ldap_sasl_mech EXTERNAL and SSL client authc
by Michael Ströder
Hi!
Is it possible to use SASL/EXTERNAL when connecting to a LDAP server with
StartTLS or LDAPS using client certs?
In a project they have certs in all systems anyway (because of using puppet)
and I'd like to let the sssd instances on all the systems authenticate to the
LDAP server to restrict visibility of LDAP entries by ACL. I'd like to avoid
having to set/configure passwords for each system's sssd.
Ciao, Michael.
8 years, 6 months
timeout and offline mode behaviour
by "Thomas B. Rücker"
Hi,
we're using SSSD in combination with active directory and have received
complaints from users about a corner case in our setup.
Our AD servers are only reachable from within our corporate network,
connection attempts from the outside are dropped by firewalls. This
leads to the following scenario:
- user takes machine (e.g. laptop) outside the corporate network
- user tries to authenticate (or in some cases also tries to "ls" which
causes uid/gid lookup)
- sssd will try to reach the configured servers for up to 30s
- sssd goes (back) into offline mode and uses cached credentials and
authenticates the user
This will however NOT happen if sssd gets told by the IP stack that a
connection to the target IP is not possible (e.g. "ip route add
blackhole 192.0.2.23/32" or one of the routers along the way generates
an ICMP unreachable). In such cases sssd will go immediately into
offline mode and use cached credentials.
I'm aware that this is overall sensible behaviour, but what I would
hope to fine-tune is how sssd stays in offline mode. Currently it seems
like it will leave offline mode when it tries to reconnect (hardcoded
30s?). That leads to a flip-flop scenario where it seems to be 30s
offline and 30s "online/connecting", and users have a fairly high chance
to hit a time during which their authentication will seemingly stall.
So my question is:
Is there a better way to deal with this in the sssd context?
If not, we'll probably have to implement separate connection checking and
inject and remove blackhole routes accordingly. Not the nicest of
workarounds in my book.
Thanks, cheers
Thomas
PS: We're using sssd on many distributions, but our main distro at the
moment is ubuntu 12.04 with sssd 1.8.6 and we'll be rolling out 14.04 in
addition, which has sssd 1.11.3.
9 years, 3 months
New AD provider howto
by Jakub Hrozek
Hi,
our current HOWTO[1] on connecting SSSD to an AD DC is outdated,
mostly because the page still only introduces the LDAP provider. Recently
Sumit, Jeremy Agee and I wrote a new page that specifically advises using
the AD provider and also using realmd for setup:
https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server
We started a new page and kept the old one around mostly because pre-1.9
versions still need the LDAP provider info.
I'd like to get some review and feedback from our community so we can
link the wiki page from the front page or the documentation section. In
addition to the lists, I also CC-ed the individual contributors to the
original page directly. I hope that's fine.
Thank you for your comments.
[1]
https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate...
9 years, 4 months
1.11.5 ad names
by steve
Hi
We want to run:
getent passwd steve2
but we get:
(Wed Apr 30 13:02:06 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0080): No matching domain found for [steve2], fail!
This works fine:
getent passwd steve2@hh3.site
steve2@hh3.site:*:3000021:20513:steve2:/home/users/steve2:/bin/bash
All our rfc2307 are in Samba4 AD
Question: Is it possible to drop the domain?
[sssd]
services = nss, pam
config_file_version = 2
domains = hh3.site
[nss]
[pam]
[domain/hh3.site]
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = False
9 years, 4 months
feasibility using ldap only with AD
by Geerten Schram
Hi,
I'm trying to set up an LDAP proxy in front of an Active Directory and
configure sssd on the end point using the AD schema, but so far I'm not very
successful and now I wonder if it is feasible at all.
My first attempt is trying to use sssd directly to AD with these
settings:
ldap_schema=ad
id_provider = ldap
auth_provider = ldap
to no avail. I can join the AD domain and then it works. So is this
possible at all?
Regards,
Geerten Schram
9 years, 4 months
Password Changing with SSSD not running
by Kevin Sullivan
I am seeing an issue when I try to change a local user's password when SSSD
(1.9.2-82.el6) is not running. I have two sets of users: users stored in
ldap and users stored locally on my RHEL 6.4 machine. When able, I want to
login as the ldap users and only fallback to the local users when I can't
contact the ldap server. This is why I have pam configured like this:
password requisite pam_cracklib.so retry=3 minlen=10
password sufficient pam_sss.so forward_pass use_authtok
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
When SSSD is running, I can change the password of local users and ldap
users. However, when I try to change the password of a local user when SSSD
is not running, I see this error:
Changing password for user.
passwd: Authentication token manipulation error.
I then added 'audit' and 'debug' options to the pam_unix module and saw
this output in /var/log/secure:
Apr 25 16:01:21 localhost passwd: pam_sss(passwd:chauthtok): Request to sssd failed. Connection refused
Apr 25 16:01:21 localhost passwd: pam_unix(passwd:chauthtok): username [user] obtained
Apr 25 16:01:28 localhost passwd: pam_sss(passwd:chauthtok): Request to sssd failed. Connection refused
Apr 25 16:01:28 localhost passwd: pam_unix(passwd:chauthtok): username [user] obtained
Apr 25 16:01:28 localhost passwd: pam_unix(passwd:chauthtok): password - new password not obtained
Apr 25 16:01:28 localhost passwd: gkr-pam: couldn't update the 'login' keyring password: no old password was entered
I know that I can comment out the password line in
/etc/pam.d/system-auth-ac that references pam_sss, and the password change
will work correctly. Also, I know that I can login using a local account
when SSSD is stopped. Here is the auth section of my system-auth-ac:
auth required pam_env.so
auth sufficient pam_sss.so forward_pass
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
Am I misconfigured somehow? Does pam_sss support forwarding passwords when
SSSD is stopped?
Thanks,
Kevin
9 years, 4 months
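The password stack in the post can be traced with a small model of PAM's control flags. This is an added example, not code from the post and not Linux-PAM itself: it implements the documented meaning of requisite, sufficient and required and feeds in constructed per-module results. The "SSSD stopped" scenario takes its failures directly from the /var/log/secure lines quoted above (pam_sss: "Request to sssd failed", pam_unix: "new password not obtained"); the "SSSD running" scenario assumes pam_sss returns a non-success code for a local user it does not know.

```python
"""Model of how PAM combines module results under the control flags used in
the password stack quoted in the post (requisite / sufficient / required).

Added example, not code from the post and not libpam. Module results are
constructed inputs, not measurements.
"""
from enum import Enum


class Result(Enum):
    SUCCESS = "success"
    FAIL = "fail"  # any non-success code, e.g. PAM_AUTHTOK_ERR or PAM_USER_UNKNOWN


# The password stack from the post: (control flag, module) in file order.
PASSWORD_STACK = [
    ("requisite", "pam_cracklib.so"),
    ("sufficient", "pam_sss.so"),
    ("sufficient", "pam_unix.so"),
    ("required", "pam_deny.so"),
]


def run_stack(stack, results):
    """Return (overall Result, trace) for one pass through `stack`.

    `results` maps module name -> Result; modules not listed are taken to
    fail (pam_deny.so always does).  Flag semantics:
      requisite  : failure ends the stack at once with failure
      required   : failure is remembered, later modules still run
      sufficient : success ends the stack with success unless an earlier
                   required module already failed; failure is skipped
    """
    trace = []
    required_failed = False
    any_success = False
    for control, module in stack:
        r = results.get(module, Result.FAIL)
        trace.append(f"{control:10} {module:16} -> {r.value}")
        if r is Result.SUCCESS:
            any_success = True
            if control == "sufficient" and not required_failed:
                trace.append("stack ends: sufficient module succeeded")
                return Result.SUCCESS, trace
        else:
            if control == "requisite":
                trace.append("stack ends: requisite module failed")
                return Result.FAIL, trace
            if control == "required":
                required_failed = True
    if required_failed or not any_success:
        return Result.FAIL, trace
    return Result.SUCCESS, trace


def sssd_running_local_user():
    """Assumption: pam_sss returns non-success for a user it does not know,
    so it is skipped as a failing sufficient module and pam_unix ends the
    stack with success."""
    return run_stack(PASSWORD_STACK, {
        "pam_cracklib.so": Result.SUCCESS,
        "pam_sss.so": Result.FAIL,
        "pam_unix.so": Result.SUCCESS,
    })


def sssd_stopped_local_user():
    """Matches the /var/log/secure lines in the post: pam_sss reports
    'Connection refused' and pam_unix reports 'new password not obtained',
    so both sufficient modules fail and control reaches pam_deny."""
    return run_stack(PASSWORD_STACK, {
        "pam_cracklib.so": Result.SUCCESS,
        "pam_sss.so": Result.FAIL,
        "pam_unix.so": Result.FAIL,
    })


if __name__ == "__main__":
    for scenario in (sssd_running_local_user, sssd_stopped_local_user):
        result, trace = scenario()
        print(f"== {scenario.__name__}: {result.value}")
        print("\n".join("   " + line for line in trace))
```

In the second scenario neither sufficient module succeeds, so nothing ends the stack early and control falls through to the required pam_deny.so, which makes the stack as a whole fail. Any change to the stack is worth re-running through the model with both scenarios, since a fix for the stopped case must not break the running case.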
Sudo Ignoring User Via SSSD
by Chris Hayes
I have SSSD (1.8.4) working fine on Debian Wheezy system, with an LDAP
backend for users and groups. However, I'm having a problem with sudo.
My sudoers configuration file has the following line in it:
%sudo ALL=(ALL:ALL) ALL
And my LDAP (via SSSD) user is in that "sudo" group (its UID is in the
/etc/group file for group sudo, and getent shows this fine).
sudo:x:27:9009
However, when I run a sudo command, I receive the following error:
chris is not in the sudoers file. This incident will be reported.
Can someone help me to understand why this might be happening?
Chris
9 years, 5 months
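How a `%sudo` user specification is resolved, as an added example that is neither sudo's code nor part of the post: sudo asks the C library for the invoking user's groups (getgrouplist(3), which NSS answers from /etc/group and, with SSSD, from LDAP), and in both sources supplementary membership is recorded by user name, while primary membership comes from the gid field of the passwd entry. The passwd and group lines below are constructed.

```python
"""Model of how a sudoers rule such as '%sudo ALL=(ALL:ALL) ALL' is matched.

Added example, not sudo's own code and not from the post. Group membership
is resolved the way group(5) and getgrouplist(3) define it: the fourth
field of a group entry is a comma separated list of user *names*, and the
primary group comes from the gid field of the passwd entry. The passwd and
group lines are constructed.
"""

PASSWD_LINES = """\
root:x:0:0:root:/root:/bin/bash
chris:x:9009:9009:Chris:/home/chris:/bin/bash
"""

GROUP_LINES = """\
root:x:0:
sudo:x:27:chris
staff:x:50:9009
"""


def parse_passwd(text):
    """name -> (uid, gid) from passwd(5) formatted lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        users[name] = (int(uid), int(gid))
    return users


def parse_group(text):
    """name -> (gid, members) from group(5) formatted lines."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def groups_of(user, users, groups):
    """Set of group names `user` belongs to, as getgrouplist(3) would report:
    the group whose gid matches the user's primary gid plus every group
    whose member list names the user."""
    if user not in users:
        return set()
    _uid, primary_gid = users[user]
    return {name for name, (gid, members) in groups.items()
            if gid == primary_gid or user in members}


def group_rule_matches(rule, user, users, groups):
    """True if the '%group' user specification that starts a sudoers rule
    applies to `user`."""
    spec = rule.split(None, 1)[0]
    if not spec.startswith("%"):
        return False
    return spec[1:] in groups_of(user, users, groups)


if __name__ == "__main__":
    users = parse_passwd(PASSWD_LINES)
    groups = parse_group(GROUP_LINES)
    rule = "%sudo ALL=(ALL:ALL) ALL"
    for name in ("chris", "9009"):
        print(name, sorted(groups_of(name, users, groups)),
              group_rule_matches(rule, name, users, groups))
```

The third group line shows the distinction the model makes: a member field of `9009` is matched as a user named 9009, not as uid 9009, so it does not make chris a member of staff. On a live host the same question is answered by comparing `id chris` with `getent group sudo`, which show what the NSS stack, including sss, actually returns.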
Re: [SSSD-users] [SSSD] New AD provider howto-proper krb5.conf in multidomain env
by Longina Przybyszewska
I tried to follow the minimal setup from the new Howto:
In my multiple domain AD, SRV records are resolved for main domain and for subdomains from my client jedi.n.c.example.com,
dnsdomainname=n.c.example.com
I consider N.C.EXAMPLE.COM as my default_realm because my computer's attributes are defined in it.
(default_realm = N.C.EXAMPLE.COM ## defined in /etc/krb5.conf)
================================================
root@jedi:~# realm discover
See: journalctl REALMD_OPERATION=r6913.3121
realm: No default realm discovered
==============================================
root@jedi:~# realm discover C.EXAMPLE.COM
c.example.com
type: kerberos
realm-name: C.EXAMPLE.COM
domain-name: c.example.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U
login-policy: allow-realm-logins
================================================
root@jedi:~# realm discover N.C.EXAMPLE.COM
n.c.example.com
type: kerberos
realm-name: N.C.EXAMPLE.COM
domain-name: n.c.example.com
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
How should I understand the "configured:" line in both outputs?
What should my default_realm be?
Longina
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Longina Przybyszewska
Sent: 24. april 2014 14:47
To: 'End-user discussions about the System Security Services Daemon'
Subject: Re: [SSSD-users] [SSSD] New AD provider howto
Still, isn't it preferable to specify all domains in sssd.conf and use for each, dns_discovery_domain to speed up lookups?
> Using ad provider in multi domain environment and Global Catalog search:
> -do I still need the section for each subdomain in sssd.conf? Can I
> configure sssd only for main domain C.EXAMPLE.COM, if all subdomains {A,B,D}.C.EXAMPLE.COM don't differ?
If the subdomains are all part of a single forest, then SSSD should be able to see all the domains and all their users with 1.11.x.
>
>
> Longina
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
9 years, 5 months
Using LDAP Sudoers alongside Active Directory
by Jacob Taylor
Hi guys,
I'm in a pickle:
I'm trying to configure a domain in SSSD to both perform all the usual AD
authentication wizardry, and at the same time perform LDAP Sudo lookup in
the directory too. The AD schema has been extended.
It seems it doesn't like both LDAP and AD directives in the same domain,
but doesn't Sudo require LDAP and not AD? I know that's how it works for
IPA.
Has anyone gotten this working? I'm scratching my head. It works without
the sudo bit.
SSSD.conf:
[sssd]
domains = ad.example.com
services = nss,pam,sudo
config_file_version = 2
debug_level = 3
[nss]
filter_groups = root
filter_users = root
[sudo]
[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
[domain/ad.example.com]
# This is for testing
enumerate = true
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
# These values should auto-detect, but to be sure...
ad_server = server.ad.example.com
ad_hostname = client.ad.example.com
ad_domain = ad.example.com
# Provide default values for the Unix specifics
fallback_homedir = /home/%u
default_shell = /bin/bash
# LDAP SUDO must be done the old fashioned way
sudo_provider = ldap
# Provide LDAP params
ldap_uri = ldap://server.ad.example.com/
ldap_sudo_search_base = OU=SUDOers,DC=ad,DC=example,DC=com
ldap_sudo_full_refresh_interval=86400
ldap_sudo_smart_refresh_interval=300
# Configure Machine Authentication
krb5_server = server.ad.example.com
ldap_sasl_realm = AD.EXAMPLE.COM
ldap_sasl_mech = GSSAPI
# Yes, I tried host/client
ldap_sasl_authid = client$
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
ldap_krb5_ticket_lifetime = 86400
Cheers,
Jacob Neil Taylor
9 years, 5 months
Fwd: Slow convergence between sssd and windows 2008 r2 ad server
by Paul Liljenberg
Notice: I sent this email to the list using another mail address, which I
believe was not verified properly. If this email is properly sent to the
list you can disregard moderating the message.
Hello
I'm setting up a single sign-on solution for about 1200 servers. The
situation as it seems is that we are setting up all users in a Windows 2008
R2 Active Directory, adding proper Unix permissions. A user with proper
privileges to read Active Directory is being used by sssd to read which
users are allowed in and which are not. If the users do not have a home
directory it is created automatically. So what's the issue here? Access to
the system does not happen instantaneously and I believe it's because sssd is
polling Active Directory every 120 seconds. It seems as if it has issues
retaining its state and it is just as if it would lose its local database.
I would like users to be able to log in directly after a user is
added to Active Directory. Is this possible and how could this be
achieved?
Versions being used: Debian 7.4
ii sssd 1.8.4-2 amd64
System Security Services Daemon
ii sssd-tools 1.8.4-2 amd64
System Security Services Daemon -- tools
config:
--
[sssd]
config_file_version = 2
domains = int.home.local
services = nss, pam
debug_level = 0
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/int.home.local]
# Unless you know you need referrals, turn them off
ldap_referrals = false
# Uncomment if you need offline logins
cache_credentials = true
enumerate = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
# Uncomment if service discovery is not working
ldap_uri = ldap://win-04vje0onhci.int.home.local
# Comment out if not using SASL/GSSAPI to bind
#ldap_sasl_mech = GSSAPI
# Uncomment and adjust if the default principal host/fqdn@REALM is not available
#ldap_sasl_authid = nfs/client.ad.example.com@AD.EXAMPLE.COM
# Define these only if anonymous binds are not allowed and no keytab is available
# Enabling use_start_tls is very important, otherwise the bind password is transmitted
# over the network in the clear
#ldap_id_use_start_tls = True
ldap_default_bind_dn = CN=test,CN=Users,DC=int,DC=home,DC=local
ldap_default_authtok_type = password
ldap_default_authtok = secretpassword
ldap_schema = rfc2307bis
ldap_user_search_base = CN=Users,DC=int,DC=home,DC=local
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_search_base = CN=Builtin,DC=int,DC=home,DC=local
#ldap_group_search_base = ou=group,dc=int,dc=home,dc=local
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
# Uncomment if dns discovery of your AD servers isn't working.
krb5_server = win-04vje0onhci.int.home.local
krb5_realm = int.home.local
# Probably required with sssd 1.8.x and newer
krb5_canonicalize = false
# Perhaps you need to redirect to certain attributes?
# ldap_user_object_class = user
# ldap_user_name = sAMAccountName
# ldap_user_uid_number = msSFU30UidNumber
# ldap_user_gid_number = msSFU30GidNumber
# ldap_user_gecos = displayName
# ldap_user_home_directory = msSFU30HomeDirectory
# ldap_user_shell = msSFU30LoginShell
# ldap_user_principal = userPrincipalName
# ldap_group_object_class = group
# ldap_group_name = cn
# ldap_group_gid_number = msSFU30GidNumber
--
Kind regards / Best Regards
Paul Liljenberg
9 years, 5 months
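Two of the configurations in this digest, Jacob's AD/LDAP sudo setup and Paul's LDAP/krb5 setup above, invite the same mechanical checks: comments that sssd.conf only recognises at the start of a line, a Kerberos realm that must be the upper-case form of the AD domain, and a stored bind password on a domain that uses neither StartTLS nor an ldaps:// URI (the point Paul's own config comment makes). The following is an added example, not an SSSD tool and not from either post; the sample configurations and finding codes are this example's own, and it relies on ldap_id_use_start_tls defaulting to false when unset.

```python
"""Static checks for an sssd.conf file.

Added example, not an SSSD tool and not code from the posts above. The
configuration text is constructed for the demonstration. Assumptions: like
sssd.conf, configparser is set up here to treat '#' as a comment only at the
start of a line, so a trailing '# ...' stays part of the value, and
ldap_id_use_start_tls defaults to false when unset.
"""
import configparser

SAMPLE_CONF = """\
[sssd]
domains = ad.example.com
services = nss, pam, sudo
config_file_version = 2

[domain/ad.example.com]
id_provider = ad
ad_domain = ad.example.com
ldap_sasl_mech = GSSAPI
ldap_sasl_realm = EXAMPLE.COM
ldap_sasl_authid = client$ #tried host/client too
ldap_uri = ldap://server.ad.example.com/
ldap_default_bind_dn = CN=svc,CN=Users,DC=ad,DC=example,DC=com
ldap_default_authtok = secretpassword
"""

# A comment wrapped onto a second line leaves a bare word the parser rejects.
BROKEN_CONF = """\
[sssd]
domains = int.home.local

[domain/int.home.local]
id_provider = ldap
# Uncomment and adjust if the default principal is not
available
"""


def lint_sssd_conf(text):
    """Return a list of findings, each prefixed with a short code."""
    findings = []
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   inline_comment_prefixes=None)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        # sssd would refuse the whole file, so report and stop.
        findings.append(f"parse-error: {exc}")
        return findings

    for section in cp.sections():
        opts = cp[section]
        for key, value in opts.items():
            # '#' is not an inline comment marker: the text is now the value.
            if " #" in value or value.startswith("#"):
                findings.append(f"inline-comment: [{section}] {key} = {value!r}")
        if not section.startswith("domain/"):
            continue
        domain = opts.get("ad_domain") or section.split("/", 1)[1]
        realm = opts.get("ldap_sasl_realm") or opts.get("krb5_realm")
        if realm and realm != realm.upper():
            findings.append(f"realm-case: [{section}] realm {realm!r} is not upper case")
        elif realm and realm != domain.upper():
            findings.append(f"realm-mismatch: [{section}] realm {realm!r} is not the "
                            f"upper-case form of domain {domain!r}")
        starttls = opts.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
        uri = opts.get("ldap_uri", "").strip()
        if "ldap_default_authtok" in opts and not starttls and not uri.startswith("ldaps://"):
            findings.append(f"cleartext-bind: [{section}] ldap_default_authtok is set but "
                            "neither ldap_id_use_start_tls = true nor an ldaps:// URI "
                            "protects the simple bind")
    return findings


if __name__ == "__main__":
    for name, conf in (("SAMPLE_CONF", SAMPLE_CONF), ("BROKEN_CONF", BROKEN_CONF)):
        print(f"== {name}")
        for finding in lint_sssd_conf(conf) or ["clean"]:
            print("  ", finding)
```

Run against SAMPLE_CONF the linter reports the trailing comment kept in ldap_sasl_authid, the realm that is not the upper-case form of ad_domain, and the bind password sent over a plain ldap:// connection; BROKEN_CONF stops at the parse error, which is what sssd would do with the whole file. The checks are deliberately conservative: a realm that differs from the domain may be legitimate in some forests, so treat realm-mismatch as something to confirm rather than an error.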