August 2013 - sssd-users - Fedora Mailing-Lists

ldap_sasl_mech EXTERNAL and SSL client authc

by Michael Ströder

HI! Is it possible to use SASL/EXTERNAL when connecting to a LDAP server with StartTLS or LDAPS using client certs? In a project they have certs in all systems anyway (because of using puppet) and I'd like to let the sssd instances on all the systems authenticate to the LDAP server to restrict visibility of LDAP entries by ACL. I'd like to avoid having to set/configure passwords for each system's sssd. Ciao, Michael.

8 years, 2 months

5
22
0 / 0

FreeIPA on Debian

by Dmitri Pal

Hello, Sorry for cross posting to 4 different lists but it seems that this is the best way to include most of people who might be interested in this discussion. The question of "When FreeIPA will be available on Debian?" has been coming up periodically on the list(s) without any resolution. However it is clear that it would be beneficial for the community and the project. May be it is time to try again? Let us see why it yet has not happened? 1) Some components need to be ported to Debian especially Dogtag and a slew of its new RESTEasy dependencies. This requires time and quite an effort from someone familiar with the domain. 2) The code needs to be changed in installer and potentially in other places as it might have had some Fedorizms blended in 3) Someone needs to own packages in Debian and maintain them, someone with good knowledge of the distro and time to take ownership of about 50 packages. Can we pull it off together this time? Say we plan for some Dogtag and IPA domain experts to work on the port during Nov 13 - Feb 14 and address 1) and 2). Would there be any interest to join forces with them? Would there be anyone to take on item 3) from the list above? -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/

