full_name_format and supplemental groups
by Orion Poplawski
Running IPA with an AD trust. Users are in AD. Trying to use
full_name_format = %1$s to strip the domain from user names. This appears to
break supplemental groups in strange ways.
On the IPA server:
Without full_name_format:
# id orion(a)ad.nwra.com
uid=470202603(orion(a)ad.nwra.com) gid=470202603(orion(a)ad.nwra.com)
groups=470202603(orion(a)ad.nwra.com),470200513(domain
users(a)ad.nwra.com),470204703(pirep rd users(a)ad.nwra.com),470204714(wireless
access@ad.nwra.com),470204715(nwra-users@ad.nwra.com),470204701(boulder(a)ad.nwra.com),470207608(heimdall
users(a)ad.nwra.com),470200512(domain admins(a)ad.nwra.com),470207124(andreas
admins(a)ad.nwra.com)
With:
# id orion(a)ad.nwra.com
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
If I add:
default_domain_suffix = ad.nwra.com
# id orion
uid=470202603(orion) gid=470202603(orion)
groups=470202603(orion),470200512(domain admins),470207608(heimdall
users),470204714(wireless
access),470204715(nwra-users),470204701(boulder),470204703(pirep rd
users),470207124(andreas admins),470200513(domain users)
Which I guess makes some sense as you'd need to add the domain suffix back on
to find the groups.
But this appears to completely break IPA clients (with full_name_format = %1$s
and default_domain_suffix = ad.nwra.com):
# id orion(a)ad.nwra.com
id: orion(a)ad.nwra.com: no such user
# id orion
id: orion: no such user
>From looking at the server logs, it looks like only the IPA domain is searched
If I reset the server back to normal (drop full_name_format and
default_domain_suffix):
# id orion
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
I don't get any supplemental groups. I see sssd errors like:
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member]
(0x0400): Error: 2 (No such file or directory)
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex]
(0x0020): Could not add member [orion] to group [name=domain
admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
Is t trying "cn=groups,cn=nwra.com,cn=sysdb" instead of
"cn=groups,cn=ad.nwra.com,cn=sysdb"
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 http://www.nwra.com
6 years, 11 months
please do not remove enumeration from AD provider
by James Ralston
On Wed, May 6, 2015 at 4:27 AM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
> You know, just this morning, I was thinking about enumeration. It
> doesn't work for IPA views at all for example. It doesn't work for
> trusted domains at all either (except for some limited support in AD
> trusted domains that is very untested)
>
> I wonder if we could just remove enumeration from IPA and AD back
> ends in some major release.
Please don't do this.
Enumeration is a very useful feature. It allows us to do things like
this:
$ getent passwd | grep -i lastname
The equivalent ldapsearch command is much more tedious:
$ ldapsearch -z 0 -E pr=2147483647/noprompt -o ldif-wrap=no -L -L -H
'ldap:///dc%3Dexample%2Cdc%3Dorg -Y GSSAPI -N -b "dc=example,dc=org"
"(&(objectClass=user)(cn=*lastname*))" dn cn sAMAccountName
More generically, enumeration is the way Unix/Linux has always worked.
Even getting users to change from:
grep -i lastname /etc/passwd
To this:
getent passwd | grep -i lastname
...has been a struggle.
We also have various services that (unfortuantely) pre-load the passwd
and group files at startup by enumerating them with getpwent_r() and
getgrent_r(), instead of using the get*nam_r() and get*id_r()
functions as-needed. These services break outright if enumeration is
disabled.
(Yes, these services are broken. Yes, they shouldn't do that. But our
ability to fix them is extremely limited at best, because we don't
control them.)
Finally, we have many systems that cannot be joined to Active
Directory (for policy reasons, not technical reasons). But we want to
use the same passwd/group entries on those systems as returned by sssd
on hosts that are joined to Active Directory. We do this by scraping
the output of "getent -s sss passwd" and "getent -s sss group" and
manually merging it into the local passwd and group files
(respectively) on these hosts.
> It's just a legacy feature, so those who need it can fall back to
> the LDAP provider..
But the LDAP provider doesn't support ID mapping; only the AD provider
does. And ID mapping is the main reason we use sssd.
I'm not asking you to make enumeration the default. It shouldn't be;
it should be something you only turn on if you need it, and you KNOW
you need it. But if you need it, you NEED it. Please don't take it
away.
