full_name_format and supplemental groups
by Orion Poplawski
Running IPA with an AD trust. Users are in AD. Trying to use
full_name_format = %1$s to strip the domain from user names. This appears to
break supplemental groups in strange ways.
On the IPA server:
Without full_name_format:
# id orion(a)ad.nwra.com
uid=470202603(orion(a)ad.nwra.com) gid=470202603(orion(a)ad.nwra.com)
groups=470202603(orion(a)ad.nwra.com),470200513(domain
users(a)ad.nwra.com),470204703(pirep rd users(a)ad.nwra.com),470204714(wireless
access@ad.nwra.com),470204715(nwra-users@ad.nwra.com),470204701(boulder(a)ad.nwra.com),470207608(heimdall
users(a)ad.nwra.com),470200512(domain admins(a)ad.nwra.com),470207124(andreas
admins(a)ad.nwra.com)
With:
# id orion(a)ad.nwra.com
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
If I add:
default_domain_suffix = ad.nwra.com
# id orion
uid=470202603(orion) gid=470202603(orion)
groups=470202603(orion),470200512(domain admins),470207608(heimdall
users),470204714(wireless
access),470204715(nwra-users),470204701(boulder),470204703(pirep rd
users),470207124(andreas admins),470200513(domain users)
Which I guess makes some sense as you'd need to add the domain suffix back on
to find the groups.
But this appears to completely break IPA clients (with full_name_format = %1$s
and default_domain_suffix = ad.nwra.com):
# id orion(a)ad.nwra.com
id: orion(a)ad.nwra.com: no such user
# id orion
id: orion: no such user
>From looking at the server logs, it looks like only the IPA domain is searched
If I reset the server back to normal (drop full_name_format and
default_domain_suffix):
# id orion
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
I don't get any supplemental groups. I see sssd errors like:
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member]
(0x0400): Error: 2 (No such file or directory)
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex]
(0x0020): Could not add member [orion] to group [name=domain
admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
Is t trying "cn=groups,cn=nwra.com,cn=sysdb" instead of
"cn=groups,cn=ad.nwra.com,cn=sysdb"
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 http://www.nwra.com
7 years, 1 month
netlink messages on Infiniband causing sssd to exit
by Ryan Novosielski
Over time, I’ve been having seemingly random sssd quits that I’ve not been able to figure out. Today, I finally traced it to fluctuations on my Infiniband fabric:
sssd.log
(Tue Nov 3 13:17:59 2015) [sssd] [message_type] (0x0200): netlink Message type: 16
(Tue Nov 3 13:17:59 2015) [sssd] [link_msg_handler] (0x1000): netlink link message: iface idx 4 (ib0) flags 0x1003 (broadcast,multicast,up)
(Tue Nov 3 13:17:59 2015) [sssd] [message_type] (0x0200): netlink Message type: 16
(Tue Nov 3 13:17:59 2015) [sssd] [link_msg_handler] (0x1000): netlink link message: iface idx 4 (ib0) flags 0x11043 (broadcast,multicast,up,running,lower)
This exactly corresponds to the time in /var/log/messages for the unexplained shutdown:
2015-11-03T13:17:59-05:00 node75 sssd[pam]: Shutting down
2015-11-03T13:17:59-05:00 node75 sssd[be[default]]: Shutting down
2015-11-03T13:17:59-05:00 node75 sssd[nss]: Shutting down
Here is sssd_default.log for good measure:
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [sbus_remove_watch] (0x2000): 0x1414770/0x14133d0
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [sbus_remove_watch] (0x2000): 0x1414770/0x13fef90
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [be_ptask_destructor] (0x0400): Terminating periodic task [Cleanup of default]
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [sdap_handle_release] (0x2000): Trace: sh[0x14bd850], connected[1], ops[(nil)], ldap[0x1424260], destructor_lock[0], release_memory[0]
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [remove_connection_callback] (0x4000): Successfully removed connection callback.
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [sbus_remove_watch] (0x2000): 0x1415970/0x1416430
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [remove_socket_symlink] (0x4000): The symlink points to [/var/lib/sss/pipes/private/sbus-dp_default.18702]
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [remove_socket_symlink] (0x4000): The path including our pid is [/var/lib/sss/pipes/private/sbus-dp_default.18702]
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [remove_socket_symlink] (0x4000): Removed the symlink
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [be_client_destructor] (0x0400): Removed PAM client
(Tue Nov 3 13:17:59 2015) [sssd[be[default]]] [be_client_destructor] (0x0400): Removed NSS client
I can duplicate this by manually taking down the Infiniband link:
[root@node24 ~]# service sssd status
sssd (pid 9132) is running...