9 years, 9 months

6
9
0 / 0

Announcing SSSD 1.11.0

by Jakub Hrozek

=== SSSD 1.11.0 === The SSSD team is proud to announce the final release of version 1.11 of the System Security Services Daemon. This release focuses on changes not visible to the end-user. The aim is to support new features used by the forthcoming version 3.3 of FreeIPA and targets supporting legacy (non-SSSD) clients in a setup where the FreeIPA server established a trust relationship with an Active Directory Forest. As always, the source is available from https://fedorahosted.org/sssd. == Feedback == Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users == Highlights == * This release focuses on changes not visible to the end-user. The aim is to support new features used by the forthcoming version 3.3 of FreeIPA and targets supporting legacy (non-SSSD) clients in a setup where the FreeIPA server established a trust relationship with an Active Directory Forest. - The handling of ID ranges in the providers has been changed to use a plugin interface where each provider can use a different plugin - The libsss_idmap library has been enhanced in several ways such as handling "external mappings" or supporting base RIDs other than 0 - The assumption that subdomain users always have a primary user-private-group (UPG) has been removed - When SSSD is running on the IPA server, it is able to perform lookups for trusted users directly against the AD server using the AD provider lookups including enumeration and site location * The sudo integration was made more robust. SSSD is now able to gracefully handle situations where it is not able to resolve the client host name or sudo rules have multiple name attributes * Several nested group membership bugs were fixed * The PAC responder was made more robust and efficient, modifying existing cache entries instead of always recreating them. * The Kerberos provider now supports the new KEYRING ccache type. This feature depends on yet unreleased libkrb5 and kernel patches. == Packaging changes == * The sssd_pac binary was moved to the IPA and AD provider subpackages from the krb5-common subpackage == Tickets fixed == https://fedorahosted.org/sssd/ticket/1938 [RFE] Add a new call to libsss_idmap to add a new mapping where the first RID is not 0 https://fedorahosted.org/sssd/ticket/1960 [RFE] Add range type for ID mapping in AD to libsss_idmap https://fedorahosted.org/sssd/ticket/1961 [RFE] Add plugin to LDAP provider to find new ranges https://fedorahosted.org/sssd/ticket/1962 [RFE] Integrate AD provider lookup code into IPA subdomain user lookup https://fedorahosted.org/sssd/ticket/1979 [RFE] Add an optional unique range identifier https://fedorahosted.org/sssd/ticket/1993 [RFE] Add a new option to denote server mode https://fedorahosted.org/sssd/ticket/1965 man: document that the default access provider in AD provider is "permit" https://fedorahosted.org/sssd/ticket/1988 [RFE] sss_cache has no option to clear all cached entries of all types https://fedorahosted.org/sssd/ticket/1997 When resolving a SID, search for groups first, then users https://fedorahosted.org/sssd/ticket/1998 sssd-ad man page states that ad_server can be an IP address even though SSSD doesn't support that https://fedorahosted.org/sssd/ticket/2005 SSSD filter out ldap user/group if uid/gid is zero https://fedorahosted.org/sssd/ticket/2009 Disallow or warn if full_name_format is set to a non-default value when IPA server mode is on https://fedorahosted.org/sssd/ticket/2023 AD provider in server mode follows referrals https://fedorahosted.org/sssd/ticket/2025 pysss module linking is broken https://fedorahosted.org/sssd/ticket/1408 It should be possible to use uid/gid defined in AD instead of SIDs https://fedorahosted.org/sssd/ticket/1821 Allow using UIDs and GIDs from AD in trust case https://fedorahosted.org/sssd/ticket/1881 Determine how to map SID to UID/GID based on IdM server configuration https://fedorahosted.org/sssd/ticket/1942 convert enumeration timer to be_ptask https://fedorahosted.org/sssd/ticket/1963 [RFE] Implement or Improve enumeration https://fedorahosted.org/sssd/ticket/1964 [RFE] Enhance IPA SRV plugin to do AD site lookups as well https://fedorahosted.org/sssd/ticket/1996 PAC responder: update cached user object instead of deleting and recreating them https://fedorahosted.org/sssd/ticket/2027 Domain Users memberships removed in subsequent lookups in server_mode https://fedorahosted.org/sssd/ticket/2032 sssd sees gid as 0 for AD trust posix users causing lookup failures https://fedorahosted.org/sssd/ticket/2035 amend the docs of sss_nss_getnamebysid to make it clear it only works for id_provider=ad https://fedorahosted.org/sssd/ticket/2044 Update sssd-ad manpage to reflect "trust between domains in single forest are supported" == Detailed changelog == Alexander Bokovoy (3): * build: fix dependencies for pysss module * pysss: add pysss.getgrouplist(username) * pysss: prevent crashing when group is unresolvable Jakub Hrozek (58): * Updating the version for the 1.10.1 release * Bump version to track 1.11 development * IPA: Add a server mode option * LDAP: Add utility function sdap_copy_map * AD: decouple ad_id_ctx initialization * AD: initialize failover with custom realm, domain and failover service * IPA: Initialize server mode ctx if server mode is on * AD: Move storing sdap_domain for subdomain to generic LDAP code * IPA: Create and remove AD id_ctx for subdomains discovered in server mode * IPA: Look up AD users directly if IPA server mode is on * Updating translations for the 1.11 beta1 release * Bumping the version for the 1.11 beta2 release * RPM: Move sssd_pac to the krb5-common subpackage * DB: sysdb_search_user_by_name: search by both name and alias * LDAP: When resolving a SID, search for groups first, then users * RPM: Require libsss_idmap from sssd-common * MAN: clarify the default access provider for AD * MAN: IP addresss does not work when used for ad_server * MAN: Clarify the min_id/max_id limits further * Remove unused be_ctx->sigchld_ctx * IPA: warn if full_name_format is customized in server mode * AD: Set the bool value same as default value in opts * Fix the default FQDN format * SUDO: realloc with sizeof(uint32_t) when adding uint32_t * KRB5: Do not send PAC in server mode * LDAP: Use domain-specific name where appropriate * Updating translations for the 1.11 beta2 release * Bumping the version for the 1.11 beta3 release * Use GID if subdomain is not MPG * PAM: Check negcache when searching for fully qualified users, too * PAM: Set negcache if user is not found after provider check * Use the correct resolv timeout * Remove unused constant * AD: Use the correct include guard * UTIL: Remove obsolete compat macros * KRB5: Formatting changes * KRB5: Do not log to syslog on each login * MAN: AD provider only supports trusted domains from the same forest * PAC: Skip SIDs that cannot be resolved to domain * IPA: Enable AD sites when in server mode * DB: Update sss_domain_info with new updated data * DB: remove unused realm parameter from sysdb_master_domain_add_info * LDAP: Add enum_{users,groups}_recv to follow the tevent_req style * LDAP: Remove unused constant * LDAP: Move the ldap enum request