sssd-users May 2013

sssd-users@lists.fedorahosted.org

23 participants
20 discussions

Ldap Help
by Brandon Foster 10 May '13

10 May '13

Hey all, Im back with another ldap question. this time I rebuilt sssd and followed this guide: http://blog.f1linux.com/2013/04/21/howto-part-3-ldap-client-configuration-a… for setting up ldap authentication on my centos 6.4 system. my firewall is off and selinux is disabled. when i do an ldapsearch -x "cn=test.user" it returns all the correct information, but doing id test.user returns no user. I've attached the log files and all of the relevant files and maybe some non relevant ones as well. it appears as tho it is searching for the user but is simply not finding anything. Is there an option to search for cn=test.user? and not by uid? any help will be much appreciated.

7 14

Re: [SSSD-users] RHEL5, sssd and the Global Catalog (Jakub Hrozek)
by Will_Darton＠navyfederal.org 10 May '13

10 May '13

2 4

Multiple ldap accounts for sudo and users in sssd.conf
by michael gabriel 09 May '13

09 May '13

Hi there, We have two different ldap "accounts". One is used to get user account information and the other is used get sudo information. Is there way to have two ldap_default_bind_dn's and ldap_default_authtok's for each of these account configured in sssd.conf. Thanks Mickeyg

2 2

Nested Groups in ldap_access_filter?
by Wojtak, Greg (Superfly) 09 May '13

09 May '13

I'm trying to set up sssd with access_provider = ldap. I'm having a little trouble getting the ldap_access_filter working the way I want to. The way I want to do it is to create a Resource Group in AD that contains the Unix Team group and then whichever users need access to the system. So we'd have, say: cn=Server1AccessGroup,ou=Groups,…. member: cn=Unix Team,ou=Groups,… member: cn=User A,… member: cn=User B,… Is there a way to craft the ldap_access_filter based on the above such that the members of Unix Team and then the two users will be allowed access? As an ancillary question to this, I'd like some clarification of how ldap_access_filter works exactly. Is it simply that the user's DN who is trying to login needs to match a result of the query specified in the access filter line? Thanks! -- Greg Wojtak Senior Unix Systems Engineer Office: (313) 373-4306 Mobile: (734) 718-8472

3 5

RHEL5, sssd and the Global Catalog
by Will_Darton＠navyfederal.org 09 May '13

09 May '13

2 1

Active Directory Integration test day invitation
by Jakub Hrozek 07 May '13

07 May '13

The realmd and SSSD development teams are happy to invite you to a Fedora Test Day that will be held on Thursday, May 9th. We invite you to take part in testing of the new features that will become available in upcoming upstream releases of realmd and SSSD and would be a part of Fedora 19. The features are mostly focused on better Active Directory integration and to some extent easier way of joining clients to an IPA domain using realmd. To read more about the test day and suggested tests use the following link https://fedoraproject.org/wiki/Test_Day:2013-05-09_SSSD_Improvements_and_AD… The tests in particular can be previewed using this link: https://fedoraproject.org/wiki/Category:Active_Directory_Test_Cases https://fedoraproject.org/wiki/Category:FreeIPA_Test_Cases Even if you do not plan on following the test cases themselves, consider joining the test day to see if the new realmd or SSSD features are usable and working in your environment or just to see if your current workflow is not affected in any way by the recent changes in either SSSD or realmd. Thank you for your help and participation!

