sssd able to login the user but failed on sudo
by Karim
Hi Team,
I have two forests, both working fine in terms of authentication.
I added a user from one of the domains to sudoers and he is getting access denied.
The user is able to log in with no problem, but sudo is not working.
In the secure log it shows "account is expired".
In the SSSD logs it shows the error
"attempting to kinit for realm xxxxxx" then
"clients credentials has been revoked".
I checked the account and it is not expired nor locked.
Additionally: I have another account on the same forest which I used to join the domain and it is working fine for both authentication and sudoers.
I also tried ldap_user_principal = nosuchattribute and krb5_use_enterprise_principal = false
but the problem remains.
What could be the reason behind being able to log in and later getting "clients credential revoked" for sudoers?
Thanks
8 years, 7 months
ldap_sasl_mech EXTERNAL and SSL client authc
by Michael Ströder
Hi!
Is it possible to use SASL/EXTERNAL when connecting to an LDAP server with
StartTLS or LDAPS using client certs?
In a project they have certs in all systems anyway (because of using puppet)
and I'd like to let the sssd instances on all the systems authenticate to the
LDAP server to restrict visibility of LDAP entries by ACL. I'd like to avoid
having to set/configure passwords for each system's sssd.
Ciao, Michael.
8 years, 8 months
SSSD-AD and SSH GSSAPI problem - No key table entry found matching host
by crony
Hi Sumit,
I see this message:
Nov 6 09:55:48 client1 sshd[7780]: debug1: Unspecified GSS failure. Minor
code may provide more information\nNo key table entry found matching
host/client1.acme.example.com@\n
during every ssh connection with the "-k" argument.
# klist -k
2 CLIENT1$@ACME.EXAMPLE.COM
2 CLIENT1@ACME.EXAMPLE.COM
2 CLIENT1$@ACME.EXAMPLE.COM
2 CLIENT1$@ACME.EXAMPLE.COM
2 CLIENT1$@ACME.EXAMPLE.COM
2 CLIENT1$@ACME.EXAMPLE.COM
2 HOST/CLIENT1@ACME.EXAMPLE.COM
2 HOST/CLIENT1@ACME.EXAMPLE.COM
2 HOST/CLIENT1@ACME.EXAMPLE.COM
2 HOST/CLIENT1@ACME.EXAMPLE.COM
2 HOST/CLIENT1@ACME.EXAMPLE.COM
2 HOST/CLIENT1@ACME.EXAMPLE.COM
2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
2 RestrictedKrbHost/CLIENT1@ACME.EXAMPLE.COM
2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
After logging in with a password I see:
user1@client1.acme.example.com's password:
Last login: Thu Nov 6 09:51:49 2014 from
-sh-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_127283727_JccPrK7786
Default principal: user1@ACME.EXAMPLE.COM
Valid starting Expires Service principal
11/06/14 09:57:13 11/06/14 19:57:13 krbtgt/ACME.EXAMPLE.COM@ACME.EXAMPLE.COM
renew until 11/13/14 09:57:13
Any idea?
/lm
On Wed, Nov 05, 2014 at 11:55:14AM +0100, crony wrote:
> Hi All,
> I have a properly functioning integration between RHEL6.6/CentOS6.6 and
> Active Directory 2008 using adcli tool and sssd-ad
> (http://jhrozek.livejournal.com/3581.html):
>
> # adcli join acme.example.com -U userdomain
>
> # adcli info acme.example.com
> [domain]
> domain-name = acme.example.com
> domain-short = ACME
> domain-forest = example.com
> domain-controller = dom1.acme.example.com
> domain-controller-site = CENTRAL
> domain-controller-flags = gc ldap ds kdc timeserv closest writable
> full-secret ads-web
> domain-controller-usable = yes
> domain-controllers = dom1.acme.example.com dom2.acme.example.com
> [computer]
> computer-site = CENTRAL
>
> The sssd.conf:
>
> [sssd]
> services = nss, pam, ssh
> config_file_version = 2
> domains = ACME.EXAMPLE.COM
> debug_level = 7
>
> [domain/ACME.EXAMPLE.COM]
> krb5_use_enterprise_principal = false
> krb5_realm = ACME.EXAMPLE.COM
> ldap_force_upper_case_realm = true
> ldap_account_expire_policy = ad
> override_homedir = /home/%d/%u
> ldap_id_mapping = true
> subdomain_enumerate = true
> ldap_schema = ad
> ad_access_filter = memberOf=CN=linuxgroup,OU=_Groups,DC=acme,DC=example,DC=com
> ad_enable_gc = false
> ldap_access_order = filter, expire
> enumerate = false
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> subdomains_provider = ad
> chpass_provider = ad
> ad_server = dom1.acme.example.com, dom2.acme.example.com
> ad_domain = acme.example.com
> ad_hostname = client1.acme.example.com
> ad_enable_dns_sites = false
> dyndns_update = false
> debug_level = 7
>
> /etc/krb5.conf:
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = acme.example.com
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> rdns = true
> ignore_acceptor_hostname = true
>
> [realms]
> acme.example.com = {
> kdc = acme.example.com
> admin_server = acme.example.com
> }
>
> [domain_realm]
> .acme.example.com = acme.example.com
> acme.example.com = acme.example.com
> .example.com = acme.example.com
> example.com = acme.example.com
>
> [appdefaults]
> debug = true
>
> I can log in with user/password from AD to RHEL/Centos, I can change the
> password, lock the account from AD, etc. It all works.
>
> The problem is within GSSAPI SSH-SSO Authentication. Simple, it doesn't
> work. I see in logs:
>
> Nov 4 16:36:42 ipatst02 sshd[4195]: debug1: Unspecified GSS failure.
> Minor code may provide more information\nNo key table entry found matching
> host/client1.acme.example.com@\n

Do you see this message when sshd is starting up or during the
connection of a client?
What principal are shown by 'klist -k' ?
bye,
Sumit

> Any idea what could be the reason? All I want to achieve is to get SSH-SSO
> working, directly from AD desktop machine to Linux systems without password
> prompt.
>
> /lm
>
> _______________________________________________
> sssd-users mailing list
> sssd-users at lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
--
Regards, Leszek Miś
www: http://cronylab.pl
www: http://emerge.pl
Nothing is secure, paranoia is your friend.
8 years, 12 months
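Sumit's questions in the thread above come down to one check: does the keytab hold the exact acceptor principal that sshd asks for (host/<fqdn>@<REALM>)? The following Python is an added example, not code from the thread or from the SSSD project: it parses a `klist -k` listing and reports whether that principal is present exactly, present only under different letter case (MIT Kerberos compares keytab entries byte for byte, so HOST/... and host/..., or ACME.EXAMPLE.COM and acme.example.com, are different names), present only with the short hostname, or absent. The sample listing, hostname and realm are constructed to mirror the values posted in the thread.

```python
import re

# Constructed sample in the shape of the "klist -k" listing from the thread
# (KVNO column followed by the principal; AD-joined keytabs repeat each
# principal once per encryption type, so duplicates are expected).
SAMPLE_KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -----------------------------------------------------------------
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 CLIENT1$@ACME.EXAMPLE.COM
   2 HOST/CLIENT1@ACME.EXAMPLE.COM
   2 HOST/client1.acme.example.com@ACME.EXAMPLE.COM
   2 RestrictedKrbHost/client1.acme.example.com@ACME.EXAMPLE.COM
"""

# A keytab entry line: optional whitespace, the KVNO, whitespace, a principal with a realm.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")


def parse_klist_k(text):
    """Collect the distinct principals from klist -k output, dropping the KVNO column."""
    found = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            found.add(m.group(2))
    return found


def check_acceptor_principal(principals, fqdn, realm):
    """Report what the keytab offers for the host/<fqdn>@<REALM> name sshd asks for.

    Returns "exact", "case-only-mismatch", "short-name-only" or "missing".
    Principal components are compared byte for byte by the Kerberos library,
    so a key stored as HOST/client1.acme.example.com@ACME.EXAMPLE.COM is not
    the key for host/client1.acme.example.com@acme.example.com.
    """
    wanted = f"host/{fqdn}@{realm}"
    if wanted in principals:
        return "exact"
    if any(p.lower() == wanted.lower() for p in principals):
        return "case-only-mismatch"
    short_name = f"host/{fqdn.split('.')[0]}@{realm}".lower()
    if any(p.lower() == short_name for p in principals):
        return "short-name-only"
    return "missing"


def report(text, fqdn, realm):
    """Parse a klist -k listing and return (verdict, sorted principals)."""
    principals = parse_klist_k(text)
    return check_acceptor_principal(principals, fqdn, realm), sorted(principals)


if __name__ == "__main__":
    # The krb5.conf posted in the thread writes default_realm in lower case.
    verdict, names = report(SAMPLE_KLIST_K, "client1.acme.example.com", "acme.example.com")
    print("keytab principals:", *names, sep="\n  ")
    print("verdict for host/client1.acme.example.com@acme.example.com:", verdict)
```

Run it with the hostname the machine reports (`hostname -f`) and the realm from `krb5.conf`; a "case-only-mismatch" or "short-name-only" verdict tells you which entry to compare against the name in sshd's "No key table entry found" message.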
Adding local users to ldap groups
by Octavian Afilipoai
Hello,
I'm trying to include a user "local" defined in /etc/passwd in an LDAP group
called "test" by adding a memberUid to the group definition.
With the getent command I see the change:
>getent group test
test:*:3000:local
However, when I run the id command for user local, the group test is not
shown. Only the locally defined group "local" is listed. Also, accessing
resources which require membership of group test fails.
>id local
uid=1000(local) gid=1000(local) groups=1000(local)
I don't have this issue with users defined on the LDAP server (the id
command lists all the groups they are members of). The behavior is the same
with sssd 1.11.6 on CentOS 6.6 and sssd 1.9.2 on CentOS 6.5.
On different machines (CentOS 5.x and Debian Wheezy) the local user shows up
with the correct LDAP groups, but those systems don't use sssd to bind to
the LDAP server.
The version of the server is OpenLDAP 2.4.31.
Is there anything in the configuration file which would enable this
behavior with sssd? Any help is appreciated.
--Tavi
9 years
pac issue
by Roy Sigurd Karlsbakk
Hi all.
I just upgraded some servers to RHEL7 and saw some really, really bad performance and found sssd_pac to be the bad guy. After disabling PAC, the system worked well. Before that, the server had a load of 200 with only 3-400 users. This is with sssd 1.11.2. After removing pac, it was down to a calm load of 1.2 or so, similar to that of Samba 3 with winbind. Any ideas what might have caused this?
roy
9 years
SSSD-AD: SamAccountName 20 character limit - What does SSSD do with longer host names?
by Joschi Brauchle
Hello,
We have a Linux machine with a hostname that is longer than 19
characters. AFAIK the SamAccountName attribute in AD is limited to at
most 20 characters (incl. the trailing $), i.e. at most 19 usable
characters.
In many AD docs it is stated that a Windows hostname should not exceed
15 characters for backward compatibility, but we do not really care
about that.
Could you comment on how SSSD picks the principal / username to
use for Kerberos / LDAP authentication / reading the keytab / and so on
in the case of the hostname being longer than 19 characters?
I could not find anything in the docs of sssd-ad about this.
Will it use
1) UNRESTRICTED_VERY_LONG_HOSTNAME$
2) 19_CHARACTERS_HOSTNAME$
3) 15_CHAR_HOSTNAME$
?
Thanks for clarifying. It will help us decide how to proceed with
hosts with long host names.
Best regards,
J Brauchle
9 years
Re: [SSSD-users] User not forced to change password with pwdReset and LDAP Bind
by Seth Sims
Dear Lukas,
I found it! Thanks for your help; you ended up setting me on the right path.
It turns out that this line in /etc/pam/password-auth-ac needed to be changed:
-----------------------------------------
account sufficient pam_unix.so broken_shadow
----------- Became -----------------
account required pam_unix.so broken_shadow
-----------------------------------------
and that fixed it.
-Seth
9 years
Re: [SSSD-users] User not forced to change password with pwdReset and LDAP Bind
by Seth Sims
Dear Lukas,
In this case it's ssh. I just tried it using su - and it worked as
expected.
- Seth
>>> su - worked
$ su - test-user
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
>>>>>>>>>>>>>>>> pam section of auth-people for ssh that did not prompt
[sssd[be[auth-people]]] [sbus_dispatch] (0x4000): dbus conn: 0x24302d0
[sssd[be[auth-people]]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[be[auth-people]]] [sbus_message_handler] (0x4000): Received SBUS method [pamHandler]
[sssd[be[auth-people]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
[sssd[be[auth-people]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [pamHandler]
[sssd[be[auth-people]]] [be_req_set_domain] (0x0400): Changing request domain from [auth-people] to [auth-people]
[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Got request with the following data
[sssd[be[auth-people]]] [pam_print_data] (0x0100): command: PAM_SETCRED
[sssd[be[auth-people]]] [pam_print_data] (0x0100): domain: auth-people
[sssd[be[auth-people]]] [pam_print_data] (0x0100): user: test-user
[sssd[be[auth-people]]] [pam_print_data] (0x0100): service: sshd
[sssd[be[auth-people]]] [pam_print_data] (0x0100): tty: ssh
[sssd[be[auth-people]]] [pam_print_data] (0x0100): ruser:
[sssd[be[auth-people]]] [pam_print_data] (0x0100): rhost: ***.***.***.***
[sssd[be[auth-people]]] [pam_print_data] (0x0100): authtok type: 0
[sssd[be[auth-people]]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[be[auth-people]]] [pam_print_data] (0x0100): priv: 1
[sssd[be[auth-people]]] [pam_print_data] (0x0100): cli_pid: 27189
[sssd[be[auth-people]]] [pam_print_data] (0x0100): logon name: not set
[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Sending result [0][auth-people]
[sssd[be[auth-people]]] [sbus_dispatch] (0x4000): dbus conn: 0x24302d0
[sssd[be[auth-people]]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[be[auth-people]]] [sbus_message_handler] (0x4000): Received SBUS method [pamHandler]
[sssd[be[auth-people]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
[sssd[be[auth-people]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [pamHandler]
[sssd[be[auth-people]]] [be_req_set_domain] (0x0400): Changing request domain from [auth-people] to [auth-people]
[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Got request with the following data
[sssd[be[auth-people]]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
[sssd[be[auth-people]]] [pam_print_data] (0x0100): domain: auth-people
[sssd[be[auth-people]]] [pam_print_data] (0x0100): user: test-user
[sssd[be[auth-people]]] [pam_print_data] (0x0100): service: sshd
[sssd[be[auth-people]]] [pam_print_data] (0x0100): tty: ssh
[sssd[be[auth-people]]] [pam_print_data] (0x0100): ruser:
[sssd[be[auth-people]]] [pam_print_data] (0x0100): rhost: ***.***.***.***
[sssd[be[auth-people]]] [pam_print_data] (0x0100): authtok type: 0
[sssd[be[auth-people]]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[be[auth-people]]] [pam_print_data] (0x0100): priv: 1
[sssd[be[auth-people]]] [pam_print_data] (0x0100): cli_pid: 27189
[sssd[be[auth-people]]] [pam_print_data] (0x0100): logon name: not set
[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Sending result [0][auth-people]
[sssd[be[auth-people]]] [sbus_dispatch] (0x4000): dbus conn: 0x24302d0
[sssd[be[auth-people]]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[be[auth-people]]] [sbus_message_handler] (0x4000): Received SBUS method [pamHandler]
[sssd[be[auth-people]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
[sssd[be[auth-people]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [pamHandler]
[sssd[be[auth-people]]] [be_req_set_domain] (0x0400): Changing request domain from [auth-people] to [auth-people]
[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Got request with the following data
[sssd[be[auth-people]]] [pam_print_data] (0x0100): command: PAM_SETCRED
[sssd[be[auth-people]]] [pam_print_data] (0x0100): domain: auth-people
[sssd[be[auth-people]]] [pam_print_data] (0x0100): user: test-user
[sssd[be[auth-people]]] [pam_print_data] (0x0100): service: sshd
[sssd[be[auth-people]]] [pam_print_data] (0x0100): tty: ssh
[sssd[be[auth-people]]] [pam_print_data] (0x0100): ruser:
[sssd[be[auth-people]]] [pam_print_data] (0x0100): rhost: ***.***.***.***
[sssd[be[auth-people]]] [pam_print_data] (0x0100): authtok type: 0
[sssd[be[auth-people]]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[be[auth-people]]] [pam_print_data] (0x0100): priv: 0
[sssd[be[auth-people]]] [pam_print_data] (0x0100): cli_pid: 27192
[sssd[be[auth-people]]] [pam_print_data] (0x0100): logon name: not set
[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Sending result [0][auth-people]
>>>>>>>>>> /etc/pam/password-auth
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_access.so
account sufficient pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
>>>>>>>>>>>>> /etc/pam/sshd
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
>>>>>>>>>>>>>> /var/log/secure
sshd[27189]: pam_sss(sshd:auth): received for user test-user: 12 (Authentication token is no longer valid; new one required)
sshd[27189]: Accepted password for test-user from ***.***.***.*** port 50120 ssh2
sshd[27189]: pam_unix(sshd:session): session opened for user test-user by (uid=0)
9 years
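Seth's fix earlier in this thread (changing the pam_unix account line from `sufficient` to `required`) can be reproduced against Linux-PAM's dispatch rules using the password-auth and sshd stacks he posted. The Python below is an added example, not code from the thread or from SSSD: it models the `ok`/`done`/`bad`/`die`/`ignore` actions from pam.conf(5) (numeric jump actions are left out), runs the sshd account stack twice, and shows that with `sufficient` the stack ends at pam_unix with success, so the PAM_NEW_AUTHTOK_REQD (12) that pam_sss would return never reaches sshd, while with `required` the stack continues and 12 comes back. The per-module return codes for the LDAP user are constructed for the example; the control flags and module order are the ones from the posted configuration.

```python
# Linux-PAM return codes, values as in <security/_pam_types.h>
PAM_SUCCESS = 0
PAM_PERM_DENIED = 6
PAM_AUTH_ERR = 7
PAM_USER_UNKNOWN = 10
PAM_NEW_AUTHTOK_REQD = 12

RETVAL_NAMES = {
    PAM_SUCCESS: "success",
    PAM_PERM_DENIED: "perm_denied",
    PAM_AUTH_ERR: "auth_err",
    PAM_USER_UNKNOWN: "user_unknown",
    PAM_NEW_AUTHTOK_REQD: "new_authtok_reqd",
}

# The four classic control flags are shorthand for the [value=action]
# tables documented in pam.conf(5).
CONTROL_FLAGS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

UNDEF, POSITIVE, NEGATIVE = "undef", "positive", "negative"


def parse_control(control):
    """'required' or '[default=bad success=ok user_unknown=ignore]' -> action table."""
    if control in CONTROL_FLAGS:
        return CONTROL_FLAGS[control]
    return dict(item.split("=", 1) for item in control.strip("[]").split())


def dispatch(stack, results):
    """Run a stack of (control, module) pairs; results maps module -> return code.

    Returns the status libpam would hand back to the application, following
    the impression/status bookkeeping of pam_dispatch.c.
    """
    impression, status = UNDEF, PAM_PERM_DENIED   # an empty or all-ignored stack fails
    for control, module in stack:
        retval = results[module]
        table = parse_control(control)
        action = table.get(RETVAL_NAMES[retval], table["default"])
        if action in ("ok", "done"):
            if impression == UNDEF or (impression == POSITIVE and status == PAM_SUCCESS):
                impression, status = POSITIVE, retval
            if action == "done" and impression == POSITIVE:
                break                       # sufficient: modules below are never consulted
        elif action in ("bad", "die"):
            if impression != NEGATIVE:
                impression, status = NEGATIVE, retval   # the first failure wins
            if action == "die":
                break
        # "ignore": this module's result does not contribute to the verdict
    return status


# Constructed module outcomes for an LDAP user whose entry carries pwdReset:
# pam_unix sees the account through NSS but has no shadow entry to check
# (broken_shadow turns that into success), the local-user shortcuts fail,
# and pam_sss reports the pending reset as PAM_NEW_AUTHTOK_REQD.
LDAP_USER_WITH_PWDRESET = {
    "pam_nologin.so": PAM_SUCCESS,
    "pam_access.so": PAM_SUCCESS,
    "pam_unix.so": PAM_SUCCESS,
    "pam_localuser.so": PAM_USER_UNKNOWN,   # not in /etc/passwd
    "pam_succeed_if.so": PAM_AUTH_ERR,      # "uid < 500" is false for this user
    "pam_sss.so": PAM_NEW_AUTHTOK_REQD,
    "pam_permit.so": PAM_SUCCESS,
}


def sshd_account_stack(pam_unix_control):
    """sshd's own account line followed by the password-auth lines it includes."""
    return [
        ("required", "pam_nologin.so"),
        ("required", "pam_access.so"),
        (pam_unix_control, "pam_unix.so"),
        ("sufficient", "pam_localuser.so"),
        ("sufficient", "pam_succeed_if.so"),
        ("[default=bad success=ok user_unknown=ignore]", "pam_sss.so"),
        ("required", "pam_permit.so"),
    ]


def account_result(pam_unix_control, results=LDAP_USER_WITH_PWDRESET):
    return dispatch(sshd_account_stack(pam_unix_control), results)


if __name__ == "__main__":
    print("sufficient pam_unix ->", account_result("sufficient"))  # 0: the reset never reaches sshd
    print("required   pam_unix ->", account_result("required"))    # 12: PAM_NEW_AUTHTOK_REQD
```

The same model explains the `[default=bad success=ok user_unknown=ignore]` line for pam_sss: a return of 12 is not listed, so it falls to `default=bad`, which records it as the stack's failure, and the trailing `account required pam_permit.so` cannot overwrite a recorded failure.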
User not forced to change password with pwdReset and LDAP Bind
by Seth Sims
Hello everyone,
I am trying to get sssd configured with LDAP but am having a little bit of
trouble. I can successfully authenticate and get all user information and
all that basic jazz. However, when I set pwdReset in the user's entry on our
LDAP server, sssd is not prompting the user to reset their password. It's obvious
from the sssd log for the domain (part included below) that sssd sees the
attribute in the password policy control, but the message is not making it
back to PAM.
I have also included the config for the domain, including some of my
attempts to figure out if this is a configuration issue. Am I missing a
setting? Have I found a bug? What's going on here?
- Seth
>>>> some Pertinent Versions
CentOS 6
sssd 1.12.2
openldap 2.4.39
>>>>>>>>>>>>>>>>>>>>>>>> auth-people log
[find_password_expiration_attributes] (0x4000): No password policy requested.
[simple_bind_send] (0x0100): Executing simple bind as: *****
[simple_bind_send] (0x2000): ldap simple bind sent, msgid = 2
[sdap_process_result] (0x2000): Trace: sh[0x136a340], connected[1], ops[0x1410460], ldap[0x1360050]
[sdap_process_result] (0x2000): Trace: ldap_result found nothing!
[sdap_process_result] (0x2000): Trace: sh[0x136a340], connected[1], ops[0x1410460], ldap[0x1360050]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_BIND]
[simple_bind_done] (0x2000): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].
[simple_bind_done] (0x1000): Password Policy Response: expire [0] grace [-1] error [Password must be changed].
[simple_bind_done] (0x1000): Password was reset. User must set a new password.
[simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
[auth_bind_user_done] (0x4000): Found ppolicy data, assuming LDAP password policies are active.
[sdap_handle_release] (0x2000): Trace: sh[0x136a340], connected[1], ops[(nil)], ldap[0x1360050], destructor_lock[0], release_memory[0]
[remove_connection_callback] (0x4000): Successfully removed connection callback.
[be_pam_handler_callback] (0x0100): Backend returned: (0, 12, <NULL>) [Success]
[be_pam_handler_callback] (0x0100): Sending result [12][auth-people]
[be_pam_handler_callback] (0x0100): Sent result [12][auth-people]
>>>>>>>>>>>>>>>>>>>>> sssd.conf section for the domain
[domain/auth-people]
ldap_uri = ************
ldap_user_search_base = ou=people,**********
ldap_group_search_base = ou=group,**********
ldap_id_use_start_tls = True
ldap_tls_cacert = /etc/sssd/ca-certificate.pem
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
selinux_provider = none
ldap_access_filter = (objectClass=posixAccount)
ldap_access_order = filter
debug_level = 0xFFF0
[sssd]
services = nss, pam
config_file_version = 2
domains = auth-people,auth-systemAccounts
debug = 0xFFF0
[nss]
debug_level = 0xFFF0
[pam]
debug_level = 0xFFF0
pam_verbosity = 2
9 years
sssd and external trust
by Karim
Hi Team,
I have a very complex/large AD setup into which SSSD has successfully integrated our Linux machines.
Now, after acquiring another company, we have to integrate a separate AD forest which is now trusted by our forest root.
I understand that SSSD won't work with external trusts and only supports the same forest.
What is the best practice to allow authentication from the new trusted forest?
On my test lab
I added the new forest as a new domain section, then used adcli to create a computer account in the new forest.
So technically this Linux machine is now joined to two domains.
klist -k shows correct entries for both forests.
I changed nothing in krb5.conf.
My tests are positive and I was able to log in to both forests from my Linux machine.
Is this a supported scenario, and what is the best practice when having an external trust?
Any detailed guidance will be highly appreciated (there is no documentation about this except for IPA, which we don't use).
Thanks
9 years