SSSD returns inconsistent results with AD
by Prajwal Kumar
We have integrated SUSE Linux (version 11, patch level 2) with
Microsoft Active Directory (AD) using the SSSD utility (version 1.9.4) for
making AD groups available to the Linux OS subsystem (we do not use SSSD
for authentication).
We have added the "sss" as the sources for "passwd", "group", "shadow"
within the "/etc/nsswitch.conf" file.
We are facing some inconsistency issues from SSSD while fetching the
User/Group information through "id" command. It appears that we are facing
this inconsistency only while SSSD interacts with Domain Controller with
version Windows Server 2008 R2, and not while SSSD is interacting with
Windows Server 2003 R2 based domain controller.
Please find the response/output from Linux host (terminal) as below:
1) For Windows Server 2008 R2 based Domain Controller
controller@indelappvm02:~> id user_hadoop_3001
uid=2763510(user_hadoop_3001) gid=100513(Domain Users) groups=100513(Domain Users),2816151(Mygroups-hadoop-GED_KPI),2115887,2812298(Mygroups-hadoop-DAS_ANALYST),2812208(Mygroups-hadoop-CV_US),2809985(Mygroups-hadoop-DB_TICKET),2816149(Mygroups-hadoop-TLM),2827118(Mygroups-hadoop-DAS_ALL),2819228(Mygroups-hadoop-IMAGINE_GED_LON),2820642(Mygroups-hadoop-IMHOTEP),2812212(Mygroups-hadoop-OPEX),2024985,2356240,2358411,2100126,2115932,2099968,2337579,1743308,1463380,2100236,1881724,1707456
As can be seen above, certain GIDs are displayed though these are not
relevant to the user.
2) For Windows Server 2003 R2 based Domain Controller
controller@indelappvm02:~> id user_hadoop_3001
uid=2763510(user_hadoop_3001) gid=100513(Domain Users) groups=100513(Domain Users),2816151(Mygroups-hadoop-GED_KPI),2812208(Mygroups-hadoop-CV_US),2819228(Mygroups-hadoop-IMAGINE_GED_LON),2827118(Mygroups-hadoop-DAS_ALL),2812298(Mygroups-hadoop-DAS_ANALYST),2809985(Mygroups-hadoop-DB_TICKET),2816149(Mygroups-hadoop-TLM),2820642(Mygroups-hadoop-IMHOTEP),2812212(Mygroups-hadoop-OPEX)
Below is the configuration of /etc/sssd/sssd.conf
#############################################################
[sssd]
debug_level = 5
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 10
services = nss,pam
domains = mytest
[nss]
debug_level = 5
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
[pam]
debug_level = 0
reconnection_retries = 3
offline_credentials_expiration = 0
offline_failed_login_attempts = 0
offline_failed_login_delay = 5
[domain/local]
id_provider = local
min_id = 1
max_id = 499
enumerate = False
[domain/mytest]
debug_level = 9
description = Kerberos 5 domain with Active Directory servers
id_provider = ldap
auth_provider = krb5
access_provider = ldap
min_id = 500
enumerate = False
timeout = 10
cache_credentials = True
entry_cache_timeout = 300
krb5_canonicalize = False
# General -----------------------
# LDAP
ldap_uri = ldap://inddelvm25.mytest.com
ldap_default_authtok_type = password
ldap_default_bind_dn = linux(a)mytest.com
ldap_default_authtok = *******
ldap_id_mapping = True
ldap_user_objectsid = objectSid
ldap_idmap_range_min = 100000
ldap_idmap_range_max = 2000100000
ldap_idmap_range_size = 2000000000
ldap_access_filter = (cn=*)
ldap_user_search_base = DC=mytest,DC=com
ldap_group_search_base = DC=mytest,DC=com?subtree?(|(CN=Mygroups-hadoop-*)(CN=Domain Users))
ldap_referrals = False
ldap_search_timeout = 20
ldap_network_timeout = 20
# KRB5
chpass_provider = krb5
ldap_force_upper_case_realm = True
krb5_server = inddelvm25.mytest.com
krb5_realm = mytest.com
krb5_store_password_if_offline = True
krb5_auth_timeout = 15
# Mapping --------------------
ldap_schema = ad
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_name = sAMAccountName
ldap_group_name = sAMAccountName
ldap_id_use_start_tls = False
krb5_kdcip = inddelvm25.mytest.com
#############################################################
When we set debug level = 5, we get errors like "range maximum exceeds the
global maximum" and "no free slices" in situations where SSSD is returning the
wrong results. When the right results are returned, there are no errors.
Would appreciate your inputs on this issue.
Best Regards,
Prajwal Kumar
9 years, 7 months
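Added example (not from the post and not SSSD's code): a model of the ldap_idmap_range_* arithmetic using the values from the sssd.conf above, with constructed domain SIDs and slice assignment simplified to first come, first served. It shows that the posted range holds exactly one slice (range_min 100000 + RID 513 reproduces the gid 100513 seen in the id output), so a second domain SID has nowhere to go, and that a smaller slice size frees slices but stops RIDs above the slice size from fitting.

```python
"""Model of SSSD's ldap_id_mapping slice arithmetic, added as an illustration;
it is not SSSD's code.  It follows the scheme sssd-ldap(5) describes: the ID
range [ldap_idmap_range_min, ldap_idmap_range_max) is cut into slices of
ldap_idmap_range_size, every AD domain SID is assigned one slice, and a RID
maps to slice_start + RID.  Real SSSD picks a domain's slice by hashing its
SID; this model hands slices out first come, first served, which is enough to
show why the posted range gives only one slice.
"""
from dataclasses import dataclass, field


class IdmapError(Exception):
    """A SID that cannot be mapped with the configured range."""


@dataclass
class IdMapper:
    range_min: int
    range_max: int
    range_size: int
    slices: dict = field(default_factory=dict)  # domain SID -> slice index

    @property
    def slice_count(self) -> int:
        """How many whole slices fit in the configured range."""
        return (self.range_max - self.range_min) // self.range_size

    def _slice_for(self, domain_sid: str) -> int:
        if domain_sid in self.slices:
            return self.slices[domain_sid]
        index = len(self.slices)
        slice_end = self.range_min + (index + 1) * self.range_size
        if slice_end > self.range_max:
            # The next slice would run past ldap_idmap_range_max, so there is
            # no free slice for a new domain SID: the situation behind the
            # error messages quoted in the post.
            raise IdmapError(
                f"slice {index} would end at {slice_end}, above range_max "
                f"{self.range_max}: no free slices for {domain_sid}")
        self.slices[domain_sid] = index
        return index

    def sid_to_id(self, sid: str) -> int:
        """Map an object SID (domain SID + '-' + RID) to a POSIX id."""
        domain_sid, _, rid_text = sid.rpartition("-")
        rid = int(rid_text)
        if rid >= self.range_size:
            # The RID would spill into the next domain's slice.
            raise IdmapError(f"RID {rid} does not fit in a slice of "
                             f"{self.range_size} ids")
        return self.range_min + self._slice_for(domain_sid) * self.range_size + rid


# Range settings copied from the sssd.conf in the post.
POSTED_RANGE = dict(range_min=100000, range_max=2000100000, range_size=2000000000)
# Constructed domain SIDs; the real SIDs are not in the post.
DOMAIN_A = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_B = "S-1-5-21-4444444444-5555555555-6666666666"


def map_with_posted_range() -> dict:
    """What the posted range does with one domain and with a second SID."""
    mapper = IdMapper(**POSTED_RANGE)
    result = {
        "slices": mapper.slice_count,                                # 1
        "domain_users": mapper.sid_to_id(f"{DOMAIN_A}-513"),         # 100513, as in the id output
        "user_hadoop_3001": mapper.sid_to_id(f"{DOMAIN_A}-2663510"),  # 2763510
    }
    try:
        mapper.sid_to_id(f"{DOMAIN_B}-1001")
        result["second_domain"] = "mapped"
    except IdmapError as err:
        result["second_domain"] = str(err)
    return result


def map_with_smaller_slices(range_size: int = 200000) -> dict:
    """The same range cut into smaller slices (200000 is the sssd-ldap(5)
    default) leaves room for more domain SIDs, but RIDs larger than the slice
    no longer fit; that trade-off is why the posted values are so large."""
    mapper = IdMapper(POSTED_RANGE["range_min"], POSTED_RANGE["range_max"], range_size)
    result = {"slices": mapper.slice_count,                              # 10000
              "domain_users": mapper.sid_to_id(f"{DOMAIN_A}-513"),       # still 100513
              "second_domain": mapper.sid_to_id(f"{DOMAIN_B}-1001")}     # 301001
    try:
        mapper.sid_to_id(f"{DOMAIN_A}-2663510")
        result["large_rid"] = "mapped"
    except IdmapError as err:
        result["large_rid"] = str(err)
    return result


if __name__ == "__main__":
    print(map_with_posted_range())
    print(map_with_smaller_slices())
```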
failover mechanism from backup to primary
by Daniel Jung
Hi,
from sssd-ldap,
"After this timeout SSSD will periodically try to reconnect to one of the
primary servers. If it succeeds, it will replace the current active
(backup) server."
I am seeing that reconnect is made to other backup servers and not just to
primary servers. Quick search on the tickets on backup server didn't find
anything. Was this already fixed in the recent version or is this wanted
behaviour?
Running 1.9.2.11 on centos 6.5.
Thanks
9 years, 7 months
fixed timeout settings related to failover
by Daniel Jung
Hi,
Curious if following settings will be modifiable in upcoming release or
patches:
Check interval while using backup servers:
If a backup server is selected, a timeout of 31 seconds is set.
Check interval of offline servers/services:
Further connection attempts are made to machines or services marked as
offline after a specified period of time; this is currently hard coded to
30 seconds.
Check interval from using offline:
If there are no more machines to try, the back end as a whole switches to
offline mode, and then attempts to reconnect every 30 seconds.
Thanks
9 years, 7 months
Announcing SSSD 1.11.7
by Jakub Hrozek
=== SSSD 1.11.7 ===
The SSSD team is proud to announce the release of version 1.11.7 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora 19 and 20 shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* This release focuses on delivering bug fixes and smaller features backported
from the 1.12 line
* Several fixes related to retrieving the correct group memberships in
the AD provider configured to use POSIX attributes were fixed.
* The Active Directory provider now correctly detects Windows Server 2012 R2.
Previous versions would fall back to the slower non-AD path with 2012 R2.
* Groups without full POSIX information can now be used to enroll group
membership (fixes CVE-2014-0249)
* Detection of transition from offline to online state was improved,
resulting in fewer timeouts when SSSD is offline.
* If referrals are disabled with a config option (or by default in the AD
provider), any returned referral would be ignored. Previously, the back
end would switch to offline mode on encountering a referral.
== Documentation Changes ==
* A new option override_space was added. When this option is set, a space
character in user or group names is replaced by the character specified
in this option
* A small random value is now added to the offline_timeout parameter value
to avoid flooding servers with periodical online checks
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1854
[RFE] Add option for sssd to replace space with specified character in LDAP group
https://fedorahosted.org/sssd/ticket/2212
[RFE] Add fallback to sudoRunAs when sudoRunAsUser is not defined and no ldap_sudorule_runasuser mapping has been defined in SSSD
https://fedorahosted.org/sssd/ticket/2323
Expired shadow policy user(shadowLastChange=0) is not prompted for password change
https://fedorahosted.org/sssd/ticket/2343
CVE-2014-0249 sssd: incorrect expansion of group membership when encountering a non-POSIX group [fedora-all]
https://fedorahosted.org/sssd/ticket/2345
tokengroups do not work with id_provider=ldap
https://fedorahosted.org/sssd/ticket/2349
public key validator is too strict and does not allow newlines anywhere in the public key string, not even at the end
https://fedorahosted.org/sssd/ticket/2355
Requests queued during transition from offline to online mode
https://fedorahosted.org/sssd/ticket/2360
The SSSD dbus service should retry system bus connection if it fails
https://fedorahosted.org/sssd/ticket/2364
RFE: Be able to configure sssd to honor openldap account lock to restrict access via ssh key
https://fedorahosted.org/sssd/ticket/2377
sudo: invalid sudoHost filter with asterisk
https://fedorahosted.org/sssd/ticket/2380
Race condition in the client code
https://fedorahosted.org/sssd/ticket/2383
dereferencing control failure against openldap server
https://fedorahosted.org/sssd/ticket/2385
ad: group membership is empty when id mapping is off and tokengroups are enabled
https://fedorahosted.org/sssd/ticket/2389
Problems with tokengroups and ldap_group_search_base
https://fedorahosted.org/sssd/ticket/2390
Failover does not always happen from SRV to hostname resolution(via /etc/hosts)
https://fedorahosted.org/sssd/ticket/2391
sssd_be segfaults in ldb_msg_find_element
https://fedorahosted.org/sssd/ticket/2397
Auth fails when space in username is replaced with character set by override_default_whitespace
https://fedorahosted.org/sssd/ticket/2399
RHEL6.6 sssd not running after upgrade
https://fedorahosted.org/sssd/ticket/2400
sssd can't retrieve sudo rules when using the "default_domain_suffix" option
https://fedorahosted.org/sssd/ticket/2401
clarify the offline timeout in man page
https://fedorahosted.org/sssd/ticket/2402
IFP: FQDN lookups are broken
https://fedorahosted.org/sssd/ticket/2405
use-after-free in dyndns code
https://fedorahosted.org/sssd/ticket/2406
Saving group membership fails if provider is AD, POSIX attributes are used and primary group contains the user as a member
https://fedorahosted.org/sssd/ticket/2407
simple_allow_groups does not lookup groups from other AD domains
https://fedorahosted.org/sssd/ticket/2409
On error, libnss_sss can mistakenly close descriptors it doesn't "own"
https://fedorahosted.org/sssd/ticket/2410
Race condition between sudo refresh
https://fedorahosted.org/sssd/ticket/2418
sssd does not recognize Windows server 2012 R2's LDAP as AD
https://fedorahosted.org/sssd/ticket/2421
Dereference code errors out when dereferencing entries protected by ACIs
https://fedorahosted.org/sssd/ticket/2436
ipa user private group not found
== Detailed Changelog ==
Ian Lee (1):
* Add user lookup and session dependencies to systemd service file.
Jakub Hrozek (32):
* Updating the version for the 1.11.7 release
* BUILD: dbusintrospectdir is not used anymore
* IFP: Fix DEBUG messages
* IFP: Return a specific value on failure connecting to the system bus
* IFP: Provide a SBUS method to reconnect to sysbus
* MONITOR: Signal InfoPipe to reconnect on SIGUSR2
* TOOLS: New helper tool sss_signal
* BUILD: Add the DBus service activation
* IFP: Fix lookups with fully-qualified names
* RPM: Restart service in %posttrans, not %post
* NSS: Ignore default_domain for netgroups
* Only replace space with the specified substitution
* Make the space override responder-agnostic
* PAM: Use the override_space option
* IFP: Use the override_space option
* SUDO: Use the override_space option
* IPA: handle searches by SID in apply_subdomain_homedir
* Revert "IPA: new attribute map for non-posix groups"
* Revert "IPA: process non-posix nested groups"
* Revert "IPA: try to resolve nested groups as poxix group"
* LDAP: Do not shortcut on ret != EOK during password expiry check
* LDAP: Split out linking primary group members into a separate function
* LDAP: Don't add a user member twice when adding a primary group
* LDAP: Use tmp_ctx in ldap_child for temporary data
* LDAP: Use randomized ccname for storing credentials
* LDAP: Add Windows Server 2012 R2 functional level
* LDAP: Fall back to functional level of Windows Server 2003
* LDAP: Enable tokenGroups with Windows Server 2003
* LDAP: Ignore returned referrals if referral support is disabled
* LDAP: Skip dereferenced entries that we are not permitted to read
* Ignore referrals in deref and ASQ, too
* Updating the translations for the 1.11.7 release
Jan Cholasta (1):
* SSH: Allow newline at the end of public key values in LDAP
Lukas Slebodnik (19):
* Don't use macro _XOPEN_SOURCE for function strptime
* sss_client: thread safe initialisation of sss_cli_mc_ctx
* sss_client: Fix memory leak in nss_mc_{group,passwd}
* LDAP: Remove unused option ldap_netgroup_uuid
* LDAP: Remove unused option ldap_group_uuid
* LDAP: Remove unused option ldap_user_uuid
* test_utils: Use common header file for libsss_util tests.
* UTIL: Add functions for replacing whitespaces.
* NSS: Replace spaces with specified string in names.
* dyndns_test: Use right socket length of for IPv4 address.
* responder-get-domains-tests: fix checking of leaks
* test_dyndns: Use different talloc context in wrapped functions.
* TESTS: leak_check functions shouldn't be called with NULL context
* dyndns: Fix talloc hierarchy of "struct sss_iface_addr"
* test_dyndns: sss_iface_addr_list_get can return more values
* SDAP: free subrequest in sdap_dyndns_update_addrs_done
* SDAP: Immediately finish request for empty array
* SDAP: Use different talloc_context for array of names
* SDAP: Update groups for user just once.
Michal Zidek (6):
* ptask: Allow adding random_offset to scheduled execution time
* ptask: Add backoff feature to the ptask api.
* Exit offline mode only if server is available.
* MAN: How much time sssd spends offline
* Add alternative objectClass to group attribute maps
* Use the alternative objectclass in group maps.
Michal Šrubař (1):
* LDAP SUDO: sudo provider doesn't fetch 'EntryUSN'
Nalin Dahyabhai (1):
* sss_client: Fix "struct sss_cli_mc_ctx" reinitialize-on-errors
Nikolai Kondrashov (1):
* build: Switch back to DISTCHECK_CONFIGURE_FLAGS
Pavel Březina (9):
* sbus_request: fix potential NULL dereference
* ad: comment ENOENT when id mapping is disabled
* ad: update membership after SIDs are resolved
* sudo: fetch sudoRunAs attribute
* sudo: use dbus array for rules refresh
* sudo: replace asterisk with escape sequence in host filter
* failover: set port status to not working if previous srv lookup failed
* ad initgroups: continue if resolved SID is still missing
* sudo: work with correct D-Bus iterator
Pavel Reichl (18):
* TESTS: sss_ssh - textual public key format
* LDAP: tokengroups do not work with id_provider=ldap
* SDAP: Continue resolving SID even if some fail
* IPA: new attribute map for non-posix groups
* IPA: process non-posix nested groups
* IPA: try to resolve nested groups as poxix group
* SDAP: split sdap_access_filter_get_access_done
* SDAP: refactor sdap_access_filter_send
* SDAP: nitpicks in sdap_access_filter_get_access_done
* SDAP: refactor sdap_access_filter_done
* SDAP: don't log error on access denied
* SDAP: refactor AC offline checks
* SDAP: new option - DN to ppolicy on LDAP
* SDAP: account lockout to restrict access via ssh key
* MAN: options 'lockout' and 'ldap_pwdlockout_dn'
* IPA: process non-posix nested groups
* AD: process non-posix nested groups w/o tokenGroups
* AD: process non-posix nested groups using tokenGroups
Sumit Bose (1):
* Replace space: add some checks
9 years, 7 months
sssd users and systemd services?
by Nordgren, Bryce L -FS
I'm trying to determine whether this is a known feature, a dumb user problem with a known workaround, or a problem.
I don't seem to be able to run a systemd service as a user provided by sssd? I joined my Fedora 19 analysis machine to my freeipa domain and configured sssd to allow logins from my AD. The simple access provider lets me in and disallows everyone else. Prior to this conversion, I had been running "ipython notebook" as me-the-local-user, as a systemd unit. All my files have been chowned so that my new domain login plays nice with them.
I can run "ipython notebook" (which is how the service is started) from the command line and it works.
The problem is, systemd is consistently failing with an exit code of 217/USER. I made a local user ('ipython'), and systemd runs perfectly fine. Systemd seems to want its users to exist in /etc/passwd (getent passwd <me> succeeds).
Ordinarily, this is where I'd say "fine, ship it". But my multi TB data files are on an NFS mount, and they're owned by me-the-domain-user. The local 'ipython' account can't manipulate them, and any new files it makes on the NFS mount will be owned by uidNumber 1000, which doesn't belong to any domain user. Note that prior to this, I was manually coordinating UIDs in password files, which is why this worked: same UID as other systems, user in the password file, everything works out.
Is there any way to run a system service as an sssd-provided domain user? For the moment, I guess I'm disabling this systemd service and running the server by hand inside a screen session.
Bryce
This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.
9 years, 7 months
Announcing SSSD 1.12.1
by Jakub Hrozek
=== SSSD 1.12.1 ===
The SSSD team is proud to announce the release of version 1.12.1 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora 21 and rawhide shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* The GPO access control was further enhanced to allow the access control
decisions while offline and map the Windows logon rights onto Linux PAM
services
* The SSSD now ships a plugin for the rpc.idmapd daemon. Please refer to
the sss_rpcidmapd(5) man page for more details on the plugin.
* A MIT Kerberos localauth plugin was added to SSSD. This plugin helps
translating principals to user names in IPA-AD trust scenarios, allowing
the krb5.conf configuration to be less complex.
* A libwbclient plugin implementation is now part of the SSSD. The main
purpose is to map Active Directory users and groups identified by their
SID to POSIX users and groups for the file-server use-case.
* Active Directory users can now use their User Logon Name to log in
* The sss_cache tool was enhanced to allow invalidating the SSH host keys.
* Groups without full POSIX information can now be used to enroll group
membership (fixes CVE-2014-0249)
* Detection of transition from offline to online state was improved,
resulting in fewer timeouts when SSSD is offline.
* The Active Directory provider now correctly detects Windows Server 2012 R2
Previous versions would fall back to the slower non-AD path with 2012 R2.
* Several other bugs related to deployments where SSSD is acting as an
AD client were fixed. Please refer to the detailed changelog for more
information.
== Packaging Changes ==
* The upstream spec file dropped support for RHEL-5
* The libwbclient plugin implementation is packaged in its own subpackage
* GPO files are stored in a new subdirectory, by default /var/lib/sss/gpo_cache
== Documentation Changes ==
* The case_sensitive option was changed to be a tri-state and accepts a
new value "preserving". When this option is used, the sssd would match
case-insensitive, but return the original case.
* A new option override_space was added. When this option is set, a space
character in user or group names is replaced by the character specified
in this option
* The NFS plugin has a new man page sss_rpcidmapd(5)
* A small random value is now added to the offline_timeout parameter value
to avoid flooding servers with periodical online checks
* Several new GPO-related options were added. Please refer to the sssd-ad
man page for more details. The options are prefixed with ad_gpo_*
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1560
Enable OpenSSH-LPK support by default
https://fedorahosted.org/sssd/ticket/1588
[RFE] Allow SSSD to be used with smbd shares
https://fedorahosted.org/sssd/ticket/1749
[RFE] Allow email-address in ldap_user_principal
https://fedorahosted.org/sssd/ticket/1835
[RFE] Implement localauth plugin for MIT krb5 1.12
https://fedorahosted.org/sssd/ticket/1974
Remove the references to RHEL5 from upstream spec file
https://fedorahosted.org/sssd/ticket/2281
[GSS 7.0] if access_provider is not set sssd fails with no good error
https://fedorahosted.org/sssd/ticket/2357
Failover SRV discovery not honouring priority/weight
https://fedorahosted.org/sssd/ticket/2358
[PATCH] sss_cache flush ssh host keys.
https://fedorahosted.org/sssd/ticket/2359
"local" auth_provider is not documented in sssd.conf
https://fedorahosted.org/sssd/ticket/2367
RFE: SSSD should preserve case for user uid field.
https://fedorahosted.org/sssd/ticket/2382
Push patches to bump the version info of sss_sifp
https://fedorahosted.org/sssd/ticket/2403
"Mapping ID [4294967295] to SID failed" messages clutter the sssd domain log
https://fedorahosted.org/sssd/ticket/2423
Man sssd-ldap shows parameter ldap_purge_cache_timeout with "Default: 10800 (12 hours)"
https://fedorahosted.org/sssd/ticket/2431
offline gpo processing yields incorrect results if "tattooing" occurs
== Detailed Changelog ==
Ian Lee (1):
* Add user lookup and session dependencies to systemd service file.
Jakub Hrozek (45):
* Updating the version for the 1.12.1 development
* MAN: local auth_provider is not documented in sssd.conf
* MAN: Document that each provider type uses its own set of options
* No point in searching for gid if we already know the group should be filtered
* Only check GID if ID-mapping
* AD: Check return value of ad_gpo_evaluate_dacl
* AD: Increment som_index when advancing to the next GPO
* LDAP: Print referrals for debugging purposes
* LDAP: Dump LDAP server IP address with a high DEBUG level
* LDAP: Avoid undefined ret value
* UTIL: remove get_username_from_uid
* PAC: krb5_pac_verify failures should not be fatal
* IFP: Fix lookups with fully-qualified names
* RPM: Restart service in %posttrans, not %post
* TESTS: Check if option maps have the right number of members
* NSS: Ignore default_domain for netgroups
* Only replace space with the specified substitution
* Make the space override responder-agnostic
* PAM: Use the override_space option
* IFP: Use the override_space option
* SUDO: Use the override_space option
* TESTS: Add unit tests for the replace-space functionality
* BE: Handle SIGUSR2
* IPA: handle searches by SID in apply_subdomain_homedir
* SYSDB: Clarify sss_ldb_modify_permissive returns ldb error code
* Revert "IPA: new attribute map for non-posix groups"
* Revert "IPA: process non-posix nested groups"
* Revert "IPA: try to resolve nested groups as poxix group"
* LDAP: Do not shortcut on ret != EOK during password expiry check
* LDAP: Split out linking primary group members into a separate function
* LDAP: Don't add a user member twice when adding a primary group
* LDAP: Use tmp_ctx in ldap_child for temporary data
* LDAP: Use randomized ccname for storing credentials
* LDAP: Add Windows Server 2012 R2 functional level
* LDAP: Fall back to functional level of Windows Server 2003
* LDAP: Enable tokenGroups with Windows Server 2003
* TESTS: Add unit tests for the GPO interface
* LDAP: Set umask before calling mkstemp
* LDAP: Ignore returned referrals if referral support is disabled
* LDAP: Don't reuse a single tevent callback for multiple requests
* LDAP: Skip dereferenced entries that we are not permitted to read
* TESTS: Add a unit test for dereference parsing
* MAN: Add sss_rpcidmapd.5.xml to the list of translatable man pages
* LDAP: Check return value
* Updating translations for the 1.12.1 release
Jan Cholasta (1):
* SDAP: Set default value of ldap_user_ssh_public_key to "sshPublicKey"
Lukas Slebodnik (31):
* sss_client: thread safe initialisation of sss_cli_mc_ctx
* sss_client: Fix memory leak in nss_mc_{group,passwd}
* LDAP: Remove unused option ldap_netgroup_uuid
* LDAP: Remove unused option ldap_group_uuid
* LDAP: Remove unused option ldap_user_uuid
* test_utils: Use common header file for libsss_util tests.
* UTIL: Add functions for replacing whitespaces.
* NSS: Replace spaces with specified string in names.
* SDAP: Deref needn't be treated as critical
* Revert "SDAP: Deref needn't be treated as critical"
* dyndns_test: Use right socket length of for IPv4 address.
* responder-get-domains-tests: fix checking of leaks
* test_dyndns: Use different talloc context in wrapped functions.
* TESTS: leak_check functions shouldn't be called with NULL context
* dyndns: Fix talloc hierarchy of "struct sss_iface_addr"
* test_dyndns: sss_iface_addr_list_get can return more values
* SDAP: free subrequest in sdap_dyndns_update_addrs_done
* SDAP: Immediately finish request for empty array
* SDAP: Use different talloc_context for array of names
* SDAP: Update groups for user just once.
* SDAP: Fix using of uninitialized variable
* strtonum-tests: Add unit test for strtouint16.
* responder_socket_access-tests: Fix condition in loop
* MAN: Fix a conversion of seconds to hours
* AD: Ignore all errors if gpo is in permissive mode.
* AUTOCONF: Update detection of libnfsidmap
* SPEC: Use netlink library version 3 for rhel7
* SPEC: Drop old OS conditions from spec file.
* refcount-tests: Do not force to run test in CK_FORK mode
* NSS: Use right domain for group members with fq names
* pysss: test return value of realloc.
Michal Zidek (10):
* Add function confdb_set_string.
* case_sensitivity = preserving
* MAN: case_sensitivity man page update
* Remove unused function confdb_set_bool
* ptask: Allow adding random_offset to scheduled execution time
* ptask: Add backoff feature to the ptask api.
* Exit offline mode only if server is available.
* MAN: offline_timeout
* be_get_account_info change level of debug message
* IFP: Suppress 'git diff' noise
Michal Šrubař (1):
* LDAP SUDO: sudo provider doesn't fetch 'EntryUSN'
Nalin Dahyabhai (2):
* sss_client: Fix "struct sss_cli_mc_ctx" reinitialize-on-errors
* Accept krb5 1.13 for building the PAC plugin
Nikolai Kondrashov (10):
* build: Remove substitution of *_OBJ variables
* build: Mention required libini_config version
* build: Distinguish libini_config version checks
* build: Distinguish libnl version checks
* build: Reverse order of libini_config checks
* build: Move libini_config 1.1.0 check to libini_config.m4
* build: Don't install ad and ipa man pages unnecessarily
* Add basic support for CI test execution
* CI: Add libnfsidmap-dev Debian dependency
* CI: Consider libcmocka-devel always present
Noam Meltzer (5):
* NEW CLIENT: plugin for NFSv4 rpc.idmapd
* NFSv4 client: (private) headers from libnfsidmap
* NFSv4 client: add to build system
* NFSv4 client: add to RPM spec
* NFSv4 client: man page
Pavel Březina (15):
* resolv tests: remove ununused variable from for cyclus
* resolv tests: add test for multiple servers with zero weights
* resolv: fix server sort by weight
* sudo: fetch sudoRunAs attribute
* sss_sifp test: fix object path array test
* sss_sifp: set output parameters if attribute is NULL
* ad_handle_acct_info_step: fix typo
* ad: comment ENOENT when id mapping is disabled
* ad: update membership after SIDs are resolved
* sudo: use dbus array for rules refresh
* sudo: replace asterisk with escape sequence in host filter
* failover: set port status to not working if previous srv lookup failed
* ad initgroups: continue if resolved SID is still missing
* sudo: work with correct D-Bus iterator
* sss_sifp: bump version to 0:1:0
Pavel Reichl (25):
* SYSDB: augmented logging when adding new group
* LDAP: tokengroups do not work with id_provider=ldap
* SDAP: Continue resolving SID even if some fail
* UTIL: rename find_subdomain_by_sid
* UTIL: rename find_subdomain_by_name
* UTIL: rename find_subdomain_by_object_name
* SDAP: remove duplicated code
* SDAP: reduce code duplicity-rfc2307bis nested groups
* SDAP: fix use after free in async_initgroups
* SDAP: split sdap_access_filter_get_access_done
* SDAP: refactor sdap_access_filter_send
* SDAP: nitpicks in sdap_access_filter_get_access_done
* SDAP: refactor sdap_access_filter_done
* SDAP: don't log error on access denied
* IPA: new attribute map for non-posix groups
* IPA: process non-posix nested groups
* IPA: try to resolve nested groups as poxix group
* SDAP: refactor AC offline checks
* SDAP: new option - DN to ppolicy on LDAP
* SDAP: account lockout to restrict access via ssh key
* MAN: options 'lockout' and 'ldap_pwdlockout_dn'
* SYSDB: SSS_LDB_SEARCH - macro around ldb_search
* IPA: process non-posix nested groups
* AD: process non-posix nested groups w/o tokenGroups
* AD: process non-posix nested groups using tokenGroups
Sumit Bose (17):
* KRB5: add missing debug-to-stderr option to krb5_child
* AD: add missing debug-to-stderr option to gpo_child
* libwbclient: SSSD implementation
* sss_log: fix handling of variable argument lists
* sysdb_get_real_name: allow UPN as input
* LDAP: If extra_value is 'U' do a UPN search
* PAM: extract checks from parsing routines
* PAM: remove ldb_result member from pam_auth_req context
* NSS: check_cache() add extra option
* PAM, NSS: allow UPN login names
* Replace space: add some checks
* Add conditional build for MIT Kerberos localauth plugin
* Implement MIT Kerberos localauth plugin
* Doxygen: replace <pre> with markdown table
* libwbclient: make build optional
* dlopen test: only test libwbclient when it is build
* libwbclient: avoid collision with Samba version
William B (1):
* SSS_CACHE: Allow sss_cache tool to flush SSH hosts cache
Yassir Elley (9):
* AD-GPO: Store policy settings in local files
* AD-GPO: add sysdb_gpo support for caching gpo version
* AD-GPO: only download policy files if gpo version changes
* AD-GPO: add ad_gpo_cache_timeout option
* AD-GPO: sysdb_gpo changes for offline gpo support
* AD-GPO: ad_gpo changes for offline gpo support
* AD-GPO: config changes for gpo_map_* options
* AD-GPO: processing changes for gpo_map_* options
* AD-GPO: delete stale GPOs
9 years, 7 months
Re: [SSSD-users] sudo password verification
by Jacob Weber
I figured it out -- for some reason /etc/pam.d/system-auth-ac didn't contain the pam_sss.so entries. I had been running authconfig --update, but that wasn't adding them to the file. So I ran authconfig --updateall, which did the trick.
Not sure why SSH login was working with SSSD, but maybe that uses a different config file.
Jacob
9 years, 7 months
Inefficient ldap query...I think (sssd 1.11.2/CentOS 7)
by Nordgren, Bryce L -FS
ls -l is very slow, as is "getfacl".
Is there any reason that a call to getpwuid(10008) should produce an ldap query filter like this?
(&(uidNumber=10008)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))
Clearly, if uidNumber=10008, it is both present and not zero so the last two terms are moot. At best, a smart ldap server will optimize this out and only waste the time it takes to parse the filter. At worst, it goes and performs all three checks independently.
Also, my ldap setup is proxying "uid" defined in two remote ADs and FreeIPA, optionally overriding the uid value locally to resolve conflicts. Adding (uid=*) essentially translates to "send me information on every account in your system, so I can then combine your remote result with the rest of the query", which is causing size limit errors and/or timeouts. (objectClass=posixAccount) would cause the same issues, except none of the entries in AD are posixAccounts. FreeIPA will probably observe exactly the same phenomenon when they implement views.
Is there any way for me to control this ldap query, hopefully knocking it down to (&(uidNumber=10008)(objectClass=posixAccount)), requesting attribute uid?
Thanks,
Bryce
9 years, 7 months
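Added illustration, not from the thread and not SSSD code (it does not change what SSSD sends): a small parser for the RFC 4515 filter subset in the post that applies the reasoning above. Inside an AND, an equality assertion on an attribute makes a presence test and a negated inequality on the same attribute redundant, so the posted filter reduces to the three terms that actually constrain the search.

```python
"""Parser and simplifier for the RFC 4515 filter subset quoted in the post.
Handles &, |, !, equality (attr=value) and presence (attr=*); substring,
>=, <= and ~= items are out of scope.  Attribute names compare
case-insensitively, as they do in LDAP.
"""


def parse(text: str):
    node, end = _parse_at(text, 0)
    if end != len(text):
        raise ValueError(f"trailing data after filter at offset {end}")
    return node


def _parse_at(text: str, pos: int):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(text):
        raise ValueError("truncated filter")
    op = text[pos]
    if op in "&|":
        pos += 1
        items = []
        while pos < len(text) and text[pos] == "(":
            item, pos = _parse_at(text, pos)
            items.append(item)
        node = ("and" if op == "&" else "or", items)
    elif op == "!":
        inner, pos = _parse_at(text, pos + 1)
        node = ("not", inner)
    else:
        end = text.find(")", pos)  # RFC 4515 escapes ')' inside values as \29
        if end < 0:
            raise ValueError("unterminated item")
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError(f"bad item {text[pos:end]!r}")
        node = ("present", attr) if value == "*" else ("eq", attr, value)
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1


def simplify(node):
    kind = node[0]
    if kind == "not":
        return ("not", simplify(node[1]))
    if kind not in ("and", "or"):
        return node
    items = []
    for child in node[1]:
        child = simplify(child)
        if child[0] == kind:          # flatten (&(a)(&(b)(c))) into (&(a)(b)(c))
            items.extend(child[1])
        else:
            items.append(child)
    if kind == "and":
        items = _drop_implied(items)
    return items[0] if len(items) == 1 else (kind, items)


def _drop_implied(items):
    # attr=value assertions already present in this AND, keyed case-insensitively
    asserted = {n[1].lower(): n[2] for n in items if n[0] == "eq"}
    kept = []
    for n in items:
        if n[0] == "present" and n[1].lower() in asserted:
            continue                                    # (a=v) implies (a=*)
        if (n[0] == "not" and n[1][0] == "eq"
                and asserted.get(n[1][1].lower(), n[1][2]) != n[1][2]):
            continue                                    # (a=v) implies (!(a=w)) for w != v
        if n not in kept:                               # exact duplicates
            kept.append(n)
    return kept


def to_string(node) -> str:
    kind = node[0]
    if kind in ("and", "or"):
        op = "&" if kind == "and" else "|"
        return "(" + op + "".join(map(to_string, node[1])) + ")"
    if kind == "not":
        return "(!" + to_string(node[1]) + ")"
    if kind == "present":
        return f"({node[1]}=*)"
    return f"({node[1]}={node[2]})"


def simplify_filter(text: str) -> str:
    return to_string(simplify(parse(text)))


# The filter quoted in the post.
POSTED_FILTER = ("(&(uidNumber=10008)(objectclass=posixAccount)(uid=*)"
                 "(&(uidNumber=*)(!(uidNumber=0))))")

if __name__ == "__main__":
    print(simplify_filter(POSTED_FILTER))
    # (&(uidNumber=10008)(objectclass=posixAccount)(uid=*))
```

The (uid=*) term survives because nothing in the filter asserts a uid value; only the uidNumber presence and not-zero terms are implied by uidNumber=10008.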
Re: [SSSD-users] sudo password verification
by Jacob Weber
> Yes you can use the local sudoers file by adding a ldap user or group,
> but it will only work on the machine you add the user or group to, I
> initially did this with my AD domain joined laptop.
>
> There is a very big problem with doing it this way if you want to do it
> for multiple machines and users, you have to alter each and every
> sudoers file. This is where sssd-sudoers comes in, you setup the sudo
> rules in ldap or AD (once) and get the same results everywhere.
I'm okay with having local rules; I just want the local rules to apply to LDAP users/groups. Is that what you had? Did you have them defined with NOPASSWD, or did they require a password?
Thanks,
Jacob
9 years, 7 months
Re: [SSSD-users] sudo password verification
by Jacob Weber
As far as I can tell from looking at sssd-sudo, this requires you to get the rules from your LDAP directory. But is it possible to use the sudoers file instead, for rules that apply to LDAP users/groups?
It seems to work when the rule includes NOPASSWD, but not when it requires a password.
Jacob
9 years, 7 months