to its own reusable module * LDAP: Convert enumeration to the ptask API * LDAP: Make cleanup synchronous * LDAP: Make the cleanup task reusable for subdomains * LDAP: Make sdap_id_setup_tasks reusable for subdomains * SYSDB: Store enumerate flag for subdomain * Read enumerate state for subdomains from cache * Add a new option to control subdomain enumeration * IPA: enable enumeration if parent domain enumerates in server mode * NSS: Descend into subdomains if enumerate=true * IPA: Add forgotten declaration * DP: Use the correct type for DBus boolean * Updating translations for the 1.11.0 release * Updating the version for the 1.11.0 release Jim Collins (1): * ldap: only update shadowLastChange when password change is successful Lukas Slebodnik (35): * BUILD: Use pkg-config to detect cmocka * Return right directory name for dircache * Use conditional build for retrieving ccache. * Remove unused function parameter * Every time use permissive control in function memberof_mod. * Fix clang format string warning. * Use functionm ldb_dn_get_linearized to format struct ldb_dn * Add mising argument required by format string * Remove unused memory context from function unpack_authtok * Fix warnings: uninitialized variable * Fix autotols warnings: macro xyz not found in library * Fix possible dereference of a NULL pointer. * Every time release allocated memory in function py_sss_getgrouplist * Prevent using uninitialized "group_name" in done section. * Remove unused memory context * SSH: Ensure that cmd_ctx->name will not be NULL. * Add script make_srpm.sh to dist tarball. * NSS: allow removing entries from netgroup hash table * NSS: Clear cached netgroups if a request comes in from the sss_cache * Enable removing nonexisting dn in sdap_handle_account_info * proxy: Alocate auth tokens in struct authtok_conv * Check whether servername is not empty string. * Remove include recursion * Remove include recursion * Use brackets around macros. * Fix memory leak insss_krb5_get_error_message * mmap_cache: Skip records which doesn't have same hash * mmap_cache: Use stricter check for hash keys. * UTIL: Create new wraper header file sss_endian.h * CLIENT: Fix non gnu sss_strnlen implementation * MONITOR: Move function declaration out of conditional build * UTIL: Explicitly include header file sys/socket.h * MEMBEROF: Remove temporary workaround * IPA_HBAC: Explicitelly include header file time.h * CONFIGURE: Get rid of bashism Michal Zidek (16): * sss_cache: Add option to invalidate all entries * Always set port status to neutral when resetting service. * Missing space in debug message * Remove unused constant. * Set default DNS resolution timeout to 6 seconds. * Lower timeout to contact DNS server * resolv-tests failing with memory leak * ldap, krb5: More descriptive msg on chpass failure. * mmap_cache: Check if slot and name_ptr are not invalid. * mmap_cache: Check data->name value in client code * mmap_cache: Remove triple checks in client code. * mmap_cache: Off by one error. * mmap_cache: Use better checks for corrupted mc in responder * mmap_cache: Store corrupted mmap cache before reset * mmap_cache: Use sss_atomic_write_s instead of write. * pam: Bad debug message format and parameter. Ondrej Kos (9): * Do not copy special files when creating homedir * KRB5_CHILD: Fix handling of get_password return code * Do not try to set password when authtok_length is zero * KRB: Handle empty password gracefully * KRB: Replace multiple calls with variable * TOOLS: Update all services with sss_debuglevel * Clarify that getnamebysid currently works only with ipa/ad id_provider * AD: Cast SASL callbacks to propper type * DP: Notify propperly when removing PAC responder Pavel Březina (13): * remove unused variable * print hint about password complexity when new password is rejected * dyndns timeout test: catch SIGCHLD handler events * SIGCHLD handler: do not call callback when pvt data where freed * Fix netgroup lookup when using fully qualified name * sudo: skip rule on error instead of failing completely * sudo: print better debug message when a rule has multiple cn values * simple access provider: allow fully qualified names * add simple access provider init test * sudo: continue if we are unable to resolve fqdn * sudo: do not fail to store the rule if we can't read usn * sudo: do not strdup usn on ENOENT * sss_packet_grow: correctly pad packet length to 512B Simo Sorce (5): * Add a commit template * sssd_ad: Add hackish workaround for sasl ad_compat * proxy: Allow initgroup to return NOTFOUND * krb5_common: Refactor to use a talloc temp context * BUILD: Remove unnecessary patch and configure opts Stephen Gallagher (14): * Move pre and post scripts to sssd-common * Remove sysv->systemd upgrade routines * Move sssd_pac binary to the IPA and AD providers * Netgroups should ignore the 'use_fully_qualified_names' setting * BUILD: Fix contrib build macros to display warnings * gitignore: Add Eclipse project files to ignore list * KRB5: Add new #define for collection cache types * KRB5: Refactor cc_*_check_existing * KRB5: Only set active and valid on success * KRB5: Add low-level debugging to sss_get_ccache_name_for_principal * KRB5: Remove unnecessary call to become_user() * KRB5: Add support for KEYRING cache type * BUILD: Ignore translations when building RPMs * krb5: Fetch ccname template from krb5.conf Sumit Bose (36): * idmap: allow first RID to be set * idmap: add optional unique range id * idmap: add option to indicate external_mapping * idmap: allow NULL domain sid for external mappings * idmap: add calls to check if ID mapping conforms to ranges * idmap: add sss_idmap_domain_has_algorithmic_mapping * Add cmocka based tests for libsss_idmap * Add now options ldap_min_id and ldap_max_id * SDAP IDMAP: Add configured domain to idmap context * Allow different methods to find new domains for idmapping * Add sdap_idmap_domain_has_algorithmic_mapping() * Replace SDAP_ID_MAPPING checks with sdap_idmap_domain_has_algorithmic_mapping * Add ipa_idmap_init() * Add support for new ipaRangeType attribute * Replace new_subdomain() with find_subdomain_by_name() * IPA: read ranges before subdomains * Save mpg state for subdomains * Read mpg state for subdomains from cache * Fix memory context for a state member * Fix memory context for hash entries * ipa_s2n_get_user_done: free group_attrs as well * ipa_s2n_get_user_done: make sure ALIAS name is lower case * sdap_get_initgr_done: use the right SID to get a GID * sdap_save_user: save original primary GID of subdomain users * fill_initgr: add original primary GID if available * sdap_add_incomplete_groups: use fully qualified name if needed * save_rfc2307bis_user_memberships: use fq names for subdomains * sysdb_add_incomplete_group: store SID string is available * check_cc_validity: make sure _valid is always set * PAC: if user entry already exists keep it * PAC: do not create users with missing GID * PAC: handle non-POSIX groups in cache * PAC: read user DN instead of constructing it * PAC: do not fail if a single group cannot be added/removed * PAC: use SID instead of GID to search for groups * ipa-server-mode: add IPA group memberships to AD users Yuri Chornoivan (1): * Fix two minor typos

