sssd-users September 2013

sssd-users@lists.fedorahosted.org

23 participants
22 discussions

ldap_sasl_mech EXTERNAL and SSL client authc
by Michael Ströder 18 Mar '15

18 Mar '15

HI! Is it possible to use SASL/EXTERNAL when connecting to a LDAP server with StartTLS or LDAPS using client certs? In a project they have certs in all systems anyway (because of using puppet) and I'd like to let the sssd instances on all the systems authenticate to the LDAP server to restrict visibility of LDAP entries by ACL. I'd like to avoid having to set/configure passwords for each system's sssd. Ciao, Michael.

5 22

sssd.conf, authconfig and ldap_uri
by Olivier 11 Oct '13

11 Oct '13

Hello everyone, I launch "authconfig" within a script to setup my redhat6 boxes. I noticed that authconfig does not set up sssd.conf properly : https://bugzilla.redhat.com/show_bug.cgi?id=874527 but the bug is declared as "closed" ? First question : could anyone confirm that authconfig does *not* configure sssd.conf with "--enablesss" and "--enablesssdauth" and that I therefore need to configure that file myself (by hand or within my script) ? Second question: I noticed that sssd seemed to work properly even without declaring the "ldap_uri" parameter within sssd.conf. Could anyone confirm that this parameter is not necessary and where does sssd collect the list of ldap servers to query in that case, ldap.conf ? Thank you for any help, Best regards, --- Olivier

4 25

Re: [SSSD-users] authenticating against all sub-domains in AD forest
by a t 03 Oct '13

03 Oct '13

Hi, That user, test.user, is in the subdomain a.domain.org. Thr logs mark domain.org as a subdomain of b.domain.org. however, this is not correct - domain.org is the root domain of which b.domain.org is a subdomain. We do not have users in the root domain. All users are in other subdomains. I believe the user I tested in another subdomain, mhunt.test(a)a.domain.org did not show in the logs. When I tried to log in with mhunt.test(a)a.domain.org the logs show that sssd believes that domain "a" is a subdomain if b.domain.org rather than another subdomain of domain.org. I might have to ask if I can send un-obfuscated incase I am adding in confusion! Thanks, Matthew --- Original Message --- From: "Jakub Hrozek" <jhrozek(a)redhat.com> Sent: 29 September 2013 12:26 To: "End-user discussions about the System Security Services Daemon" <sssd-users(a)lists.fedorahosted.org> Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest On Tue, Sep 24, 2013 at 11:02:48AM +0000, a t wrote: > > Hi, > > please see logs attached. (couldn't upload logs as they were too large so i hope a tar.gz gets through). I stopped sssd, deleted logs and started sssd. Then ran the commands below; > > ssh B\\test.user@localhost - run at (Tue Sep 24 10:31:19 2013) - login succeds > ssh a\\mhunt.test@localhost - run at (Tue Sep 24 10:32:10 2013) - login fails. The error on ssh login is "Permission denied, please try again." > > (NOTE: I have just noticed I tested with uppercase domain "B" and lowercase domain "a". I have just retested with uppercase "A" and it still fails.) > > There are DNS server errors in the log. > > (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve AAAA record of 'le-vm05-centos6' in DNS > (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds > (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher > (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [request_watch_destructor] (0x0400): Deleting request watch > (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_done] (0x0040): querying hosts database failed [5]: Input/output error > (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [nsupdate_get_addrs_done] (0x0040): Could not resolve address for this machine, error [5]: Input/output error, resolver returned: [11]: Could not contact DNS servers > > However, DNS from this install is working (when querying its hostname or others on LAN or internet) and from other boxes querying its hostname. resolv.conf has correct name servers and they are responding to 'nslookup' and 'host' > > Also the following line looks to be creating the parent domain (domain.org) as a subdomain or b.domain.org? > > (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [new_subdomain] (0x0400): Creating [domain.org] as subdomain of [B.DOMAIN.ORG] > > I have changed domain names in logs and changed bits of SIDs. Hope I have not confused anything with SID changes!! > > Thanks, > > Matthew Hi, I'm sorry for the late reply.. According to these logs I see three potential things to take a look at: 1) (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve AAAA record of 'le-vm05-centos6' in DNS (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [request_watch_destructor] (0x0400): Deleting request watch (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_done] (0x0040): querying hosts database failed [5]: Input/output error (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [nsupdate_get_addrs_done] (0x0040): Could not resolve address for this machine, error [5]: Input/output error, resolver returned: [11]: Could not contact DNS servers It looks like you were hitting https://fedorahosted.org/sssd/ticket/2063 which should be resolved by now. What exact version was this? The one from sssd-devel? 2) The other thing I see: (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [B.DOMAIN.ORG] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_B_DOMAIN_ORG] (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [sss_krb5_touch_config] (0x0020): Unable to change mtime of "/etc/krb5.conf" [13]: Permission denied (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [sss_write_domain_mappings] (0x0020): Unable to change last modification time of krb5.conf. Created mappings may not be loaded. This sounds like SELinux denial to me. Could you try setting SELinux to permissive for the duration of the test (setenforce 0) 3) Then in the logs I see a lookup and authentication of [CN=test user,OU=No Management,OU=User Accounts,DC=b,DC=domain,DC=org] Is that a root domain or subdomain user? Because this particular request seems to have completed fine.. According to the logs, the subdomain should be just called domain.org: (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [new_subdomain] (0x0400): Creating [domain.org] as subdomain of [B.DOMAIN.ORG] (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [sdap_domain_subdom_add] (0x0400): subdomain domain.org is a new one, will create a new sdap domain object But I don't see a request for a subdomain user from domain.org..not sure if the real DN just got lost in the obfuscation.. _______________________________________________ sssd-users mailing list sssd-users(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users