[root@node24 ~]# ifdown ib0
[root@node24 ~]# service sssd status
sssd dead but pid file exists
I have also noticed that sssd will not start on boot. As I know that Infiniband tends to flutter a little bit before the link comes up, I’m thinking this is probably the same cause.
Can anyone explain this behavior and tell me what I might do to prevent it?
--
____ *Note: UMDNJ is now Rutgers-Biomedical and Health Sciences*
|| \\UTGERS |---------------------*O*---------------------
||_// Biomedical | Ryan Novosielski - Senior Technologist
|| \\ and Health | novosirj(a)rutgers.edu - 973/972.0922 (2x0922)
|| \\ Sciences | OIRT/High Perf & Res Comp - MSB C630, Newark
`'
7 years, 3 months
please do not remove enumeration from AD provider
by James Ralston
On Wed, May 6, 2015 at 4:27 AM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
> You know, just this morning, I was thinking about enumeration. It
> doesn't work for IPA views at all for example. It doesn't work for
> trusted domains at all either (except for some limited support in AD
> trusted domains that is very untested)
>
> I wonder if we could just remove enumeration from IPA and AD back
> ends in some major release.
Please don't do this.
Enumeration is a very useful feature. It allows us to do things like
this:
$ getent passwd | grep -i lastname
The equivalent ldapsearch command is much more tedious:
$ ldapsearch -z 0 -E pr=2147483647/noprompt -o ldif-wrap=no -L -L -H
'ldap:///dc%3Dexample%2Cdc%3Dorg -Y GSSAPI -N -b "dc=example,dc=org"
"(&(objectClass=user)(cn=*lastname*))" dn cn sAMAccountName
More generically, enumeration is the way Unix/Linux has always worked.
Even getting users to change from:
grep -i lastname /etc/passwd
To this:
getent passwd | grep -i lastname
...has been a struggle.
We also have various services that (unfortuantely) pre-load the passwd
and group files at startup by enumerating them with getpwent_r() and
getgrent_r(), instead of using the get*nam_r() and get*id_r()
functions as-needed. These services break outright if enumeration is
disabled.
(Yes, these services are broken. Yes, they shouldn't do that. But our
ability to fix them is extremely limited at best, because we don't
control them.)
Finally, we have many systems that cannot be joined to Active
Directory (for policy reasons, not technical reasons). But we want to
use the same passwd/group entries on those systems as returned by sssd
on hosts that are joined to Active Directory. We do this by scraping
the output of "getent -s sss passwd" and "getent -s sss group" and
manually merging it into the local passwd and group files
(respectively) on these hosts.
> It's just a legacy feature, so those who need it can fall back to
> the LDAP provider..
But the LDAP provider doesn't support ID mapping; only the AD provider
does. And ID mapping is the main reason we use sssd.
I'm not asking you to make enumeration the default. It shouldn't be;
it should be something you only turn on if you need it, and you KNOW
you need it. But if you need it, you NEED it. Please don't take it
away.
7 years, 10 months
SSSD issue after upgrade in fedora 23 x64
by Edouard Guigné
Hello sssd users,
I configured several fedora 22 x64 workstation with success with sssd against a AD domain.
I followed the tutorial at https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server ("Joining the Linux client to the AD domain manually" part).
Last week, I upgrraded my workstation from fedora 22 to fedora 23 x64 (using fedup).
I did not change the sssd.conf, krb5.conf and krb5.keytab from fedora 22 to 23.
In all upgraded fedora 23 workstations, users cannot loging anymore. Here is the error i get :
sshd[9313]: pam_sss(sshd:account): Access denied for user xxxxx: 4 (System error)
sshd[9313]: Failed password for xxxxx from x.x.x.x port 49459 ssh2
audit[9313]: USER_ACCT pid=9313 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=? acct="xxxxx" exe="/usr/sbin/sshd" hostname=x.x.x.x addr=x.x.x.x terminal=ssh res=failed'
sshd[9313]: fatal: Access denied for user xxxxx by PAM account configuration [preauth]
...
Although, users can still loging in fedora 22 workstations.
Is it a known issue ? May you help me to resolve it ?
