ldap_sasl_mech EXTERNAL and SSL client authc
by Michael Ströder
HI!
Is it possible to use SASL/EXTERNAL when connecting to an LDAP server with
StartTLS or LDAPS using client certs?
In a project they have certs in all systems anyway (because of using puppet)
and I'd like to let the sssd instances on all the systems authenticate to the
LDAP server to restrict visibility of LDAP entries by ACL. I'd like to avoid
having to set/configure passwords for each system's sssd.
Ciao, Michael.
8 years, 8 months
sssd.conf, authconfig and ldap_uri
by Olivier
Hello everyone,
I launch "authconfig" within a script to set up my redhat6 boxes.
I noticed that authconfig does not set up sssd.conf properly:
https://bugzilla.redhat.com/show_bug.cgi?id=874527
but the bug is declared as "closed"?
First question :
could anyone confirm that authconfig does *not* configure
sssd.conf with "--enablesss" and "--enablesssdauth" and
that I therefore need to configure that file myself (by hand
or within my script)?
Second question:
I noticed that sssd seemed to work properly even without
declaring the "ldap_uri" parameter within sssd.conf. Could
anyone confirm that this parameter is not necessary, and
where does sssd collect the list of ldap servers to query
in that case, ldap.conf?
Thank you for any help,
Best regards,
---
Olivier
10 years, 1 month
Re: [SSSD-users] authenticating against all sub-domains in AD forest
by a t
Hi,
That user, test.user, is in the subdomain a.domain.org.
The logs mark domain.org as a subdomain of b.domain.org. However, this is not correct - domain.org is the root domain of which b.domain.org is a subdomain. We do not have users in the root domain. All users are in other subdomains.
I believe the user I tested in another subdomain, mhunt.test(a)a.domain.org, did not show in the logs. When I tried to log in with mhunt.test(a)a.domain.org the logs show that sssd believes that domain "a" is a subdomain of b.domain.org rather than another subdomain of domain.org.
I might have to ask if I can send un-obfuscated in case I am adding in confusion!
Thanks,
Matthew
--- Original Message ---
From: "Jakub Hrozek" <jhrozek(a)redhat.com>
Sent: 29 September 2013 12:26
To: "End-user discussions about the System Security Services Daemon" <sssd-users(a)lists.fedorahosted.org>
Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest
On Tue, Sep 24, 2013 at 11:02:48AM +0000, a t wrote:
>
> Hi,
>
> please see logs attached. (couldn't upload logs as they were too large so I hope a tar.gz gets through). I stopped sssd, deleted logs and started sssd. Then ran the commands below;
>
> ssh B\\test.user@localhost - run at (Tue Sep 24 10:31:19 2013) - login succeeds
> ssh a\\mhunt.test@localhost - run at (Tue Sep 24 10:32:10 2013) - login fails. The error on ssh login is "Permission denied, please try again."
>
> (NOTE: I have just noticed I tested with uppercase domain "B" and lowercase domain "a". I have just retested with uppercase "A" and it still fails.)
>
> There are DNS server errors in the log.
>
> (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve AAAA record of 'le-vm05-centos6' in DNS
> (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds
> (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
> (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [request_watch_destructor] (0x0400): Deleting request watch
> (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_done] (0x0040): querying hosts database failed [5]: Input/output error
> (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [nsupdate_get_addrs_done] (0x0040): Could not resolve address for this machine, error [5]: Input/output error, resolver returned: [11]: Could not contact DNS servers
>
> However, DNS from this install is working (when querying its hostname or others on LAN or internet) and from other boxes querying its hostname. resolv.conf has correct name servers and they are responding to 'nslookup' and 'host'
>
> Also the following line looks to be creating the parent domain (domain.org) as a subdomain or b.domain.org?
>
> (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [new_subdomain] (0x0400): Creating [domain.org] as subdomain of [B.DOMAIN.ORG]!
>
> I have changed domain names in logs and changed bits of SIDs. Hope I have not confused anything with SID changes!!
>
> Thanks,
>
> Matthew
Hi,
I'm sorry for the late reply..
According to these logs I see three potential things to take a look at:
1)
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve AAAA record of 'le-vm05-centos6' in DNS
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [request_watch_destructor] (0x0400): Deleting request watch
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_done] (0x0040): querying hosts database failed [5]: Input/output error
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [nsupdate_get_addrs_done] (0x0040): Could not resolve address for this machine, error [5]: Input/output error, resolver returned: [11]: Could not contact DNS servers
It looks like you were hitting https://fedorahosted.org/sssd/ticket/2063
which should be resolved by now.
What exact version was this? The one from sssd-devel?
2)
The other thing I see:
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [B.DOMAIN.ORG] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_B_DOMAIN_ORG]
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [sss_krb5_touch_config] (0x0020): Unable to change mtime of "/etc/krb5.conf" [13]: Permission denied
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [sss_write_domain_mappings] (0x0020): Unable to change last modification time of krb5.conf. Created mappings may not be loaded.
This sounds like an SELinux denial to me. Could you try setting SELinux to
permissive for the duration of the test (setenforce 0)?
3)
Then in the logs I see a lookup and authentication of [CN=test user,OU=No
Management,OU=User Accounts,DC=b,DC=domain,DC=org]
Is that a root domain or subdomain user? Because this particular request
seems to have completed fine.. According to the logs, the subdomain should
be just called domain.org:
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [new_subdomain] (0x0400): Creating [domain.org] as subdomain of [B.DOMAIN.ORG]!
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [sdap_domain_subdom_add] (0x0400): subdomain domain.org is a new one, will create a new sdap domain object
But I don't see a request for a subdomain user from domain.org..not sure
if the real DN just got lost in the obfuscation..
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
10 years, 2 months
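A small triage script, added here as an example and not code from the SSSD project, that parses the sssd debug-log format quoted in this thread and flags the three symptoms Jakub lists: the resolver reporting no DNS contact, the krb5.conf mtime "Permission denied", and a root domain being recorded as a subdomain of its own child. The sample lines are constructed from the ones in the thread, with one healthy subdomain line added as a negative case.

```python
import re

# Constructed sample log: lines from the thread above plus one healthy
# new_subdomain line (a.domain.org under domain.org) that must not be flagged.
SAMPLE_LOG = """\
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve AAAA record of 'le-vm05-centos6' in DNS
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_done] (0x0040): querying hosts database failed [5]: Input/output error
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [nsupdate_get_addrs_done] (0x0040): Could not resolve address for this machine, error [5]: Input/output error, resolver returned: [11]: Could not contact DNS servers
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [sss_krb5_touch_config] (0x0020): Unable to change mtime of "/etc/krb5.conf" [13]: Permission denied
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [new_subdomain] (0x0400): Creating [domain.org] as subdomain of [B.DOMAIN.ORG]!
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [new_subdomain] (0x0400): Creating [a.domain.org] as subdomain of [domain.org]!
"""

# "(timestamp) [sssd[component]] [function] (0xlevel): message"
# The component may itself contain brackets, e.g. be[B.DOMAIN.ORG], so the
# non-greedy group stops at the first "]] [" that is followed by a function name.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<comp>.+?)\]\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
SUBDOM_RE = re.compile(
    r"Creating \[(?P<child>[^\]]+)\] as subdomain of \[(?P<parent>[^\]]+)\]"
)


def parse_line(line):
    """Split one sssd debug line into its fields; None if it is not a log line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)
    return rec


def is_ancestor(ancestor, name):
    """True if `name` lies below `ancestor` in the DNS tree (case-insensitive)."""
    return name.lower().endswith("." + ancestor.lower())


def triage(log_text):
    """Return (line_no, kind, note) for each symptom found in the log text."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        func, msg = rec["func"], rec["msg"]
        if func == "nsupdate_get_addrs_done" and "Could not contact DNS servers" in msg:
            findings.append((n, "dns", "sssd resolver cannot reach DNS although the system resolver works"))
        elif func == "sss_krb5_touch_config" and "Permission denied" in msg:
            findings.append((n, "krb5conf", "cannot touch /etc/krb5.conf; check SELinux (test in permissive) and file mode"))
        elif func == "new_subdomain":
            sm = SUBDOM_RE.search(msg)
            # Flag the inverted case: the "subdomain" is really an ancestor of its "parent".
            if sm and is_ancestor(sm["child"], sm["parent"]):
                findings.append((n, "inverted_tree",
                                 f"{sm['child']} recorded as subdomain of its own child {sm['parent']}"))
    return findings


if __name__ == "__main__":
    for line_no, kind, note in triage(SAMPLE_LOG):
        print(f"line {line_no}: {kind}: {note}")
```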
Announcing SSSD 1.11.1
by Jakub Hrozek
=== SSSD 1.11.1 ===
The SSSD team is proud to announce the release of version 1.11.1 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora 19, 20 and rawhide shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* This release contains mainly bug fixes in the Active Directory provider
and setups where the SSSD is running on an IPA server instance. In
particular:
- Several cases where offline authentication did not work correctly for
users from Active Directory domains were fixed
- Fixed a resolver bug that caused the SSSD to only look up AAAA records
for trusted Active Directory servers
- SSSD is now able to resolve users from trusted AD domains using their
POSIX attributes
* The simple access provider now allows the administrator to specify
users or groups from trusted domains in the access or deny lists
* Handling of Kerberos credential caches was made simpler and more robust
== Packaging Changes ==
* A new subpackage sssd-common-pac was added to work around a packaging
bug. Previous SSSD versions would own the PAC responder by both the
IPA and AD providers, which is not permitted by the Fedora packaging
guidelines.
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1945
Enable printf format string checking in function debug_fn
https://fedorahosted.org/sssd/ticket/2001
Implement heuristics to use Global Catalog servers from local DNS
domain first
https://fedorahosted.org/sssd/ticket/2007
sss_debuglevel did not increase verbosity in sssd_pac.log
https://fedorahosted.org/sssd/ticket/2034
[RFE] simple access provider: support subdomain users and groups
https://fedorahosted.org/sssd/ticket/2060
Cached credentials aren't working with sssd-ad UPN logins
https://fedorahosted.org/sssd/ticket/2063
sssd-ad unable to resolve names in other domains possibly UPN related
https://fedorahosted.org/sssd/ticket/2066
ad: invalid handling of Domain Users group for subdomain user
https://fedorahosted.org/sssd/ticket/2067
Carry on if detecting the flat name fails
https://fedorahosted.org/sssd/ticket/2068
Initial enumeration in the AD provider does not work
https://fedorahosted.org/sssd/ticket/2070
The present sssd-ad is unable to pull RFC2307 attributes from all
domains in a forest
https://fedorahosted.org/sssd/ticket/2075
sssd fails to retrieve netgroups with multiple CN attributes
https://fedorahosted.org/sssd/ticket/2076
Fix expand_ccname_template libkrb5 style expansion and add tests
https://fedorahosted.org/sssd/ticket/2079
SSSD subdomains provider does not resolve SRV records correctly when
DNS name of the server is different from domain/realm name of IPA
install in IPA server mode
https://fedorahosted.org/sssd/ticket/2080
When in IPA server mode, SSSD should map trusted forest subdomains to
root domain realm
https://fedorahosted.org/sssd/ticket/2085
man sssd-sudo: improve description of necessary configuration
https://fedorahosted.org/sssd/ticket/2087
The multicast check is wrong in the sudo source code getting the host info
https://fedorahosted.org/sssd/ticket/2090
getpwuid and getgrgid do not use the negative cache
https://fedorahosted.org/sssd/ticket/2091
Document that server side password policies always take precedence
https://fedorahosted.org/sssd/ticket/2093
sssd should write capaths for IPA trusted forests' subdomains
== Detailed Changelog ==
Jakub Hrozek (24):
* Updating the version for 1.11.1 release
* PROXY: Handle empty GECOS
* MAN: Document that sss_cache should be run after changing the cache timeout
* AD: Rename parametrized #define
* LDAP: Store cleanup timestamp after initial cleanup
* Remove unused code
* TESTS: Remove unused variable
* KRB5: Call umask before mkstemp in the krb5 child code
* AD: async request to retrieve master domain info
* LDAP: sdap_id_setup_tasks accepts a custom enum request
* AD: Download master domain info when enumerating
* AD: Failure to get flat name is not fatal
* Convert IN_MULTICAST parameter to host order
* NSS: Set UID and GID to negative cache after searching all domains
* NSS: Failure to store entry negative cache should not be fatal
* KRB5: Fix bad comparison
* IPA: Ignore dns_discovery_domain in server mode
* KRB5: Return ERR_NETWORK_IO when trusted AD server can't be resolved
* KRB5: Use the correct domain when authenticating with cached password
* LDAP: Require ID numbers when ID mapping is off
* LDAP: Allow searching subdomain during RFC2307bis initgroups
* AD: talk to GC first even for local domain objects
* MAN: Document that POSIX attributes must be replicated to GC
* Updating the translations for the 1.11.1 release
Lukas Slebodnik (38):
* AUTOMAKE: Add missing escaped newline
* Include sys/types.h for types id_t and uid_t
* UTIL: Use standard maximum value of type size_t
* KRB5: Fix warning declaration shadows global declaration
* Fix warning missing arguments
* mmap_cache: Do not remove record from chain twice
* AUTOTOOLS: Add -LLIBDIR to PYTHON_LIBS
* AUTOTOOLS: Add missing AC_MSG_RESULT
* AUTOMAKE: Use portable way to link with dlopen
* AUTOMAKE: Use portable way to link with gettext
* AUTOTOOLS: Add directories for searching ldap headers and libs
* AUTOTOOLS: Refactor unicode library detection
* AUTOTOOLS: add check for type intptr_t
* AUTOTOOLS: Use pkg-config to detect libraries.
* AUTOTOOLS: More robust detection of inotify.
* krb5: Fix warning sometimes uninitialized
* Fix formatting of variables with type: long
* Fix formatting of variables with type: unsigned long
* Fix formatting of variables with type: int
* Fix pointer formatting
* Use the same variable type as in struct ldb_message_element
* Fix formatting of variables with type: ssize_t
* Fix formatting of variables with type: size_t
* Adding new header for printf formatting macros
* Fix formatting of variables with type: key_serial_t
* Fix formatting of variables with type: rlim_t
* Fix formatting of variables with type defined in stdint.h
* Fix formatting of variables with type: time_t
* Fix formatting of variables with ber_ type
* Fix warning: data argument not used by format string
* Use right formatting to print string
* Fix formatting of variables with type: id_t
* Fix formatting of variables with type: uid_t
* Fix formatting of variables with type: gid_t
* Enable printf format string checking
* KRB: Remove unused memory context
* KRB: Remove unused function parameters
* LDAP: Use primary cn to search netgroup
Michal Zidek (4):
* Rename SAFEALIGN macros
* Rename _SSS_MC_SPECIAL
* man sssd: Add note about SSS_NSS_USE_MEMCACHE
* Check slot validity before MC_SLOT_TO_PTR.
Nikolai Kondrashov (1):
* Fix reference to sssd-krb5 man page
Ondrej Kos (2):
* DB: Add user/group lookup by SID
* DB: Raise search functions debug levels
Pavel Březina (22):
* Fix czech specific character in my name
* krb5_utils tests: fix some typos
* resolv_sort_srv_reply: remove unnecessary mem_ctx
* fo srv: add priority to fo_server_info
* utils: add is_host_in_domain()
* ad srv: prefer servers that are in the same domain as client
* sysdb_search_group_by_gid: obtain gid instead of uid
* is_dn(): free dn
* util: add sss_idmap_talloc[_free]
* simple access tests: fix typos
* simple provider: support subdomain users
* util: add find_subdomain_by_sid()
* util: add find_subdomain_by_object_name()
* simple provider: support subdomain groups
* simple access test: initialize be_ctx for all tests
* simple provider: obey case sensitivity for subdomain users and groups
* man: improve sssd-sudo manual page
* man: server side password policies always take precedence
* util: add get_domains_head()
* sysdb: get_sysdb_grouplist() can return either names or dn
* sysdb: sysdb_update_members can take either name or dn
* ad: store group in correct tree on initgroups via tokenGroups
Simo Sorce (18):
* Makefile: Fix sssd_be targets
* krb5: Ignore unknown expansion sequences
* tests: Add dlopen test to make sure modules works
* krb5: Add calls to change and restore credentials
* krb5: Add helper to destroy ccache as user
* krb5: Use krb5_cc_destroy to remove old ccaches
* krb5: Replace type-specific ccache/principal check
* krb5: Move determination of user being active
* krb5: move template check to initialization
* krb5: Make check_for_valid_tgt() static
* krb5: Use new function to validate ccaches
* krb5: Unify function to create ccache files
* krb5: Remove unused ccache backend infrastructure
* krb5: Remove unused function
* krb5: Add file/dir path precheck
* krb5_child: Simplify ccache creation
* krb5: Remove unused helper functions
* krb5: Be more lenient on failures for old ccache
Stephen Gallagher (1):
* RPM: Add new subpackage for PAC responder
Sumit Bose (7):
* dyndns: do not modify global family_order
* sdap_domain_add: remove too strict consistency check
* krb5: save canonical upn to sysdb
* krb5: do not expand enterprise principals if offline
* IPA: store forest name for forest member domains
* ipa_server_mode: write capaths to krb5 include file
* Do not return DP_ERR_FATAL in case of success
10 years, 2 months
Can't change default ldap_idmap_range
by Melvin Williams
Hello everybody,
I'm trying to change the default ldap_idmap_range_min, ldap_idmap_range_max
and ldap_idmap_range_size. First of all I'm not sure where to place them. I
tried placing them in [domain/DOMAINNAME]. If I do so sssd service fails to
start. I can't find any hints in logs even though I put the debug_level on
0xFFF0. Then I placed them in the [sssd] section. The service starts now
but it seems that the values are ignored. My sssd.conf looks as follows:
[sssd]
services = nss, pam
config_file_version = 2
domains = domain.name
debug_level = 0xFFF0
ldap_idmap_default_domain_sid = SID
ldap_idmap_default_domain = domain.name
[nss]
default_shell = /bin/bash
[pam]
[domain/domain.name]
ad_hostname = hostname.domain.name
ad_server = dc1.domain.name
ad_backup_server = dc2.domain.name
ad_domain = domain.name
#ldap_idmap_range_min = 100000
#ldap_idmap_range_max = 200000
#ldap_idmap_range_size = 10000
ldap_schema = ad
ldap_id_mapping=true
id_provider = ad
ldap_sasl_mech = gssapi
ldap_sasl_authid = dc1$(a)DOMAIN.NAME
access_provider = simple
override_homedir = /home/%d/%u
# on large directories, you may want to disable enumeration for performance reasons
enumerate = true
auth_provider = krb5
chpass_provider = krb5
krb5_realm = DOMAIN.NAME
krb5_server = dc1.domain.name
krb5_backup_server = dc2.domain.name
krb5_kpasswd = dc1.domain.name
krb5_backup_kpasswd = dc2.domain.name
krb5_keytab = /etc/krb5.sssd.keytab
ldap_krb5_init_creds = true
ldap_referrals = false
ldap_uri = ldap://dc1.domain.name,ldap://dc2.domain.name
ldap_search_base = some_search_base
dyndns_update=false
I hope somebody can help me with this issue.
Thanks
10 years, 2 months
Re: [SSSD-users] authenticating against all sub-domains in AD forest
by a t
Hi,
please see logs attached. (couldn't upload logs as they were too large so I hope a tar.gz gets through). I stopped sssd, deleted logs and started sssd. Then ran the commands below;
ssh B\\test.user@localhost - run at (Tue Sep 24 10:31:19 2013) - login succeeds
ssh a\\mhunt.test@localhost - run at (Tue Sep 24 10:32:10 2013) - login fails. The error on ssh login is "Permission denied, please try again."
(NOTE: I have just noticed I tested with uppercase domain "B" and lowercase domain "a". I have just retested with uppercase "A" and it still fails.)
There are DNS server errors in the log.
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve AAAA record of 'le-vm05-centos6' in DNS
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [request_watch_destructor] (0x0400): Deleting request watch
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_done] (0x0040): querying hosts database failed [5]: Input/output error
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [nsupdate_get_addrs_done] (0x0040): Could not resolve address for this machine, error [5]: Input/output error, resolver returned: [11]: Could not contact DNS servers
However, DNS from this install is working (when querying its hostname or others on LAN or internet) and from other boxes querying its hostname. resolv.conf has correct name servers and they are responding to 'nslookup' and 'host'
Also the following line looks to be creating the parent domain (domain.org) as a subdomain or b.domain.org?
(Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [new_subdomain] (0x0400): Creating [domain.org] as subdomain of [B.DOMAIN.ORG]!
I have changed domain names in logs and changed bits of SIDs. Hope I have not confused anything with SID changes!!
Thanks,
Matthew
10 years, 2 months
login problem sssd-1.11.0 Ubuntu saucy
by Longina Przybyszewska
I am testing sssd-1.11.0 in Ubuntu Saucy - and have problems with ssh
and login from GUI-login (lightdm and gdm) to the machine.
when using local account I get answers from commands:
sudo id aduser
getent passwd aduser
I get "Permission denied:" trying to login :
ssh x.x.x.x -l aduser
ssh x.x.x. -l aduser(a)my.domain.com
and
login as aduser, aduser(a)my.domain.com from login screen.
From sssd_pam.log
-----------------------
[sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [aduser(a)my.domain.com]
(Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [aduser] added to PAM initgroup cache
(Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_dp_send_req] (0x0100):Sending request with the following data:
(Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: my.domain.com
(Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_print_data] (0x0100): user: aduser
(Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser:
not set - Ignored:
(Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: ariadne.i.my.domain.com
(Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 2007
(Thu Sep 26 16:25:44 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x111a980
(Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Thu Sep 26 16:25:44 2013) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x417d20:3:aduser@my.domain.com]
(Thu Sep 26 16:25:44 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x111a980
(Thu Sep 26 16:25:44 2013) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 111B7C0
(Thu Sep 26 16:25:44 2013) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][my.domain.com]
(Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4].
(Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 29
(Thu Sep 26 16:25:44 2013) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1118300][18]
(Thu Sep 26 16:25:49 2013) [sssd[pam]] [pam_initgr_cache_remove] (0x2000): [aduser] removed from PAM initgroup cache
(Thu Sep 26 16:25:51 2013) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 111A1A0
(Thu Sep 26 16:25:51 2013) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
Longina
10 years, 2 months
renewal of krb5 tickets created outside SSSD
by Michael Gliwinski
Hi all,
Currently SSSD (when configured with krb5_renew_interval, etc.) will only
renew tickets it itself created. Is it possible to somehow tell it to also
look after some other ccaches?
The use case I have is for sessions started e.g. via sudo -u + manual kinit or
SSH PKI or SSH GSS-API (i.e. passwordless logins). Those are sometimes long-
running, but the tickets won't be renewed automatically currently.
If not currently possible, I was thinking of creating some simple program that
would call SSSD functions to "register" a specified ccache path
(krb5_save_ccname + add_tgt_to_renew_table?). Do you see any problems with
this approach? Would those functions be somehow accessible from Python API?
Thanks,
Michael
10 years, 2 months
authenticating against all sub-domains in AD forest
by a t
Hi,
I am trying to find a standard config for Linux authentication against Active Directory and I am testing with Centos 6. I have decided on a SSSD/Kerberos/LDAP configuration as described in Red Hat's "Integrating Red Hat Enterprise Linux 6 with Active Directory" section 6.3.
http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:s...
It works very well but for the one domain in our forest, i.e. b.domain.org. However, users of other domains in the forest cannot be authenticated. This is understandable as I have pointed all the config files at the child domain's DCs, i.e. dc1.b.domain.org rather than dc1.domain.org. I have been searching for example configurations which will authenticate any user in the forest even though the Linux installation is joined to a different child domain, but not found any.
Scenario I would like to implement;
Linux installation hostname = lin1
lin1 joined to domain b.domain.org
users from b.domain.org can login to lin1.b.domain.org
users from all child domains of domain.org can log into lin1.b.domain.org, for example a.domain.org, c.domain.org or z.domain.org
I have attached my current config files as a reference. They work for a single domain rather than the whole forest. I suppose I am stuck whether to add each AD child domain as separate domains in SSSD and REALMS in kerberos or if I can get it to see the whole forest.
Thanks for any help / pointers,
Matthew
10 years, 2 months
sssd and sudo
by Rowland Penny
Ok, I am back again, trying to get sssd to control sudo, but failing.
I added the sudo active directory schema ldif to samba4 AD
then added this:
dn: OU=SUDOers,DC=example,DC=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

dn: CN=linuxusers,OU=SUDOers,DC=example,DC=com
objectClass: top
objectClass: sudoRole
cn: linuxusers
sudoUser: %linuxusers
sudoHost: ALL
sudoCommand: ALL
On a Linux Mint client:
sudo apt-get install sudo-ldap
Edited /etc/sudo-ldap.conf
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
BASE DC=example,DC=com
URI ldap://server.example.com
ssl=no
LDAP_VERSION 3
SUDOERS_BASE ou=SUDOers,DC=example,DC=com
SUDOERS_SEARCH_FILTER (&(objectClass=sudoRole))
BINDDN CN=Administrator,CN=Users,DC=example,DC=com
BINDPW xxxxxxxxxx
then edited /etc/nsswitch.conf and added
sudoers: files ldap
restarted sudo
then as a normal user, tried to run a command with sudo, this worked.
I then altered /etc/sssd/sssd.conf and added
services = nss, pam, autofs, sudo
[sudo]
ldap_sudo_search_base = OU=SUDOers,DC=example,DC=com
altered /etc/nsswitch.conf
sudoers: files sss
restarted sssd
restarted sudo
tried to run the command with sudo again, this time it failed
having been bitten by the way autofs works, I went straight to the way
that sudo & sssd do the ldapsearch:
SUDO
(&(&(objectClass=sudoRole))(|(sudoUser=rowland)(sudoUser=%Domain Users)(sudoUser=%#20513)(sudoUser=%vboxusers)(sudoUser=%linuxusers)(sudoUser=%#127)(sudoUser=%#21110)(sudoUser=ALL)))
SSSD
(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=ThinkPad)(sudoHost=ThinkPad.home.lan)(sudoHost=192.168.0.204)(sudoHost=192.168.0.0/24)(sudoHost=fe80::86a6:c8ff:fe3b:da7b)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*))))
sudo searches with objectClass=sudoRole & sudoUser attribute
sssd searches with objectClass=sudoRole & sudoHost attribute
Now I understand that the sssd search for the sudoHost attribute is to
ensure that only sudo rules for the host are downloaded, but it doesn't
actually seem to download any rules.
Is there any way I can get the sssd search to include the sudoUser
attribute in the same way that the sudo ldap search does?
Or can anybody tell me where I am going wrong (again).
Rowland
10 years, 2 months
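To make the two-stage matching concrete, here is an added illustration (my own code, not SSSD's or sudo's) that applies a host filter modelled on the SSSD search above and then a sudoUser filter modelled on the sudo-ldap search, to a set of constructed sudoRole entries including one like the linuxusers rule in the post. The client identity values are the ones that appear in the two filters; netgroup (+name) hosts are assumed non-matching because they cannot be resolved offline, and backslash escapes in wildcard patterns are not handled.

```python
import fnmatch
import ipaddress

# Constructed sudoRole entries; the first one mirrors the linuxusers rule in the post.
RULES = [
    {"cn": "linuxusers", "sudoUser": ["%linuxusers"], "sudoHost": ["ALL"]},
    {"cn": "netadmins", "sudoUser": ["%#21110"], "sudoHost": ["192.168.0.0/24"]},
    {"cn": "dbadmins", "sudoUser": ["%dbadmins"], "sudoHost": ["ThinkPad"]},
    {"cn": "webadmins", "sudoUser": ["rowland"], "sudoHost": ["webserver.home.lan"]},
    {"cn": "nohost", "sudoUser": ["rowland"], "sudoHost": []},
]

# Constructed client identity, using the values visible in the SSSD filter above.
HOST = {
    "hostname": "ThinkPad",
    "fqdn": "ThinkPad.home.lan",
    "addrs": ["192.168.0.204", "fe80::86a6:c8ff:fe3b:da7b"],
}
# Constructed user identity, using the names and gids from the sudo filter above.
USER = {
    "name": "rowland",
    "groups": ["Domain Users", "vboxusers", "linuxusers"],
    "gids": [20513, 127, 21110],
}


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def host_matches(rule, host):
    """Host-side selection modelled on the SSSD filter in the post: no sudoHost
    at all, ALL, short or fully qualified hostname, one of our addresses, a CIDR
    network containing one of them, or a shell-style wildcard pattern.
    Netgroups (+name) are treated as non-matching since they cannot be resolved here."""
    values = rule.get("sudoHost", [])
    if not values:
        return True
    names = {host["hostname"].lower(), host["fqdn"].lower()}
    addrs = [ipaddress.ip_address(a) for a in host["addrs"]]
    for v in values:
        if v == "ALL" or v.lower() in names:
            return True
        if v.startswith("+"):
            continue
        if _is_ip(v):
            if ipaddress.ip_address(v) in addrs:
                return True
            continue
        if "/" in v:
            try:
                net = ipaddress.ip_network(v, strict=False)
            except ValueError:
                continue
            if any(a in net for a in addrs):  # mixed IPv4/IPv6 simply compares False
                return True
            continue
        if any(ch in v for ch in "*?[") and any(
            fnmatch.fnmatchcase(n, v.lower()) for n in names
        ):
            return True
    return False


def user_matches(rule, user):
    """User-side selection modelled on the sudo-ldap filter in the post:
    ALL, a user name, %group, or %#gid."""
    for v in rule.get("sudoUser", []):
        if v == "ALL" or v == user["name"]:
            return True
        if v.startswith("%#"):
            if v[2:].isdigit() and int(v[2:]) in user["gids"]:
                return True
        elif v.startswith("%") and v[1:] in user["groups"]:
            return True
    return False


def applicable_rules(rules, host, user):
    """Two stages, as in the post: the host filter decides what SSSD downloads
    into its cache, the user filter decides which cached rules apply to the caller.
    Returns (downloaded cns, applicable cns)."""
    downloaded = [r for r in rules if host_matches(r, host)]
    applicable = [r for r in downloaded if user_matches(r, user)]
    return [r["cn"] for r in downloaded], [r["cn"] for r in applicable]


if __name__ == "__main__":
    got, usable = applicable_rules(RULES, HOST, USER)
    print("downloaded by host filter:", got)
    print("applicable to user:", usable)
```

Since the linuxusers rule passes both stages here, an empty download on the real system points at the search itself (base, bind or section placement) rather than at the sudoHost filter.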