2 3

Announcing SSSD 1.11.1
by Jakub Hrozek 30 Sep '13

30 Sep '13

=== SSSD 1.11.1 === The SSSD team is proud to announce the release of version 1.11.1 of the System Security Services Daemon. As always, the source is available from https://fedorahosted.org/sssd RPM packages will be made available for Fedora 19, 20 and rawhide shortly. == Feedback == Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users == Highlights == * This release contains mainly bug fixes in the Active Directory provider and setups where the SSSD is running on an IPA server instance. In particular: - Several cases where offline authentication did not work correctly for users from Active Directory domains were fixed - Fixed a resolver bug that caused the SSSD to only look up AAAA records for trusted Active Directory servers - SSSD is now able to resolve users from trusted AD domains using their POSIX attributes * The simple access provider now allows the administrator to specify users or groups from trusted domains in the access or deny lists * Handling of Kerberos credential caches was made simpler and more robust == Packaging Changes == * A new subpackage sssd-common-pac was added to work around a packaging bug. Previous SSSD versions would own the PAC responder by both the IPA and AD providers, which is not permitted by the Fedora packaging guidelines. == Tickets Fixed == https://fedorahosted.org/sssd/ticket/1945 Enable printf format string checking in function debug_fn https://fedorahosted.org/sssd/ticket/2001 Implement heuristics to use Global Catalog servers from local DNS domain first https://fedorahosted.org/sssd/ticket/2007 sss_debuglevel did not increase verbosity in sssd_pac.log https://fedorahosted.org/sssd/ticket/2034 [RFE] simple access provider: support subdomain users and groups https://fedorahosted.org/sssd/ticket/2060 Cached credentials aren't working with sssd-ad UPN logins https://fedorahosted.org/sssd/ticket/2063 sssd-ad unable to resolve names in other domains possibly UPN related https://fedorahosted.org/sssd/ticket/2066 ad: invalid handling of Domain Users group for subdomain user https://fedorahosted.org/sssd/ticket/2067 Carry on if detecting the flat name fails https://fedorahosted.org/sssd/ticket/2068 Initial enumeration in the AD provider does not work https://fedorahosted.org/sssd/ticket/2070 The present sssd-ad is unable to pull RFC2307 attributes from all domains in a forest https://fedorahosted.org/sssd/ticket/2075 sssd fails to retrieve netgroups with multiple CN attributes https://fedorahosted.org/sssd/ticket/2076 Fix expand_ccname_template libkrb5 style expansion and add tests https://fedorahosted.org/sssd/ticket/2079 SSSD subdomains provider does not resolve SRV records correctly when DNS name of the server is different from domain/realm name of IPA install in IPA server mode https://fedorahosted.org/sssd/ticket/2080 When in IPA server mode, SSSD should map trusted forest subdomains to root domain realm https://fedorahosted.org/sssd/ticket/2085 man sssd-sudo: improve description of necessary configuration https://fedorahosted.org/sssd/ticket/2087 The multicast check is wrong in the sudo source code getting the host info https://fedorahosted.org/sssd/ticket/2090 getpwuid and getgrgid do not use the negative cache https://fedorahosted.org/sssd/ticket/2091 Document that server side password policies always takes precedence https://fedorahosted.org/sssd/ticket/2093 sssd should write capaths for IPA trusted forests' subdomains == Detailed Changelog == Jakub Hrozek (24): * Updating the version for 1.11.1 release * PROXY: Handle empty GECOS * MAN: Document that sss_cache should be run after changing the cache timeout * AD: Rename parametrized #define * LDAP: Store cleanup timestamp after initial cleanup * Remove unused code * TESTS: Remove unused variable * KRB5: Call umask before mkstemp in the krb5 child code * AD: async request to retrieve master domain info * LDAP: sdap_id_setup_tasks accepts a custom enum request * AD: Download master domain info when enumerating * AD: Failure to get flat name is not fatal * Convert IN_MULTICAST parameter to host order * NSS: Set UID and GID to negative cache after searching all domains * NSS: Failure to store entry negative cache should not be fatal * KRB5: Fix bad comparison * IPA: Ignore dns_discovery_domain in server mode * KRB5: Return ERR_NETWORK_IO when trusted AD server can't be resolved * KRB5: Use the correct domain when authenticating with cached password * LDAP: Require ID numbers when ID mapping is off * LDAP: Allow searching subdomain