Best Regards,
Ed
7 years, 10 months
localauth plugin and some other questions
by Longina Przybyszewska
Hi,
I did some testing of sssd-13.2 version in Ubuntu-16.04 (ldap_idmapping = false)
Login with fqdn in cross realm and Kerberos NFS automount seems to work almost out-of-the-box.
This is great.
I have still some questions:
In my setup, I have configured only for one domain - the domain where I join machine.
SRV discovery can figure out all domains and figure out AD structure;
1.
Is it still necessary make an explicit list of all domains in the 'domains' statement?
[sssd]
..
domains = a.c.realm, n.c.realm, s.c.realm, c.realm ...
2.
I tried login with setup for UPN/sAMAccountName login- without success.
Is login with cross realm's UPN or short sAMAccoutName supported in this sssd version?
In database for default domain cache_a.c.realm.db user object has following names (for 'use_fully_qualified_names = true' setup):
dn: name = user1(a)n.c.realm ...
name: user1(a)n.c.realm
nameAlias. user1(a)n.c.realm
UserPrincipalName: user1@REALM
canonicalUserPrincipalName: user1(a)N.C.REALM
3.
Localauth plugin:
the option :
krb5_confd_path = /var/lib/sss/pubconf/krb5.conf.d
-does not create that directory (I understand from the doc that sssd should take care about it);
However after manually creating this directory I can see many fails in log:
[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [a.c.realm] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realm]
[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0040): creating the temp file [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4PYcJ] for domain-realm mappings failed.
[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0080): Could not remove file [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4P<B0>]: [2]: No such file or directory
....
ls -ld
drwxr-xr-x 2 root root 4096 Dec 16 16:08 /var/lib/sss/pubconf/krb5.conf.d/
Default value for option 'krb5_canonicalize' is FALSE;
I set 'canonicalize' to 'true' in krb5.conf - is it enough? I understand from docs localauth plugin needs it.
4.
ldbsearch
Can I somehow (I do not think about log with high debug level) see all configured and default options for SSSD?
Best,
Longina
7 years, 10 months
Ticket expiring problems still
by Thackeray, Neil L
I am having a frustrating time trying to figure out what is going on with these Ubuntu servers. I have tried to use msktutil as some have suggested, but this hasn't worked for me. Every 7 days on the mark I lose my domain connection and have to run realm leave/realm join again. I ran msktutil the day before the ticket was about to expire, so it should have worked. This is only a problem on Ubuntu, CentOS works perfectly fine. I even have one Ubuntu server that works.
I also have the problem that the sssd init script, wherever that is now, sometimes thinks that sssd is still running and won't start again. I then have to run 'sssd -D' if I don't want to restart the server.
This is what I get running msktutil.
msktutil --auto-update --verbose:
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password: Characters read from /dev/udandom = 86
-- get_dc_host: Attempting to find a Domain Controller to use (DNS SRV RR TCP)
-- get_dc_host: Found DC: udc05.ad.mydomain.com
-- get_dc_host: Canonicalizing DC through forward/reverse lookup...
-- get_dc_host: Found Domain Controller: udc05.ad.mydomain.com
-- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-TSzpEQ
-- reload: Reloading Kerberos Context
-- get_short_hostname: Determined short hostname: myserver-domain-foo-com
Error: The SAM name (myserver-domain-foo-com$) for this host is longer than the maximum of MAX_SAM_ACCOUNT_LEN characters
You can specify a shorter name using --computer-name
-- ~KRB5Context: Destroying Kerberos Context
This appears to have worked, but it didn't.
msktutil --update --computer-name MYSERVER --verbose:
-- init_password: Wiping the computer password structure
-- generate_new_password: Generating a new, random password for the computer account
-- generate_new_password: Characters read from /dev/udandom = 82
-- get_dc_host: Attempting to find a Domain Controller to use (DNS SRV RR TCP)
-- get_dc_host: Found DC: udc05.ad.mydomain.com
-- get_dc_host: Canonicalizing DC through forward/reverse lookup...
-- get_dc_host: Found Domain Controller: udc05.ad.mydomain.com
-- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-ozv4A6
-- reload: Reloading Kerberos Context
-- finalize_exec: SAM Account Name is: MYSERVER$
-- try_machine_keytab_princ: Trying to authenticate for MYSERVER$ from local keytab...
-- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-ewj6uW
-- finalize_exec: Authenticated using method 1
-- ldap_connect: Connecting to LDAP server: udc05.ad.mydomain.com try_tls=YES
-- ldap_connect: Connecting to LDAP server: udc05.ad.mydomain.com try_tls=NO
SASL/GSSAPI authentication started
SASL username: MYSERVER$(a)AD.MYDOMAIN.COM
SASL SSF: 56
SASL data security layer installed.
-- ldap_connect: LDAP_OPT_X_SASL_SSF=56
This is what I think is the pertinent portions of the logs from when the computer cant connect anymore.
sssd_ad.mydomain.com.log:
(Wed Nov 4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Preauthentication failed], expired on [0]
(Wed Nov 4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
(Wed Nov 4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158219](Authentication Failed)
(Wed Nov 4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'udc02.ad.mydomain.com' as 'not working'
(Wed Nov 4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [ad_user_data_cmp] (0x1000): Comparing LDAP with LDAP
(Wed Nov 4 15:26:09 2015) [sssd[be[ad.mydomain.com]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'udc02.ad.mydomain.com' as 'not working'
syslog:
Nov 4 15:26:09 myserver [sssd[ldap_child[25833]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
Nov 4 15:26:09 myserver [sssd[ldap_child[25833]]]: Preauthentication failed
Any help is appreciated.
7 years, 11 months
Announcing SSSD 1.13.1
by Jakub Hrozek
== SSSD 1.13.1 ===
The SSSD team is proud to announce the release of version 1.13.1 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel
or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* Initial support for Smart Card authentication was added. The feature
can be activated with the new pam_cert_auth option
* The PAM prompting was enhanced so that when Two-Factor Authentication
is used, both factors (password and token) can be entered separately
on separate prompts. At the same time, only the long-term password is
cached, so offline access would still work using the long term password
* A new command line tool sss_override is present in this release. The
tools allows to override attributes on the SSSD side. It's helpful in
environment where e.g. some hosts need to have a different view of POSIX
attributes than others. Please note that the overrides are stored in
the cache as well, so removing the cache will also remove the overrides
* New methods were added to the SSSD D-Bus interface. Notably support
for looking up a user by certificate and looking up multiple users
using a wildcard was added. Please see the interface introspection or
the design pages for full details
* Several enhancements to the dynamic DNS update code. Notably, clients
that update multiple interfaces work better with this release
* This release supports authenticating againt a KDC proxy
* The fail over code was enhanced so that if a trusted domain is not
reachable, only that domain will be marked as inactive but the backed
would stay in online mode
* Several fixes to the GPO access control code are present
== Packaging Changes ==
* The Smart Card authentication feature requires a helper process
p11_child that needs to be marked as setgid if SSSD needs to be able
to. Please note the p11_child requires the NSS crypto library at the moment
* The sss_override tool was added along with its own manpage
* The upstream RPM can now build on RHEL/CentOS 6.7
== Documentation Changes ==
* The config_file_version configuration option now defaults to 2. As
an effect, this option doesn't have to be set anymore unless the config
file format is changed again by SSSD upstream
* It is now possible to specify a comma-separated list of interfaces in
the dyndns_iface option
* The InfoPipe responder and the LDAP provider gained a new option
wildcard_lookup that specifies an upper limit on the number of entries
that can be returned with a wildcard lookup
* A new option dyndns_server was added. This option allows to attempt
a fallback DNS update against a specific DNS server. Please note this
option only works as a fallback, the first attempt will always be
performed against autodiscovered servers.
* The PAM responder gained a new option ca_db that allows the storage
of trusted CA certificates to be specified
* The time the p11_child is allowed to operate can be specified using
a new option p11_child_timeout
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/546
[RFE] Support for smart cards
https://fedorahosted.org/sssd/ticket/1697
sssd: incorrect checks on length values during packet decoding
https://fedorahosted.org/sssd/ticket/1926
[RFE] Start the dynamic DNS update after the SSSD has been setup for
the first time
https://fedorahosted.org/sssd/ticket/1994
Complain loudly if backend doesn't start due to missing or invalid keytab
https://fedorahosted.org/sssd/ticket/2275
nested netgroups do not work in IPA provider
https://fedorahosted.org/sssd/ticket/2283
test dyndns failed.