7 years, 7 months
Announcing SSSD 1.13.1
by Jakub Hrozek
== SSSD 1.13.1 ===
The SSSD team is proud to announce the release of version 1.13.1 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* Initial support for Smart Card authentication was added. The feature
can be activated with the new pam_cert_auth option
* The PAM prompting was enhanced so that when Two-Factor Authentication
is used, both factors (password and token) can be entered separately
on separate prompts. At the same time, only the long-term password is
cached, so offline access would still work using the long term password
* A new command line tool sss_override is present in this release. The
tools allows to override attributes on the SSSD side. It's helpful in
environment where e.g. some hosts need to have a different view of POSIX
attributes than others. Please note that the overrides are stored in
the cache as well, so removing the cache will also remove the overrides
* New methods were added to the SSSD D-Bus interface. Notably support
for looking up a user by certificate and looking up multiple users
using a wildcard was added. Please see the interface introspection or
the design pages for full details
* Several enhancements to the dynamic DNS update code. Notably, clients
that update multiple interfaces work better with this release
* This release supports authenticating againt a KDC proxy
* The fail over code was enhanced so that if a trusted domain is not
reachable, only that domain will be marked as inactive but the backed
would stay in online mode
* Several fixes to the GPO access control code are present
== Packaging Changes ==
* The Smart Card authentication feature requires a helper process
p11_child that needs to be marked as setgid if SSSD needs to be able
to. Please note the p11_child requires the NSS crypto library at the moment
* The sss_override tool was added along with its own manpage
* The upstream RPM can now build on RHEL/CentOS 6.7
== Documentation Changes ==
* The config_file_version configuration option now defaults to 2. As
an effect, this option doesn't have to be set anymore unless the config
file format is changed again by SSSD upstream
* It is now possible to specify a comma-separated list of interfaces in
the dyndns_iface option
* The InfoPipe responder and the LDAP provider gained a new option
wildcard_lookup that specifies an upper limit on the number of entries
that can be returned with a wildcard lookup
* A new option dyndns_server was added. This option allows to attempt
a fallback DNS update against a specific DNS server. Please note this
option only works as a fallback, the first attempt will always be
performed against autodiscovered servers.
* The PAM responder gained a new option ca_db that allows the storage
of trusted CA certificates to be specified
* The time the p11_child is allowed to operate can be specified using
a new option p11_child_timeout
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/546
[RFE] Support for smart cards
https://fedorahosted.org/sssd/ticket/1697
sssd: incorrect checks on length values during packet decoding
https://fedorahosted.org/sssd/ticket/1926
[RFE] Start the dynamic DNS update after the SSSD has been setup for
the first time
https://fedorahosted.org/sssd/ticket/1994
Complain loudly if backend doesn't start due to missing or invalid keytab
https://fedorahosted.org/sssd/ticket/2275
nested netgroups do not work in IPA provider
https://fedorahosted.org/sssd/ticket/2283
test dyndns failed.
https://fedorahosted.org/sssd/ticket/2335
Investigate using the krb5 responder for driving the PAM conversation
with OTPs
https://fedorahosted.org/sssd/ticket/2463
Pass error messages via the extdom plugin
https://fedorahosted.org/sssd/ticket/2495
[RFE]Allow sssd to add a new option that would specify which server
to update DNS with
https://fedorahosted.org/sssd/ticket/2549
RFE: Support multiple interfaces with the dyndns_iface option
https://fedorahosted.org/sssd/ticket/2553
RFE: Add support for wildcard-based cache updates
https://fedorahosted.org/sssd/ticket/2558
Add dualstack and multihomed support
https://fedorahosted.org/sssd/ticket/2561
Too much logging
https://fedorahosted.org/sssd/ticket/2579
TRACKER: Support one-way trusts for IPA
https://fedorahosted.org/sssd/ticket/2581
Re-check memcache after acquiring the lock in the client code
https://fedorahosted.org/sssd/ticket/2584
RFE: Support client-side overrides
https://fedorahosted.org/sssd/ticket/2597
Add index for 'objectSIDString' and maybe to other cache attributes