during RFC2307bis initgroups * AD: talk to GC first even for local domain objects * MAN: Document that POSIX attributes must be replicated to GC * Updating the translations for the 1.11.1 release Lukas Slebodnik (38): * AUTOMAKE: Add missing escaped newline * Include sys/types.h for types id_t and uid_t * UTIL: Use standard maximum value of type size_t * KRB5: Fix warning declaration shadows global declaration * Fix warning missing arguments * mmap_cache: Do not remove record from chain twice * AUTOTOOLS: Add -LLIBDIR to PYTHON_LIBS * AUTOTOOLS: Add missing AC_MSG_RESULT * AUTOMAKE: Use portable way to link with dlopen * AUTOMAKE: Use portable way to link with gettext * AUTOTOOLS: Add directories for searching ldap headers and libs * AUTOTOOLS: Refactor unicode library detection * AUTOTOOLS: add check for type intptr_t * AUTOTOOLS: Use pkg-config to detect libraries. * AUTOTOOLS: More robust detection of inotify. * krb5: Fix warning sometimes uninitialized * Fix formating of variables with type: long * Fix formating of variables with type: unsigned long * Fix formating of variables with type: int * Fix pointer formatting * Use the same variable type like in struct ldb_message_element * Fix formating of variables with type: ssize_t * Fix formating of variables with type: size_t * Adding new header for printf formating macros * Fix formating of variables with type: key_serial_t * Fix formating of variables with type: rlim_t * Fix formating of variables with type defined in stdint.h * Fix formating of variables with type: time_t * Fix formating of variables with ber_ type * Fix warning: data argument not used by format string * Use right formating to print string * Fix formating of variables with type: id_t * Fix formating of variables with type: uid_t * Fix formating of variables with type: gid_t * Enable printf format string checking * KRB: Remove unused memory context * KRB: Remove unused function parameters * LDAP: Use primary cn to search netgroup Michal Zidek (4): * Rename SAFEALIGN macros * Rename _SSS_MC_SPECIAL * man sssd: Add note about SSS_NSS_USE_MEMCACHE * Check slot validity before MC_SLOT_TO_PTR. Nikolai Kondrashov (1): * Fix reference to sssd-krb5 man page Ondrej Kos (2): * DB: Add user/group lookup by SID * DB: Rise search functions debug levels Pavel Březina (22): * Fix czech specific character in my name * krb5_utils tests: fix some typos * resolv_sort_srv_reply: remove unnecessary mem_ctx * fo srv: add priority to fo_server_info * utils: add is_host_in_domain() * ad srv: prefer servers that are in the same domain as client * sysdb_search_group_by_gid: obtain gid instead of uid * is_dn(): free dn * util: add sss_idmap_talloc[_free] * simple access tests: fix typos * simple provider: support subdomain users * util: add find_subdomain_by_sid() * util: add find_subdomain_by_object_name() * simple provider: support subdomain groups * simple access test: initialize be_ctx for all tests * simple provider: obey case sensitivity for subdomain users and groups * man: improve sssd-sudo manual page * man: server side password policies always takes precedence * util: add get_domains_head() * sysdb: get_sysdb_grouplist() can return either names or dn * sysdb: sysdb_update_members can take either name or dn * ad: store group in correct tree on initgroups via tokenGroups Simo Sorce (18): * Makefile: Fix sssd_be targets * krb5: Ingnore unknown expansion sequences * tests: Add dlopen test to make sure modules works * krb5: Add calls to change and restore credentials * krb5: Add helper to destroy ccache as user * krb5: Use krb5_cc_destroy to remove old ccaches * krb5: Replace type-specific ccache/principal check * krb5: Move determination of user being active * krb5: move template check to initializzation * krb5: Make check_for_valid_tgt() static * krb5: Use new function to validate ccaches * krb5: Unify function to create ccache files * krb5: Remove unused ccache backend infrastructure * krb5: Remove unused function * krb5: Add file/dir path precheck * krb5_child: Simplify ccache creation * krb5: Remove unused helper functions * krb5: Be more lenient on failures for old ccache Stephen Gallagher (1): * RPM: Add new subpackage for PAC responder Sumit Bose (7): * dyndns: do not modify global family_order * sdap_domain_add: remove too strict consistency check * krb5: save canonical upn to sysdb * krb5: do not expand enterprise principals is offline * IPA: store forest name for forest member domains * ipa_server_mode: write capaths to krb5 include file * Do not return DP_ERR_FATAL in case of success

