sssd-users October 2015

sssd-users@lists.fedorahosted.org

14 participants
15 discussions

HOWTO: Troubleshooting SUDO
by Pavel Březina 09 Oct '15

09 Oct '15

Hi, I just submitted a sudo troubleshooting guide [1]. If you find anything missing, please, let me know. [1] https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO

1 0

12.5 problems
by Longina Przybyszewska 09 Oct '15

09 Oct '15

Hi, We have a problem after upgrade from 11.7 to 12.5 version Identity lookups periodically change from short name to fully qualified name for users from trust domains. In turn, users get lockout of files, or can not login because nfsidmap setup can't figure out id mapping. This setup worked in 11.7 version (+several domains identically configured) [domain/A.C.DOM.ORG] debug_level = 9 cache_credentials = true id_provider = ad dyndns_update = false access_provider = ad auth_provider = ad chpass_provider = ad ad_domain = a.c.dom.org krb5_realm = A.C.DOM.ORG use_fully_qualified_names = false subdomain_provider = none ldap_id_mapping = false krb5_lifetime = 10h krb5_renewable_lifetime = 7d krb5_renew_interval = 1h ad_gpo_access_control = disabled ad_gpo_default_right = permit With my new setup - Ids from trust domains can't resolve as short names. Only ids from native for client machine domain do. Cross realm membership resolves fine. [nss] debug_level = 7 filter_groups = root filter_users = root,lightdm,ldap,named,avahi,haldeamon,dbus,radvd,tomcat,radiusd,news,mailman,nscd [sssd] debug_level = 9 domains = A.C.DOM.ORG,N.C.DOM.ORG,C.DOM.ORG config_file_version = 2 services = nss, pam,ssh [pam] pam_verbosity = 3 debug_level = 9 [domain/A.C.DOM.ORG] debug_level = 9 id_provider = ad dyndns_update = true ad_hostname = a431.a.c.dom.org ignore_group_members = true use_fully_qualified_names = false ldap_id_mapping = false ldap_user_name = sAMAccountName #ldap_user_principal = sAMAccountName ad_site = DOM Best, Longina

2 4

sssd nss call fails if group has "@" in it
by Franky Van Liedekerke 06 Oct '15

06 Oct '15

Hi, it seems that since the upgrade on my EL6 server to sssd-1.12.4-47.el6.x86_64, I'm hitting a bug with nss if a group contains "@" in it's cn (auth done via LDAP): (Tue Oct 6 12:10:39 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x13ac330][20] (Tue Oct 6 12:10:39 2015) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x13ac330][20] (Tue Oct 6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [33] with input [sudo_sasfdr@FFF-AP-dev]. (Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41df60:domains@LDAP] (Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [LDAP][FFF-AP-dev] (Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x13a7ce0 (Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41df60:domains@LDAP] (Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x13a7ce0 (Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x1397ab0 (Tue Oct 6 12:10:39 2015) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching. (Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 3 errno: 19 error message: Subdomains back end target is not configured (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x13ab1d0 (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x13a07b0 (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13ab1d0 "ltdb_callback" (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x13a07b0 "ltdb_timeout" (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13ab1d0 "ltdb_callback" (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x13ab1d0 (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x139bbc0 (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13ab1d0 "ltdb_callback" (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x139bbc0 "ltdb_timeout" (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13ab1d0 "ltdb_callback" (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x13a07b0 (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x13ab1d0 (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x13a07b0 "ltdb_callback" (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x13ab1d0 "ltdb_timeout" (Tue Oct 6 12:10:39 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x13a07b0 "ltdb_callback" (Tue Oct 6 12:10:39 2015) [sssd[nss]] [nss_cmd_getbynam_done] (0x0040): Invalid name received [sudo_sasfdr@FFF-AP-dev] (Tue Oct 6 12:10:39 2015) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41df60:domains@LDAP] At first I thought it was an LDAP issue, but changing the name to sudo_sasfdr_FFF-AP-dev worked just fine. The older sssd version sssd-1.11.6-30.el6_6.4.x86_64 did not have that problem, but maybe now the "@" is considered a domain-delimiter? Currently as a workaround, I switched back to LDAP for sudo-queries (it's either that or change over 200 groups in LDAP and the master provisioning system), since it seems so far only sudo rules are impacted for now. If anybody can point me to a config param to get the old behaviour back , I wouldvery much appreciate it. Or, if it is no longer supported, then I need to start writing ldap-renames ... With friendly regards, Franky

3 6

Authentication by SSH against Active Directory without AD computer object
by Jordi Claret 06 Oct '15

06 Oct '15

Hi All! I explain my problem... We have 2 Windows Active Directories domains in different forests, and i need to autheticate with password and passwordless against first one (DOMAIN1), and only with password against second one (DOMAIN2). I know that SSSD currently does not support AD-AD cross-forest and i already have created two separate entries in sssd.conf for both domains, but it seems you need to join both domains and i need a computer object created in 2 ADs. Is it possible to authenticate by SSH with password against second domain without AD computer object created in the second domain and id_provider=ad ? Versions => rhel6 and sssd 1.12.4-47 Thanks!

2 1

nested groups enumeration problem
by Ondrej Valousek 05 Oct '15

05 Oct '15

Hi List, I am using sssd 1-12-4 (last one in RHEL-6) and I am suffering a strange problem: User is member of group A which is nested into group B. Now, sometimes it happens that "id -a" only shows membership in group A, but not B. Happens only sometimes. Do we know? Thanks, Ondrej ----- The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.

3 6

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

sssd-users October 2015