https://fedorahosted.org/sssd/ticket/2335
Investigate using the krb5 responder for driving the PAM conversation
with OTPs
https://fedorahosted.org/sssd/ticket/2463
Pass error messages via the extdom plugin
https://fedorahosted.org/sssd/ticket/2495
[RFE]Allow sssd to add a new option that would specify which server
to update DNS with
https://fedorahosted.org/sssd/ticket/2549
RFE: Support multiple interfaces with the dyndns_iface option
https://fedorahosted.org/sssd/ticket/2553
RFE: Add support for wildcard-based cache updates
https://fedorahosted.org/sssd/ticket/2558
Add dualstack and multihomed support
https://fedorahosted.org/sssd/ticket/2561
Too much logging
https://fedorahosted.org/sssd/ticket/2579
TRACKER: Support one-way trusts for IPA
https://fedorahosted.org/sssd/ticket/2581
Re-check memcache after acquiring the lock in the client code
https://fedorahosted.org/sssd/ticket/2584
RFE: Support client-side overrides
https://fedorahosted.org/sssd/ticket/2597
Add index for 'objectSIDString' and maybe to other cache attributes
https://fedorahosted.org/sssd/ticket/2637
RFE: Don't mark the main domain as offline if SSSD can't connect to
a subdomain
https://fedorahosted.org/sssd/ticket/2639
RFE: Detect re-established trusts in the IPA subdomain code
https://fedorahosted.org/sssd/ticket/2652
KDC proxy not working with SSSD krb5_use_kdcinfo enabled
https://fedorahosted.org/sssd/ticket/2676
Group members are not turned into ghost entries when the user is purged
from the SSSD cache
https://fedorahosted.org/sssd/ticket/2682
sudoOrder not honored as expected
https://fedorahosted.org/sssd/ticket/2688
Default to config_file_version=2
https://fedorahosted.org/sssd/ticket/2691
GPO: PAM system error returned for PAM_ACCT_MGMT and offline mode
https://fedorahosted.org/sssd/ticket/2692
GPO: Access denied due to using wrong sam_account_name
https://fedorahosted.org/sssd/ticket/2694
CI: Fix ramshackle test_ipa_subdomains_server (FAIL:
test_ipa_subdom_server)
https://fedorahosted.org/sssd/ticket/2699
SSSDConfig: wrong return type returned on python3
https://fedorahosted.org/sssd/ticket/2700
krb5_child should always consider online state to allow use of
MS-KKDC proxy
https://fedorahosted.org/sssd/ticket/2708
Logging messages from user point of view
https://fedorahosted.org/sssd/ticket/2711
[RFE] Provide interface for SSH to fetch user certificate
https://fedorahosted.org/sssd/ticket/2712
Initgroups memory cache does not work with fq names
https://fedorahosted.org/sssd/ticket/2716
Initgroups mmap cache needs update after db changes
https://fedorahosted.org/sssd/ticket/2717
well-known SID check is broken for NetBIOS prefixes
https://fedorahosted.org/sssd/ticket/2718
SSSD keytab validation check expects root ownership
https://fedorahosted.org/sssd/ticket/2719
IPA: returned unknown dp error code with disabled migration mode
https://fedorahosted.org/sssd/ticket/2722
Missing config options in gentoo init script
https://fedorahosted.org/sssd/ticket/2723
Could not resolve AD user from root domain
https://fedorahosted.org/sssd/ticket/2724
getgrgid for user's UID on a trust client prevents getpw*
https://fedorahosted.org/sssd/ticket/2725
If AD site detection fails, not even ad_site override skipped
https://fedorahosted.org/sssd/ticket/2729
Do not send SSS_OTP if both factors were entered separately
https://fedorahosted.org/sssd/ticket/2731
searching SID by ID always checks all domains
https://fedorahosted.org/sssd/ticket/2733
Don't use deprecated libraries (libsystemd-*)
https://fedorahosted.org/sssd/ticket/2737
sss_override: add import and export commands
https://fedorahosted.org/sssd/ticket/2738
Cannot build rpms from upstream spec file on rawhide
