ldap_sasl_mech EXTERNAL and SSL client authc
by Michael Ströder
Hi!
Is it possible to use SASL/EXTERNAL when connecting to a LDAP server with
StartTLS or LDAPS using client certs?
In a project they have certs on all systems anyway (because they use puppet)
and I'd like to let the sssd instances on all the systems authenticate to the
LDAP server to restrict visibility of LDAP entries by ACL. I'd like to avoid
having to set/configure passwords for each system's sssd.
Ciao, Michael.
8 years, 6 months
home directory ownership
by John P Arends
I’m new to SSSD in general. I configured a RHEL 6.5 machine to authenticate against a 2008 R2 AD using ldap_id_mapping because our AD does not have unix information defined for users. All appears to be working well. I had to add override_homedir = /home/%u to get home directories to be created by oddjob mkhomedir.
The only problem is the group ownership on the home directory is “domain users” rather than the user’s private group. The default permissions also allow domain users read/execute access to the home directory.
It looks like you can change the umask used in /etc/pam.d/system-auth-ac, but I don’t see where I can control the group information. Any suggestions on best practices on how to fix this? I was surprised it wasn’t in the docs.
-John
9 years, 7 months
Re: [SSSD-users] sssd-1.11.1 Trusty automount nfs4+krb+sssd problem
by Longina Przybyszewska
Hi,
Ubuntu Saucy nfs4+krb+sssd server
Ubuntu Trusty client,sssd+autofs
I can manually mount directory (nfs4+krb) as root on the client.
Is it possible, on the client, to use SSSD with the autofs service, with the automounter referring to the flat files
/etc/auto.master and /etc/auto.home rather than to LDAP?
How can I check if autofs delivered with distribution supports sssd?
Best
longina
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Ondrej Valousek
Sent: 20. februar 2014 13:48
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] sssd-1.11.1 Saucy automount(nfs4+krb problem)
Created BZ:
https://bugzilla.redhat.com/show_bug.cgi?id=1067423
attached is a patch resolving the issue.
Ondrej
________________________________________
From: sssd-users-bounces(a)lists.fedorahosted.org [sssd-users-bounces(a)lists.fedorahosted.org] on behalf of Simo Sorce [simo(a)redhat.com]
Sent: Wednesday, February 19, 2014 7:35 PM
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] sssd-1.11.1 Saucy automount(nfs4+krb problem)
On Wed, 2014-02-19 at 15:04 +0000, Ondrej Valousek wrote:
> Hi Simo,
>
> How are you getting on about this with Steve?
This is the current situation:
<steved> simo: post a patch with what you want and lets talk about it....
:-)
> Would it be better to open a RFE for this? I would like to know where
> we are standing - whether there is any chance that RHEL6 will be fixed
> or it would only go to RHEL 7.
An RFE for RHEL7 would be nice.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
9 years, 7 months
Connection to ad via ldap failing
by Nordgren, Bryce L -FS
> I think this is because the keytab is missing. I think we should do a
> better job reporting the reason for the failure.
>
>...
> The AD provider is more or less a wrapper around LDAP and Kerberos
>back ends with defaults tailored for AD and leveraging some AD-specific features.
> The only 'assumption' it makes is the presence of a keytab to use
>GSSAPI for authenticated searches.
I think you're right about the keytab: using ktutil, I created /etc/krb5.keytab with my principal and password in a handful of enctypes. Also, I told sssd to use me as the principal using ldap_sasl_authid. This seems to allow sssd to start. It also allows sssd to try and request a TGT from my kdc using my principal.
What I'm seeing now, using wireshark (attached), is a Kerberos failure. The sequence is :
AS_REQ (no preauth)
KRB_ERROR (preauth required)
AS_REQ (PA-ENC-TIMESTAMP)
KRB_ERROR (PA-ENCTYPE-INFO2)
My understanding from rfc4120 is that the "info2" is AD "hinting" to my client about the salt it wants the timecode to be encrypted with. If that were the case, shouldn't there be a third exchange where sasl (or sssd) applies the salt?
Is this a sasl thing or an sssd thing? Or am I just plain mistaken?
I'll try the new release next time around to see if that fixes my id-mapping problem...Now I gotta get back to work. :)
Bryce
This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.
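The message sequence Bryce lists above, modelled as an added example (not code from the post, from SSSD or from Cyrus SASL): a toy KDC that requires pre-authentication, and a client that walks through AS-REQ, KRB-ERROR with ETYPE-INFO2, and AS-REQ with PA-ENC-TIMESTAMP, deriving its key from the RFC 4120 default salt (realm followed by the principal name components) unless ETYPE-INFO2 supplies one. The error codes and padata types are the RFC 4120 values; the string-to-key and the timestamp "encryption" are stand-ins (HMAC-SHA256) for the real RFC 3962 derivation and are kept only to show that a key derived with a different salt than the KDC used is rejected at the PA-ENC-TIMESTAMP step, which is one way a second KRB-ERROR carrying ETYPE-INFO2 comes about. Realm, principal, password and salt are constructed.

```python
"""Toy model of the Kerberos AS exchange with pre-authentication (RFC 4120).

Added example, not code from the original post. string_to_key() and
enc_timestamp() are STAND-INS (HMAC-SHA256) for the real RFC 3962
derivation and EncryptedData; only their dependence on the salt matters here.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# RFC 4120 error codes (section 7.5.9) and padata types (section 7.5.2)
KDC_ERR_PREAUTH_FAILED = 24
KDC_ERR_PREAUTH_REQUIRED = 25
PA_ENC_TIMESTAMP = 2
PA_ETYPE_INFO2 = 19
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18

ERROR_NAMES = {
    KDC_ERR_PREAUTH_FAILED: "preauth failed",
    KDC_ERR_PREAUTH_REQUIRED: "preauth required",
}


def default_salt(realm: str, components: list) -> str:
    """RFC 4120 section 4: realm, then the name components, no separators."""
    return realm + "".join(components)


def string_to_key(password: str, salt: str) -> bytes:
    # STAND-IN for RFC 3962 string-to-key; real clients run PBKDF2 + AES here.
    return hmac.new(salt.encode("utf-8"), password.encode("utf-8"), hashlib.sha256).digest()


def enc_timestamp(key: bytes, timestamp: str) -> bytes:
    # STAND-IN for the PA-ENC-TS-ENC EncryptedData: a MAC is enough to show key (mis)match.
    return hmac.new(key, timestamp.encode("ascii"), hashlib.sha256).digest()


@dataclass
class EtypeInfo2:
    etype: int
    salt: Optional[str]  # None means "use the default salt"


@dataclass
class KrbError:
    error_code: int
    padata_type: int
    etype_info2: EtypeInfo2


@dataclass
class AsRep:
    cname: str


class ToyKdc:
    """One long-term key per principal, plus the salt used to derive it."""

    def __init__(self, realm: str):
        self.realm = realm
        self.db = {}

    def enroll(self, cname: str, password: str, salt: str) -> None:
        self.db[cname] = (salt, string_to_key(password, salt))

    def as_req(self, cname: str, timestamp: str, pa_enc_timestamp: Optional[bytes] = None):
        if cname not in self.db:
            raise KeyError("client not found in Kerberos database")
        salt, key = self.db[cname]
        hint = EtypeInfo2(ETYPE_AES256_CTS_HMAC_SHA1_96, salt)
        if pa_enc_timestamp is None:
            return KrbError(KDC_ERR_PREAUTH_REQUIRED, PA_ETYPE_INFO2, hint)
        if not hmac.compare_digest(pa_enc_timestamp, enc_timestamp(key, timestamp)):
            return KrbError(KDC_ERR_PREAUTH_FAILED, PA_ETYPE_INFO2, hint)
        return AsRep(cname)


def client_as_exchange(kdc: ToyKdc, cname: str, password: str, use_hinted_salt: bool) -> list:
    """Run the exchange and return the message trace, in the order Wireshark would show it."""
    trace = ["AS_REQ (no preauth)"]
    timestamp = "20140219150400Z"  # constructed
    resp = kdc.as_req(cname, timestamp)
    trace.append(f"KRB_ERROR ({ERROR_NAMES[resp.error_code]})")
    if use_hinted_salt and resp.etype_info2.salt is not None:
        salt = resp.etype_info2.salt          # what RFC 4120 says the client should do
    else:
        salt = default_salt(kdc.realm, [cname])  # ignore the hint, use the default salt
    key = string_to_key(password, salt)
    trace.append("AS_REQ (PA-ENC-TIMESTAMP)")
    resp = kdc.as_req(cname, timestamp, enc_timestamp(key, timestamp))
    if isinstance(resp, KrbError):
        trace.append(f"KRB_ERROR ({ERROR_NAMES[resp.error_code]}, PA-ETYPE-INFO2 salt={resp.etype_info2.salt!r})")
    else:
        trace.append("AS_REP")
    return trace


if __name__ == "__main__":
    kdc = ToyKdc("EXAMPLE.ORG")  # constructed realm, principal, password and salt
    kdc.enroll("bryce", "constructed-password", "EXAMPLE.ORGhostbryce.example.org")
    print("\n".join(client_as_exchange(kdc, "bryce", "constructed-password", use_hinted_salt=False)))
    print("---")
    print("\n".join(client_as_exchange(kdc, "bryce", "constructed-password", use_hinted_salt=True)))
```

There is no extra round trip in the real protocol either: the client has to redo string-to-key with the salt from ETYPE-INFO2 before it retries, and a key read from a keytab is used as-is, so keytab entries created with a different salt than the KDC used fail at the same PA-ENC-TIMESTAMP step.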
9 years, 7 months
sss_cache question
by Ondrej Valousek
Hi list,
Has anyone any experience with sss_cache? sss_cache -A (as of Centos-6) does not seem to work at all.
I need to restart sssd to get fresh automount maps - and it is a bit cumbersome.
Thanks,
Ondrej
9 years, 7 months
Unofficial SSSD 1.9.x repository for RHEL 5
by Stephen Gallagher
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Due to popular request, I am offering a completely unofficial and
unsupported repository of the latest 1.9.x LTM bits for RHEL 5 and
derivatives. The latest official version supported by the distribution
is 1.5.x.
These packages are built from the upstream sources using the same spec
file that was used to generate the nightly builds back when 1.9.x was
the master branch, so it's expected to work just fine.
You can find the repository and instructions how to use it at:
http://copr-fe.cloud.fedoraproject.org/coprs/sgallagh/sssd-1.9-rhel5/
Please do not file bugs against Bugzilla for issues discovered with
these builds.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlMGAwAACgkQeiVVYja6o6McygCdH6OGn//W3Po7XokoHLEOIzS+
0VUAoK8mfaLdSzzoLpFZMLd/gFqNf5YY
=xEFs
-----END PGP SIGNATURE-----
9 years, 7 months
Re: [SSSD-users] sssd-1.11.1 Saucy automount(nfs4+krb problem)
by Longina Przybyszewska
Hi,
I have a problem with mounting an NFS4 file system with Kerberos security (I can mount without Kerberos security).
Both test machines run Ubuntu-saucy
I have the nfs4 server, which is joined to AD with 'msktutil':
Server's /etc/krb5.keytab
klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 SERVER$(a)DOMAIN.ORG (arcfour-hmac)
3 SERVER$(a)DOMAIN.ORG (aes128-cts-hmac-sha1-96)
3 SERVER$(a)DOMAIN.ORG (aes256-cts-hmac-sha1-96)
3 host/server.domain.org(a)DOMAIN.ORG (arcfour-hmac)
3 host/server.domain.org(a)DOMAIN.ORG (aes128-cts-hmac-sha1-96)
3 host/server.domain.org(a)DOMAIN.ORG (aes256-cts-hmac-sha1-96)
3 nfs/server.domain.org(a)DOMAIN.ORG (arcfour-hmac)
3 nfs/server.domain.org(a)DOMAIN.ORG (aes128-cts-hmac-sha1-96)
3 nfs/server.domain.org(a)DOMAIN.ORG (aes256-cts-hmac-sha1-96)
Then I joined the client machine to AD with the 'realm' command:
alongina@client:~$ sudo realm join --verbose -U USER --computer-ou OU="Linux computers",OU=ADResources domain.org
[sudo] password for alongina:
* Resolving: _ldap._tcp.domain.org
* Performing LDAP DSE lookup on: 10.144.5.17
* Performing LDAP DSE lookup on: 10.144.5.18
* Successfully discovered: domain.org
Password for USER:
* Unconditionally checking packages
* Resolving required packages
* Installing necessary packages: samba-common-bin
* LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.JAW8AX -U USER ads join domain.org createcomputer=ADResources/Linux computers
Enter USER's password:
DNS update failed!
Using short domain name - AAA-BBB
Joined 'CLIENT' to dns domain 'domain.org'
No DNS domain configured for client. Unable to perform DNS Update.
* LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.JAW8AX -U USER ads keytab create
Enter USER's password:
* /usr/sbin/update-rc.d sssd enable
update-rc.d: /etc/init.d/sssd: file does not exist
* /usr/sbin/service sssd restart
sssd stop/waiting
sssd start/running, process 3597
* Successfully enrolled machine in realm
==============0000000=========
klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
4 host/client.domain.org(a)DOMAIN.ORG (des-cbc-crc)
4 host/client.domain.org(a)DOMAIN.ORG (des-cbc-md5)
4 host/client.domain.org(a)DOMAIN.ORG (aes128-cts-hmac-sha1-96)
4 host/client.domain.org(a)DOMAIN.ORG (aes256-cts-hmac-sha1-96)
4 host/client.domain.org(a)DOMAIN.ORG (arcfour-hmac)
4 host/CLIENT(a)DOMAIN.ORG (des-cbc-crc)
4 host/CLIENT(a)DOMAIN.ORG (des-cbc-md5)
4 host/CLIENT(a)DOMAIN.ORG (aes128-cts-hmac-sha1-96)
4 host/CLIENT(a)DOMAIN.ORG (aes256-cts-hmac-sha1-96)
4 host/CLIENT(a)DOMAIN.ORG (arcfour-hmac)
4 CLIENT$(a)DOMAIN.ORG (des-cbc-crc)
4 CLIENT$(a)DOMAIN.ORG (des-cbc-md5)
4 CLIENT$(a)DOMAIN.ORG (aes128-cts-hmac-sha1-96)
4 CLIENT$(a)DOMAIN.ORG (aes256-cts-hmac-sha1-96)
4 CLIENT$(a)DOMAIN.ORG (arcfour-hmac)
=================================================================
root@client:/export/alongina# mount -t nfs4 server.domain.org:/nfs4/server /mnt/server -o sec=krb5
mount.nfs4: access denied by server while mounting server.domain.org:/nfs4/server
client:
/var/log/syslog
Feb 11 16:00:39 client rpc.gssd[708]: handling gssd upcall (/run/rpc_pipefs/nfs/clntb)
Feb 11 16:00:39 client rpc.gssd[708]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Feb 11 16:00:39 client rpc.gssd[708]: handling krb5 upcall (/run/rpc_pipefs/nfs/clntb)
Feb 11 16:00:39 client rpc.gssd[708]: process_krb5_upcall: service is '<null>'
Feb 11 16:00:39 client rpc.gssd[708]: Full hostname for 'server.domain.org' is 'server.domain.org'
Feb 11 16:00:39 client rpc.gssd[708]: Full hostname for 'client.domain.org' is 'client.domain.org'
Feb 11 16:00:39 client rpc.gssd[708]: No key table entry found for CLIENT.DOMAIN.ORG$(a)DOMAIN.ORG while getting keytab entry for 'CLIENT.DOMAIN.ORG$(a)DOMAIN.ORG'
Feb 11 16:00:39 client rpc.gssd[708]: No key table entry found for root/client.domain.org(a)DOMAIN.ORG while getting keytab entry for 'root/client.domain.org(a)DOMAIN.ORG'
Feb 11 16:00:39 client rpc.gssd[708]: No key table entry found for nfs/client.domain.org(a)DOMAIN.ORG while getting keytab entry for 'nfs/client.domain.org(a)DOMAIN.ORG'
Feb 11 16:00:39 client rpc.gssd[708]: Success getting keytab entry for 'host/client.domain.org(a)DOMAIN.ORG'
Feb 11 16:00:39 client rpc.gssd[708]: WARNING: Client not found in Kerberos database while getting initial ticket for principal 'host/client.domain.org(a)DOMAIN.ORG' using keytab 'FILE:/etc/krb5.keytab'
Feb 11 16:00:39 client rpc.gssd[708]: ERROR: No credentials found for connection to server server.domain.org
Feb 11 16:00:39 client rpc.gssd[708]: doing error downcall
Is it a mismatch with encryption types?
A problem with DNS?
The client machine is missing a reverse address in DNS...
host client.domain.org
client.domain.org has address 10.80.8.54
--------------------
host 10.80.8.54
Host 54.8.80.10.in-addr.arpa. not found: 3(NXDOMAIN)
Best
longina
From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Ondrej Valousek
Sent: 30. januar 2014 14:38
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] sssd-1.11.1 Saucy automount
That was me.
Yes, autofs works with sssd having AD backend (and using RFC2307 schema).
No blushing.
________________________________
From: sssd-users-bounces(a)lists.fedorahosted.org<mailto:sssd-users-bounces@lists.fedorahosted.org> [sssd-users-bounces(a)lists.fedorahosted.org] on behalf of Chris Gray [fathed(a)gmail.com]
Sent: Thursday, January 30, 2014 11:28 AM
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] sssd-1.11.1 Saucy automount
This person was able to set up autofs with sssd and samba as their AD server.
https://www.mail-archive.com/sssd-users@lists.fedorahosted.org/msg00810.html
I haven't tried this, but in theory if you make the right settings in MS AD and in the config files for autofs and sssd, it should work pretty much the same.
Since you have to specify where the OU for the automount base is in the autofs config files, you don't actually need to make the automount OU at the base level, but it's up to you and your AD structure where you want to put it. Then as long as you have krb5, ldap, and everything set right, it should work for
Chris
On Wed, Jan 29, 2014 at 4:06 AM, Longina Przybyszewska <longina(a)sdu.dk<mailto:longina@sdu.dk>> wrote:
Our use case is: we are working towards a policy of accessing any resource from any platform.
All users automatically get a Windows share.
Additionally, Linux users have their primary homedir as an NFS mounted share with automount/autofs + NIS.
Some enterprise services have access only to the Windows share.
Linux desktops running sssd with the AD provider should be able to access both shares.
Best
Longina
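The rpc.gssd log and klist output in Longina's message, run through a small triage script (an added example, not code from the post, from nfs-utils or from SSSD): it parses the keytab listing and the syslog lines and reports which principals gssd tried were present in or absent from the keytab, which one the KDC then rejected as an unknown client, whether the enctypes gssd offered overlap with those in the keytab, and, as a heuristic of mine rather than anything gssd does, whether a principal gssd asked for in FQDN$ form exists in the keytab under the short NetBIOS$ form. The sample data is abridged from the post with the archive's "(a)" restored to "@".

```python
"""Triage helper for rpc.gssd keytab lookup failures.

Added example, not code from the post, nfs-utils or SSSD. Parses a
'klist -ke' listing and rpc.gssd syslog lines and reports what gssd
tried, what the keytab actually holds, and what the KDC rejected.
"""
import re
from dataclasses import dataclass, field

# Enctype numbers from RFC 3961/3962/4757, to decode the "enctypes=" list gssd logs
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}

# Sample data abridged from the post above ('(a)' restored to '@').
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/client.domain.org@DOMAIN.ORG (aes128-cts-hmac-sha1-96)
   4 host/client.domain.org@DOMAIN.ORG (aes256-cts-hmac-sha1-96)
   4 host/client.domain.org@DOMAIN.ORG (arcfour-hmac)
   4 CLIENT$@DOMAIN.ORG (aes128-cts-hmac-sha1-96)
   4 CLIENT$@DOMAIN.ORG (aes256-cts-hmac-sha1-96)
   4 CLIENT$@DOMAIN.ORG (arcfour-hmac)
"""

GSSD_LOG = """\
Feb 11 16:00:39 client rpc.gssd[708]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
Feb 11 16:00:39 client rpc.gssd[708]: No key table entry found for CLIENT.DOMAIN.ORG$@DOMAIN.ORG while getting keytab entry for 'CLIENT.DOMAIN.ORG$@DOMAIN.ORG'
Feb 11 16:00:39 client rpc.gssd[708]: No key table entry found for root/client.domain.org@DOMAIN.ORG while getting keytab entry for 'root/client.domain.org@DOMAIN.ORG'
Feb 11 16:00:39 client rpc.gssd[708]: No key table entry found for nfs/client.domain.org@DOMAIN.ORG while getting keytab entry for 'nfs/client.domain.org@DOMAIN.ORG'
Feb 11 16:00:39 client rpc.gssd[708]: Success getting keytab entry for 'host/client.domain.org@DOMAIN.ORG'
Feb 11 16:00:39 client rpc.gssd[708]: WARNING: Client not found in Kerberos database while getting initial ticket for principal 'host/client.domain.org@DOMAIN.ORG' using keytab 'FILE:/etc/krb5.keytab'
Feb 11 16:00:39 client rpc.gssd[708]: ERROR: No credentials found for connection to server server.domain.org
"""

KEYTAB_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
ENCTYPES_RE = re.compile(r"enctypes=([\d,]+)")
MISSING_RE = re.compile(r"No key table entry found for (\S+) while")
FOUND_RE = re.compile(r"Success getting keytab entry for '([^']+)'")
UNKNOWN_RE = re.compile(r"Client not found in Kerberos database while getting initial ticket for principal '([^']+)'")


def parse_keytab(text: str) -> dict:
    """Map each principal in a 'klist -ke' listing to the set of enctype names it has keys for."""
    keys = {}
    for line in text.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            keys.setdefault(m.group(2), set()).add(m.group(3))
    return keys


@dataclass
class Triage:
    offered_enctypes: list = field(default_factory=list)  # what the kernel/gssd offered
    missing: list = field(default_factory=list)           # tried by gssd, absent from keytab
    found: list = field(default_factory=list)             # tried by gssd, present in keytab
    unknown_to_kdc: list = field(default_factory=list)    # key present, KDC rejected the name
    near_misses: dict = field(default_factory=dict)       # FQDN$ tried -> short$ present (heuristic)
    enctype_overlap: set = field(default_factory=set)     # offered enctypes the keytab can serve


def triage(keytab_text: str, log_text: str) -> Triage:
    keytab = parse_keytab(keytab_text)
    t = Triage()
    for line in log_text.splitlines():
        m = ENCTYPES_RE.search(line)
        if m:
            t.offered_enctypes = [ENCTYPE_NAMES.get(int(n), f"etype {n}") for n in m.group(1).split(",")]
        m = MISSING_RE.search(line)
        if m:
            t.missing.append(m.group(1))
        m = FOUND_RE.search(line)
        if m:
            t.found.append(m.group(1))
        m = UNKNOWN_RE.search(line)
        if m:
            t.unknown_to_kdc.append(m.group(1))
    # Heuristic (mine, not gssd's): gssd asked for HOST.FQDN$ but the keytab holds HOST$.
    for p in t.missing:
        name, _, realm = p.partition("@")
        if name.endswith("$") and "." in name:
            short = f"{name.split('.')[0]}$@{realm}"
            if short in keytab:
                t.near_misses[p] = short
    keytab_enctypes = set().union(*keytab.values()) if keytab else set()
    t.enctype_overlap = set(t.offered_enctypes) & keytab_enctypes
    return t


def report(t: Triage) -> str:
    lines = [f"gssd offered enctypes: {', '.join(t.offered_enctypes)}",
             f"keytab enctypes usable by gssd: {', '.join(sorted(t.enctype_overlap)) or 'NONE'}"]
    for p in t.missing:
        hint = f"  (keytab has {t.near_misses[p]} instead)" if p in t.near_misses else ""
        lines.append(f"tried, not in keytab: {p}{hint}")
    for p in t.found:
        lines.append(f"tried, in keytab: {p}")
    for p in t.unknown_to_kdc:
        lines.append(f"key present locally, but the KDC does not know this client principal: {p}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(KEYTAB_LISTING, GSSD_LOG)))
```

On the sample data the report shows that the enctypes are not the problem (AES and arcfour overlap), that the machine account gssd looked for differs from the one in the keytab only in FQDN$ versus short$ form, and that the principal it did find a key for is one the KDC refuses to issue an initial ticket to; that separates "keytab content" from "how gssd names the client" before anyone touches DNS.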
9 years, 7 months
Announcing SSSD 1.11.4
by Jakub Hrozek
=== SSSD 1.11.4 ===
The SSSD team is proud to announce the release of version 1.11.4 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora 19, 20 and rawhide shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* This release focuses primarily on bug fixes, especially for use cases
where SSSD is acting as an Active Directory client
* The simple access provider supports specifying users and groups using
their NetBIOS domain name (such as `DOMAIN\username`)
* Support for enumerating users and groups from trusted AD domains was
added to the AD provider
* The Active Directory site discovery was made more robust for configurations
which use multiple trusted domains
* Several bugs in the LDAP provider that affected setups which mapped
Windows SIDs to POSIX IDs were fixed
* The SSSD is now able to use One Time Password (OTP) authentication
configured on an IPA server. Please note that this functionality is not
present in the released FreeIPA versions yet
== Documentation Changes ==
* The `krb5_use_fast` option changes its default from `never` to `try` in the
IPA provider. The config option value did not change in the other providers.
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/2142
AD Enumeration reads data from LDAP while regular lookups connect to GC
https://fedorahosted.org/sssd/ticket/2152
Implement heuristics to detect if POSIX attributes have been replicated
to the Global Catalog or not
https://fedorahosted.org/sssd/ticket/2160
sssd_be crashes when ad_access_filter uses FOREST keyword.
https://fedorahosted.org/sssd/ticket/2164
"System Error" when invalid ad_access_filter is used
https://fedorahosted.org/sssd/ticket/2169
RHEL7 sssd not setting IPA AD trusted user homedir
https://fedorahosted.org/sssd/ticket/2172
Enabling ldap_id_mapping doesn't exclude uidNumber in filter
https://fedorahosted.org/sssd/ticket/2186
FAST does not work in SSSD 1.11.2 in Fedora 20
https://fedorahosted.org/sssd/ticket/2189
Access denied for users from gc domain when using format DOMAIN\user
https://fedorahosted.org/sssd/ticket/2190
Group membership lookup issue
https://fedorahosted.org/sssd/ticket/2191
Group lookup does not return member with multiple names after user lookup
https://fedorahosted.org/sssd/ticket/2196
sssd ad trusted sub domain do not inherit fallbacks and overrides settings
https://fedorahosted.org/sssd/ticket/2199
sssd_be crashes when ldap_search_base cannot be parsed.
https://fedorahosted.org/sssd/ticket/2200
sssd_be aborts a request if it doesn't match any configured idmap domain
https://fedorahosted.org/sssd/ticket/2202
sssd_be should hint about increasing the krb5_auth_timeout if krb5 auth
times out
https://fedorahosted.org/sssd/ticket/2208
Warn with a user-friendly error message when permissions on sssd.conf
are incorrect
https://fedorahosted.org/sssd/ticket/2213
sudo rules time filter is nondeterministic
https://fedorahosted.org/sssd/ticket/2215
Man page states default_shell option supersedes other shell options
but in fact override_shell does.
== Detailed Changelog ==
Alexander Bokovoy (1):
* FAST: when parsing krb5_child response, make sure to not miss OTP message if it was last one
Benjamin Franzke (1):
* dlopen-tests: Check the result of asprintf
Jakub Hrozek (27):
* Updating the version for the 1.11.4 release
* LDAP: Fix typo and use the right attribute map
* LDAP: Add a new error code for malformed access control filter
* tests: Remove tests that check creating public directories
* UTIL: Inherit parent domain's default_shell
* NSS: Use plain user name when expanding homedir
* AD: Don't fail the request if ad_account_can_shortcut fails
* MAN: Fix a typo
* LDAP: Fix error check
* LDAP: Don't abort request if no id mapping domain matches
* AD: Don't mark domain as enumerated twice
* AD: Store info on whether a subdomain is set to enumerate
* LDAP: Pass a private context to enumeration ptask instead of hardcoded connection
* LDAP: Add enum request with custom connection
* AD: Enumerate users from GC, other entities from LDAP
* LDAP: Don't clobber original_member during enumeration
* DB: Add sss_ldb_el_to_string_list
* AD: Establish cross-domain memberships after enumeration finishes
* MAN: clarify which shell option takes precedence
* LDAP: Detect the presence of POSIX attributes
* AD: Only download domains that are set to enumerate
* AD: Remove dead code
* LDAP: Handle errors from sdap_id_op properly in enum code
* SSS_CACHE: Reset the initgroups attribute when resetting users
* IPA: Default to krb5_use_fast=try
* MAN: Clarify the new krb5_use_fast IPA default
* Updating translations for the 1.11.4 release
Lukas Slebodnik (7):
* AD: Return right error code from netlogon_get_flat_name
* LDAP: Don't fail if subdomain cannot be found by sid
* LDAP: update id mapping detection for ldap provider
* sdap_idamp: Fall back to another method if sid is wrong
* krb5: fix warning may be used uninitialized
* LDAP: store group if subdomain cannot be found by sid
* LDAP: require attribute groupType for AD groups
Pavel Březina (2):
* sudo: memset tm when converting time attributes
* IPA: default krb5_fast_principal to host/$client@$realm
Pavel Reichl (10):
* responder: Set forest attribute in AD domains
* simple access: match objects using flat name
* simple access: refresh master domain info
* NSS: add support for subdomain_homedir
* krb5: hint to increase krb5_auth_timeout
* MONITOR: Incorrect permissions on sssd.conf
* Revert "NSS: add support for subdomain_homedir"
* AD: support for subdomain_homedir
* MAN: update of subdomain_homedir usage
* utils: handling NULL params in sss_parse_name
Sumit Bose (2):
* IPA: fix for recent AD group membership changes
* AD SRV: use right domain name for CLDAP ping
9 years, 7 months
SSSD to Active Directory subdomain problem
by Donald Casson
Hi All,
I am trying to get SSSD working with an Active Directory.
The SSSD machine is a member of the subdomain student.example.com and this
works as expected.
I can do all the getent, id and groups lookups:
[root@puppetmaster-test sssd]# getent group "Server Administrators"
server administrators:*:10006:sa.cassond
[root@puppetmaster-test sssd]# getent passwd sa.cassond
sa.cassond:*:10005:10006:Don Casson:/home/sa.cassond:/bin/bash
[root@puppetmaster-test sssd]# groups sa.cassond
sa.cassond : server administrators
[root@puppetmaster-test sssd]# id cassond
uid=10007(cassond) gid=10006(server administrators) groups=10006(server
administrators)
When I do the same for users in the parent domain (example.com)
[root@puppetmaster-test sssd]# getent passwd duckd(a)example.com
[root@puppetmaster-test sssd]#
I get no users and this error in the sssd_nss.log:
(Fri Feb 7 11:16:49 2014) [sssd[nss]] [accept_fd_handler] (0x0400): Client
connected!
(Fri Feb 7 11:16:49 2014) [sssd[nss]] [sss_cmd_get_version] (0x0200):
Received client version [1].
(Fri Feb 7 11:16:49 2014) [sssd[nss]] [sss_cmd_get_version] (0x0200):
Offered version [1].
(Fri Feb 7 11:16:49 2014) [sssd[nss]] [sss_dp_issue_request] (0x0400):
Issuing request for [0x435b80:domains@student.example.com]
(Fri Feb 7 11:16:49 2014) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400):
Sending get domains request for [student.example.com][forced][example.com]
(Fri Feb 7 11:16:49 2014) [sssd[nss]] [sss_dp_internal_get_send] (0x0400):
Entering request [0x435b80:domains@student.example.com]
(Fri Feb 7 11:16:49 2014) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got
reply from Data Provider - DP error code: 3 errno: 19 error message:
Subdomains back end target is not configured
(Fri Feb 7 11:16:49 2014) [sssd[nss]] [nss_cmd_getpwnam_cb] (0x0040):
Invalid name received [duckd(a)example.com]
(Fri Feb 7 11:16:49 2014) [sssd[nss]] [sss_dp_req_destructor] (0x0400):
Deleting request: [0x435b80:domains@student.example.com]
(Fri Feb 7 11:16:49 2014) [sssd[nss]] [client_recv] (0x0200): Client
disconnected!
Please help! Do I need to be on a higher version of SSSD to support
subdomains with "id_provider=ad"? Am I missing something in the
configuration to support subdomains? Is this a bug in SSSD?
OS and SSSD version: RHEL 6.3 and sssd 1.9.2-129
[sssd]
config_file_version = 2
domains = student.example.com
services = nss, pam, ssh
debug_level = 7
[nss]
# The following prevents SSSD from searching for the root user/group in
# all domains (you can add here a comma-separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out).
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 7
[pam]
debug_level = 7
[domain/student.example.com]
# disable Windows SID to UID mapping
ldap_id_mapping = false
debug_level = 7
cache_credentials = true
#enumerate = true
case_sensitive = false
id_provider = ad
ad_domain = student.example.com
# LDAP options
ldap_user_shell = loginShell
ldap_user_home_directory = unixHomeDirectory
ldap_schema = rfc2307bis
ldap_group_member = msSFU30PosixMember
# krb5 options
krb5_canonicalize = false
Thanks in advance.
Cheers
Don
9 years, 7 months