2 1

Can't change default ldap_idmap_range
by Melvin Williams 30 Sep '13

30 Sep '13

Hello everybody, I'm trying to change the default ldap_idmap_range_min, ldap_idmap_range_max and ldap_idmap_range_size. First of all I'm not sure where to place them. I tried placing them in [domain/DOMAINNAME]. If I do so sssd service fails to start. I can't find any hints in logs even though I put the debug_level on 0xFFF0. Then I placed them in the [sssd] section. The service starts now but it seems that the values are ignored. My sssd.conf looks as follows: [sssd] services = nss, pam config_file_version = 2 domains = domain.name debug_level = 0xFFF0 ldap_idmap_default_domain_sid = SID ldap_idmap_default_domain = domain.name [nss] default_shell = /bin/bash [pam] [domain/domain.name] ad_hostname = hostname.domain.name ad_server = dc1.domain.name ad_backup_server = dc2.domain.name ad_domain = domain.name #ldap_idmap_range_min = 100000 #ldap_idmap_range_max = 200000 #ldap_idmap_range_size = 10000 ldap_schema = ad ldap_id_mapping=true id_provider = ad ldap_sasl_mech = gssapi ldap_sasl_authid = dc1$(a)DONAIN.NAME access_provider = simple override_homedir = /home/%d/%u # on large directories, you may want to disable enumeration for performance reasons enumerate = true auth_provider = krb5 chpass_provider = krb5 krb5_realm = DOMAIN.NAME krb5_server = dc1.domain.name krb5_backup_server = dc2.domain.name krb5_kpasswd = dc1.domain.name krb5_backup_kpasswd = dc2.domain.name krb5_keytab = /etc/krb5.sssd.keytab ldap_krb5_init_creds = true ldap_referrals = false ldap_uri = ldap://dc1.domain.name,ldap://dc2.domain.name ldap_search_base = some_search_base dyndns_update=false I hope somebody can help me with this issue. Thanks

2 2

Re: [SSSD-users] authenticating against all sub-domains in AD forest
by a t 29 Sep '13