9 years, 9 months

3
7
0 / 0

Phantom Group upon login

by Chris Hartman

Hi guys, Weird problem here. Running Ubuntu with SSSD 1.9.5. Upon login after a long period between consecutive logins by the same user, I receive the following error message: groups: cannot find name for group ID 1596003661 `id` yields this: > USER@smarty:~$ id uid=1596001141(USER) gid=1596000513(domain users) groups=1596000513(domain > users),1596001142(radioworksusers),1596001642(nixdesktopusers),1596001643(nixserverusers),1596003180(puppetmakers),1596003206(drupal_admin),1596003661 An immediate subsequent login on the same system by the same user fails to produce the error message and the phantom group disappears from `id` output: > USER@smarty:~$ id uid=1596001141(USER) gid=1596000513(domain users) groups=1596000513(domain > users),1596001142(radioworksusers),1596001642(nixdesktopusers),1596001643(nixserverusers),1596003180(puppetmakers),1596003206(drupal_admin) I've also just noticed that the group ID reported is not consistent but can vary. I've searched my AD server for a group objectSID in question but have not found one; the group does not exist. There seem to be no negative side effects aside from the error message and unmapped GID in the output of the `id` command. My config: > [sssd] > config_file_version = 2 > debug_level = 0 > reconnection_retries = 3 > sbus_timeout = 30 > services = nss, pam > domains = DOMAIN > > [pam] > debug_level = 0 > [nss] > debug_level = 0 > filter_users = > root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm > filter_groups = > root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm > reconnection_retries = 3 > default_shell = /bin/bash > shell_fallback = /bin/bash > [domain/DOMAIN] > debug_level = 0 > ad_domain = DOMAIN.local > id_provider = ad > auth_provider = ad > chpass_provider = ad > access_provider = ad > enumerate = true > cache_credentials = true > # Will check unixHomeDirectory LDAP attribute for a value first > fallback_homedir = /home/%u > dyndns_update = true > dyndns_update_ptr = true > ldap_schema = ad > ldap_id_mapping = true > default_shell = /bin/bash Thanks! -Chris

