ldap_sasl_mech EXTERNAL and SSL client authc
by Michael Ströder
Hi!
Is it possible to use SASL/EXTERNAL when connecting to an LDAP server with
StartTLS or LDAPS using client certs?
In a project they have certs on all systems anyway (because of using puppet)
and I'd like to let the sssd instances on all the systems authenticate to the
LDAP server to restrict visibility of LDAP entries by ACL. I'd like to avoid
having to set/configure passwords for each system's sssd.
Ciao, Michael.
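As an added illustration of the identity-mapping step behind this question (not code from sssd, OpenLDAP or the poster): with SASL/EXTERNAL over TLS the server takes the client certificate's subject as the authentication identity and then has to map it to a directory entry, which on OpenLDAP is done with authz-regexp rules. The model below simulates that mapping against a constructed in-memory directory so a set of rules can be checked offline before any host is allowed to bind this way. The lower-cased DN normalisation, the sample rule, the entry names and the handling of ambiguous matches are assumptions of this model. Whether the sssd client side accepts EXTERNAL for ldap_sasl_mech is the open question of the post and is not answered here.

```python
"""Model of SASL/EXTERNAL identity mapping (added example, not project code).

Flow: X.509 subject -> LDAP DN string -> authz-regexp rule -> entry DN.
The rule syntax follows OpenLDAP's authz-regexp directive (a regex over the
identity, a replacement DN or ldap:/// URL with $1.. group references); the
DN normalisation and all sample data are assumptions of this model.
"""
import re
from typing import Dict, List, Optional, Sequence, Tuple

# A certificate subject as RDNs in X.509 order (root first), e.g. O, OU, CN.
X509Subject = Sequence[Tuple[str, str]]


def subject_to_ldap_dn(subject: X509Subject) -> str:
    """Render a certificate subject as an LDAP string DN (leaf first).

    X.509 encodes the root RDN first; LDAP string DNs put the leaf first,
    so the order is reversed. Types are lower-cased (assumed normalisation).
    """
    return ",".join("%s=%s" % (t.lower(), v) for t, v in reversed(list(subject)))


class AuthzRegexp:
    """One authz-regexp rule: a pattern over the identity and a replacement."""

    def __init__(self, pattern: str, replacement: str) -> None:
        self.regex = re.compile(pattern, re.IGNORECASE)
        # Turn $1, $2, ... into Python's \g<1>, \g<2> so Match.expand() works.
        self.template = re.sub(r"\$(\d+)", r"\\g<\1>", replacement)

    def apply(self, identity: str) -> Optional[str]:
        m = self.regex.search(identity)
        return m.expand(self.template) if m else None


def map_identity(identity: str, rules: List[AuthzRegexp]) -> Optional[str]:
    """First matching rule wins; None means no mapping (the bind would fail)."""
    for rule in rules:
        out = rule.apply(identity)
        if out is not None:
            return out
    return None


# Constructed in-memory directory: DN -> attributes. The second "host1" entry
# sits outside ou=hosts; a correctly scoped search must not pick it up.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=host1,ou=hosts,dc=example,dc=com": {"cn": "host1"},
    "cn=host2,ou=hosts,dc=example,dc=com": {"cn": "host2"},
    "cn=host1,ou=people,dc=example,dc=com": {"cn": "host1"},
}

URL_RE = re.compile(r"^ldap:///(?P<base>[^?]*)\?(?P<attrs>[^?]*)\?(?P<scope>[^?]*)\?(?P<filter>.*)$")
FILTER_RE = re.compile(r"^\((?P<attr>\w+)=(?P<value>[^)]*)\)$")


def resolve_url(url: str, directory: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Evaluate a mapping URL against the directory; exactly one hit is required.

    Only the 'base' and 'sub' scopes and a single (attr=value) filter are modelled.
    """
    m = URL_RE.match(url)
    if not m:
        return None
    base, scope = m["base"].lower(), m["scope"] or "base"
    f = FILTER_RE.match(m["filter"])
    if not f:
        return None
    hits = []
    for dn, attrs in directory.items():
        in_scope = dn == base or (scope == "sub" and dn.endswith("," + base))
        if in_scope and attrs.get(f["attr"], "").lower() == f["value"].lower():
            hits.append(dn)
    # Zero hits: unknown host. Two or more: ambiguous, refuse rather than guess.
    return hits[0] if len(hits) == 1 else None


def resolve_identity(subject: X509Subject, rules: List[AuthzRegexp],
                     directory: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Full path from certificate subject to the entry DN that ACLs will see."""
    mapped = map_identity(subject_to_ldap_dn(subject), rules)
    if mapped is None:
        return None
    if mapped.startswith("ldap:///"):
        return resolve_url(mapped, directory)
    return mapped.lower() if mapped.lower() in directory else None


# Constructed rule: only certificates issued under ou=puppet,o=example map,
# and they map into ou=hosts, never into ou=people.
RULES = [AuthzRegexp(r"^cn=([^,]+),ou=puppet,o=example$",
                     "ldap:///ou=hosts,dc=example,dc=com??sub?(cn=$1)")]

if __name__ == "__main__":
    host_cert = [("O", "Example"), ("OU", "Puppet"), ("CN", "host1")]
    print(subject_to_ldap_dn(host_cert))
    print(resolve_identity(host_cert, RULES, DIRECTORY))
```

The point of anchoring the rule on the issuing OU and of scoping the URL to ou=hosts is that a certificate from any other part of the PKI, or a host entry that happens to share a cn with a person, cannot obtain the mapped identity and therefore cannot use the ACLs granted to it.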
timeout and offline mode behaviour
by "Thomas B. Rücker"
Hi,
we're using SSSD in combination with Active Directory and have received
complaints from users about a corner case in our setup.
Our AD servers are only reachable from within our corporate network;
connection attempts from the outside are dropped by firewalls. This
leads to the following scenario:
- user takes machine (e.g. laptop) outside the corporate network
- user tries to authenticate (or in some cases also tries to "ls" which
causes uid/gid lookup)
- sssd will try to reach the configured servers for up to 30s
- sssd goes (back) into offline mode and uses cached credentials and
authenticates the user
This will however NOT happen if sssd gets told by the IP stack that a
connection to the target IP is not possible (e.g. "ip route add
blackhole 192.0.2.23/32" or one of the routers along the way generates
an ICMP unreachable). In such cases sssd will go immediately into
offline mode and use cached credentials.
I'm aware that this is overall sensible behaviour, but what I would
hope to fine-tune is how sssd stays in offline mode. Currently it seems
like it will leave offline mode when it tries to reconnect (hardcoded
30s?). That leads to a flip-flop scenario where it seems to be 30s
offline and 30s "online/connecting" and users have a fairly high chance
to hit a time during which their authentication will seemingly stall.
So my question is:
Is there a better way to deal with this in the sssd context?
If not, we'll probably have to implement separate connection checking and
inject and remove blackhole routes accordingly. Not the nicest of
workarounds in my book.
Thanks, cheers
Thomas
PS: We're using sssd on many distributions, but our main distro at the
moment is Ubuntu 12.04 with sssd 1.8.6 and we'll be rolling out 14.04 in
addition, which has sssd 1.11.3.
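The workaround mentioned at the end of the post (separate connection checking that injects and removes blackhole routes), as an added sketch that is not sssd code and not something the poster published: the probe is pointed at a canary inside the corporate network rather than at the address being blackholed, because once the blackhole route is in place a probe of that same address can never observe recovery, and the route is only toggled after several consecutive results so the watchdog does not reproduce the flip-flop it is meant to hide. Host names, ports, thresholds and the 192.0.2.23/32 target are constructed values.

```python
"""Reachability watchdog with hysteresis (added example, not sssd code).

Idea from the post: check the directory server independently and, while it
is unreachable, blackhole its address so the IP stack fails fast and sssd
drops straight into offline mode. Two details matter in practice:
  * the probe must not target the blackholed address, or recovery can never
    be observed; probe a canary reachable only inside the corporate network
    (an internal DNS server or gateway) instead;
  * require several consecutive failures/successes before touching the
    route, otherwise a single lost packet toggles the state.
All hosts, ports and thresholds here are constructed placeholders.
"""
import socket
import subprocess
import time
from typing import List, Optional


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class RouteWatchdog:
    """Turn a stream of probe results into add/remove decisions for a route."""

    def __init__(self, target_cidr: str, fail_threshold: int = 3,
                 ok_threshold: int = 2) -> None:
        self.target = target_cidr          # address sssd would try, e.g. the DC
        self.fail_threshold = fail_threshold
        self.ok_threshold = ok_threshold
        self.blackholed = False
        self._fails = 0
        self._oks = 0

    def observe(self, reachable: bool) -> Optional[List[str]]:
        """Feed one probe result; return an `ip route` argv to run, or None."""
        if reachable:
            self._oks += 1
            self._fails = 0
            if self.blackholed and self._oks >= self.ok_threshold:
                self.blackholed = False
                self._oks = 0
                return ["ip", "route", "del", "blackhole", self.target]
        else:
            self._fails += 1
            self._oks = 0
            if not self.blackholed and self._fails >= self.fail_threshold:
                self.blackholed = True
                self._fails = 0
                return ["ip", "route", "add", "blackhole", self.target]
        return None


def run_cycle(wd: RouteWatchdog, canary_host: str, canary_port: int,
              apply: bool = False) -> Optional[List[str]]:
    """One probe plus decision; executes the route change only when apply=True."""
    cmd = wd.observe(tcp_probe(canary_host, canary_port))
    if cmd and apply:
        subprocess.run(cmd, check=True)   # needs CAP_NET_ADMIN / root
    return cmd


if __name__ == "__main__":
    # Constructed: the canary is an internal DNS server on TCP/53, the target
    # is the directory server address the firewall silently drops from outside.
    watchdog = RouteWatchdog("192.0.2.23/32", fail_threshold=3, ok_threshold=2)
    while True:
        change = run_cycle(watchdog, "canary.corp.example", 53, apply=False)
        if change:
            print("would run:", " ".join(change))
        time.sleep(10)
```

With a 10 s probe interval and the thresholds above, the route is installed after about 30 s of confirmed unreachability and removed after about 20 s of confirmed reachability, which is the one-way latch the post is asking for instead of the 30 s on/off oscillation.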
1.12 beta can't authenticate
by steve
Hi
Can kinit OK, but pam doesn't allow us in, it seems.
Any ideas?
Thanks
Steve
--- --- ---
openSUSE 13.1
make install of beta build over a working 1.11.5.1
Here is a domain user:
id steve2
uid=3000021(steve2) gid=20513(domain users) grupos=20513(domain
users),21111(staff2)
steve2 can authenticate and su fine with 1.11.5.1 on the same client
pam:
auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix.so try_first_pass
auth required pam_sss.so use_first_pass
client log:
2014-05-31T16:25:27.738959+02:00 catral su: pam_unix(su:auth):
authentication failure; logname=steve uid=1000 euid=0 tty=pts/1
ruser=steve rhost= user=steve2
2014-05-31T16:25:29.102746+02:00 catral su: pam_sss(su:auth):
authentication success; logname=steve uid=1000 euid=0 tty=pts/1
ruser=steve rhost= user=steve2
2014-05-31T16:25:29.164275+02:00 catral su: pam_sss(su:account): Access
denied for user steve2: 4 (Error del sistema)
sssd -i -d7:
2014-05-31T16:25:07.537030+02:00 catral sssd: Starting up
2014-05-31T16:25:07.854951+02:00 catral sssd[be[hh3.site]]: Starting up
2014-05-31T16:25:09.645973+02:00 catral sssd[pam]: Starting up
2014-05-31T16:25:09.665278+02:00 catral sssd[nss]: Starting up
2014-05-31T16:25:09.702723+02:00 catral sssd[autofs]: Starting up
(Sat May 31 16:25:24 2014) [sssd[nss]] [accept_fd_handler] (0x0400):
Client connected!
(Sat May 31 16:25:24 2014) [sssd[nss]] [sss_cmd_get_version] (0x0200):
Received client version [1].
(Sat May 31 16:25:24 2014) [sssd[nss]] [sss_cmd_get_version] (0x0200):
Offered version [1].
(Sat May 31 16:25:24 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0400):
Running command [17] with input [steve2].
(Sat May 31 16:25:24 2014) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'steve2' matched without domain, user is steve2
(Sat May 31 16:25:24 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
Requesting info for [steve2] from [<ALL>]
(Sat May 31 16:25:24 2014) [sssd[nss]] [nss_cmd_getpwnam_search]
(0x0100): Requesting info for [steve2@hh3.site]
(Sat May 31 16:25:24 2014) [sssd[nss]] [check_cache] (0x0400): Cached
entry is valid, returning..
(Sat May 31 16:25:24 2014) [sssd[nss]] [nss_cmd_getpwnam_search]
(0x0400): Returning info for user [steve2@hh3.site]
(Sat May 31 16:25:24 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0400):
Running command [17] with input [steve2].
(Sat May 31 16:25:24 2014) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'steve2' matched without domain, user is steve2
(Sat May 31 16:25:24 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
Requesting info for [steve2] from [<ALL>]
(Sat May 31 16:25:24 2014) [sssd[nss]] [nss_cmd_getpwnam_search]
(0x0100): Requesting info for [steve2@hh3.site]
(Sat May 31 16:25:24 2014) [sssd[nss]] [check_cache] (0x0400): Cached
entry is valid, returning..
(Sat May 31 16:25:24 2014) [sssd[nss]] [nss_cmd_getpwnam_search]
(0x0400): Returning info for user [steve2@hh3.site]
(Sat May 31 16:25:27 2014) [sssd] [service_send_ping] (0x0100): Pinging
hh3.site
(Sat May 31 16:25:27 2014) [sssd] [ping_check] (0x0100): Service
hh3.site replied to ping
(Sat May 31 16:25:27 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0400):
Running command [17] with input [steve2].
(Sat May 31 16:25:27 2014) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'steve2' matched without domain, user is steve2
(Sat May 31 16:25:27 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
Requesting info for [steve2] from [<ALL>]
(Sat May 31 16:25:27 2014) [sssd[nss]] [nss_cmd_getpwnam_search]
(0x0100): Requesting info for [steve2@hh3.site]
(Sat May 31 16:25:27 2014) [sssd[nss]] [check_cache] (0x0400): Cached
entry is valid, returning..
(Sat May 31 16:25:27 2014) [sssd[nss]] [nss_cmd_getpwnam_search]
(0x0400): Returning info for user [steve2@hh3.site]
(Sat May 31 16:25:27 2014) [sssd[pam]] [accept_fd_handler] (0x0400):
Client connected!
(Sat May 31 16:25:27 2014) [sssd[pam]] [sss_cmd_get_version] (0x0200):
Received client version [3].
(Sat May 31 16:25:27 2014) [sssd[pam]] [sss_cmd_get_version] (0x0200):
Offered version [3].
(Sat May 31 16:25:27 2014) [sssd[pam]] [pam_cmd_authenticate] (0x0100):
entering pam_cmd_authenticate
(Sat May 31 16:25:27 2014) [sssd[pam]] [sss_parse_name_for_domains]
(0x0200): name 'steve2' matched without domain, user is steve2
(Sat May 31 16:25:27 2014) [sssd[pam]] [pam_print_data] (0x0100):
command: PAM_AUTHENTICATE
(Sat May 31 16:25:27 2014) [sssd[pam]] [pam_print_data] (0x0100):
domain: not set
(Sat May 31 16:25:27 2014) [sssd[pam]] [pam_print_data] (0x0100): user:
steve2
(Sat May 31 16:25:27 2014) [sssd[pam]] [pam_print_data] (0x0100):
service: su
(Sat May 31 16:25:27 2014) [sssd[pam]] [pam_print_data] (0x0100): tty:
pts/1
(Sat May 31 16:25:27 2014) [sssd[pam]] [pam_print_data] (0x0100): ruser:
steve
(Sat May 31 16:25:27 2014) [sssd[pam]] [pam_print_data] (0x0100): rhost:
not set
(Sat May 31 16:25:27 2014) [sssd[pam]] [pam_print_data] (0x0100):
authtok type: 1
(Sat May 31 16:25:27 2014) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Sat May 31 16:25:27 2014) [sssd[pam]] [pam_print_data] (0x0100): priv:
0
(Sat May 31 16:25:27 2014) [sssd[pam]] [pam_print_data] (0x0100):
cli_pid: 2423
(Sat May 31 16:25:27 2014) [sssd[pam]] [sss_dp_issue_request] (0x0400):
Issuing request for [0x8054300:3:steve2@hh3.site]
(Sat May 31 16:25:27 2014) [sssd[pam]] [sss_dp_get_account_msg]
(0x0400): Creating request for [hh3.site][3][1][name=steve2]
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]] [be_get_account_info]
(0x0100): Got request for [3][1][name=steve2]
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]] [be_req_set_domain]
(0x0400): Changing request domain from [hh3.site] to [hh3.site]
(Sat May 31 16:25:27 2014) [sssd[pam]] [sss_dp_internal_get_send]
(0x0400): (Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]]
[fo_resolve_service_send] (0x0100): Entering request
[0x8054300:3:steve2@hh3.site]
Trying to resolve service 'AD_GC'
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]] [get_server_status]
(0x1000): Status of server 'hh16.hh3.site' is 'working'
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]] [get_port_status]
(0x1000): Port status of port 0 for server 'hh16.hh3.site' is 'neutral'
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]] [get_server_status]
(0x1000): Status of server 'hh16.hh3.site' is 'working'
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]]
[be_resolve_server_process] (0x0200): Found address for server
hh16.hh3.site: [192.168.1.16] TTL 7200
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]] [ad_resolve_callback]
(0x0100): Constructed uri 'ldap://hh16.hh3.site'
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]] [ad_resolve_callback]
(0x0100): Constructed GC uri 'ldap://hh16.hh3.site:3268'
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]] [sss_ldap_init_send]
(0x0400): Setting 6 seconds timeout for connecting
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]]
[sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to
[ldap://hh16.hh3.site:3268/??base] with fd [18].
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(objectclass=*)][].
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [*]
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [altServer]
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [namingContexts]
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedControl]
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedExtension]
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedFeatures]
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedLDAPVersion]
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[supportedSASLMechanisms]
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[domainControllerFunctionality]
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[defaultNamingContext]
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[highestCommittedUSN]
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
errmsg set
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]]
[sdap_get_server_opts_from_rootdse] (0x0100): Setting AD compatibility
level to [4]
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]] [sdap_kinit_send]
(0x0400): Attempting kinit (/etc/krb5.keytab, CATRAL$, HH3.SITE, 86400)
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]] [sdap_kinit_next_kdc]
(0x1000): Resolving next KDC for service AD
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]] [get_server_status]
(0x1000): Status of server 'hh16.hh3.site' is 'working'
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]] [get_port_status]
(0x1000): Port status of port 0 for server 'hh16.hh3.site' is 'working'
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]] [get_server_status]
(0x1000): Status of server 'hh16.hh3.site' is 'working'
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]]
[be_resolve_server_process] (0x0200): Found address for server
hh16.hh3.site: [192.168.1.16] TTL 7200
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]] [ad_resolve_callback]
(0x0100): Constructed uri 'ldap://hh16.hh3.site'
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]] [ad_resolve_callback]
(0x0100): Constructed GC uri 'ldap://hh16.hh3.site'
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]]
[sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get
TGT...
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]]
[create_tgt_req_send_buffer] (0x0400): buffer size: 47
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]] [set_tgt_child_timeout]
(0x0400): Setting 6 seconds timeout for tgt child
(Sat May 31 16:25:27 2014) [sssd[be[hh3.site]]] [write_pipe_handler]
(0x0400): All data has been sent!
(Sat May 31 16:25:27 2014) [[sssd[ldap_child[2424]]]] [main] (0x0400):
ldap_child started.
(Sat May 31 16:25:27 2014) [[sssd[ldap_child[2424]]]] [unpack_buffer]
(0x1000): total buffer size: 47
(Sat May 31 16:25:27 2014) [[sssd[ldap_child[2424]]]] [unpack_buffer]
(0x1000): realm_str size: 8
(Sat May 31 16:25:27 2014) [[sssd[ldap_child[2424]]]] [unpack_buffer]
(0x1000): got realm_str: HH3.SITE
(Sat May 31 16:25:27 2014) [[sssd[ldap_child[2424]]]] [unpack_buffer]
(0x1000): princ_str size: 7
(Sat May 31 16:25:27 2014) [[sssd[ldap_child[2424]]]] [unpack_buffer]
(0x1000): got princ_str: CATRAL$
(Sat May 31 16:25:27 2014) [[sssd[ldap_child[2424]]]] [unpack_buffer]
(0x1000): keytab_name size: 16
(Sat May 31 16:25:27 2014) [[sssd[ldap_child[2424]]]] [unpack_buffer]
(0x1000): got keytab_name: /etc/krb5.keytab
(Sat May 31 16:25:27 2014) [[sssd[ldap_child[2424]]]] [unpack_buffer]
(0x1000): lifetime: 86400
(Sat May 31 16:25:27 2014) [[sssd[ldap_child[2424]]]]
[ldap_child_get_tgt_sync] (0x0100): Principal name is: [CATRAL$@HH3.SITE]
(Sat May 31 16:25:27 2014) [[sssd[ldap_child[2424]]]]
[ldap_child_get_tgt_sync] (0x0100): Using keytab [/etc/krb5.keytab]
(Sat May 31 16:25:28 2014) [sssd] [service_send_ping] (0x0100): Pinging
nss
(Sat May 31 16:25:28 2014) [sssd] [service_send_ping] (0x0100): Pinging
pam
(Sat May 31 16:25:28 2014) [sssd] [service_send_ping] (0x0100): Pinging
autofs
(Sat May 31 16:25:28 2014) [sssd] [ping_check] (0x0100): Service autofs
replied to ping
(Sat May 31 16:25:28 2014) [sssd] [ping_check] (0x0100): Service pam
replied to ping
(Sat May 31 16:25:28 2014) [[sssd[ldap_child[2424]]]] [prepare_response]
(0x0400): (Sat May 31 16:25:28 2014) [sssd] [ping_check] (0x0100):
Service nss replied to ping
Building response for result [0]
(Sat May 31 16:25:28 2014) [[sssd[ldap_child[2424]]]] [pack_buffer]
(0x1000): result [0] krberr [0] msgsize [46] msg
[FILE:/usr/local/var/lib/sss/db/ccache_HH3.SITE]
(Sat May 31 16:25:28 2014) [[sssd[ldap_child[2424]]]] [main] (0x0400):
ldap_child completed successfully
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [read_pipe_handler]
(0x0400): EOF received, client finished
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [sdap_get_tgt_recv]
(0x0400): Child responded: 0
[FILE:/usr/local/var/lib/sss/db/ccache_HH3.SITE], expired on
[1401582327]
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [sdap_cli_auth_step]
(0x0100): expire timeout is 900
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [sdap_cli_auth_step]
(0x1000): the connection will expire at 1401547228
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [sasl_bind_send]
(0x0100): Executing sasl bind mech: gssapi, user: CATRAL$
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [child_sig_handler]
(0x1000): Waiting for child [2424].
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [child_sig_handler]
(0x0100): child [2424] finished successfully.
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [fo_set_port_status]
(0x0100): Marking port 0 of server 'hh16.hh3.site' as 'working'
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[set_server_common_status] (0x0100): Marking server 'hh16.hh3.site' as
'working'
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [ad_user_data_cmp]
(0x1000): Comparing GC with GC
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [fo_set_port_status]
(0x0400): Marking port 0 of duplicate server 'hh16.hh3.site' as
'working'
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_get_initgr_next_base] (0x0400): Searching for users with base
[DC=hh3,DC=site]
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(sAMAccountName=steve2)(objectclass=user)(&(uidNumber=*)(!(uidNumber=0))))][DC=hh3,DC=site].
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[unixUserPassword]
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[unixHomeDirectory]
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[userPrincipalName]
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [name]
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSID]
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [primaryGroupID]
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[userAccountControl]
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
errmsg set
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [sdap_save_user]
(0x0400): Save user
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [sdap_get_primary_name]
(0x0400): Processing object steve2
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [sdap_save_user]
(0x0400): Processing user steve2
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [sdap_save_user]
(0x0400): Adding original memberOf attributes to [steve2].
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [sdap_save_user]
(0x0400): Adding user principal [steve2@HH3.SITE] to attributes of
[steve2].
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [sdap_save_user]
(0x0400): Storing info for user steve2
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [no
filter][CN=steve2,CN=Users,DC=hh3,DC=site].
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [tokenGroups]
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
errmsg set
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x1000): Processing
membership SID [S-1-5-21-451355595-2219208293-2714859210-1111]
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x1000): Processing
membership SID [S-1-5-21-451355595-2219208293-2714859210-513]
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x1000): Processing
membership SID [S-1-5-32-545]
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_ad_tokengroups_initgr_posix_tg_done] (0x0080): Domain not found
for SID S-1-5-32-545
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[sdap_ad_tokengroups_update_members] (0x1000): Updating memberships for
[steve2]
(Sat May 31 16:25:28 2014) [sssd[nss]] [nss_memcache_initgr_check]
(0x1000): Got request for [steve2@hh3.site]
(Sat May 31 16:25:28 2014) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got
reply from Data Provider - DP error code: 0 errno: 0 error message:
Success
(Sat May 31 16:25:28 2014) [sssd[pam]] [pam_check_user_search] (0x0100):
Requesting info for [steve2@hh3.site]
(Sat May 31 16:25:28 2014) [sssd[pam]] [pam_check_user_search] (0x0400):
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [acctinfo_callback]
(0x0100): Request processed. Returned 0,0,Success
Returning info for user [steve2@hh3.site]
(Sat May 31 16:25:28 2014) [sssd[pam]] [pam_dp_send_req] (0x0100):
Sending request with the following data:
(Sat May 31 16:25:28 2014) [sssd[pam]] [pam_print_data] (0x0100):
command: PAM_AUTHENTICATE
(Sat May 31 16:25:28 2014) [sssd[pam]] [pam_print_data] (0x0100):
domain: hh3.site
(Sat May 31 16:25:28 2014) [sssd[pam]] [pam_print_data] (0x0100): user:
steve2
(Sat May 31 16:25:28 2014) [sssd[pam]] [pam_print_data] (0x0100):
service: su
(Sat May 31 16:25:28 2014) [sssd[pam]] [pam_print_data] (0x0100): tty:
pts/1
(Sat May 31 16:25:28 2014) [sssd[pam]] [pam_print_data] (0x0100): ruser:
steve
(Sat May 31 16:25:28 2014) [sssd[pam]] [pam_print_data] (0x0100): rhost:
not set
(Sat May 31 16:25:28 2014) [sssd[pam]] [pam_print_data] (0x0100):
authtok type: 1
(Sat May 31 16:25:28 2014) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Sat May 31 16:25:28 2014) [sssd[pam]] [pam_print_data] (0x0100): priv:
0
(Sat May 31 16:25:28 2014) [sssd[pam]] [pam_print_data] (0x0100):
cli_pid: 2423
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [be_req_set_domain]
(0x0400): Changing request domain from [hh3.site] to [hh3.site]
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [be_pam_handler]
(0x0100): Got request with the following data
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [pam_print_data]
(0x0100): command: PAM_AUTHENTICATE
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [pam_print_data]
(0x0100): domain: hh3.site
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [pam_print_data]
(0x0100): user: steve2
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [pam_print_data]
(0x0100): service: su
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [pam_print_data]
(0x0100): tty: pts/1
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [pam_print_data]
(0x0100): ruser: steve
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [pam_print_data]
(0x0100): rhost:
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [pam_print_data]
(0x0100): authtok type: 1
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [pam_print_data]
(0x0100): priv: 0
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [pam_print_data]
(0x0100): cli_pid: 2423
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [krb5_pam_handler]
(0x1000): Wait queue of user [steve2] is empty, running request
immediately.
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [switch_creds] (0x0200):
Switch user to [3000021][20513].
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [switch_creds] (0x0200):
Switch user to [0][0].
(Sat May 31 16:25:28 2014) [sssd[pam]] [pam_dom_forwarder] (0x0100):
pam_dp_send_req returned 0
(Sat May 31 16:25:28 2014) [sssd[pam]] [sss_dp_req_destructor] (0x0400):
Deleting request: [0x8054300:3:steve2@hh3.site]
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[fo_resolve_service_send] (0x0100): Trying to resolve service 'AD'
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [get_server_status]
(0x1000): Status of server 'hh16.hh3.site' is 'working'
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [get_port_status]
(0x1000): Port status of port 0 for server 'hh16.hh3.site' is 'working'
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [get_server_status]
(0x1000): Status of server 'hh16.hh3.site' is 'working'
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[be_resolve_server_process] (0x1000): Saving the first resolved server
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[be_resolve_server_process] (0x0200): Found address for server
hh16.hh3.site: [192.168.1.16] TTL 7200
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [ad_resolve_callback]
(0x0100): Constructed uri 'ldap://hh16.hh3.site'
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [ad_resolve_callback]
(0x0100): Constructed GC uri 'ldap://hh16.hh3.site'
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [write_pipe_handler]
(0x0400): All data has been sent!
(Sat May 31 16:25:28 2014) [[sssd[krb5_child[2425]]]] [main] (0x0400):
krb5_child started.
(Sat May 31 16:25:28 2014) [[sssd[krb5_child[2425]]]] [unpack_buffer]
(0x1000): total buffer size: [106]
(Sat May 31 16:25:28 2014) [[sssd[krb5_child[2425]]]] [unpack_buffer]
(0x0100): cmd [241] uid [3000021] gid [20513] validate [true] enterprise
principal [true] offline [false] UPN [steve2@HH3.SITE]
(Sat May 31 16:25:28 2014) [[sssd[krb5_child[2425]]]] [unpack_buffer]
(0x0100): ccname: [FILE:/tmp/krb5cc_3000021] keytab: [/etc/krb5.keytab]
(Sat May 31 16:25:28 2014) [[sssd[krb5_child[2425]]]]
[set_lifetime_options] (0x0100): Cannot read
[SSSD_KRB5_RENEWABLE_LIFETIME] from environment.
(Sat May 31 16:25:28 2014) [[sssd[krb5_child[2425]]]]
[set_lifetime_options] (0x0100): Cannot read [SSSD_KRB5_LIFETIME] from
environment.
(Sat May 31 16:25:28 2014) [[sssd[krb5_child[2425]]]]
[set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to
[true]
(Sat May 31 16:25:28 2014) [[sssd[krb5_child[2425]]]] [k5c_setup]
(0x0100): Not using FAST.
(Sat May 31 16:25:28 2014) [[sssd[krb5_child[2425]]]] [main] (0x0400):
Will perform online auth
(Sat May 31 16:25:28 2014) [[sssd[krb5_child[2425]]]] [tgt_req_child]
(0x1000): Attempting to get a TGT
(Sat May 31 16:25:28 2014) [[sssd[krb5_child[2425]]]] [get_and_save_tgt]
(0x0400): Attempting kinit for realm [HH3.SITE]
(Sat May 31 16:25:28 2014) [[sssd[krb5_child[2425]]]] [validate_tgt]
(0x0400): TGT verified using key for [host/catral.hh3.site@HH3.SITE].
(Sat May 31 16:25:28 2014) [[sssd[krb5_child[2425]]]] [sss_send_pac]
(0x0040): sss_pac_make_request failed [-1][2].
(Sat May 31 16:25:28 2014) [[sssd[krb5_child[2425]]]] [validate_tgt]
(0x0040): sss_send_pac failed, group membership for user with principal
[steve2\@HH3.SITE@HH3.SITE] might not be correct.
(Sat May 31 16:25:28 2014) [[sssd[krb5_child[2425]]]] [become_user]
(0x0200): Trying to become user [3000021][20513].
(Sat May 31 16:25:28 2014) [[sssd[krb5_child[2425]]]] [k5c_send_data]
(0x0200): Received error code 0
(Sat May 31 16:25:28 2014) [[sssd[krb5_child[2425]]]] [main] (0x0400):
krb5_child completed successfully
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [read_pipe_handler]
(0x0400): EOF received, client finished
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[parse_krb5_child_response] (0x1000): child response [0][3][36].
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[parse_krb5_child_response] (0x1000): child response
[0][-1073741822][16].
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[parse_krb5_child_response] (0x1000): child response
[0][-1073741823][32].
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[parse_krb5_child_response] (0x1000): TGT times are
[1401546329][1401546329][1401582329][1401632728].
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [fo_set_port_status]
(0x0100): Marking port 0 of server 'hh16.hh3.site' as 'working'
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[set_server_common_status] (0x0100): Marking server 'hh16.hh3.site' as
'working'
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [ad_user_data_cmp]
(0x1000): Comparing LDAP with LDAP
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [fo_set_port_status]
(0x0400): Marking port 0 of duplicate server 'hh16.hh3.site' as
'working'
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [switch_creds] (0x0200):
Switch user to [3000021][20513].
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]] [switch_creds] (0x0200):
Switch user to [0][0].
(Sat May 31 16:25:28 2014) [sssd[be[hh3.site]]]
[safe_remove_old_ccache_file] (0x0400): New and old ccache file are the
same, none will be deleted.
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]] [check_wait_queue]
(0x1000): Wait queue for user [steve2] is empty.
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]]
[be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>)
[Success]
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]]
[be_pam_handler_callback] (0x0100): Sending result [0][hh3.site]
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_dp_process_reply] (0x0100):
received: [0][hh3.site]
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_reply] (0x0200): pam_reply
called with result [0].
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_reply] (0x0200): blen: 69
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]]
[be_pam_handler_callback] (0x0100): (Sat May 31 16:25:29 2014)
[sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input
[steve2].
(Sat May 31 16:25:29 2014) [sssd[nss]] [sss_parse_name_for_domains]
(0x0200): name 'steve2' matched without domain, user is steve2
(Sat May 31 16:25:29 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
Requesting info for [steve2] from [<ALL>]
(Sat May 31 16:25:29 2014) [sssd[nss]] [nss_cmd_getpwnam_search]
(0x0100): Requesting info for [steve2@hh3.site]
(Sat May 31 16:25:29 2014) [sssd[nss]] [check_cache] (0x0400): Cached
entry is valid, returning..
(Sat May 31 16:25:29 2014) [sssd[nss]] [nss_cmd_getpwnam_search]
(0x0400): Returning info for user [steve2@hh3.site]
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_cmd_acct_mgmt] (0x0100):
Sent result [0][hh3.site]
entering pam_cmd_acct_mgmt
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]] [child_sig_handler]
(0x1000): (Sat May 31 16:25:29 2014) [sssd[pam]]
[sss_parse_name_for_domains] (0x0200): Waiting for child [2425].
name 'steve2' matched without domain, user is steve2
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_print_data] (0x0100): (Sat
May 31 16:25:29 2014) [sssd[be[hh3.site]]] [child_sig_handler] (0x0100):
command: PAM_ACCT_MGMT
child [2425] finished successfully.
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_print_data] (0x0100):
domain: not set
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_print_data] (0x0100): user:
steve2
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_print_data] (0x0100):
service: su
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_print_data] (0x0100): tty:
pts/1
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_print_data] (0x0100): ruser:
steve
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_print_data] (0x0100): rhost:
not set
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_print_data] (0x0100):
authtok type: 0
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_print_data] (0x0100): priv:
0
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_print_data] (0x0100):
cli_pid: 2423
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_check_user_search] (0x0100):
Requesting info for [steve2@hh3.site]
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_check_user_search] (0x0400):
Returning info for user [steve2@hh3.site]
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_dp_send_req] (0x0100):
Sending request with the following data:
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_print_data] (0x0100):
command: PAM_ACCT_MGMT
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_print_data] (0x0100):
domain: hh3.site
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_print_data] (0x0100): user:
steve2
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_print_data] (0x0100):
service: su
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_print_data] (0x0100): tty:
pts/1
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_print_data] (0x0100): ruser:
steve
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_print_data] (0x0100): rhost:
not set
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_print_data] (0x0100):
authtok type: 0
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_print_data] (0x0100):
newauthtok type: 0
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_print_data] (0x0100): priv:
0
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_print_data] (0x0100):
cli_pid: 2423
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]] [be_req_set_domain]
(0x0400): Changing request domain from [hh3.site] to [hh3.site]
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]] [be_pam_handler]
(0x0100): Got request with the following data
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]] [pam_print_data]
(0x0100): command: PAM_ACCT_MGMT
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]] [pam_print_data]
(0x0100): domain: hh3.site
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]] [pam_print_data]
(0x0100): user: steve2
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]] [pam_print_data]
(0x0100): service: su
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]] [pam_print_data]
(0x0100): tty: pts/1
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]] [pam_print_data]
(0x0100): ruser: steve
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]] [pam_print_data]
(0x0100): rhost:
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]] [pam_print_data]
(0x0100): authtok type: 0
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]] [pam_print_data]
(0x0100): newauthtok type: 0
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]] [pam_print_data]
(0x0100): priv: 0
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]] [pam_print_data]
(0x0100): cli_pid: 2423
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]] [sdap_access_send]
(0x0400): Performing access check for user [steve2]
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]]
[sdap_account_expired_ad] (0x0400): Performing AD access check for user
[steve2]
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]] [ad_gpo_connect_done]
(0x0400): sam_account_name is catral.hh3.site$
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(objectclass=user)(sAMAccountName=catral.hh3.site
$))][dc=hh3,dc=site].
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[distinguishedName]
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs:
[userAccountControl]
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_dom_forwarder] (0x0100):
pam_dp_send_req returned 0
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]]
[sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no
errmsg set
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]]
[ad_gpo_target_dn_retrieval_done] (0x0040): No DN retrieved for policy
target.
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]] [ad_gpo_access_done]
(0x0040): GPO-based access control failed.
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]]
[be_pam_handler_callback] (0x0100): Backend returned: (3, 4, No existe
el fichero o el directorio) [Internal Error (Error del sistema)]
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]]
[be_pam_handler_callback] (0x0100): Sending result [4][hh3.site]
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_dp_process_reply] (0x0100):
received: [4][hh3.site]
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_reply] (0x0200): pam_reply
called with result [4].
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_reply] (0x0200): blen: 25
(Sat May 31 16:25:29 2014) [sssd[pam]] [client_recv] (0x0200): Client
disconnected!
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]]
[be_pam_handler_callback] (0x0100): Sent result [4][hh3.site]
(Sat May 31 16:25:32 2014) [sssd[nss]] [client_recv] (0x0200): Client
disconnected!
^C(Sat May 31 16:25:35 2014) [sssd] [monitor_quit_signal] (0x0040):
Monitor received Interrupción: terminating children
(Sat May 31 16:25:35 2014) [sssd] [monitor_quit] (0x0040): Returned
with: 0
(Sat May 31 16:25:35 2014) [sssd] [monitor_quit] (0x0020): Terminating
[autofs][2413]
(Sat May 31 16:25:35 2014) [sssd[autofs]] [sss_responder_ctx_destructor]
(0x0400): Responder is being shut down
(Sat May 31 16:25:35 2014) [sssd[be[hh3.site]]] [sbus_dispatch]
(0x0080): Connection is not open for dispatching.
(Sat May 31 16:25:35 2014) [sssd[be[hh3.site]]] [be_client_destructor]
(0x0400): Removed autofs client
(Sat May 31 16:25:35 2014) [sssd] [monitor_quit] (0x0020): Child
[autofs] terminated with a signal
(Sat May 31 16:25:35 2014) [sssd] [monitor_quit] (0x0020): Terminating
[pam][2412]
(Sat May 31 16:25:35 2014) [sssd[pam]] [sss_responder_ctx_destructor]
(0x0400): Responder is being shut down
(Sat May 31 16:25:35 2014) [sssd[be[hh3.site]]] [sbus_dispatch]
(0x0080): Connection is not open for dispatching.
(Sat May 31 16:25:35 2014) [sssd[be[hh3.site]]] [be_client_destructor]
(0x0400): Removed PAM client
(Sat May 31 16:25:35 2014) [sssd] [monitor_quit] (0x0020): Child [pam]
terminated with a signal
(Sat May 31 16:25:35 2014) [sssd] [monitor_quit] (0x0020): Terminating
[nss][2411]
(Sat May 31 16:25:35 2014) [sssd[nss]] [sss_responder_ctx_destructor]
(0x0400): Responder is being shut down
(Sat May 31 16:25:35 2014) [sssd[be[hh3.site]]] [sbus_dispatch]
(0x0080): Connection is not open for dispatching.
(Sat May 31 16:25:35 2014) [sssd[be[hh3.site]]] [be_client_destructor]
(0x0400): Removed NSS client
(Sat May 31 16:25:35 2014) [sssd] [monitor_quit] (0x0020): Child [nss]
terminated with a signal
(Sat May 31 16:25:35 2014) [sssd] [monitor_quit] (0x0020): Terminating
[hh3.site][2410]
(Sat May 31 16:25:35 2014) [sssd[be[hh3.site]]] [remove_krb5_info_files]
(0x0200): Could not remove
[/usr/local/var/lib/sss/pubconf/kpasswdinfo.HH3.SITE], [2][No existe el
fichero o el directorio]
(Sat May 31 16:25:35 2014) [sssd[be[hh3.site]]] [be_ptask_destructor]
(0x0400): Terminating periodic task [Cleanup of hh3.site]
(Sat May 31 16:25:35 2014) [sssd] [monitor_quit] (0x0020): Child
[hh3.site] terminated with a signal
sssd.conf
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = hh3.site
[nss]
[pam]
[autofs]
[domain/hh3.site]
ad_hostname = catral.hh3.site
ad_server = hh16.hh3.site
ad_domain = hh3.site
ldap_schema = ad
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ldap_id_mapping=false
ldap_sasl_mech = gssapi
ldap_sasl_authid = CATRAL$(a)HH3.SITE
krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
autofs_provider=ldap
ldap_autofs_search_base = OU=automount,DC=hh3,DC=site
ldap_autofs_map_object_class = automountMap
ldap_autofs_entry_object_class = automount
ldap_autofs_map_name = automountMapName
ldap_autofs_entry_key = automountKey
ldap_autofs_entry_value = automountInformation
KDC
Kerberos: AS-REQ steve2\@HH3.SITE(a)HH3.SITE from ipv4:192.168.1.25:39732
for krbtgt/HH3.SITE(a)HH3.SITE
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- steve2\@HH3.SITE(a)HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- steve2\@HH3.SITE(a)HH3.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- steve2
\@HH3.SITE(a)HH3.SITE
Kerberos: AS-REQ steve2\@HH3.SITE(a)HH3.SITE from ipv4:192.168.1.25:56942
for krbtgt/HH3.SITE(a)HH3.SITE
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- steve2\@HH3.SITE(a)HH3.SITE
Kerberos: Looking for ENC-TS pa-data -- steve2\@HH3.SITE(a)HH3.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- steve2
\@HH3.SITE(a)HH3.SITE using arcfour-hmac-md5
9 years, 3 months
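Added example, not code from the thread or from the SSSD project: a small Python triage helper that parses sssd debug lines in the format quoted above, collects the failure-level entries, extracts the sAMAccountName used in the GPO target search and the PAM result code, and reports when that name does not match the computer account implied by ad_hostname (the usual AD convention of short host name plus "$", which is also what ldap_sasl_authid = CATRAL$ in the post's sssd.conf uses). The sample log and config excerpt are constructed from the post, with the entries re-joined onto one line each; the PAM code names are Linux-PAM's.

```python
"""Triage helper for sssd debug output of the kind quoted in the thread."""
import configparser
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the GPO access-check entries from the post, one entry per
# line as sssd writes them (the mail archive hard-wraps long lines).
SAMPLE_LOG = """\
(Sat May 31 16:25:29 2014) [sssd[pam]] [pam_print_data] (0x0100): user: steve2
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]] [sdap_access_send] (0x0400): Performing access check for user [steve2]
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]] [ad_gpo_connect_done] (0x0400): sam_account_name is catral.hh3.site$
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=user)(sAMAccountName=catral.hh3.site$))][dc=hh3,dc=site].
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]] [ad_gpo_target_dn_retrieval_done] (0x0040): No DN retrieved for policy target.
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
(Sat May 31 16:25:29 2014) [sssd[be[hh3.site]]] [be_pam_handler_callback] (0x0100): Sending result [4][hh3.site]
"""

# Constructed excerpt of the sssd.conf from the post (only the keys used here).
SAMPLE_CONF = """\
[sssd]
domains = hh3.site
[domain/hh3.site]
ad_hostname = catral.hh3.site
ldap_sasl_authid = CATRAL$@HH3.SITE
access_provider = ad
"""

# One sssd debug entry: (timestamp) [sssd[proc[domain]]] [function] (0xlevel): message
ENTRY_RE = re.compile(
    r"^(?:\^C)?\((?P<ts>[^)]+)\) "
    r"\[(?P<proc>sssd(?:\[[^\[\]]+(?:\[[^\[\]]+\])?\])?)\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\):\s?(?P<msg>.*)$"
)

# Linux-PAM return codes as they appear in "Sending result [N]".
PAM_RESULT = {0: "PAM_SUCCESS", 4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR"}


@dataclass
class Entry:
    ts: str
    proc: str
    func: str
    level: int  # sssd debug level bit, e.g. 0x0040 = serious failure
    msg: str


def parse_entries(text: str) -> List[Entry]:
    """Parse sssd debug output; a line that does not start a new entry (e.g. a
    message wrapped by a mail client) is appended to the previous message."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m["ts"], m["proc"], m["func"], int(m["level"], 16), m["msg"]))
        elif entries:
            entries[-1].msg = (entries[-1].msg + " " + line).strip()
    return entries


def expected_computer_account(ad_hostname: str) -> str:
    """AD names a computer account after its short host name plus '$'."""
    return ad_hostname.split(".")[0].upper() + "$"


def triage_gpo_access(log_text: str, conf_text: str, domain: str) -> Dict[str, object]:
    """Correlate the GPO target lookup, its outcome and the PAM result."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(conf_text)
    expected = expected_computer_account(conf.get(f"domain/{domain}", "ad_hostname"))
    report: Dict[str, object] = {"expected_account": expected, "searched_account": None,
                                 "pam_result": None, "failures": [], "findings": []}
    for e in parse_entries(log_text):
        if e.level <= 0x0080:  # fatal/critical/serious/minor failure levels
            report["failures"].append(f"{e.func}: {e.msg}")
        if e.func == "sdap_get_generic_ext_step" and "ldap_search_ext" in e.msg:
            m = re.search(r"\(sAMAccountName=([^)]+)\)", e.msg)
            if m:
                report["searched_account"] = m.group(1)
        elif e.func == "be_pam_handler_callback":
            m = re.search(r"Sending result \[(\d+)\]", e.msg)
            if m:
                code = int(m.group(1))
                report["pam_result"] = PAM_RESULT.get(code, f"PAM code {code}")
    searched = report["searched_account"]
    if searched and searched.upper() != expected:
        report["findings"].append(
            f"GPO target search used sAMAccountName={searched}, but ad_hostname "
            f"implies the computer account {expected}; the search cannot match.")
    if any("GPO-based access control failed" in f for f in report["failures"]):
        report["findings"].append(
            "GPO-based access control failed, so access_provider = ad returned "
            f"{report['pam_result']} instead of a grant/deny decision.")
    return report


if __name__ == "__main__":
    for key, value in triage_gpo_access(SAMPLE_LOG, SAMPLE_CONF, "hh3.site").items():
        print(f"{key}: {value}")
```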
Announcing SSSD 1.12 beta 1
by Jakub Hrozek
=== SSSD 1.12 Beta 1 ===
The SSSD team is proud to announce the beta release of version 1.12 of
the System Security Services Daemon.
This beta release includes several new features, notably a public DBus API,
an ID-mapping plugin for cifs-utils and a first milestone of the GPO access
control support.
As always, the source is available from https://fedorahosted.org/sssd.
RPM packages will be made available for Fedora rawhide shortly.
The SSSD 1.12 Beta 2 release is scheduled for next week. Our goal is to
include several patches currently pending review and finish string changes
before declaring String Freeze. After the Beta 2 release, the development
will refocus to bug fixing in preparation for the 1.12 final release.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* A new responder, called InfoPipe was added. This responder provides a
public D-Bus interface accessible over the system bus. In this release,
methods for retrieving user attributes and list of groups were added as
well as objects representing SSSD domains and processes. The next 1.12.x
releases will publish objects representing users and groups, too.
* SSSD provides an ID-mapping plugin for cifs-utils so that Windows SIDs
can be mapped onto POSIX IDs and/or names without requiring Winbind and
using the same code as the SSSD uses for identity information.
* Added a new library called sss_sifp that provides a simple synchronous
API for communication with our new InfoPipe responder over the system bus.
* journald can now be used to store debug logs. The journald support
is not enabled by default. In order to enable it, compile SSSD with
--with-syslog=journald.
* First phase of Group Policy-based access control for the AD provider was
added. At the moment, the gpo-ldap component that downloads the list of
GPOs that apply for the specific client has been implemented. The gpo-smb
component that retrieves the group policy files and determines the access
control check results based on those files is expected to be implemented
in one of the next 1.12.x releases.
== Packaging Changes ==
* The sssd_sifp library and the InfoPipe responder are packaged in their
own subpackages.
== Documentation Changes ==
* The new InfoPipe responder has several configuration options. Refer
to the sssd-ifp manual page for details.
* A new option offline_timeout was added. This option allows the
administrator to configure how often SSSD should attempt to reconnect
when in offline mode.
* The LDAP provider has a new option ldap_user_extra_attrs that enables the
administrator to extend the map of attributes downloaded when looking up
a user. These custom attributes can then be retrieved with the new DBus API.
* The automounter master map name can now be configured with a new option
ldap_autofs_map_master_name.
* A new option ad_gpo_access_control is available to let the user configure
the behaviour of the GPO access control feature.
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1096
Clock skew in krb5 auth should result in offline operation, not failure
https://fedorahosted.org/sssd/ticket/1187
Delete IPA specific attribute mappings from man page
https://fedorahosted.org/sssd/ticket/1366
[RFE] Optimize RFC2307bis lookups when user and group search bases do not overlap
https://fedorahosted.org/sssd/ticket/1451
Update manpage with the minimal value expected for ldap_idmap_range_size
https://fedorahosted.org/sssd/ticket/1585
[RFE] Add a check to pam_sss to ensure that authtok_type=SSS_AUTHTOK_TYPE_PASSWORD is \0 terminated
https://fedorahosted.org/sssd/ticket/1718
Offline mode timeout not documented
https://fedorahosted.org/sssd/ticket/1866
SSSD changes primary creds on authentication
https://fedorahosted.org/sssd/ticket/1885
Use a shorter retry timeout for SRV queries in cases the query cannot be resolved (negative timeout)
https://fedorahosted.org/sssd/ticket/1918
Undocument and deprecate ipa_hbac_support_srchost
https://fedorahosted.org/sssd/ticket/1923
Create tickets to track unit test enhancements
https://fedorahosted.org/sssd/ticket/2022
Review Fedora 20 system wide changes and file corresponding tickets if they affect SSSD
https://fedorahosted.org/sssd/ticket/2024
Create unit test for nested groups
https://fedorahosted.org/sssd/ticket/2037
nondescriptive error message when ccache directory has wrong permissions
https://fedorahosted.org/sssd/ticket/2040
Enable ad_compat sasl option
https://fedorahosted.org/sssd/ticket/2061
ccache management simplification
https://fedorahosted.org/sssd/ticket/2072
[RFE] Provide an experimental DBus responder to retrieve custom attributes from SSSD cache
https://fedorahosted.org/sssd/ticket/2073
[RFE] Extend the LDAP backend to retrieve extended set of attributes
https://fedorahosted.org/sssd/ticket/2084
check for active sessions not troll proc for uids
https://fedorahosted.org/sssd/ticket/2094
find uid tests fail
https://fedorahosted.org/sssd/ticket/2097
Build library libsss_test_common in test phase
https://fedorahosted.org/sssd/ticket/2125
cifsidmap support should be optional
https://fedorahosted.org/sssd/ticket/2162
[RFE] warn to syslog if an unresponsive subprocess is terminated
https://fedorahosted.org/sssd/ticket/2171
Do not start multiple backends for the same domain
https://fedorahosted.org/sssd/ticket/2179
Sssd dyndns update fails for addresses from different networks
https://fedorahosted.org/sssd/ticket/2195
[RFE] Send debug logs to journald by default
https://fedorahosted.org/sssd/ticket/2198
remove unused tmp_ctx in async_resolv.c
https://fedorahosted.org/sssd/ticket/2210
convert ad_account_can_shortcut to returning boolean
https://fedorahosted.org/sssd/ticket/2225
PO files changed during build
https://fedorahosted.org/sssd/ticket/2227
[RFE] Expose domain object over DBus
https://fedorahosted.org/sssd/ticket/2234
autogenerate introspection
https://fedorahosted.org/sssd/ticket/2254
[RFE] Create a library to simplify usage of D-Bus responder
https://fedorahosted.org/sssd/ticket/2258
[src/providers/krb5/krb5_common.c:418] -> [src/providers/krb5/krb5_common.c:418]: (style) Same expression on both sides of '||'.
https://fedorahosted.org/sssd/ticket/2288
sssd is crashing after several quick invokes of automount -m
https://fedorahosted.org/sssd/ticket/2290
The DBus responder should not spawn a client socket
https://fedorahosted.org/sssd/ticket/2291
make distcheck fails
https://fedorahosted.org/sssd/ticket/2304
refactor splitting the selinux priority list
https://fedorahosted.org/sssd/ticket/2313
consider going offline on KRB5KRB_ERR_GENERIC error instead of System Error
https://fedorahosted.org/sssd/ticket/2319
provide a compatible definition of ck_assert_uint_eq
https://fedorahosted.org/sssd/ticket/2321
daemon FAILS to start with config file set to mode 400
https://fedorahosted.org/sssd/ticket/2331
sssd should also filter out S-1-18
== Detailed Changelog ==
Please note this detailed changelog contains only changes since the latest stable version 1.11.5.1.
Alexander Bokovoy (2):
* ipa subdomains provider: make sure search by SID works for homedir
* well known sids: Windows Server 2012 new asserted identity SIDs
Benjamin Franzke (3):
* Add CIFS idmap plugin
* BUILD: Use OPENLDAP_CFLAGS instead of LDAP_CFLAGS
* BUILD: Link libsss_krb5_common.so to libkeyutils.so
Chris Leick (1):
* German translation update
Cove Schneider (1):
* Add ldap_autofs_map_master_name option
Jakub Hrozek (86):
* Bump version to track 1.12 development
* Add journald support
* BE: Log domain name to journald if available
* MAN: Fix provider man page subtitle
* LDAP: Deprecate ldap_{user,group}_search_filter
* Check return values of setenv and unsetenv
* MAN: Fix refsect-id
* Include external headers with #include <foo.h>
* Remove unused constants
* IPA: Do not enable IPA sites in server mode
* Remove duplicate declaration
* UTIL: Move sss_parse_name_for_domains declaration to util.h
* NSS: Use new safealign macros in NSS responder
* UTIL: Free log message when using journald
* Remove unused variable
* PAC: Free config attribute when it's processed
* Merge ipa_selinux_common.c and ipa_selinux.c
* SYSDB: Drop the sysdb_ctx parameter from the autofs API
* SYSDB: Drop the sysdb_ctx parameter from SELinux functions
* SYSDB: Drop the sysdb_ctx parameter from the sysdb_idmap module
* SYSDB: Drop the sysdb_ctx parameter from the sysdb_sudo.c module
* KRB5: Go offline in case of clock skew
* MAN: Add a link explaining different LDAP scopes
* MAN: Remove unused experimental file
* NSS: Compare bool with false, not 0
* Fix a trivial typo
* LDAP: Fix a debug message
* NSS: Fix DEBUG formatting of cmdctx->id
* DEBUG: Fix build without journald
* NSS: Continue if there is no port
* Fix DEBUG message formatting
* IFP: Fix a typo in the Makefile
* IFP: Re-add the InfoPipe server
* IFP: Connect to the system bus
* tests: Don't set the check fork mode explicitly
* SBUS: Generate introspection from the interface meta structure
* ConfigAPI: Add two missing AD options
* Add a unit test for sss_parse_name_for_domains
* Minor fixes for sss_parse_name_for_domains
* SBUS: Create an sbus_method_meta instance for Introspection
* RESPONDER: Fix a wrong DEBUG message
* DP: Remove unused 'force' parameter from the subdomain handler
* TESTS: Create a default sss_names_ctx in create_dom_test_ctx
* TESTS: Split a separate common_mock_resp_dp module
* RESPONDERS: Add a new request sss_parse_inp_send
* KRB5: Print a verbose error message on failure reading the keytab
* LDAP: Fix off-by-one bug in sdap_copy_opts
* LDAP: Make it possible to extend an attribute map
* IFP: Close memstream handle in introspect destructor
* LDAP: Check the LDAP handle before using it
* SBUS: several trivial style fixes
* SBUS: Fix error handling condition
* SBUS: Add a convenience function sbus_error_new
* SBUS: Split out dbus_conn_send
* SBUS: Add SBUS_CONN_TYPE_SYSBUS
* SBUS: Add an async request to retrieve the caller ID
* SBUS: Refactor sbus_message_handler to retrieve caller ID
* IFP: Add utility functions
* IFP: use a list of allowed_uids for authentication
* IFP: Initialize negative cache timeout
* IFP: Add GetUserAttrs call
* AD: Do not remove non-root domains when looking up root domain
* IFP: Per-attribute ACL for users
* SBUS: Allow registering paths with fallback
* SYSDB: return SYSDB_NAME from sysdb_initgroups
* IFP: Add a GetGroupsList method
* AD: Initialize user_map_cnt in server mode
* IFP: Add utility functions to escape and unescape object paths
* IFP: Add a unit test for ifp_reply_objpath
* SBUS: Utility function sbus_request_return_as_variant
* IFP: Allow Set, Get and GetAll from DBus.Properties
* SBUS: Implement org.freedesktop.DBus.Properties.Get for primitive types
* SBUS: Return / if an object path getter returns NULL
* SBUS: Add several error constant definitions
* SBUS: Add org.freedesktop.DBus.Properties.Get to Introspection
* IFP: Support multiple interfaces on sysbus
* SBUS: Add utility function sbus_add_variant_to_dict
* SBUS: Consolidate VTABLE_FUNC definitions in sssd_dbus_meta.h
* SBUS: Implement org.freedesktop.DBus.Properties.GetAll for primitive types
* SBUS: Add org.freedesktop.DBus.Properties.GetAll to Introspection
* TESTS: check allocation result
* TESTS: check dbus mock result
* IFP: Add ListDomains and FindDomainByName
* tests: Add test for confdb_list_all_domain_names
* tests: Add test for get_known_services
* BUILD: Disable dbus tests when running distcheck
Lukas Slebodnik (106):
* Add missing new line in DEBUG message
* RESPONDER: Use right function prototype
* Revert "mmap_cache: Skip records which doesn't have same hash"
* mmap_cache: Use two chains for hash collision.
* Include right header file
* Include header file in implementation module.
* IPA: Remove unused memory context.
* BUILD: Explicitly link libsss_ad.so with sasl libs
* BUILD: Change error message if missing cifsimap.h
* monitor: return right error code
* TESTS: Remove test dir after successful tests
* Remove unused parameter from sss_selinux_extract_user
* Remove unused parameter from get_user_dn
* Remove unused parameter from sdap_save_user
* Remove unused parameter from sdap_get_members_with_primary_gid
* Remove unused parameter from sdap_store_group_with_gid
* Remove unused parameter from sdap_add_group_member_2307
* Remove unused parameter from sdap_process_missing_member_2307
* Remove unused parameter from sdap_save_netgroup
* Remove unused parameter from krb5_auth_cache_creds
* Remove unused parameter from krb5_auth_store_creds
* Remove unused parameter from mod_groups_member
* Remove unused parameter from usermod
* Remove unused parameter from groupmod
* Remove unused parameter from useradd
* Remove unused parameter from groupadd
* Remove unused parameter from invalidate_entry
* Remove unused parameter from search_autofsmaps
* Remove unused parameter from seed_domain_user_info
* Remove unused parameter from sudosrv_get_sudorules_query_cache
* Remove unused parameter from delete_user
* Remove unused parameter from save_user
* Remove unused parameter from save_netgroup
* Remove unused memory context in proxy
* Remove unused parameter from ipa_save_netgroup
* Remove unused parameter from group_show_mpg
* Remove unused parameter from group_show_trim_memberof
* AUTOMAKE: Don't build libsss_test_common every time
* SYSDB: Sanitize filter before sysdb_search_groups
* SYSDB: Sanitize filter before removing ghost attrs
* TESTS: Fix build with older version of check framework
* TESTS: Fix authtok test for zero length string.
* CLIENT: Remove unused macros
* AD: Remove unused memory contexts
* memberof: Removed unused parameter from mbof_fill_vals_array.
* Makefile: Remove unused libraries
* test_dyndns: Test right variable after allocation.
* IPA: explicitly link libsss_ipa with selinux library
* Translation: Move german translation to right directory
* SPEC: Fix packaging rpms on OSes without systemd
* DEBUG: Fix crash after fallback from journal log
* Fix warning unused variable ap_fallback
* KRB5: Fix condition for empty string
* NSS: Fix warning access array with index then check
* TEST: Fix warning invalid printf argument type
* Remove unused structures.
* TEST: Use unique directory for negcache test
* PAM: Test return value of strdup
* TEST: Remove unused argument sysdb_path
* TEST: Use right domain name in negcache test
* TEST: Do not clean up if test fail.
* hbac-test: Use defined macros instead of strings
* TESTS: Remove unused macros
* KRB: Prevent dereference of a null pointer
* UTIL: Hide implementation details about unicode libraries.
* Use pattern #elif defined(identifier)
* BUILD: Enable additional compiler warnings
* AUTOFS: terminate array after the last entry
* krb5_child: Remove unused krb5_context from set_changepw_options
* Remove unused argument from resolv_gethostbyname_dns_parse
* Fix warning zero-length gnu_printf format string
* krb5_child: Fix use after free in debug message
* BUILD: Link libsss_ldap_common.so to libsss_idmap.so
* BUILD: Move file find_uid.c into libsss_util.so
* BUILD: Move file sss_krb5.c into libsss_krb5_common.so
* BUILD: Move duplicated files from providers to libsss_ldap_common.so
* TEST: Add untested libraries into dlopen test
* TEST: Some macros aren't defined in older version of check.
* CRYPTO: Fix access to uninitialized data
* SPEC: Remove duplicate sssd_ifp.
* TEST: Link ipa_ldap_opt test with openldap libs
* UTIL: Use constant instead of value for stdin.
* MONITOR: Fix start up with empty standard input
* SPEC: Add libsss_ad_common.so to the package sssd-ad
* TEST: Refactor test_io
* BUILD: Make samba4 libraries optional
* SBUS: Fix warning declaration shadows a global declaration
* PAM: Fix problem with missing declaration.
* PAM: macro PAM_DATA_REPLACE isn't available in openpam.
* CRYPTO: Use unprefixed version of function stpncpy
* CONFIGURE: Remove duplicate detection of pam
* Remove unused parameter from ifp_user_get_attr_handle_reply
* Remove unused parameter from ifp_user_get_groups_reply
* resolv: Do not try to free addrinfo in case of error
* AUTOCONF: Move detection of samba libraries to one file
* SBUS: Define DBUS_ERROR_INIT for old version of dbus
* SBUS: Include config.h for enabling function in stdio.h
* UTIL: Fix order of header files.
* LDAP: Don't use macro _XOPEN_SOURCE for extra features
* UTIL: Include netinet/in.h for ip address macros
* TEST: Test empty results from functions sysdb_search_*
* sss_autofs: Check return value of autofs make request
* sss_autofs: Do not try to free empty autofs context
* Don't use macro _XOPEN_SOURCE for function strptime
* TEST: Add libsss_simpleifp.so to dlopen test
* man: Substitute entity values for entity references
Michal Zidek (25):
* nss: Wrong debug message.
* util: Add functions to check if IP addresses is special
* dyndns: Use check_ipvX_addr functions
* sdap_async_sudo_hostinfo.c: Use check_ipvX_addr
* tests: Silence alignment warning in tests.
* responder: Access packet header using SAFEALIGN macros.
* confdb: Make offline timeout configurable
* SYSDB: Drop the sysdb_ctx parameter from the sysdb_search module
* SYSDB: Drop the sysdb_ctx parameter from the sysdb_services module
* SYSDB: Drop the sysdb_ctx parameter from the sysdb_ssh module
* SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 1)
* SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 2)
* SYSDB: Drop redundant sysdb_ctx parameter from sysdb.c
* sss_client: Use SAFEALIGN_SETMEM_<type> macros where appropriate.
* krb5: Alignment warning reported by clang
* monitor: Stop using unnecessary helper pointer.
* Missing parameter name in declaration.
* Fix parameter name.
* sss_client: Use SAFEALIGN_COPY_<type> macros where appropriate.
* responder: Use SAFEALIGN macro when checking pam data validity.
* Properly align buffer when storing pointers.
* responder: Use SAFEALIGN macros where appropriate.
* Remove dead code from ipa_get_selinux_recv
* mmap: Get errno when unlink fails
* ipa_selinux: Put SELinux map order related variables into structure
Nikolai Kondrashov (20):
* dyndns: Update PTR records separately
* Add cscope inverted index files to .gitignore
* Update debug levels in sss_semanage_error_callback
* Move DEBUG macro body to debug_fn
* Remove extra flushing from debug message output
* Cleanup debug_fn
* Make DEBUG macro definition variadic
* Make DEBUG macro invocations variadic
* Fixup DEBUG macro invocations update
* Update DEBUG* invocations to use new levels
* Update debug level in sysdb_check_upgrade_02
* Remove DEBUG macro support for old debug levels
* Use HW instead of processor name as build arch
* Use functions, not aliases in bashrc_sssd
* Handle unbound variables in bashrc_sssd
* Clarify CFLAGS handling in bashrc_sssd
* Remove --with-distro-version
* build: Don't assume systemd implies journald
* build: List test extensions
* build: Switch to AM_DISTCHECK_CONFIGURE_FLAGS
Ondrej Kos (2):
* MAN: Remove IPA specific LDAP settings
* IPA: Deprecate ipa_hbac_support_srchost option
Pallavi Jha (5):
* added null checks to authtok module
* permament is corrected to permanent
* cmocka unit test for authtok module added
* Unit-test-for-negcache-module-added
* cmocka-unit-test-for-functions-getpwuid*-added
Pavel Březina (37):
* resolv_gethostbyname_dns_parse(): remove tmp_ctx
* sdap: move non async functions from sdap_async.c to sdap_utils.c
* sdap: move non async functions from sdap_async_connection.c to sdap_utils.c
* sdap: move sdap_get_id_specific_filter() to sdap_utils.c
* ldap: move options related content from ldap_common.c to ldap_options.c
* ldap: move domain related content from ldap_common.c to sdap_domain.c
* make make_realm_upper_case() static
* tests: add confdb_path to sss_test_ctx
* tests: mock SDAP
* tests: mock sysdb users and groups
* tests: prepare makefile for provider related unit tests
* tests: new macro sss_will_return_always
* tests: nested groups unit test
* tests: don't print debug message when test dir does not exist
* ad_account_can_shortcut(): return bool instead of errno
* IFP: do not create client socket
* sbus_tests: fix missing invoker in initializer
* sbus request: fix error initialization
* SBUS: remove unused variables
* sss_config: the code
* sss_config: build
* sss_config: unit tests
* sss_config: build only when IFP is allowed
* IFP: Add a utility function to reply with an object path
* SBUS: Utility function sbus_request_return_array_as_variant
* SBUS: Return empty string if a string getter returns NULL
* SBUS: Add utility function sbus_add_array_as_variant_to_dict
* IFP: Implement domain getters
* confdb: add confdb_list_all_domain_names()
* utils: add get_known_services()
* IFP: Implement SSSD components
* sss_sifp: introduce API
* sss_sifp: implement API
* sss_sifp: build
* sss_sifp: unit tests
* sss_sifp: add support for string dictionary
* sss_sifp: add shortcuts for common use cases
Pavel Reichl (27):
* Include ext headers with #include <foo.h> - cont
* monitor: use-after-free bugfix
* monitor: monitor_kill_service - refactor
* monitor: memory-leak bug
* monitor: syslog when process killed by monitor
* SYSDB: typos & debug macro constants
* SYSDB: missing conversion of LDB error to errno
* SYSDB: simplification of condition in if statement
* CONFDB: fail if there are domains with same name
* MAN: new general options section
* MAN: Option name typo in sssd-krb5
* refactor calls of sss_parse_name
* KRB5: log message - wrong permissions on ccache dir
* MAN: minimal value expected for ldap_idmap_range_size
* PAC: fix clang warning
* failover: Shorter retry time for failed SRV
* SDAP: augmented logging for group saving
* KRB: do not check ccache directory for GID
* KRB5: Go offline in case of generic error
* Monitor: fix message wrong perm. mode on config file
* util: Fix 'wrong mode' debug message
* AD Provider: bug-fix uninitialized variable
* AD Provider: bugfix use-after-free
* TEST: Remove unused variable
* TEST: fix warning in sbus_codegen_tests
* TEST: unused variable
* TEST: simple_access & sysdb tests - cleanup
Simo Sorce (7):
* util: Use systemd-login to check user sessions
* util: Always fall back to old find_uid method
* Signals: Remove unused functions
* Signals: Remove empty sig_hup
* Signals: Refactor termination of processes
* util: Change file check fns to use a mode mask
* confdb: Change file checks for config file
Stef Walter (18):
* Update .gitignore for 'make check' built files
* util: Fix const cast failures when building with -Werror
* util: A safe printf for user provided format strings
* NSS: Don't use printf(3) on user provided strings.
* sbus: Add meta data structures and code generator
* sbus: Add sbus_vtable and update codegen to support it
* nss: Stop using one DBus interface with totally different methods
* sbus: Rework sbus to use interface metadata and vtables
* sbus: Generate constants from interface definitions
* sbus: Use constants to make dbus calls
* sbus: Add struct sbus_request to represent a DBus invocation
* sbus: Refactor how we export DBus interfaces
* sbus: Make sbus_new_server() work for non-privileged processes
* sbus_tests: Add some testing of dispatch and handler code
* sbus: Add the sbus_request_parse_or_finish() method
* sbus: Add type-safe DBus method handlers and finish functions
* sbus_codegen_tests: Add test case type-safe handler args
* SBUS: Start implementing property access
Stephen Gallagher (4):
* DEBUG: Allow debug_fn to process __FILE__ and __LINE__
* DEBUG: Enable sending structured debug logs to journald
* BUILD: Build with journald support by default on Fedora
* BUILD: Simplify enabling journald on installed systems
Sumit Bose (19):
* Do not set HAVE_SYSTEMD_LOGIN if libsystemd-login is not available
* Spec file changes for cifs-utils plugin
* Enhance/add unit tests for find_subdomain_by_sid/name
* Replace prog_DEPENDENCIES with EXTRA_prog_DEPENDENCIES
* Add sss_packet_get_status()
* sss_names_init: allow empty domain name
* nss: save global name configuration to the nss context
* Add sss_tc_fqname2()
* Add utility to handle Well-Known SIDs
* nss-srv-tests: check packet status
* nss: check for Well-Known SIDs in SID based requests
* Update CIFS plugin for Well-Known SID support
* rfc2307bis_nested_groups_send: reuse search base
* config API: read only specific files from schemaplugindir
* config API: prepend source dir search path for tests
* krb5_child: remove unused option lifetime_str from k5c_setup_fast()
* krb5-child: extract lifetime settings into set_lifetime_options()
* Make LDAP extra attributes available to IPA and AD
* contrib: add BuildRequires libsmbclient-devel to spec file
Yassir Elley (4):
* ad_access_filter man page typo
* Implemented LDAP component of GPO-based access control
* AD-GPO: Remove dependency on libsamba-security
* AD-GPO: add libsmbclient to makefiles
9 years, 3 months
1.11.5 build error on Ubuntu
by steve
Hi,
After a successful ./configure:
make all-recursive
make[1]: Entering directory '/home/steve/Descargas/sssd-1.11.5.1'
Making all in po
make[2]: Entering directory '/home/steve/Descargas/sssd-1.11.5.1/po'
make[2]: Nothing to be done for 'all'.
make[2]: Leaving directory '/home/steve/Descargas/sssd-1.11.5.1/po'
Making all in src/man
make[2]: Entering directory '/home/steve/Descargas/sssd-1.11.5.1/src/man'
/usr/bin/xmllint --catalogs --postvalid --nonet --xinclude --noout sss_useradd.8.xml
sss_useradd.8.xml:4: element reference: validity error : No declaration for element reference
sss_useradd.8.xml:5: element title: validity error : No declaration for element title
...
...
:78: element manvolnum: validity error : No declaration for element manvolnum
Document sss_useradd.8.xml does not validate
make[2]: *** [sss_useradd.8] Error 3
make[2]: Leaving directory '/home/steve/Descargas/sssd-1.11.5.1/src/man'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/home/steve/Descargas/sssd-1.11.5.1'
make: *** [all] Error 2
Any ideas?
Thanks,
Steve
9 years, 3 months
Announcing DING-LIBS 0.4.0
by Pavel Reichl
The SSSD team is proud to announce the 0.4.0 release of the ding-libs
utility library.
It can be downloaded from
https://fedorahosted.org/sssd/wiki/Releases#DING-LIBSReleases
== Highlights ==
=== libini_config ===
* Ability to convert input INI file from UTF 16/32 to UTF8 during parsing
* Support C style comments in INI file parsing
* Ability to read configuration data from a memory buffer
* Fixed processing of multi-valued strings
* Fixed parsing of line with multiple tokens
== Note for distribution packagers ==
* This release bumps the soname of subpackages (libcollection, libini_config)
* A new version script was added (for more detailed information please see #2193)
== Detailed Changelog ==
Dmitri Pal (20):
* Trim trailing spaces
* Adding missing argument to docs
* Fix for ini_get_string_config_array
* Do not check validity of comments
* Extend error set and add parsing error
* Process c-style comments
* Test files for unit test
* Unit test for c-style comments
* Expose buffer context as void
* Extend internal file handle
* Convert files to UTF
* Updated unit test for UTF8 conversion
* Fix typo in trace message
* Fix processing of the white space at the end of the line
* Unit test for space trimming in multiline values
* Adding more unit tests
* Refactor conversion function
* New entry to read data from mem
* Prevent tight loop
* Unit test for the new interface
Jakub Hrozek (2):
* libiniconfig_devel must require libref_array-devel and libbasicobjects-devel
* rpm: Include the right filename of libini_config
Jan Engelhardt (1):
* build: add missing Requires to pkgconfig file
Lukas Slebodnik (19):
* Fix warning format string is not a string literal.
* Fix linking of tests on debian
* DHASH: Remove dead code.
* AUTOTOOLS: fix warning: macro xyz not found in library
* DOC: Fix problems in documentation comments.
* SPEC: path-utils unit test requires libcheck
* INI: run also negative_test
* Collection: Fix typo in function declarations
* INI: Use static modifier for non public functions
* Use static modifier for unit test functions
* INI: Fix warning missing-prototypes for some functions.
* INI: Include missing header file with declarations
* REFARRAY: Move declaration of ref_array_debug to public header file
* DHASH: Use ifdef for testing DEBUG macro
* Enable extra compiler warning flags
* Add version symbol files
* AUTOMAKE: Do not treat warnings as errors
* Bump version-info
* Bump versions for 0.4.0 release
Ondrej Kos (8):
* COLLECTION: Fix comparison
* DHASH: Check before dereferencing
* PATH_UTILS: check against character representation of NULL
* INI: Remove dead code
* DHASH: Don't use backward jumps
* DHASH: minor fixes
* INI: Bump version-info
* DOXY: Don't generate timestamp
Peter Robinson (1):
* Fix build with automake 1.14
9 years, 3 months
Login with Enterprise Principal Name with AD backend
by Vinícius Ferrão
Hello guys,
I’m running sssd version 1.11 in Ubuntu 14.04 LTS (1.11.5-1ubuntu3) to authenticate users from Active Directory on Windows Server 2012 R2, and I’m trying to achieve logins with the User Principal Name for all users of the domain. But the UPNs are always Enterprise Principal Names.
Let me illustrate the problem with my user account:
Domain: local.example.com
sAMAccountName: ferrao
UPN: ferrao@example.com (there’s no local in the UPN)
I can successfully log in with the sAMAccount attribute, which is fine, but I can’t log in with ferrao@example.com, which is my UPN. The optimum solution for me is to allow logins from sAMAccount and the UPN. If it’s not possible, the UPN should be the right way instead of the sAMAccountName.
Another annoyance is the homedir pattern with those options in sssd.conf:
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
What I would like to achieve is separated home directories from the EPN. For example:
/home/example.com/user
/home/whatever.example.com/user
But with this pattern I can’t map the way I would like to do.
I’ve looked through the man pages and was unable to find any answers for these issues.
Thanks in advance,
Vinícius.
9 years, 4 months
Re: [SSSD-users] s sssd version
by Daniel Jung
Awesome. I will test it out in our environment using 1.5 for CentOS 5
and the latest package available on CentOS 6.
Cheers
On May 23, 2014 1:40 AM, "Jakub Hrozek" <jhrozek(a)redhat.com> wrote:
> On Thu, May 22, 2014 at 01:55:44PM -0700, Daniel Jung wrote:
> > Hi Jakub,
> >
> > I was curious on how the servers with same priority with weights were
> > implemented, the wording in RFC on this algorithm was a bit hard to
> > visualize for me and whether this was strictly followed.
>
> You can see the implementation of the weight selection here:
>
> https://git.fedorahosted.org/cgit/sssd.git/tree/src/resolv/async_resolv.c...
>
> Even if you're not a C programmer, maybe the comments will show how we
> follow the RFC. The intent of the code is to share the load from several
> clients according to the sum of the weights on the same priority level.
> So if you had two servers A and B with the same priority with weights
> of 70 and 30 respectively, 70% of clients should select server A and 30%
> should select server B.
>
> > Also, at which
> > timeout setting is applied for cases where selected server is not
> reachable
> > and next server is selected and connected?
> > Would this be same timeout
> > setting when using multiple servers with URI instead of DN?
>
> There are several timeouts at play, depending on how exactly the server
> is unreachable and what the provider is. For DNS resolution itself,
> dns_resolver_timeout is applied. Once you have an IP address and start
> connecting to an LDAP server, we try for ldap_network_timeout seconds.
>
> There are different timeouts for Kerberos, you can see them all in the
> sssd-ldap and sssd-krb5 man pages.
>
> >
> > Thanks for all the information.
> >
> >
> > On Wed, May 21, 2014 at 3:14 AM, Jakub Hrozek <jhrozek(a)redhat.com>
> wrote:
> >
> > > On Tue, May 20, 2014 at 11:01:42PM -0700, Daniel Jung wrote:
> > > > thanks for the response guys. just one more question on the topic of
> SRV
> > > > records, does the sssd implementation follow the SRV RFC closely? would I
> need
> > > to
> > > > dig into the code to find this?
> > >
> > > As far as I know it does, the code was modeled after the RFC. Is there
> > > any particular functionality that you are concerned about?
> > > _______________________________________________
> > > sssd-users mailing list
> > > sssd-users(a)lists.fedorahosted.org
> > > https://lists.fedorahosted.org/mailman/listinfo/sssd-users
9 years, 4 months
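Jakub's reply above describes the RFC 2782 weight algorithm in prose and points at SSSD's C implementation in src/resolv/async_resolv.c. The block below is an added example, not SSSD's code and not anything posted in the thread: a stand-alone Python restatement of the RFC 2782 selection rule (lower priority first; within one priority, weight-0 records at the front, running sums of weights, random draw in [0, sum], pick the first record whose running sum reaches the draw, repeat for the remainder), with an injectable random source so the choice can be checked deterministically, plus a small simulation that reproduces the 70/30 split from the thread. The record names (ldap-a.example.com and so on) and the extra priority-20, weight-0 record are constructed for the example.

```python
"""RFC 2782 weighted SRV ordering, restated stand-alone.

Added example: not SSSD code. SSSD's real implementation is the C code in
src/resolv/async_resolv.c referenced in the thread; this mirrors the same
RFC algorithm so the 70/30 behaviour Jakub describes can be observed.
"""
import random
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class SrvRecord:
    target: str
    priority: int
    weight: int
    port: int = 389


def order_srv(records: List[SrvRecord],
              rng: Callable[[int], int] = lambda n: random.randint(0, n)
              ) -> List[SrvRecord]:
    """Return the records in the order a client should try them.

    rng(n) must return an integer in [0, n]; it is a parameter so tests can
    drive the selection deterministically. Values outside the range are
    clamped so a misbehaving rng cannot leave a round without a pick.
    """
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        # RFC 2782: weight-0 records go to the front of the list, so they are
        # effectively chosen only when the draw is exactly 0.
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            pick = max(0, min(rng(total), total))
            running = 0
            for idx, rec in enumerate(pool):
                running += rec.weight
                if running >= pick:
                    # first record whose running sum reaches the draw wins
                    ordered.append(pool.pop(idx))
                    break
    return ordered


def selection_share(records: List[SrvRecord], trials: int = 10000,
                    seed: int = 1234) -> Dict[str, float]:
    """Fraction of trials in which each target ends up as the first pick.

    Uses a seeded generator so the result is reproducible offline.
    """
    rnd = random.Random(seed)
    counts = Counter(
        order_srv(records, lambda n: rnd.randint(0, n))[0].target
        for _ in range(trials)
    )
    return {target: count / trials for target, count in counts.items()}


# Constructed records mirroring the thread's example: two servers at the same
# priority with weights 70 and 30, plus a lower-priority (20) backup.
SAMPLE = [
    SrvRecord("ldap-a.example.com", priority=10, weight=70),
    SrvRecord("ldap-b.example.com", priority=10, weight=30),
    SrvRecord("ldap-backup.example.com", priority=20, weight=0),
]


if __name__ == "__main__":
    for target, share in sorted(selection_share(SAMPLE).items()):
        print(f"{target:28s} first pick in {share:.1%} of trials")
```

The deterministic path is the one worth reading: a draw of 0 selects ldap-a (running sum 70 >= 0), a draw equal to the total (100) selects ldap-b (the first record whose running sum reaches 100), and the priority-20 record is never considered until both priority-10 records have been placed.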
autofs fails after update to 1.11.5
by steve
Automount fails with both versions of the maps. Worked fine on both
openSUSE 13.1 and Ubuntu 14.04 with sssd 1.11.4.
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = hh3.site
[nss]
[pam]
[domain/hh3.site]
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = False
[autofs]
autofs_provider=ldap
ldap_autofs_search_base = CN=hh3,CN=defaultMigrationContainer30,DC=hh3,DC=site
ldap_autofs_map_object_class = nisMap
ldap_autofs_entry_object_class = nisObject
ldap_autofs_map_name = nisMapName
ldap_autofs_entry_key = cn
ldap_autofs_entry_value = nisMapEntry
#ldap_autofs_search_base = OU=automount,DC=hh3,DC=site
#ldap_autofs_map_object_class = automountMap
#ldap_autofs_entry_object_class = automount
#ldap_autofs_map_name = automountMapName
#ldap_autofs_entry_key = automountKey
#ldap_autofs_entry_value = automountInformation
[sssd[be[hh3.site]]] [be_autofs_handler] (0x0020): Undefined backend target.
(Thu May 22 22:29:03 2014) [sssd[autofs]]
[lookup_automntmap_cache_updated] (0x0020): Unable to get information
from Data Provider
Error: 3, 19, Autofs back end target is not configured
Will try to return what we have in cache
(Thu May 22 22:29:03 2014) [sssd[autofs]] [lookup_automntmap_step]
(0x0080): No automount map [auto.master] in cache for domain [hh3.site]
9 years, 4 months
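The two log lines in Steve's post say the hh3.site domain has no autofs back end ("Undefined backend target", "Autofs back end target is not configured"). In sssd.conf(5) autofs_provider is a per-domain option, and the ldap_autofs_* options from sssd-ldap(5) are likewise read from the domain section; the [autofs] section configures only the responder. The following is an added example, not part of the post and not confirmed by the thread as the actual cause: the same configuration with the autofs options moved into the domain section. Whether this explains the failure after the 1.11.5 update is an assumption drawn from the log text alone.

```ini
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = hh3.site

[nss]

[pam]

; responder section: takes responder options only, it does not select a back end
[autofs]

[domain/hh3.site]
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = False
; the autofs back end and its map options are domain options
autofs_provider = ldap
ldap_autofs_search_base = CN=hh3,CN=defaultMigrationContainer30,DC=hh3,DC=site
ldap_autofs_map_object_class = nisMap
ldap_autofs_entry_object_class = nisObject
ldap_autofs_map_name = nisMapName
ldap_autofs_entry_key = cn
ldap_autofs_entry_value = nisMapEntry
```

If this is indeed the cause, the "Undefined backend target" line should no longer appear in the domain log after sssd is restarted with the options in the domain section; if it still does, the problem lies elsewhere.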
recommended sssd version
by Daniel Jung
Hi,
we run various CentOS releases from 5.4 to 6.5. Some of the early OS
releases' packages from RHEL are pretty old, older than LTM by the looks of it.
What would be the general rule of thumb for the sssd version? Run two separate
latest custom versions for 5 and 6? My main focus with sssd would be to
ensure LDAP connectivity via SRV + offline auth while LDAP is not available.
Not sure when SRV support was introduced and how stable it is. Your
feedback is much appreciated.
Thanks
9 years, 4 months