https://fedorahosted.org/sssd/ticket/2637
RFE: Don't mark the main domain as offline if SSSD can't connect to
a subdomain
https://fedorahosted.org/sssd/ticket/2639
RFE: Detect re-established trusts in the IPA subdomain code
https://fedorahosted.org/sssd/ticket/2652
KDC proxy not working with SSSD krb5_use_kdcinfo enabled
https://fedorahosted.org/sssd/ticket/2676
Group members are not turned into ghost entries when the user is purged
from the SSSD cache
https://fedorahosted.org/sssd/ticket/2682
sudoOrder not honored as expected
https://fedorahosted.org/sssd/ticket/2688
Default to config_file_version=2
https://fedorahosted.org/sssd/ticket/2691
GPO: PAM system error returned for PAM_ACCT_MGMT and offline mode
https://fedorahosted.org/sssd/ticket/2692
GPO: Access denied due to using wrong sam_account_name
https://fedorahosted.org/sssd/ticket/2694
CI: Fix ramshackle test_ipa_subdomains_server (FAIL:
test_ipa_subdom_server)
https://fedorahosted.org/sssd/ticket/2699
SSSDConfig: wrong return type returned on python3
https://fedorahosted.org/sssd/ticket/2700
krb5_child should always consider online state to allow use of
MS-KKDC proxy
https://fedorahosted.org/sssd/ticket/2708
Logging messages from user point of view
https://fedorahosted.org/sssd/ticket/2711
[RFE] Provide interface for SSH to fetch user certificate
https://fedorahosted.org/sssd/ticket/2712
Initgroups memory cache does not work with fq names
https://fedorahosted.org/sssd/ticket/2716
Initgroups mmap cache needs update after db changes
https://fedorahosted.org/sssd/ticket/2717
well-known SID check is broken for NetBIOS prefixes
https://fedorahosted.org/sssd/ticket/2718
SSSD keytab validation check expects root ownership
https://fedorahosted.org/sssd/ticket/2719
IPA: returned unknown dp error code with disabled migration mode
https://fedorahosted.org/sssd/ticket/2722
Missing config options in gentoo init script
https://fedorahosted.org/sssd/ticket/2723
Could not resolve AD user from root domain
https://fedorahosted.org/sssd/ticket/2724
getgrgid for user's UID on a trust client prevents getpw*
https://fedorahosted.org/sssd/ticket/2725
If AD site detection fails, not even ad_site override skipped
https://fedorahosted.org/sssd/ticket/2729
Do not send SSS_OTP if both factors were entered separately
https://fedorahosted.org/sssd/ticket/2731
searching SID by ID always checks all domains
https://fedorahosted.org/sssd/ticket/2733
Don't use deprecated libraries (libsystemd-*)
https://fedorahosted.org/sssd/ticket/2737
sss_override: add import and export commands
https://fedorahosted.org/sssd/ticket/2738
Cannot build rpms from upstream spec file on rawhide
https://fedorahosted.org/sssd/ticket/2742
When certificate is added via user-add-cert, it cannot be looked up
via org.freedesktop.sssd.infopipe.Users.FindByCertificate
https://fedorahosted.org/sssd/ticket/2743
memory cache can work intermittently
https://fedorahosted.org/sssd/ticket/2744
cleanup_groups should sanitize dn of groups
https://fedorahosted.org/sssd/ticket/2746
the PAM srv test often fails on RHEL-7
https://fedorahosted.org/sssd/ticket/2748
test_memory_cache failed in invalidation cache before stop
https://fedorahosted.org/sssd/ticket/2749
Fix crash in nss responder
https://fedorahosted.org/sssd/ticket/2754
Clear environment and set restrictive umask in p11_child
https://fedorahosted.org/sssd/ticket/2757
sss_override does not work correctly when 'use_fully_qualified_names
= True'
https://fedorahosted.org/sssd/ticket/2758
sss_override contains an extra parameter --debug but is not listed in
the man page or in the arguments help
https://fedorahosted.org/sssd/ticket/2762
[RFE] sssd: better feedback form constraint password change
https://fedorahosted.org/sssd/ticket/2768
Test 'test_id_cleanup_exp_group' failed
https://fedorahosted.org/sssd/ticket/2772
sssd cannot resolve user names containing backslash with ldap provider
https://fedorahosted.org/sssd/ticket/2773
Make p11_child timeout configurable
https://fedorahosted.org/sssd/ticket/2777
Fix memory leak in GPO
https://fedorahosted.org/sssd/ticket/2782
sss_override : The local override user is not found
https://fedorahosted.org/sssd/ticket/2783
REGRESSION: Dyndns soes not update reverse DNS records
https://fedorahosted.org/sssd/ticket/2790
sss_override --name doesn't work with RFC2307 and ghost users
https://fedorahosted.org/sssd/ticket/2799
unit tests do not link correctly on Debian
https://fedorahosted.org/sssd/ticket/2803
Memory leak / possible DoS with krb auth.