9 years, 9 months

5
9
0 / 0

ssh (sssd) ldap authentication problem

by John Uhlig

I have been trying to resolve this problem for a couple weeks and tried hundreds of iterations without success. I will try to be brief and concise. (1) I have a centos 6.4 openldap-2.4.35 server configured for ssh authentication with a test account "localjoe". dn:uid=localjoe,ou=internal,dc=example,dc=com objectClass:top objectClass:person objectClass:organizationalPerson objectClass:inetOrgPerson objectClass:posixAccount cn:CN=localjoe,ou=internal,dc=example,dc=com sn:localjoe userPassword:{MD5}KRVE5i0tSdtSdBLzZ6h3VnR4dk4 description:posix acct ou:internal uid:localjoe uidNumber:103418 gidNumber:100 loginShell:/bin/bash homeDirectory:/tmp (2) I have an ubuntu ldap client system (zander) and can ssh localjoe@zander successfully. (3) I have a centos 6.4 sssd ldap client system (argot) and cannot ssh localjoe@argot. (4) The client (argos) /var/log/secure reports: ------------------------------------------------------------ Aug 21 07:56:39 argot sshd[9640]: pam_succeed_if(sshd:auth): error retrieving information about user localjoe Aug 21 07:56:41 argot sshd[9640]: Failed password for invalid user localjoe from XX.XX.XX.XX port 50380 ssh2 Aug 21 07:56:44 argot sshd[9641]: Connection closed by XX.XX.XX.XX Aug 21 07:59:47 argot sshd[9688]: Invalid user localjoe from XX.XX.XX.XX Aug 21 07:59:47 argot sshd[9689]: input_userauth_request: invalid user localjoe Aug 21 07:59:51 argot sshd[9688]: pam_unix(sshd:auth): check pass; user unknown Aug 21 07:59:51 argot sshd[9688]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=argot (5)The client (argos) sssd log file reports: ------------------------------------------------------- (Wed Aug 21 08:27:45 2013) [sssd[be[default]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing! (6) "getent passwd" works with nslcd daemon running but "getent --s sss passwd" does not work. (7) ldapsearch (as per example from this mail list works ok: -------------------------------------------------------------------------------- [root@argot security]# ldapsearch -x -LLL '(&(uid=localjoe)(objectClass=posixAccount))' uidnumber homedirectory gidnumber loginshell dn: uid=localjoe,ou=internal,dc=example,dc=com uidNumber: 103418 gidNumber: 100 loginShell: /bin/bash homeDirectory: /tmp I wonder if anyone has heard of similar problems with centos 6.4 sssd ldap client and might have a suggestion. thanks, John.

9 years, 9 months

3
8
0 / 0

Can't build SSSD on Ubuntu 12.04

by Chris Hartman

Hi everyone, My apologies if this is a repost, but I botched the subject line and thought it best to re-send. I'm trying to build SSSD 1.10.1 for Ubuntu 12.04 i386 to gain AD dynamic DNS update support. The PPA version 1.9.5 does not seem to have this functionality as DNS records for my Ubuntu hosts are becoming stale. Using the latest stable tarball, I'm receiving the following error while running ./configure: > ... > checking for krb5-config... (cached) /usr/bin/krb5-config > checking for supported MIT krb5 version... yes > checking for sigprocmask... yes > checking for sigblock... yes > checking for sigaction... yes > checking for getpgrp... yes > checking for prctl... yes > checking for NDR_NBT... no > configure: error: "Please install Samba 4 development libraries" But Samba4 development files seem to be installed: > user@snickers:~$ aptitude search samba|grep ^i > i libsamba-credentials-dev > i A libsamba-credentials0 > i libsamba-hostconfig-dev > i A libsamba-hostconfig0 > i libsamba-policy-dev > i A libsamba-policy0 > i A libsamba-util-dev > i A libsamba-util0 > i samba-common > i samba-common-bin > i A samba-dsdb-modules > i samba4-dev Any help would be appreciated. Thanks! -Chris

9 years, 9 months

3
3
0 / 0

RHEL V6.4: nslcd need to start tls and ssl in a specific order

by Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)

