Better debug logging when saving groups
* RPMS: Move sss_cache tool to main package
* Monitor: Better debugging for ping timeouts
* MAN: Specify the correct location for the force_timeout option
* SSSDConfig: Locate the force_timeout option in the correct sections
* MAN: Fix validation error caused by bad 'ca' translation
* SUDO: Remove unused variable
* BUILD: Temporary workaround for Kerberos build
* IPA: Handle bad results from c-ares lookup
Sumit Bose (34):
* Fix two errors in the nss responder
* subdomain-id: Generate homedir only for users not groups
* pac responder: fix copy-and-paste error
* sysdb: look for ranges in the parent tree
* pac responder: use only lower case user name
* pac responder: add user principal and name alias to cached user object
* krb5_auth_send: check for sub-domains
* sysdb: add sysdb_base_dn()
* check_ccache_files: search sub-domains as well
* Add replacement for krb5_find_authdata()
* krb5_auth: check if principal belongs to a different realm
* krb5_auth: send different_realm flag to krb5_child
* krb5_child: send PAC to PAC responder
* krb5_mod_ccname: replace wrong memory context
* krb5_child: send back the client principal
* Add new call find_or_guess_upn()
* Use find_or_guess_upn() where needed
* krb5_auth: update with correct UPN if needed
* sss_parse_name_for_domains: always return the canonical domain name
* Make sub-domains case-insensitive
* Clarify debug message about initgroups and subdomains
* Do not remove a group if it has members from subdomains
* Add diff_gid_lists() with test
* Add pac_user_get_grp_info() to read current group memberships
* Get lists of GIDs to be added and deleted and use them
* Store the original group DN in the subdomain user object
* Add string_in_list() and add_string_to_list() with tests
* Always start PAC responder if IPA ID provider is configured
* Run IPA subdomain provider if IPA ID provider is configured
* Do not save HBAC rules in subdomain subtree
* Just use the service name with krb5_get_init_creds_password()
* Fix compare_principal_realm() check
* Disable canonicalization during password changes
* KRB5: Work around const warning for krb5 releases older than 1.11
Timo Aaltonen (1):
* link sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy with -lpthread
11 years