https://fedorahosted.org/sssd/ticket/2805
AD: Conditional jump or move depends on uninitialised value
== Detailed Changelog ==
Jakub Hrozek (52):
* Updating the version for 1.13.1 development
* tests: Move N_ELEMENTS definition to tests/common.h
* SYSDB: Add functions to look up multiple entries including name and
custom filter
* DP: Add DP_WILDCARD and SSS_DP_WILDCARD_USER/SSS_DP_WILDCARD_GROUP
* cache_req: Extend cache_req with wildcard lookups
* UTIL: Add sss_filter_sanitize_ex
* LDAP: Fetch users and groups using wildcards
* LDAP: Add sdap_get_and_parse_generic_send
* LDAP: Use sdap_get_and_parse_generic_/_recv
* LDAP: Add sdap_lookup_type enum
* LDAP: Add the wildcard_limit option
* IFP: Add wildcard requests
* Use NSCD path in execl()
* KRB5: Use the right domain for case-sensitive flag
* IPA: Better debugging
* UTIL: Lower debug level in perform_checks()
* IPA: Handle sssd-owned keytabs when running as root
* IPA: Remove MPG groups if getgrgid was called before getpw()
* LDAP: use ldb_binary_encode when printing attribute values
* IPA: Change the default of ldap_user_certificate to
userCertificate;binary
* UTIL: Provide a common interface to safely create temporary files
* IPA: Always re-fetch the keytab from the IPA server
* DYNDNS: Add a new option dyndns_server
* p11child: set restrictive umask and clear environment
* KRB5: Use sss_unique file in krb5_child
* KRB5: Use sss_unique_file when creating kdcinfo files
* LDAP: Use sss_unique_filename in ldap_child
* SSH: Use sss_unique_file_ex to create the known hosts file
* SYSDB: Index the objectSIDString attribute
* sbus: Initialize errno if constructing message fails and add debug
messages
* sbus: Add a special error code for messages sent by the bus itself
* GPO: Use sss_unique_file and close fd on failure
* SDAP: Remove unused function
* KRB5: Don't error out reading a minimal krb5.conf
* UTIL: Convert domain->disabled into tri-state with domain states
* DP: Provide a way to mark subdomain as disabled and auto-enable it
later with offline_timeout
* SDAP: Do not set is_offline if ignore_mark_offline is set
* AD: Only ignore errors from SDAP lookups if there's another connection
to fallback to
* KRB5: Offline operation with disabled domain
* AD: Do not mark the whole back end as offline if subdomain lookup fails
* AD: Set ignore_mark_offline=false when resolving AD root domain
* IPA: Do not allow the AD lookup code to set backend as offline in
server mode
* BUILD: link dp tests with LDB directly to fix builds on Debian
* LDAP: imposing sizelimit=1 for single-entry searches breaks
overlapping domains
* tests: Move named_domain from test_utils to common test code
* LDAP: Move sdap_create_search_base from ldap to sdap code
* LDAP: Filter out multiple entries when searching overlapping domains
* IPA: Change ipa_server_trust_add_send request to be reusable from ID code
* FO: Add an API to reset all servers in a single service
* FO: Also reset the server common data in addition to SRV
* IPA: Retry fetching keytab if IPA user lookup fails
* Updating translations for the 1.13.1 release
Lukas Slebodnik (49):
* KRB5: Return right data provider error code
* Update few debug messages
* intg: Invalidate memory cache before removing files
* SPEC: Update spec file for krb5_local_auth_plugin
* SSSDConfig: Return correct types in python3
* intg: Modernize 'except' clauses
* mmap_cache: Rename variables
* mmap_cache: "Override" functions for initgr mmap cache
* mmap: Invalidate initgroups memory cache after any change
* sss_client: Update integrity check of records in mmap cache
* intg_test: Add module for simulation of utility id
* intg_test: Add integration test for memory cache
* NSS: Initgr memory cache should work with fq names
* test_memory_cache: Add test for initgroups mc with fq names
* SPEC: Workaround for build with rpm 4.13
* KRB5: Do not try to remove missing ccache
* test_memory_cache: Test mmap cache after initgroups
* test_memory_cache: Test invalidation with sss_cache
* krb5_utils-tests: Remove unused variables
* sss_cache: Wait a while for invalidation of mc by nss responder
* test_memory_cache: Fix few python issues
