ldap_sasl_mech EXTERNAL and SSL client authc
by Michael Ströder
Hi!
Is it possible to use SASL/EXTERNAL when connecting to a LDAP server with
StartTLS or LDAPS using client certs?
In a project they have certs in all systems anyway (because of using puppet)
and I'd like to let the sssd instances on all the systems authenticate to the
LDAP server to restrict visibility of LDAP entries by ACL. I'd like to avoid
having to set/configure passwords for each system's sssd.
Ciao, Michael.
8 years, 6 months
Connection to ad via ldap failing
by Nordgren, Bryce L -FS
Well, I guess the title is a little misleading. The ldap connection is working like a champ. I configured sssd to bind using my own credentials, and that's working. The searches are successful and return the correct result.
Things I don't understand:
* Sssd performs two ldap searches for my username, not one.
* Using wireshark, I don't even see it trying to bind to AD using the account it finds (twice).
* sssd fails to authenticate me, but the logs seem to indicate that everything it tried succeeded.
This is on a VM with a minimal install of Fedora 19. The setup roughly follows https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate... with local modifications to enable id mapping. I'm attaching edited versions of sssd.conf, sssd_pam.log, sssd_nss.log, and the output of wireshark (stupidly named sssd.log.) pam and nss are both at debug level 9.
Does anyone have any suggestions as to what I should try?
Bryce
9 years, 7 months
sssd-1.11.1 Saucy automount
by Longina Przybyszewska
I would like to get access to NFS and CIFS shares.
Sssd is configured with ad provider.
Is it possible to mount cifs share and nfs share on demand with
sssd and autofs service?
Kind regards,
Longina Przybyszewska
Systems programmer, IT Services
9 years, 8 months
sdap_save_user save user SID issue
by Chris Gray
Hello all,
I've been using SSSD 1.9 for a while now, and it works great. I'm setting
up a Fedora 19 laptop which came with a newer version of SSSD, 1.11.3-1.
I configured it much like I configure the installs of 1.9, using the ad
provider for everything, and using msktutil to handle joining to my AD
domain.
When I attempted to login, I got access denied, so I increased the logging,
restarted SSSD, and tried again. In the log, everything's looking good,
until I get to sdap_save_user.
[sdap_save_user] (0x0400) : Save user
[sdap_save_user] (0x0040) : SID (redacted, but it is the correct SID for my
account) does not belong to any known domain
[sdap_save_users] (0x0040) : Failed to store user 0. Ignoring.
My AD environment is a forest, and my Fedora laptop is joined to a child
domain. SSSD is only configured for the child domain as well, I haven't
tried multiple domain setups. So, SSSD should only know about the single
domain.
In sssd.conf, I do have ad_domain set to the FQDN.
I'm sure this is probably something simple. Or it's related to the changes
made in 1.11.2 for sdap_save_user: try to determine domain by SID.
The domain portion of my SID is correct as well, and running psgetsid
sidvalue for both my account and the domain SID returns the correct
information.
It finds my GC via DNS, and correctly uses the two local servers as the
primary GC servers, with 32 backup servers. I'm sure that my laptop can't
actually connect to all 34 domain controllers, due to firewalls. DNS
contains the _gc entries for the remote GC servers, but has no current way
to resolve the hosts.
I'm currently assuming that the lack of a connection to the other GCs causes
it to fail to find out which domain the domain portion of my account's SID
belongs to.
Any help in pointing me towards a resolution would be appreciated.
Thanks,
Chris
9 years, 8 months
uid/gid allocation strategy
by Nordgren, Bryce L -FS
Can sssd allocate uid/gid out of a pool unique to each domain? The mapping need not be complex: "last_allocated+1" should suffice.
I'm motivated to ask the following question because I "supplement" our official active directory with accounts for external partners/collaborators. Numeric uid/gid fields could well collide because there's no coordination, nor is there likely to be. In the long term, we'd like to fix that, and we'd like to convince our powers-that-be that joining one or more larger "identity federations" is in their best interest. But that puts us right back where we started, as uid/gids across several large, mostly disconnected organizations are not going to be coordinated.
So: What reasons still exist to insist on coordination? Are we ready to make the leap to coordinating the set of text-based-principals which are valid within a domain?
File sharing via NFS with "sec=sys" is just about the only obstruction I can think of. Otherwise, uid/gids are local to each machine, and it is sufficient to allow each machine to perform its own unique mapping from "valid username" to uid.
So if I either prohibit NFS entirely or insist on "sec=krb5", could I have a gaggle of linux boxes which individually allocate uids and gids as they encounter valid Kerberos credentials?
Sorry for wandering into the abstract there... this seemed an appropriate venue for determining whether such a scheme was viable.
Bryce
9 years, 8 months
Re: [SSSD-users] sssd-1.11.1 in Saucy - GUI login problem [solved]
by Longina Przybyszewska
I have figured out that a missing homedir is the problem with logging in as ADUser(a)domain.com from the GUI.
Best,
Longina
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
9 years, 8 months
Re: [SSSD-users] sssd-1.11.1 in Saucy - GUI login problem
by Longina Przybyszewska
It seems that issuing the command
kinit -k COMPUTER$@DOMAIN
helped with the sssd startup problem.
I am very pleased to notice that I could successfully change the expired AD user's password online (during an ssh session!).
I can log in from the GUI as local user 'longina'.
I can 'su - ADuser' as 'longina' in a terminal.
I cannot log in from the GUI as ADuser!!
testuser(a)a.example.com
a\testuser
From auth.log:
Jan 27 16:14:48 longina-nb lightdm: pam_unix(lightdm:session): session closed for user longina
Jan 27 16:14:49 longina-nb lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Jan 27 16:15:09 longina-nb lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "testuser(a)a.example.com "
Jan 27 16:15:19 longina-nb lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=testuser(a)a.example.com
Jan 27 16:15:20 longina-nb lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=testuser(a)a.example.com
......
Jan 27 16:15:20 longina-nb lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
Jan 27 16:15:20 longina-nb lightdm: pam_unix(lightdm:session): session opened for user testuser(a)a.example.com by (uid=0)
Jan 27 16:15:20 longina-nb lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Jan 27 16:15:36 longina-nb lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "a\testuser"
Jan 27 16:15:46 longina-nb lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=a\testuser
Jan 27 16:15:46 longina-nb lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=a\testuser
Jan 27 16:15:47 longina-nb lightdm: pam_unix(lightdm-greeter:session): session closed for user lightdm
Jan 27 16:15:47 longina-nb lightdm: pam_unix(lightdm:session): session opened for user a\testuser by (uid=0)
Jan 27 16:15:47 longina-nb lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Jan 27 16:16:14 longina-nb login[1238]: pam_unix(login:session): session opened for user longina by LOGIN(uid=0)
Jan 27 16:16:35 longina-nb su[5160]: pam_unix(su:auth): authentication failure; logname=longina uid=1001 euid=0 tty=/dev/tty1 ruser=longina rhost= user=testuser(a)a.example.com
Jan 27 16:16:35 longina-nb su[5160]: pam_sss(su:auth): authentication success; logname=longina uid=1001 euid=0 tty=/dev/tty1 ruser=longina rhost= user=testuser(a)a.example.con
Jan 27 16:16:35 longina-nb su[5160]: Successful su for testuser(a)a.example.com by longina
Jan 27 16:16:35 longina-nb su[5160]: + /dev/tty1 alongina:testuser@a.example.com
Jan 27 16:16:35 longina-nb su[5160]: pam_unix(su:session): session opened for user testuser(a)a.example.com by longina(uid=1001)
Jan 27 16:17:01 longina-nb CRON[5203]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 27 16:17:01 longina-nb CRON[5203]: pam_unix(cron:session): session closed for user root
Sssd_pam.log:
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_check_user_search] (0x0400): Returning info for user [testuser(a)a.example.com]
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): domain: a.example.com
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): user: testuser
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): service: lightdm
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): tty: :0
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5363
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x12211a0
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x12211a0
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x1223050
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [0][a.example.com]
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0].
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_reply] (0x0200): blen: 29
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x122d7f0][18]
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x122d7f0][18]
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [client_destructor] (0x2000): Terminated client [0x122d7f0][18]
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [get_client_cred] (0x4000): Client creds: euid[0] egid[0] pid[5616].
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x121fa20][18]
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [accept_fd_handler] (0x0400): Client connected to privileged pipe!
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x121fa20][18]
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3].
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3].
:
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x121fa20][18]
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x121fa20][18]
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_cmd_open_session] (0x0100): entering pam_cmd_open_session
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'lightdm' matched without domain, user is lightdm
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): user: lightdm
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): service: lightdm-greeter
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): tty: :0
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 5616
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [10].
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [pam_reply] (0x0200): blen: 8
(Mon Jan 27 16:42:58 2014) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x121fa20][18]
(Mon Jan 27 16:42:59 2014) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x1220b60
(Mon Jan 27 16:42:59 2014) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Jan 27 16:42:59 2014) [sssd[pam]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
(Mon Jan 27 16:43:02 2014) [sssd[pam]] [pam_initgr_cache_remove] (0x2000): [testuser] removed from PAM initgroup cache
Best,
Longina
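In the auth.log excerpt above, the pam_unix "authentication failure" immediately followed by a pam_sss "authentication success" for the same user is the normal PAM stack fall-through for an AD user who has no entry in the local shadow file, not a failed login. As an added example that is not part of this thread or of SSSD, the Python below groups such lines per (service, user) and reports whether any module in the stack accepted the credentials, so only attempts rejected by every module surface as real failures; the sample log is constructed in the same format, with an extra sshd attempt to show a genuine failure.

```python
import re
from collections import OrderedDict

# Constructed sample in the same syslog/PAM format as the auth.log excerpt
# above (not copied from the post); the sshd lines are added so that a
# genuine failure appears next to the benign pam_unix -> pam_sss fall-through.
SAMPLE_AUTH_LOG = """\
Jan 27 16:15:09 host1 lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "testuser@a.example.com"
Jan 27 16:15:19 host1 lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=testuser@a.example.com
Jan 27 16:15:20 host1 lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=testuser@a.example.com
Jan 27 16:15:20 host1 lightdm: pam_unix(lightdm:session): session opened for user testuser@a.example.com by (uid=0)
Jan 27 16:16:35 host1 su[5160]: pam_unix(su:auth): authentication failure; logname=longina uid=1001 euid=0 tty=/dev/tty1 ruser=longina rhost= user=testuser@a.example.com
Jan 27 16:16:35 host1 su[5160]: pam_sss(su:auth): authentication success; logname=longina uid=1001 euid=0 tty=/dev/tty1 ruser=longina rhost= user=testuser@a.example.com
Jan 27 16:20:00 host1 sshd[6001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=bob@a.example.com
Jan 27 16:20:01 host1 sshd[6001]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=bob@a.example.com
"""

# One syslog line: timestamp, host, process[pid]: pam_module(service:type): message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\s:\[]+)(?:\[\d+\])?: "
    r"(?P<module>pam_\w+)\((?P<service>[^:]+):(?P<type>\w+)\): (?P<msg>.*)$"
)
RESULT_RE = re.compile(r"authentication (?P<result>success|failure)")
FIELD_RE = re.compile(r"(?P<key>\w+)=(?P<val>\S*)")  # logname= uid=0 ... user=...


def parse_line(line):
    """Split one PAM log line into its parts, or return None if it is not one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(FIELD_RE.findall(rec["msg"]))
    return rec


def classify_auth(log_text):
    """Group auth-type lines by (service, user) and decide the overall outcome.

    PAM tries the modules of a stack in order; pam_unix cannot verify a user
    who has no local shadow entry, so a pam_unix failure followed by a
    pam_sss success is the expected path for a directory (AD) user.  Only
    when every module reports failure is the attempt a real failure.
    """
    attempts = OrderedDict()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["type"] != "auth":
            continue
        res = RESULT_RE.search(rec["msg"])
        user = rec["fields"].get("user")
        if res is None or not user:
            continue  # e.g. pam_succeed_if "requirement ... not met" lines
        key = (rec["service"], user)
        entry = attempts.setdefault(key, {
            "modules": [],          # (module, result) in stack order
            "outcome": "failure",   # flipped to "success" if any module accepts
            "succeeded_by": None,
            "rhost": rec["fields"].get("rhost") or None,
        })
        entry["modules"].append((rec["module"], res.group("result")))
        if res.group("result") == "success":
            entry["outcome"] = "success"
            entry["succeeded_by"] = rec["module"]
    return attempts


def report(attempts):
    """Render one human-readable line per (service, user) attempt."""
    lines = []
    for (service, user), e in attempts.items():
        chain = " -> ".join(f"{mod}:{res}" for mod, res in e["modules"])
        where = f" from {e['rhost']}" if e["rhost"] else ""
        if e["outcome"] == "success":
            lines.append(f"{service} {user}{where}: OK via {e['succeeded_by']} ({chain})")
        else:
            lines.append(f"{service} {user}{where}: FAILED in all modules ({chain})")
    return lines


if __name__ == "__main__":
    for line in report(classify_auth(SAMPLE_AUTH_LOG)):
        print(line)
```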
9 years, 8 months
sssd-1.11.1 in Saucy
by Longina Przybyszewska
I tried sssd in Ubuntu-Saucy, clean installation, AD provider.
"+" sides:
- can join AD with 'realm'
- auto-created krb5.keytab for the computer
- auto-created DNS entries for the computer
"-" sides:
- sssd on start auto-generates a buggy /etc/sssd/sssd.conf
(white space before end of line in entry:
realmd_tags = manages-system joined-with-samba;
)
- cannot log in as member@ad_domain from the GUI login even though
'id member@ad_domain' on the CLI can find the data
This is my auto configured config file:
-----------------------------------------
[sssd]
domains = a.c.example.com
config_file_version = 2
services = nss, pam
[domain/a.c.example.com]
ad_domain = a.c.example.com
krb5_realm = A.C.EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u
access_provider = ad
Any ideas?
Best regards
Longina
9 years, 8 months
Re: [SSSD-users] sssd-1.11.1 in Saucy: adcli or realm
by Longina Przybyszewska
What is the preferable way of joining AD for an sssd client machine: 'adcli join' or 'realm join'?
'realm discover' says it requires the 'adcli' package; does that mean 'realm' itself uses it?
Best
Longina
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Longina Przybyszewska
Sent: 24. januar 2014 12:54
To: 'End-user discussions about the System Security Services Daemon'
Subject: Re: [SSSD-users] sssd-1.11.1 in Saucy
Oops. I just ran into another strange problem: I cannot start sssd with the previously working sssd.conf.
This is my laptop. I worked at home yesterday, on my local account and home wireless network; at work, I turned off wireless and worked on the wired network with the same local account.
I wanted to reset sssd, but can't do that anymore.
alongina@longina-nb:~$ sudo sssd -i -d9 -f [sudo] password for alongina:
(Fri Jan 24 12:43:54:927427 2014) [sssd[be[nat.c.sdu.dk]]] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
(Fri Jan 24 12:43:54:959764 2014) [sssd[nss]] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
(Fri Jan 24 12:43:54:959794 2014) [sssd[pam]] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
Best
Longina
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek
Sent: 24. januar 2014 11:49
To: sssd-users(a)lists.fedorahosted.org
Subject: Re: [SSSD-users] sssd-1.11.1 in Saucy
On Fri, Jan 24, 2014 at 10:42:34AM +0000, Longina Przybyszewska wrote:
> I tried sssd in Ubuntu-Saucy ,clean installation, AD provider.
>
> "+" sides:
> -can join AD with 'realm' :
> -auto created krb5.keytab for computer
> -auto created DNS entries for computer
>
> "-" sides:
> -sssd on start auto generates buggy /etc/sssd/sssd.conf (white space
> before end of line in entry:
> realmd_tags = manages-system joined-with-samba;
> )
This sounds like a realmd issue, but it shouldn't matter, we fixed the libini bug which caused us to fail with trailing whitespace. Do you still see it?
> -cannot login as member@ad_domain from GUI
^^^^
Can you log in from ssh or console?
> login even if
> 'id member@ad_domain' cli can find out data
>
> This is my auto configured config file:
> -----------------------------------------
> [sssd]
> domains = a.c.example.com
> config_file_version = 2
> services = nss, pam
> [domain/a.c.example.com]
> ad_domain = a.c.example.com
> krb5_realm = A.C.EXAMPLE.COM
> realmd_tags = manages-system joined-with-samba
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> use_fully_qualified_names = True
> fallback_homedir = /home/%u
> access_provider = ad
>
> Any ideas?
Not many without logs, sorry..
9 years, 8 months
ppa:sssd/updates: Ubuntu 12.04 + Sernet packages
by Márcio Merlone
Hi folks,
I'd like to use ppa:sssd/updates on a Ubuntu 12.04 LTS server *and*
Samba 4.1.4 sernet's packages. When I try to install sssd from PPA I get
some conflicts:
root@dc01:~# aptitude install sssd-ad sssd-ad-common sssd-tools
Os NOVOS pacotes a seguir serão instalados:
libndr-standard0{a} libndr0{a} libnl-route-3-200{a} libsamba-util0{a}
libsemanage-common{a} libsemanage1{a} libsepol1{a} libsss-idmap0{a}
libsss-sudo{a} libustr-1.0-1{a} sssd-ad sssd-ad-common sssd-common{a}
sssd-ipa{a}
sssd-krb5{a} sssd-krb5-common{a} sssd-ldap{a} sssd-proxy{a} sssd-tools
Os pacotes a seguir serão atualizados:
libipa-hbac0 python-sss sssd
3 pacotes atualizados, 19 novos instalados, 0 a serem removidos e 2 não
atualizados.
É preciso obter 4.811 kB/5.181 kB de arquivos. Depois do
desempacotamento, 9.467 kB serão usados.
Os pacotes a seguir possuem dependências não satisfeitas:
sernet-samba : Conflita: libndr-standard0 mas
4.0.0~alpha18.dfsg1-4ubuntu2 será instalado.
Conflita: libndr0 mas 4.0.0~alpha18.dfsg1-4ubuntu2 será
instalado.
Conflita: libsamba-util0 mas
4.0.0~alpha18.dfsg1-4ubuntu2 será instalado.
sernet-samba-libs : Conflita: libndr-standard0 mas
4.0.0~alpha18.dfsg1-4ubuntu2 será instalado.
Conflita: libndr0 mas 4.0.0~alpha18.dfsg1-4ubuntu2
será instalado.
Conflita: libsamba-util0 mas
4.0.0~alpha18.dfsg1-4ubuntu2 será instalado.
sernet-samba-libsmbclient0 : Conflita: libndr-standard0 mas
4.0.0~alpha18.dfsg1-4ubuntu2 será instalado.
Conflita: libndr0 mas
4.0.0~alpha18.dfsg1-4ubuntu2 será instalado.
Conflita: libsamba-util0 mas
4.0.0~alpha18.dfsg1-4ubuntu2 será instalado.
sernet-samba-client : Conflita: libndr-standard0 mas
4.0.0~alpha18.dfsg1-4ubuntu2 será instalado.
Conflita: libndr0 mas
4.0.0~alpha18.dfsg1-4ubuntu2 será instalado.
Conflita: libsamba-util0 mas
4.0.0~alpha18.dfsg1-4ubuntu2 será instalado.
sernet-samba-common : Conflita: libndr-standard0 mas
4.0.0~alpha18.dfsg1-4ubuntu2 será instalado.
Conflita: libndr0 mas
4.0.0~alpha18.dfsg1-4ubuntu2 será instalado.
Conflita: libsamba-util0 mas
4.0.0~alpha18.dfsg1-4ubuntu2 será instalado.
sernet-samba-winbind : Conflita: libndr-standard0 mas
4.0.0~alpha18.dfsg1-4ubuntu2 será instalado.
Conflita: libndr0 mas
4.0.0~alpha18.dfsg1-4ubuntu2 será instalado.
Conflita: libsamba-util0 mas
4.0.0~alpha18.dfsg1-4ubuntu2 será instalado.
sernet-samba-ad : Conflita: libndr-standard0 mas
4.0.0~alpha18.dfsg1-4ubuntu2 será instalado.
Conflita: libndr0 mas 4.0.0~alpha18.dfsg1-4ubuntu2
será instalado.
Conflita: libsamba-util0 mas
4.0.0~alpha18.dfsg1-4ubuntu2 será instalado.
As seguintes ações resolverão estas dependências:
Remover os pacotes a seguir:
1) libwbclient0
2) sernet-samba
3) sernet-samba-ad
4) sernet-samba-client
5) sernet-samba-common
6) sernet-samba-libs
7) sernet-samba-libsmbclient0
8) sernet-samba-winbind
Aceitar esta solução? [Y/n/q/?] q
Abandonando todos os esforços para resolver estas dependências.
Abortar.
root@dc01:~#
Any way to get around this? Any way to make this ppa sernet friendly? :)
Best regards.
--
*Marcio Merlone*
IT - Network Administrator
*A1 Engenharia - Corporate Unit*
9 years, 8 months