I know this forum is about sssd, but I am working with a customer that cannot run sssd due to a configuration issue on their ldap servers. I didn't know where else to ask this question other than to raise a formal elevation which I can do if so requested or this is found to be a bug. This customer has opted to use nslcd over encrypted links. In testing this configuration I noticed two oddities. These two lines are required in nslcd.conf to get the encryption started: ssl start_tls ssl on I was always under the impression that if you use ssl, you shouldn't use or start TLS and visa versa, if TLS has been started, then don't start ssl. Am I misinterpreting what is being enabled with these two options. What is even stranger, is that they are position dependent. The start_tls line must come before the ssl on line otherwise the encryption will not start correctly and the connections will fail. To my knowledge this seems to be the only position dependent option I have run it to so far. Was this intended ? Al Licause HP L2 UNIX Network Services HP Customer Support Center Hours 7am-3pm Pacific time USA Manager: tom.cernilli(a)hp.com

9 years, 9 months

3
3
0 / 0

Ubuntu 12.04 and

by Chris Hartman

Hi everyone, I'm trying to build SSSD 1.10.1 for Ubuntu 12.04 i386 to gain AD dynamic DNS update support. The PPA version 1.9.5 does not seem to have this functionality as DNS records for my Ubuntu hosts are becoming stale. Using the latest stable tarball, I'm receiving the following error while running ./configure: > ... > checking for krb5-config... (cached) /usr/bin/krb5-config > checking for supported MIT krb5 version... yes > checking for sigprocmask... yes > checking for sigblock... yes > checking for sigaction... yes > checking for getpgrp... yes > checking for prctl... yes > checking for NDR_NBT... no > configure: error: "Please install Samba 4 development libraries" But Samba4 development files seem to be installed: > user@snickers:~$ aptitude search samba|grep ^i > i libsamba-credentials-dev > i A libsamba-credentials0 > i libsamba-hostconfig-dev > i A libsamba-hostconfig0 > i libsamba-policy-dev > i A libsamba-policy0 > i A libsamba-util-dev > i A libsamba-util0 > i samba-common > i samba-common-bin > i A samba-dsdb-modules > i samba4-dev Any help would be appreciated. Thanks! -Chris

9 years, 9 months

1
0
0 / 0

Can't add local user on system using ldap auth for samba

by Wes Modes

Hi, all. Trying to add a local user to a CentOS 6.3 system that is using ldap for Samba authentication, but being stymied by the user's existing entry in ldap. |[root@samba ~]# adduser wchandy adduser: user 'wchandy' already exists [root@samba ~]# useradd wchandy useradd: user 'wchandy' already exists | User is not already a local user: |[root@edgar2 ~]# grep wchandy /etc/passwd | But they are a Samba user in ldap: |[root@edgar2 ~]# smbldap-usershow wchandy | grep uid dn: uid=wchandy,ou=people,dc=ucsc,dc=edu uid: wchandy uidNumber: 30490 | adduser does not have a local option. How does one get adduser to add local users in the presence of ldap authentication. Other things to consider: * There are currently local users who share a uid with an ldap entry (with a different uidNumber) who can access samba and ssh independently. I want to be able to keep doing this, AND add more users like this when needed. * No, I don't want to edit the user directly into /etc/passwd and /etc/group. I'd like to fix the underlying problem. Plus now any new local entry interferes with the same user's access to samba. * No, I don't want to rely on ldap for local ssh login. * No, I don't want to use a different uid for the user. I originally set up my samba-ldap authentication with the handy (but seemly irreversible) authconfig command: |[root@samba ~]# authconfig --enableshadow --enablemd5 --enableldap \ --enableldapauth --enableldaptls --enablemkhomedir \ --ldapserver=dir.mydomain.com --ldapbasedn="dc=mydomain,dc=com" \ --enablelocauthorize --updateall | My /etc/sysconfig/authconfig looks like this: |IPADOMAINJOINED=no USEMKHOMEDIR=yes USEPAMACCESS=no CACHECREDENTIALS=yes USESSSDAUTH=no USESHADOW=yes USEWINBIND=no PASSWDALGORITHM=sha512 FORCELEGACY=no USEFPRINTD=yes USEHESIOD=no FORCESMARTCARD=no USEDB=no USELDAPAUTH=yes IPAV2NONTP=no USELDAP=yes USECRACKLIB=yes USEIPAV2=no USEWINBINDAUTH=no USESMARTCARD=no USELOCAUTHORIZE=yes USENIS=no USEKERBEROS=no USESYSNETAUTH=no USESSSD=no USEPASSWDQC=no | My samba config was migrated from an RHEL4.x system to CentOS 6.3. Now instead of the kludgy mashup of nss and pam and who knows what, I used the pretty slick and easy sssd. My /etc/sssd/sssd.conf looks like this: |[domain/default] cache_credentials = True #cache_credentials = False ldap_search_base = dc=mydomain,dc=com krb5_realm = EXAMPLE.COM krb5_server = kerberos.example.com id_provider = ldap auth_provider = ldap chpass_provider = ldap ldap_uri = ldap://dir.mydomain.com/ ldap_tls_cacertdir = /etc/openldap/cacerts #ldap_tls_reqcert = allow entry_cache_timeout = 5 debug_level = 31 [sssd] config_file_version = 2 services = nss, pam # SSSD will not start if you do not configure any domains. # Add new domain configurations as [domain/<NAME>] sections, and # then add the list of domains (in the order you want them to be # queried) to the "domains" attribute below and uncomment it. # domains = LDAP domains = default #debug_level = 31 [nss] [pam] debug_level = 31 | As a workaround I came up with two non-optimal solutions. It at least gave me a way of moving forward after I found myself in the sticky situation where LDAP and the local passwd file are blocking each other. Workaround 1: I created a local user with a different UID (username) to give ssh access to a person who already had an LDAP/Samba entry. Possibly the cheeziest sysadmin solution I've done in years. Workaround 2: A little more complicated but comes down to adding the local user with the same uidNumber as in LDAP. 1. Lookup LDAP uidNumber with getent, ldapsearch, or smbldap-usershow 2. Temporarily disable the user in LDAP in order to add the local user without conflicts 3. Create the local account matching the uidNumber with LDAP 4. Re-enable the user in LDAP Both of these work, but neither address the underlying issue of allowing the authentication to use LDAP exclusively for Samba auth and /etc/passwd for local auth. But in the absence of another solution, this will have to do. Thanks for the help. If I can get my local and samba-ldap authentication working independently I'll be stoked. Wes -- ------------------------------------------------------------------------ Wes Modes Systems Designer, Developer, and Administrator University Library ITS University of California, Santa Cruz