* NSS: Fix use after free
* NSS: Don't ignore backslash in usernames with ldap provider
* intg_tests: Add regression test for 2163
* BUILD: Build libdlopen_test_providers.la as a dynamic library
* BUILD: Speed up build of some tests
* BUILD: Simplify build of simple_access_tests
* CI: Set env variable for all tabs in screen
* dyndns-tests: Simulate job in wrapped execv
* AUTOMAKE: Disable portability warnings
* tests: Use unique name for TEST_PATH
* tests: Move test_dom_suite_setup to different module
* test_ipa_subdomains_server: Use unique dorectory for keytabs
* test_copy_keytab: Create keytabs in unique directory
* test_ad_common: Use unique directory for keytabs
* Revert "LDAP: end on ENOMEM"
* Partially revert "LDAP: sanitize group name when used in filter"
* LDAP: Sanitize group dn before using in filter
* test_ldap_id_cleanup: Fix coding style issues
* DYNDNS: Return right error code in case of failure
* BUILD: Simplify build of test_data_provider_be
* BUILD: Remove unused variable CHECK_OBJ
* BUILD: Do not build libsss_ad_common.la as library
* BUILD: Remove unused variable SSSD_UTIL_OBJ
* CONFIGURE: Remove bashism
* IFP: Suppress warning from static analyzer
* BUILD: Link test_data_provider_be with -ldl
* sysdb-tests: Use valid base64 encoded certificate for search
* test_pam_srv: Run cert test only with NSS
Michal Židek (13):
* DEBUG: Add new debug category for fail over.
* pam: Incerease p11 child timeout
* sdap_async: Use specific errmsg when available
* TESTS: ldap_id_cleanup timeouts
* sssd: incorrect checks on length values during packet decoding
* CONFDB: Assume config file version 2 if missing
* Makefile.am: Add missing AM_CFLAGS
* SYSDB: Add function to expire entry
* cleanup task: Expire all memberof targets when removing user
* CI: Add regression test for #2676
* intg: Fix some PEP 8 violations
* PAM: Make p11_child timeout configurable
* tests: Set p11_child_timeout to 30 in tests
Nikolai Kondrashov (1):
* TESTS: Add trailing whitespace test
Pavel Březina (18):
* VIEWS TEST: add null-check
* SYSDB: prepare for LOCAL view
* TOOLS: add common command framework
* TOOLS: add sss_override for local overrides
* AD: Use ad_site also when site search fails
* IFP: use default limit if provided is 0
* sudo: use "higher value wins" when ordering rules
* sss_override: print input name if unable to parse it
* sss_override: support domains that require fqname
* TOOLS: add sss_colondb API
* sss_override: decompose code better
* sss_override: support import and export
* sss_override: document --debug options
* sss_override: support fqn in override name
* views: do not require overrideDN in grous when LOCAL view is set
* views: fix two typos in debug messages
* views: allow ghost members for LOCAL view
* sss_override: remove -d from manpage
Pavel Reichl (23):
* DYNDNS: sss_iface_addr_list_get return ENOENT
* DYNDNS: support mult. interfaces for dyndns_iface opt
* DYNDNS: special value '*' for dyndns_iface option
* TESTS: dyndns tests support AAAA addresses
* DYNDNS: support for dualstack
* TESTS: fix compiler warnings
* SDAP: rename SDAP_CACHE_PURGE_TIMEOUT
* IPA: Improve messages about failures
* DYNDNS: Don't use server cmd in nsupdate by default
* DYNDNS: remove redundant talloc_steal()
* DYNDNS: remove zone command
* DYNDNS: rename field of sdap_dyndns_update_state
* DYNDNS: remove code duplication
* TESTS: UT for sss_iface_addr_list_as_str_list()
* LDAP: sanitize group name when used in filter
* LDAP: minor improvements in ldap id cleanup
* TESTS: fix fail in test_id_cleanup_exp_group
* LDAP: end on ENOMEM
* AD: send less logs to syslog
* Remove trailing whitespace
* GPO: fix memory leak
* DDNS: execute nsupdate for single update of PTR rec
* AD: inicialize root_domain_attrs field
Petr Cech (6):
* BUILD: Repair dependecies on deprecated libraries
* TESTS: Removing part of responder_cache_req-tests
* UTIL: Function 2string for enum sss_cli_command
* UTIL: Fixing Makefile.am for util/sss_cli_cmd.h
* DATA_PROVIDER: BE_REQ as string in log message
* IPA PROVIDER: Resolve nested netgroup membership
Robin McCorkell (1):
* man: List alternative schema defaults for LDAP AutoFS parameters