https://fedorahosted.org/sssd/ticket/2742
When certificate is added via user-add-cert, it cannot be looked up
via org.freedesktop.sssd.infopipe.Users.FindByCertificate
https://fedorahosted.org/sssd/ticket/2743
memory cache can work intermittently
https://fedorahosted.org/sssd/ticket/2744
cleanup_groups should sanitize dn of groups
https://fedorahosted.org/sssd/ticket/2746
the PAM srv test often fails on RHEL-7
https://fedorahosted.org/sssd/ticket/2748
test_memory_cache failed in invalidation cache before stop
https://fedorahosted.org/sssd/ticket/2749
Fix crash in nss responder
https://fedorahosted.org/sssd/ticket/2754
Clear environment and set restrictive umask in p11_child
https://fedorahosted.org/sssd/ticket/2757
sss_override does not work correctly when 'use_fully_qualified_names
= True'
https://fedorahosted.org/sssd/ticket/2758
sss_override contains an extra parameter --debug but is not listed in
the man page or in the arguments help
https://fedorahosted.org/sssd/ticket/2762
[RFE] sssd: better feedback form constraint password change
https://fedorahosted.org/sssd/ticket/2768
Test 'test_id_cleanup_exp_group' failed
https://fedorahosted.org/sssd/ticket/2772
sssd cannot resolve user names containing backslash with ldap provider
https://fedorahosted.org/sssd/ticket/2773
Make p11_child timeout configurable
https://fedorahosted.org/sssd/ticket/2777
Fix memory leak in GPO
https://fedorahosted.org/sssd/ticket/2782
sss_override : The local override user is not found
https://fedorahosted.org/sssd/ticket/2783
REGRESSION: Dyndns soes not update reverse DNS records
https://fedorahosted.org/sssd/ticket/2790
sss_override --name doesn't work with RFC2307 and ghost users
https://fedorahosted.org/sssd/ticket/2799
unit tests do not link correctly on Debian
https://fedorahosted.org/sssd/ticket/2803
Memory leak / possible DoS with krb auth.
https://fedorahosted.org/sssd/ticket/2805
AD: Conditional jump or move depends on uninitialised value
== Detailed Changelog ==
Jakub Hrozek (52):
* Updating the version for 1.13.1 development
* tests: Move N_ELEMENTS definition to tests/common.h
* SYSDB: Add functions to look up multiple entries including name and
custom filter
* DP: Add DP_WILDCARD and SSS_DP_WILDCARD_USER/SSS_DP_WILDCARD_GROUP
* cache_req: Extend cache_req with wildcard lookups
* UTIL: Add sss_filter_sanitize_ex
* LDAP: Fetch users and groups using wildcards
* LDAP: Add sdap_get_and_parse_generic_send
* LDAP: Use sdap_get_and_parse_generic_/_recv
* LDAP: Add sdap_lookup_type enum
* LDAP: Add the wildcard_limit option
* IFP: Add wildcard requests
* Use NSCD path in execl()
* KRB5: Use the right domain for case-sensitive flag
* IPA: Better debugging
* UTIL: Lower debug level in perform_checks()
* IPA: Handle sssd-owned keytabs when running as root
* IPA: Remove MPG groups if getgrgid was called before getpw()
* LDAP: use ldb_binary_encode when printing attribute values
* IPA: Change the default of ldap_user_certificate to
userCertificate;binary
* UTIL: Provide a common interface to safely create temporary files
* IPA: Always re-fetch the keytab from the IPA server
* DYNDNS: Add a new option dyndns_server
* p11child: set restrictive umask and clear environment
* KRB5: Use sss_unique file in krb5_child
* KRB5: Use sss_unique_file when creating kdcinfo files
* LDAP: Use sss_unique_filename in ldap_child
* SSH: Use sss_unique_file_ex to create the known hosts file
* SYSDB: Index the objectSIDString attribute
* sbus: Initialize errno if constructing message fails and add debug
messages
* sbus: Add a special error code for messages sent by the bus itself
* GPO: Use sss_unique_file and close fd on failure
* SDAP: Remove unused function
* KRB5: Don't error out reading a minimal krb5.conf