29 Sep '13

Hi, please see logs attached. (couldn't upload logs as they were too large so i hope a tar.gz gets through). I stopped sssd, deleted logs and started sssd. Then ran the commands below; ssh B\\test.user@localhost - run at (Tue Sep 24 10:31:19 2013) - login succeds ssh a\\mhunt.test@localhost - run at (Tue Sep 24 10:32:10 2013) - login fails. The error on ssh login is "Permission denied, please try again." (NOTE: I have just noticed I tested with uppercase domain "B" and lowercase domain "a". I have just retested with uppercase "A" and it still fails.) There are DNS server errors in the log. (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve AAAA record of 'le-vm05-centos6' in DNS (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 6 seconds (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [request_watch_destructor] (0x0400): Deleting request watch (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [resolv_gethostbyname_done] (0x0040): querying hosts database failed [5]: Input/output error (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [nsupdate_get_addrs_done] (0x0040): Could not resolve address for this machine, error [5]: Input/output error, resolver returned: [11]: Could not contact DNS servers However, DNS from this install is working (when querying its hostname or others on LAN or internet) and from other boxes querying its hostname. resolv.conf has correct name servers and they are responding to 'nslookup' and 'host' Also the following line looks to be creating the parent domain (domain.org) as a subdomain or b.domain.org? (Tue Sep 24 10:30:45 2013) [sssd[be[B.DOMAIN.ORG]]] [new_subdomain] (0x0400): Creating [domain.org] as subdomain of [B.DOMAIN.ORG] I have changed domain names in logs and changed bits of SIDs. Hope I have not confused anything with SID changes!! Thanks, Matthew

2 1

27 Sep '13

I am testing sssd-1.11.0 in Ubuntu Saucy - and have problems with ssh and login from GUI-login (lightdm and gdm) to the machine. when using local account I get answers from commands: sudo id aduser getent passwd aduser I get "Permission denied:" trying to login : ssh x.x.x.x -l aduser ssh x.x.x. -l aduser(a)my.domain.com and login as aduser, aduser(a)my.domain.com from login screen. >From sssd_pam.log ----------------------- [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [aduser(a)my.domain.com] (Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [aduser] added to PAM initgroup cache (Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_dp_send_req] (0x0100):Sending request with the following data: (Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE (Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_print_data] (0x0100): domain: my.domain.com (Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_print_data] (0x0100): user: aduser (Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_print_data] (0x0100): service: sshd (Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh (Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set - Ignored: (Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_print_data] (0x0100): rhost: ariadne.i.my.domain.com (Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1 (Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 (Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 2007 (Thu Sep 26 16:25:44 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x111a980 (Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0 (Thu Sep 26 16:25:44 2013) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x417d20:3:aduser@my.domain.com] (Thu Sep 26 16:25:44 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x111a980 (Thu Sep 26 16:25:44 2013) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 111B7C0 (Thu Sep 26 16:25:44 2013) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching. (Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [4][my.domain.com] (Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]. (Thu Sep 26 16:25:44 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 29 (Thu Sep 26 16:25:44 2013) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1118300][18] (Thu Sep 26 16:25:49 2013) [sssd[pam]] [pam_initgr_cache_remove] (0x2000): [aduser] removed from PAM initgroup cache (Thu Sep 26 16:25:51 2013) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 111A1A0 (Thu Sep 26 16:25:51 2013) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching. Longina

3 4

renewal of krb5 tickets created outside SSSD
by Michael Gliwinski 26 Sep '13

26 Sep '13

Hi all, Currently SSSD (when configured with krb5_renew_interval, etc.) will only renew tickets it itself created. Is it possible to somehow tell it to also look after some other ccaches? The use case I have is for sessions started e.g. via sudo -u + manual kinit or SSH PKI or SSH GSS-API (i.e. passwordless logins). Those are sometimes long- running, but the tickets won't be renewed automatically currently. If not currently possible, I was thinking of creating some simple program that would call SSSD functions to "register" a specified ccache path (krb5_save_ccname + add_tgt_to_renew_table?). Do you see any problems with this approach? Would those functions be somehow accessible from Python API? Thanks, Michael ********************************************************************************************** The information in this email is confidential and may be legally privileged. It is intended solely for the addressee and access to the email by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients, any opinions or advice contained in this e-mail are subject to the terms and conditions expressed in the governing client engagement leter or contract. If you have received this email in error please notify support(a)henderson-group.com John Henderson (Holdings) Ltd Registered office: 9 Hightown Avenue, Mallusk, County Antrim, Northern Ireland, BT36 4RT. Registered in Northern Ireland Registration Number NI010588 Vat No.: 814 6399 12 *********************************************************************************

