12.5 problems
by Longina Przybyszewska
Hi,
We have a problem after upgrading from version 11.7 to 12.5.
Identity lookups periodically change from short name to fully qualified name for users from trust domains.
In turn, users get locked out of files, or cannot log in because the nfsidmap setup can't figure out the ID mapping.
This setup worked in version 11.7
(+several domains identically configured)
[domain/A.C.DOM.ORG]
debug_level = 9
cache_credentials = true
id_provider = ad
dyndns_update = false
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = a.c.dom.org
krb5_realm = A.C.DOM.ORG
use_fully_qualified_names = false
subdomain_provider = none
ldap_id_mapping = false
krb5_lifetime = 10h
krb5_renewable_lifetime = 7d
krb5_renew_interval = 1h
ad_gpo_access_control = disabled
ad_gpo_default_right = permit
With my new setup, IDs from trust domains can't be resolved as short names.
Only IDs from the client machine's native domain do.
Cross realm membership resolves fine.
[nss]
debug_level = 7
filter_groups = root
filter_users = root,lightdm,ldap,named,avahi,haldeamon,dbus,radvd,tomcat,radiusd,news,mailman,nscd
[sssd]
debug_level = 9
domains = A.C.DOM.ORG,N.C.DOM.ORG,C.DOM.ORG
config_file_version = 2
services = nss, pam,ssh
[pam]
pam_verbosity = 3
debug_level = 9
[domain/A.C.DOM.ORG]
debug_level = 9
id_provider = ad
dyndns_update = true
ad_hostname = a431.a.c.dom.org
ignore_group_members = true
use_fully_qualified_names = false
ldap_id_mapping = false
ldap_user_name = sAMAccountName
#ldap_user_principal = sAMAccountName
ad_site = DOM
Best,
Longina
8 years, 5 months
sssd nss call fails if group has "@" in it
by Franky Van Liedekerke
Hi,
it seems that since the upgrade on my EL6 server to sssd-1.12.4-47.el6.x86_64, I'm hitting a bug with nss if a group contains "@" in its cn (auth done via LDAP):
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x13ac330][20]
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x13ac330][20]
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [33] with input [sudo_sasfdr@FFF-AP-dev].
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41df60:domains@LDAP]
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [LDAP][FFF-AP-dev]
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x13a7ce0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41df60:domains@LDAP]
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x13a7ce0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x1397ab0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 19 error message: Subdomains back end target is not configured
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x13ab1d0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x13a07b0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13ab1d0 "ltdb_callback"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x13a07b0 "ltdb_timeout"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13ab1d0 "ltdb_callback"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x13ab1d0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x139bbc0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13ab1d0 "ltdb_callback"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x139bbc0 "ltdb_timeout"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13ab1d0 "ltdb_callback"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x13a07b0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x13ab1d0
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13a07b0 "ltdb_callback"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x13ab1d0 "ltdb_timeout"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13a07b0 "ltdb_callback"
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam_done] (0x0040): Invalid name received [sudo_sasfdr@FFF-AP-dev]
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41df60:domains@LDAP]
At first I thought it was an LDAP issue, but changing the name to sudo_sasfdr_FFF-AP-dev worked just fine.
The older sssd version sssd-1.11.6-30.el6_6.4.x86_64 did not have that problem, but maybe now the "@" is considered a domain-delimiter?
Currently as a workaround, I switched back to LDAP for sudo-queries (it's either that or change over 200 groups in LDAP and the master provisioning system), since it seems so far only sudo rules are impacted for now.
If anybody can point me to a config param to get the old behaviour back, I would very much appreciate it.
Or, if it is no longer supported, then I need to start writing ldap-renames ...
With friendly regards,
Franky
8 years, 5 months
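A small triage helper for the sssd nss debug log quoted in the post above, added here as an example and not part of Franky's message or of sssd itself: it parses the `(timestamp) [sssd[service]] [function] (level): message` line shape, pulls out the names sssd rejected and the data-provider error, and flags rejected names whose part after the last `@` is not a configured sssd domain, which is what a group cn that literally contains `@` looks like. The split-at-last-`@` rule is an assumption standing in for the poster's suspicion, not sssd's real parser, and the domain list `["LDAP"]` is taken from the `domains@LDAP` request in the log.

```python
import re
# Constructed sample in the shape of the sssd nss log quoted in the post (plus the renamed group that worked).
SAMPLE_LOG = """\
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [33] with input [sudo_sasfdr@FFF-AP-dev].
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 19 error message: Subdomains back end target is not configured
(Tue Oct 6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam_done] (0x0040): Invalid name received [sudo_sasfdr@FFF-AP-dev]
(Tue Oct 6 12:10:40 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [33] with input [sudo_sasfdr_FFF-AP-dev].
"""

# One sssd debug line: (timestamp) [sssd[service]] [function] (0xlevel): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]*)\) \[sssd\[(?P<svc>[^\]]+)\]\] "
                     r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
INVALID_RE = re.compile(r"Invalid name received \[(?P<name>[^\]]+)\]")
DP_ERR_RE = re.compile(r"DP error code: (?P<code>\d+) errno: (?P<errno>\d+) "
                       r"error message: (?P<text>.*)")

def parse_line(line):
    """Split one debug line into its fields; None for lines of another shape."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def split_on_delimiter(name):
    """Read name as short@domain, splitting at the last '@'. Assumption: this
    mirrors the poster's suspicion about the new behaviour, not sssd's own parser."""
    if "@" not in name:
        return name, None
    short, _, domain = name.rpartition("@")
    return short, domain

def summarize(log_text, configured_domains):
    """Collect rejected names, data-provider errors, and rejected names whose
    '@' suffix is not a configured sssd domain (a literal '@' in the group cn)."""
    known = {d.lower() for d in configured_domains}
    result = {"invalid_names": [], "dp_errors": [], "suspect_names": []}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        m = INVALID_RE.search(rec["msg"])
        if m:
            name = m.group("name")
            result["invalid_names"].append(name)
            _, domain = split_on_delimiter(name)
            if domain is not None and domain.lower() not in known:
                result["suspect_names"].append(name)
        m = DP_ERR_RE.search(rec["msg"])
        if m:
            result["dp_errors"].append((int(m.group("code")), int(m.group("errno")), m.group("text")))
    return result
```

Running `summarize(SAMPLE_LOG, ["LDAP"])` lists `sudo_sasfdr@FFF-AP-dev` as both rejected and suspect, while the renamed `sudo_sasfdr_FFF-AP-dev` lookup produces no rejection, matching what the post reports.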
Authentication by SSH against Active Directory without AD computer object
by Jordi Claret
Hi All!
I explain my problem...
We have 2 Windows Active Directory domains in different forests, and I need to authenticate with password and passwordless against the first one (DOMAIN1), and only with password against the second one (DOMAIN2). I know that SSSD currently does not support AD-AD cross-forest and I already have created two separate entries in sssd.conf for both domains, but it seems you need to join both domains and I need a computer object created in 2 ADs. Is it possible to authenticate by SSH with password against the second domain without an AD computer object created in the second domain and id_provider=ad?
Versions => rhel6 and sssd 1.12.4-47
Thanks!
8 years, 5 months
nested groups enumeration problem
by Ondrej Valousek
Hi List,
I am using sssd 1.12.4 (the last one in RHEL-6) and I am suffering from a strange problem:
A user is a member of group A, which is nested into group B.
Now, sometimes it happens that "id -a" only shows membership in group A, but not B. It happens only sometimes.
Do we know?
Thanks,
Ondrej
8 years, 5 months