2 2

Announcing SSSD 1.10.0 Beta 1
by Jakub Hrozek 06 May '13

06 May '13

=== SSSD 1.10 Beta 1 === The SSSD team is proud to announce the beta release of version 1.10 of the System Security Services Daemon. This beta release includes several new features, mostly targeted at better integration with Microsoft Active Directory. As always, the source is available from https://fedorahosted.org/sssd. RPM packages will be made available for Fedora 19 and rawhide shortly. The SSSD 1.10 Beta 2 release is tentatively scheduled for next week, before the Fedora Test Day which will happen on May 9th. The Beta 2 release will contain the remaining features we finish before the Test Day. There might be another pre-release if any of the planned features are not ready for the test day, after this last pre-release, the SSSD will enter a period of string-freeze and the 1.10 development will switch to bug fixing in preparation for the 1.10 final release. == Feedback == Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users == Highlights == * The Active Directory provider now includes support for Site-based discovery. This feature allows the Active Directory clients to find the most suitable Domain Controller to connect to. * Support for dynamic DNS updates in the Active Directory provider. This feature enables the clients to automatically update or refresh their DNS records stored in the AD server. * A new library, called libsss_nss_idmap was introduced. This library allows the user to convert Windows Security Identifiers (SIDs) to names and vice versa. The library also includes Python bindings. * Setting the SELinux context on the IPA server now also works for users coming from a trusted Active Directory domain * Fixed a serious performance issue when enumerating large number of users * The subdomain_homedir configuration option gained a new template expansion %F that expands to the flat name (NetBIOS name) of the trusted AD domain == Packaging Changes == * The SSSD python ConfigAPI was moved to its own noarch subpackage to make the SSSD packaging more compliant with the Fedora packaging guidelines * The libsss_nss_idmap library and its Python bindings are packaged in separate subpackages == Tickets Fixed == https://fedorahosted.org/sssd/ticket/453 [RFE] Replace pam status codes with sssd specific codes https://fedorahosted.org/sssd/ticket/902 [RFE] Allow setting krb5_renew_interval with a delimiter https://fedorahosted.org/sssd/ticket/1032 [RFE] sssd should support DNS sites https://fedorahosted.org/sssd/ticket/1414 [RFE] Improve syslog message when configuration cannot be loaded https://fedorahosted.org/sssd/ticket/1609 [RFE] Subdomain homedir template should be configurable/use flatname by default https://fedorahosted.org/sssd/ticket/1625 Confusing error messages for invalid sssd.conf https://fedorahosted.org/sssd/ticket/1741 sss_cache doesn't support subdomains https://fedorahosted.org/sssd/ticket/1767 unify sss_mc_set_recycled https://fedorahosted.org/sssd/ticket/1774 move processing of password expiration back to PAM provider only https://fedorahosted.org/sssd/ticket/1784 rewrite nested group processing to follow the tevent_req coding style https://fedorahosted.org/sssd/ticket/1786 Use new interface from ding-libs ini interface https://fedorahosted.org/sssd/ticket/1809 Document that SSSD domains should only be named using ASCII characters https://fedorahosted.org/sssd/ticket/1830 make the authtok structure really opaque https://fedorahosted.org/sssd/ticket/1839 Incorrect *.py[co] files placement https://fedorahosted.org/sssd/ticket/1842 Allow usage of enterprise principals https://fedorahosted.org/sssd/ticket/1844 add a call to calculated the range for a given domain SID to libsss_idmap https://fedorahosted.org/sssd/ticket/1848 unused parameter in ipa_selinux handler https://fedorahosted.org/sssd/ticket/1860 pidfile() may leak memory on error https://fedorahosted.org/sssd/ticket/1861 potential out-of-bounds-write in sss_idmap_sid_to_dom_sid https://fedorahosted.org/sssd/ticket/1862 negative return in files.c https://fedorahosted.org/sssd/ticket/1864 Bad comparisons in checks found by new Coverity instance https://fedorahosted.org/sssd/ticket/1865 Logically dead code in tools_util.c https://fedorahosted.org/sssd/ticket/1867 document that AD provider is always case insensitive https://fedorahosted.org/sssd/ticket/1877 ding-libs.dhash: uninitialized pointer read https://fedorahosted.org/sssd/ticket/1888 freeipa 3.2 trusted ad user not listed in external group https://fedorahosted.org/sssd/ticket/1889 coverity: dead code in sudo client https://fedorahosted.org/sssd/ticket/1890 SSSD doesn't display warning for last grace login. https://fedorahosted.org/sssd/ticket/1892 In IPA AD trust setup, the sssd logs throws 'sysdb_search_user_by_name