Stephen Gallagher (1):
* AD: Handle cases where no GPOs apply
Sumit Bose (17):
* test common: sss_dp_get_account_recv() fix assignment
* nss_check_name_of_well_known_sid() improve name splitting
* negcache: allow domain name for UID and GID
* nss: use negative cache for sid-by-id requests
* krb5: do not send SSS_OTP if two factors were used
* utils: add NSS version of cert utils
* Add NSS version of p11_child
* pack_message_v3: allow empty name
* authok: add support for Smart Card related authtokens
* PAM: add certificate support to PAM (pre-)auth requests
* pam_sss: add sc support
* ssh: generate public keys from certificate
* krb5 utils: add sss_krb5_realm_has_proxy()
* krb5: do not create kdcinfo file if proxy configuration exists
* krb5: assume online state if KDC proxy is configured
* GPO: use SDAP_SASL_AUTHID as samAccountName
* utils: make sss_krb5_get_primary() private
Thomas Oulevey (1):
* Fix memory leak in sssdpac_verify()
Tyler Gates (1):
* CONTRIB: Gentoo daemon startup options as declared in conf.d/sssd
Yuri Chornoivan (1):
* Fix minor typos
7 years, 8 months
SSSD & Kerberos renewal
by Ondrej Valousek
Hi list,
I have a question regarding Kerberos cache refresh. My observation is, that normally sssd refreshes my cache just fine, but if I create Kerberos cache manually using kinit like this:
$ ssh root@remote_machine
Remote_machine # su - Ondrej
Remote_machine $ kinit Ondrej
... my cache is never renewed. Is this a normal behaviour? Is there any way how to "register" this cache with SSSD so it can take a care of it as well?
Note that normally the SSSD ticket cache is created in format of:
FILE:/tmp/krb5cc_<uid>_random
Whereas kinit's is:
FILE:/tmp/krb5cc_<uid>
Thanks,
Ondrej
-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
7 years, 10 months
Local Administrators (group) and delegation in AD
by Davor Vusir
Hi all!
We have got many delegations in our AD. To add a certain administrator
group to the local Administrators group you can use GPO for
Windowsservers. As Samba does not understand GPO I have initially used
the "username map" feature to add a domain account to become root. After
the appropriate group is added via Computer Management MMC by the
delegated administrator, the line "username map" is commented and Samba
is restarted. After this procedure the delegated administrators have got
proper access to the server. Not using this feature of course renders
access denied error when attempting to add an AD-group to the local
Administrators group.
If Winbind is disabled you get the well known SID in members list in the
properties dialog for the local Administrators group instead of the
human readable names (AD\Domain Admins...).
We are using SSSD to retrieve user- and groupinfo from AD, therefore is
the AD-backend commented in smb.conf.
https://fedorahosted.org/sssd/wiki/HOWTO_Configure_1_0_2 mentions that
the local provider is using LDB-files for storing information. Is it
possible to use the files used by Samba/Winbind to retrieve the users
and groups in the local "SAM", eg the local Administrators and Users group?
Regards
Davor vusir
Relevant part of smb.conf:
# username map = /etc/samba/usermap
idmap config *:backend = tdb
idmap config *:range = 2200000001-2200100000
# idmap config AD:backend = ad
# idmap config AD:schema_mode = rfc2307
# idmap config AD:range = 1000-2200000000
# winbind nss info = rfc2307
Relevant part of nsswitch.conf:
passwd: files sss winbind
shadow: files
group: files sss winbind
7 years, 10 months
own domain sid unknown when using subdomains_provider=none
by Alexander 'Leo' Bergolth
Hi!
I am using the AD provider to connect to a domain which is a member of a
forest.
Unfortunately the forest root is not reachable due to firewall rules
which I cannot control.
To prevent forest lookup timeouts, I followed the advice in the
troubleshooting HOWTO and set "subdomains_provider=none". Besides I had
to explicitly specify an ad_server.
However, as soon as I add "subdomains_provider=none", sssd doesn't know
the SID of the configured domain anymore. Lookups return "Domain not
found for SID <owndomainsid>"
Do you have any hints?