9 years, 9 months

2
1
0 / 0

Pulling users from a group in OSX Openldap

by Kim

Hello List, I am trying to set up sssd to authenticate against an OSX LDAP server. However, I only want to allow users that are in the VPN group. These usernames are located at cn=vpn,cn=groups,dc=server01,dc=castleaccess,dc=com under the memberUid attribute. For graphical representation (http://linuxowns.com/images/ldap.png). Below is my sssd.conf which is a mess and it's not locating the users. The rest of the credentials are fine being pulled from dc=server01,dc=mydomain,dc=com. If I take out the ldap_user_search_base parameter, SSSD will be able to find the users and authenticate... but then it allows all of the users. Any help getting sssd to pull the specified users would be greatly appreciated! /etc/sssd.conf [sssd] config_file_version = 2 services = nss, pam domains = default debug_level = 10 [nss] filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd [pam] [domain/default] id_provider = ldap auth_provider = krb5 ldap_uri = ldap://server01.mydomain.com #ldap_search_base = cn=vpn,dc=server01,dc=mydomain,dc=com ldap_search_base = dc=server01,dc=mydomain,dc=com ldap_user_search_base = cn=vpn,dc=server01,dc=mydomain,dc=com ldap_schema = rfc2307bis #ldap_user_principal = memberUid ldap_user_object_class = memberUid min_id = 1 max_id = 0 enumerate = False ldap_id_use_start_tls = False #chpass_provider = krb5 ldap_tls_cacertdir = /etc/openldap/cacerts krb5_realm = SERVER01.MYDOMAIN.COM krb5_server = server01.mydomain.com chpass_provider = krb5 cache_credentials = True krb5_kpasswd = server01.mydomain.com /var/log/secure Aug 12 14:34:01 myserver pppd[8686]: pam_unix(ppp:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser= rhost=ppp0 user=tkawai Aug 12 14:34:01 myserver pppd[8686]: pam_sss(ppp:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser= rhost=ppp0 user=tkawai Aug 12 14:34:01 myserver pppd[8686]: pam_sss(ppp:auth): received for user tkawai: 10 (User not known to the underlying authentication module)

9 years, 9 months

2
3
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

sssd-users August 2013