failed' error when AD user tries to login via ipa client. == Detailed Changelog == Abhishek Singh (3): * cmocka unittest for find_uid added * cmocka unittest for io added * Fix segmentation fault in test_io. Ariel Barria (2): * Allow setting krb5_renew_interval with a delimiter * Confusing error messages for invalid sssd.conf Jakub Hrozek (38): * Updating the version for the 1.10 beta1 release * krb5 child: Use the correct type when processing OTP * pidfile(): Do not leak fd on error * Fix potential out-of-bounds write in sss_idmap_sid_to_dom_sid * Return errno, not -1 on failure in files.c * Check for correct variable name * Init failover with be_res options * Centralize resolv_init, remove resolv context list * dyndns: Fix initializing sdap_id_ctx * Check for the correct variables * Allocate PAM DP request data on responder context * LDAP: Always fail if a map can't be found * Put the override_homedir into an included xml file * Allow using flatname for subdomain home dir template * Fix simple access group control in case-insensitive domains * Make leak checks usable in tests that do not utilize check * tests: Fix the order of key/values * LDAP: do not invalidate pointer with realloc while processing ghost users * Convert the simple access check to new error codes * tests: Link the simple access tests with -ldl * Do not keep growing event context * Document the naming convention for SSSD domains * Document that the AD provider is case-insensitive * selinux: if no domain matches, make the debug message louder * Only try to relink ghost users if we're not enumerating * Display the last grace warning, too * Refactor dynamic DNS updates * Convert IPA-specific options to be back-end agnostic * dyndns: new option dyndns_refresh_interval * resolver: Return PTR record as string * dyndns: New option dyndns_update_ptr * dyndns: new option dyndns_force_tcp * dyndns: new option dyndns_auth * Split out the common code from timed DNS updates * Active Directory dynamic DNS updates * AD: Always initialize ID mapping * Only check UPN if enterprise principals are not used * Updating the translations for the 1.10 beta1 release Jan Cholasta (1): * Add exit status section to sss_ssh_* man pages Lukas Slebodnik (5): * LDAP: Fix value initialization warnings * Incorrect *.py[co] files placement * Fix krbcc dir creation issue with MIT krb5 1.11 * Default TEST_DIR to cwd, not empty string if not set explicitly * SUDO: IPA provider Michal Zidek (6): * Check for waitpid failure at wrong place. * Wrong condition after waitpid. * sss_cache: support for subdomains * sss_cache: Remove annoying messages * Inform about function duplication. * libsss_idmap: function to calculate range Ondrej Kos (3): * DB: Switch to new libini_config API * CONFDB: prevent double free * IDMAP: Fix variable initialization Pavel Březina (18): * resolv: add resolv_get_domain request to resolv utils * resolv: add resolv_discover_srv request to resolv utils * DNS sites support - SRV lookup plugin interface * DNS sites support - SRV DNS lookup plugin * fail over - add function to insert multiple servers to the list * DNS sites support - replace SRV lookup code with a plugin call * DNS sites support - use SRV DNS lookup plugin in all providers * DNS sites support - add IPA SRV plugin * sudo client: remove dead code * add fo_discover_servers request * IPA SRV plugin: use fo_discover_servers request * IPA SRV plugin: improve debugging * sdap: add sdap_connect_host request * add sss_ldap_encode_ndr_uint32 * DNS sites support - add AD SRV plugin * dns srv plugin: compare domain names case insensitive * AD SRV plugin: check if site name is empty * fo_discover_servers_send: don't crash when backup_domain is NULL Simo Sorce (1): * Further restrict become_user drop of privileges. Sumit Bose (21): * Fix and rename get_my_domain_data() * Refactoring: remove duplicated code in nss responder * Allow usage of enterprise principals * Make IPA SELinux provider aware of subdomain users * Add override_homedir.xml to po4a.cfg * Remove unused TALLOC_CTX from responder_get_domain() * responder_get_domain: do not return disabled domains * responder_get_domain(): remove timeout calculation * LDAP: always store SID if available * Add secid filter to responder-dp protocol * Add two new request types to the data-provider interface * Add idmap context to nss context * Add responder_get_domain_by_id() * sysdb: add sysdb_search_object_by_sid() * Add sss_ncache_set_sid() and sss_ncache_check_sid() * Remove unused attribute list * Use struct to hold different types of request parameters * Add SID related lookups to IPA subdomains * Add SID related calls to the NSS responder * Add client library for SID related lookups * Add python interface to libsss_nss_idmap Yuri Chornoivan (1): * Fix typos in man pages