I am using sssd-1.13.1.
Logs and config can be found at
http://leo.kloburg.at/tmp/sssd-subdomains_provider/
Thanks in advance,
--leo
--
e-mail ::: Leo.Bergolth (at) wu.ac.at
fax ::: +43-1-31336-906050
location ::: IT-Services | Vienna University of Economics | Austria
7 years, 11 months
Sorting mechanism (for groups) - two identical cn, different dn
by Davor Vusir
Hello,
two groups with identical cn, but residing in different OUs on the same
level, containing the same user accounts. The first has got RID 307742
and gidNumber 10307742. The other has got RID 307744 and gidNumber 10307744.
Running "id useraccount" returns the group with the lower gidNumber.
After renaming the second group (adding the number 2), both groups are
resolved.
Moving first group (RID 307742/gidNumber 20307742) away from search base
and create a third group with the same name. This group gets RID 307358
and gidNumber 10307358 returns this newly created group when running "id
useraccount".
Level 9 log shows this difference:
[sssd[be[ad.example.org]]] [sysdb_search_users] (0x2000): Search users
with filter: (&(objectclass=user)(gidNumber=10307742))
[sssd[be[ad.example.org]]] [sysdb_search_users] (0x2000): Search users
with filter: (&(objectclass=user)(gidNumber=10307358))
It is always the group with the lower gidNumber that's beeing checked.
Is SSSD using some name based filter? Or what filter is being used?
Regards
Davor Vusir
7 years, 11 months
SSSD & AD & Kerberized nfs
by Ondrej Valousek
Hi all,
Just put together few findings about kerberized NFS & AD. See here:
https://ovalousek.wordpress.com/2015/10/15/enable-kerberized-nfs-with-sss...
Ondrej
-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
7 years, 11 months
Weird keytab issue
by Thackeray, Neil L
I'm encountering a strange problem on some of my Ubuntu 14.0.4 LTS servers. I have yet to encounter the same problem on any of the CentOS or RHEL6/7 servers.
After a few days of working fine, all of the sudden users can't log in. I can fix the problem easily by using 'realm leave' and 'realm join', but this isn't optimal since users can go a day or two before it gets fixed. I thought at first it was clock drift causing a problem with the Kerberos ticket, but this last time I made sure to check the date before I rejoined the realm.
Oct 19 10:16:30 myserver [sssd[ldap_child[19092]]]: Preauthentication failed
Oct 19 10:16:31 myserver [sssd[ldap_child[19093]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
sssd 1.12.5
Any ideas?
7 years, 11 months
A security bug in SSSD 1.10 and later (CVE-2015-5292)
by Jakub Hrozek
=============== A security bug in SSSD 1.10 and later ==============
=
= Subject: A memory leak was found in SSSD's PAC processing plugin
=
= CVE ID#: CVE-2015-5292
=
= Summary: When SSSD's PAC responder is configured and a user login
= triggers parsing of the PAC blob (typically a GSSAPI
= password-less login), a small amount of memory is leaked
= in the context of the Kerberized application. This can
= eventually lead to memory exhaustion.
=
= Impact: Low
=
= Acknowledgements: This bug was found by Thomas Oulevey from CERN
=
= Affects default
= configuration: Only for the IPA provider
=
= Introduced with: 1.10.0 beta2
=
===============================================================
==== DESCRIPTION ====
When SSSD's PAC responder is configured and a user login triggers parsing of
the PAC blob (typically a GSSAPI password-less login), a small amount of
memory is leaked in the context of the Kerberized application. This can
eventually lead to memory exhaustion.
The affected configration would include "pac" in the list of services in
the the "[sssd]" section of the /etc/sssd/sssd.conf config file. Please
note that SSSD automatically starts the PAC responder in case the provider
type is set to IPA.
Also note that the most widely deployed application with this configuration
is OpenSSH, where the bug is not noticeable because, the leak happens in
a short-lived child process, not the long-running deamon.
The fix was delivered as part of the 1.13.1 release. However, the security
implications of the bug were only determined later.
The bug is being tracked in the following Red Hat Bugzilla report:
https://bugzilla.redhat.com/show_bug.cgi?id=1267580
==== PATCH AVAILABILITY ====
The patch is available at:
https://git.fedorahosted.org/cgit/sssd.git/commit/?id=b4c44ebb8997d3debb3...
7 years, 11 months