4 7

authenticating against all sub-domains in AD forest
by a t 23 Sep '13

23 Sep '13

Hi, I am testing find a standard config for Linux authentication against Active Directory and I am testing with Centos 6. I have decided on a SSSD/Kerberos/LDAP configuration as described in RedHats "Integrating Red Hat Enterprise Linux 6 with Active Directory" section 6.3. http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:sys… It works very well but for the one domain in our forest i.e. b.domain.org. However, users of other domains in the forest can not be authenticated. This is understandable as I have pointed all the config files at the child domains DC's, i.e. dc1.b.domain.org rather than dc1.domain.org. I have been searching for example configurations which will authenticate any user in the forest even though the Linux installation is joined to a different child domain but not found any. Scenario I would like to implement; Linux installation hostname = lin1lin1 joined to domain b.domain.orgusers from b.domain.org can login to lin1.b.doamin.orgusers from all child domains of domain.org can log into lin1.b.domain.org. for example a.domain.org, c.domain.org or z.domain.org I have attached my current config files as a reference. They work for a single domain rather than the whole forest. I suppose I am stuck whether to add each AD child domain as separate domains in SSSD and REALMS in kerberos or if I can get it to see the whole forest. Thanks for any help / pointers, Matthew

2 9

sssd and sudo
by Rowland Penny 23 Sep '13

23 Sep '13

Ok, I am back again, trying to get sssd to control sudo, but failing. I added the sudo active directory schema ldif to samba4 AD then added this: dn: OU=SUDOers,DC=example,DC=com objectClass: top objectClass: organizationalUnit ou: SUDOers dn: CN=linuxusers,OU=SUDOers,DC=example,DC=com objectClass: top objectClass: sudoRole cn: linuxusers sudoUser: %linuxusers sudoHost: ALL sudoCommand: ALL On a Linux Mint client: sudo apt-get install sudo-ldap Edited /etc/sudo-ldap.conf # TLS certificates (needed for GnuTLS) TLS_CACERT /etc/ssl/certs/ca-certificates.crt BASE DC=example,DC=com URI ldap://server.example.com ssl=no LDAP_VERSION 3 SUDOERS_BASE ou=SUDOers,DC=example,DC=com SUDOERS_SEARCH_FILTER (&(objectClass=sudoRole)) BINDDN CN=Administrator,CN=Users,DC=example,DC=com BINDPW xxxxxxxxxx then edited /etc/nsswitch.conf and added sudoers: files ldap restarted sudo then as a normal user, tried to run a command with sudo, this worked. I then altered /etc/sssd/sssd.conf and added services = nss, pam, autofs, sudo [sudo] ldap_sudo_search_base = OU=SUDOers,DC=example,DC=com altered /etc/nsswitch.conf sudoers: files sss restarted sssd restarted sudo tried to run the command with sudo again, this time it failed having been bitten by the way autofs works, I went straight to the way that sudo & sssd do the ldapsearch: SUDO (&(&(objectClass=sudoRole))(|(sudoUser=rowland)(sudoUser=%Domain Users)(sudoUser=%#20513)(sudoUser=%vboxusers)(sudoUser=%linuxusers)(sudoUser=%#127)(sudoUser=%#21110)(sudoUser=ALL))) SSSD (&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=ThinkPad)(sudoHost=ThinkPad.home.lan)(sudoHost=192.168.0.204)(sudoHost=192.168.0.0/24)(sudoHost=fe80::86a6:c8ff:fe3b:da7b)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\**)(sudoHost=*[*]*)))) sudo searches with objectClass=sudoRole & sudoUser attribute sssd searches with objectClass=sudoRole & sudoHost attribute Now I understand that the sssd search for the sudoHost attribute is to ensure that only sudo rules for the host are downloaded, but it doesn't actually seem to download any rules. Is there anyway I can get the sssd search to include the sudoUser attribute in the same way that the sudo ldap search does? Or can anybody tell me where I am going wrong (again). Rowland

6 20

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

sssd-users September 2013