2 2

finding user - but says ldap result empty
by Klavs Klavsen 03 May '13

03 May '13

Hi, I'm trying to make sssd work on CentOS-6. It seems to find the user in AD (Win 2003) - but it ends ups saying: ldap_result found nothing! I'm hoping someone can give me an idea, as to why :( Output (with debug_level=9 - slightly sanitized and anonymized) is: (Fri May 3 15:10:25 2013) [sssd[be[default]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_users_next_base] (0x0400): Searching for users with base [ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=klavs)(objectclass=user))][ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [displayName] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsUniqueId] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [modifyTimestamp] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8 (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x17e9bf0], connected[1], ops[0x17e8b60], ldap[0x17e97a0] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_entry] (0x4000): OriginalDN: [CN=klavs,OU=Konsulenter,OU=Brugere,OU=My Company,DC=sub,DC=example,DC=dk]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [displayName] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [memberOf] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [uSNChanged] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [userAccountControl] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [accountExpires] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [sAMAccountName] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [userPrincipalName] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimeStamp] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [uidNumber] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_parse_range] (0x2000): No sub-attributes for [unixHomeDirectory] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x17e9bf0], connected[1], ops[0x17e8b60], ldap[0x17e97a0] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_users_process] (0x0400): Search for users, returned 1 results. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): start ldb transaction (nesting: 0) (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x4000): Save user (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x2000): Adding originalDN [CN=klavs,OU=Konsulenter,OU=Brugere,OU=My Company,DC=sub,DC=example,DC=dk] to attributes o f [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x1000): Adding original memberOf attributes to [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding original mod-Timestamp [20130429063553.0Z] to attributes of [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x1000): Adding user principal [klavs(a)SUB.EXAMPLE.DK] to attributes of [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowLastChange is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMin is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowMax is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowWarning is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowInactive is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowExpire is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): shadowFlag is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): krbLastPwdChange is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): krbPasswordExpiration is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): pwdAttribute is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedService is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding adAccountExpires [9223372036854775807] to attributes of [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): Adding adUserAccountControl [512] to attributes of [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): nsAccountLock is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): authorizedHost is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginDisabled is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginExpirationTime is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): ndsLoginAllowedTimeMap is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_attrs_add_ldap_attr] (0x2000): sshPublicKey is not available for [klavs]. (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user klavs (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [userPassword] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [loginShell] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [uniqueID] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowLastChange] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMin] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowMax] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowWarning] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowInactive] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowExpire] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [shadowFlag] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [krbLastPwdChange] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [krbPasswordExpiration] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [pwdAttribute] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authorizedService] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [nsAccountLock] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [authorizedHost] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginDisabled] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginExpirationTime] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sysdb_remove_attrs] (0x2000): Removing attribute [ndsLoginAllowedTimeMap] from [klavs] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): cancel ldb transaction (nesting: 3) (Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): commit ldb transaction (nesting: 2) (Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): commit ldb transaction (nesting: 1) (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_save_users] (0x4000): User 0 processed! (Fri May 3 15:10:25 2013) [sssd[be[default]]] [ldb] (0x4000): commit ldb transaction (nesting: 0) (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_get_users_process] (0x4000): Saving 1 Users - Done (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_id_op_done] (0x4000): releasing operation connection (Fri May 3 15:10:25 2013) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: sh[0x17e9bf0], connected[1], ops[(nil)], ldap[0x17e97a0] (Fri May 3 15:10:25 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! sssd.conf: [domain/default] debug_level = 9 enumerate = false min_id = 5000 ldap_id_use_start_tls = False cache_credentials = True #these two are ACTUALLY written with EXAMPLE.COM - as I don't want kerberos right now - just LDAP krb5_realm = EXAMPLE.COM krb5_server = kerberos.example.com id_provider = ldap auth_provider = ldap chpass_provider = ldap ldap_uri = ldaps://dc01.sub.example.dk ldap_tls_cacertdir = /etc/openldap/cacerts ldap_referrals = true ldap_default_bind_dn = ldap(a)sub.example.dk ldap_default_authtok_type = password ldap_default_authtok = mypassword ldap_schema = rfc2307bis ldap_user_object_class = user ldap_user_home_directory = unixHomeDirectory ldap_user_principal = userPrincipalName ldap_user_search_scope = sub ldap_user_search_base = ou=Brugere,ou=My Company,dc=sub,dc=example,dc=dk ldap_search_base = OU=My Company,dc=sub,dc=example,DC=dk ldap_group_search_base = ou=Grupper,ou=My Company,dc=sub,dc=example,dc=dk ldap_group_object_class = group ldap_access_order = expire ldap_account_expire_policy = ad ldap_force_upper_case_realm = true ldap_user_name = sAMAccountName ldap_user_uid_number = uidNumber ldap_user_gid_number = gidNumber ldap_user_gecos = displayName #ldap_user_shell = msSFU30LoginShell [sssd] services = nss, pam config_file_version = 2 domains = default -- Regards, Klavs Klavsen, GSEC - kl(a)vsen.dk - http://www.vsen.dk - Tlf. 61281200 "Those who do not understand Unix are condemned to reinvent it, poorly." --Henry Spencer

2 7

Gss-proxy
by Ondrej Valousek 02 May '13

02 May '13

Probably not the best list to ask this question, but I will try anyway. Can we expect to gss-proxy in RHEL-7? The thing is that I would like to let Linux-based dhcp server to update windows based DNS server via gss-tsig updates and hate 'chgrp dhcpd /etc/krb5.keytab' dirty hack. I guess sssd should use gss-proxy as well. Thanks, Ondrej

3 4

RFC: dropping upstream support of RHEL5 starting with 1.10
by Jakub Hrozek 01 May '13

01 May '13

Hi, many new features rely on library APIs and features that are only available in recent versions of SSSD dependencies. As a result, the code often needs #ifdefs and special branches in order to at least compile or run on RHEL5. So far we've been doing nightly builds also for RHEL5 and fixing issues as we were finding them. But recently we are considering dropping support for RHEL5 -- it is causing some engineering effort and at the same time the audience is probably very limited. If you are running super-stable enterprise distribution, chances are you are not all that interested in the latest and possibly very unstable SSSD version. The proposal would be to keep building and supporting the 1.9.x branch for RHEL5 and switch to using RHEL6 as the oldest supported release starting from the 1.10 upstream version. Of course we would still accept patches from any potential contributors. Any objections against the plan?

3 5

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

sssd-users May 2013