* UTIL: Convert domain->disabled into tri-state with domain states
* DP: Provide a way to mark subdomain as disabled and auto-enable it
later with offline_timeout
* SDAP: Do not set is_offline if ignore_mark_offline is set
* AD: Only ignore errors from SDAP lookups if there's another connection
to fallback to
* KRB5: Offline operation with disabled domain
* AD: Do not mark the whole back end as offline if subdomain lookup fails
* AD: Set ignore_mark_offline=false when resolving AD root domain
* IPA: Do not allow the AD lookup code to set backend as offline in
server mode
* BUILD: link dp tests with LDB directly to fix builds on Debian
* LDAP: imposing sizelimit=1 for single-entry searches breaks
overlapping domains
* tests: Move named_domain from test_utils to common test code
* LDAP: Move sdap_create_search_base from ldap to sdap code
* LDAP: Filter out multiple entries when searching overlapping domains
* IPA: Change ipa_server_trust_add_send request to be reusable from ID code
* FO: Add an API to reset all servers in a single service
* FO: Also reset the server common data in addition to SRV
* IPA: Retry fetching keytab if IPA user lookup fails
* Updating translations for the 1.13.1 release
Lukas Slebodnik (49):
* KRB5: Return right data provider error code
* Update few debug messages
* intg: Invalidate memory cache before removing files
* SPEC: Update spec file for krb5_local_auth_plugin
* SSSDConfig: Return correct types in python3
* intg: Modernize 'except' clauses
* mmap_cache: Rename variables
* mmap_cache: "Override" functions for initgr mmap cache
* mmap: Invalidate initgroups memory cache after any change
* sss_client: Update integrity check of records in mmap cache
* intg_test: Add module for simulation of utility id
* intg_test: Add integration test for memory cache
* NSS: Initgr memory cache should work with fq names
* test_memory_cache: Add test for initgroups mc with fq names
* SPEC: Workaround for build with rpm 4.13
* KRB5: Do not try to remove missing ccache
* test_memory_cache: Test mmap cache after initgroups
* test_memory_cache: Test invalidation with sss_cache
* krb5_utils-tests: Remove unused variables
* sss_cache: Wait a while for invalidation of mc by nss responder
* test_memory_cache: Fix few python issues
* NSS: Fix use after free
* NSS: Don't ignore backslash in usernames with ldap provider
* intg_tests: Add regression test for 2163
* BUILD: Build libdlopen_test_providers.la as a dynamic library
* BUILD: Speed up build of some tests
* BUILD: Simplify build of simple_access_tests
* CI: Set env variable for all tabs in screen
* dyndns-tests: Simulate job in wrapped execv
* AUTOMAKE: Disable portability warnings
* tests: Use unique name for TEST_PATH
* tests: Move test_dom_suite_setup to different module
* test_ipa_subdomains_server: Use unique dorectory for keytabs
* test_copy_keytab: Create keytabs in unique directory
* test_ad_common: Use unique directory for keytabs
* Revert "LDAP: end on ENOMEM"
* Partially revert "LDAP: sanitize group name when used in filter"
* LDAP: Sanitize group dn before using in filter
* test_ldap_id_cleanup: Fix coding style issues
* DYNDNS: Return right error code in case of failure
* BUILD: Simplify build of test_data_provider_be
* BUILD: Remove unused variable CHECK_OBJ
* BUILD: Do not build libsss_ad_common.la as library
* BUILD: Remove unused variable SSSD_UTIL_OBJ
* CONFIGURE: Remove bashism
* IFP: Suppress warning from static analyzer
* BUILD: Link test_data_provider_be with -ldl
* sysdb-tests: Use valid base64 encoded certificate for search
* test_pam_srv: Run cert test only with NSS
Michal Židek (13):
* DEBUG: Add new debug category for fail over.
