ldap_sasl_mech EXTERNAL and SSL client authc
by Michael Ströder
Hi!
Is it possible to use SASL/EXTERNAL when connecting to an LDAP server with
StartTLS or LDAPS using client certs?
In a project they have certs in all systems anyway (because of using puppet)
and I'd like to let the sssd instances on all the systems authenticate to the
LDAP server to restrict visibility of LDAP entries by ACL. I'd like to avoid
having to set/configure passwords for each system's sssd.
Ciao, Michael.
9 years, 1 month
sssd performance problem
by Sami K
Hello,
We have lately been having big problems with sssd caching. On our ssh
servers (each with ~100-200 users) login may take several minutes, as the
sssd_be process uses 100% CPU time, and the sssd_be process may stay in this
state for days. Clearing the cache and restarting sssd during the day
usually helps, and then everything works for a few days, sometimes only hours.
It is not clear what triggers this behaviour, maybe some combination
of lots of users and a cache update at the same time.
The culprit seems to have been the addition of a few big groups to LDAP lately
for our access policy, worsening the situation and sssd performance.
On a test server a simple id command with an empty cache and the same settings as in
production takes:
[root@testsk tmp]# time id testusr
uid=1143(testusr) gid=100(users)
groups=100(users),3318(roam),3102(nixe),1000(staff1),3785(wl-staff1),3119(system),3402(fileaccess),3377(vpn1),120(grp2),3123(devel),1001(devel3),3378(vpn2),3266(usr),3386(access3)
real 0m28.689s
user 0m0.006s
sys 0m0.007s
We currently have several groups with around 17 000 and 3000 users, so this
id query creates over 100k ghost users in the cache:
[root@testsk tmp]# ldbsearch -H /var/lib/sss/db/cache_TESTAUTH.ldb | grep ghost | wc -l
asq: Unable to register control with rootdse!
105196
Indeed, with full debug (the id command then takes over 1 minute) all I
see in the logs is the LDAP backend mostly adding ghost users to the cache, as it adds
information from _all_ groups related to that uid. As the backend is not
responding to monitor pings fast enough, the monitor tries to kill and
restart it. The same happens on the production servers. I have already extended the
timeout to 60 but it seems not to be enough.
This latter case seems to be relevant especially since we started to receive
complaints from some people that httpd authentication was not working.
The Apache error log shows:
[Tue Oct 29 12:21:36 2013] [error] [client xxx.xx.xx.xx] GROUP: testuser
not in required group(s).
when in fact the user is in the required group, but it seems that sssd just
fails to respond fast enough. This is (PAM, AuthType Basic, Require group
testgroup) kind of authentication.
This is on RHEL6.4, sssd-1.9.2-82.10.el6_4.x86_64. Configured services
nss, ldap:
sanitized config:
------------------------
[sssd]
config_file_version = 2
debug_level = 1
reconnection_retries = 3
timeout = 60
services = nss
domains = TESTAUTH
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 1
[domain/TESTAUTH]
debug_level = 1
ldap_purge_cache_timeout = 3600
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://authserv.test
ldap_search_base = dc=test
ldap_user_search_base = ou=People,dc=test
ldap_group_search_base = ou=Group,dc=test
So in the end, any ideas or suggestions on how to improve the situation? Of
course I'm willing to debug/test this more if needed, as the current
situation is almost disastrous.
Cheers,
- Sami
PS. A quick test on Fedora 19 with sssd-1.11.1-4.fc19 made the same queries
in 7 seconds or less, so apparently some progress in performance has been
made. Any idea when RHEL6 sssd would be rebased? I tried to compile the latest
git version on RHEL6 but I couldn't find all the required components (for example:
configure: error: you must have the cifsidmap header installed to build the
idmap plugin).
10 years, 5 months
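An added example, not code from the thread or from the SSSD project: the ghost count above is a single total, but the practitioner's question is which groups are producing it. This Python script parses the LDIF that ldbsearch prints for the group entries of the sysdb cache and reports ghost members per group. It assumes group entries live under name=<group>,cn=groups,cn=<domain>,cn=sysdb with a `name` attribute and one `ghost` value per unresolved member; the LDIF in SAMPLE_LDIF is constructed to look like ldbsearch output (comments, a base64 value and a folded continuation line included).

```python
"""Report ghost members per group from an SSSD sysdb cache dump.

Added example, not code from the thread or from the SSSD project.
Feed it the LDIF that ldbsearch prints for the group entries of the
cache; it prints the groups with the most ghost members and the total.
Assumptions: group entries live under cn=groups,cn=<domain>,cn=sysdb and
carry a `name` attribute and one `ghost` value per unresolved member.
"""
import base64
import re
import sys
from collections import Counter

# "attr: value" or "attr:: base64value" (LDIF line format used by ldbsearch)
ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")

# Constructed sample in the shape ldbsearch emits.
SAMPLE_LDIF = """\
# record 1
dn: name=devel,cn=groups,cn=TESTAUTH,cn=sysdb
name: devel
ghost: alice
ghost: bob
ghost: carol

# record 2
dn: name=usr,cn=groups,cn=TESTAUTH,cn=sysdb
name:: dXNy
ghost: dave
ghost: a-very-long-user-name-that-ldbsearch-wrapp
 ed-onto-two-lines

# record 3
dn: name=staff1,cn=groups,cn=TESTAUTH,cn=sysdb
name: staff1
memberuid: erin

# returned 3 records
"""


def parse_ldif(text):
    """Return a list of {attr: [values]} dicts, one per `dn:` record.

    Continuation lines (leading space) are unfolded, `::` values are
    base64-decoded, and comments plus anything before the first dn (such
    as the asq warning ldbsearch prints) are ignored.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    records, current = [], None
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if m is None:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        if attr == "dn":
            current = {}
            records.append(current)
        elif current is None:
            continue
        current.setdefault(attr, []).append(value)
    return records


def ghost_counts(records):
    """Map group name -> number of ghost members (groups without ghosts omitted)."""
    counts = Counter()
    for rec in records:
        if "ghost" in rec:
            name = rec.get("name", rec["dn"])[0]
            counts[name] += len(rec["ghost"])
    return counts


def ghost_report(ldif_text, top=10):
    """Return ([(group, ghosts), ...] sorted by descending count, total ghosts)."""
    counts = ghost_counts(parse_ldif(ldif_text))
    return counts.most_common(top), sum(counts.values())


def main():
    text = sys.stdin.read() if len(sys.argv) < 2 else open(sys.argv[1]).read()
    top, total = ghost_report(text)
    for group, n in top:
        print("%8d  %s" % (n, group))
    print("%8d  total" % total)


if __name__ == "__main__":
    main()
```

Run it against a live cache with `ldbsearch -H /var/lib/sss/db/cache_TESTAUTH.ldb '(objectClass=group)' name ghost | python ghost_report.py`; the groups at the top of the list are the ones whose membership expansion fills the cache during a single `id`.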
SSSD with id_provider ldap and auth_provider krb5-ad
by Pieter Baele
Hello everyone,
I made a configuration where I use Active Directory Kerberos as the
authentication source,
but OpenDJ LDAP (ForgeRock) as id_provider, sudo_provider etc.
I configured everything using the excellent tool msktutil, so no Samba or
ktpass.exe involved.
Basically, this is my sssd.conf:
[domain/DOMAIN]
ldap_id_use_start_tls = True
ldap_schema = rfc2307bis
ldap_search_base = dc=xyz
id_provider = ldap
access_provider = ldap
ldap_access_filter = isMemberOf=zyx
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://xyz
cache_credentials = true
sudo_provider = ldap
ldap_sudo_search_base = ou=xyz
ldap_netgroup_search_base = ou=xyz
ldap_group_name = uniqueMember
entry_cache_netgroup_timeout = 300
entry_cache_sudo_timeout = 300
ldap_sasl_mech = GSSAPI
ldap_force_upper_case_realm = True
ldap_krb5_keytab = /etc/krb5.keytab
krb5_keytab = /etc/krb5.keytab
krb5_realm = MSNET.RAILB.BE
krb5_ccachedir = /tmp
krb5_validate = True
krb5_auth_timeout = 15
ldap_sasl_authid = HOSTNAME$@MSNET.RAILB.BE
ldap_krb5_init_creds = true
debug_level = 5
I only have one problem: I have to create a "uid=HOSTNAME$" entry in my
LDAP servers, which is now objectClass account.
By default, OpenDJ makes a GSSAPI match based on a regexp for uid.
But if I want to use objectClass ipHost/device, then cn is used instead of
uid.
Any idea what the nicest solution is here?
SSO also works perfectly between Linux hosts, but I can't succeed in using PuTTY
to use my Windows credentials/ticket to sign on to the sssd-enabled hosts.
Sincerely, PieterB
10 years, 5 months
RE: sssd access to server with read only root
by Chris Petty
I guess I naively thought I needed it, but I removed the pam_krb libs from all the system/password-auth sections of the test machines and things still work as normal.
I still get the same errors on the ro-root machine, however:
Oct 31 13:37:13 node48 sshd[5983]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=hugin.biac.duke.edu user=cmp12
Oct 31 13:37:13 node48 sshd[5983]: debug1: PAM: password authentication accepted for cmp12
Oct 31 13:37:13 node48 sshd[5983]: debug1: do_pam_account: called
Oct 31 13:37:13 node48 sshd[5907]: debug2: channel 0: rcvd adjust 49852
Oct 31 13:37:15 node48 sshd[5983]: pam_sss(sshd:account): Access denied for user cmp12: 4 (System error)
Oct 31 13:37:15 node48 sshd[5983]: Failed password for cmp12 from 10.136.52.5 port 38218 ssh2
Oct 31 13:37:15 node48 sshd[5984]: fatal: Access denied for user cmp12 by PAM account configuration
(Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [sdap_access_filter_get_access_done] (0x0400): Access granted by online lookup
(Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [sdap_account_expired_ad] (0x0400): Performing AD access check for user [cmp12]
(Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [sdap_account_expired_ad] (0x4000): User account control for user [cmp12] is [200].
(Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [sdap_account_expired_ad] (0x4000): Expiration time for user [cmp12] is [9223372036854775807].
(Thu Oct 31 13:48:12 2013) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
Running version 1.9.2:
sssd-1.9.2-82.4.el6_4.x86_64
Thanks,
-Chris
Why do you have pam_krb5 in the picture at all?
I am not sure this is the cause of the problem but this seems odd.
What version of SSSD are we talking about?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
10 years, 5 months
Re: [SSSD-users] sssd access to server with read only root
by Chris Petty
I have a working config on multiple machines; now I am taking this
config to our computing cluster, which I manage with oneSIS.
It has a ro root with various nfs mounts for writable locations and other
pieces in an actual ramdisk at bootup.
/var/lib/sss has a writable location in the ram disk.
When I have my / drive mounted ro, pam_sss/sshd rejects my login
(after it tells me that I've authenticated successfully and I get a
kerberos ticket).
If I remount the root filesystem rw, everything works as expected. If I
remove the sss line from my pam.d/password-auth, everything also works,
even in ro, because I am not using the piece that's throwing the System
error.
"account [default=bad success=ok user_unknown=ignore] pam_sss.so"
Any advice on how to make this work would be greatly appreciated. My
same sssd.conf is working fine on various other machines without the ro
root.
-Chris
Some snippets from the logs; I truncated things because I have sssd
and pam at very high levels of logging for now.
from secure log:
Oct 31 10:53:32 node48 sshd[5843]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost user=cmp12
Oct 31 10:53:33 node48 sshd[5843]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=myhost user=cmp12
Oct 31 10:53:33 node48 sshd[5843]: debug1: PAM: password authentication accepted for cmp12
Oct 31 10:53:33 node48 sshd[5843]: debug1: do_pam_account: called
Oct 31 10:53:33 node48 sshd[5843]: pam_sss(sshd:account): Access denied for user cmp12: 4 (System error)
.
. get a valid krb5 ticket from the server
.
Oct 31 10:53:34 node48 sshd[5843]: pam_krb5[5843]: pam_acct_mgmt returning 0 (Success)
Oct 31 10:53:34 node48 sshd[5843]: Failed password for cmp12 from 10.136.52.5 port 42199 ssh2
Oct 31 10:53:34 node48 sshd[5844]: fatal: Access denied for user cmp12 by PAM account configuration
from sssd_default.log:
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [be_pam_handler] (0x0100): Got request with the following data
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): domain: default
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): user: cmp12
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): service: sshd
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): tty: ssh
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): ruser:
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): rhost: hugin.biac.duke.edu
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): authtok type: 0
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): authtok size: 0
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): newauthtok size: 0
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): priv: 1
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): cli_pid: 5865
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [cmp12]
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [sdap_account_expired_ad] (0x0400): Performing AD access check for user [cmp12]
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [sdap_account_expired_ad] (0x4000): User account control for user [cmp12] is [200].
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [sdap_account_expired_ad] (0x4000): Expiration time for user [cmp12] is [9223372036854775807].
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [be_pam_handler_callback] (0x0400): SELinux provider doesn't exist, not sending the request to it.
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sending result [0][default]
(Thu Oct 31 11:22:40 2013) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sent result [0][default]
10 years, 5 months
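An added example for the read-only-root case above, not code from the thread and not part of SSSD: the backend log says access was granted while pam_sss reports a System error, so a first check is which of the daemon's writable paths actually land on the ro root rather than on the ramdisk or an NFS mount. The script parses /proc/mounts, resolves each path to its longest-prefix mount point and flags the ones whose mount carries the `ro` option. The path list is an assumption about a typical RHEL 6 / SSSD 1.9 layout and should be adjusted to the local build; SAMPLE_MOUNTS is constructed to resemble the cluster node described in the post.

```python
"""Find SSSD runtime paths that sit on a read-only filesystem.

Added example, not code from the thread or from the SSSD project. On a
host with a read-only root and selected writable mounts (ramdisk, NFS),
resolve each path the daemon writes to against /proc/mounts and flag the
ones that land on a mount carrying the `ro` option.
Assumptions: SSSD_WRITE_PATHS reflects a typical RHEL 6 / SSSD 1.9 layout
and SAMPLE_MOUNTS is constructed to look like /proc/mounts.
"""
import os
import re

# Assumed writable locations of an SSSD 1.9 install on RHEL 6.
SSSD_WRITE_PATHS = [
    "/var/lib/sss/db",       # sysdb cache (ldb files)
    "/var/lib/sss/mc",       # memory-mapped fast cache read by the NSS client
    "/var/lib/sss/pipes",    # sockets the responders listen on
    "/var/lib/sss/pubconf",  # krb5 include files written by the backend
    "/var/log/sssd",         # daemon logs
    "/var/run",              # sssd.pid
]

# Constructed /proc/mounts content: read-only root, tmpfs for /var/lib/sss
# and /var/run, and nothing mounted over /var/log.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/sda1 / ext4 ro,relatime,barrier=1,data=ordered 0 0
proc /proc proc rw,relatime 0 0
tmpfs /var/lib/sss tmpfs rw,relatime,size=65536k 0 0
tmpfs /var/run tmpfs rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0
"""

# The kernel writes space, tab, newline and backslash in mount points as \ooo.
_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def parse_mounts(text):
    """Return {mountpoint: set(options)} from /proc/mounts-style text.

    Later lines win when the same mountpoint appears twice, matching how
    the kernel stacks mounts (the rootfs line is hidden by the real root).
    """
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint = _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), fields[1])
        mounts[mountpoint] = set(fields[3].split(","))
    return mounts


def mount_for(path, mounts):
    """Longest-prefix mountpoint for path ("/" when nothing else matches).

    Prefix matching is done on whole path components, so /var/lib/sssd is
    not treated as living under a /var/lib/sss mount.
    """
    path = os.path.normpath(path)
    best = "/"
    for mp in mounts:
        prefix = mp.rstrip("/") + "/"
        if (path == mp or path.startswith(prefix)) and len(mp) > len(best):
            best = mp
    return best


def readonly_paths(paths, mounts_text):
    """Return [(path, mountpoint)] for each path whose mount has the ro option."""
    mounts = parse_mounts(mounts_text)
    hits = []
    for p in paths:
        mp = mount_for(p, mounts)
        if "ro" in mounts.get(mp, set()):
            hits.append((p, mp))
    return hits


def main():
    with open("/proc/mounts") as fh:
        text = fh.read()
    hits = readonly_paths(SSSD_WRITE_PATHS, text)
    for p, mp in hits:
        print("%-24s read-only (mount %s)" % (p, mp))
    for p in SSSD_WRITE_PATHS:
        if not os.path.isdir(p):
            print("%-24s missing" % p)
    if not hits:
        print("all listed paths are on rw mounts")


if __name__ == "__main__":
    main()
```

On the constructed sample only /var/log/sssd falls back to the ro root; on a real node run the script as root and compare its output with what the daemon and pam_sss log, since a path that is writable but missing (the "missing" lines) is just as fatal as one on a read-only mount.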
Announcing SSSD 1.11.2
by Jakub Hrozek
=== SSSD 1.11.2 ===
The SSSD team is proud to announce the release of version 1.11.2 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora 19, 20 and rawhide shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* A new option ad_access_filter was added. This option allows the
administrator to easily configure an LDAP search filter that users logging
in must match in order to be granted access
* Group resolution now supports resolving group members from different
trusted AD domains in a single forest
* A bug that prevented a configuration file with trailing spaces from being
loaded was fixed
* SSSD no longer crashes if the LDAP connection is terminated while LDAP
requests are still in progress
* Several important bugs related to the Global Catalog support were fixed:
* SSSD now correctly falls back to LDAP lookups in case Global Catalog
is not reachable
* If the AD servers were specified using the ad_server option and not
autodiscovered, server fail over did not work correctly with 1.11.1
== Feature removal ==
* The Kerberos provider is no longer able to create public directories
when evaluating the krb5_ccachedir option. This is a backwards-incompatible
change. Creating public directories is something the system administrator
should perform in order for the directories to have the correct permissions
and allow the authentication daemon to create user directories as private
only.
== Documentation Changes ==
* The decimal debug levels are now recommended instead of the advanced
hexadecimal levels which are more suitable for developers
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1968
Memory grows if subdomain goes away in the AD provider
https://fedorahosted.org/sssd/ticket/2030
getent response requires sssd restart after trust add
https://fedorahosted.org/sssd/ticket/2064
ad: unable to resolve membership when user is from different domain than group
https://fedorahosted.org/sssd/ticket/2071
Ccache directory creation leads to unexpected results
https://fedorahosted.org/sssd/ticket/2082
[RFE] Add a new option ad_access_filter
https://fedorahosted.org/sssd/ticket/2092
Group lookup is not returned immediately after service startup
https://fedorahosted.org/sssd/ticket/2100
sudo responder does not support specifying just one of sudoNotBefore/sudoNotAfter
https://fedorahosted.org/sssd/ticket/2101
Use idrange of forest root if there is none for a member domain and type is ipa-ad-trust-posix
https://fedorahosted.org/sssd/ticket/2104
AD provider should fall back the LDAP if Global Catalog is not reachable
https://fedorahosted.org/sssd/ticket/2105
Do not show 'Could not add new domain' error messages if ldap_id_mapping=false
https://fedorahosted.org/sssd/ticket/2112
Coverity reported potential NULL dereference
https://fedorahosted.org/sssd/ticket/2116
SID looksups are not handled if noexist_delete flag is set
https://fedorahosted.org/sssd/ticket/2121
ipa ad trusted user lookups failed with sssd_be crash
https://fedorahosted.org/sssd/ticket/2123
Creating system accounts on a IdM client takes up to 10 minutes when AD trust is configured in the IdM.
https://fedorahosted.org/sssd/ticket/2124
sssd_nss exited abnormally and generated core files.
https://fedorahosted.org/sssd/ticket/2126
sssd_be segfault when authenticating against active directory
https://fedorahosted.org/sssd/ticket/2131
NSS responder doesn't qualify memberuid and ghost users of groups that contain members from different domains
== Detailed Changelog ==
Jakub Hrozek (23):
* Updating the version for the 1.11.2 release
* krb5: Fix unit tests
* INI: Disable line-wrapping functionality
* KRB5: Return PAM_ACCT_EXPIRED when logging in as expired AD user
* PROXY: Fix memory hierarchy when enumerating services
* Inherit ID limits of parent domains if set
* SYSDB: Add sysdb_delete_by_sid
* LDAP: Delete entry by SID if not found
* LDAP: Amend sdap_access_check to allow any connection
* LDAP: Parse FQDN into name/domain for subdomain users
* AD: Add a new option ad_access_filter
* AD: Use the ad_access_filter if it's set
* AD: Search GC by default during access control, fall back to LDAP
* AD: Add extended access filter
* TEST: Test getgrnam with emphasis on members
* NSS: Print FQDN for groups with mixed domain membership
* KRB5: Handle ERR_CHPASS_FAILED
* NSS: Fix service enumeration
* MAN: Document that krb5 directories can only be created as private
* LDAP: Check all search bases during nested group processing
* NSS: Fix parenthesis
* AD: Fix ad_access_filter parsing with empty filter
* Updating translation for the 1.11.2 release
Lukas Slebodnik (9):
* LDAP: Set default value for dyndns update to false
* krb5: Remove warning dereference of a null pointer
* krb5: Use right function to free data.
* AD: Prefer GC port from SRV record
* AD: fall back to LDAP if GC is not available.
* tests: Use right format string for type size_t
* Makefile: Add missing libraries
* Makefile: Remove unused variable TEST_MOCK_OBJ
* LDAP: Return correct error code
Pavel Březina (23):
* sudo: allow specifying only one time restriction
* sudo: improve time restrictions debug messages
* nss: wait for initial subdomains request to finish
* subdomains: first destroy ptask then remove sdom
* dp: make subdomains refresh interval configurable
* dp: store list of ongoing requests
* utils: add ERR_DOMAIN_NOT_FOUND error code
* dp: set request domain
* dp: add function to terminate request of specific domain
* dp: free sdap domain if subdomain is removed
* be_ptask: add be_ptask_create_sync()
* dp: convert cleanup task to be_ptask
* ipa: destroy cleanup task when subdomain is removed
* ad: destroy ptasks when subdomain is removed
* sdap_save_user: try to determine domain by SID
* sdap_save_group: try to determine domain by SID
* free sid obtained from sss_idmap_unix_to_sid()
* ad: shortcut if possible during get object by ID or SID
* sdap: store base dn in sdap_domain
* sdap: add sdap_domain_get_by_dn()
* ghosts: pick correct domain for every member
* sdap_fill_memberships: pick correct domain for every member
* nested groups: pick correct domain for cache lookups
Simo Sorce (1):
* krb5: Remove ability to create public directories
Stephen Gallagher (4):
* SYSDB: Fix incorrect DEBUG message
* MAN: Clarify debug level documentation
* MAN: Reflow debug_levels.xml
* BUILD: Update bashrc macros
Sumit Bose (17):
* AD: properly initialize GC from ad_server option
* LDAP: handle SID requests if noexist_delete is set
* IPA server mode: properly initialize ext_groups
* idmap: add internal function to free a domain struct
* idmap: fix a memory leak if a collision is detected
* idmap: allow ranges with external mapping to overlap
* sdap_idmap: add sdap_idmap_get_configured_external_range()
* sdap_idmap: properly handle ranges for external mappings
* Add unconditional online callbacks
* IPA: add callback to reset subdomain timeouts
* sdap_get_generic_ext_send: check if we are still connected
* find_subdomain_by_sid: skip domains with missing domain_id
* idmap: add sss_idmap_domain_by_name_has_algorithmic_mapping()
* sdap_idmap_domain_has_algorithmic_mapping: add domain name argument
* IPA: add trusted domains with missing idrange
* ad_subdom_store: check ID mapping of the domain not of the parent
* be_spy_create: free be_req and not the long living data
10 years, 5 months
SSSD - GDM login
by Roberts Klotiņš
Hi, many thanks. I am attaching the files, as otherwise the one that relates to
the domain is very large. Curiously though, the krb5_child.log is empty (0
bytes) "so it will not be attached".
And I apologize for not paying attention to the subject; in Gmail it is a bit
fiddly.
Roberts
On 25 October 2013 02:25, <sssd-users-request(a)lists.fedorahosted.org> wrote:
> Message: 1
> Date: Thu, 24 Oct 2013 16:24:41 +0200
> From: Jakub Hrozek <jhrozek(a)redhat.com>
> To: sssd-users(a)lists.fedorahosted.org
> Subject: Re: [SSSD-users] sssd-users Digest, Vol 18, Issue 25
>
> On Thu, Oct 24, 2013 at 02:01:11PM +0100, Roberts Klotiņš wrote:
> > Hi Thanks a lot for looking into this.
> >
> > As you suspected - there is something that enterprise simple login added
> > into the config file file:
> >
> > [sssd]
> > services = nss, pam
> > config_file_version = 2
> > domains = PEOPLE
> >
> > [nss]
> > filter_users = root
> > filter_groups = root
> >
> > [pam]
> >
> > [domain/PEOPLE]
> > description = PEOPLE AD domain
> > id_provider = ad
> > auth_provider = ad
> > access_provider = ad
> > chpass_provider = ad
> >
> > ad_server = srv1.people.local
> > ad_hostname = client1.people.local
> > ad_domain = PEOPLE.LOCAL
> > case_sensitive = false
> >
> > enumerate = true
> > cache_credentials = true
> > simple_allow_users = usr1, usr2
>
> Did you modify the config file anyhow? I find it surprising that there is
> both "access_provider=ad" and "simple_allow_users". For the simple allow
> users to work, I would have expected "access_provider=simple".
>
> >
> > However when I deleted the last line in this file I got the same result.
> > /var/log/secure
> > datet:42:54 robbie gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:1 ruser= rhost= user=PEOPLE\usr2
> > datet:42:54 robbie gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:1 ruser= rhost= user=PEOPLE\usr2
> > datet:42:54 robbie gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr2: 6 (Permission denied)
> > datet:42:59 robbie gdm-password]: pam_unix(gdm-password:auth): conversation failed
> > datet:42:59 robbie gdm-password]: pam_unix(gdm-password:auth): auth could not identify password for [PEOPLE\usr2]
> > datet:42:59 robbie gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:1 ruser= rhost= user=PEOPLE\usr2
> > datet:42:59 robbie gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr2: 7 (Authentication failure)
> >
> > It appears I may need to configure something in pam, but maybe that is
> not
> > the case??
>
> Ah, in the /var/log/secure snippet you sent earlier there was also
> access denied, which is why I was suspecting the access provider to be
> the problem.
>
> Can you put debug_level=7 into the [domain] section, restart the SSSD
> and attach the contents of /var/log/sssd/sssd_PEOPLE.log and
> /var/log/sssd/krb5_child.log
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 25 Oct 2013 02:25:04 +0100
> From: Roberts Klotiņš <roberts.klotins(a)gmail.com>
> To: sssd-users(a)lists.fedorahosted.org
> Subject: Re: [SSSD-users] sssd-users Digest, Vol 18, Issue 25
>
> Hi again, still trying to understand how to make the setup work.
>
> As the very last thing I thought to check /etc/sysconfig/authconfig.
> What I found was that usekerberos and useldap were set to no. Maybe they
> (or at least kerberos) need to be set to yes?
>
> # cat /etc/sysconfig/authconfig
> IPADOMAINJOINED=no
> USEMKHOMEDIR=yes
> USEPAMACCESS=no
> CACHECREDENTIALS=yes
> USESSSDAUTH=yes
> USESHADOW=yes
> USEWINBIND=no
> USEDB=no
> FORCELEGACY=no
> USEFPRINTD=no
> USEHESIOD=no
> FORCESMARTCARD=no
> PASSWDALGORITHM=sha512
> USELDAPAUTH=no
> IPAV2NONTP=no
> USELOCAUTHORIZE=yes
> USEECRYPTFS=no
> USEIPAV2=no
> USEWINBINDAUTH=no
> USESMARTCARD=no
> USELDAP=no
> USENIS=no
> USEKERBEROS=no
> USESYSNETAUTH=no
> USESSSD=yes
> USEPWQUALITY=yes
> USEPASSWDQC=no
>
>
> On 24 October 2013 15:02, Roberts Klotiņš <roberts.klotins(a)gmail.com>
> wrote:
>
> > Sorry to trouble again with this. but I thought it might be relevant to
> > look through pam modules;
> >
> > I found sss present as per system installation; I have not modified the
> > file
> >
> > # cat /etc/pam.d/password-auth
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth required pam_env.so
> > auth sufficient pam_unix.so nullok try_first_pass
> > auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> > auth sufficient pam_sss.so use_first_pass
> > auth required pam_deny.so
> >
> > account required pam_unix.so broken_shadow
> > account sufficient pam_localuser.so
> > account sufficient pam_succeed_if.so uid < 1000 quiet
> > account [default=bad success=ok user_unknown=ignore] pam_sss.so
> > account required pam_permit.so
> >
> > password requisite pam_pwquality.so try_first_pass retry=3
> > authtok_type=
> > password sufficient pam_unix.so sha512 shadow nullok try_first_pass
> > use_authtok
> > password sufficient pam_sss.so use_authtok
> > password required pam_deny.so
> >
> > session optional pam_keyinit.so revoke
> > session required pam_limits.so
> > -session optional pam_systemd.so
> > session optional pam_oddjob_mkhomedir.so
> > session [success=1 default=ignore] pam_succeed_if.so service in crond
> > quiet use_uid
> > session required pam_unix.so
> > session optional pam_sss.so
> >
> > And GDM password config file includes the above:
> >
> > # cat /etc/pam.d/gdm-password
> > auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
> > auth substack password-auth
> > auth optional pam_gnome_keyring.so
> > auth include postlogin
> >
> > account required pam_nologin.so
> > account include password-auth
> >
> > password include password-auth
> >
> > session required pam_selinux.so close
> > session required pam_loginuid.so
> > session optional pam_console.so
> > -session optional pam_ck_connector.so
> > session required pam_selinux.so open
> > session optional pam_keyinit.so force revoke
> > session required pam_namespace.so
> > session include password-auth
> > session optional pam_gnome_keyring.so auto_start
> > session include postlogin
> >
> > I don't know where to look further in troubleshooting domain logons. I
> > kind of hope it is some obvious misconfiguration in my sssd.conf which I
> > posted before. Many thanks for looking at this,
> >
> > Roberts
> >
> >>> Message: 1
> >>> Date: Thu, 24 Oct 2013 09:59:50 +0100
> >>> From: Roberts Klotiņš <roberts.klotins(a)gmail.com>
> >>> To: sssd-users(a)lists.fedorahosted.org
> >>> Subject: [SSSD-users] GDM login
> >>>
> >>> Hello,
> >>>
> >>> After 2 days of reading on Samba4 SSSD and AD login I am running into
> >>> problems. I have set up
> >>> - AD server with Samba 4.2 (CentOS 6.3) - domain PEOPLE.LOCAL
> >>> - Fedora 19 machine
> >>> - Windows XP machine joined the domain without problems, I can run
> >>> dsa.msc successfully
> >>>
> >>> I want to achieve AD user login from gdm. I understand that I should
> >>> create a user with dsa.msc and then I don't know if I should add it through
> >>> the Fedora 19 user control panel. I tried it anyhow (was useful in debugging)
> >>> but changes do not persist.
> >>>
> >>> I set up sssd (ver 1.11.1) it seems alright with AD options:
> >>> - id and getent work for passwords and groups
> >>>
> >>> In my sssd.conf I have specified the domain as [domain\PEOPLE],
> >>> as all the correct server addresses etc. are given there and it is easier
> >>> to refer to the domain just by one name.
> >>> sssd loads fine, getent passwd 'PEOPLE\user' works
> >>>
> >>> - realm discover gives this result
> >>> realm discover --verbose PEOPLE.LOCAL
> >>> * Resolving: _ldap._tcp.people.local
> >>> * Performing LDAP DSE lookup on: 192.168.1.74
> >>> ! Received invalid or unsupported Netlogon data from server
> >>> people.local
> >>> type: kerberos
> >>> realm-name: PEOPLE.LOCAL
> >>> domain-name: people.local
> >>> configured: no
> >>>
> >>> I can add previously defined domain user via Settings - User : Enterprise
> >>> with correct username and password, however this does not persist - if I
> >>> close the user admin panel and then re-open it, the added user is gone.
> >>>
> >>> If I try to log on from GDM (user not listed so I use PEOPLE\user) I get
> >>> authentication failure
> >>> /var/log/secure gives these messages:
> >>>
> >>> date:00:19 host gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
> >>> date:00:19 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
> >>> date:00:19 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr1: 6 (Permission denied)
> >>> date:00:48 host gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
> >>> date:00:48 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
> >>> date:00:48 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr1: 6 (Permission denied)
> >>> date:01:40 host gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr2
> >>> date:01:40 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr2
> >>> date:01:40 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr2: 6 (Permission denied)
> >>> date:01:46 host gdm-password]: pam_unix(gdm-password:auth): conversation failed
> >>> date:01:46 host gdm-password]: pam_unix(gdm-password:auth): auth could not identify password for [PEOPLE\usr2]
> >>> date:01:46 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr2
> >>> date:01:46 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr2: 7 (Authentication failure)
> >>> date:01:46 host gdm-password]: gkr-pam: no password is available for user
> >>>
> >>> Could someone point me in the right direction as to what is wrong with my
> >>> setup. I have sorted some problems out by myself, but here I feel out of
> >>> depth.
> >>>
> >>> Many thanks,
> >>>
> >>> Roberts
> >>>
> >>> ------------------------------
> >>>
> >>> Message: 2
> >>> Date: Thu, 24 Oct 2013 12:01:11 +0200
> >>> From: Jakub Hrozek <jhrozek(a)redhat.com>
> >>> To: sssd-users(a)lists.fedorahosted.org
> >>> Subject: Re: [SSSD-users] GDM login
> >>> Message-ID: <20131024100111.GD4240(a)hendrix.redhat.com>
> >>> Content-Type: text/plain; charset=utf-8
> >>>
> >>> On Thu, Oct 24, 2013 at 09:59:50AM +0100, Roberts Klotiņš wrote:
> >>> > Hello,
> >>> >
> >>> > After 2 days of reading on Samba4 SSSD and AD login I am running into
> >>> > problems. I have set up
> >>> > - AD server with Samba 4.2 (CentOS 6.3) - domain PEOPLE.LOCAL
> >>> > - Fedora 19 machine
> >>> > - Windows XP machine joined the domain without problems, I can run
> >>> > dsa.msc successfully
> >>> >
> >>> > I want to achieve AD user login from gdm. I understand that I should
> >>> > create
> >>> > used with dsa.msc and then I don't know if I should add it through Fedora
> >>> > 19 user control panel. I tried it anyhow (was useful in debugging) but
> >>> > changes do not persist.
> >>> >
> >>> > I set up sssd (ver 1.11.1) it seems alright with AD options:
> >>> > - id and getent work for passwords and groups
> >>> >
> >>> > In my sssd.conf I have specified domain as [domain\PEOPLE]
> >>> > as all the correct server addresses etc are given there and it is easier to
> >>> > refer to the domain just by one name.
> >>> > sssd loads fine, getent passwd 'PEOPLE\user' works
> >>> >
> >>> > - realm discover gives this result
> >>> > realm discover --verbose PEOPLE.LOCAL
> >>> > * Resolving: _ldap._tcp.people.local
> >>> > * Performing LDAP DSE lookup on: 192.168.1.74
> >>> > ! Received invalid or unsupported Netlogon data from server
> >>> > people.local
> >>>
> >>> ^^^ This is a Samba bug. I've seen it reported by another user, but I'm
> >>> not sure if it's reported to Samba upstream.
> >>>
> >>> > type: kerberos
> >>> > realm-name: PEOPLE.LOCAL
> >>> > domain-name: people.local
> >>> > configured: no
> >>> >
> >>> > I can add previously defined domain user via Settings - User : Enterprise
> >>> > with correct username and password, however this does not persist - if I
> >>> > close the user admin panel and then re-open it, the added user is gone.
> >>>
> >>> This sounds like an Enterprise Logins bug, but let's resolve the Permission
> >>> Denied first.
> >>>
> >>> >
> >>> > If I try to log on from GDM (user not listed so I use PEOPLE\user) I get
> >>> > authentication failure
> >>> > /var/log/secure gives these messages:
> >>> >
> >>> > date:00:19 host gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
> >>> > date:00:19 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
> >>> > date:00:19 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr1: 6 (Permission denied)
> >>> > date:00:48 host gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
> >>> > date:00:48 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr1
> >>> > date:00:48 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr1: 6 (Permission denied)
> >>> > date:01:40 host gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr2
> >>> > date:01:40 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr2
> >>> > date:01:40 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr2: 6 (Permission denied)
> >>> > date:01:46 host gdm-password]: pam_unix(gdm-password:auth): conversation failed
> >>> > date:01:46 host gdm-password]: pam_unix(gdm-password:auth): auth could not identify password for [PEOPLE\usr2]
> >>> > date:01:46 host gdm-password]: pam_sss(gdm-password:auth): authentication failure; logname=(unknown) uid=0 euid=0 tty=:0 ruser= rhost= user=PEOPLE\usr2
> >>> > date:01:46 host gdm-password]: pam_sss(gdm-password:auth): received for user PEOPLE\usr2: 7 (Authentication failure)
> >>> > date:01:46 host gdm-password]: gkr-pam: no password is available for user
> >>> >
> >>> > Could someone point me in the right direction as to what is wrong with my
> >>> > setup. I have sorted some problems out by myself, but here I feel out of
> >>> > depth.
> >>> >
> >>> > Many thanks,
> >>> >
> >>> > Roberts
> >>>
> >>> Can you attach your sssd.conf? I suspect that realmd/enterprise logins
> >>> set up the simple access provider and the user is not included in the
> >>>
> >>>
> >>> ------------------------------
> >>>
> >>> _______________________________________________
> >>> sssd-users mailing list
> >>> sssd-users(a)lists.fedorahosted.org
> >>> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
> >>>
> >>>
> >>> End of sssd-users Digest, Vol 18, Issue 25
> >>> ******************************************
> >>>
> >>
> >>
> >>
> >> --
> >> ==
> >> Roberts Klotins
> End of sssd-users Digest, Vol 18, Issue 27
> ******************************************
>
--
==
Roberts Klotins
10 years, 6 months
access_provider = simple or pam_access
by Michael Gliwinski
Hi all,
I was just looking at various access control methods and reading through
https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryAccessControl and
various older threads on this list, and I got the impression that pam_access
isn't recommended. Is that true?
In cases where you want to restrict access by group membership, what are the
advantages of using SSSD's /access_provider = simple/ or /access_provider =
ldap/ over pam_access?
AFAICS, pam_access may actually make more sense as it works OK with local and
domain groups, nested groups, can be used with different access restrictions
for different services, and can be combined with SSSD's /access_provider =
ldap/ + /ldap_access_order = expire/ to also handle expired/disabled accounts.
Am I missing anything?
Thanks,
Michael
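Jakub's reply in the GDM thread above suspects the simple access provider rejecting a user who is not on its allow list, and the question just asked is about choosing between that provider, `access_provider = ldap` and pam_access. As an added example, not taken from any of the posts, this sssd.conf shows the two SSSD-side variants side by side. The domain `example.com`, the host `ldap.example.com` and the group `ssh-users` are placeholders; `simple_allow_groups`, `ldap_access_order`, `ldap_access_filter` and `ldap_account_expire_policy` are the option names documented in sssd-simple(5) and sssd-ldap(5).

```ini
# Added example (not from the thread). Domain, host and group names are
# placeholders. Only one access_provider can be active per domain, so the
# second variant is shown commented out.
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com

# Variant A: SSSD decides locally from the group membership it has already
# resolved for the user. Nested groups count only if the id provider
# expands them into the user's group list. A user outside the listed group
# is refused with PAM result 6 (Permission denied), the code seen in the
# /var/log/secure lines quoted above; a wrong or missing password gives
# 7 (Authentication failure) instead, which helps tell the two apart.
access_provider = simple
simple_allow_groups = ssh-users

# Variant B: the directory evaluates a filter first, then SSSD applies the
# account-expiry check. Replace the two lines above with these four.
# ldap_account_expire_policy must match the server's schema (the AD
# configuration elsewhere in this digest uses "ad"; "shadow" is the value
# for servers that carry RFC 2307 shadow attributes).
#access_provider = ldap
#ldap_access_order = filter, expire
#ldap_access_filter = (memberOf=cn=ssh-users,ou=groups,dc=example,dc=com)
#ldap_account_expire_policy = shadow
```

pam_access is a separate PAM module that reads /etc/security/access.conf and matches against whatever groups NSS returns for the user, so it can be stacked after pam_sss with either variant; the thread itself leaves open which of the three is preferable.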
10 years, 6 months
selectively override values
by Chris Petty
We are overriding our users' GID because our university has set everyone's primary group to "domain users".
Is there a way to override based on a match, so that we could specify that our human users get one GID and our service daemons get another GID?
I tried adding a second domain, with a different ldap_access_filter and different override_gid, but I never had success. Virtually all other attributes were the same, and since my daemon user was not in my first ldap_access_filter, authentication was rejected.
My current default domain is below:
[domain/default]
debug_level = 8
id_provider = ad
auth_provider = ad
access_provider = ldap
chpass_provider = ad
ad_domain = dhe.duke.edu
ldap_search_base = DC=dhe,DC=duke,DC=edu
ldap_idmap_default_domain = dhe.duke.edu
ldap_sasl_mech = GSSAPI
ldap_account_expire_policy = ad
ldap_access_order = filter, expire
ldap_schema = ad
ldap_referrals = False
ldap_id_mapping = True
ldap_force_upper_case_realm = True
ldap_access_filter = (|(memberOf=CN=BIAC-Users,OU=Groups,OU=BIAC,OU=SOM,OU=EnterpriseResources,DC=dhe,DC=duke,DC=edu)(memberOf=CN=BIAC-Data-Daemons,OU=Groups,OU=BIAC,OU=SOM,OU=EnterpriseResources,DC=dhe,DC=duke,DC=edu))
ldap_idmap_default_domain_sid = S-1-5-edited
ldap_tls_reqcert = never
case_sensitive = False
krb5_lifetime = 10h
krb5_renewable_lifetime = 7d
ldap_account_expire_policy = ad
krb5_realm = DHE.DUKE.EDU
#these will go away with IDMU uid
ldap_idmap_range_size = 20000000
ldap_idmap_range_min = 0
ldap_idmap_range_max = 2000000000
min_id = 500
override_gid = 197250
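The posted section contains `ldap_tls_reqcert = never`. That key governs server certificate verification on the StartTLS and LDAPS connections SSSD makes: it has no effect on a plain Kerberos-protected connection such as the GSSAPI bind above, but on any TLS connection it makes SSSD accept whatever certificate the server presents. As an added example, not the poster's configuration, here is the same key with verification enabled; the CA file path is a placeholder, and `ldap_tls_cacert` and the `demand` value are the option and value documented in sssd-ldap(5).

```ini
# Added example, not from the post. Only the TLS keys are shown; the rest of
# the posted [domain/default] section stays as it is.

# Weak: any server certificate is accepted, so a host that can get between
# the client and the domain controller can present its own certificate.
#ldap_tls_reqcert = never

# Hardened: require a valid certificate that chains to a trusted CA.
# The path is a placeholder for the CA that signed the domain controllers'
# certificates.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/dc-ca-placeholder.pem
```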
10 years, 6 months
sssd - GDM logon
by Roberts Klotiņš
The last thought that occurred was to run authconfig --test. Authconfig
apparently is the command used by various frontends, so I thought the output
from it could point to the problem.
I wish the output would have made more sense to me - it does not quite
indicate which files the answers come from.
$ sudo authconfig --test
caching is enabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
hesiod LHS = ""
hesiod RHS = ""
nss_ldap is disabled
LDAP+TLS is disabled
LDAP server = "ldap://SRV1.people.local"
LDAP base DN = "dc=people,dc=local"
nss_nis is disabled
NIS server = ""
NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
SMB workgroup = "PEOPLE"
SMB servers = "SRV1.PEOPLE.LOCAL"
SMB security = "ads"
SMB realm = "PEOPLE.LOCAL"
Winbind template shell = "/bin/false"
SMB idmap range = "16777216-33554431"
nss_sss is enabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
shadow passwords are enabled
password hashing algorithm is sha512
pam_krb5 is disabled
krb5 realm = ""
krb5 realm via dns is disabled
krb5 kdc = ""
krb5 kdc via dns is disabled
krb5 admin server = ""
pam_ldap is disabled
LDAP+TLS is disabled
LDAP server = "ldap://SRV1.people.local"
LDAP base DN = "dc=people,dc=local"
LDAP schema = "rfc2307"
pam_pkcs11 is disabled
use only smartcard for login is disabled
smartcard module = "coolkey"
smartcard removal action = "Ignore"
pam_fprintd is disabled
pam_ecryptfs is disabled
pam_winbind is disabled
SMB workgroup = "PEOPLE"
SMB servers = "SRV1.PEOPLE.LOCAL"
SMB security = "ads"
SMB realm = "PEOPLE.LOCAL"
pam_sss is enabled by default
credential caching in SSSD is enabled
SSSD use instead of legacy services if possible is enabled
IPAv2 is disabled
IPAv2 domain was not joined
IPAv2 server = ""
IPAv2 realm = ""
IPAv2 domain = ""
pam_pwquality is enabled (try_first_pass retry=3 authtok_type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is enabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
$
Thanks for looking at this,
Roberts
--
==
Roberts Klotins
On 25 October 2013 13:00, <sssd-users-request(a)lists.fedorahosted.org> wrote:
> Message: 1
> Date: Fri, 25 Oct 2013 10:02:15 +0200
> From: Jakub Hrozek <jhrozek(a)redhat.com>
> To: sssd-users(a)lists.fedorahosted.org
> Subject: Re: [SSSD-users] sssd-users Digest, Vol 18, Issue 25
> Message-ID: <20131025080215.GC7624(a)hendrix.brq.redhat.com>
> Content-Type: text/plain; charset=utf-8
>
> On Fri, Oct 25, 2013 at 09:58:48AM +0200, Jakub Hrozek wrote:
> > On Fri, Oct 25, 2013 at 02:25:04AM +0100, Roberts Klotiņš wrote:
> > > Hi again, still trying to understand how to make the setup work.
> > >
> > > As the very last thing I thought to check into /etc/sysconfig/authconfig.
> > > What I found was that usekerberos and useldap were set to no. Maybe they
> > > (or at least kerberos) need to be set to yes?
> > >
> >
> > Did you have a chance to gather the debug logs I asked about earlier?
>
> Ah, sorry, it was stuck in moderation. I let that e-mail through.
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 25 Oct 2013 09:47:27 +0100
> From: Roberts Klotiņš <roberts.klotins(a)gmail.com>
> To: sssd-users(a)lists.fedorahosted.org
> Subject: [SSSD-users] sssd - GDM login
> Message-ID: <CALr2nHsBoDisjrDoTrMX7uNBJTwrBDvsUAeQQbR=8pFDHxRUrw(a)mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> I did send them to the list, but at debug level 7 the sssd_PEOPLE.log file
> was about 15 KB in total and I sent it as an attachment. I was told to
> wait until the post is approved by the moderator because its size is over 40 KB.
>
> I now put this same file edited for usernames and more descriptive host
> names on
>
> http://pastebin.com/ZRkmMgi6
>
> sssd_PEOPLE.log was 15 KB
> krb5_child.log was empty - 0 bytes.
>
> With thanks,
>
> Roberts
>
>
> End of sssd-users Digest, Vol 18, Issue 29
> ******************************************
>
--
==
Roberts Klotins
10 years, 6 months