* pam: Incerease p11 child timeout
* sdap_async: Use specific errmsg when available
* TESTS: ldap_id_cleanup timeouts
* sssd: incorrect checks on length values during packet decoding
* CONFDB: Assume config file version 2 if missing
* Makefile.am: Add missing AM_CFLAGS
* SYSDB: Add function to expire entry
* cleanup task: Expire all memberof targets when removing user
* CI: Add regression test for #2676
* intg: Fix some PEP 8 violations
* PAM: Make p11_child timeout configurable
* tests: Set p11_child_timeout to 30 in tests
Nikolai Kondrashov (1):
* TESTS: Add trailing whitespace test
Pavel Březina (18):
* VIEWS TEST: add null-check
* SYSDB: prepare for LOCAL view
* TOOLS: add common command framework
* TOOLS: add sss_override for local overrides
* AD: Use ad_site also when site search fails
* IFP: use default limit if provided is 0
* sudo: use "higher value wins" when ordering rules
* sss_override: print input name if unable to parse it
* sss_override: support domains that require fqname
* TOOLS: add sss_colondb API
* sss_override: decompose code better
* sss_override: support import and export
* sss_override: document --debug options
* sss_override: support fqn in override name
* views: do not require overrideDN in grous when LOCAL view is set
* views: fix two typos in debug messages
* views: allow ghost members for LOCAL view
* sss_override: remove -d from manpage
Pavel Reichl (23):
* DYNDNS: sss_iface_addr_list_get return ENOENT
* DYNDNS: support mult. interfaces for dyndns_iface opt
* DYNDNS: special value '*' for dyndns_iface option
* TESTS: dyndns tests support AAAA addresses
* DYNDNS: support for dualstack
* TESTS: fix compiler warnings
* SDAP: rename SDAP_CACHE_PURGE_TIMEOUT
* IPA: Improve messages about failures
* DYNDNS: Don't use server cmd in nsupdate by default
* DYNDNS: remove redundant talloc_steal()
* DYNDNS: remove zone command
* DYNDNS: rename field of sdap_dyndns_update_state
* DYNDNS: remove code duplication
* TESTS: UT for sss_iface_addr_list_as_str_list()
* LDAP: sanitize group name when used in filter
* LDAP: minor improvements in ldap id cleanup
* TESTS: fix fail in test_id_cleanup_exp_group
* LDAP: end on ENOMEM
* AD: send less logs to syslog
* Remove trailing whitespace
* GPO: fix memory leak
* DDNS: execute nsupdate for single update of PTR rec
* AD: inicialize root_domain_attrs field
Petr Cech (6):
* BUILD: Repair dependecies on deprecated libraries
* TESTS: Removing part of responder_cache_req-tests
* UTIL: Function 2string for enum sss_cli_command
* UTIL: Fixing Makefile.am for util/sss_cli_cmd.h
* DATA_PROVIDER: BE_REQ as string in log message
* IPA PROVIDER: Resolve nested netgroup membership
Robin McCorkell (1):
* man: List alternative schema defaults for LDAP AutoFS parameters
Stephen Gallagher (1):
* AD: Handle cases where no GPOs apply
Sumit Bose (17):
* test common: sss_dp_get_account_recv() fix assignment
* nss_check_name_of_well_known_sid() improve name splitting
* negcache: allow domain name for UID and GID
* nss: use negative cache for sid-by-id requests
* krb5: do not send SSS_OTP if two factors were used
* utils: add NSS version of cert utils
* Add NSS version of p11_child
* pack_message_v3: allow empty name
* authok: add support for Smart Card related authtokens
* PAM: add certificate support to PAM (pre-)auth requests
* pam_sss: add sc support
* ssh: generate public keys from certificate
* krb5 utils: add sss_krb5_realm_has_proxy()
* krb5: do not create kdcinfo file if proxy configuration exists
* krb5: assume online state if KDC proxy is configured
* GPO: use SDAP_SASL_AUTHID as samAccountName
* utils: make sss_krb5_get_primary() private
Thomas Oulevey (1):
* Fix memory leak in sssdpac_verify()
Tyler Gates (1):
* CONTRIB: Gentoo daemon startup options as declared in conf.d/sssd
Yuri Chornoivan (1):
* Fix minor typos
7 years, 11 months
ad provider - mangle user names
by Frank Ritchie
Hi all,
Looking to have my cake and eat it too.
I have alot of users that have been using Winbind for years. They currently
log in with the workgroup, ie:
WORKGROUP+username
I would like to roll out SSSD with the ad provider. I would ideally like
for a user to be able to log in as:
WORKGROUP+username
or
username
and sssd would know this is the same AD user.
Is this possible?
thx
7 years, 11 months
SSSD offline authentication cache timtout question
by aaron wang
Hi All,
1. I plan to enable cache_credential flag in the system, and it looks like
that "account_cache_expiration", "offline_credentials_expiration",
"offline_failed_login_attempts". These three options needs to be set as
well, as their default value is unlimited, which may bring some security
concerns.
Is there any other options I need to take care if I want to enable offline
authentication ?
2. Also, I have some doubt about the difference between
"account_cache_expiration" and "offline_credentials_expiration". I know
"account_cache_expiration" is per domain, but
"offline_credentials_expiration" is for PAM responder.
E.g. I set account_cache_expiration to 10 days,
offline_credentials_expiration to 2 days. What's the use case of the cache
after day 2 ?
3. Both "offline_credentials_expiration" and "account_cache_expiration" are
counted after last successful login. Does the successful login after LDAP
offline count ? Will the successful login after LDAP offline extend the
life of the cache ?
Thanks for any information.
Thanks,
Aaron
7 years, 11 months
